Alerts

[AplusWebMaster]

FYI...

Thunderbird 38 - delayed ...
- http://emailmafia.net/2015/05/12/thu...rd-38-delayed/
May 12, 2015 - "... Thunderbird 38.0 will -not- ship on the same date as Firefox 38.0 but will likely be delayed a couple of weeks... there are still a number of regressions that we are working on, and last week’s beta was the first beta that was feature complete. That means we will not be ready to ship according to the original schedule.
A current estimate of when we will ship Thunderbird 38.0 is approximately May 26."
___

Thunderbird 31.7 released

Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/securi...hunderbird31.7
Fixed in Thunderbird 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

Thunderbird 31.7 download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1032303
CVE Reference: CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716
May 13 2015
Impact: Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.7

[AplusWebMaster]

FYI... iPhone "Text msg" bug

If Messages quits unexpectedly after you get a text with a specific string of characters
- https://support.apple.com/en-us/HT204897
Last Modified: May 29, 2015
"Apple is aware of an iMessage issue caused by a specific series of unicode characters and we will make a fix available in a software update. Until the update is available, you can use these steps to re-open the Messages app.
1. Ask Siri* to "read unread messages."
2. Use Siri to reply to the malicious message. After you reply, you'll be able to open Messages again.
3. If the issue continues, tap and hold the malicious message, tap More, and delete the message from the thread."

About Siri
* https://support.apple.com/en-us/HT204389
Last Modified: Apr 15, 2015
___

- http://www.idownloadblog.com/2015/05...e-coming-soon/
"... the company will be releasing a fix via a software update soon, presumably along iOS 8.4, which is still in beta stage."

[AplusWebMaster]

FYI...

Adblock Plus 1.9 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adb...afari-released
2015-06-16
Install Adblock Plus 1.9 for Chrome
Install Adblock Plus 1.9 for Opera
Install Adblock Plus 1.9 for Safari (Safari 6 or higher required)
>> Changes:
Fixed: Placeholders weren’t hidden for elements that were blocked by an URL given in the srcset attribute (issue 2634).
Exception rules with protocol don’t imply the $document flag anymore (issue 2503).
Changed the label for the share buttons to reflect the functionality more accurately (issue 2202).
Implemented an alternative format for subscription links (issue 2212).
Fixed some issues with the “Block element” dialog:
Fixed some issues with element highlighting (issue 2077, issue 2209).
Fixed some issues with dragging the dialog (issue 2100, issue 2173, issue 2194).
Fixed issues with how the context menu interacted with other parts of the user interface (issue 2279, issue 2298).
The page no longer freezes when selecting an element that would result in a lot of other elements being blocked as well (issue 2215).
Performance improvements:
Mitigated the effect of slow request blocking filters (issue 2177).
Determine whether a page or frame is whitelisted more efficiently by only matching exception rules (issue 2132).
Moved code not crucial to blocking requests out of the critical path, decreasing load times (issue 2505).
> Chrome/Opera-only changes
Changed the way Adblock Plus stores persistent data such as setting and filter lists, replacing localStorage and the deprecated FileSystem API with chrome.storage (issue 2021, issue 2040).
Run content scripts in anonymous frames again, in order to block ads more reliably (issue 2216, issue 2217).
Worked around a Chromium bug that caused corruption of the page layout when using the feedback dialog on Google Mail and other Google websites (issue 2602).
Fixed element hiding filters using CSS selectors with commas inside quoted text (issue 2467).
Don’t assume Chromium-specific user agent string, fixing issues when using --user-agent switch, or running on a different platform (issue 2537).
Performance improvements:
Flush caches after filter changes only when absolutely necessary and respect the browser’s quotas (issue 2034, issue 2297).
Improved the performance of CSS selector injection, slightly decreasing page load time, in particular on pages with many frames and/or many active element hiding filters (issue 2528).
Avoid calling into JavaScript when processing headers when loading other resources than documents and frames (issue 2538).
Got rid of some try..catch statements which prevent functions from being (issue 2658, issue 2569).
Avoid iteration over a hash-table which prevents functions from being optimized, slightly improving performance of element hiding filter matching (issue 2582).
> Chrome-only changes
Added a pre-configurable preference to suppress the first run page (issue 1488).
> Opera-only changes
Fixed: Spanish translation wasn’t being used (issue 2665).
> Safari-only changes
Restored compatibility with Safari 6 (issue 2172).

[AplusWebMaster]

FYI...

- http://it.slashdot.org/story/15/06/2...ulnerabilities
June 19, 2015 - "Secunia just announced on a forum post* that they will no longer provide public access to advisories newer than 9 months. According to Secunia they, "frequently encounter organizations engaged in wrongful use of Secunia Advisories" and that VIM customers, "have full access to all advisories." While Secunia is under no obligation to provide their aggregated vulnerabilities they've been doing it for over 10 years. The information they provide is primarily from public sources."

