Tuesday, October 28, 2014

Mozilla Firefox 33.0.2 Released




Mozilla sent Firefox Version 33.0.2 to the release channel.  The update includes a fix for a startup crash that has affected some users.  Released earlier was yet another fix affecting drivers.



What’s New

  • Fixed -- 33.0.2: Fix a startup crash with some combination of hardware and drivers
  • Fixed -- 33.0.1: Firefox displays a black screen at start-up with certain graphics drivers

Update

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...








Friday, October 24, 2014

Pale Moon Version 25.0.2 Released

Pale Moon has released version 25.0.2 to address a number of "teething problems" with the new milestone release.


As explained by the Pale Moon developer, Moonchild, one of the changes impacting the milestone release in version 25.0 was the removal of the "Firefox" portion from Pale Moon's user agent. 

Because the Pale Moon User Agent string is not universally recognized, this has resulted in poor user experiences, including being presented with mobile site layouts, broken pages, or even being flat-out refused service.  As a result, the update to Pale Moon version 25.0.2 includes the following change:

  • Added a "Firefox compatibility mode" selection in Options -> Advanced.   This mode is enabled by default.

Security fix:

  • Disabled SSL 3.0 by default (to put a muzzle on the POODLE).

    Please note that this may cause issues with some poorly configured web servers (usually ones with a hopelessly broken security setup that do not support TLS 1.2 or secure (re)negotiation of the protocol).
    Additional Fixes/changes:
    • Improved active tab display on particularly dark personas.
      People using "black" personas/lightweight themes should now have a lot less difficulty distinguishing the active tab.
    • Fixed add-on update issue (that was preventing update checking through addons.palemoon.org).
    • Fixed the redundant redundancy in asking redundantly if the browser would be allowed to ask to install an extension when not on addons.mozilla.org.
    • Fixed the internal UA-sniffing insanity that broke devtools in a few different and colorful ways.

    Minimum system Requirements (Windows):
    • Windows Vista/Windows 7/Windows 8/Server 2008 or later
    • A processor with SSE2 support
    • 256 MB of free RAM (512 MB or more recommended)
    • At least 150 MB of free (uncompressed) disk space
    Pale Moon includes both 32- and 64-bit versions:

    Update

    To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

    Pale Moon:  Release Notes









    Thursday, October 23, 2014

    App Launcher Added to Outlook

    In another step to create consistency between Microsoft products, Outlook.com now includes the App Launcher that is part of Office 365.  One click on the App Launcher opens the view shown below.  Merely click the destination and it launches!

    The App Launcher makes it easy to toggle between your calendar, OneDrive and the Office Online applications.  If you are using the free Outlook.com email service (@outlook.com, @hotmail.com, @live.com, or @msn.com), see how easy it is to use. 

    [Image: App Launcher]

    If you click the App Launcher and change your mind about leaving the service you are currently using, merely click in another spot on the page or click the Launcher again to close it.

    Read the complete announcement at the Office Blog, Toggle between Outlook.com, OneDrive and Office Online with the new app launcher.





    Tuesday, October 21, 2014

    Microsoft Security Advisory 3010060 with Fixit Solution

    Microsoft released Security Advisory 3010060 which relates to a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003.

    The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. Microsoft is aware of limited, targeted attacks. 

    Recommendations

    Microsoft has made available a Fix it solution "OLE packager shim workaround" which prevents execution of the vulnerability.  Below are direct links to both enable and disable the Fix it solution.



    Note: The Fix it solution is not available at this time for 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1.

    Enable Fix it | Disable Fix it


    Another option is to install the Enhanced Mitigation Experience Toolkit (EMET), described in the "Workarounds" section of the TechNet Advisory.


    Wednesday, October 15, 2014

    Pale Moon 25.0.1 Released with Critical Security Update

    Pale Moon has released version 25.0.1 to address an important Jetpack extension compatibility issue. 

    The update also includes a number of security fixes.

