Tuesday, June 18, 2024

Pale Moon Version 33.2.0 Released with Security Updates

Pale Moon has been updated to version 33.2.0. This is a development, stability and security release.

New features:

  • Implemented the missing parts of the HTML5 <dialog> element, including modal handling and custom backdrops.
  • Implemented coarser, user-configurable granularity for the canvas poisoning anti-fingerprinting measure. See implementation notes.
  • Implemented new CSS viewport units svw, svh, svmin, svmax, lvw, lvh, lvmin, lvmax, dvw, dvh, dvmin and dvmax.
  • Implemented new CSS logical viewport units vb, vi, svb, svi, lvb, lvi, dvb and dvi.

Changes/fixes:

  • Removed the archaic and wholly outdated FIPS security module code.
  • Removed the archaic DBM support code for storing passwords in DBM format files.
  • Removed the -moz prefix from -moz-fit-content, aligning with the current CSS standard fit-content value.
  • Updated our build system by adopting parts of the old autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build requirement. If you build from source, you may want to review your dependencies with this change.
  • Fixed issues when building with GCC 14.* and Clang 16.*.
  • Fixed issues with emoji sequence clusters causing incorrect rendering of emoji glyphs in some cases.
  • Made some arguments to the legacy XPathEvaluator/XPathExpression interfaces optional for web compatibility.
  • Fixed a crash when reporting JavaScript module exporting errors.
  • Updated checking of special cookie prefixes to be case-insensitive in accordance with the current RFC 6265 (bis-11+).
  • Fixed issues with external protocol handlers.
  • Fixed an issue where autocomplete pop-ups would stay open in some circumstances.
  • Fixed an issue with potentially bad file names being entered by the user to "Save As...".
  • Fixed several crashes and race conditions.
  • Security issues addressed: CVE-2024-5699, CVE-2024-5702 DiD, CVE-2024-5690, CVE-2024-5698 DiD, CVE-2024-5688 DiD, CVE-2024-5692 and several other security issues (some more DiD) that do not have CVE numbers assigned to them.
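The case-insensitive cookie-prefix check from the changes list above, as an added example that is not Pale Moon's or Mozilla's code: it applies the `__Secure-` and `__Host-` prefix rules of RFC 6265bis to constructed Set-Cookie headers, with an exact-case mode included only for contrast. All function names and sample headers are assumptions made for this illustration.

```javascript
// Added example: cookie-prefix checks in the style of RFC 6265bis.
// All names are illustrative; this is not Pale Moon or Firefox code.

// Split a Set-Cookie value into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Decide whether a cookie may be stored. caseInsensitive=false models an
// exact-case prefix comparison and exists for contrast only.
function checkCookiePrefix(header, secureOrigin, caseInsensitive = true) {
  const { name, attrs } = parseSetCookie(header);
  const probe = caseInsensitive ? name.toLowerCase() : name;
  const hasPrefix = (p) =>
    probe.startsWith(caseInsensitive ? p.toLowerCase() : p);
  // A Secure cookie only counts when it arrives over a secure origin.
  const secure = attrs.has("secure") && secureOrigin;

  if (hasPrefix("__Secure-") && !secure) {
    return { accepted: false, reason: "__Secure- requires Secure on a secure origin" };
  }
  if (hasPrefix("__Host-")) {
    if (!secure) return { accepted: false, reason: "__Host- requires Secure on a secure origin" };
    if (attrs.has("domain")) return { accepted: false, reason: "__Host- forbids Domain" };
    if (attrs.get("path") !== "/") return { accepted: false, reason: "__Host- requires Path=/" };
  }
  return { accepted: true, reason: "ok" };
}

// Constructed sample headers, evaluated as if sent by a plain-HTTP origin.
const SAMPLES = [
  "__Secure-sid=abc; Path=/",
  "__secure-sid=abc; Path=/",
  "__HOST-sid=abc; Path=/; Domain=example.test",
  "theme=dark; Path=/",
];

// Run every sample through both comparison modes.
function compareModes(samples = SAMPLES, secureOrigin = false) {
  return samples.map((h) => ({
    header: h,
    exactCase: checkCookiePrefix(h, secureOrigin, false).accepted,
    caseInsensitive: checkCookiePrefix(h, secureOrigin, true).accepted,
  }));
}

console.log(compareModes());
```

Rows where the two modes disagree are the mis-capitalized prefixed cookies that only the case-insensitive comparison rejects.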

Notes:

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Mac builds have switched to Xcode 15 and are now cross-compiled from Apple silicon for Intel targets. While the resulting builds have been tested on a few Intel Mac systems, this is a big build change, so please get in touch through our forum if you experience any issues with these builds on Mac.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Sunday, June 16, 2024

Optional Update for Adobe Reader and Acrobat

 

Adobe is releasing an optional hotfix patch for Acrobat and Acrobat Reader that addresses some important bug fixes.

Update or Complete Download

Adobe Acrobat and Reader were updated to version 24.002.20857.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Release Notes


Saturday, June 15, 2024

Adobe Acrobat/Reader Update

 

Adobe is releasing an update with new features and bug fixes for Acrobat and Reader. 

Update or Complete Download

Adobe Acrobat and Reader were updated to version 24.002.20854.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Release Notes


Tuesday, June 11, 2024

Microsoft June 2024 Security Updates

 

The Microsoft June 2024 security updates have been released and consist of 49 new patches to Microsoft products. In addition, 9 third-party CVEs are documented, bringing the total number of CVEs reported to 58.


Of the Microsoft CVEs released, 1 is rated critical and 48 are rated important in severity. At the time of release, one of the CVEs is listed as being publicly known. However, it is a third-party update that is now being integrated into Microsoft products. None are under active attack.

The security updates apply to the following products, features and roles: Windows and Windows Components, Office and Office Components, Azure, Dynamics Business Central, and Visual Studio.

See the list of KBs at the bottom of the page at June 2024 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5039212.  For Windows 10, Version 22H2 see KB5039211.

Recommended Reading: See Dustin Childs' review and analysis in Zero Day Initiative -- The June 2024 Security Update Review.


Mozilla Firefox Version 127.0 Released with Security Updates

 Mozilla sent Firefox Version 127.0 to the Release Channel. ESR was updated to Version 115.12.0.

The update includes fifteen security updates of which four (4) are rated high, eight (8) are rated moderate, and three (3) are rated low.

HIGH

CVE-2024-5687: An incorrect principal could have been used when opening new tabs
CVE-2024-5688: Use-after-free in JavaScript object transplant
CVE-2024-5700: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12
CVE-2024-5701: Memory safety bugs fixed in Firefox 127

MODERATE

CVE-2024-5689: User confusion and possible phishing vector via Firefox Screenshots
CVE-2024-5690: External protocol handlers leaked by timing attack
CVE-2024-5691: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
CVE-2024-5692: Bypass of file name restrictions during saving
CVE-2024-5693: Cross-Origin Image leak via Offscreen Canvas
CVE-2024-5694: Use-after-free in JavaScript Strings
CVE-2024-5695: Memory Corruption using allocation using out-of-memory conditions
CVE-2024-5696: Memory Corruption in Text Fragments

LOW

CVE-2024-5697: Website was able to detect when Firefox was taking a screenshot of them
CVE-2024-5698: Data-list could have overlaid address bar
CVE-2024-5699: Cookie prefixes not treated as case-sensitive

NEW

  • You can now set Firefox to automatically launch whenever you start or restart your Windows computer. Setting Firefox to auto-launch optimizes efficiency in our browser-centric digital routines, eliminating manual startup delays and facilitating immediate web access. (Learn more)
  • We completed work to optimize and enable DNS prefetching for HTTPS documents via the rel="dns-prefetch" link hint. This standard allows web developers to specify domain names for important assets that should be resolved preemptively.
  • It is now possible to close all duplicate tabs in a window with the Close duplicate tabs command available from the List all tabs widget in the tab bar or a tab context menu.
  • Firefox will now automatically try to upgrade <img>, <audio>, and <video> elements from HTTP to HTTPS if they are embedded within an HTTPS page. If these so-called mixed content elements do not support HTTPS, they will no longer load.
  • For added protection on macOS and Windows, a device sign-in (e.g. your operating system password, fingerprint, face or voice login if enabled) can be required when accessing and filling stored passwords in the Firefox Password Manager about:logins page.

Changed

  • To reduce user fingerprinting information and the risk of some website compatibility issues, the CPU architecture for 32-bit x86 Linux will now be reported as x86_64 in Firefox's User-Agent string and navigator.platform and navigator.oscpu Web APIs.
  • Links and other focusable elements are now tab-navigable by default on macOS, instead of following macOS' "Keyboard navigation" setting. This is a more accessible default and matches the default in all other platforms. A checkbox in the settings page still allows users to restore the old behavior.
  • The Screenshots feature in Firefox has gotten a big update! It now supports taking screenshots of file types like SVG, XML, and more as well as various about: pages within Firefox. We've also made the screenshot tool more accessible to everyone by implementing new keyboard shortcuts and adding theme compatibility and High Contrast Mode (HCM) support. And finally, performance for capturing large screenshots has been improved.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox".  Mac users need to select "About Firefox" from the Firefox menu.  For non-English versions, Fully Localized Versions are available for download.


Wednesday, May 29, 2024

May 2024 Windows 11 Non-Security Preview Update

Microsoft released KB5037853 (OS Builds 22621.3672 and 22631.3672) today for Windows 11 23H2 and Windows 11 22H2.

IMPORTANT:  The date for optional, non-security preview releases for Home and Pro versions of Windows 11, version 22H2 has been extended from February 27, 2024 to June 26, 2024. 

See the KB article for a long list of highlighted changes as well as a separate list of quality improvements included in the update for Windows 11 23H2 and Windows 11 22H2.

Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

References:

Windows 11 update history



May 2024 Windows 10 Non-Security Preview Update

 Microsoft released KB5037849 for Windows 10 version 22H2 optional non-security release preview (Windows monthly updates explained).

Highlights included in the update:
  • This update addresses an issue that displays a hidden window. Its title bar has no content and no client area. This occurs when you share your screen using certain apps.

  • This update addresses an issue that affects the Share button on USB controllers. It might not work with Game Bar.  

See the KB article for the list of quality improvements included in the update.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows 10 update history




Tuesday, May 28, 2024

Pale Moon Version 33.1.1 Released with Security Updates

Pale Moon has been updated to version 33.1.1. This is a minor security and bugfix update.

Changes/fixes:

  • Made the nonce length for HTTP digest auth configurable.
  • Fixed various potential issues with font loading, parsing and handling.
  • Cleaned up error reporting for workers and normalized error messages.
  • Security issues addressed: CVE-2024-4772 DiD, CVE-2024-4771, CVE-2024-4769 and CVE-2024-4770.
  • We've switched back to an older toolchain (17.3) for compiling 32-bit Windows binaries (again) to hopefully address some of the intermittent stability issues people continued to have on later Microsoft compiler versions when running on older hardware.

Notes:

*DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle


Mozilla Firefox Version 126.0.1 Released with Updates

   Mozilla sent Firefox Version 126.0.1 to the Release Channel.

Fixed

  • Fixed an issue with reading tagged PDF documents in a screen reader. (Bug 1894849)

  • Fixed not displaying localized text for non-en-US locales in the Crash Reporter dialog box on macOS. (Bug 1896097)

  • Fixed issues with drag-and-drop functionality on Linux. (Bug 1897115)

  • Fixed an issue causing high GPU memory usage on certain versions of AMD cards. (Bug 1897006)

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox".  Mac users need to select "About Firefox" from the Firefox menu.  For non-English versions, Fully Localized Versions are available for download.

Release Notes



Tuesday, May 14, 2024

Microsoft May 2024 Security Updates

 

The Microsoft May 2024 security updates have been released and consist of 57 new patches to Microsoft products. In addition, 4 third-party CVEs are documented, bringing the total number of CVEs reported to 63.


Of the Microsoft CVEs released, 1 is rated critical, 57 are rated important and 1 is rated moderate in severity. At the time of release, one of the CVEs is listed as being publicly known and under active attack.

The security updates apply to the following products, features and roles: Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband.

See the list of KBs at the bottom of the page at May 2024 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5037771.  For Windows 10, Version 22H2 see KB5037778.

Recommended Reading: See Dustin Childs' review and analysis in Zero Day Initiative -- The May 2024 Security Update Review.


Adobe Acrobat/Reader Update with Security Updates

 

Adobe is releasing an update with new features for Acrobat and security updates for Acrobat and Reader. 

The security updates provide mitigations for vulnerabilities described in the corresponding security bulletins for Reader and Acrobat.


Update or Complete Download

Adobe Acrobat and Reader were updated to version 24.002.20759 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

Release Notes


Mozilla Firefox Version 126.0 Released with Security Updates

 Mozilla sent Firefox Version 126.0 to the Release Channel. ESR was updated to Version 115.11.0.

The update includes sixteen security updates of which two (2) are rated high, nine (9) are rated moderate, and five (5) are rated low.

High

CVE-2024-4764: Use-after-free when audio input connected with multiple consumers
CVE-2024-4367: Arbitrary JavaScript execution in PDF.js

Moderate

CVE-2024-4765: Web application manifests could have been overwritten via hash collision
CVE-2024-4766: Fullscreen notification could have been obscured on Firefox for Android
CVE-2024-4767: IndexedDB files retained in private browsing mode
CVE-2024-4768: Potential permissions request bypass via clickjacking
CVE-2024-4769: Cross-origin responses could be distinguished between script and non-script content-types
CVE-2024-4770: Use-after-free could occur when printing to PDF
CVE-2024-4771: Failed allocation could lead to use-after-free
CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11
CVE-2024-4778: Memory safety bugs fixed in Firefox 126

Low

CVE-2024-4772: Use of insecure rand() function to generate nonce
CVE-2024-4773: URL bar could be cleared after network error
CVE-2024-4774: Undefined behavior in ShmemCharMapHashEntry()
CVE-2024-4775: Invalid memory access in the built-in profiler
CVE-2024-4776: Window may remain disabled after file dialog is shown in full-screen


New

  • The Copy Without Site Tracking option can now remove parameters from nested URLs. It also includes expanded support for blocking over 300 tracking parameters from copied links, including those from major shopping websites. Keep those trackers away when sharing links!
  • Catalan is now available in Firefox Translations.
  • Enabled AV1 hardware decode acceleration on macOS for M3 Macs.
  • Telemetry was added to create an aggregate count of searches by category to broadly inform search feature development. These categories are based on 20 high-level content types, such as "sports," "business," and "travel". This data will not be associated with specific users and will be collected using OHTTP to remove IP addresses as potentially identifying metadata. No profiling will be performed, and no data will be shared with third parties. (read more)

Changed

  • The URL Paste Suggestion feature added in Fx125 was temporarily disabled while the team investigates a potential performance issue. The feature will be re-enabled in a future release once the performance issue is addressed.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox".  Mac users need to select "About Firefox" from the Firefox menu.  For non-English versions, Fully Localized Versions are available for download.