* https://secunia.com/community/forum/thread/show/15400
19th Jun, 2015 - "We have decided to make advisories more recent than nine months unavailable on secunia.com . The decision was made to avoid abuse of the advisories for commercial use, and because we frequently encounter organizations engaged in wrongful use of Secunia Advisories. Our advisories are made available for personal use only, and commercial use is prohibited.
Users who wish to make commercial use of our vulnerability intelligence must subscribe to our vulnerability management solution, the Secunia Vulnerability Intelligence Manager (Secunia VIM: - http://secunia.com/vulnerability_intelligence/ ). Users of the Secunia VIM have full access to all advisories and are able to analyse all the latest advisories in chronological order as well as proactive alerting the moment they have been released. Private users who have created a Secunia community profile ( http://secunia.com/community/profile/ ), can access advisories less than 9 months old using the search engine ( http://secunia.com/community/advisories/search/ ). We are aware that the search on the community pages is not working optimally and are working to fix that shortly.
Stay Secure,
Kasper Lindgaard, Director of Research and Security"

.

[AplusWebMaster]

FYI...

> https://support.apple.com/en-us/HT201222

iOS 8.4 released
- https://support.apple.com/en-us/HT204941
Jun 30, 2015
- http://www.securitytracker.com/id/1032761
CVE Reference: CVE-2015-3722, CVE-2015-3723, CVE-2015-3724, CVE-2015-3725, CVE-2015-3726, CVE-2015-3728
Jul 1 2015
Impact: Denial of service via network, Execution of arbitrary code via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.4...
___

QuickTime 7.7.7 released
- https://support.apple.com/en-us/HT204947
Jun 30, 2015
- http://www.securitytracker.com/id/1032756
CVE Reference: CVE-2015-3661, CVE-2015-3662, CVE-2015-3663, CVE-2015-3664, CVE-2015-3665, CVE-2015-3666, CVE-2015-3667, CVE-2015-3668, CVE-2015-3669
Jul 1 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.7 ...
Download: https://www.apple.com/quicktime/download/
"QuickTime 7.7.7 for Windows Vista or Windows 7"
Alternate download site: http://www.majorgeeks.com/files/details/quicktime.html
Author: Apple, Inc.
Date: 07/01/2015 06:34 AM
Size: 39.9 MB
License: Freeware
Requires: Win 10/8/7/Vista
___

Safari 8.0.7, 7.1.7, 6.2.7
- https://support.apple.com/en-us/HT204950
Jun 30, 2015
- http://www.securitytracker.com/id/1032754
CVE Reference: CVE-2015-3658, CVE-2015-3659, CVE-2015-3660, CVE-2015-3727
Jun 30 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.2.7, 7.1.7, 8.0.7 ...
___

Security Update 2015-005 - OS X Yosemite v10.10.4
- https://support.apple.com/en-us/HT204942
Jun 30, 2015
- http://www.securitytracker.com/id/1032759
CVE Reference: CVE-2015-4000
Jul 1 2015
Impact: Modification of authentication information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (10.10.4, Security Update 2015-005)...
- http://www.securitytracker.com/id/1032760
CVE Reference: CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2015-3671, CVE-2015-3672, CVE-2015-3673, CVE-2015-3674, CVE-2015-3675, CVE-2015-3676, CVE-2015-3677, CVE-2015-3678, CVE-2015-3679, CVE-2015-3680, CVE-2015-3681, CVE-2015-3682, CVE-2015-3683, CVE-2015-3684, CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-3689, CVE-2015-3690, CVE-2015-3691, CVE-2015-3694, CVE-2015-3695, CVE-2015-3696, CVE-2015-3697, CVE-2015-3698, CVE-2015-3699, CVE-2015-3700, CVE-2015-3701, CVE-2015-3702, CVE-2015-3703, CVE-2015-3704, CVE-2015-3705, CVE-2015-3706, CVE-2015-3707, CVE-2015-3708, CVE-2015-3709, CVE-2015-3710, CVE-2015-3711, CVE-2015-3712, CVE-2015-3714, CVE-2015-3715, CVE-2015-3716, CVE-2015-3717, CVE-2015-3718, CVE-2015-3719, CVE-2015-3721
Jul 1 2015
Impact: Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (10.10.4, Security Update 2015-005)...
___