    Security fixes:

    • Fix for VP9 decoder vulnerability
    • Fix for direct access to raw connection sockets in http 
    • Fix for unsafe conversion to JSON of data through the alarm dom element 
    • Update of NSS to 3.16.2.2-RTM 
      Other Changes
      • Update of the add-on SDK to add missing "PaleMoon" engine entries to lists in some modules. This should fix extension compatibility issues for things like Self-destructing cookies, Privacybadger and other Jetpack add-ons that should otherwise already work with the new GUID.
      • About box release notes link corrected

      Minimum system Requirements (Windows):
      • Windows Vista/Windows 7/Windows 8/Server 2008 or later
      • A processor with SSE2 support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions:

      Update

      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.







      Tuesday, October 14, 2014

      Oracle Java Critical Security Update



      Oracle released the scheduled critical security updates for its Java SE Runtime Environment software. 

      This is a Critical Patch Update that affects Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20.  From The Assurance Blog:
      "Out of the 154 vulnerabilities fixed with today’s Critical Patch Update release, 31 are for the Oracle Database. All but 3 of these database vulnerabilities are related to features implemented using Java in the Database, and a number of these vulnerabilities have received a CVSS Base Score of 9.0."

      Unwanted "Extras"

      Oracle has long included pre-checked options with the updates.  Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and  unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras.

      1. Launch the Windows Start menu
      2. Click on Programs
      3. Find the Java program listing
      4. Click Configure Java to launch the Java Control Panel
      5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
      6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

      Windows XP

      There has been a lot of recent controversy regarding Java updates for Windows XP.  While Windows XP has reached end of life, Java 7 will continue to be updated until April, 2015.

      Thus, organizations and individuals who must continue using Windows XP and have Java installed can also continue getting updates for Java 7.  It is noted, however, that if an issue arises that is specific to Windows XP, Oracle is not required to and also may not be able to create a patch.  For additional information, refer to the Oracle blog post, The future of Java on Windows XP (Henrik on Java).

      Update

      If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

      Download Information

      Download link:  Java SE 8u25

      Verify your version:  http://www.java.com/en/download/testjava.jsp

      Notes:
      • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
      • Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.  It is not recommended to run untrusted/unsigned Certificates.  See How to protect your computer against dangerous Java Applets

      Critical Patch Updates

      For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
      • 20 January 2015
      • 14 April 2015
      • 14 July 2015
      • 20 October 2015

      Java Security Recommendations

      For those people who have desktop applications that require Java and cannot uninstall it, Java can now be disabled in Internet Explorer.  See Microsoft Fix it to Disable Java in Internet Explorer.

      1)  In the Java Control Panel, at minimum, set the security to high.
      2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

      [Image: Java Control Panel, via Sophos Naked Security Blog]

      3)  If you use Firefox, install NoScript and only allow Java on those sites where it is required.

      Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml



      Microsoft Security Bulletin Release for October 2014


      Microsoft released eight (8) bulletins.  Three (3) bulletins are identified as Critical and five (5) as Important.

      The updates address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, ASP.NET, and Internet Explorer (IE). As a reminder, those who have had problems with .NET updates should install them separately, with a restart between them and other updates.

      Critical:

      • MS14-056 -- Cumulative Security Update for Internet Explorer (2987107)  
      • MS14-057 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) 
      • MS14-058 -- Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) 

      Important:
      • MS14-059 -- Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) 
      • MS14-060 -- Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
      • MS14-061 -- Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) 
      • MS14-062 -- Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) 
      • MS14-063 -- Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)   
      Information on non-security update information can be found in KB 894199.

      Security Advisories


      The following security advisories were released:
      Revised advisories:

      Notes



      The following additional information is provided in the Security Bulletin:




        Adobe Flash Player Critical Security Update


        Adobe has released security updates for Adobe Flash Player Active X version 15.0.0.167 and Plugin version 15.0.0.152 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.406 and earlier versions for Linux.

        These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  The updates to Flash Player are rated Critical.

        Internet Explorer in Windows 8x systems will be updated via Windows Update.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.

        Update Information

        The newest versions are as follows:
        ActiveX for IE and Macintosh version:  15.0.0.189
        Plugin:  15.0.0.189
        Linux: 11.2.202.411
        Users of Adobe AIR 15.0.0.252 and earlier versions for Windows and Macintosh should update to the Adobe AIR 15.0.0.293.

