Mozilla Firefox Version 96.0.3 Released

    Mozilla sent Firefox Version 96.0.3 to the release channel today.  

Fixed

• Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry (bug 1752317)

Security Updates
Release Notes
Rapid Release Calendar

Windows 10 Optional Preview Cumulative Update

    

Microsoft released KB5009596 (OS Builds 19042.1503, 19043.1503, and 19044.1503), the monthly “C” release preview cumulative update with non-security improvements and fixes for Windows 10.

The highlighted changes include the following:

• Adds a reminder to Internet Explorer 11 that notifies you about its upcoming retirement.
• Updates an issue that might sometimes cause Japanese Microsoft Office applications stop working when you use the new Japanese Input Method Editor (IME).
• Updates an issue that stops printing or prints the wrong output when you print using USB on Windows 10, version 2004 or later.
• Updates an issue that causes applications to stop working when you type text using the Chinese IME.
• Updates an issue that prevents certain surround sound audio from playing in Microsoft Edge.
• Adds a new feature that provides direct access to select your Microsoft Edge profiles from news & interests. You can also go to Microsoft Edge directly from news & interests in the same corresponding profile.
• Adds a new feature called Sync Your Settings for users who are migrating to Windows 11, original release. You’ll use Sync Your Settings to automatically back up a list of your applications to your Microsoft Account. Then, you can quickly restore those application on a Windows 11, original release device. This new feature that will deploy over the coming weeks.
• Updates an issue that causes functioning Bluetooth devices to stop working when you attempt to connect to a non-functioning Bluetooth device.
• Updates daylight savings time to start in February 2022 instead of March 2022 in Jordan.
• Updates the phone number for Windows Activation for locales that have the wrong phone number.

For information about the types of updates released by Microsoft each month see Windows 10 update servicing cadence primer.

Update:  To get the update, go to Settings > Update & Security > Windows Update.  The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

January 2022 Windows 11 Non-Security Optional Preview "C" Release

Microsoft released the monthly “C” release preview cumulative updates with non-security improvements and fixes for Windows 11 and other supported versions of Windows.

Following are the highlights for KB5008353 (OS Build 22000.469) for Windows 11: 

• Updates an issue that causes the audio service to stop responding on some devices that support hardware-accelerated Bluetooth audio.
• Updates an issue that affects icons for apps when the apps are not running. On the taskbar, these icons might display as active as if the apps are running.
• Adds a new Your Microsoft Account page to the Accounts category in Windows Settings for Home and Professional editions.
• Updates an issue that incorrectly shows the volume icon in the taskbar as muted.
• Updates an issue that causes a device to stop working when it’s connected to multiple displays.
• Updates an issue that affects the auto-hide feature of the taskbar. The taskbar might not reliably appear when you hover over the primary or secondary display.
• Updates an issue that might prevent icons from appearing on the taskbar of a secondary display.
• Improves auto brightness to provide a better response under low light conditions on all the supported systems.
• Updates daylight savings time to start in February 2022 instead of March 2022 in Jordan.
• Adds the HelpWith feature, which uses Microsoft Bing technologies to suggest Help topics that are relevant for each Settings page. 
• Updates an issue that displays outdated battery percentages for connected Bluetooth devices on the Bluetooth and other devices page in Settings.
• Updates a known issue that might prevent some image editing programs from rendering colors correctly on certain high dynamic range (HDR) displays. This frequently affects white colors that might display in bright yellow or other colors.

Update:  To get the update, go to Settings > Update & Security > Windows Update.  The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

See the referenced KB article for the long list of improvements and fixes included in the update.

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest LCU. This update includes SSU 2200.345.  For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

For information about the types of updates released by Microsoft each month see Windows 11 life cycle and servicing update.

Windows 11 update history

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 96.0.2 Released

   Mozilla sent Firefox Version 96.0.2 to the release channel today.  

Fixed

• Fixed an issue that caused tab height to display inconsistently on Linux when audio was played (bug 1714276)
• Fixed an issue that caused Lastpass dropdowns to appear blank in Private Browsing mode (bug 1748158)
• Fixed a crash encountered when resizing a Facebook app (bug 1746084)

Security Updates
Release Notes
Rapid Release Calendar

Oracle Java SE Security Update Released

  

Oracle released the scheduled security update for its Java SE Runtime Environment software.  This Critical Patch Update contains eighteen (18) new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

Update:  If Java is still installed on your computer, it is recommended that this update be applied as soon as possible due to the threat posed by a successful attack.

