Tuesday, April 13, 2021

Microsoft April 2021 Security Updates



The Microsoft April 2021 security updates have been released and consist of 114 CVEs.  The updates apply to the long list of products, features and roles that can be found in the April Security Updates Guide.  Of these 89 CVEs, 19 are rated Critical, 89, and 1 is rated Important in severity. Six additional bugs impact Chromium-based Edge.  

 

According to Microsoft, one bug is currently being exploited while four others are publicly known at the time of release.  In addition, CVE-2021-28310 is listed as being actively exploited.

  

The updates released today will automatically remove Edge Legacy, which is out of support, and replace it with the new Chromium-based Edge.  If you still use Edge Legacy, or if you have blocked the Chromium Edge update using group policies/registry hacks, those settings will be ignored and the legacy version will be removed automatically.

 

Important Note For Windows 10, Version 2004 and Windows 10, Version 20H2:


Before installing this update


Prerequisite:  Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). If you encounter the error, 0x800f0823 – CBS_E_NEW_SERVICING_STACK_REQUIRED, close the error message and install the last standalone SSU (KB4598481) before installing this LCU. You will not need to install this SSU (KB4598481) again for future updates. 

 

For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions

 

For Windows 10 Version 1909, see KB5001337.

 

The KBs listed below contain information about known issues with the security updates:

KB Article Applies To
4504715 SharePoint Server 2019 Language Pack
4504716 SharePoint Server 2019
5001330 Windows 10, Version 2004, Windows Server, Version 2004, Windows 10, Version 20H2, Windows Server, Version 20H2
5001332 Windows Server 2008 (Security-only update)
5001335 Windows 7, Windows Server 2008 R2 (Monthly Rollup)
5001337 Windows 10, Version 1909, Windows Server, Version 1909
5001342 Windows 10, Version 1809, Windows Server 2019
5001347 Windows 10, Version 1607, Windows Server 2016
5001382 Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 (Monthly Rollup)
5001383 Windows Server 2012 (Security-only update)
5001387 Windows Server 2012 (Monthly Rollup)
5001389 Windows Server 2008 (Monthly Rollup)
5001392 Windows 7, Windows Server 2008 R2 (Security-only update)
5001393 Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 (Security-only update)
5001779 Microsoft Exchange Server 2019, 2016, 2013

 

Recommended Reading:  See Dustin Childs' review and analysis in Zero Day Initiative -- The April 2021 Security Update Review.

 

Additional Update Notes:

 

References


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Sunday, April 04, 2021

Happy Easter! "Khrystos Voskres!"



"Khrystos Voskres!"

(Christ is Risen!)






"Voistyno Voskres!"

(He is Truly Risen!)










Tuesday, March 30, 2021

Pale Moon Version 29.1.1 Released with Security Update


Pale Moon

Pale Moon has been updated to version 29.1.1.  This update is a minor security and bugfix update.  Linux versions will follow soon.

Changes/fixes:
  • Updated NSS to fix certificate import and keygen regressions.
  • Removed restrictions for units of width/height attributes on SVG elements.
  • Enabled scrollbar-width CSS keyword by default.
  • Security issues addressed: CVE-2021-23981 and a DiD* fix for potential document parser confusion.
  • Unified XUL Platform Mozilla Security Patch Summary: 2 DiD*, 9 not applicable.

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Pale Moon includes both 32- and 64-bit versions for Windows:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes






Monday, March 29, 2021

Microsoft March 2021 "C" Release Preview Cumulative Update for Windows 10 Versions 2004 and 20H2

Microsoft released the monthly “C” release preview cumulative update with non-security improvements and fixes for Windows 10 Versions 2004 and 20H2.  Both versions are receiving the same KB5000850 with a long list of key changes which can be viewed in the KB article.  Note, however, if you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.  

Prerequisite:

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). If you encounter the error, 0x800f0823 – CBS_E_NEW_SERVICING_STACK_REQUIRED, close the error message and install the last standalone SSU (KB4598481) before installing this LCU. You will not need to install this SSU (KB4598481) again for future updates.

To download and install the update, go to Settings -> Update and Security -> Windows Update and select Check for updates. To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Version 2004 (Build 19041.906) and Version 20H2 (Build 19041.906), KB5000850:  

If you are using Windows Update, the latest SSU KB5001205 will be offered to you automatically. The SSU update addresses an issue that might prevent the CVE-2020-0689 update from installing. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

 Highlights

  • Updates an issue with zoom that occurs when using Microsoft Edge IE Mode on devices that use multiple high-DPI monitors.
  • Updates an issue that makes high dynamic range (HDR) screens appear much darker than expected.
  • Updates an issue that causes video playback to be out of sync in duplicate mode when you use multiple monitors.
  • Updates an issue that displays nothing or shows “Computing Filters” indefinitely when you filter File Explorer search results. 
  • Updates an issue that makes the split layout unavailable for the touch keyboard when you rotate a device to portrait mode. 
  • Informs users when a child account in the Family Safety plan has administrative privileges. 
  • Updates an issue that prevents you from closing Toast Notifications using the Close button on touchscreen devices. 
  • Updates an issue with 7.1 channel audio technology. 
  • Updates an issue that causes a device to stop working if you delete files or folders that OneDrive syncs. 

Note:  This update also removes the Microsoft Edge Legacy desktop application that is out of support and installs the new Microsoft Edge. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release

For information about the types of updates released by Microsoft each month, see Windows 10 update servicing cadence primer.


Windows 10 update history



Friday, March 26, 2021

Microsoft March 2021 "C" Release Preview Cumulative Update for Windows 10 Versions 1909 and 1809


Microsoft released the monthly “C” release preview cumulative update with non-security improvements and fixes yesterday for Windows 10 Versions 1909 and 1809. 

Both sets of updates have a long list of key changes which can be viewed in the KB articles.  Note, however, if you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.  To download and install the update, go to Settings -> Update and Security -> Windows Update and select Check for updates. Links to the standalone packages are included in the update information below.

Windows Version 1909 (Build 18363.1474), KB5000850:  

If you are using Windows Update, the latest SSU KB5001205 will be offered to you automatically. The SSU update addresses an issue that might prevent the CVE-2020-0689 update from installing. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

Highlights

  • Updates an issue with zoom that occurs when using Microsoft Edge IE Mode on devices that use multiple high-DPI monitors. 
  • Updates an issue with Japanese input that occurs after focus changes between boxes in Microsoft Edge Legacy. 
  • Updates an issue that displays nothing or shows “Computing Filters” indefinitely when you filter File Explorer search results. 

Note:  This update also removes the Microsoft Edge Legacy desktop application that is out of support and installs the new Microsoft Edge. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release.

Windows 10 Version 1809 (Build 17763.1852), KB45000854:  

If you are using Windows Update, the latest SSU (KB5000859) will be offered to you automatically. The standalone package for the update is available in the Microsoft Update Catalog.  To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

Highlights

  • Updates an issue with zoom that occurs when using Microsoft Edge IE Mode on devices that use multiple high-DPI monitors.
  • Updates an issue that displays nothing or shows “Computing Filters” indefinitely when you filter File Explorer search results. 
  • Updates an issue with Japanese input that occurs after focus changes between boxes in Microsoft Edge Legacy. 

Known Issue:  After installing KB4493509, devices with some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."

For information about the types of updates released by Microsoft each month, see Windows 10 update servicing cadence primer.

Windows 10 update history



Tuesday, March 23, 2021

Mozilla Firefox Version 87.0 Released With Security Updates

Firefox

Mozilla sent Firefox Version 87.0 to the release channel today.  The update includes eight security updates of which two (2) are rated high, four (4) moderate and two (2) rated low.

 

Firefox ESR was updated to Version 78.9.

High

 

Moderate

 

Low

 New

  • You’ll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly.
  • To further protect your privacy, our new default HTTP Referrer policy will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data.
  • The “Highlight All” feature on Find in Page now displays tick marks alongside your scrollbar that correspond to the location of matches found on that page.
  • We’re proud to announce full support for macOS built-in screen reader, VoiceOver.
  • We’ve added a new locale: Silesian (szl)
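The referrer change in the list above, as an added example (not code from Mozilla or from the original post): it computes the `Referer` value a browser would send under Firefox's previous default policy and under the new one, so the trimmed path and query string are visible side by side. The policy names `no-referrer-when-downgrade` and `strict-origin-when-cross-origin` are the standard Referrer-Policy values and do not appear in the post; the URLs are constructed samples, and "downgrade" is simplified here to HTTPS-to-non-HTTPS.

```javascript
// Added example: Referer computation under two Referrer-Policy defaults.
// Simplification (assumption): a "downgrade" is any https: -> non-https: request.

function computeReferrer(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Only http(s) documents send a referrer at all.
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null;

  // Credentials and fragments are never included in a referrer.
  from.username = '';
  from.password = '';
  from.hash = '';

  const full = from.href;               // origin + path + query
  const originOnly = from.origin + '/'; // path and query trimmed
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer-when-downgrade':      // previous default
      return downgrade ? null : full;
    case 'strict-origin-when-cross-origin': // new default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// Compare both defaults for one navigation or subresource request.
function compareDefaults(fromUrl, toUrl) {
  const before = computeReferrer(fromUrl, toUrl, 'no-referrer-when-downgrade');
  const after = computeReferrer(fromUrl, toUrl, 'strict-origin-when-cross-origin');
  return { before, after, trimmed: before !== after };
}

// Constructed sample requests: [document URL, requested URL].
const SAMPLE_REQUESTS = [
  ['https://bank.example/reset?token=abc123#step2', 'https://cdn.example/lib.js'],
  ['https://bank.example/reset?token=abc123', 'https://bank.example/account'],
  ['https://bank.example/reset?token=abc123', 'http://tracker.example/pixel'],
  ['http://intranet.example/wiki/HR?user=42', 'http://stats.example/collect'],
];

// Returns one report row per request, flagging where the new default
// withholds path/query data that the old default would have sent.
function auditRequests(requests) {
  return requests.map(([from, to]) => ({ to, ...compareDefaults(from, to) }));
}

for (const row of auditRequests(SAMPLE_REQUESTS)) {
  console.log(`${row.to}\n  before: ${row.before}\n  after:  ${row.after}`);
}
```

A site can still set its own policy with the `Referrer-Policy` response header; the browser default only applies when the site sets none.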

 

Fixed

 

Changed

  • To prevent user data loss when filling out forms, we’ve disabled the Backspace key as a navigation shortcut for the back navigation button. To re-enable the Backspace keyboard shortcut, you can change the about:config preference browser.backspace_action to 0. You can also use the recommended Alt + Left arrow (Command + Left arrow on Mac) shortcut instead.
    Firefox keyboard shortcuts
  • We've removed items from the Library menu that weren't used often or have other access points in the browser: Synced tabs, Recent highlights, and Pocket list.
  • We've simplified the Help menu by reducing redundant items, such as those that point to Firefox support pages that can also be accessed via the Get Help item.

 
Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download. 
 
References


Friday, March 19, 2021

Second Out-of-Band Update Released by Microsoft for Printer Issues

Microsoft released a second out-of-band non-security update to address unexpected results when printing from some apps or to some printers for the Windows 10 Versions listed below.  

The issues affect printer brands Kyocera, Ricoh, Dymo, Zebra, HP, Brother, and Canon after installing the security update released March 9, 2021 and the out-of-band updates released March 15, 2021.  

Note:  It is recommended that the update be installed only if your printer is affected by the issue(s) being addressed in the update.  The issues are missing or solid color graphics, misalignment/formatting issues, or printing of blank pages/labels.  For more information, see the known issues section for your version of Windows 10 in the appropriate KB Article below.

  • Windows 10, version 20H2 and Windows Server, version 20H2 (KB5001649)
  • Windows 10, version 2004 and Windows Server, version 2004 (KB5001649)
  • Windows 10, version 1909 and Windows Server, version 1909 (KB5001648)
  • Windows 10, version 1809 and Windows Server 2019 (KB5001638)
  • Windows 10, version 1803 (KB5001634)
  • Windows 10, version 1607 and Windows Server 2016 (KB5001633)
  • Windows 10, version 1507 (KB5001631)

As indicated in the Windows message center, "Updates for the remaining affected versions of Windows will be released in the coming days."


Windows 10 update history


Monday, March 15, 2021

Microsoft Out-of-Band Update for BSOD Network Printer Issue Released

 

Microsoft released out-of-band non-security updates for Windows 10 Versions 1909 and 2004 as well as versions 1803 and 1809 for enterprise/education.  The purpose of the updates is to fix the issue causing blue screens (BSOD) when printing to network printers with Type 3 printer drivers.  The issue showed up after installing the March 2021 cumulative updates.

Because the updates are optional, they are not available via Windows update.  However, if you have been affected by this issue, the updates can be downloaded manually from the Microsoft Catalog:


Windows 10 update history


Thursday, March 11, 2021

Mozilla Firefox Version 86.0.1 Released

Firefox


Mozilla sent Firefox Version 86.0.1 to the release channel today as a bug fix update.  Firefox ESR remains at Version 78.8.

Fixed

  • Fixed an issue on Apple Silicon machines that caused Firefox to be unresponsive after system sleep (bug 1682713)
  • Fixed an issue causing windows to gain or lose focus unexpectedly (bug 1694927)
  • Fixed truncation of date and time widgets due to incorrect width calculation (bug 1695578)
  • Fixed an issue causing unexpected behavior with extensions managing tab groups (bug 1694699)
  • Fixed a frequent Linux crash on browser launch (bug 1694670)

  References


Wednesday, March 10, 2021

Adobe Acrobat and Reader Optional Hotfix Released

Adobe
Adobe released an optional hotfix for Adobe Acrobat and Adobe Reader for Windows and macOS that addresses important bug fixes.

Release date:  March 10, 2020
Vulnerability identifier: None
Platform: Windows and MacOS

Bug fixes

Annotations

  • 4325450: Comments missing in shared review if done using Reader DC

Update

Reader DC was updated to version 21.001.20145.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates. 


Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References






Tuesday, March 09, 2021

End of Support For Microsoft Edge Legacy

Microsoft Edge

Support for Microsoft Edge Legacy ends today, March 9, 2021, and the browser will no longer receive future security updates.

The Microsoft Edge Legacy desktop application will be removed and replaced with the new Microsoft Edge if you install the optional Windows 10 March Preview ("C") release or next month when the Windows 10 cumulative monthly security updates released on April 13, 2021 are installed for the following Windows 10 versions:

  • Windows 10, version 1803, all editions (April 2018)
    • Note: This version will not be included in the optional Windows 10 March Preview release.
  • Windows 10, version 1809, all editions (October 2018)
  • Windows 10, version 1903, all editions (May 2019)
    • Note: This version is out of support for desktop
  • Windows 10, version 1909, all editions (October 2019)
  • Windows 10, version 2004, all editions (May 2020)
  • Windows 10, version 20H2, all editions (October 2020)
    • Because Windows 10, 20H2 already uses the new Microsoft Edge as its default browser, it will not be reinstalled; only Microsoft Edge Legacy will be removed.

When the April 13 update is installed or you install the optional Windows 10 March Preview ("C") release, the out of support Microsoft Edge Legacy desktop application will be removed and the new Microsoft Edge will be installed.

In the event you use kiosk mode in Microsoft Edge Legacy, see What you need to know about kiosk mode when support for Microsoft Edge Legacy ends.





Microsoft March 2021 Security Updates



The Microsoft March 2021 security updates have been released and consist of 89 CVEs, including the seven Exchange CVEs released last week.  Of these 89 CVEs, 14 are rated Critical and 75 are rated Important in severity. At the time of release, two of the bugs are listed as publicly known and five are listed as under active attack.


The updates apply to the following products: Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V.

Important Note For Windows 10, Version 2004 and Windows 10, Version 20H2:

Before installing this update

Prerequisite:

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). If you encounter the error, 0x800f0823 – CBS_E_NEW_SERVICING_STACK_REQUIRED, close the error message and install the last standalone SSU (KB4598481) before installing this LCU. You will not need to install this SSU (KB4598481) again for future updates. 

For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. 

The KBs listed below contain information about known issues with the security updates:

KB Article Applies To
5000802 Windows 10, Version 2004, Windows Server, Version 2004
5000803 Windows 10, Version 1607, Windows Server 2016
5000808 Windows 10, Version 1909, Windows Server, Version 1909
5000822 Windows 10, Version 1809, Windows Server 2019
5000840 Windows Server 2012 (Security-only update)
5000841 Windows 7, Windows Server 2008 R2 (Monthly Rollup)
5000844 Windows Server 2008 (Monthly Rollup)
5000847 Windows Server 2012 (Monthly Rollup)
5000848 Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 (Monthly Rollup)
5000851 Windows 7, Windows Server 2008 R2 (Security-only update)
5000853 Windows 8.1, Windows RT 8.1, Windows Server 2012 R2 (Security-only update)
5000856 Windows Server 2008 (Security-only update)
5000871 Microsoft Exchange Server 2019, 2016 and 2013
5000978 Microsoft Exchange Server 2010

 Recommended Reading 

See Dustin Childs review and analysis in Zero Day Initiative -- The March 2021 Security Update Review.

For more information about the updates released today, see the Security Update Guide.

REMINDER:  Adobe Flash Player is out of support.  For more information, see Adobe Flash end of support on December 31, 2020. Flash content is blocked from running in Flash Player today, January 12, 2021. For more information, see Adobe Flash Player EOL General Information Page.

Additional Update Notes:

References







Tuesday, March 02, 2021

Pale Moon Version 29.1.0 Released With Security Update


Pale Moon

Pale Moon has been updated to version 29.1.0.  This update is a development, bugfix and security update.

New features:
  • Language packs for the following newly-supported languages:
    • Arabic (ar)
    • Chinese Traditional (zh-TW)
    • Croatian (hr)
    • Danish (da)
    • Finnish (fi)
    • Galician (gl)
    • Indonesian (id)
    • Icelandic (is)
    • Japanese (ja)
    • Romanian (ro)
    • Serbian (cyrillic) (sr)
    • Slovenian (sl)
    • Thai (th)
  • Implemented String.prototype.replaceAll().
  • Implemented JSON superset proposal.
  • Implemented well-formed JSON stringify.
  • Implemented numeric separators in JavaScript.
Changes/fixes:
  • Updated timezone data to 2021a.
  • Updated the wording and inclusion of more select license blocks in about:license.
  • Updated some site-specific user-agent overrides for web compatibility.
  • Updated the lz4 library for performance and security updates.
  • Improved performance of JSON stringify.
  • Further improved support for building on FreeBSD.
  • Fixed a regression where changes to useragent compatibility required a restart to take effect.
  • Fixed a regression where AES-GCM in WebCrypto ("subtle" crypto API) wasn't working.
    This could make certain login procedures fail to work.
  • Fixed a full browser deadlock when page scripting would flood browsing history with rapid location state changes.
  • Disabled AV1 codec use by default again since our implementation has significant streaming issues (particularly audio) that needs further work.
  • Added required interaction with file/folder open dialog boxes on html file input elements on some operating systems to avoid malicious content tricking users into uploading sensitive files unintentionally (related to CVE-2021-23956).
  • Added a font sanity check to avoid triggering a potential vulnerability on unpatched Windows operating systems (related to CVE-2021-24093).
  • Security issues addressed: CVE-2021-23974, CVE-2021-23973 and several memory safety hazards that don't have CVE numbers.
  • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 DiD*, 19 not applicable.

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Pale Moon includes both 32- and 64-bit versions for Windows:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes






Saturday, February 27, 2021

Adobe Acrobat and Reader Optional Hotfix Released

Adobe
Adobe released a third optional hotfix this month, this one for both Adobe Acrobat and Adobe Reader for Windows and macOS, that addresses important bug fixes.

Release date:  February 25, 2020
Vulnerability identifier: None
Platform: Windows and MacOS

Bug fixes

Sandbox

  • 4312515: Not able to render and switch out from PV in Portfolio files and blank page is rendered.

Rendering

  • 4323682: Acrobat DC disappears upon opening files with comments.

PDF Shell

  • 4324435: PDF thumbnails are not getting generated after the latest update in Reader DC.

PDFL

  • 4324516: Acrobat is not able to launch if 3rd party tools “PDFLib TET Plugin” is placed

JavaScript

  • 4324590: app.thermometer produces error when its value is updated

Security-Signatures

  • 4324697: Crash on Opening a particular Signed PDF

PDF Optimizer

  • 4325421: Win: Acrobat Standard - Reduce File Size option not being displayed under File menu

Update

Reader DC was updated to version 21.001.20142.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

 
Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References



