Alerts

Thunderbird 38.4 released

FYI...

Thunderbird 38.4 released

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to Help > About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/38.4.0/releasenotes/
Nov 23, 2015

Fixed in Thunderbird 38.4
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

- https://www.mozilla.org/en-US/thunderbird/releases/

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1034260
CVE Reference: CVE-2015-4513, CVE-2015-7189, CVE-2015-7193, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
Nov 26 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Thunderbird version 38.4.0 ...

:fear:
 
Apple updates - Dec 8, 2015

FYI...

> https://support.apple.com/en-us/HT201222

iOS 9.2
- https://support.apple.com/en-us/HT205635
Dec 8, 2015 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
- http://www.securitytracker.com/id/1034348
CVE Reference: CVE-2015-7037, CVE-2015-7051, CVE-2015-7055, CVE-2015-7069, CVE-2015-7070, CVE-2015-7072, CVE-2015-7079, CVE-2015-7080, CVE-2015-7093, CVE-2015-7113
Dec 9 2015
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.2 ...

Safari 9.0.2
- https://support.apple.com/en-us/HT205639
Dec 8, 2015 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1 ..."
- http://www.securitytracker.com/id/1034341
CVE Reference: CVE-2015-7048, CVE-2015-7050, CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099, CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104
Dec 9 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0.2 ...

OS X El Capitan 10.11.2 and Security Update 2015-008
- https://support.apple.com/en-us/HT205637
Dec 8, 2015 - "Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.29, the most serious of which may have led to remote code execution. These were addressed by updating PHP to version 5.5.30..."
- http://www.securitytracker.com/id/1034344
CVE Reference: CVE-2012-1147, CVE-2012-1148, CVE-2015-5333, CVE-2015-5334, CVE-2015-7001, CVE-2015-7038, CVE-2015-7039, CVE-2015-7040, CVE-2015-7041, CVE-2015-7042, CVE-2015-7043, CVE-2015-7044, CVE-2015-7045, CVE-2015-7046, CVE-2015-7047, CVE-2015-7052, CVE-2015-7053, CVE-2015-7054, CVE-2015-7058, CVE-2015-7059, CVE-2015-7060, CVE-2015-7061, CVE-2015-7062, CVE-2015-7063, CVE-2015-7064, CVE-2015-7065, CVE-2015-7066, CVE-2015-7067, CVE-2015-7068, CVE-2015-7071, CVE-2015-7073, CVE-2015-7074, CVE-2015-7075, CVE-2015-7076, CVE-2015-7077, CVE-2015-7078, CVE-2015-7081, CVE-2015-7083, CVE-2015-7084, CVE-2015-7094, CVE-2015-7105, CVE-2015-7106, CVE-2015-7107, CVE-2015-7108, CVE-2015-7109, CVE-2015-7110, CVE-2015-7111, CVE-2015-7112
Dec 9 2015
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix.

Xcode 7.2
- https://support.apple.com/en-us/HT205642
Dec 8, 2015 - "Available for: OS X Yosemite v10.10.5 or later..."
- http://www.securitytracker.com/id/1034340
CVE Reference: CVE-2015-7049, CVE-2015-7056, CVE-2015-7057, CVE-2015-7082
Dec 9 2015
Impact: Execution of arbitrary code via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (7.2).

tvOS 9.1
- https://support.apple.com/en-us/HT205640
Dec 8, 2015 - "Available for: Apple TV (4th generation)..."

watchOS 2.1
- https://support.apple.com/en-us/HT205641
Dec 8, 2015 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes..."
___

- https://www.us-cert.gov/ncas/current-activity/2015/12/08/Apple-Releases-Multiple-Security-Updates
Dec 08, 2015

:fear::fear:
 
WordPress 4.4 update breaks itself

FYI...

