Thursday, December 05, 2024

Pale Moon Version 33.5.0 Released with Security Updates

Pale Moon has been updated to version 33.5.0. This is a development, bugfix and security release.

Note: Intel Mac builds are now "ad hoc" signed instead of unsigned, which should solve potential issues with newer macOS while still being compatible with old OS X. If you experience issues, please post in the Mac board on the forum for support.

Changes/fixes:

  • Implemented Regular Expression "match indices" (/d) feature.
  • Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking.
  • Updated handling of referrer policies to adhere to the updated spec.
  • CSS font variations keywords no longer throw an error. See implementation notes.
  • CSS border-radius will now also apply to element outlines.
  • Improved the display of amount of cached web content in preferences when cache is being cleared.
  • Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it).
  • Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
  • Refreshed the built-in list of effective top-level domains.
  • Fixed several application crashes.
  • Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
  • Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
  • Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
  • From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese.
  • Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).
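
The "match indices" (/d) feature listed above is easiest to understand from a concrete use. As an added example (not code from the Pale Moon project or from this page), the block below uses the offsets that /d exposes to redact a captured value by its exact position rather than by searching for its text again, which matters when the same value also occurs in a harmless place. The log line and the pattern are constructed for the example.

```javascript
// Added example: using RegExp match indices (the /d flag) to locate and
// redact a secret by its exact offsets. The sample log line and the pattern
// are constructed for this example; they are not Pale Moon code.

// Named groups give us `indices.groups`, so each capture comes with a
// [start, end) pair relative to the original string.
const TOKEN_RE = /token=(?<token>[A-Za-z0-9._-]+)/dg;

// Return every capture span of group `name` in `text` as [start, end] pairs.
function captureSpans(text, regex, name) {
  if (!regex.hasIndices) {
    throw new Error("regex must be compiled with the /d flag");
  }
  const spans = [];
  for (const m of text.matchAll(regex)) {
    const span = m.indices.groups[name];
    if (span) spans.push(span);
  }
  return spans;
}

// Replace each span with "[REDACTED]", working from the end of the string so
// the earlier offsets stay valid while the string is edited.
function redactSpans(text, spans) {
  let out = text;
  for (const [start, end] of [...spans].sort((a, b) => b[0] - a[0])) {
    out = out.slice(0, start) + "[REDACTED]" + out.slice(end);
  }
  return out;
}

// Constructed sample: the token value appears twice, once as the secret in the
// query string and once as harmless text in the user agent. A plain text search
// for the value would redact both; the match indices pin down only the capture.
const SAMPLE_LINE =
  'GET /cb?token=abc.def-123 HTTP/1.1 user-agent="abc.def-123 bot"';

function demo() {
  const spans = captureSpans(SAMPLE_LINE, TOKEN_RE, "token");
  return { spans, redacted: redactSpans(SAMPLE_LINE, spans) };
}
```

Without /d, `m.index` only tells you where the whole match starts; to find the capture you would have to re-derive its offset from the prefix, which is exactly the fragile step the indices remove.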

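The referrer-policy item above is a one-line entry, so as an added example (not Pale Moon code, and not a description of Pale Moon's implementation) here is the referrer computation that the Referrer Policy spec defines for each policy value, written against Node's WHATWG URL class. It makes one simplifying assumption: "potentially trustworthy" is approximated as an https: or wss: scheme (the spec's localhost and file: cases are ignored), and the spec's cap on over-long referrers is omitted. The sample URLs are constructed.

```javascript
// Added example: compute the Referer value sent for a request from `fromUrl`
// to `toUrl` under a given Referrer-Policy, following the spec's
// "determine request's referrer" steps. Assumption: "potentially trustworthy"
// is approximated as https:/wss: only; the 4096-byte length cap is omitted.

const DEFAULT_POLICY = "strict-origin-when-cross-origin";

function isPotentiallyTrustworthy(url) {
  return url.protocol === "https:" || url.protocol === "wss:";
}

// Full referrer: the URL with credentials and fragment removed.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer: scheme, host and port, serialized with a trailing "/".
function originOnly(url) {
  return url.origin + "/";
}

// Returns the Referer string, or null when no referrer must be sent.
function computeReferrer(fromUrl, toUrl, policy = "") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const p = policy || DEFAULT_POLICY;

  // Only http(s) documents act as referrers; about:, data:, file: never leak.
  if (from.protocol !== "http:" && from.protocol !== "https:") return null;

  const sameOrigin = from.origin === to.origin;
  const downgrade =
    isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (p) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return stripForReferrer(from);
    case "origin":
      return originOnly(from);
    case "same-origin":
      return sameOrigin ? stripForReferrer(from) : null;
    case "strict-origin":
      return downgrade ? null : originOnly(from);
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(from);
    case "origin-when-cross-origin":
      return sameOrigin ? stripForReferrer(from) : originOnly(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(from);
      return downgrade ? null : originOnly(from);
    default:
      throw new Error(`unknown referrer policy: ${p}`);
  }
}
```

The security-relevant cases are the downgrade ones: under the default policy an https: page navigating to an http: destination sends no Referer at all, while a cross-origin https: destination receives only the origin, so path and query never cross the origin boundary unless a page opts into unsafe-url.
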
Implementation notes:

  • The CSS font variations keywords (woff2-variations, truetype-variations, etc.) let webmasters give format hints for @font-face font resources, so that authors can offer alternative resources for browsers that don't support tech(variations). The intent of these hints is to offer a variable-font alternative alongside a regular font without variations. Unfortunately, some webmasters don't supply the base font that the variation font face is meant to be an alternative for. Pale Moon then threw an error on the only @font-face src entry provided, the web font was not loaded at all (because no valid entry was found), and the website layout broke. From this version onwards, we parse the -variations keywords so that variation alternative font faces are loaded even when no base font was specified. To webmasters who only supply @font-face entries with variations keywords: please understand the intent of this CSS Fonts Level 4 spec and always provide a base font entry (graceful fallback).
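
As an added illustration (not the project's own CSS), the two @font-face rules below show the single-entry form that failed to load in earlier versions and the recommended form with a base font fallback. The font file names are placeholders.

```css
/* Added example; font file names are placeholders.
   Before 33.5.0, Pale Moon rejected a src entry carrying a -variations keyword.
   With this as the ONLY entry, no valid src remained and the font never loaded. */
@font-face {
  font-family: "Site Sans";
  src: url("site-sans-vf.woff2") format("woff2-variations");
}

/* Recommended: list the variable font first, then a plain font as the base.
   Engines skip src entries whose format()/tech() they do not support and use
   the first entry they can load, so every engine ends up with a usable face. */
@font-face {
  font-family: "Site Sans";
  src: url("site-sans-vf.woff2") format("woff2") tech(variations),
       url("site-sans-vf.woff2") format("woff2-variations"),
       url("site-sans-regular.woff2") format("woff2");
}
```

The `format("woff2") tech(variations)` entry is the current CSS Fonts Level 4 syntax; the `format("woff2-variations")` entry is the older keyword form that this release now parses; the last entry is the base font that every browser understands.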

*DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

**Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle


Remember - "A day without laughter is a day wasted."

Wednesday, December 04, 2024

Optional Hotfix Patch for Adobe Reader and Acrobat

Adobe has released an optional hotfix patch that addresses some important bug fixes.

Update or Complete Download

Reader DC and Acrobat DC were updated to version 24.005.20307.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


May the wind sing to you and the sun rise in your heart...

Tuesday, November 26, 2024

Mozilla Firefox Version 133.0 Released with Security Updates

Mozilla sent Firefox Version 133.0 to the release channel. Firefox ESR was updated to Version 128.5.

Note: For Firefox users on Windows 7, 8 and 8.1, Firefox Version 115 is the last supported version for those operating systems and will be moved to the latest ESR version by automatic update.  See Firefox users on Windows 7, 8 and 8.1 moving to Extended Support Release.

The update includes seventeen security updates of which two (2) are rated high, nine (9) are rated moderate, and six (6) are rated low.

High

  • CVE-2024-11691: Memory corruption in Apple GPU drivers
  • CVE-2024-11699: Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5

Moderate

  • CVE-2024-11700: Potential Tapjacking Exploit for Intent Confirmation on Android
  • CVE-2024-11692: Select list elements could be shown over another site
  • CVE-2024-11701: Misleading Address Bar State During Navigation Interruption
  • CVE-2024-11702: Inadequate Clipboard Protection in Private Browsing Mode on Android
  • CVE-2024-11693: Download Protections were bypassed by .library-ms files on Windows
  • CVE-2024-11694: CSP Bypass and XSS Exposure via Web Compatibility Shims
  • CVE-2024-11695: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
  • CVE-2024-11703: Password access without authentication via PIN bypass on Android
  • CVE-2024-11696: Unhandled Exception in Add-on Signature Verification

Low

  • CVE-2024-11697: Improper Keypress Handling in Executable File Confirmation Dialog
  • CVE-2024-11704: Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
  • CVE-2024-11698: Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
  • CVE-2024-11705: Null Pointer Dereference in NSC_DeriveKey
  • CVE-2024-11706: Null Pointer Dereference in PKCS#12 Utility
  • CVE-2024-11708: Data race with PlaybackParams

New

  • Firefox now has a new anti-tracking feature, Bounce Tracking Protection, which is now available in Enhanced Tracking Protection's "Strict" mode. This feature detects bounce trackers based on their redirect behavior and periodically purges their cookies and site data to block tracking.
  • The sidebar to view tabs from other devices can now be opened via the Tab overview menu.
  • GPU-accelerated Canvas2D is now enabled by default on Windows providing a performance improvement.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


