Tuesday, October 29, 2024

Mozilla Firefox Version 132.0 Released with Security Updates

Mozilla sent Firefox Version 132.0 to the release channel.

The update includes nine security updates of which two (2) are rated high, six (6) are rated moderate, and three (3) are rated low.

High

CVE-2024-10458: Permission leak via embed or object elements
CVE-2024-10459: Use-after-free in layout with accessibility

Moderate

CVE-2024-10460: Confusing display of origin for external protocol handler prompt
CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
CVE-2024-10463: Cross origin video frame leak
CVE-2024-10468: Race conditions in IndexedDB
CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4

Low

CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
CVE-2024-10465: Clipboard "paste" button persisted across tabs
CVE-2024-10466: DOM push subscription message could hang Firefox

New

  • Microsoft PlayReady encrypted media playback is now being rolled out to select sites on Windows. Through this support, we are gradually rolling out a 1080p baseline and 4K Ultra HD support with key streaming partners. An added benefit is that viewers get less battery drain and better performance when streaming their favorite movies and shows.
  • A tab preview is now displayed when hovering the mouse over background tabs, making it easier to locate the desired tab without needing to switch tabs.
  • Wide Color Gamut WebGL is now available for Windows and macOS users! With this support, Firefox is bringing a richer, more vivid range of colors to the videos, games, and images on your screen. This implementation currently supports wider color (P3) profiles in 8-bit.
  • WebRender hardware accelerated rendering is now enabled for most SVG filter primitives, improving performance for certain graphics-heavy content. Accelerated filters are feBlend, feColorMatrix, feComponentTransfer, feComposite, feDropShadow, feFlood, feGaussianBlur, feMerge and feOffset.
  • Added support for macOS’ new screen and window sharing selection features on macOS 15 and later. Support for macOS 14 will be added in a future release.
  • The macOS session resume feature has been enhanced. Firefox will now automatically relaunch if it was open before a system restart, like after an OS update.
  • Firefox now blocks third-party cookie access when Enhanced Tracking Protection's Strict mode is enabled.

Fixed

  • Fixed an issue where Copy and Paste context menu items intermittently were not enabled when expected.

Changed

  • As a follow-up to our work to upgrade mixed content starting with Firefox 127, HTTP-favicons will now also be blocked if they cannot be received over HTTPS instead.
  • The Copy Without Site Tracking option is now grayed out when no known tracking parameters are found within the link. Additionally, more tracking parameter support has been added for websites such as LinkedIn and Shopee. Please report tracking parameters that aren't removed by filing a bug in Bugzilla.

    Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Monday, October 28, 2024

    Adobe Acrobat/Reader Update

     

    Adobe is releasing an update with new features and bug fixes for Acrobat and Reader. 

    Update or Complete Download

    Adobe Acrobat and Reader were updated to version 24.004.20220.  Updates should become available via the internal updater or checks can be manually activated by choosing Help/Check for Updates.  

    Reader DC and other versions are available here: https://get.adobe.com/reader/

    Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

    Release Notes


    Thursday, October 24, 2024

    October 2024 Windows 11 24H2 Non-Security Preview Update

    Microsoft released KB5044384 (OS Builds 22100.2161) for Windows 11 24H2.

    Gradual rollout

    These might not be available to all users because they will roll out gradually.


    • [Notifications] New! You can now stop the suggestions to turn off notifications from certain apps. Select the ellipses (…) in the notification and turn it off. You can also go to Settings > System > Notifications and turn it off from there. Look for “Notification Suggestions” in the senders list. An entry will only appear in the list after you receive a notification.

    • [Wi-Fi password dialog] New! The dialog now has the Windows 11 visual design. Go to Settings > Network & internet.

    • [Narrator]


      • New! This update adds a new Narrator shortcut. Press the Narrator key + Ctrl + X to copy what Narrator last spoke to the clipboard. This shortcut is useful when you want to quickly copy some content, like codes or numbers for use.

      • New! It will now auto read the contents of an email message in the new Outlook. This is like the behavior in Outlook classic.

    • [Gamepad keyboard] New! This update starts the roll out of a new Gamepad keyboard layout for the on-screen keyboard. With it, you can use your Xbox controller to move around the screen and type. Button accelerators are also available; these include the X button for backspace and the Y button for the spacebar. For better movement patterns, the keyboard keys are aligned vertically.

    • [Start menu] New! “All apps” has the new name, “All.”

    • [ALT + Tab] Fixed: The screen goes black on some PCs for a few seconds when you switch between certain windows.

    • [Scanning apps] Fixed: They don't detect certain scanners although they are connected.

    Normal rollout

    • [Web sign-in] Fixed: You cannot sign in to your account from the web because the screen stops responding.

    • [Copilot key settings] New! You can configure the Copilot key on the keyboard. On new devices, the key opens the Copilot app. If you sign in to your account using a Microsoft Entra ID, the key opens the M365 app. You can make the key open a different app or open Search. To do this, go to Settings > Personalization > Text input. To make the key open a different app, the app must be in a signed MSIX package. This ensures that the app meets security and privacy standards to keep you safe. If your PC’s keyboard does not have a Copilot key, changing this setting will do nothing.

    • [Windows Disk Cleanup app] Fixed: This update addresses some of the causes for the wrong free space estimates and improves its accuracy.

