Merry Christmas -- Khristos Razhdayetsya

My sincere wishes for a very Merry Christmas to my family 
as well as my "real-life" and "virtual" friends!

Along with those wishes, I am again sharing a video I created with the "Windows Movie Maker" which was a part of the Windows Essentials 2012 suite.  The video includes images of some of the traditional foods that are part of the Ukrainian Christmas Eve celebration.  They were part of our family tradition when my husband, born in Lviv, Ukraine was alive.

Shchedryk is the origin of "Carol of the Bells" which is one of my favorite Christmas songs.  It was composed by Ukrainian composer Mykola Leontovych in 1904 based on a Ukrainian folk song. (See The Unknown Ukrainian Carol that everyone knows for additional information.)

 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 32.5.2 Released with Security Updates

 

Pale Moon has been updated to version 32.5.2.  This is a bugfix and security update.

Changes/fixes:

• Removed the standard Twitter/X user-agent override because they decided to block us on it.
• Added preferences for the user to control whether or not the tab page title should be included in the window title or not. In Private Browsing mode, the default is now to not show the title in the window. This was done to avoid potential leakage to system logs (e.g. GNOME shell logs or Windows event logs) of websites visited through the recorded window title. The new preferences are privacy.exposeContentTitleInWindow and privacy.exposeContentTitleInWindow.pbm for normal mode and Private Browsing mode, respectively.
• Fixed several crashes in DOM and relating to dynamic JavaScript module imports.
• Removed a restriction on Fetch preflight redirects, following a spec update.
• Improved the handling of web workers if they get aborted mid-action.
• Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several others that do not have a CVE number.
• UXP Mozilla security patch summary: 4 fixed, 2 DiD, 1 rejected (which was DiD at best), 1 postponed (low risk), 22 not applicable.

Notes:

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 121.0 Released with Security Updates

 Mozilla sent Firefox Version 121.0 to the release channel.  Firefox ESR was updated to Version 115.6.

The update includes eighteen security updates of which five (5) are rated high, eight (8) moderate, and five (5) rated low.

High

#CVE-2023-6856: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver

#CVE-2023-6135: NSS susceptible to "Minerva" attack

#CVE-2023-6865: Potential exposure of uninitialized data in <code>EncryptingOutputStream</code>

#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6

#CVE-2023-6873: Memory safety bugs fixed in Firefox 121

Moderate

#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers

#CVE-2023-6858: Heap buffer overflow in <code>nsTextFragment</code>

#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer

#CVE-2023-6866: TypedArrays lack sufficient exception handling

#CVE-2023-6860: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation

#CVE-2023-6867: Clickjacking permission prompts using the popup transition

#CVE-2023-6861: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode

#CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID key

Low

#CVE-2023-6869: Content can paint outside of sandboxed iframe

#CVE-2023-6870: Android Toast notifications may obscure fullscreen event notifications

#CVE-2023-6871: Lack of protocol handler warning in some instances

#CVE-2023-6872: Browsing history leaked to syslogs via GNOME

#CVE-2023-6863: Undefined behavior in <code>ShutdownObserver()</code>

New

• Firefox now prompts Windows users to install the Microsoft AV1 Video Extension to enable hardware decoding support for the AV1 video codec from about:support if not already installed.

• Firefox now supports Voice Control commands on macOS systems.

• On Linux, Firefox now defaults to the Wayland compositor when available instead of XWayland. This brings support for touchpad & touchscreen gestures, swipe-to-nav, per-monitor DPI settings, better graphics performance, and more.

  Note that due to Wayland protocol limitations, Picture-in-Picture windows require an extra user interaction (generally right-click on the window) or a shell / desktop-environment tweak. See bug 1621261 for related discussion and tracking, this post for a KDE configuration, and this extension for GNOME.

• Firefox can now force links to always be underlined. This option can be enabled in the Browsing section of the Firefox Settings menu.

  

• The PDF viewer now includes a floating button to simplify deleting drawings, text, and images added in PDFs.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References

• Security Updates
• Release Notes
• Rapid Release Calendar
• ESR Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft December 2023 Security Updates

 

The Microsoft December 2023 security updates have been released and consist of 29 new patches. In addition, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 42.

Of the CVEs released, 4 are rated critical and 29 are rated important. At the time of release, none of the CVEs are listed as being under active attack or as publicly known.

The security updates apply to the following products, features and roles: Microsoft Windows and Windows Components; Office and Office Components; Azure, Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamic.

See the list of KBs at the bottom of the page at December 2023 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5033375.  For Windows 10, Version 22H2 see KB5033372.

Recommended Reading:   See Dustin Childs review and analysis in Zero Day Initiative -- The December 2023 Security Update Review.

IMPORTANT: 

• After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for this version. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.
• Because of reduced operations during the Western holidays and the upcoming new year, there won’t be a non-security preview release for the month of December 2023. Non-security preview releases will resume in January 2024. 

Additional Update Notes:

• MSRT -- The Malicious Software Removal Tool is now run on a quarterly basis rather than monthly.  See Remove specific prevalent malware with Windows Malicious Software Removal Tool. 
• Servicing Stack Updates -- Microsoft now combines the latest servicing stack update (SSU) for your operating system with the Latest Cumulative Updates (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
  
• Windows updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows, in addition to non-security updates. The updates are also available via search for the KB number in the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 and Windows 11 operating systems, please see Windows 10 Home and Pro and Windows 11 Home and Pro.
• Windows Update History:
• Windows 11
• Windows 10

 

References

• Security Update FAQ
• Security Updates Guide

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat/Reader Update

 

Adobe is releasing an update with new features and bug fixes for Acrobat and Acrobat Reader. 

Update or Complete Download

Adobe Acrobat and Reader were updated to version 23.008.20421 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...