Unsolved
This post is more than 5 years old
3 Apprentice
•
15.2K Posts
0
1281
Updates 11/15/16 - CCleaner, Firefox, MBAE
CCleaner v5.24.5839 (15 Nov 2016)
- Improved Firefox History cleaning
- Improved Opera and Vivaldi Session cleaning
- Updated Internet Explorer and Edge Cache cleaning
- Updated Windows Explorer MRU Cache cleaning
- Improved Monitoring notifications
- Minor GUI improvements
- Minor bug fixes
Either be careful to UNcheck any pre-checked offers for bundled programs/toolbars (unless you really want them)... or else, wait a few days until the SLIM build is released.
ky331
3 Apprentice
3 Apprentice
•
15.2K Posts
0
November 15th, 2016 06:00
Firefox 50 ( https://www.mozilla.org/en-US/firefox/50.0/releasenotes/ )
New
Updates to keyboard shortcuts
Added option to Find in page that allows users to limit search to whole words only
Added Guarani (gn) locale
Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
Added download protection for a large number of executable file types on Windows, Mac and Linux
Improved performance for SDK extensions or extensions using the SDK module loader
Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
Fixed
Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
Various security fixes
Changed
Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
Blocked versions of libavcodec older than 54.35.1
======================================
Available via the internal updater: Help / About Firefox
ky331
3 Apprentice
3 Apprentice
•
15.2K Posts
0
November 15th, 2016 09:00
https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
Security vulnerabilities fixed in Firefox 50
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
Description
A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially expoitable crash.
References
#CVE-2016-5292: URL parsing causes crash
Description
During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash.
References
#CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink
Description
When the Mozilla updater is run, if the updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access.
Note: this issue only affects Windows operating systems.
References
#CVE-2016-5294: Arbitrary target directory for result files of update process
Description
The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access.
Note: this issue only affects Windows operating systems.
References
#CVE-2016-5297: Incorrect argument length checking in Javascript
Description
An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues.
References
#CVE-2016-9064: Addons update must verify IDs match between current and new versions
Description
Addon updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update.
References
#CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
Description
The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
References
#CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
Description
A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data.
References
#CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
Description
Two use-after-free errors during DOM operations resulting in potentially exploitable crashes.
References
#CVE-2016-9068: heap-use-after-free in nsRefreshDriver
Description
A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash.
References
#CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
Description
When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default.
Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected.
References
#CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
Description
An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission.
References
#CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
Description
Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations.
References
#CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
Description
A same-origin policy bypass with local shortcut files to load arbitrary local content from disk.
References
#CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
Description
This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozlla updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44.
Note: this issue only affects Windows operating systems.
References
#CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
Description
A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded.
Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected.
References
#CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Description
A previously installed malicious installed Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
References
#CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Description
A previously installed malicious installed Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
References
#CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file
Description
Private browsing mode leaves metadata information, such as URLs, for sites visited in browser.db and browser.db-wal files within the Firefox profile after the mode is exited.
Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
References
#CVE-2016-9070: Sidebar bookmark can have reference to chrome window
Description
A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections.
References
#CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
Description
WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox.
References
#CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
Description
An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1.
References
#CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
Description
An issue where a
dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function. References Bug 1276976 #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat ReporterGustavo GriecoImpactlow Description An integer overflow during the parsing of XML using the Expat library. References Bug 1274777 #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP ReporterXiaoyin LiuImpactlow Description Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. References Bug 1285003 #CVE-2016-5289: Memory safety bugs fixed in Firefox 50 ReporterMozilla developersImpactcritical Description Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 50 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 ReporterMozilla developersImpactcritical Description Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5ky331
3 Apprentice
3 Apprentice
•
15.2K Posts
0
November 15th, 2016 15:00
MBAE (Anti-Exploit) 1.9.1.1261
New Features:
• Hardened and more secure API hooking framework
• Added self protection mechanisms
• Added sandbox technique for Silverlight
• Added Layer3 techniques against Macro exploits
• Added Layer3 techniques against social engineering exploits
• Added Java advanced configuration options for companies
• Added dynamic configuration feature to manage conflicts
• Added support for MS Play Ready
• Changed balloon notification to off by default
• Remove Run entry during uninstallation
Fixes:
• Fixed conflict with Symantec DLP
• Fixed conflict with Chinese banking software
• Fixed conflict with Office TabLoader
• Fixed conflict with Kobil mIdentity software
• Fixed false positive with Adobe and .NET modules
• Fixed issue when adding invalid custom shield
--------------------------------------------------------------------------------
Remark: This is the same changelog as had been announced for build x.1235... so it's unclear what the NEW changes are --- perhaps some "bug-fixes"...
ky331
3 Apprentice
3 Apprentice
•
15.2K Posts
0
November 17th, 2016 06:00
Not sure of the reason... probably to fix a minor glitch... but CCleaner build has "revised" to x.5841