Microsoft March 2023 Security Updates

  

The Microsoft March 2023 security updates have been released and consist of 74 new CVEs.  Of these CVEs, 6 are rated critical and 67 are rated important and one rated moderate in severity.  At the time of release, one is listed as publicly known and two as being in the wild.

The security updates apply to the following products, features, and roles:  Azure, Client Server Run-time Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office SharePoint, Microsoft OneDrive, Microsoft PostScript Printer Driver, Microsoft Printer Drivers, Microsoft Windows Codecs Library, Office for Android, Remote Access Service Point-to-Point Tunneling Protocol, Role: DNS Server, Role: Windows Hyper-V, Service Fabric, Visual Studio, Windows Accounts Control, Windows Bluetooth Service, Windows Central Resource Manager, Windows Cryptographic Services, Windows Defender, Windows HTTP Protocol Stack, Windows HTTP.sys, Windows Internet Key Exchange (IKE) Protocol, Windows Kernel, Windows Partition Management Driver, Windows Point-to-Point Protocol over Ethernet (PPPoE), Windows Remote Procedure Call, Windows Remote Procedure Call Runtime, Windows Resilient File System (ReFS), Windows Secure Channel, Windows SmartScreen, Windows TPM, and Windows Win32K,

See the very long list of KBs at the bottom of the page at March 2023 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. 

Important:

After March 2023, there are no more optional, non-security preview releases for the supported editions of Windows 10, version 20H2 and Windows 10, version 21H2. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for these versions. Windows 10, version 22H2 will continue to receive security and optional releases.

Recommended Reading:   See Dustin Childs review and analysis in Zero Day Initiative -- The March 2023 Security Update Review.

 

Additional Update Notes:

• MSRT -- The Malicious Software Removal Tool is now run on a quarterly basis rather than monthly.  See Remove specific prevalent malware with Windows Malicious Software Removal Tool. 
• Servicing Stack Updates -- Microsoft now combines the latest servicing stack update (SSU) for your operating system with the Latest Cumulative Updates (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
  
• Windows updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows, in addition to non-security updates. The updates are also available via search for the KB number in the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 and Windows 11 operating systems, please see Windows 10 Home and Pro - Microsoft Lifecycle | Microsoft Docs and Windows 11 Home and Pro (Version 21H2) - Microsoft Lifecycle | Microsoft Docs.
• Windows Update History:
• Windows 11
• Windows 10

 

References

• Security Update FAQ
• Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 111.0 Released with Security Updates

 Mozilla sent Firefox Version 111.0 to the release channel today.  The update includes nineteen security updates of which seven (7) are rated high and six (6) rated moderate.

Firefox ESR was updated to Version 102.9.

High

#CVE-2023-28159: Fullscreen Notification could have been hidden by download popups on Android

#CVE-2023-25748: Fullscreen Notification could have been hidden by window prompts on Android

#CVE-2023-25749: Firefox for Android may have opened third-party apps without a prompt

#CVE-2023-25750: Potential ServiceWorker cache leak during private browsing mode

#CVE-2023-25751: Incorrect code generation during JIT compilation

#CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

#CVE-2023-28177: Memory safety bugs fixed in Firefox 111

Moderate

#CVE-2023-28160: Redirect to Web Extension files may have leaked local path

#CVE-2023-28164: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation

#CVE-2023-28161: One-time permissions granted to a local file were extended to other local files loaded in the same tab

#CVE-2023-28162: Invalid downcast in Worklets

#CVE-2023-25752: Potential out-of-bounds when accessing throttled streams

#CVE-2023-28163: Windows Save As dialog resolved environment variables 

New

• Windows native notifications are now enabled.
• Firefox Relay users can now opt-in to create Relay email masks directly from the Firefox credential manager. You must be signed in with your Firefox Account.
• We’ve added two new locales: Silhe Friulian (fur) and Sardinian (sc).

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References:

• Security Updates
• Release Notes
• Rapid Release Calendar

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat and Reader Update with New Features

  

Adobe has released an update with new features for Acrobat and Acrobat Reader for Windows and Mac with some of the features being rolled out incrementally. 

New Features

The following new features are introduced in this release. See the Release Notes to know more about the features.

• Introducing Acrobat Reader's new experience
• Adobe Acrobat and Acrobat Reader version changes
• Enhanced scrolling experience
• Improvements in auto-adjust layout while editing PDFs
• Back button to navigate to all tools in modern viewer
• Third-party plugins support in modern viewer
• New crop option in the right click context menu
• Add custom page tool renamed to design a new page
• Page size while adding a new custom page
• Enable recipients to invite people using @mention
• Promote sharing of files using @mention
• Promote sharing of files tool usage after create and convert workflows
• Promote edit tool usage
• Promote export tool usage while using select all and take a snapshot option
• Promote sign tools discovery
• Acrobat cross surface discovery

Update or Complete Download

Adobe Acrobat and Reader were updated to version 23.001.20064 for Windows and .x20063 for Mac.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...