        Release date: October 14, 2014
        Vulnerability identifier: APSB14-22

        CVE number: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
        Platform: All Platforms

        Flash Player Update Instructions

        Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

        It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

          Notes:
          • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
          • Uncheck any toolbar offered with Adobe products if not wanted.
          • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
          • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
          • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.250.
          Adobe Flash Player for Android

          The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

          Verify Installation

          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

          Do this for each browser installed on your computer.

          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



          Mozilla Firefox Version 33.0 Released




          Mozilla sent Firefox Version 33.0 to the release channel.  No security updates are indicated in the Release Notes as having been included.  The Release Notes have not been updated, but courtesy of a friend (thank you, ky331), I learned that the update does indeed include security updates three of which are Critical, four High and two moderate.

          Fixed in Firefox 33

          MFSA 2014-82 Accessing cross-origin objects via the Alarms API
          MFSA 2014-81 Inconsistent video sharing within iframe
          MFSA 2014-80 Key pinning bypasses
          MFSA 2014-79 Use-after-free interacting with text directionality
          MFSA 2014-78 Further uninitialized memory use during GIF
          MFSA 2014-77 Out-of-bounds write with WebM video
          MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
          MFSA 2014-75 Buffer overflow during CSS manipulation
          MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

          What’s New

          • New -- Windows: OMTC enabled by default
          • New -- OpenH264 support (sandboxed)
          • New -- Improved search experience through the location bar
          • New -- Slimmer and faster JavaScript strings
          • New -- Search suggestions on the Firefox Start (about:home) and new tab (about:newtab) pages
          • New -- New CSP (Content Security Policy) backend
          • New -- Support for connecting to HTTP proxy over HTTPS
          • New -- Improved reliability of the session restoration
          • New -- Azerbaijani [az] locale added
          • Changed -- Proprietary window.crypto properties/functions removed
          • Changed -- JSD (JavaScript Debugger Service) removed in favor of the Debugger interface
          • HTML5 -- @counter-style rule from CSS3 Counter Styles specification implemented
          • HTML5 -- DOMMatrix interface implemented
          • Fixed -- Fix incomplete downloads being marked as complete by detecting broken HTTP1.1 transfers (237623)

          Known Issues

          • Unresolved -- PDF.js: With some images, wrong colors could show up. Affects a very small number of PDF
          • Unresolved -- Some certificate errors cannot be overridden (1042889)

          Update

          To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

          If you do not use the English language version, Fully Localized Versions are available for download.








          Friday, October 10, 2014

          Pale Moon Version 25.0 Released

          Pale Moon has released version 25.0, which is a major upgrade from version 24x.

          It is important to note that Pale Moon 25.0 will not run on Windows XP*.  An exception is the specialized Atom build because of limited operating system availability on netbooks and the like. More details on the dedicated page for this change.

          *Update: For those stuck with Windows XP, via Moon Child on the Pale Moon Facebook page,
          "Windows XP users may be happy to know about this fully endorsed version specifically for Windows XP! Both x86 and x64 supported.  Pale Moon for Windows XP - Software - Binary Outcast"

          See this page for Known Incompatible Add-ons - Add-ons - Pale Moon.  Note that although AdBlock Plus is shown as incompatible, it does indeed work.  However, to edit the filters, it is necessary to open the Add-ons tab and click the icon to change filter options.

          Update 2:  Although AdBlock Plus was continuing to block ads for me on Pale Moon version 25 (since I wasn't seeing ads on websites that I know have them) check this out from Adblock Plus (Pseudo-Static) - Add-ons - Pale Moon

          "About: This Pseudo-Static release provides users of Pale Moon a fully functional ABP experience while we work with the Adblock Plus team to get Pale Moon officially supported.

          BEFORE YOU INSTALL PLEASE REMOVE THE MAIN-LINE VERSION AS THEY WILL CONFLICT

          By: Adblock Plus Team (Modified by Pale Moon Add-ons Team)

          Version: 2.4.6-pm
          Compatible with Pale Moon 25.*

          Download"
          Update 3:  See Moon Child's explanation, Why do some extensions no longer work in v25?.

