Sunday, December 24, 2023

Merry Christmas -- Khristos Razhdayetsya

My sincere wishes for a very Merry Christmas to my family 
as well as my "real-life" and "virtual" friends!

Along with those wishes, I am again sharing a video I created with the "Windows Movie Maker" which was a part of the Windows Essentials 2012 suite.  The video includes images of some of the traditional foods that are part of the Ukrainian Christmas Eve celebration.  They were part of our family tradition when my husband, born in Lviv, Ukraine was alive.

Shchedryk is the origin of "Carol of the Bells" which is one of my favorite Christmas songs.  It was composed by Ukrainian composer Mykola Leontovych in 1904 based on a Ukrainian folk song. (See The Unknown Ukrainian Carol that everyone knows for additional information.)

 



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Friday, December 22, 2023

Pale Moon Version 32.5.2 Released with Security Updates

 Pale Moon

Pale Moon has been updated to version 32.5.2.  This is a bugfix and security update.

Changes/fixes:

  • Removed the standard Twitter/X user-agent override because they decided to block us on it.
  • Added preferences for the user to control whether or not the tab page title should be included in the window title or not. In Private Browsing mode, the default is now to not show the title in the window. This was done to avoid potential leakage to system logs (e.g. GNOME shell logs or Windows event logs) of websites visited through the recorded window title. The new preferences are privacy.exposeContentTitleInWindow and privacy.exposeContentTitleInWindow.pbm for normal mode and Private Browsing mode, respectively.
  • Fixed several crashes in DOM and relating to dynamic JavaScript module imports.
  • Removed a restriction on Fetch preflight redirects, following a spec update.
  • Improved the handling of web workers if they get aborted mid-action.
  • Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several others that do not have a CVE number.
  • UXP Mozilla security patch summary: 4 fixed, 2 DiD, 1 rejected (which was DiD at best), 1 postponed (low risk), 22 not applicable.

Notes:

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, December 19, 2023

Mozilla Firefox Version 121.0 Released with Security Updates

 FirefoxMozilla sent Firefox Version 121.0 to the release channel.  Firefox ESR was updated to Version 115.6.

The update includes eighteen security updates of which five (5) are rated high, eight (8) moderate, and five (5) rated low.

High

#CVE-2023-6856: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver

#CVE-2023-6135: NSS susceptible to "Minerva" attack

#CVE-2023-6865: Potential exposure of uninitialized data in <code>EncryptingOutputStream</code>

#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6

#CVE-2023-6873: Memory safety bugs fixed in Firefox 121



Moderate

#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers

#CVE-2023-6858: Heap buffer overflow in <code>nsTextFragment</code>

#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer

#CVE-2023-6866: TypedArrays lack sufficient exception handling

#CVE-2023-6860: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation

#CVE-2023-6867: Clickjacking permission prompts using the popup transition

#CVE-2023-6861: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode

#CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID key


Low

#CVE-2023-6869: Content can paint outside of sandboxed iframe

#CVE-2023-6870: Android Toast notifications may obscure fullscreen event notifications

#CVE-2023-6871: Lack of protocol handler warning in some instances

#CVE-2023-6872: Browsing history leaked to syslogs via GNOME

#CVE-2023-6863: Undefined behavior in <code>ShutdownObserver()</code>


New

  • Firefox now prompts Windows users to install the Microsoft AV1 Video Extension to enable hardware decoding support for the AV1 video codec from about:support if not already installed.

  • Firefox now supports Voice Control commands on macOS systems.

  • On Linux, Firefox now defaults to the Wayland compositor when available instead of XWayland. This brings support for touchpad & touchscreen gestures, swipe-to-nav, per-monitor DPI settings, better graphics performance, and more.

    Note that due to Wayland protocol limitations, Picture-in-Picture windows require an extra user interaction (generally right-click on the window) or a shell / desktop-environment tweak. See bug 1621261 for related discussion and tracking, this post for a KDE configuration, and this extension for GNOME.

  • Firefox can now force links to always be underlined. This option can be enabled in the Browsing section of the Firefox Settings menu.

    Screenshot of new Always underline links option

  • The PDF viewer now includes a floating button to simplify deleting drawings, text, and images added in PDFs.


Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, December 12, 2023

Microsoft December 2023 Security Updates

 

The Microsoft December 2023 security updates have been released and consist of 29 new patches. In addition, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 42.


Of the CVEs released, 4 are rated critical and 29 are rated important. At the time of release, none of the CVEs are listed as being under active attack or as publicly known.

The security updates apply to the following products, features and roles: Microsoft Windows and Windows Components; Office and Office Components; Azure, Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamic.

See the list of KBs at the bottom of the page at December 2023 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5033375.  For Windows 10, Version 22H2 see KB5033372.

Recommended Reading:   See Dustin Childs review and analysis in Zero Day Initiative -- The December 2023 Security Update Review.

IMPORTANT: 

  • After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for this version. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.
  • Because of reduced operations during the Western holidays and the upcoming new year, there won’t be a non-security preview release for the month of December 2023. Non-security preview releases will resume in January 2024. 

Additional Update Notes:

 

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Adobe Acrobat/Reader Update

 

Adobe
Adobe is releasing an update with new features and bug fixes for Acrobat and Acrobat Reader. 

Update or Complete Download

Adobe Acrobat and Reader were updated to version 23.008.20421 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Release Notes

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, November 30, 2023

November 2023 Windows 10 Non-Security Preview Update

 

Microsoft released KB502278 for Windows 10 version 22H2 optional non-security release preview (Windows monthly updates explained).

Highlight included in the update:
  • New! This update adds the Copilot in Windows (in preview) button to the right side of the taskbar. This only applies to devices that run Home or Pro editions (non-managed business devices). When you select it, Copilot in Windows appears at the right on your screen. It will not overlap with desktop content or block open app windows. This is available to a small audience initially and deploys more broadly in the months that follow. To learn more, see How to get Copilot in Windows (in preview) on Windows 10 and Welcome to Copilot in Windows.

  • New! The news & interests feature on your device is now larger! This will help you use the feature more effectively and show the content you care about most on a larger scale.

  • New! If you use Home or Pro consumer devices or non-managed business devices, you can get some of the newest experiences as soon as they are ready. To do so, go to Settings > Update & Security > Windows Update. Set the Get the latest updates as soon as they are available toggle to on. Note that this toggle is not turned on for devices that your IT department manages unless IT configures a new policy.

  • This update addresses an issue that causes IE mode to stop responding. This occurs when you have multiple IE mode tabs open.

  • This update addresses an issue that affects the cursor. Its movement lags in some screen capture scenarios.

  • This update addresses an issue that affects the touch keyboard. It might not appear during the out-of-box experience (OOBE).

See the KB article for the lengthy list of quality improvements included in the update.

IMPORTANT Because of reduced operations during the Western holidays and the upcoming new year, there won’t be a non-security preview release for the month of December 2023. There will be a monthly security release for December 2023. Normal monthly servicing for both security and non-security preview releases will resume in January 2024.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 120.0.1 Released

 

Mozilla sent Firefox Version 120.0.1 to the Release Channel.

Fixed

  • Fixed a bug that was causing persistent startup slowdowns. (bug 1867095)

  • Fixed an issue that was causing 100% CPU usage on sites such as Google Maps. (bug 1866409)

  • Fixed an issue that was causing YouTube videos to show a green screen when hardware acceleration was enabled. (bug 1865928)

  • Fixed an issue where the status bar was still visible when viewing fullscreen video. (bug 1853896)

  • Fixed a startup crash affecting Linux users on some aarch64 systems with page sizes other than 4KB. (bug 1866025)

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox".  Mac users need to select "About Firefox" from the Firefox menu.  For non-English versions, Fully Localized Versions are available for download.

Release Notes


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, November 28, 2023

Pale Moon Version 32.5.1 Released with Security Updates

Pale Moon

Pale Moon has been updated to version 32.5.1.  This is a minor development and security update.

Important: as of this version, our beta FreeBSD binaries require at least FreeBSD 13.


