July 2021 ~ Security Garden

Thursday, July 29, 2021

Windows July C Release Preview Update for Windows 10 Versions 21H1, 2004 and 20H2

Microsoft released KB5004296, the monthly “C” release preview cumulative update with non-security improvements and fixes for Windows 10 Versions 21H1, 20H2, and 2004. The highlighted changes include the following:

Updates an issue that prevents gaming services from opening certain games for desktop users.
Updates an issue that prevents you from entering text using the Input Method Editor (IME). This might occur, for example, after startup if you have set the power options to shut down a laptop by closing its lid.
Updates an issue that plays the sound for selecting something in a game loudly when you press the trigger button on a game controller.
Updates an issue that prevents power plans and Game Mode from working as expected. This results in lower frame rates and reduced performance while gaming.
Updates an issue that fails to detect that you are connected to the internet after you connect to a virtual private network (VPN).
Updates an issue that causes printing to stop or prints the wrong output. This issue occurs when you print using a USB connection after updating to Windows 10, version 2004 or later.

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For information about the types of updates released by Microsoft each month see Windows 10 update servicing cadence primer.

Update: To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area. To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat DC and Adobe Reader DC Optional Hotfix

Adobe released an optional hotfix for Adobe Acrobat DC and Adobe Reader DC for Windows that addresses important bug fixes for vulnerabilities described in the corresponding security bulletins of Reader and Acrobat.

Release date: July 29, 2021
Vulnerability identifier: None
Platform: Windows

Bug fixes

Installers

4336133: Acrobat prompting to update browser/operating system on a machine with IE11 due to IE7 emulation mode being enforced in embedded IE mode.

Browser

4334561: SAP: Fixing a GDI leak in Acrobat & Reader

Update or Complete Download

Reader DC and Acrobat DC were updated to version 21.005.20060. Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates. Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

PSIRT

Release Notes

Security Bulletin
System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, July 27, 2021

Out-of-Band Update for Windows 10 Version 1809

Microsoft released an out-of-band non-security quality improvement update described as follows:

"Addresses an issue with devices that do not comply with section 3.2.1 of the RFC 4556 specification. Noncompliant printers, scanners, and multifunction devices might not work when you use smart card authentication (PIV). This issue occurs after you install the July 13, 2021 update on domain controllers (DC) in your environment. For more information, see KB5005408."

Update: This out-of-band update can only be obtained from the standalone package at the Microsoft Update Catalog website.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, July 22, 2021

Mozilla Firefox Version 90.0.2 Released

Mozilla sent another update to the release channel today, Firefox Version 90.0.2.

Fixed

Fixed truncated output when printing (bug 1720621)
Fixed menu styling on some Gtk themes (bug 1720441, bug 1720874)

Changed

Updates to support DoH Canada rollout

Update

To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, July 20, 2021

Oracle Java SE Security Update Released

Oracle released the scheduled security update for its Java SE Runtime Environment software.

Important: The Edge browser does not support plug-ins. In the event you still have a need for Java, it will be necessary to use Firefox or open with Internet Explorer by selecting the "More Actions" option located at the top of the Edge browser and then click "Open with Internet Explorer. (See Windows 10 and Java.)

Update

If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE Runtime Environment Version 8u301: https://www.oracle.com/java/technologies/javase-jre8-downloads.html or https://java.com/en/download/manual.jsp.

Notes:

UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional. Preferably, see the instructions below on how to handle "Unwanted Extras".
Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature. Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
Verify your version: http://www.java.com/en/download/testjava.jsp. Note: The Java version verification page will only work if your browser has NPAPI support. In that case, to check the version, open a cmd window and enter the following (note the space following Java): java -version

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follow

19 October 2021
18 January 2022
19 April 2022
19 July 2022

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java. In the event you need to continue using Java, How-to Geek discovered a little-known and publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates. Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:

Launch the Windows Start menu
Click on Programs
Find the Java program listing
Click Configure Java to launch the Java Control Panel
Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1) In the Java Control Panel, at minimum, set the security to high.
2) Keep Java disabled until needed. Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3) Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References

Java, The Never-Ending Saga

Oracle Java SE Risk Matrix

Oracle Quality Assurance Blog

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Monday, July 19, 2021

Pale Moon Version 29.3.0 Released With Security Updates

Pale Moon has been updated to version 29.3.0. This is a development, bugfix and security release. Linux versions may be slightly delayed since the update was released earlier than planned.