WordPress 4.4 update breaks itself with SSL certificate problem...
- http://myonlinesecurity.co.uk/wordp...oblem-unable-to-get-local-issuer-certificate/
Dec 9, 2015 - "WordPress 4.4 has just been released and it is highly recommended to update. BUT it is -broken- on many servers. The update will go OK -but- it will also update the SSL certificate bundle that WordPress uses to update itself, the themes and plugins. The certificate bundle appears to be damaged-or-incorrect and stops any WP updates. You will get a message saying http_request_failed: “SSL certificate problem: unable to get local issuer certificate” whenever you try to do anything involving WordPress updates, updating or installing themes or plugins, or using Jetpack features like stats or sharing etc. The error screen will look something like this. It doesn’t matter what plugin or theme you try to update; the error message will be similar:
>> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/ssl-update-error.png
... found this post on WordPress support that does fix the problem. All my WP sites gave me the SSL warning until I used the certificate bundle from that post:
- https://wordpress.org/support/topic/cant-update-wordpress-ssl-certificate-problem-error14090086s
... until WordPress fixes/updates themselves, you should manually do this yourself...
WordPress could send out a hotfix of some sort now to make this update... - Derek"
___

WordPress hosting service WP Engine has been hacked
- http://www.theinquirer.net/inquirer/news/2438804/wordpress-hosting-service-wp-engine-has-been-hacked
Dec 10 2015

- https://wpengine.com/support/infosec/
Security Update: "Update 12/13/2015 1:00pm Central: WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available..."

:fear::fear:
 
Adblock Plus 2.7 for Firefox released

FYI...

Adblock Plus 2.7 for Firefox released
- https://adblockplus.org/releases/adblock-plus-27-for-firefox-released
2015-12-15 - "... In order to support multiple processes properly we had to implement massive changes to the core functionality of Adblock Plus. These changes should have almost no visible effect other than improved performance however.
Visible changes:
- If pop-ups are blocked after the redirect, the pop-up window will actually be closed and not merely prevented from loading (issue 443).
- The diagnostic page under chrome://adblockplus/content/errors.html has been removed, it was of very limited use (issue 3357).
Known issues:
- Element hiding functionality isn’t working on Mac OS X when multi-process mode is enabled (bug 1187099). Given the lack of progress on Mozilla’s side, we will have to come up with some work-around later on.
- Issue reporter doesn’t create screenshots when multi-process mode is enabled (issue 3375). To be addressed in the next release.
- “Unsafe CPOW usage” warnings will still show up in Error Console sometimes when multi-process mode is enabled, most prominently when using the list of blockable items (issue 3407). To be addressed in the next release.
- Selection in the list of blockable items isn’t remembered reliably when multi-process mode is enabled (issue 3259). To be addressed in the next release."

:fear::fear:
 
Thunderbird 38.5 released

FYI...

Thunderbird 38.5 released

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to Help > About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/38.5.0/releasenotes/
Dec 23, 2015

Fixed in Thunderbird 38.5
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.5
2015-149 Cross-site reading attack through data and view-source URIs
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-139 Integer overflow allocating extremely large textures
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

- https://www.mozilla.org/en-US/thunderbird/releases/

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

Version 38.5.1
- https://www.mozilla.org/en-US/thunderbird/38.5.1/releasenotes/
Jan 7, 2016

What’s New:
Changed: Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
Known Issues:
unresolved: Windows XP SP2 will no longer install Thunderbird (workaround: Install Thunderbird 38.5.0 then update)

:fear:
 
WordPress 4.4.1 released

FYI...

WordPress 4.4.1 Security and Maintenance Release
- https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Jan 6, 2016 - "WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised... There were also several non-security bug fixes..."

- https://wordpress.org/download/

> https://www.us-cert.gov/ncas/current-activity/2016/01/06/WordPress-Releases-Security-Update
Jan 6, 2016
___

- http://www.securitytracker.com/id/1034622
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
Jan 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.4.1 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.4.1)...

:fear::fear:
 
QuickTime 7.7.9 released

FYI...

QuickTime 7.7.9 released
- https://support.apple.com/en-us/HT205638
Jan 7, 2016

Download:
- https://www.apple.com/quicktime/download/
... for Windows Vista or Windows 7
___

- http://www.securitytracker.com/id/1034610
CVE Reference: CVE-2015-7085, CVE-2015-7086, CVE-2015-7087, CVE-2015-7088, CVE-2015-7089, CVE-2015-7090, CVE-2015-7091, CVE-2015-7092, CVE-2015-7117
Jan 8 2016
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.9 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (7.7.9)...
___

... fails to install plug-in on Firefox - unless this procedure is followed:

1. Download QT 7.7.9 from:
> https://www.apple.com/quicktime/download/
... save download where you want.
2. Double-click the .exe file.
3. Choose "Custom" install.
4. See "Optional Quicktime Features" and choose "QuickTime Web Plugin" (eliminate the red-x).
5. Choose "Next" and the upgrade/install should complete OK. If you don't do this in the recommended sequence, it will -fail- to install the plug-in for Firefox - likely other browsers, too.