Changes/fixes:

  • Restricted protocol fallback for TLS. Pale Moon no longer (by default) allows TLS 1.3 to fall back to earlier protocol versions during the initial handshake.
  • Reverted the addition of browser.bookmarks.openInTabClosesMenu due to behavioral issues with menus.
    If you desire the intended behavior, please use an extension instead.
  • We no longer support the data: protocol inside SVG's <use> statements.
  • Enabled more validation/error checking for WebGL on Windows to prevent potential crashes.
  • Improved secure context checking for iframes.
  • Fixed the handling of relative paths in URLs starting with multiple forward slashes.
  • Security issues addressed: CVE-2023-6204, CVE-2023-6210, CVE-2023-6209 and CVE-2023-6205 DiD
  • UXP Mozilla security patch summary: 3 fixed, 1 DiD, 14 not applicable.

Notes:

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, November 21, 2023

Mozilla Firefox Version 120.0 Released with Security Updates

  FirefoxMozilla sent Firefox Version 120.0 to the release channel.  The update includes eleven security updates of which seven (7) are rated high, two (2) moderate, and two (2) rated low.

Firefox ESR was updated to Version 115.5.

High

#CVE-2023-6204: Out-of-bound memory access in WebGL2 blitFramebuffer
#CVE-2023-6204: Out-of-bound memory access in WebGL2 blitFramebuffer
#CVE-2023-6205: Use-after-free in MessagePort::Entangled
#CVE-2023-6206: Clickjacking permission prompts using the fullscreen transition
#CVE-2023-6207: Use-after-free in ReadableByteStreamQueueEntry::Buffer
#CVE-2023-6212: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5
#CVE-2023-6213: Memory safety bugs fixed in Firefox 120


#

Moderate

#CVE-2023-6208: Using Selection API would copy contents into X11 primary selection
#CVE-2023-6209: Incorrect parsing of relative URLs starting with "///"

Low

#CVE-2023-6210: Mixed-content resources not blocked in a javascript: pop-up
#CVE-2023-6211: Clickjacking to load insecure pages in HTTPS-only mode


New

  • Firefox supports a new “Copy Link Without Site Tracking” feature in the context menu which ensures that copied links no longer contain tracking information.

    Screenshot showing Copy Link feature

  • Firefox now supports a setting (in Preferences → Privacy & Security) to enable Global Privacy Control. With this opt-in feature, Firefox informs the websites that the user doesn’t want their data to be shared or sold.

    Screenshot showing GPC preference

  • Firefox’s private windows and ETP-Strict privacy configuration now enhance the Canvas APIs with Fingerprinting Protection, thereby continuing to protect our users’ online privacy.

  • Firefox has enabled Cookie Banner Blocker by default in private windows for all users in Germany. Firefox will now auto-refuse cookies and dismiss annoying cookie banners for supported sites.

  • Firefox has enabled URL Tracking Protection by default in private windows for all users in Germany. Firefox will remove non-essential URL query parameters that are often used to track users across the web.

  • Firefox now imports TLS trust anchors (e.g., certificates) from the operating system root store. This will be enabled by default on Windows, macOS, and Android, and if needed, can be turned off in settings (Preferences → Privacy & Security → Certificates).

  • Keyboard shortcuts have now been added for editing and deleting a selected credential on about:logins. For editing - Alt + enter (Option + return on macOS) and for deleting - Alt + Backspace (Option + Delete on macOS).

  • Users on Ubuntu Linux now have the ability to import from Chromium when both are installed as Snap packages.

  • Picture-in-Picture now supports corner snapping on Windows and Linux - just hold Ctrl as you move the PiP window.


Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, November 14, 2023

Microsoft November 2023 Security Updates

 

The Microsoft November 2023 security updates have been released and consist of 63 new patches. In addition, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.


Of the CVEs released, 3 are rated critical, 56 are rated important and 4 are rated moderate in severity. At the time of release, three of the CVEs are listed as being under active attack and three as publicly known.

The security updates apply to the following products, features and roles: Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based), Visual Studio, and Windows Hyper-V.

See the list of KBs at the bottom of the page at November 2023 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5032190.  For Windows 10, Version 22H2 and 21H2, see KB5032189.

Recommended Reading:   See Dustin Childs review and analysis in Zero Day Initiative -- The Novemberr 2023 Security Update Review.

 

Additional Update Notes:

 

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...