Thunderbird security update

Thunderbird is Mozilla Corp.’s open-source, cross-platform email, chat, calendar, contacts and newsfeed (RSS) program, which features reliable email processing, smart folders, phishing protection and spam tools, special support for large-file transfers, quick filtering, Web searching, and plug-ins/add-ons for customization. See Thunderbird help topics for more information.

Thunderbird 68.9.0 is a free download for OS X 10.9 and up, as well as Linux and Windows. (Pre-release test versions are also available.)

The latest release brings security fixes, along with a few bug fixes.

Google Chrome security patches

Google Chrome has another security update today with patches for high-priority vulnerabilities in the latest release.

The cross-platform web browser from Google Inc. utilizes a hidden auto-update daemon and agent that wrecked Mac systems and wreaked other havoc, plus other proprietary Google additions on top of its open-source platform.

Google Chrome 83.0.4103.97 is a free download for OS X 10.10 and later, as well as Linux and Windows.

Google Chrome for iOS 83.0.4103.88 is a free download for iOS 12 and up.

TenFourFox

TenFourFox is a Firefox-based web browser, reprogrammed for PowerPC-based Macs with separate downloads optimized for G3, G4 and G5 processors. Providing up-to-date security to the older Mac platform, it offers “the latest bug fixes, security improvements and all the powerful technology underlying Mozilla Firefox”, along with “AltiVec JPEG, HTML and WebM decoding acceleration for G4 and G5 Macintoshes” and JavaScript performance based on a “best-in-class, just-in-time PowerPC script compiler.”

TenFourFox Feature Parity Release 23 is free and open-source software for PowerPC-based Macs running Mac OS X 10.4 and 10.5. Release 23 brings security fixes, faster performance and other improvements.

  • Improved image and CSP compatibility
  • Improved JavaScript performance
  • All relevant security and stability fixes from Firefox ESR 68.9

Firefox security fixes, QR sync

Firefox, Mozilla’s open-source, privacy-enhancing alternative to Apple’s proprietary Safari and Google Chrome web browsers, got an update today with important security fixes.

Firefox 77.0 is a free download for OS X 10.9 and up, plus Linux and Windows.

Firefox ESR 68.9.0esr (see security notes and downloads) includes the security fixes for the Extended Support Release family for OS X 10.9 or later, Linux, or Windows. A Firefox FTP server includes all the various versions for downloading.

Firefox Quantum Developer Edition is an alternate version for desktop systems that incorporates tools such as editors, debuggers and responsive design views.

Firefox Quantum for Enterprise is a version that lets people set up policies (e.g. proxy, restrict features) with Group Policy on Windows and a JSON file on Mac and Linux.

Firefox for iOS 26 is a free mobile version for iOS 11 and up, with automatic search suggestions, a private browsing mode, tracking protection and Siri Shortcut support for iOS 12 and later. The latest update adds QR sync:

Syncing your bookmarks, logins and browsing history is easier than ever with QR code pairing. Pair Firefox for iOS with Firefox desktop using your phone’s camera for a seamless experience.

Apple security updates

Apple posted unexpected security updates today for its Mac, mobile and media platforms just a week after its last batch of critical security patches, apparently this time looking to shut down the unc0ver jailbreak.

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-9859: unc0ver

Apple also modified the macOS 10.15.5 update packages it had posted last week on its Downloads page (which is often out of date and misleading but has been updated).

VMware security update

VMware Fusion 11.5.5 patches a security problem in the cross-platform virtualization system from VMware Inc.

Attackers with normal user privileges can exploit this issue to escalate their privileges to root on a system where Fusion is installed. The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2020-3957 to this issue. See VMSA-2020-0011 for more information.

VMware Fusion creates “virtual machines” that can run one operating system (Windows, Linux or Mac) within another operating system for testing, development, security or cross-platform capabilities (e.g. running Windows on OS X in order to use Windows applications on a Mac).