:fear:
 
Adblock Plus 2.7.1 for Firefox released

FYI...

Adblock Plus 2.7.1 for Firefox released
- https://adblockplus.org/releases/adblock-plus-271-for-firefox-released
2016-01-19
"With this release Adblock Plus becomes fully compatible with the upcoming multi-process mode in Firefox, it no longer relies on backwards compatibility hacks in Firefox (issue 3259, issue 3407, issue 3449, issue 3465, issue 3486, issue 3494). This also means that the screenshot functionality in Issue Reporter is fully functional now (issue 3375), and also quite fast (issue 3504).
- Additional changes:
Improved performance: patterns.ini was being saved way more often than necessary (issue 3473).
$ping filter option is back and will especially apply to requests sent via navigator.sendBeacon() (issue 3452).
Requests produced by <img srcset> and <picture> will be assigned type image (issue 3459).
Requests produced by the Fetch API will be assigned type xmlhttprequest (issue 3459).
genericblock and generichide types will no longer show up in the filter assistant (issue 3478).
Removed non-standard JavaScript syntax, which caused warnings in Firefox Aurora and Nightly builds (issue 1434, issue 3418, issue 3421, issue 3502, issue 3505).
Fixed: Previously disabled and removed filter is still disabled when added back (issue 3451).
- Regressions fixed:
As the previous release changed Adblock Plus quite drastically, it inevitably introduced some issues. As far as we know, all of these have been resolved:
Pop-up blocking doesn’t catch redirects to a different domain (issue 3458).
Issue Reporter gets stuck if filter subscriptions need updating (issue 3461, issue 3464).
Screenshot marker in Issue Reporter is no longer red (issue 3503).
Fixed image preview in Blockable Items tooltip (issue 3491).
- Known issues:
Element hiding functionality isn’t working on Mac OS X when multi-process mode is enabled (bug 1187099). Mozilla is working on this..."

:fear::fear:
 
Apple software updates

FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.2.1 released
- https://support.apple.com/en-us/HT205732
Jan 14, 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.."
- http://www.securitytracker.com/id/1034737
CVE Reference: CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728, CVE-2016-1730
Jan 20 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.2.1
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can read and write cookies on the target user's system.
Solution: The vendor has issued a fix (9.2.1)...

Safari 9.0.3 released
- https://support.apple.com/en-us/HT205730
Jan 15, 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.2..."

OS X El Capitan 10.11.3 and Security Update 2016-001
- https://support.apple.com/en-us/HT205731
Jan 19, 2016
- http://www.securitytracker.com/id/1034736
CVE Reference: CVE-2015-7995, CVE-2016-1716, CVE-2016-1717, CVE-2016-1718, CVE-2016-1719, CVE-2016-1720, CVE-2016-1721, CVE-2016-1722, CVE-2016-1729
Jan 20 2016
Impact: A local user can obtain kernel-level or root privileges on the target system.
Solution: The vendor has issued a fix (10.11.3; Security Update 2016-001).
___

- https://www.us-cert.gov/ncas/curren...curity-Updates-iOS-OS-X-El-Capitan-and-Safari
Jan 19, 2016

:fear::fear::fear:
 
WordPress 4.4.2 released

FYI...

WordPress 4.4.2 - Security and Maintenance Release
- https://wordpress.org/news/
Feb 2, 2016 - "WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs... and an open redirection attack...
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes..."

Release notes
- https://codex.wordpress.org/Version_4.4.2

List of changes
- https://core.trac.wordpress.org/query?milestone=4.4.2

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current-activity/2016/02/02/WordPress-Releases-Security-Update
Feb 02, 2016
___

- http://www.securitytracker.com/id/1034933
CVE Reference: CVE-2016-2221, CVE-2016-2222
Feb 4 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.4.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (4.4.2)...

:fear::fear:
 
Adblock Plus 1.10.1 for Chrome, Opera and Safari released

FYI...

Adblock Plus 1.10.1 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-1101-for-chrome-opera-and-safari-released
2016-02-03 - "This is an emergency bugfix release, fixing a regression that was introduced in the previous release and broke compatibility with Chrome 37, Opera 24, and earlier versions (issue 3580)...
Install Adblock Plus 1.10.1 for Chrome
Install Adblock Plus 1.10.1 for Opera
Install Adblock Plus 1.10.1 for Safari (Safari 6 or higher required)...