Download Information

Java SE Runtime Environment Version 8u321:  https://www.oracle.com/java/technologies/javase-jre8-downloads.html or https://java.com/en/download/manual.jsp.

Notes:

• UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
• Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
• Verify your version:  http://www.java.com/en/download/testjava.jsp.   Note:  The Java version verification page will only work if your browser has NPAPI support.  In that case, to check the version, open a cmd window and enter the following (note the space following Java):  java -version
• Important:  The Edge browser does not support plug-ins.  In the event you still have a need for Java, it will be necessary to use Firefox or open with Internet Explorer by selecting the "More Actions" option located at the top of the Edge browser and then click "Open with Internet Explorer.  (See Windows 10 and Java.)

Critical Patch Updates

For Oracle Java SE Critical Patch Updates, the next scheduled dates are as follows:

• 19 April 2022
  
• 19 July 2022
• 18 October 2022
• 16 January 2023

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, tha does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:

1. Launch the Windows Start menu
2. Click on Programs
3. Find the Java program listing
4. Click Configure Java to launch the Java Control Panel
5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Java Security Recommendations

1)  In the Java Control Panel, at minimum, set the security to high.
2)  Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

3)  Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

References

• Java, The Never-Ending Saga  
• Critical Patch Updates and Security Alerts
• Release Notes
• Oracle Java SE Risk Matrix 
• Oracle Quality Assurance Blog 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

2022 Windows Insider MVP! #WIMVP

I am happy and excited that I have been re-awarded Windows Insider MVP!  

The Windows Insider Program is critical to the development of the Windows operating system, testing changes and new features.  I have been particularly pleased with my experience testing Windows 11, having yet to have an issue with any of the changes or new features.  Microsoft Engineers, Developers, and the Windows Insider Team are to be commended for their excellent work.

Congratulations! | 2022 Windows Insider MVP Award

Dear Corrine, Thank you for your participation in the Windows Insider MVP Program this past year. Upon careful review of your application and community activity, we are excited to re-award you as a Windows Insider MVP in 2022. This award reflects the impressive contributions you make within the Windows community and your commitment to shaping the future of Windows.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 29.4.4 Released with Security Updates

     

Pale Moon has been updated to version 29.4.4.  This is a security update. 

Linux versions will follow shortly.

Changes/fixes:

• Improved application library loading security. DiD
• Fixed an issue in JavaScript serialization. DiD
• Fixed a potential out-of-bounds issue in IndexedDB. DiD
• Fixed a potential issue in widget data handling code. DiD
• Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams.
• Fixed an issue in the DOM FileReader code.
• Updated NSS to 3.52.3 to address a security issue.
  
• Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
• Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, 17 not applicable.

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Pale Moon includes both 32- and 64-bit versions for Windows:  Pale Moon for Windows downloads.

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft Out-of-Band Update to Address Issues from January Updates

Microsoft released out-of-band (OOB) updates to address issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.

As indicated in the Announcement at https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2777, the updates released today are available for download on the Microsoft Update Catalog.  In addition, some can also be installed directly through Windows Update as optional updates.

Updates for the Windows versions below are also available through Windows Update as an optional update.  Instructions are available at the KB listed for your version of Windows.

• Windows 11, version 21H1 (original release): KB5010795
• Windows Server 2022: KB5010796
• Windows 10, version 21H2: KB5010793
• Windows 10, version 21H1: KB5010793
• Windows 10, version 20H2, Windows Server, version 20H2: KB5010793
• Windows 10, version 20H1, Windows Server, version 20H1: KB5010793
• Windows 10, version 1909, Windows Server, version 1909: KB5010792
• Windows 10, version 1607, Windows Server 2016: KB5010790
• Windows 10, version 1507: KB5010789
• Windows 7 SP1: KB5010798
• Windows Server 2008 SP2: KB5010799

The updates for the systems listed below can only be downloaded and installed via the Microsoft Update Catalog:

• Windows 8.1, Windows Server 2012 R2: KB5010794
• Windows Server 2012: KB5010797

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 96.0.1 Released

  Mozilla sent Firefox Version 96.0.1 to the release channel today.  

