Tuesday, August 09, 2022

Microsoft August 2022 Security Updates

              

The Microsoft August 2022 security updates have been released and consist of 151 CVEs.  Of these CVEs, 17 are rated critical, 102 rated important, 1 rated moderate, and 1 rated low in severity.  At the time of release, two are listed as publicly known and one is listed as under active attack.

The security updates apply to the following products, features, and roles: .NET Core, Active Directory Domain Services, Azure Batch Node Agent, Azure Real Time Operating System, Azure Site Recovery, Azure Sphere, Microsoft ATA Port Driver, Microsoft Bluetooth Driver, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Windows Support Diagnostic Tool (MSDT), Remote Access Service Point-to-Point Tunneling Protocol, Role: Windows Fax Service, Role: Windows Hyper-V, System Center Operations Manager, Visual Studio, Windows Bluetooth Service, Windows Canonical Display Driver, Windows Cloud Files Mini Filter Driver, Windows Defender Credential Guard, Windows Digital Media, Windows Error Reporting, Windows Hello, Windows Internet Information Services, Windows Kerberos, Windows Kernel, Windows Local Security Authority (LSA), Windows Network File System, Windows Partition Management Driver, Windows Point-to-Point Tunneling Protocol, Windows Print Spooler Components, Windows Secure Boot, Windows Secure Socket Tunneling Protocol (SSTP), Windows Storage Spaces Direct, Windows Unified Write Filter, Windows WebBrowser Control, and Windows Win32K.

See the long list of KBs at the bottom of the page at August 2022 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. 

Recommended Reading:   See Dustin Childs' review and analysis in Zero Day Initiative -- The August 2022 Security Update Review.

 





Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




 

Adobe Acrobat DC and Reader DC Security Updates Released

      

Adobe has released updates for Adobe Acrobat DC and Reader DC for Windows and macOS.

These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.
 
Release date: August 9, 2022
Vulnerability identifier: APSB22-39
Platform: Windows and MacOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 22.001.20191 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


Mozilla Firefox Version 103.0.2 Released

Mozilla sent Firefox Version 103.0.2 to the release channel today.

Fixed

  • Fixed menu shortcuts for users of the JAWS screen reader.
  • Fixed an occasional non-overridable certificate error when accessing device configuration pages.
  • Fixed an issue with Picture-in-Picture displaying in fullscreen on macOS.


Release Notes





Wednesday, August 03, 2022

Pale Moon Out-of-Band Update to Version 31.2.0.1

             


Pale Moon has been updated to version 31.2.0.1. 

This is a small out-of-band update to address the fact that the final builds did not include the intended NSS library update.

Linux versions will follow shortly.

Pale Moon includes both 32- and 64-bit versions for Windows:  Pale Moon for Windows downloads.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle



Tuesday, August 02, 2022

Pale Moon Version 31.2.0 Released

            


Pale Moon has been updated to version 31.2.0.  This is a major bugfix and development update.

Linux versions will follow shortly.

Changes/Fixes:

  • Implemented CSS white-space: break-spaces for web compatibility.
  • Implemented Intl.RelativeTimeFormat for web compatibility.
  • Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
  • Implemented support for async generator methods in JavaScript.
  • Added preliminary support for building on Apple Silicon like M1/M2 SoC.
  • Added support for building with Visual Studio 2022.
  • Improved the handling of CSS "sticky" elements in tables.
  • Improved stack size limits on all platforms. See implementation notes.
  • Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
  • Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
  • Updated many in-tree third-party libraries to pick up various performance and stability improvements.
  • Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe.
  • Removed some leftover (and unused) telemetry code in the platform and front-end.
  • Fixed an issue with VP9 video playback on Windows on some systems.
  • Fixed an issue with the add-ons manager not properly handling empty update URLs.
  • Fixed a major performance regression on *nix based systems due to incorrect thread handling.
  • Fixed volume handling when building with the sndio audio back-end.
  • Pale Moon no longer applies content security policies to documents that are explicitly loaded as data documents or to images. See implementation notes.
  • Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler.
  • Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes.
  • UXP Mozilla security patch summary: 3 DiD, 12 not applicable.

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

**Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Implementation notes:

  • Prior to this version, Pale Moon would apply Content Security Policies (CSPs) to all requests made to servers that would respond with a policy header, as one would expect for strict use of CSPs as-intended. Unfortunately, Chrome has been less strict in applying these policies and specifically excluded applying these policies to images and "data documents". As a result, web compatibility became a problem for non-Google browsers with webmasters being oblivious about their overzealous CSPs deployed on websites, causing images (especially SVG) and data to not load or load properly. To align with mainstream browser behavior and improve web compatibility on misconfigured websites, we are now no longer applying CSPs to images or documents explicitly loaded as arbitrary data.
  • We've adjusted default per-thread stack sizes in the platform to be more generous on all platforms. This allows the browser to render more deeply nested visual elements in web pages and the new limit matches the capabilities of mainstream browsers as a result. Please note that some custom builds may need to adjust their linker's stack sizes on some operating systems to come to a stable and usable build with this change since the new Goanna rendering depth requires this larger stack size to not run out of memory. The default per-thread stack size is now 2 MB with the exception of 32-bit Windows builds where 1.5 MB is used to go easy on its limited address space. Custom Linux builds with system-default small stack sizes should adjust their build configuration accordingly.

Pale Moon includes both 32- and 64-bit versions for Windows:  Pale Moon for Windows downloads.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle



Monday, August 01, 2022

Mozilla Firefox Version 103.0.1 Released

Mozilla sent Firefox Version 103.0.1 to the release channel today.

New

  • Enabled hardware acceleration on newer AMD cards.

Fixed

  • Fixed a crash on Firefox shutdown caused by a bug in the audio manager.

Release Notes





Tuesday, July 26, 2022

July 2022 Windows 10 Version 21H2 Non-Security Optional Preview "C" Release

  


 
Microsoft released KB5015878 (OS Builds 19042.1865, 19043.1865, and 19044.1865), optional “C” release preview cumulative updates with non-security improvements and fixes.

The following are the highlights included in the update:
  • New!  Gives you the option to receive important notifications when focus assist is on. Focus assist is like a do not disturb mode that hides notifications.

  • New! Restores functionality for Windows Autopilot deployment scenarios that are affected by the security mitigation for hardware reuse. This update removes the one-time use restriction for self-deploying mode (SDM) and pre-provisioning (PP). This update also re-enables any User Principal Name (UPN) display in user-driven mode (UDM) deployments for approved manufacturers.

  • Addresses an issue that causes certain docking stations to lose internet connectivity when waking from Sleep mode.

  • Adds functionality that improves the OS upgrade experience. 

  • Addresses an issue that might cause consecutive video clip playback to fail in games that use DX12.

  • Addresses an issue that affects certain games that use the XAudio API to play sound effects.

  • Addresses an issue that affects the height of the Search box when you use multiple monitors that have different resolutions.

  •  Addresses an issue that prevents certain troubleshooting tools from opening.

Refer to the referenced KB update for information on additional improvements and fixes.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Update:  To get the update, go to Settings > Update & Security > Windows Update.  The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history




Mozilla Firefox Version 103.0 Released with Security Updates

Mozilla sent Firefox Version 103.0 to the release channel today.  The update includes eight security updates, of which two (2) are rated high, four (4) moderate and two (2) low.

Firefox ESR was updated to Version 91.12.


New

  • Improved responsiveness on macOS during periods of high CPU load by switching to a modern lock API.
  • Do you always forget something? Required fields are now highlighted in PDF forms.
  • Improved performance on high-refresh rate monitors (120Hz+).
  • Enjoying Picture-in-Picture subtitles feature? It just got better: you can now change subtitles font size directly from the PiP window. Additionally, PiP subtitles are now available at Funimation, Dailymotion, Tubi, Hotstar, and SonyLIV.
  • Buttons in the Tabs toolbar can now be reached with Tab, Shift+Tab, and Arrow keys. 
  • Windows' "Make text bigger" accessibility setting now affects all the UI and content pages, rather than only applying to system font sizes.
  • Rejoice! You can now conveniently access Firefox, which will now be pinned to the Windows taskbar during installation on Windows 10 and 11. (This will also allow for Firefox to be launched quicker after installing.)

Fixed

  • Non-breaking spaces are now preserved—preventing automatic line breaks—when copying text from a form control.
  • Fixed WebGL performance issues on NVIDIA binary drivers via DMA-Buf on Linux.
  • Fixed an issue in which Firefox startup could be significantly slowed down by the processing of Web content local storage. This had the greatest impact on users with platter hard drives and significant local storage.

Changed

  • Removed a configuration option to allow SHA-1 signatures in certificates: SHA-1 signatures in certificates—long since determined to no longer be secure enough—are now not supported.

Web Platform

  • Your information now has increased protection from online tracking via Total Cookie Protection enabled by default. All third-party cookies are now isolated into partitioned storage.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Thursday, July 21, 2022

July 2022 Windows 11 Non-Security Optional Preview "C" Release

      Microsoft released the monthly “C” release preview cumulative updates with non-security improvements and fixes for Windows 11.

Following are the highlights for KB5015882 (OS Build 22000.829) for Windows 11: 

  • New! Gives you the option to receive urgent notifications when focus assist is on. Focus assist is like a do not disturb mode that hides notifications. 
  • New! Gives you the option to update to a newer Windows 11 version at the very first startup of Windows if your device is eligible.
  • Addresses an issue that causes File Explorer to stop working when you use the play and pause keyboard buttons on certain devices.
  • Addresses an issue that causes File Explorer to stop working when you use the Start menu’s context menu (Win+X) and an external monitor is connected to your device.
  • Addresses an issue that displays a blank window that you cannot close when you hover over the search icon on the taskbar.

See the referenced KB article for the long list of improvements and fixes included in the update.

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest LCU.  For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

For information about the types of updates released by Microsoft each month, see Windows 11 life cycle and servicing update.

Windows 11 update history



July 2022 Windows 10 Version 1809 Non-Security Optional Preview "C" Release

 


 
Microsoft released KB5015880 (OS Build 17763.3232), optional “C” release preview cumulative updates with non-security improvements and fixes.

The following is the highlight included in the update:
  • Addresses an issue that prevents certain troubleshooting tools from opening.

A long list of additional improvements and fixes is included in the referenced KB update.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Prerequisite: You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. 

Update:  To get the update, go to Settings > Update & Security > Windows Update.  The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history




Tuesday, July 19, 2022

Oracle Java SE Security Update Released

   




Oracle released the scheduled security update for its Java SE Runtime Environment software.  This Critical Patch Update contains five (5) new security patches for Oracle Java SE.  Four of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Update:  If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE Runtime Environment Version 8u341:  https://www.oracle.com/java/technologies/javase-jre8-downloads.html or https://java.com/en/download/manual.jsp.

Notes:

  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version:  http://www.java.com/en/download/testjava.jsp  Note:  The Java version verification page will only work if your browser has NPAPI support.  If it does not, open a cmd window and enter the following to check the version (note the space following java):  java -version
  • Important:  The Edge browser does not support plug-ins.  In the event you still have a need for Java, it will be necessary to use Firefox or open with Internet Explorer mode (See Microsoft Edge Enhancements for IE Mode).
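
For machines where the check is scripted rather than typed by hand, the following added example (not from Oracle or the original post) classifies the first line of `java -version` output against the 8u341 update named above. It is written for a POSIX shell (macOS, Linux, or WSL/Git Bash on Windows); the function names and status words are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compare an installed Java 8 runtime with update 8u341.
MIN_UPDATE=341   # from the post: Java SE Runtime Environment Version 8u341

# classify_java_version "<first line of java -version output>"
# Prints one of: current, outdated, not-java8, unparsed
classify_java_version() {
    line=$1
    # Extract the quoted version, e.g. 1.8.0_341 from: java version "1.8.0_341"
    ver=$(printf '%s\n' "$line" | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p')
    [ -n "$ver" ] || { echo unparsed; return 0; }

    case $ver in
        1.8.0_*)
            upd=${ver#1.8.0_}
            upd=${upd%%-*}      # drop build suffixes such as -b07 or -ea
            case $upd in
                ''|*[!0-9]*) echo unparsed; return 0 ;;
            esac
            # Strip leading zeros so 051 is compared as the decimal 51
            upd=$(printf '%s' "$upd" | sed 's/^0*//')
            [ -n "$upd" ] || upd=0
            if [ "$upd" -ge "$MIN_UPDATE" ]; then
                echo current
            else
                echo outdated
            fi
            ;;
        1.8.0|1.8.0-*)
            # Java 8 with no update number predates every 8uNNN release
            echo outdated ;;
        *)
            # Any other release line (9+, or pre-8) is outside this check
            echo not-java8 ;;
    esac
}

# Runs the locally installed java, if any, and classifies it.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    # java -version writes its banner to stderr, so redirect it
    first=$(java -version 2>&1 | head -n 1)
    classify_java_version "$first"
}

check_installed_java
```
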

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled date is October 18, 2022.

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and little-publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.
3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml


Tuesday, July 12, 2022

Adobe Acrobat DC and Reader DC Security Updates Released

     

Adobe has released updates for Adobe Acrobat DC and Reader DC for Windows and macOS.

These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.
 
Release date: July 12, 2022
Vulnerability identifier: None
Platform: Windows and MacOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 22.001.20169 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


Microsoft July 2022 Security Updates

             

The Microsoft June 2022 security updates have been released and consist of 84 CVEs.  Of these CVEs, 4 are rated critical and 80 rated important in severity.  At the time of release, none are listed as publicly known but one of the updates for CSRSS is under active attack.

The security updates apply to the following products, features, and roles: AMD CPU Branch, Azure Site Recovery, Azure Storage Library, Microsoft Defender for Endpoint, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office, Open Source Software, Role: DNS Server, Role: Windows Fax Service, Role: Windows Hyper-V, Skype for Business and Microsoft Lync, Windows Active Directory, Windows Advanced Local Procedure Call, Windows BitLocker, Windows Boot Manager, Windows Client/Server Runtime Subsystem, Windows Connected Devices Platform Service, Windows Credential Guard, Windows Fast FAT Driver, Windows Fax and Scan Service, Windows Group Policy, Windows IIS, Windows Kernel, Windows Media, Windows Network File System, Windows Performance Counters, Windows Point-to-Point Tunneling Protocol, Windows Portable Device Enumerator Service, Windows Print Spooler Components, Windows Remote Procedure Call Runtime, Windows Security Account Manager, Windows Server Service, Windows Shell, Windows Storage, and XBox.

See the long list of KBs at the bottom of the page at July 2022 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds.

Important Notes: 

The Internet Explorer 11 desktop application has been retired and is out of support, effective June 15, 2022.  See the steps at Microsoft Support to enable IE Mode on your Windows 10 or Windows 11 device.

Windows 10 Versions 1909 and 20H2 have reached the end of service and will no longer receive updates.  The most current version of Windows 10 is 21H2. 

Recommended Reading:   See Dustin Childs' review and analysis in Zero Day Initiative -- The July 2022 Security Update Review.

 