Besides that and some changes under the hood, this release fixes the following minor bugs:
Subscription links caused the options page to be opened twice (issue 3153).
The “Block element” option wasn’t shown in icon popup while page was loading (issue 3472)."

:fear::fear:
 
Adblock Plus 2.7.2 for Firefox

FYI...

Adblock Plus 2.7.2 for Firefox released
- https://adblockplus.org/releases/adblock-plus-272-for-firefox-released
2016-02-23
Install Adblock Plus 2.7.2 for Firefox
"This release works around some obscure Firefox bugs which Adblock Plus has been triggering since Adblock Plus 2.7 release (visible for example as issue 3489, issue 3541, bug 1127744).
Additional changes
Closed a pop-up blocking loophole misused by some websites (issue 3568).
Fixed tooltip display for very long filters (issue 1950)."

:fear:
 
Apple - OS X update broke Ethernet port on some Macs

FYI...

Apple confirms OS X update broke Ethernet port on some Macs, here’s how to fix ...
- http://9to5mac.com/2016/02/28/apple...-ethernet-port-on-some-macs-heres-how-to-fix/
"... Read the -full- steps on Apple’s Support Site* and take care not to delete anything but the file in question. If you don’t mind losing data, it may be simpler to use Recovery Mode to just Reinstall OS X. This will fix the problem when OS X is started afresh, but obviously has the big downside of deleting other data. Make sure you have recent -backups- in any case."
* https://support.apple.com/en-us/HT205956
Last Modified: Mar 4, 2016

:fear::fear:
 
WordPress plugin backdoor

FYI...

WordPress plugin backdoor
- https://www.helpnetsecurity.com/201...lugin-opens-backdoor-steals-user-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)

:fear::fear:
 
Adblock Plus 1.11 for Chrome, Opera and Safari released

FYI...

Adblock Plus 1.11 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-111-for-chrome-opera-and-safari-released
2016-03-08
Install Adblock Plus 1.11 for Chrome
Install Adblock Plus 1.11 for Opera
Install Adblock Plus 1.11 for Safari (Safari 6 or higher required)
"This release features the new developer tools panel which shows blockable items along with applied filters, and provides an easy way to create new filters for these items, on Chrome and Opera. Another big change in this release: The “Block element” dialog is no longer injected into the page, but opened as a popup on Chrome and Opera, and as a new tab on Safari. This solved a couple issues, most notably a way that allowed websites to reliably detect whether Adblock Plus is installed..."

:fear::fear:
 
Thunderbird 45.0, 38.7.1, 38.7 released

FYI...

Thunderbird 45.0
- https://www.mozilla.org/en-US/thunderbird/45.0/releasenotes/
Apr 12, 2016
What’s New:
- Add a Correspondents column combining Sender and Recipient
- Much better support for XMPP chatrooms and commands.
- Implement option to always use HTML formatting to prevent unexpected format loss when converting messages to plain text.
- Use OpenStreetMap for maps (even allow the user to choose from a list of map services)
- Allow spell checking and dictionary selection in the subject line
- Add dropdown in compose to allow specific setting of font size.
- Return/Enter in composer will now insert a new paragraph by default (shift-Enter will insert a line break)
- Mail.ru supports OAuth authentication.
- Improved options for remote content exceptions (but previous settings based on the sender's email address are not migrated, so these need to be added again by users).
- Allow editing of From when composing a message.
- Allow copying of name and email address from the message header of an email
Fixed:
- When sending e-mail which was composed using Chinese, Japanese or Korean characters, unwanted extra spaces were inserted within the text.
- XMPP had connection problems for users with large rosters
- Spell checker checked spelling in invisible HTML parts of the message.
- When saving a draft that is edited as new message, original draft was overwritten.
- External images not displayed in reply/forward
- Properly preserve pre-formatted blocks in message replies.
- Crashed in some cases while parsing IMAP messages.
- Copy/paste from a plain text editor lost white-space (multiple spaces/blanks, tabs, newlines)
- "Open Draft"/"Forward"/"Edit As New"/"Reply" created message composition with incorrect character encoding.
- Grouped By view sort direction change was broken, plus enabled custom column grouping.
- New emails into a mailbox did not adhere to sort order by received.
- Box.com attachments failed to upload.
- Drag and drop of multiple attachments failed to OS file folder.
Known Issues:
- unresolved - Outlook and Eudora import non-functional.

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to Help > About Thunderbird

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird45
Fixed in Thunderbird 45
... fixes dated March 8, 2016?