Due to the security patches in this update, it is strongly recommended that those who haven't updated from version 29.1.1 or older due to extension compatibility update now.

Changes/fixes:

"Web Developer" is now called "Developer Tools" in the menus.
Updated and aligned about:home, the QuickDial page and logopage styling.
Re-organized the privacy category in the preferences window.
Enabled brotli compression for http for sites that support it. See implementation notes.
Implemented EventTarget as a constructor.
Updated Windows 10 toolkit styling.
Updated the port blacklist (removed 10080). See implementation notes.
CSS: Implemented calc() and animation support for stroke-dashoffset.
Added support for checking boolean preferences to chrome CSS style sheets, to support more advanced theming options.
Added support for dynamic dark color capable themes in CSS.
Updated ResizeObserver implementation to a more recent specification. See implementation notes.
Removed a metric ton of Macintosh code.
Removed obsolete system theme support from the layout engine.
Fixed several crashes.
Linux: blocked particularly old versions of Mesa/Nouveau drivers due to issues.
Security issues addressed: CVE-2021-30547 and several other issues that don't have a CVE number.
Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD, 2 deferred (DiD), 12 not applicable.

Implementation notes:

Brotli compression (introduced a few years back) has originally been restricted to https only in web browsers because there was some concern about interaction with middleware boxes with poor design trying to transparently recompress data not recognizing the new compression stream type and causing failures. The kind of processing done in those boxes (SDCH) has long since been deprecated. Since then, the segregation for Brotli between http and https has been maintained by Chrome and Firefox as a vessel to further promote https over http by artificially keeping http less efficient (denying the use of the more dense Brotli compression). Since there is no technical reason not to enable Brotli over http, we will accept (by way of Accept-encoding) Brotli over plain http from this version on, offering up to 20% less bandwidth use when servers also support it.
We maintain a blacklist of ports that should not be addressed from a browser (primarily to prevent scripted abuse). Not too long ago we updated these ports with a number of additional (higher range) ones, including port 10080 (Amanda). Unfortunately there is too much overlap with other common services/devices that also use this (arbitrarily chosen) port, so we've removed this particular port again from our blacklist.
The ResizeObserver implementation was changed to now support the updated specification for this API, including the experimental properties contentBoxSize and borderBoxSize which allows finer control to respond to size changes of elements. The old spec sizing property of contentRect remains supported for web compatibility.

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.

Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 90.0.1 Released

Mozilla sent Firefox Version 90.,0.1 to the release channel today.

Fixed

Fixed a crash when using some accessibility clients on Windows (bug 1720696)
Fixed busy looping processing some HTTP3 responses (bug 1720079)
Fixed transient errors authenticating with some smart cards (bug 1715325)
Fixed a rare crash on shutdown (bug 1707057)
Fixed a race on startup that caused about:support to end up empty after upgrade (bug 1717894)

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, July 13, 2021

Microsoft July 2021 Security Updates

The Microsoft July 2021 security updates have been released and consist of 117 CVEs. Of these CVEs, 13 are rated Critical, 103 are rated Important, and one is rated moderate in severity.

According to Microsoft, six of these bugs are publicly known and four are under active attack at the time of release.

The updates apply to the following products: Microsoft Windows, Dynamics, Exchange Server, Microsoft Office, Windows Storage Spaces Controller, Bing, SharePoint Server, Internet Explorer (IE), Visual Studio, and OpenEnclave.

See the KBs listed at June 2021 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates.

Recommended Reading: See Dustin Childs review and analysis in Zero Day Initiative -- The July 2021 Security Update Review.

Additional Update Notes:

MSRT -- The Malicious Software Removal Tool is now run on a quarterly basis rather than monthly. See Remove specific prevalent malware with Windows Malicious Software Removal Tool.
Servicing Stack Updates -- Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are also available via the Microsoft Update Catalog.
For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
Windows Update History:

References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat DC and Reader DC Security Updates Released

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Release date: July 13, 2021
Vulnerability identifier: APSB21-51
Platform: Windows and MacOS