Friday, December 24, 2021

Merry Christmas, Khristos Razhdayetsya!



Warmest wishes to family, friends, 
fellow #WindowsInsiders, and 
Security Garden subscribers for a

Merry Christmas!
Khristos Razhdayetsya!






May you enjoy the spirit of Christmas every day of the coming year.



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Sunday, December 19, 2021

Mozilla Firefox Version 95.0.2 Released

Mozilla released yet another update to Firefox, sending Firefox Version 95.0.2 to the release channel today.

Fixed

  • Addresses frequent crashes experienced by users with certain AMD CPUs running on Windows 7, 8, and 8.1

Security Updates
Release Notes
Rapid Release Calendar

Thursday, December 16, 2021

Mozilla Firefox Version 95.0.1 Released

Mozilla sent Firefox Version 95.0.1 to the release channel today.

Fixed

  • Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bug 1745600)
  • Fix for a WebRender crash on some Linux/X11 systems (bug 1741956)
  • Fix for a frequent Windows shutdown crash (bug 1738984)
  • Fix websites contrast issues for some Linux users with Dark mode set at OS level (bug 1740518)

Security Updates
Release Notes
Rapid Release Calendar

Tuesday, December 14, 2021

Scot's Newsletter Forums Lives On!


A little over two weeks ago, Scot Finnie (owner and founder of Scot's Newsletter Forums) posted what was, to long-time members, a shocking Announcement that the time had come for him to pull away from the forums and Scot's Newsletter, reading in part:

"To be honest, in recent years -- since leaving Computerworld -- I have lost my long-held zeal for computers. I've moved on to other pursuits, and have even launched a small local business in an unrelated field.

 

My hope is that I can find someone or some group of people to whom I can turn over the forums, the scotsnewsletter.com domain, and all the keys to the castle. In other words, a new owner. As the new owner, you would have the option to use my first name in perpetuity (in any marketing materials etc.) For the first year I would be around to consult on any questions that might arise (at no cost). All that for one dollar. Such a deal.

 

I think that new blood, someone with new ideas who wants to try a few things, will find there's still enough of an ember on the forums to start something new. One of those ideas might be changing the name of the forums."

Fortunately, with today's announcement, "We Have a New Owner!", that hope has come true!







Microsoft December 2021 Security Updates

      

The Microsoft December 2021 security updates have been released and consist of 67 CVEs.  Of these CVEs, 7 are rated Critical, and 60 are rated Important severity.  At the time of release, five are listed as publicly known and one is listed as under active exploit.

The updates apply to the following long list of products:  Apps, ASP.NET Core & Visual Studio, Azure Bot Framework SDK, BizTalk ESB Toolkit, Internet Storage Name Service, Microsoft Defender for IoT, Microsoft Devices, Microsoft Edge (Chromium-based), Microsoft Local Security Authority Server (lsasrv), Microsoft Message Queuing, Microsoft Office, Microsoft Office Access, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft PowerShell, Microsoft Windows Codecs Library, Office Developer Platform, Remote Desktop Client, Role: Windows Fax Service, Role: Windows Hyper-V, Visual Studio Code, Visual Studio Code - WSL Extension, Windows Common Log File System Driver, Windows Digital TV Tuner, Windows DirectX, Windows Encrypting File System (EFS), Windows Event Tracing, Windows Installer, Windows Kernel, Windows Media, Windows Mobile Device Management, Windows NTFS, Windows Print Spooler Components, Windows Remote Access Connection Manager, Windows Storage, Windows Storage Spaces Controller, Windows SymCrypt, Windows TCP/IP, and Windows Update Stack.

See the KBs listed at December 2021 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds.


Note:  This is the month for the quarterly MSRT run.  Although included with Windows updates, it can be downloaded separately:  

Recommended Reading: See Dustin Childs' review and analysis in Zero Day Initiative -- The December 2021 Security Update Review.

 








 

Pale Moon Version 29.4.3 Released with Security Updates

    


Pale Moon has been updated to version 29.4.3.  This is a security update.  This update reinstates FUEL again for old extension compatibility. See implementation notes.

Linux versions will follow shortly.

Changes/fixes:

  • Restored the FUEL abstraction library again.
  • Added some extra sanity checks to timers and text fragments. DiD
  • Added a potential crash safeguard in program threading logic. DiD
  • Fixed the following security issues: CVE-2021-43537, CVE-2021-43541, CVE-2021-43536, CVE-2021-43545 and CVE-2021-43542.
  • Unified XUL Platform Mozilla Security Patch Summary: 5 fixed, 3 DiD, 10 not applicable.

Implementation notes:

  • Despite being removed in 29.4.0 and 29.4.2, the long-since deprecated FUEL abstraction functions inside Pale Moon have been restored again after considerable blowback from the community and lack of effort to fix afflicted extensions. It was decided to just restore this indefinitely in the end, since it serves no-one to have users be forced to do without or stay on insecure versions of the browser for something nobody seems to want to address in the extension ecosystem. Keep an eye on the forum for a more in-depth announcement soon (will be linked here when available).

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Pale Moon includes both 32- and 64-bit versions for Windows:  Pale Moon for Windows downloads.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle



Tuesday, December 07, 2021

Mozilla Firefox Version 95 Released with Security Updates

Mozilla sent Firefox Version 95.0 to the release channel today. The update includes thirteen security updates of which six (6) are rated high, five (5) are rated moderate, and two (2) are rated low.

Firefox ESR was updated to Version 91.4.


New

  • RLBox — a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries — is now enabled on all platforms.
  • Good news! You can now download Firefox from the Microsoft Store on Windows 10 and Windows 11 platforms.
  • We’ve reduced CPU usage on macOS in Firefox and WindowServer during event processing.
  • We’ve also reduced the power usage of software decoded video on macOS, especially in fullscreen. This includes streaming sites such as Netflix and Amazon Prime Video.
  • You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
  • To better protect Firefox users against side-channel attacks such as Spectre, Site Isolation is now enabled for all Firefox 95 users.

Fixed

  • After starting Firefox, users of the JAWS screen reader and ZoomText magnifier will no longer need to switch applications in order to access Firefox.
  • You’ll find the state of controls using the ARIA switch role is now correctly reported by Mac OS VoiceOver.
  • You’ll see a faster content process startup on macOS.
  • We’ve also made memory allocator improvements.
  • And we’ve improved page load performance by speculatively compiling JavaScript ahead of time. 

Changed

  • We’ve added a User Agent override for Slack.com, which allows Firefox users to use more Call features and have access to Huddles.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
