Alerts

[AplusWebMaster]

FYI...

Thunderbird 38.4 released

Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunde.../releasenotes/
Nov 23, 2015

Fixed in Thunderbird 38.4
- https://www.mozilla.org/en-US/securi...hunderbird38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

- https://www.mozilla.org/en-US/thunderbird/releases/

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1034260
CVE Reference: CVE-2015-4513, CVE-2015-7189, CVE-2015-7193, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
Nov 26 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Thunderbird version 38.4.0 ...

[AplusWebMaster]

FYI...

> https://support.apple.com/en-us/HT201222

iOS 9.2
- https://support.apple.com/en-us/HT205635
Dec 8, 2015 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
- http://www.securitytracker.com/id/1034348
CVE Reference: CVE-2015-7037, CVE-2015-7051, CVE-2015-7055, CVE-2015-7069, CVE-2015-7070, CVE-2015-7072, CVE-2015-7079, CVE-2015-7080, CVE-2015-7093, CVE-2015-7113
Dec 9 2015
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.2 ...

Safari 9.0.2
- https://support.apple.com/en-us/HT205639
Dec 8, 2015 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1 ..."
- http://www.securitytracker.com/id/1034341
CVE Reference: CVE-2015-7048, CVE-2015-7050, CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099, CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104
Dec 9 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0.2 ...

OS X El Capitan 10.11.2 and Security Update 2015-008
- https://support.apple.com/en-us/HT205637
Dec 8, 2015 - "Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.29, the most serious of which may have led to remote code execution. These were addressed by updating PHP to version 5.5.30..."
- http://www.securitytracker.com/id/1034344
CVE Reference: CVE-2012-1147, CVE-2012-1148, CVE-2015-5333, CVE-2015-5334, CVE-2015-7001, CVE-2015-7038, CVE-2015-7039, CVE-2015-7040, CVE-2015-7041, CVE-2015-7042, CVE-2015-7043, CVE-2015-7044, CVE-2015-7045, CVE-2015-7046, CVE-2015-7047, CVE-2015-7052, CVE-2015-7053, CVE-2015-7054, CVE-2015-7058, CVE-2015-7059, CVE-2015-7060, CVE-2015-7061, CVE-2015-7062, CVE-2015-7063, CVE-2015-7064, CVE-2015-7065, CVE-2015-7066, CVE-2015-7067, CVE-2015-7068, CVE-2015-7071, CVE-2015-7073, CVE-2015-7074, CVE-2015-7075, CVE-2015-7076, CVE-2015-7077, CVE-2015-7078, CVE-2015-7081, CVE-2015-7083, CVE-2015-7084, CVE-2015-7094, CVE-2015-7105, CVE-2015-7106, CVE-2015-7107, CVE-2015-7108, CVE-2015-7109, CVE-2015-7110, CVE-2015-7111, CVE-2015-7112
Dec 9 2015
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix.

Xcode 7.2
- https://support.apple.com/en-us/HT205642
Dec 8, 2015 - "Available for: OS X Yosemite v10.10.5 or later..."
- http://www.securitytracker.com/id/1034340
CVE Reference: CVE-2015-7049, CVE-2015-7056, CVE-2015-7057, CVE-2015-7082
Dec 9 2015
Impact: Execution of arbitrary code via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (7.2).

tvOS 9.1
- https://support.apple.com/en-us/HT205640
Dec 8, 2015 - "Available for: Apple TV (4th generation)..."

watchOS 2.1
- https://support.apple.com/en-us/HT205641
Dec 8, 2015 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes..."
___

- https://www.us-cert.gov/ncas/current...curity-Updates
Dec 08, 2015

[AplusWebMaster]

FYI...

