Tuesday, January 30, 2024

Pale Moon Version 33.0.0 Released with Security Updates

 Pale Moon has been updated to version 33.0.0.  This is a milestone update.  The update involves over 250 commits, the most important of which are listed below.

The primary focus for this milestone is web compatibility, in particular Regular Expression extensions, standards compliance issues and further JPEG-XL support.  This milestone now offers full coverage of the ECMAScript 2016-2020 JavaScript specifications, with the exception of BigInt primitives.

New features:

  • Implemented a restricted version of the asynchronous clipboard API (navigator.clipboard). The API is restricted to writing only, since letting web content read the clipboard has obvious security implications. It supports both plaintext and the standard DataTransfer methods. We did not implement the reinvented-wheel concept of ClipboardItem objects.
  • Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for OCSP stapled responses.
  • Implemented an option (found in the new Preferences -> Content -> Media tab) to restrict DOM full-screen mode to the existing browser window.
  • Implemented several options in a new preferences tab (Preferences -> Privacy -> Tracking) to allow users to more easily control several privacy-impacting features, namely poisoning of canvas data (to prevent fingerprinting) and enabling of Performance observers (a developer feature) that some websites rely on for their operation.
  • Implemented PromiseRejectionEvent. Although this is rarely actually used, some common JS libraries (you know who you are!) use it as a feature level canary and start loading (broken!) Promise shims if it is not found, causing compatibility issues and broken websites due to the shims.

Fixes:

  • Aligned microtasks and Promises scheduling with the current spec and expected behavior.
  • We no longer send click events to the top levels of the document hierarchy when non-primary buttons are used (use auxclick instead to capture these events).
  • Greatly improved the performance of box shadows.
  • Greatly improved the performance of file/data uploads over HTTP/2 (which most HTTPS websites now use).
  • Fixed several issues related to focus and content selection.
  • Fixed issues with the use of focus-within caused by unexpected processing of DOM events.
  • Fixed an issue with CSP not behaving as-expected when using importScripts(), and fixed a number of additional CSP-related issues.
  • Fixed a web compatibility issue with CORS preflights not sending the original request's referrer policy or referrer header.
  • Fixed a spec compliance issue with StructuredClone.
  • Fixed a crash due to clamping code introduced for SetInterval and SetTimeout timers.
  • Fixed crashes when dynamic imports are canceled (e.g. by navigation).

Other changes:

  • Changed <input type=file> to now have its .files property be writable following a spec change and recommendation.
  • We are now requiring and building against the C++17 language standard.
  • Updated the in-tree ffvpx lib to 6.0.
  • Added a preference, security.csp.reporting.enabled, to allow users to completely disable reporting of CSP violations to webmasters. Using it is strongly discouraged: CSP reports provide essential troubleshooting information to webmasters setting up CSP and do not pose a privacy issue, but for those who really want it, reporting can now be fully disabled.
  • Updated the IntersectionObserver interface to now also accept documents for the observer root instead of only HTML elements.
  • Cleaned up various bits of code surrounding GMP, memory allocation, system libraries, vestigial Android code, freetype2 and developer tools.
  • Improved efficiency of handling D3D textures.
  • Added initial and experimental Mac PowerPC and Big Endian support.
  • Changed the behavior of hung scripts. We now automatically terminate them instead of presenting the user with a dialog box (which may or may not show in a reasonable time if the browser is too busy trying to process the hung script). If you prefer the old behavior, uncheck the box "Automatically stop non-responsive scripts" in Preferences -> Content -> General.
  • Security issues addressed: CVE-2024-0746, CVE-2024-0741, CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
  • UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable.

*DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

**Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle


Remember - "A day without laughter is a day wasted."

Tuesday, January 23, 2024

January 2024 Windows 11 23H2 and Windows 11 22H2 Non-Security Update

  Microsoft released KB5034204 (OS Builds 22621.3085 and 22631.3085) today for Windows 11 23H2 and Windows 11 22H2.

IMPORTANT:  After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for this version. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.

Highlights included in the update:

  • This update addresses an issue that stops search from working on the Start menu for some users. The issue occurs because of a deadlock.

  • This update addresses an issue to make video calls more reliable.

  • This update addresses an issue that causes your device to stop responding. This is intermittent and occurs after you install a print support app.

  • This update addresses an issue that makes the troubleshooting process fail. This occurs when you use the Get Help app.

  • This update addresses an issue that affects the File Explorer Gallery. It stops you from closing a tooltip.

  • This update addresses an issue that affects Bluetooth Low Energy (LE) Audio earbuds. They lose sound when you stream music.

  • This update addresses an issue that affects a Bluetooth phone call. It stops the audio from routing through the PC when you answer the call on your PC.

See the KB article for a separate list of quality improvements included in the update for Windows 11 23H2 and Windows 11 22H2.

Update:  To get the update, go to Settings > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

References:

Windows 11 update history


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

January 2024 Windows 10 Non-Security Preview Update

 Microsoft released KB5034203, the optional non-security preview release for Windows 10 version 22H2 (see Windows monthly updates explained).

Highlights included in the update:
  • This update addresses an issue that affects some single-function printers. They might install as a scanner.
  • The coming weeks will bring a richer weather experience to your lock screen. This includes dynamic, interactive weather updates.
  • Microsoft has been working to ensure compliance with the Digital Markets Act (DMA) in the European Economic Area (EEA). To learn more, see Previewing changes in Windows to comply with the Digital Markets Act in the European Economic Area.
  • This update addresses an issue that affects an Internet Explorer shortcut. After you use a policy to remove it, the shortcut reappears.
  • This update addresses an issue that stops you from reconnecting to an existing Remote Desktop session.
See the KB article for the lengthy list of quality improvements included in the update.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.
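Confirming that a preview update actually landed on a machine is easier from the registry than from the Settings app: the "OS Build" shown in winver is CurrentBuildNumber.UBR, and the KB should also appear in Get-HotFix once installed. The following PowerShell script is an added example, not Microsoft's own tooling. The Windows 11 build numbers come from the KB5034204 post above; the Windows 10 KB5034203 build is not quoted on this page, so it is left as a placeholder to be filled in from the KB article. A build at or above the expected number counts as patched, because later cumulative updates include the earlier fixes.

```powershell
# Added example (not Microsoft's tooling): verify that a cumulative or preview
# update is present by comparing the OS build (CurrentBuildNumber.UBR) against
# the build quoted in the KB article, and by checking the Get-HotFix list.

function Get-OSBuildString {
    # CurrentBuildNumber and UBR (Update Build Revision) together form the
    # "OS Build" that winver displays, e.g. 22631.3085.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cv  = Get-ItemProperty -Path $key
    return ('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-BuildAtLeast {
    param(
        [Parameter(Mandatory)][string]$Actual,    # e.g. 22631.3085
        [Parameter(Mandatory)][string]$Expected   # e.g. 22631.3085
    )
    $a = $Actual.Split('.')
    $e = $Expected.Split('.')
    # Compare only within the same feature-update branch: a 22621 (22H2)
    # machine can never satisfy a 22631 (23H2) expectation and vice versa.
    if ($a[0] -ne $e[0]) { return $false }
    return ([int]$a[1] -ge [int]$e[1])
}

function Test-UpdateInstalled {
    param(
        [Parameter(Mandatory)][string]$KB,               # e.g. KB5034204
        [Parameter(Mandatory)][string[]]$ExpectedBuilds  # one entry per branch the KB serves
    )
    $build  = Get-OSBuildString
    $branch = $build.Split('.')[0]
    $target = $ExpectedBuilds | Where-Object { $_.Split('.')[0] -eq $branch } | Select-Object -First 1
    if (-not $target) {
        # This KB does not serve the branch this machine is on.
        return [pscustomobject]@{ KB = $KB; Build = $build; Applicable = $false; Installed = $false; Listed = $false }
    }
    $byBuild = Test-BuildAtLeast -Actual $build -Expected $target
    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates show up
    # there as "Update" entries once installed. Returns nothing if absent.
    $listed = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    return [pscustomobject]@{ KB = $KB; Build = $build; Applicable = $true; Installed = $byBuild; Listed = $listed }
}

# Expected builds. The Windows 11 values are the ones quoted for KB5034204 above.
# The Windows 10 22H2 (19045.x) value for KB5034203 is NOT on this page and is an
# assumption you must fill in from the KB article before enabling that line.
$expected = @{
    'KB5034204' = @('22621.3085', '22631.3085')
    # 'KB5034203' = @('19045.FILL-IN-FROM-KB-ARTICLE')
}

foreach ($kb in $expected.Keys) {
    $r = Test-UpdateInstalled -KB $kb -ExpectedBuilds $expected[$kb]
    if (-not $r.Applicable) {
        Write-Output ('{0}: not applicable to build {1}' -f $r.KB, $r.Build)
    } elseif ($r.Installed) {
        Write-Output ('{0}: installed (build {1}, listed by Get-HotFix: {2})' -f $r.KB, $r.Build, $r.Listed)
    } else {
        Write-Output ('{0}: MISSING - build {1} is older than the patched build' -f $r.KB, $r.Build)
    }
}
```

Run it in an elevated or normal PowerShell session on the target machine; the registry keys it reads are world-readable. The build comparison is the authoritative check, since Get-HotFix can lag or omit entries on some systems, which is why the script reports both.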

Windows 10 update history




Mozilla Firefox Version 122.0 Released with Security Updates

 Mozilla sent Firefox Version 122.0 to the release channel.  Firefox ESR was updated to Version 115.7.

The update includes fifteen security updates of which five (5) are rated high and ten (10) rated moderate.

High

  • CVE-2024-0741: Out of bounds write in ANGLE
  • CVE-2024-0742: Failure to update user input timestamp
  • CVE-2024-0743: Crash in NSS TLS method
  • CVE-2024-0744: Wild pointer dereference in JavaScript
  • CVE-2024-0745: Stack buffer overflow in WebAudio

Moderate

  • CVE-2024-0746: Crash when listing printers on Linux
  • CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set
  • CVE-2024-0748: Compromised content process could modify document URI
  • CVE-2024-0749: Phishing site popup could show local origin in address bar
  • CVE-2024-0750: Potential permissions request bypass via clickjacking
  • CVE-2024-0751: Privilege escalation through devtools
  • CVE-2024-0752: Use-after-free could occur when applying update on macOS
  • CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain
  • CVE-2024-0754: Crash when using some WASM files in devtools
  • CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7


New

  • Firefox now displays images and descriptions for search suggestions when provided by the search engine.
  • The translations feature received an improvement in the quality of translated webpages. The results should be much more stable. This fixes issues where the content of a page could disappear when translated, or interactive widgets could break.
  • Firefox now supports creating and using passkeys stored in the iCloud Keychain on macOS.
  • MDN Web Docs article suggestions from Firefox Suggest will be available in the address bar for users searching for web development-related information.
  • The line breaking rules of Web content now match the Unicode Standard. This improves Web Browser compatibility for line breaking. An additional improvement for East Asian and South East Asian end users, Firefox now supports proper language-aware word selection when double-clicking on text for languages including Chinese, Japanese, Burmese, Lao, Khmer, and Thai.
  • Firefox now ships with a new .deb package for Linux users on Ubuntu, Debian, and Linux Mint.

Unresolved

  • Some machines with older AMD CPUs may see image thumbnails incorrectly rendered as all black in file dialogs. If this is the case, updating the graphics driver should address this issue.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Tuesday, January 16, 2024

Oracle Java Critical Security Update Released

Oracle released the scheduled update for its Java SE Runtime Environment software.  This is a bugfix and critical security update.  

This Critical Patch Update contains 13 new security patches for Oracle Java SE.  Eleven (11) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Download Information:  Java SE Runtime Environment Version  8u401:  https://java.com/en/download/manual.jsp

Java Security Recommendations

1) If Java is still installed on your computer, it is recommended that all updates be applied as soon as possible and older, less secure, versions uninstalled.  See Why should I uninstall older versions of Java from my system?.
2) In the Java Control Panel, at minimum, set the security to high.
3) Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Notes:

  • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  It is therefore strongly recommended that you uninstall older JRE 8 releases before installing the update rather than relying on auto update.
  • Verify your version:  http://www.java.com/en/download/testjava.jsp  Note: The Java version verification page will only work if your browser has NPAPI support.  Otherwise, to check the version, open a cmd window and enter the following (note the space following java):  java -version
  • Important: Current browsers, including Edge and Firefox, no longer support the NPAPI plug-in architecture that the Java browser plug-in relies on, so Java content cannot run inside the browser.  Java is only needed for desktop applications and games that depend on it.
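The "java -version" check above is easy to automate for a fleet, but its output has two different version schemes (the legacy "1.8.0_401" form for Java 8 and the "17.0.9" form for Java 9 and later) and it is written to stderr, which trips up naive scripts. The following PowerShell script is an added example, not Oracle's tooling: it parses both schemes, decides whether a runtime is at or above 8u401 (the release from this Critical Patch Update), and runs the live check on the current machine. The two sample outputs inside it are constructed, not captured from a real system.

```powershell
# Added example (not Oracle's tooling): parse `java -version` output and decide
# whether the installed runtime is at or above the 8u401 release from this CPU.

function ConvertTo-JavaVersionInfo {
    param([Parameter(Mandatory)][string]$VersionText)
    # Legacy scheme (Java 8 and earlier):  java version "1.8.0_401"
    if ($VersionText -match 'version "1\.(\d+)\.\d+_(\d+)') {
        return [pscustomobject]@{ Major = [int]$Matches[1]; Update = [int]$Matches[2]; Raw = $Matches[0] }
    }
    # Newer scheme (Java 9+):  java version "17.0.9" / openjdk version "21.0.1"
    if ($VersionText -match 'version "(\d+)\.(\d+)\.(\d+)') {
        return [pscustomobject]@{ Major = [int]$Matches[1]; Update = [int]$Matches[3]; Raw = $Matches[0] }
    }
    # Newer scheme, feature release only:  openjdk version "21" 2023-09-19
    if ($VersionText -match 'version "(\d+)"') {
        return [pscustomobject]@{ Major = [int]$Matches[1]; Update = 0; Raw = $Matches[0] }
    }
    return $null   # unrecognised output, e.g. "java is not recognized" (no Java installed)
}

function Test-JavaAtLeast {
    param(
        [Parameter(Mandatory)][string]$VersionText,
        [int]$Major  = 8,
        [int]$Update = 401      # 8u401 is the January 2024 Critical Patch Update release
    )
    $v = ConvertTo-JavaVersionInfo -VersionText $VersionText
    if (-not $v) { return $false }
    # A newer major line (11, 17, 21 ...) is not "older" than 8u401; an older
    # major line (7, 6) always fails.
    if ($v.Major -ne $Major) { return ($v.Major -gt $Major) }
    return ($v.Update -ge $Update)
}

function Get-InstalledJavaVersionText {
    # `java -version` prints to stderr; 2>&1 merges it so Out-String can capture it.
    # If java is not on PATH, PowerShell throws CommandNotFoundException, caught here.
    try { return (& java -version 2>&1 | Out-String) } catch { return '' }
}

# Constructed sample outputs (not captured from a real machine):
$sampleOld = 'java version "1.8.0_391"' + "`n" + 'Java(TM) SE Runtime Environment (build 1.8.0_391-b13)'
$sampleNew = 'java version "1.8.0_401"' + "`n" + 'Java(TM) SE Runtime Environment (build 1.8.0_401-b10)'

Write-Output ('sample 8u391 at least 8u401? {0}' -f (Test-JavaAtLeast -VersionText $sampleOld))
Write-Output ('sample 8u401 at least 8u401? {0}' -f (Test-JavaAtLeast -VersionText $sampleNew))

# Live check on this machine.
$live = Get-InstalledJavaVersionText
if ([string]::IsNullOrWhiteSpace($live) -or -not (ConvertTo-JavaVersionInfo -VersionText $live)) {
    Write-Output 'no Java found on PATH'
} else {
    $firstLine = ($live.Trim() -split "`n")[0].Trim()
    Write-Output ('installed: {0}; at least 8u401: {1}' -f $firstLine, (Test-JavaAtLeast -VersionText $live))
}
```

Note that the live check only sees the java.exe first on PATH; a machine can carry several side-by-side JRE 8 builds, which is exactly why the recommendation above is to uninstall the older ones rather than trust a single version string.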

Patch Schedule

For Oracle Java SE, the next scheduled update is April 16, 2024.  The planned release schedule is available here.

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-To Geek discovered a little-known and little-publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.


Optional Hotfix Patch for Adobe Reader and Acrobat

Adobe has released an optional hotfix patch for Acrobat and Acrobat Reader that addresses some important bug fixes for Adobe Acrobat DC and Reader. 

Update or Complete Download

Reader DC and Acrobat DC were updated to version 23.008.20470 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


Tuesday, January 09, 2024

Microsoft January 2024 Security Updates

 

The Microsoft January 2024 security updates have been released and consist of 49 new patches. In addition, 4 Chromium updates are included, bringing the total number of CVEs to 53.


Of the CVEs released, 2 are rated critical and 47 are rated important. At the time of release, none of the CVEs are listed as being under active attack or as publicly known.

The security updates apply to the following products, features and roles: Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; and Internet Explorer.

See the list of KBs at the bottom of the page at January 2024 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5034123.  For Windows 10, Version 22H2 see KB5034122.

Recommended Reading:   See Dustin Childs' review and analysis in Zero Day Initiative -- The January 2024 Security Update Review.

IMPORTANT: 

  • After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Only cumulative monthly security updates (known as the "B" or Update Tuesday release) will continue for this version. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.


Mozilla Firefox Version 121.0.1 Released

 

Mozilla sent Firefox Version 121.0.1 to the Release Channel.

Fixed

  • Fixed unexpected line wrapping in some CJK contexts caused by changes in ideographic space handling. (Bug 1870973)

  • Fixed a hang when loading sites containing column-based layouts under some circumstances. (Bug 1867784)

  • Fixed missing rounded corners for videos playing over another video. (Bug 1869994)

  • Fixed Firefox not closing properly and other applications being unable to use a USB security key after being previously used during a Firefox session. (Bug 1863135)

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox".  Mac users need to select "About Firefox" from the Firefox menu.  For non-English versions, Fully Localized Versions are available for download.

Release Notes



Friday, January 05, 2024

Optional Hotfix Patch for Adobe Reader and Acrobat

 

Adobe has released an optional hotfix patch for Acrobat and Acrobat Reader that addresses some important bug fixes for Adobe Acrobat DC and Reader. 

Update or Complete Download

Reader DC and Acrobat DC were updated to version 23.008.20458 for Windows.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

Reader DC and other versions are available here: https://get.adobe.com/reader/

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.
