Tuesday, April 25, 2023

April 2023 Windows 11 Version 22H2 Non-Security Optional Preview "C" Release

Microsoft released the monthly “C” release preview cumulative updates with non-security improvements and fixes for Windows 11, Version 22H2.  The preview update for Windows 11, Version 21H2 is a separate release.

Following are the highlights for KB5025305 (OS Build 22621.1635):

  • New! This update adds animations to a few icons on the Widgets taskbar button. These animations turn on when:

    • A new announcement appears on the Widgets taskbar button.

    • You hover over or click the Widgets taskbar button.

  • New! This update adds a new toggle control on the Settings > Windows Update page. When you turn it on, we will prioritize your device to get the latest non-security updates and enhancements when they are available for your device. For managed devices, the toggle is disabled by default. For more information, see Get Windows updates as soon as they're available for your device.

  • This update addresses an issue that affects Microsoft Edge IE mode. Pop-up windows open in the background instead of in the foreground.

  • This update addresses an issue that affects the Chinese input method. You cannot see all of the first suggested item.

See the referenced KB article for the list of improvements and fixes included in the update.

Update: To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

For information about the types of updates released by Microsoft each month, see Windows monthly updates explained.

Windows 11 update history


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

April 2023 Windows 11 Version 21H2 Non-Security Optional Preview "C" Release

 Microsoft released the monthly “C” release preview cumulative updates with non-security improvements and fixes for Windows 11, Version 21H2.  The preview update for Windows 11, Version 22H2 is a separate release.  

Following are the highlights for KB5025298 (OS Build 22000.1880) for Windows 11 version 21H2:

  • This update addresses an issue that affects Microsoft Edge IE mode. Pop-up windows open in the background instead of in the foreground.

  • This update affects Xbox Elite users who have the Xbox Adaptive Controller. This update applies your controller remapping preferences on the desktop.

  • This update changes the app icons for certain mobile providers.

See the referenced KB article for the list of improvements and fixes included in the update.

Update: To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

For information about the types of updates released by Microsoft each month, see Windows monthly updates explained.



April 2023 Windows 10 Non-Security Optional Preview "C" Release

 Microsoft released KB5025297 for Windows 10 version 22H2 optional non-security release preview (Windows monthly updates explained).

Reminder: There are no more optional, non-security preview releases for the supported editions of Windows 10, version 20H2 and Windows 10, version 21H2. Only monthly security update releases will continue for these versions.  Windows 10, version 22H2 will continue to receive security and optional releases on the fourth Tuesday of the month.

The following are the highlighted changes included in the update:
  • New! This update adds the ability to sync language and region settings when you change your Microsoft account display language or regional format. Windows will save those settings to your account if you have turned on Language preferences sync in your Windows backup settings.

  • This update addresses an issue that affects Microsoft Edge IE mode. Pop-up windows open in the background instead of in the foreground.

  • This update addresses an issue that affects Edge IE mode. The Tab Window Manager stops responding.

  • This update changes the app icons for certain mobile providers.

  • This update addresses an issue that affects the Chinese input method. You cannot see all of the first suggested item.

  • This update affects Xbox Elite users who have the Xbox Adaptive Controller. This update applies your controller remapping preferences on the desktop.

  • This update addresses an issue that might affect news and interests. It might flicker on the taskbar and File Explorer might stop responding.

See the referenced KB Article for prerequisites and the additional improvements and fixes included in the update.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history




Mozilla Firefox Version 112.0.2 Released

 

Mozilla sent Firefox Version 112.0.2 to the Release Channel today.

Fixed

  • Fixes a high memory usage issue with animated images in minimized (or completely covered) windows, especially when using animated themes (bug 1828587).

  • Fixes an issue where Linux users with bitmap fonts installed may have had entire sections of text invisible to them on some sites (bug 1827950).

  • Fixes an issue where web notifications with images were not displaying for Windows 8 users (bug 1822817).

Release Notes



Wednesday, April 19, 2023

Oracle Java SE Security Update Released

 




Oracle released the scheduled update for its Java SE Runtime Environment software.  
This is a bugfix and security update.

Download Information

Java SE Runtime Environment Version 8u371:  https://www.oracle.com/java/technologies/javase-jre8-downloads.html or https://java.com/en/download/manual.jsp

Important Oracle Java License Information: The Oracle Java License changed for releases starting April 16, 2019.  From the above-referenced download page:

"The Oracle Technology Network License Agreement for Oracle Java SE is substantially different from prior Oracle Java licenses. This license permits certain uses, such as personal use and development use, at no cost -- but other uses authorized under prior Oracle Java licenses may no longer be available. Please review the terms carefully before downloading and using this product. An FAQ is available here."

Java Security Recommendations

1) If Java is still installed on your computer, it is recommended that all updates be applied as soon as possible and older, less secure, versions uninstalled.  See Why should I uninstall older versions of Java from my system?.
2) In the Java Control Panel, at minimum, set the security to high.
3) Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Notes:

  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version:  http://www.java.com/en/download/testjava.jsp  Note: The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version by opening a cmd window and entering the following (note the space following java):  java -version
  • Important: The Edge browser does not support plug-ins.  In the event you still have a need for Java, it will be necessary to use Firefox.

Patch Schedule

For Oracle Java SE, the next scheduled update is July 18, 2023.  The planned release schedule is available here.

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and little-publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:

  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

Tuesday, April 18, 2023

Pale Moon Version 32.1.1 Released with Security Updates


Pale Moon has been updated to version 32.1.1.  This is a bugfix and security release.

Changes/Fixes:

  • Fixed a crash in CompareDocumentPosition with Shadow DOM.
  • Fixed a crash with display:contents styling.
  • Added a preference to disable the TLS 1.3 protocol downgrade sentinel (see implementation notes).
  • Changed the way large clipboard copy/paste operations are handled, improving privacy (see implementation notes).
  • Improved filename safety when saving files to prevent potential environment leaks (bis).
  • Improved sanity checks of MIME type headers.
  • Security issues addressed: CVE-2023-29545 and CVE-2023-29539.
  • UXP Mozilla security patch summary: 2 fixed, 1 rejected, 49 not applicable.

Implementation notes:

  • Some proxies and middleware boxes improperly handle the TLS 1.3 protocol handshake causing an insecure downgrade to TLS 1.2. With our recent update of NSS, Pale Moon no longer allows this kind of protocol downgrade when trying to establish a TLS 1.3 connection to a server. The resulting error is ssl_error_rx_malformed_server_hello with an inability to connect to the server. To enable users to still connect to the servers or devices in question, we've added an option to switch off the downgrade sentinel. To switch it off as a temporary workaround, set security.tls.hello_downgrade_check to false.
  • If copy and paste operations to/from the browser are performed, Pale Moon writes clipboard contents to disk in a temporary cache file if the copy/paste amount is particularly large, to avoid using large amounts of memory to hold this data. The average paste/clipboard size doesn't tend to hit this limit in which case it is just held in memory.
    Previously, these cache files, while in the O.S. temporary file location (%TEMP% or /tmp), would not be consistently cleaned up, potentially causing privacy issues if persisted. This was changed to using auto-cleaning anonymous temp files, improving user privacy and relying less on the O.S. or user performing cleanup of temporary file storage. Thanks to Sandra for pointing this out and providing the patch.
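The clipboard cache change described above, as an added example that is not Pale Moon's code: a named cache file that is never cleaned up stays in the temp directory, while an anonymous temp file has no directory entry on POSIX systems. The threshold value and the function names are assumptions made for the demo.

```python
import io
import os
import tempfile

SPILL_THRESHOLD = 4096  # assumed limit for the demo; the page does not give Pale Moon's


def cache_named(data: bytes, tmpdir: str) -> str:
    """Earlier pattern: a named cache file that stays until something deletes it."""
    fd, path = tempfile.mkstemp(prefix="clipcache-", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path      # a crash or a missed cleanup path leaves the contents on disk


def cache_anonymous(data: bytes, tmpdir: str):
    """Fixed pattern: memory for small data, an anonymous temp file for large data."""
    if len(data) <= SPILL_THRESHOLD:
        return io.BytesIO(data)
    # POSIX: no directory entry (O_TMPFILE or immediate unlink), so the storage
    # is released when the handle closes. Windows: opened delete-on-close.
    fh = tempfile.TemporaryFile(dir=tmpdir)
    fh.write(data)
    fh.seek(0)
    return fh


def compare(data: bytes):
    """Return (files left by named cache, files visible for anonymous cache, readback ok)."""
    with tempfile.TemporaryDirectory() as old_dir, tempfile.TemporaryDirectory() as new_dir:
        cache_named(data, old_dir)              # caller "forgets" to delete it
        with cache_anonymous(data, new_dir) as buf:
            visible = len(os.listdir(new_dir))  # checked while the cache is still open
            intact = buf.read() == data
        return len(os.listdir(old_dir)), visible, intact


if __name__ == "__main__":
    clip = b"constructed clipboard text " * 1000   # 27,000 bytes, above the threshold
    print(compare(clip))
```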

    Notes:

    DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

    Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

    Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

    Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

    Release Notes
    Release Cycle
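The downgrade sentinel mentioned in the implementation notes above is defined in RFC 8446, section 4.1.3. The following added example (not NSS or Pale Moon code) parses a ServerHello and applies the client-side check; the `enforce` flag models the security.tls.hello_downgrade_check preference, and the sample messages are constructed for the demo.

```python
import struct

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that ends up negotiating an
# older version writes one of these into the last 8 bytes of ServerHello.random.
SENTINELS = (b"DOWNGRD\x01",   # negotiated TLS 1.2
             b"DOWNGRD\x00")   # negotiated TLS 1.1 or below
TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43


def parse_server_hello(msg: bytes):
    """Return (negotiated_version, random) from one ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 2:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack_from("!H", body, 0)[0]   # legacy_version
    random = body[2:34]
    pos = 35 + body[34] + 3        # skip session_id, cipher_suite, compression
    if pos > len(body):
        raise ValueError("session_id overruns message")
    if pos + 2 <= len(body):       # extensions block is absent on old servers
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if end > len(body):
            raise ValueError("truncated extensions")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if pos + 4 + ext_len > end:
                raise ValueError("truncated extension")
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                version = struct.unpack_from("!H", body, pos + 4)[0]
            pos += 4 + ext_len
    return version, random


def downgrade_check(client_max: int, server_hello: bytes, enforce: bool = True) -> str:
    """Client-side check; `enforce` models security.tls.hello_downgrade_check."""
    version, random = parse_server_hello(server_hello)
    if client_max >= TLS13 and version < TLS13 and random[-8:] in SENTINELS:
        # The server supports TLS 1.3, so the negotiation was interfered with.
        return "abort" if enforce else "downgrade-ignored"
    return "ok"


def build_server_hello(legacy_version, random, selected=None) -> bytes:
    """Build a constructed sample ServerHello (demo input, not a capture)."""
    body = struct.pack("!H", legacy_version) + random + b"\x00"   # empty session_id
    body += (b"\x13\x01" if selected else b"\xc0\x2f") + b"\x00"  # suite, compression
    if selected:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


# Constructed samples: the random values are fixed filler bytes, not real nonces.
REAL_TLS13 = build_server_hello(TLS12, b"\x11" * 32, selected=TLS13)
OLD_SERVER = build_server_hello(TLS12, b"\x22" * 32)
DOWNGRADED = build_server_hello(TLS12, b"\x33" * 24 + b"DOWNGRD\x01")

if __name__ == "__main__":
    for name, hello in [("real TLS 1.3", REAL_TLS13), ("TLS 1.2-only server", OLD_SERVER),
                        ("downgraded on path", DOWNGRADED)]:
        print(f"{name:22} -> {downgrade_check(TLS13, hello)}")
    print("check disabled         ->", downgrade_check(TLS13, DOWNGRADED, enforce=False))
```

A server that genuinely supports only TLS 1.2 never writes the sentinel, so the check passes for it and fails only when a TLS 1.3 server was steered to an older version.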


Monday, April 17, 2023

Mozilla Firefox Version 112.0.1 Released

 

Mozilla sent Firefox Version 112.0.1 to the Release Channel today.

Fixed

  • Fixed a bug where cookie dates appear to be set in the far future after updating Firefox. This may have caused cookies to be unintentionally purged. (bug 1827669).

Release Notes



Tuesday, April 11, 2023

Microsoft April 2023 Security Updates

 

The Microsoft April 2023 security updates have been released and consist of 97 new CVEs plus 3 Microsoft Edge releases included in the documentation.  Of these CVEs, 7 are rated critical and 90 are rated important in severity.  At the time of release, one is listed as being under active attack.

The security updates apply to the following products, features and roles: .NET Core, Azure Machine Learning, Azure Service Connector, Microsoft Bluetooth Driver, Microsoft Defender for Endpoint, Microsoft Dynamics, Microsoft Dynamics 365 Customer Voice, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Message Queuing, Microsoft Office, Microsoft Office Publisher, Microsoft Office SharePoint, Microsoft Office Word, Microsoft PostScript Printer Driver, Microsoft Printer Drivers, Microsoft WDAC OLE DB provider for SQL, Microsoft Windows DNS, Visual Studio, Visual Studio Code, Windows Active Directory, Windows ALPC, Windows Ancillary Function Driver for WinSock, Windows Boot Manager, Windows Clip Service, Windows CNG Key Isolation Service, Windows Common Log File System Driver, Windows DHCP Server, Windows Enroll Engine, Windows Error Reporting, Windows Group Policy, Windows Internet Key Exchange (IKE) Protocol, Windows Kerberos, Windows Kernel, Windows Layer 2 Tunneling Protocol, Windows Lock Screen, Windows Netlogon, Windows Network Address Translation (NAT), Windows Network File System, Windows Network Load Balancing, Windows NTLM, Windows PGM, Windows Point-to-Point Protocol over Ethernet (PPPoE), Windows Point-to-Point Tunneling Protocol, Windows Raw Image Extension, Windows RDP Client, Windows Registry, Windows RPC API, Windows Secure Boot, Windows Secure Channel, Windows Secure Socket Tunneling Protocol (SSTP), Windows Transport Security Layer (TLS), and Windows Win32K.

See the very long list of KBs at the bottom of the page at April 2023 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. 

Reminder: There are no more optional, non-security preview releases for the supported editions of Windows 10, version 20H2 and Windows 10, version 21H2. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for these versions. Windows 10, version 22H2 will continue to receive security and optional releases.


Recommended Reading:   See Dustin Childs' review and analysis in Zero Day Initiative -- The April 2023 Security Update Review.


Adobe Acrobat DC and Reader DC Security Updates Released

 

Adobe has released updates for Adobe Acrobat DC and Reader DC for Windows and macOS. 

These updates address critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak.
 
Release date: April 11, 2023
Vulnerability identifier: APSB23-24
Platform: Windows and macOS

New Features

See What's New in Acrobat to learn about the new features in this release.

Update or Complete Download

Adobe Acrobat and Reader were updated to version 23.001.20143.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


Mozilla Firefox Version 112.0 Released with Security Updates

Mozilla sent Firefox Version 112.0 to the release channel today.  The update includes twenty-one security updates of which nine (9) are rated high, eight (8) moderate, and four (4) rated low.

Firefox ESR was updated to Version 102.10.

High

CVE-2023-29531: Out-of-bound memory access in WebGL on macOS

CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass

CVE-2023-29533: Fullscreen notification obscured

CVE-2023-29534: Fullscreen notification could have been obscured on Firefox for Android

CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction

CVE-2023-29536: Invalid free from JavaScript code

CVE-2023-29537: Data Races in font initialization code

CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10

CVE-2023-29551: Memory safety bugs fixed in Firefox 112

Moderate

CVE-2023-29538: Directory information could have been leaked to WebExtensions

CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download

CVE-2023-29540: Iframe sandbox bypass using redirects and sourceMappingUrls

CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux

CVE-2023-29542: Bypass of file download extension restrictions

CVE-2023-29543: Use-after-free in debugging APIs

CVE-2023-29544: Memory Corruption in garbage collector

CVE-2023-29545: Windows Save As dialog resolved environment variables

Low

CVE-2023-29546: Screen recording in Private Browsing included address bar on Android

CVE-2023-29547: Secure document cookie could be spoofed with insecure cookie

CVE-2023-29548: Incorrect optimization result on ARM64

CVE-2023-29549: Javascript's bind function may have failed


New

  • Right-clicking on password fields now shows an option to reveal the password.

  • Ubuntu Linux users can now import their browser data from the Chromium Snap package. Currently, this will only work if Firefox is not also installed as a Snap package, but work is underway to address this!

  • Do you use the tab list panel in the tab bar? If so, you can now close tabs by middle-clicking items in that list.

  • You've always been able to un-close a tab by using (Cmd/Ctrl)-Shift-T. Now, that same shortcut will restore the previous session if there are no more closed tabs from the same session to re-open.

  • For all ETP Strict users, we extended the list of known tracking parameters that are removed from URLs to further protect our users from cross-site tracking.

  • Enables overlay of software-decoded video on Intel GPUs in Windows. Improves video down scaling quality and reduces GPU usage.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Sunday, April 09, 2023

Happy Easter! "Khrystos Voskres!"


 

"Khrystos Voskres!"
(Christ is Risen!)




"Voistyno Voskres!"
(He is Truly Risen!)