> https://www.mozilla.org/en-US/thunderbird/releases/
___

Thunderbird v38.7 released
- https://www.mozilla.org/en-US/thunderbird/38.7.0/releasenotes/
March 14, 2016
Fixed: Various security fixes*
* https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.7
Fixed in Thunderbird 38.7
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-31 Memory corruption with malicious NPAPI plugin
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

... 60 bugs found.
> http://preview.tinyurl.com/jhljn2x

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to Help > About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all/

- https://www.mozilla.org/en-US/thunderbird/releases/
___

Thunderbird 38.7.1
- https://www.mozilla.org/en-US/thunderbird/38.7.1/releasenotes/
Mar 25, 2016
> Disabled Graphite font shaping library

:fear::fear:
 
Apple Updates - 3.21.2016

FYI...

Do NOT install iOS 9.3 on your iPad 2 - Upgrade bricks slabs
> http://www.theregister.co.uk/2016/03/23/ios_93_update_bricks_ipad_2s/
23 Mar 2016 at 20:30

... iPad 2 (GSM model) after you update to iOS 9.3
>> https://support.apple.com/en-us/HT206214
Mar 25, 2016 Mar 28, 2016

> https://support.apple.com/en-us/HT206203
Mar 25, 2016 Mar 28, 2016 Mar 29, 2016

- https://apple.slashdot.org/story/16...inks-in-ios-93-can-crash-your-iphone-and-ipad
Mar 29, 2016 - "Many users are experiencing an issue with their iPhone and iPad wherein trying to open a link on Safari, Mail, Chrome or any other app causes it to freeze and crash*. The issue renders any type of search with Safari as useless as none of the links returned will open. The wide-spread issue - for which there's no-known-workaround just yet - seems to be affecting users on both iOS 9.2 and iOS 9.3. Apple has acknowledged the issue and says it will release a fix "soon." There's no official word on what's causing the issue, but a popular theory with developers is that the glitch has something to do with Universal Links, a feature Apple first introduced with iOS 9. It appears some apps, such as Booking.com, are abusing this capability, causing the Universal Link database to overload."
* https://discussions.apple.com/thread/7505840?start=765&tstart=0
___

- https://support.apple.com/en-us/HT201222

iOS 9.3 released
- https://support.apple.com/en-us/HT206166
21 Mar 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
- http://www.securitytracker.com/id/1035353
CVE Reference: CVE-2015-8659, CVE-2016-0801, CVE-2016-0802, CVE-2016-1734, CVE-2016-1740, CVE-2016-1748, CVE-2016-1750, CVE-2016-1751, CVE-2016-1752, CVE-2016-1753, CVE-2016-1754, CVE-2016-1755, CVE-2016-1756, CVE-2016-1757, CVE-2016-1758, CVE-2016-1760, CVE-2016-1761, CVE-2016-1762, CVE-2016-1763, CVE-2016-1766, CVE-2016-1775, CVE-2016-1778, CVE-2016-1779, CVE-2016-1780, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1784, CVE-2016-1785, CVE-2016-1786, CVE-2016-1788
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.3 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote or local user can obtain potentially sensitive information on the target system.
An application can obtain elevated privileges on the target system.
An application can bypass security controls on the target system.
Solution: The vendor has issued a fix (9.3)...

Safari 9.1
- https://support.apple.com/en-us/HT206171
21 Mar 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3..."
- http://www.securitytracker.com/id/1035354
CVE Reference: CVE-2009-2197, CVE-2016-1771, CVE-2016-1772
Mar 22 2016
Impact: A remote user can cause denial of service conditions on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof the user interface.
Solution: The vendor has issued a fix (9.1)...

OS X El Capitan v10.11.4 and Security Update 2016-002
- https://support.apple.com/en-us/HT206167
21 Mar 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3..."
- http://www.securitytracker.com/id/1035363
CVE Reference: CVE-2016-1732, CVE-2016-1733, CVE-2016-1735, CVE-2016-1736, CVE-2016-1737, CVE-2016-1738, CVE-2016-1741, CVE-2016-1743, CVE-2016-1744, CVE-2016-1745, CVE-2016-1746, CVE-2016-1747, CVE-2016-1749, CVE-2016-1764, CVE-2016-1767, CVE-2016-1768, CVE-2016-1769, CVE-2016-1770, CVE-2016-1773
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local or remote user can obtain potentially sensitive information on the target system.
A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (10.11.4, Security Update 2016-002)...