WordPress 4.4 update breaks itself with SSL certificate problem...
- http://myonlinesecurity.co.uk/wordpr...r-certificate/
Dec 9, 2015 - "WordPress4.4 has just been released and it is highly recommended to update. BUT it is -broken- on many servers. The update will go OK -but- it will also update the SSL certificate bundle that WordPress uses to update itself, the themes and plugins. The certificate bundle appears to be damaged-or-incorrect and stops any WP updates. You will get a message saying http_request_failed: “SSL certificate problem: unable to get local issuer certificate” whenever you try to do anything involving WordPress updates, updating or installing themes or plugins or using Jetpack features like stats or sharing etc. The error screen will look something like this. It doesn’t matter what plugin or theme you try to update. the error message will be similar:
>> http://myonlinesecurity.co.uk/wp-con...date-error.png
... found this post on WordPress support that does fix the problem. All my WP sites gave me the SSL warning until I used the certificate bundle from that post:
- https://wordpress.org/support/topic/...error14090086s
... until WordPress fixes/updates themselves, you should manually do this yourself...
WordPress could send out a hotfix of some sort now to make this update... - Derek"
___

WordPress hosting service WP Engine has been hacked
- http://www.theinquirer.net/inquirer/...as-been-hacked
Dec 10 2015

- https://wpengine.com/support/infosec/
Security Update: "Update 12/13/2015 1:00pm Central: WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available..."

[AplusWebMaster]

FYI...

Adblock Plus 2.7 for Firefox released
- https://adblockplus.org/releases/adb...refox-released
2015-12-15 - "... In order to support multiple processes properly we had to implement massive changes to the core functionality of Adblock Plus. These changes should have almost no visible effect other than improved performance however.
Visible changes:
- If pop-ups are blocked after the redirect, the pop-up window will actually be closed and not merely prevented from loading (issue 443).
- The diagnostic page under chrome://adblockplus/content/errors.html has been removed, it was of very limited use (issue 3357).
Known issues:
- Element hiding functionality isn’t working on Mac OS X when multi-process mode is enabled (bug 1187099). Given the lack of progress on Mozilla’s side, we will have to come up with some work-around later on.
- Issue reporter doesn’t create screenshots when multi-process mode is enabled (issue 3375). To be addressed in the next release.
- “Unsafe CPOW usage” warnings will still show up in Error Console sometimes when multi-process mode is enabled, most prominently when using the list of blockable items (issue 3407). To be addressed in the next release.
- Selection in the list of blockable items isn’t remembered reliably when multi-process mode is enabled (issue 3259). To be addressed in the next release."

[AplusWebMaster]

FYI...

Thunderbird 38.5 released

Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunde.../releasenotes/
Dec 23, 2015

Fixed in Thunderbird 38.5
- https://www.mozilla.org/en-US/securi...hunderbird38.5
2015-149 Cross-site reading attack through data and view-source URIs
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-139 Integer overflow allocating extremely large textures
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

- https://www.mozilla.org/en-US/thunderbird/releases/

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

Version 38.5.1
- https://www.mozilla.org/en-US/thunde.../releasenotes/
Jan 7, 2016

What’s New:
Changed: Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
Known Issues:
unresolved: Windows XP SP2 will no longer install Thunderbird (workaround: Install Thunderbird 38.5.0 then update)

[AplusWebMaster]

FYI...

WordPress 4.4.1 Security and Maintenance Release
- https://wordpress.org/news/2016/01/w...nance-release/
Jan 6, 2016 - "WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised... There were also several non-security bug fixes..."

- https://wordpress.org/download/

> https://www.us-cert.gov/ncas/current...ecurity-Update
Jan 6, 2016
___

- http://www.securitytracker.com/id/1034622
CVE Reference: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2016-1564
Jan 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.4.1 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.4.1)...

[AplusWebMaster]

FYI...

QuickTime 7.7.9 released
- https://support.apple.com/en-us/HT205638
Jan 7, 2016

Download:
- https://www.apple.com/quicktime/download/
... for Windows Vista or Windows 7
___

- http://www.securitytracker.com/id/1034610
CVE Reference: CVE-2015-7085, CVE-2015-7086, CVE-2015-7087, CVE-2015-7088, CVE-2015-7089, CVE-2015-7090, CVE-2015-7091, CVE-2015-7092, CVE-2015-7117
Jan 8 2016
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.9 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (7.7.9)...
___

... fails to install plug-in on Firefox - unless this procedure is followed:

1. Download QT 7.7.9 from:
> https://www.apple.com/quicktime/download/
... save download where you want.
2. Dble-click the .exe file.
3. Choose "Custom" install.
4. See "Optional Quicktime Features" and choose "QuickTime Web Plugin" (eliminate the red-x).
5. Choose "Next" and the upgrade/install should complete OK. If you don't do this in the recommended sequence, it will -fail- to install the plug-in for Firefox - likely other browsers, too.

