Tuesday, December 12, 2017

Microsoft Security Updates for December, 2017



The December security release consists of 32 security updates, of which 20 are rated Critical and 12 Important. The release includes security updates for the following software: 
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Services and Web Apps
  • Microsoft Exchange Server
  • ChakraCore
  • Microsoft Malware Protection Engine 
The updates address Remote Code Execution, Information Disclosure, "Defense in Depth" (Note:  a "Defense-in-Depth" fix does not address an actively exploitable vulnerability; it hardens code so that a later change to the surrounding code cannot turn the latent problem into a new vulnerability.), Security Feature Bypass, Spoofing and Denial of Service.

For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Also see this month's Zero Day Initiative — The December 2017 Security Update Review by Dustin Childs in which he discusses several of the patches.

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users concerned about the remote possibility of a false positive (FP) can run the tool from a Command Prompt with the /N parameter ("detect only" mode); in that mode it reports any malware found but removes nothing.
  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Adobe Flash Player and AIR Security Update


Adobe has released Version 28.0.0.126 of Adobe Flash Player and Version 28.0.0.127 of Adobe AIR.  The update addresses CVE-2017-11305, a regression that could lead to the unintended reset of the global settings preference file.

Release date:  December 12, 2017
Vulnerability identifier: APSB17-42
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any extras you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










    Thursday, December 07, 2017

    Mozilla Firefox Version 57.0.2 Released


    Mozilla sent yet another update for Firefox Version 57 to the release channel, Version 57.0.2.

    Fixed

    • Block old versions of G Data Endpoint Security for crashing Firefox on start up - Windows only (bug 1421991)
    • Fix a regression with WebGL and D3D9 - Windows only

      Update:

      To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


      Thursday, November 30, 2017

      Mozilla Firefox Version 57.0.1 Released


      Mozilla sent Firefox Version 57.0.1 to the release channel.

      Update:  This release also includes three security fixes, one rated Critical and two rated High.


      Security vulnerabilities fixed in Firefox 57.0.1
      Critical:
       High:

      Fixed

      • Fix a video color distortion issue on YouTube and other video sites with some AMD devices (bug 1417442)
      • Fix an issue with prefs.js when the profile path has non-ASCII characters (bug 1420427)
      • Various security fixes
      • Fix Google Maps crashes on OS X with Intel HD Graphics 3000

      Changed

      • Block injection of a client library associated with the RealPlayer Free player which is known to cause performance problems in Firefox. (Bug 1418535)
        Update:

        To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


        Tuesday, November 28, 2017

        Pale Moon Version 27.6.2 Released


        Pale Moon has been updated to Version 27.6.2. This is a security and minor bugfix update. Details from the Release Notes:

        Changes/fixes:
        • Implemented the concept of so-called "cookie-averse document objects", a security and privacy measure that blocks certain web content from setting cookies. This mitigates cookie injection, which may help against "hidden" cookie tracking.
        • Mitigated some domain name spoofing through IDN using dotless i and dotless j with accents. (CVE-2017-7832)
          Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar. (See Identity Panel below)*
          Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
        • Fixed an issue with mixed-content blocking. (CVE-2017-7835)
        • Added an extra check for the correct signature data type on certificates.
        • Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
        • Fixed several crashes and memory safety hazards.
        *Identity Panel

        If you are visiting a phishing site using an IDN (International-character Domain Names) to try and spoof the original domain, this identity panel, since 27.3.0, will clearly display the "raw" code of the IDN (also called "punycode", a domain starting with "xn--") instead of what the site is trying to spoof:

        [Screenshot: the identity panel showing a spoofed IDN domain in its raw punycode (xn--) form]


         Minimum system requirements (Windows):
        • Windows Vista/Windows 7/8/10/Server 2008 or later
        • Windows Platform Update (Vista/7) strongly recommended
        • A processor with SSE2 instruction support
        • 256 MB of free RAM (512 MB or more recommended)
        • At least 150 MB of free (uncompressed) disk space
        Pale Moon includes both 32- and 64-bit versions for Windows.

        Update

        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






        Tuesday, November 14, 2017

        Microsoft Security Updates for November, 2017



        The November security release consists of 53 security updates, of which 20 are rated Critical, 30 Important and 3 Moderate. The release includes security updates for the following software:
        • Internet Explorer
        • Microsoft Edge
        • Microsoft Windows
        • Microsoft Office and Microsoft Office Services and Web Apps
        • ASP.NET Core and .NET Core
        • Chakra Core
        The updates address Remote Code Execution, Information Disclosure, "Defense in Depth" (Note:  a "Defense-in-Depth" fix does not address an actively exploitable vulnerability; it hardens code so that a later change to the surrounding code cannot turn the latent problem into a new vulnerability.), Denial of Service, Security Feature Bypass, Spoofing and Elevation of Privilege.

        For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

        Also see this month's Zero Day Initiative — The November 2017 Security Update Review by Dustin Childs in which he discusses ADV170020 - Microsoft Office Defense in Depth Update, CVE-2017-11830 - Device Guard Security Feature Bypass Vulnerability and CVE-2017-11877 - Microsoft Excel Security Feature Bypass Vulnerability.

        Known Issues

          Additional Update Notes

          • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
          • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
            Note:  Users concerned about the remote possibility of a false positive (FP) can run the tool from a Command Prompt with the /N parameter ("detect only" mode); in that mode it reports any malware found but removes nothing.
          • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.






            Adobe Shockwave Player Critical Update

            Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves a critical memory corruption vulnerability that could lead to code execution.

            Although I have yet to need Shockwave Player on this computer, there are still many people who use it.  If you have Shockwave Player installed, please update to the latest version.

            Release date: November 14, 2017
            Vulnerability identifier: APSB17-40
            CVE number: CVE-2017-11294
            Platform: Windows

            The newest version 12.3.1.201 is available here: http://get.adobe.com/shockwave/.  As usual, watch for any pre-checked add-ons not needed for the update.


            Adobe Reader DC and Adobe Acrobat DC Security Updates Released


            Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  In addition, although Adobe Reader XI reached end-of-life last month, an update has also been released for it.  These updates address critical vulnerabilities that could allow an attacker to take control of the affected system.

            Release date:  November 9, 2017
            Vulnerability identifier: APSB17-36
            Platform: Windows and Macintosh

            Update or Complete Download

            Update checks can be started manually by choosing Help > Check for Updates.  Reader DC and Acrobat DC are both updated to version 2018.009.20044; the unexpected update for Adobe Reader XI keeps it on the version 11 line.
            Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.









            Adobe Flash Player Critical Security Update


            Adobe has released Version 27.0.0.187 of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to code execution on Microsoft Windows, Macintosh, Linux and Chrome OS.  The update also includes bug fixes.

            Release date:  November 14, 2017
            Vulnerability identifier: APSB17-33
            Platform: Windows, Macintosh, Linux and Chrome OS

            Update:

            *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any extras you do not want.  They are not needed for the Flash Player update.

              Verify Installation

              To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

              Do this for each browser installed on your computer.

              To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










              Mozilla Firefox Version 57.0 Released with Security Updates


              Mozilla sent Firefox Version 57.0 to the release channel today.  The update includes four (4) security fixes: 1 Critical, 1 High, 1 Moderate and 1 Low.

              Update:  Firefox ESR version 52.5 has been released.

              With this release, "legacy" (XUL-based) add-ons no longer function.  This update moves the add-ons system to the WebExtensions API, and the Mozilla Add-ons portal lists only WebExtensions-compatible add-ons by default.  Legacy extensions are listed separately under Tools > Add-ons.  From there, click "Find a Replacement" and check the three pages of available extensions.

              In addition, this update introduces the new Quantum engine (Firefox Quantum), which replaces parts of the familiar Gecko engine.

              Security Updates
              • Critical Vulnerability: Can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
              • High Vulnerability:  Can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
              • Moderate:  Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
              • Low:  Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

              New

              • A completely new browsing engine, designed to take full advantage of the processing power in modern devices
              • A redesigned interface with a clean, modern appearance, consistent visual elements, and optimizations for touch screens
              • A unified address and search bar. New installs will see this unified bar. Learn how to add the stand-alone search bar to the toolbar
              • A revamped new tab page that includes top visited sites, recently visited pages, and recommendations from Pocket (in the US, Canada, and Germany)
              • An updated product tour to orient new and returning Firefox users
              • AMD VP9 hardware video decoder support for improved video playback with lower power consumption
              • An expanded section in preferences to manage all website permissions

              Changed

              • Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work. Learn more about our efforts to improve the performance and security of extensions
              • The browser's autoscroll feature, as well as scrolling by keyboard input and touch-dragging of scrollbars, now use asynchronous scrolling. These scrolling methods are now similar to other input methods like mousewheel, and provide a smoother scrolling experience
              • The content process now has a stricter security sandbox that blocks filesystem reading and writing on Linux, similar to the protections for Windows and macOS that shipped in Firefox 56
              • Middle mouse paste in the content area no longer navigates to URLs by default on Unix systems
              • Removed the toolbar Share button. If you relied on this feature, you can install the Share Backported extension instead.
              • Some older versions of the ATOK IME, including ATOK 2006, 2008, 2009 and 2010, can cause crashes and are therefore disabled on the Windows 64-bit version of Firefox Quantum. To fix those incompatibility issues, please use a newer version of ATOK or another IME.
              • The default font for Japanese text is now Meiryo

                Update:

                To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                Friday, November 10, 2017

                Lest We Forget

                Whether you call it Veteran's Day, Armistice Day or Remembrance Day, November 11th is a time to put aside politics and pay tribute to all who died for their country.  It is also a perfect time to thank the Veterans in whatever country you live in. 

                As in previous years, I am republishing my friend Canuk's last tribute and, once again, adding a special thank you to my friends "Phantom Phixer" and "Ghost".

                The comment Canuk posted provides one example of why he was a special person:
                "I too "will remember your friends who never had a full life", while thanking you and your comrades who have served with pride, honesty and honour.

                Despite anyone's thoughts of the current conflict in Iraq - opposition or agreement, we must always remember that these brave young men and women are fighting for a cause they also may or may not agree with. The huge difference between them and us is that they are putting their lives on the line 24/7 while we sit in our homes in comfort, using the freedom of speech previous warriors won for us, and for that they deserve our love, respect, and support."
                LEST WE FORGET




                We Shall Keep the Faith by Moina Michael, November 1918

                Oh! you who sleep in Flanders Fields,
                Sleep sweet - to rise anew!
                We caught the torch you threw
                And holding high, we keep the Faith
                With All who died.

                We cherish, too, the poppy red
                That grows on fields where valor led;
                It seems to signal to the skies
                That blood of heroes never dies,
                But lends a lustre to the red
                Of the flower that blooms above the dead
                In Flanders Fields.

                And now the Torch and Poppy Red
                We wear in honor of our dead.
                Fear not that ye have died for naught;
                We'll teach the lesson that ye wrought
                In Flanders Fields.

                Flags courtesy of 3DFlags.com












                Tuesday, November 07, 2017

                Pale Moon Version 27.6.0 Released With Security Updates


                Pale Moon has been updated to Version 27.6.0. This is a major development update. Details from the Release Notes:

                Security/privacy fixes:
                • Added an option to clear Site Connectivity Data (delete history).
                • Removed stale entries from the HSTS preload list, and improved generation/processing of it.
                • Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
                • Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
                • Worked around some more issues with broken Apple fonts.
                Changes/fixes:

                • Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
                • Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
                • Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
                • Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
                  (enjoy your LOLcats again!)
                • Changed automatic updates over to the new infrastructure.
                • Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
                • Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
                • Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
                • Improved upmixing of mono sound for multi-channel setups.
                • Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
                • Fixed "Remove from history" function from the downloads panel.
                • Forced focus on the address bar in new windows if the content is a blank/empty document.
                • Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
                • Further cleaned up the status bar code.
                • Disabled window.showModalDialog; it was removed from the spec two years ago and has potential abuse issues (modal dialogs block the UI).
                • Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
                • Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
                • Updated WOFF2 code from upstream.
                • Updated the zlib compression library.
                • Made general improvements to internal code structure and spec adherence.
                • Fixed an issue with certain command-line parameters being used.
                • Updated the default theme to improve consistency and contrast of toolbar and download buttons.
                • Increased the default duration of notification pop-ups and made them configurable.
                • Improved handling of audio-visual media (ongoing).
                • Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
                • Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
                • Fixed the selection system inside of a nested contenteditable element being broken.
                • Fixed Windows 10 detection for blocklisting graphics drivers.
                • Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
                • Fixed the uninstallation routine of restartless add-ons.
                • Fixed the handling of unimplemented functions in the console API.
                • Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
                • Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
                 Minimum system requirements (Windows):
                • Windows Vista/Windows 7/8/10/Server 2008 or later
                • Windows Platform Update (Vista/7) strongly recommended
                • A processor with SSE2 instruction support
                • 256 MB of free RAM (512 MB or more recommended)
                • At least 150 MB of free (uncompressed) disk space
                Pale Moon includes both 32- and 64-bit versions for Windows.

                Update

                To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.






                Thursday, October 26, 2017

                Mozilla Firefox Version 56.0.2 Released


                Mozilla sent Firefox Version 56.0.2 to the release channel today.  The update includes several bug fixes.  The release notes do not mention the previously listed unresolved issues.

                Firefox ESR remains at version 52.4.0.

                Fixed

                    Previously Listed Unresolved Issues

                    • Due to a bug in Mac OS X High Sierra, fullscreen mode has some issues
                    • Startup crash with RelevantKnowledge adware installed. Firefox Support has helpful instructions to remove it.
                    • Startup crashes with 64-bit Firefox on Windows 7, for users of Lenovo's "OneKey Theater" software for IdeaPad laptops. To fix this crash, please re-install 32-bit Firefox.
                    • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release

                    Update:

                    To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


                    Wednesday, October 25, 2017

                    Another Adobe Flash Player Update


                    Adobe has released Version 27.0.0.183 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                    The update does not include any security fixes.  Rather, it corrects an important functional issue affecting Flex content.  If you are affected, installing the update is recommended.  For those who have selected 'Allow Adobe to install updates', the update is automatic.

                    Update:

                    *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any extras you do not want.  They are not needed for the Flash Player update.

                      Verify Installation

                      To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                      Do this for each browser installed on your computer.

                      To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.










                      Saturday, October 21, 2017

                      Adobe Reader XI and Acrobat XI -- End-of-Life


                      Adobe provides product support for five years from the general availability date of Adobe Acrobat and Adobe Reader.  That five-year mark was October 15, 2017, so Adobe Reader XI and Acrobat XI have reached end-of-life.  Adobe will no longer provide technical support for those products, and, more importantly, no further product or security updates.

                      If either or both of these programs are installed on your computer it is strongly advised that you uninstall them as soon as possible.  If you wish to stay with Adobe products, the Adobe Acrobat Reader DC can be downloaded from here.
                      Note: UNcheck any pre-checked additional options presented with the download. They are not part of the software and are completely optional.
                      If you use Windows 10, Microsoft Edge works great to read PDF documents.  In addition, new features are included in the Windows 10 Fall Creators Update.   See How Microsoft Edge will beat Chrome as the best PDF reader with the Fall Creators Update for additional information.

                      Another alternative is Sumatra PDF:
                      "Sumatra PDF is a free PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, Comic Book (CBZ and CBR) reader for Windows.
                      Sumatra PDF is powerful, small, portable and starts up very fast.
                      Simplicity of the user interface has a high priority."

                      h/t ky331

                      References

                      Adobe Acrobat XI and Adobe Reader XI End of Support
                      Adobe Support Lifecycle Policy









                      Wednesday, October 18, 2017

                      Oracle Java Critical Security Updates Released


                      Oracle released the scheduled Critical Patch Update for its Java SE Runtime Environment software.  The update contains 22 new security fixes for Oracle Java SE.  Twenty-two (22) of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials.

                      Update

                      If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

                      Download Information

                      Java SE 8u151/ 8u152
                      Java™ SE Development Kit 8, Update 151 Release Notes
                      Java™ SE Development Kit 8, Update 152 Release Notes
                      Java SE Runtime Environment 8 - Downloads

Java SE 9.0.1  (64-bit only)
                      Java™ SE Development Kit 9.0.1 Release Notes
                      Java SE Runtime Environment 9 - Downloads
                      Notes:
                      • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
                      • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
• Verify your version: http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version instead by opening a cmd window and entering the following (note the space following java):  java -version

                      Critical Patch Updates

                      For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:
                      • 16 January 2018
                      • 17 April 2018
                      • 17 July 2018
                      • 16 October 2018

                      Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

                      Do the following to suppress the sponsor offers:
                      1. Launch the Windows Start menu
                      2. Click on Programs
                      3. Find the Java program listing
                      4. Click Configure Java to launch the Java Control Panel
                      5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
                      6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

                      Java Security Recommendations

                      1)  In the Java Control Panel, at minimum, set the security to high.
                      2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

                      3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml
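As an added example (not part of the original post and not an Oracle tool), the following PowerShell script inventories the Java installations registered on a Windows machine, flags any below the 8u151 / 9.0.1 level given above, and prints the two deployment.properties settings behind recommendations 1) and 2). It assumes Oracle's usual uninstall display names ("Java 8 Update 151", "Java 9.0.1 (64-bit)", "Java SE Development Kit ...") and the standard per-user deployment.properties location.

```powershell
# Added example, not from the original post or from Oracle: list registered Java
# installations and flag those below the patch level named in the post (8u151 / 9.0.1).
# Assumes Oracle's usual display names; anything else is reported for manual checking.
$MinUpdate8  = 151
$MinVersion9 = [version]'9.0.1'

function Get-JavaPatchStatus {
    param([string]$DisplayName)
    # "Java 8 Update 151", "Java 7 Update 80", "Java SE Development Kit 8 Update 151"
    if ($DisplayName -match 'Java\D*(\d+) Update (\d+)') {
        $major = [int]$Matches[1]; $update = [int]$Matches[2]
        if ($major -lt 8)            { return "OUTDATED: Java $major is no longer maintained, remove" }
        if ($update -lt $MinUpdate8) { return "OUTDATED: below 8u$MinUpdate8" }
        return 'OK'
    }
    # "Java 9.0.1 (64-bit)", "Java SE Development Kit 9.0.1 (64-bit)"
    if ($DisplayName -match 'Java\D*(9(?:\.\d+)+)') {
        if ([version]$Matches[1] -lt $MinVersion9) { return "OUTDATED: below $MinVersion9" }
        return 'OK'
    }
    return 'UNRECOGNISED: confirm with "java -version"'
}

# Read both hives so 32-bit runtimes on 64-bit Windows are not missed.
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java(\s|$)' -and $_.DisplayName -notmatch 'Auto Updater' } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Get-JavaPatchStatus $_.DisplayName
        }
    } | Format-Table -AutoSize

# Recommendations 1) and 2) are stored in the per-user deployment.properties file
# (assumed standard path). Expect deployment.security.level=HIGH (or VERY_HIGH)
# and deployment.webjava.enabled=false once both have been applied.
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path $props) {
    Get-Content $props |
        Where-Object { $_ -match '^(deployment\.security\.level|deployment\.webjava\.enabled)=' }
} else {
    Write-Output "No deployment.properties found at $props (Java Control Panel defaults apply)."
}
```

Run it from an elevated PowerShell prompt so both registry hives are readable; any entry marked OUTDATED is a candidate for the removal instructions linked in 3).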






                      Monday, October 16, 2017

                      Adobe Flash Player Out-of-Band Critical Security Update


                      Adobe has released Version 27.0.0.170 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                      The critical update addresses a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

                      Release date:  October 16, 2017
                      Vulnerability identifier: APSB17-32
                      CVE Numbers:   CVE-2017-11292
                      Platform: Windows, Macintosh, Linux and Chrome OS

                      Update:

                      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                        Verify Installation

                        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                        Do this for each browser installed on your computer.

                        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.











                        Tuesday, October 10, 2017

                        Microsoft Security Updates for October, 2017



The October security release consists of 62 security updates, of which 27 are listed as Critical and 35 are rated Important, for the following software. In particular, note that one CVE in Microsoft Office is listed as under active attack, and two other CVEs are listed as publicly known prior to release.
                        • Internet Explorer
                        • Microsoft Edge
                        • Microsoft Windows
                        • Microsoft Office and Microsoft Office Services and Web Apps
                        • Skype for Business and Lync
                        • Chakra Core

                          Known Issues
The updates address Remote Code Execution, Information Disclosure, "Defense in Depth", Security Feature Bypass and Elevation of Privilege. Note:  "Defense-in-Depth" is a fix that does not apply to an actively exploitable vulnerability but prevents future vulnerabilities caused by the same code when surrounding code changes expose the problem.  In addition, Windows 10 1511 support ends today.

                          For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

                          CVEs addressed by Microsoft this month that deserve extra attention are discussed in Zero Day Initiative — The October 2017 Security Update Review by Dustin Childs.

                            Additional Update Notes

                            • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
                            • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
                              Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
                            • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.







                              Adobe Flash Player Updates


                              Adobe has released Version 27.0.0.159 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

                              These updates address functionality bugs.

                              Release date:  October 10, 2017
                              Vulnerability identifier: APSB17-31
                              CVE Numbers:   None
                              Platform: Windows, Macintosh, Linux and Chrome OS

                              Update:

                              *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

                                Verify Installation

                                To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

                                Do this for each browser installed on your computer.

                                To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.











                                Pale Moon 27.5.1 Released


                                Pale Moon has been updated to Version 27.5.1. This is a security and stability update.

                                The security updates include DiD ("Defense-in-Depth") fixes.  This means that it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

                                Details from the Release Notes:

                                Changes/fixes:
• Changed the default Windows 10 styling when no accent color is applied to black-on-white.
                                • Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
                                • Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
                                • Fixed a crash in the media subsystem.
                                • Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
Security fixes:
                                • Updated libhyphen to the latest upstream code to fix a security issue.
                                • Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
                                • Updated NSS to 3.32.1-RTM.
                                • Worked around some more issues with Mac fonts (CVE-2017-7825).
                                • Fixed a potential rooting hazard in NPAPI plugin code. DiD
                                • Fixed a potential reference issue in JavaScript arrays. DiD
                                Minimum system Requirements (Windows):
                                • Windows Vista/Windows 7/8/10/Server 2008 or later
                                • Windows Platform Update (Vista/7) strongly recommended
                                • A processor with SSE2 instruction support
                                • 256 MB of free RAM (512 MB or more recommended)
                                • At least 150 MB of free (uncompressed) disk space
                                Pale Moon includes both 32- and 64-bit versions for Windows:

                                Update

                                To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.



