Firefox: critical security patch (74.0.1)

Firefox 74.0.1 brings critical security patches with “targeted attacks in the wild abusing this flaw.”

Firefox is the free, cross-platform web browser from Mozilla, promising better privacy than Google’s Chrome and offering an appealing, open-source alternative to Apple’s Safari.

Firefox 74.0.1 is a free download for OS X 10.9 and up, plus Linux, and Windows.

Firefox ESR 68.6.1esr (see security notes and downloads) adds the critical security fix to the Extended Support Release family for OS X 10.9 or later, Linux, or Windows. A Firefox FTP server includes all the various versions for downloading.

Firefox Quantum Developer Edition is an alternate version for desktop systems that incorporates tools such as editors, debuggers and responsive design views.

Firefox Quantum for Enterprise is a version that lets people set up policies (e.g. proxy, restrict features) with Group Policy on Windows and a JSON file on Mac and Linux.

Firefox for iOS 24.1 is a free mobile version for iOS 11 and up, with automatic search suggestions, a private browsing mode, tracking protection and Siri Shortcut support for iOS 12.

Google Chrome security update

Google Chrome is the cross-platform web browser from Google Inc. with a hidden auto-update daemon and agent that has wrecked Mac systems and wreaked other havoc, and it has other proprietary Google additions on top of its open-source platform. The latest release includes critical patches for severe security flaws.

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data.

Google Chrome 80.0.3987.163 is a free download for OS X 10.10 and up, as well as Linux and Windows.

Google Chrome for iOS 80.0.3987.95 is a free download for iOS 12 and up.

Coronavirus

I continue to update the Coronavirus (COVID-19) information page frequently with the most important and helpful information I can find from a wide range of sources about this life-changing global catastrophe.

https://macintouch.com/coronavirus/

Recent additions include the clearest explanation of the situation I have seen yet, plus a guide to “living with worry”, online self-triage tools, lost smell/taste, infections in Congress, a survey of treatments in development, an FBI alert, an animated model of viral spread and more. (With JavaScript help from Sam Herschbein, I also redesigned the Updates section of the web page to select and display items for a chosen day, while other people have contributed good tips and conversation, too.)

I hope this resource (and all the work it involves) is helpful in these troubled times.

Ric Ford

Adobe security flaws critical

Adobe posted its latest batch of patches for critical security flaws in its various products:

Adobe Acrobat and Reader | APSB20-13
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Adobe Photoshop | APSB20-14
Adobe has released updates for Photoshop for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Adobe Bridge | APSB20-17
Adobe has released a security update for Adobe Bridge. This update addresses multiple critical vulnerabilities that could lead to arbitrary code execution.

Adobe ColdFusion | APSB20-16
Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple critical vulnerabilities that could lead to arbitrary code execution.

Adobe Experience Manager | APSB20-15
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve a vulnerability in AEM versions 6.5 and below rated Important. Successful exploitation could result in sensitive information disclosure.

VMware Fusion

VMware Fusion is a cross-platform virtualization system from VMware Inc. that creates “virtual machines” that can run one operating system (Windows, Linux or Mac) within another operating system for testing, development, security or cross-platform capabilities (e.g. running Windows on OS X in order to use Windows applications on a Mac).

Features include shared folders, support for the latest Windows 10 releases (and a Windows Migration Assistant) and for Retina Macs (including iMac 5K), Touch Bar, Apple Metal graphics, DirectX 10, OpenGL 3.3, USB 3, 64-bit processing and more.

VMware Fusion 11.5.2 is priced at $79.99; it now requires macOS 10.13 or later (with certain hardware requirements). Trial versions and upgrade discounts are available. VMware Fusion Pro is priced at $159.99. See comparison tables and FAQ for more information.

The latest Fusion release includes critical security patches for CVE-2020-3947 and CVE-2020-3948 plus a fix for a kernel extension issue in macOS version 10.9 to 10.12. (See Known Issues for workarounds to a number of problems with macOS 10.15 Catalina and other issues.)

VMware Workstation Player and Workstation Pro host virtual machines on Linux and Windows (but Apple licenses prohibit use of macOS on non-Apple hardware).

Coronavirus Disease 2019 (COVID-19)

The COVID-19 pandemic is a life-changing global crisis that has already killed thousands of people, overwhelmed medical systems and devastated daily life for entire populations along with crippling businesses and the global economy. Yet it has barely begun, and it will explode in the weeks and months ahead with untold consequences (barring a miracle, and I don’t see any signs of one).

MacInTouch will be affected, too. Expect interruptions and delays at a minimum, and we’ll see what happens over time. I don’t anticipate changing the focus of the website, but I have collected useful, reliable information after seeing deadly misinformation promulgated by politicians, their media and irresponsible individuals inside and outside the USA, while family and community members have been confused and lacking critical facts.

Taking precedence over the usual MacInTouch topics at the moment, because this is infinitely more important, I have posted that collection and am updating it frequently: https://macintouch.com/coronavirus/

Ric Ford

Google Chrome/Chromium exploit

A Google Chrome security flaw has an exploit available “in the wild”, and Google issued an update that should be applied immediately. The Chromium browser is also affected and also needs the update (see FreeSMUG and SourceForge). The patches are not available yet for iOS, Android or Chromebooks, and other browsers may also be affected (e.g. Microsoft Edge, Brave, etc.).

Chrome Releases, Monday, February 24, 2020
The stable channel has been updated to 80.0.3987.122 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. … This update includes 3 security fixes. … Google is aware of reports that an exploit for CVE-2020-6418 exists in the wild.

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks
… The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities — CVE-2020-6407 and CVE-2020-6418 — were identified by experts from the Google security team. … A successful exploitation of the integer overflow or out-of-bounds write flaws could allow a remote attacker to compromise a vulnerable system by tricking the user into visiting a specially crafted web page that takes advantage of the exploit to execute arbitrary code on the target system.

Google patches Chrome zero-day under active attacks
… Patches for this zero-day have been released part of Chrome version 80.0.3987.122. The update is available for Windows, Mac, and Linux users, but not Chrome OS, iOS, and Android.

Google patches holes in Chrome – exploit already out there for one of them after duo spot code fix
… Kurucsai and Rao developed proof-of-concept exploit code for CVE-2020-6418 after spotting the fix buried in the source tree, and before Google could emit an official binary release. The duo have now shared their exploit code which can be used by white and black hats to target those slow to patch.

Adobe critical security flaws

Adobe issued its latest batch of patches for critical security flaws across its product portfolio:

We strongly recommend removing Adobe Flash from your systems because of its security flaws and exploitation, and Adobe has announced its termination.

Windows 10/Server extreme security flaw

An extremely bad security flaw in Microsoft Windows has just been reported and patched. Here’s more information from the NSA:

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

Information from the Department of Homeland Security:

Emergency Directive 20-02
Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

Information from US-CERT:

Alert (AA20-014A)
Critical Vulnerabilities in Microsoft Windows Operating Systems

Brian Krebs had sounded early alerts:

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.

Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here.

Thunderbird: important security patch (68.4.1)

The new Thunderbird 68.4.1 release brings an important security fix with “targeted attacks in the wild abusing this flaw”, but “these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”

Thunderbird is Mozilla Corp.’s open-source, cross-platform email, chat, calendar, contacts and newsfeed (RSS) program, which features reliable email processing, smart folders, phishing protection and spam tools, special support for large-file transfers, quick filtering, Web searching, and plug-ins/add-ons for customization. See Thunderbird help topics for more information.

Thunderbird 68.4.1 is a free download for OS X 10.9 and up, as well as Linux and Windows. (Pre-release test versions are also available.)


Firefox: critical security patch (72.0.1)

Firefox 72.0.1 brings a critical security patch for “targeted attacks in the wild abusing this flaw.”

Version 72.0.0, the previous version released just a day earlier, also brought security fixes, plus additional privacy and security protections and feature updates:

Firefox’s Enhanced Tracking Protection marks a major new milestone in our battle against cross-site tracking: we now block fingerprinting scripts by default for all users, taking a new bold step in the fight for our users’ privacy.

Firefox replaces annoying notification request pop-ups with a more delightful experience, by default for all users. The pop-ups no longer interrupt your browsing; in its place, a speech bubble will appear in the address bar when you interact with the site.

Picture-in-picture video is now also available in Firefox for Mac and Linux: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs or apps.

Firefox is the free, cross-platform web browser from Mozilla, promising better privacy than Google’s Chrome and offering an appealing, open-source alternative to Apple’s Safari.

Firefox 72.0.1 is a free download for OS X 10.9 and up, plus Linux, and Windows.

Firefox ESR 68.4.1 (see security notes and downloads) adds the critical security fix to the Extended Support Release family for OS X 10.9 or later, Linux, or Windows. A Firefox FTP server includes all the various versions for downloading.

Firefox Quantum Developer Edition is an alternate version for desktop systems that incorporates tools such as editors, debuggers and responsive design views.

Firefox Quantum for Enterprise is a version that lets people set up policies (e.g. proxy, restrict features) with Group Policy on Windows and a JSON file on Mac and Linux.
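As an added illustration of the JSON policy file mentioned above (this is example configuration written for this page, not Mozilla's own documentation or a file from MacInTouch), here is a policies.json that sets a locked proxy and restricts a few features in the way an administrator locking down Firefox would. The policy names used (Proxy, DisableDeveloperTools, BlockAboutConfig, DisableTelemetry, DisableFirefoxStudies, EnableTrackingProtection, ExtensionSettings) are taken from Firefox's enterprise policy schema as I recall it; the proxy host and the passthrough domain are placeholders, and JSON permits no inline comments, so those assumptions are stated here rather than in the file.

```json
{
  "policies": {
    "Proxy": {
      "Mode": "manual",
      "HTTPProxy": "proxy.example.internal:3128",
      "UseHTTPProxyForAllProtocols": true,
      "Passthrough": "localhost, 127.0.0.1, .example.internal",
      "Locked": true
    },
    "DisableDeveloperTools": true,
    "BlockAboutConfig": true,
    "DisableTelemetry": true,
    "DisableFirefoxStudies": true,
    "EnableTrackingProtection": {
      "Value": true,
      "Locked": true,
      "Cryptomining": true,
      "Fingerprinting": true
    },
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked"
      }
    }
  }
}
```

The file is placed in a distribution directory next to the Firefox installation (on Linux it can also live under /etc/firefox/policies; I am stating both locations from memory, so verify against the enterprise documentation for your release). The "*" entry in ExtensionSettings blocks all add-on installs; an organisation that allows specific add-ons adds one keyed entry per extension ID. After the browser starts, the about:policies page lists which policies were actually applied, which is the quickest way to confirm the file was parsed and that "Locked" settings cannot be changed from the preferences UI.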

Firefox for iOS 20.2 is a free mobile version for iOS 11 and up, with automatic search suggestions, a private browsing mode, tracking protection and Siri Shortcut support for iOS 12.