[AplusWebMaster]

FYI...

Adblock Plus 2.7.1 for Firefox released
- https://adblockplus.org/releases/adb...refox-released
2016-01-19
"With this release Adblock Plus becomes fully compatible with the upcoming multi-process mode in Firefox, it no longer relies on backwards compatibility hacks in Firefox (issue 3259, issue 3407, issue 3449, issue 3465, issue 3486, issue 3494). This also means that the screenshot functionality in Issue Reporter is fully functional now (issue 3375), and also quite fast (issue 3504).
- Additional changes:
Improved performance: patterns.ini was being saved way more often than necessary (issue 3473).
$ping filter option is back and will especially apply to requests sent via navigator.sendBeacon() (issue 3452).
Requests produced by <img srcset> and <picture> will be assigned type image (issue 3459).
Requests produced by the Fetch API will be assigned type xmlhttprequest (issue 3459).
genericblock and generichide types will no longer show up in the filter assistant (issue 3478).
Removed non-standard JavaScript syntax, which caused warnings in Firefox Aurora and Nightly builds (issue 1434, issue 3418, issue 3421, issue 3502, issue 3505).
Fixed: Previously disabled and removed filter is still disabled when added back (issue 3451).
- Regressions fixed:
As the previous release changed Adblock Plus quite drastically, it inevitably introduced some issues. As far as we know, all of these have been resolved:
Pop-up blocking doesn’t catch redirects to a different domain (issue 3458).
Issue Reporter gets stuck if filter subscriptions need updating (issue 3461, issue 3464).
Screenshot marker in Issue Reporter is no longer red (issue 3503).
Fixed image preview in Blockable Items tooltip (issue 3491).
- Known issues:
Element hiding functionality isn’t working on Mac OS X when multi-process mode is enabled (bug 1187099). Mozilla is working on this..."

[AplusWebMaster]

FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.2.1 released
- https://support.apple.com/en-us/HT205732
Jan 14, 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.."
- http://www.securitytracker.com/id/1034737
CVE Reference: CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728, CVE-2016-1730
Jan 20 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.2.1
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can read and write cookies on the target user's system.
Solution: The vendor has issued a fix (9.2.1)...

Safari 9.0.3 released
- https://support.apple.com/en-us/HT205730
Jan 15, 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.2..."

OS X El Capitan 10.11.3 and Security Update 2016-001
- https://support.apple.com/en-us/HT205731
Jan 19, 2016
- http://www.securitytracker.com/id/1034736
CVE Reference: CVE-2015-7995, CVE-2016-1716, CVE-2016-1717, CVE-2016-1718, CVE-2016-1719, CVE-2016-1720, CVE-2016-1721, CVE-2016-1722, CVE-2016-1729
Jan 20 2016
Impact: A local user can obtain kernel-level or root privileges on the target system.
Solution: The vendor has issued a fix (10.11.3; Security Update 2016-001).
___

- https://www.us-cert.gov/ncas/current...tan-and-Safari
Jan 19, 2016

[AplusWebMaster]

FYI...

WordPress 4.4.2 - Security and Maintenance Release
- https://wordpress.org/news/
Feb 2, 2016 - "WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs... and an open redirection attack...
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes..."

Release notes
- https://codex.wordpress.org/Version_4.4.2

List of changes
- https://core.trac.wordpress.org/query?milestone=4.4.2

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current...ecurity-Update
Feb 02, 2016
___

- http://www.securitytracker.com/id/1034933
CVE Reference: CVE-2016-2221, CVE-2016-2222
Feb 4 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.4.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (4.4.2)...