OS X Server 5.1
- https://support.apple.com/en-us/HT206173
21 Mar 2016 - "Available for: OS X Yosemite v10.10.5 and later..."
- http://www.securitytracker.com/id/1035342
CVE Reference: CVE-2016-1774, CVE-2016-1776, CVE-2016-1777, CVE-2016-1787
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): OS X Server prior to 5.1; OS X 10.10.5 and after...
Impact: A local user can obtain privileged files on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (OS X Server 5.1)...

Xcode 7.3
- https://support.apple.com/en-us/HT206172
21 Mar 2016 - "Available for: OS X El Capitan v10.11 and later..."
- http://www.securitytracker.com/id/1035352
CVE Reference: CVE-2016-1765
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (7.3)...

tvOS 9.2
- https://support.apple.com/en-us/HT206169
21 Mar 2016 - "Available for: Apple TV (4th generation)..."

watchOS 2.2
- https://support.apple.com/en-us/HT206168
21 Mar 2016 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes..."

Apple Software Update 2.2
- https://support.apple.com/en-us/HT206091
Mar 10, 2016 - "Available for: Windows 7 and later..."
___

iOS 9.3
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
watchOS 2.2
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
tvOS 9.2
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
Xcode 7.3
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html
OS X El Capitan 10.11.4 and Security Update 2016-002
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
Safari 9.1
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
OS X Server 5.1
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00006.html
___

- https://www.us-cert.gov/ncas/current-activity/2016/03/21/Apple-Releases-Multiple-Security-Updates
March 21, 2016

:fear::fear:
 
iOS 9.3.1 ...

FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.3.1 released
- https://support.apple.com/en-us/HT206225
Last Modified: Mar 31, 2016 - "iOS 9.3.1 includes the security content of iOS 9.3."

> https://lists.apple.com/archives/security-announce/2016/Mar/index.html
??

- http://www.theinquirer.net/inquirer...e-access-a-locked-iphones-contacts-and-photos
Apr 05 2016 - "... AFTER releasing iOS 9.3.1 to fix the link-crashing glitch plaguing iPhones and iPads, a bug has been spotted in the update that allows -anyone- to access photos and contacts on a locked device. A YouTube video (below) shows the vulnerability in action and reveals that all a hacker needs to pilfer contacts from a passcode-locked iPhone 6S or 6S Plus is access to Siri and 3D Touch... there -is- a way to keep your iPhone's information safe should it fall into the hands of a hacker... Siri can carry out the command in question only if given permission to access Twitter account information, as well as contacts and photos. To -revoke- these permissions, head to:
Settings > Privacy and switch -off- Siri's access to Twitter and Photos. To stop it accessing your contacts, you'll need to -disable- Siri's lock screen activation by heading to Settings > Touch ID & Passcode."
(See Video 0:49 at the URL above.)
___

iBooks Author 2.4.1
- https://support.apple.com/en-us/HT206224
Last Modified: Mar 31, 2016
CVE-2016-1789

> https://lists.apple.com/archives/security-announce/2016/Mar/msg00008.html

- https://www.us-cert.gov/ncas/current-activity/2016/04/01/Apple-Releases-Security-Update
Apr 1, 2016
___

APPLE-SA-2016-03-28-1 OS X: Flash Player plug-in blocked
- https://lists.apple.com/archives/security-announce/2016/Mar/msg00007.html
28 Mar 2016 - "Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 21.0.0.182 and 18.0.0.333. Information on blocked web plug-ins will be posted to:
- http://support.apple.com/en-us/HT202681 "
Last Modified: Mar 18, 2016

:fear::fear:
 
Apple ends support for QuickTime for Windows

FYI...

Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
- https://www.us-cert.gov/ncas/alerts/TA16-105A
April 14, 2016

> https://support.apple.com/en-us/HT205771
___

Apple is deprecating QuickTime for Windows
- http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/
April 14, 2016 - "... Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX... our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows..."
> http://zerodayinitiative.com/advisories/ZDI-16-241/
> http://zerodayinitiative.com/advisories/ZDI-16-242/

- http://www.securitytracker.com/id/1035579
Apr 15 2016
___

- https://support.apple.com/en-us/HT201175
Apr 20, 2016 - "QuickTime 7 for Windows is no longer supported by Apple... All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows*."
* https://support.apple.com/kb/HT205771

:fear::fear:
 