Features include shared folders, support for the latest Windows 10 releases (and a Windows Migration Assistant) and for Retina Macs (including iMac 5K), Touch Bar, Apple Metal graphics, DirectX 10, OpenGL 3.3, USB 3, 64-bit processing and more.

VMware Fusion 11.5.5 is priced at $79.99. The updated version suddenly requires macOS 10.14 or later and fails on earlier versions.

Trial versions and upgrade discounts are available. VMware Fusion Pro is priced at $159.99. See comparison tables and FAQ for more information. (See also Known Issues for workarounds to a number of problems with macOS 10.15 Catalina and other issues.)

VMware Workstation Player and Workstation Pro host virtual machines on Linux and Windows (but Apple licenses prohibit use of macOS on non-Apple hardware).

Apple additional security patches

In addition to a big batch of macOS security and bug fixes, Apple issued security patches for its Safari web browser (for macOS 10.13 and later), plus Apple Windows software, as well as tvOS and delayed notes about recent iOS and watchOS security patches.

macOS security patches, bug fixes, etc.

Apple posted macOS 10.15.5 today to patch a bunch of big security holes, plus patch updates for the two previous macOS versions it supports. (Apple no longer supports macOS 10.12 or any earlier versions.)

macOS 10.15.5 also adds features, including “battery health management”, plus a bunch of bug fixes, including kernel panics with RAID volumes, GPU-related freezes, sleep/wake bugs, authentication issues, T2 sound bugs, notification badge bugs, and more.

macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

  • Processing a maliciously crafted image, audio file, or PDF file may lead to arbitrary code execution
  • A remote attacker may be able to cause arbitrary code execution
  • An application may be able to execute arbitrary code with kernel privileges
  • A malicious application may be able to gain root privileges
  • Importing a maliciously crafted calendar invitation may exfiltrate user information
  • A remote attacker may be able to leak sensitive user information
  • A malicious website may be able to exfiltrate autofilled data in Safari
  • A malicious application may be able to bypass Privacy preferences
  • A malicious application may be able to break out of its sandbox
  • A file may be incorrectly rendered to execute JavaScript
  • Inserting a USB device that sends invalid messages may cause a kernel panic
  • [etc.]

Little Snitch security update

Little Snitch is privacy/firewall software for the Mac from Objective Development Software GmbH that monitors network activity and gives you control and visibility for data leaving your computer via network connections. Features include connection alerts with flexible blocking of outgoing traffic, including on-the-fly control, rules-based configuration (with several aids) and configuration profiles (e.g. for different locations or networks); DNS name based traffic filtering; network monitoring displays and snapshots (with details about traffic, history, hostnames, ports, geographic locations, etc., plus packet capture in PCAP format); an inbound firewall; a “research assistant” database to help identify networks and activities; and much more.

Little Snitch 4.5.2 is priced at $45 for OS X 10.11 and up. A demo mode functions for three hours at a time, for 30 days. (Little Snitch legacy versions support Mac OS X 10.2 and up.)

The latest release brings a security patch and should be installed promptly:

We highly recommend to update to this version soon because it fixes a possible privilege escalation.

  • Fixes a privilege escalation issue (CVE-2020-13095). Details about this issue will be revealed later.
  • Fixes an issue in the connection alert causing the user’s host/domain choice to be ignored under some rare circumstances.

Chromium: major security update

The Chromium web browser gets a bunch of high-priority security patches (including for CVE-2020-6465 to CVE-2020-6469, plus others) in the latest release, in conjunction with the “massive” overhaul of Chrome 83.

Chromium is an open-source web browser project on which Google Chrome is built, but it doesn’t include Google’s proprietary alterations, such as the hidden auto-update daemon and agent that wrecked Mac systems and caused other havoc. (Chromium also omits the Adobe/Pepper Flash plug-in with Flash’s many dangerous security flaws.)

Chromium 83.0.4103.61 is a free download for OS X 10.10 and up, available via SourceForge and via FreeSMUG. A separate Chromium updater extension checks FreeSMUG for new releases, and Chromium can also be installed and updated via Homebrew.

Chromium is available for Linux and Windows, too.