          The list of changes to Pale Moon version 25 is extremely long.  Detailed information about this new version is available in the Announcement.

          Security fixes:

          • Properly derive/insert the host of a URL
          • Avoid negative audio ratios (can lead to crashes) (CVE-2014-1565)
          • Avoid some root hazards in the style parser
          • Add is-object check to IonBuilder::makeCallHelper (CVE-2014-1562)
          • Clear the jumplist icon cache when history is cleared (privacy fix)
          • Crash fix on Windows (JS JIT) (CVE-2014-1554)
          • Prevent buffer overrun in text directionality component (CVE-2014-1567)
          • Update NSS to 3.16.2.1-RTM (CVE-2014-1568)

          Minimum system Requirements (Windows):
          • Windows Vista/Windows 7/Windows 8/Server 2008 or later
          • A processor with SSE2 support
          • 256 MB of free RAM (512 MB or more recommended)
          • At least 150 MB of free (uncompressed) disk space
          Pale Moon includes both 32- and 64-bit versions:

          Update

          To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






          Thursday, October 09, 2014

          Microsoft Security Bulletin Advance Notice for October, 2014

          On Tuesday, October 14, 2014, Microsoft is planning to release nine (9) bulletins.  Three bulletins are identified as Critical, five (5) as Important, and one is rated Moderate in severity.

          These updates are for Microsoft Windows, Internet Explorer, Office, .NET Framework, and ASP.NET.  As usual, my reminder, if you have had problems with .NET Framework in the past, is to install the update(s) separately with a shutdown/restart.

          Reminder

          As has been widely publicized, support ended for Windows XP and Office 2003 on April 8, 2014.  See Tim Rains' article, The Risk of Running Windows XP After Support Ends April 2014. Note also that Microsoft Security Essentials will no longer be available for download for Windows XP.

          As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.









            Monday, October 06, 2014

            Cyber Security Awareness Month


            With the release of the Windows 10 Technical Preview, Cyber Security Awareness Month almost lost focus.  Well, I've set Windows 10 Technical Preview aside for now to share some of the many security resources available not only during October but year round.

            First, however, let's focus on protecting your digital life.

            #NCSAM

            Two-Factor Authentication

            Two-factor Authentication (2FA) or Multi-factor Authentication (MFA) is a method of providing two forms of identification in order to obtain access.  It is comprised of something you know (password, passphrase, PIN) and something you have (SMS code, RSA SecurID).  A third means is something you are, such as your fingerprint or other biometric.

            Why the concern?  It isn't only your email, Facebook or Twitter account that you need to be concerned about protecting.  A more grave concern is protection from identity theft which can occur when someone steals your personal information and uses it without your permission.  Identity theft can result in loss of finances and destroy both your credit history and reputation and is not easy to recover from.

            It is the very information that is accessible from your email account and shared on social media sites that, if compromised, can result in identity theft.  Two-factor authentication is a means of protecting that information.
            1. Although you've heard this before, it bears repeating.  Start with a strong password and use a different password for each site.  (See Tips for creating a strong password.)  This becomes the something you know.

            2. The next step in enabling two-factor authentication requires setting up your account for the something you have, a code sent to your cell phone or to an alternate email address. 

              With your Microsoft Account used not only for email but also other Microsoft apps and services, it is one of the first places to start.  Fortunately, setting up two-factor authentication for your Microsoft Account is easy.  Numerous references are available from my earlier blog post here.
            For sites that still use the archaic "challenge question" method to verify your identity, please see this advice in Bits from Bill, Your Email Password is a Target.

            It is equally important to protect any files stored in the cloud.  If you use a Microsoft or Google account, Office 365, Dropbox, Facebook, or Twitter, see Ed Bott's step-by-step instructions in Make your cloud safer: How to enable two-factor authentication for the most popular cloud services.  Also check the Two Factor Auth List to find out which sites support two-factor authentication.

            Cyber Security Awareness Month Resources

            The United States isn't the only country supporting cyber security awareness.   Canada and the European Union are also involved in promoting cyber security awareness month.  Visit their sites along with the others listed below and