Fixed

• Addresses proxy rule exceptions not working on Windows systems when "Use system proxy settings" is set (bug 1749501)
• Improvements to make the parsing of content-length headers more robust (bug 1749957)

Security Updates
Release Notes
Rapid Release Calendar

Microsoft January 2022 Security Updates

       

The Microsoft January 2022 security updates have been released and consist of 96 CVEs.  Of these CVEs, 9 are rated Critical, and 89 are rated Important severity.  At the time of release, six are listed as publicly known but none are listed as under active exploit.

The updates apply to a very long list of products, available here.  Additionally announced in the Release Notes is a new notification system.  See Coming Soon: A Brand-New Notification System!

See the KBs listed at January 2022 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds.

Recommended Reading:   See Dustin Childs review and analysis in Zero Day Initiative -- The January 2022 Security Update Review.

 

Additional Update Notes:

• MSRT -- The Malicious Software Removal Tool is now run on a quarterly basis rather than monthly.  See Remove specific prevalent malware with Windows Malicious Software Removal Tool. 
• Servicing Stack Updates -- Microsoft now combines the latest servicing stack update (SSU) for your operating system with the Latest Cumulative Updates (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
  
• Windows updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows, in addition to non-security updates. The updates are also available via search for the KB number in the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 and Windows 11 operating systems, please see Windows 10 Home and Pro - Microsoft Lifecycle | Microsoft Docs and Windows 11 Home and Pro (Version 21H2) - Microsoft Lifecycle | Microsoft Docs.
• Windows Update History:
• Windows 11
• Windows 10
• Windows 8.1

 

References

• Security Update FAQ
• Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

 

Adobe Acrobat DC and Reader DC Security Updates Released

     

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, memory leak, application denial of service, security feature bypass and privilege escalation 

 

Release date:  January 11, 2022
Vulnerability identifier: APSB21-104
Platform: Windows and MacOS

Update or Complete Download

Reader DC and Acrobat DC were updated to version 21.011.20039.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

References

• PSIRT
• Release Notes
• Security Bulletin
• System Requirements

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 96.0 Released with Security Updates

        Mozilla sent Firefox Version 96.0 to the release channel today.  The update includes eighteen security updates of which nine (9) are rated high, six (6) are rated moderate, and three (3) are rated low.

Firefox ESR was updated to Version 91.5.

High

• #CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof
• #CVE-2022-22743: Browser window spoof using fullscreen mode
• #CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
• #CVE-2022-22741: Browser window spoof using fullscreen mode
• #CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
• #CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
• #CVE-2022-22737: Race condition when playing audio files
• #CVE-2021-4140: Iframe sandbox bypass with XSLT
• #CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

Moderate

• #CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass
• #CVE-2022-22749: Lack of URL restrictions when scanning QR codes
• #CVE-2022-22748: Spoofed origin on external protocol launch dialog
• #CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
• #CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
• #CVE-2022-22752: Memory safety bugs fixed in Firefox 96

 Low

• CVE-2022-22747: Crash when handling empty pkcs7 sequence
• #CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.
• #CVE-2022-22739: Missing throttling on external protocol launch dialog

New

• We’ve made significant improvements in noise-suppression and auto-gain-control as well as slight improvements in echo-cancellation to provide you with a better overall experience.
• We’ve also significantly reduced main-thread load.
• Firefox will now enforce the Cookie Policy: Same-Site=lax by default which provides a solid first line of defense against Cross-Site Request Forgery (CSRF) attacks.
• 
  

Fixed

• On macOS, command-clicking links in Gmail now opens them in a new tab as expected.
• Our newest release fixes an issue where video intermittently drops SSRC.
• It also fixes an issue where WebRTC downgrades screen sharing resolution to provide you with a clearer browsing experience.
• Plus, we’ve fixed video quality degradation issues on certain sites.
• Detached video in fullscreen on macOS has been temporarily disabled to avoid some issues with corruption, brightness changes, missing subtitles and high cpu usage. 

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Security Updates
• Release Notes
• Rapid Release Calendar