Security Update 2015-001 - Mac EFI
- https://support.apple.com/en-us/HT204934
Jun 30, 2015
- http://www.securitytracker.com/id/1032755
CVE Reference: CVE-2015-3693
Jun 30 2015
Impact: Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (Security Update 2015-001, OS X 10.10.4).
___

iTunes 12.2 for Windows
- https://support.apple.com/en-us/HT204949
Jul 1, 2015

- https://www.apple.com/itunes/download/
___

- http://net-security.org/secworld.php?id=18577
01 July 2015 - "... The OS X update contains fixes for 77 vulnerabilities, many of which can be exploited by attackers to gain admin or root privilege, crash applications, perform unauthenticated access to the system, execute arbitrary code, intercept network traffic, and so on. It also includes fixes for vulnerabilities in the Mac EFI (Extensible Firmware Interface), one of which could allow a malicious app with root privileges to modify EFI flash memory when it resumes from sleep states...
The iOS security update contains fixes for a slew of vulnerabilities that could lead to unexpected application termination or arbitrary code execution just by making the users open or the OS process a malicious crafted PDF, text, font or .tiff file.
The 'Logjam bug' in coreTLS that could be exploited by an attacker with a privileged network position to SSL/TLS connections has also been plugged, as have two vulnerabilities discovered by FireEye researchers, which could allow attackers to deploy two new kinds of Masque Attack and prevent iOS and Watch apps from launching..."

> http://lists.apple.com/archives/secu...dex.html#00005

[AplusWebMaster]

FYI...

Thunderbird 38.1 released

Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/securi...hunderbird38.1
Fixed in Thunderbird 38.1
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1032784
CVE Reference: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-4000
Jul 3 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 38.0 and prior ...
Solution: The vendor has issued a fix (38.1)...
___

Thunderbird 38.2

Download: https://www.mozilla.org/en-US/thunderbird/all/

- https://www.mozilla.org/en-US/securi...hunderbird38.2
Aug 11, 2015
Fixed in Thunderbird 38.2
Vulnerabilities found through code inspection
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

[AplusWebMaster]

FYI...

Adblock Plus 1.9.1 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adb...afari-released
2015-07-14
Install Adblock Plus 1.9.1 for Chrome
Install Adblock Plus 1.9.1 for Opera
Install Adblock Plus 1.9.1 for Safari (Safari 6 or higher required)
Changes:
- Added global opt-out for notifications (issue 2195).
- Immediately show notifications after they were downloaded (issue 2419).
- Reduced delay of initial download of notifications (issue 2659).
- Fixed: Notification data was reset when pages load during extension intitialization (issue 2757).

[AplusWebMaster]

FYI...

WordPress 4.2.3 released
- https://wordpress.org/news/2015/07/wordpress-4-2-3/
July 23, 2015 - "WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site... WordPress 4.2.3 also contains fixes for 20 bugs from 4.2..."

Release notes
- https://codex.wordpress.org/Version_4.2.3

Change log
- https://core.trac.wordpress.org/log/...stop_rev=32430

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current...ecurity-Update
July 23, 2015
___

- http://www.securitytracker.com/id/1033037
CVE Reference: CVE-2015-5622, CVE-2015-5623
Jul 23 2015
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.2.2 and prior...
Solution: The vendor has issued a fix (4.2.3).

[AplusWebMaster]

FYI...

Adblock Plus 2.6.10 for Firefox released
- https://adblockplus.org/releases/adb...refox-released
2015-07-28 - "This is a quality and stability release, with the focus being compatibility with upcoming Firefox versions. Most of the changes are under the hood, only the visible changes are listed:
• suppress_first_run_page preference introduced by previous release can now be preconfigured by machine administrators via setting extensions.adblockplus.preconfigured.suppress_first_run_page Firefox preference (issue 2439).
• Issue reporter
Made sure there is always enough space to display report data (issue 344).
No longer intercepting right-clicks on the resulting report link, only left- and middle-clicks result in the report being opened (issue 701).
• Subscription links
Implemented an alternative format that is easier to use in forums or emails: https ://subscribe.adblockplus .org/?location=foo instead of abp:subscribe?location=foo (issue 2211).
• Fixed subscription links in multi-process Firefox (issue 1730)
• Notifications
Added global opt-out for notifications (issue 2192 and issue 2193).
Notifications are shown immediately after download rather than waiting for a browser restart (issue 2419).
• Removed inconsistent behavior (breaks backwards compatibility): exception rules starting with http:// or https:// no longer imply $document option (issue 2503).
• Reduced the initial delay for filter lists and notification updates after browser startup (issue 284 and issue 2659).
• First-run page: Fixed social buttons being broken starting with Firefox 38 (issue 2710)...

[AplusWebMaster]

FYI...

WordPress 4.2.4 released
- https://wordpress.org/news/2015/08/w...nance-release/
Aug 4, 2015 - "WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site..."

Release notes
- https://codex.wordpress.org/Version_4.2.4

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current...ecurity-Update
Aug 04, 2015

Hardening WordPress: https://codex.wordpress.org/Hardening_WordPress
___

- http://www.securitytracker.com/id/1033178
CVE Reference: CVE-2015-2213, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, CVE-2015-5734
Aug 4 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.2.3 and prior versions...
Solution: The vendor has issued a fix (4.2.4)...