    See the KB article for improvements included.

    Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

    References:

    Windows 11 update history



    Wednesday, October 23, 2024

    October 2024 Windows 11 Non-Security Preview Update

    Microsoft released KB5044380 (OS Builds 22621.4391 and 22631.4391) for Windows 11 23H3 and Windows 11 22H2. The non-security preview update for Windows 11, version 24H2 will be available soon.

    Highlights

    These might not be available to all users because they will roll out gradually.

    • [Gamepad keyboard] New! This update starts the roll out of a new Gamepad keyboard layout for the on-screen keyboard. With it, you can use your Xbox controller to move around the screen and type. Button accelerators are also available; these include the X button for backspace and the Y button for the spacebar. For better movement patterns, the keyboard keys are aligned vertically.
    • [Notifications] New! You can now stop the suggestions to turn off notifications from certain apps. Select the ellipses (…) in the notification and turn it off. You can also go to Settings > System > Notifications and turn it off from there. Look for “Notification Suggestions” in the senders list. An entry will only appear in the list after you receive a notification.
    • [Start menu] New! “All apps” has the new name, “All.”
    • [Narrator]
      • New! This update adds a new Narrator shortcut. Press the Narrator key + Ctrl + X to copy what Narrator last spoke to the clipboard. This shortcut is useful when you want to quickly copy some content, like codes or numbers for use.
      • New! It will now auto read the contents of an email message in the new Outlook. This is like the behavior in Outlook classic.

      Normal rollout

      • [Copilot key settings] New! You can configure the Copilot key on the keyboard. On new devices, the key opens the Copilot app. If you sign in to your account using a Microsoft Entra ID, the key opens the M365 app. You can make the key open a different app or open Search. To do this, go to Settings > Personalization > Text input. To make the key open a different app, the app must be in a signed MSIX package. This ensures that the app meets security and privacy standards to keep you safe. If your PC’s keyboard does not have a Copilot key, changing this setting will do nothing.
      • [Battery use] Fixed: A device uses too much battery power while the device is in Modern Standby.
      • [Microsoft Teams] Fixed: The issue stops you from joining Teams meetings when you select an Outlook meeting reminder.
      • [Product activation phone numbers] Fixed: This adds new phone numbers for several regions.
      • [Multi-Function Printer (MFP)] Fixed: When you use a USB cable to connect to it, it prints specific network command text when you do not want it to.

      Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

      References:

      Windows 11 update history



      October 2024 Windows 10 Non-Security Preview Update

       Microsoft released KB5045594 for Windows 10 version 22H2 optional non-security release preview (Windows monthly updates explained).

      Highlights
      • [Start menu] New! This update starts the roll out of the new account manager on the Start menu. The new design makes it easy to view your account and access account settings. To change to a different user, select the ellipses (...) next to Sign out. The Lock command is now on the power menu. Note This change might not be available to all users because it will roll out gradually.
      • [Multi-Function Printer (MFP)]
        • Fixed: When you use a USB cable to connect to it, it prints specific network command text when you do not want it to.
        • Fixed: A scanner driver fails to install when you use a USB cable to connect to an MFP.
      See the KB article for the list of quality improvements included in the update.

      This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

      Update:  To get the update, go to Settings > Update & Security > Windows Update. The link to download and install the update can be found in the Optional updates available area.  To get the standalone package for this update, go to the Microsoft Update Catalog website.

      Windows 10 update history




      Wednesday, October 16, 2024

      Oracle Java Runtime (JRE) Update Released

       



      Oracle released the scheduled update for its Java SE Runtime Environment software.  This is a bugfix update.  

      Download Information:  

      Java SE Runtime Environment Version 8u431: https://java.com/en/download/manual.jsp

      Java Security Recommendations

      1) If Java is still installed on your computer, it is recommended that all updates be applied as soon as possible and older, less secure, versions uninstalled.  See Why should I uninstall older versions of Java from my system?
      2) In the Java Control Panel, at minimum, set the security to high.
      3) Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

      Notes:

      • UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
      • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
      • Verify your version:  http://www.java.com/en/download/testjava.jsp  Note: The Java version verification page will only work if your browser has NPAPI support.  If it does not, open a cmd window and enter the following to check the version (note the space following java):  java -version
      • Important:  If you have a need to use Java, see which browsers support it at Browsers That Still Support Java & How to Enable It.

      Patch Schedule

      For Oracle Java SE, the next scheduled update is January 21, 2025.  The planned release schedule is available here.

      Unwanted "Extras"

      Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-to Geek discovered a little-known and little-publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude the pre-checked option for some other unnecessary add-on.

      Do the following to suppress the sponsor offers:
      1. Launch the Windows Start menu
      2. Click on Programs
      3. Find the Java program listing
      4. Click Configure Java to launch the Java Control Panel
      5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
      6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.


      Monday, October 14, 2024

      Mozilla Firefox Version 131.0.3 Released with Updates

         Mozilla sent Firefox Version 131.0.3 to the Release Channel.

      Fixed

      • Fixed an issue where some users could not access the Bill Pay portion of their bank's site. (Bug 1923500).
      • Fixed an issue where some VR180 and 360 videos were not properly rendering on YouTube. (Bug 1922278).
      • Fixed a crash that Windows users with Avast or AVG security software were experiencing when visiting certain sites. (Bug 1919678).
      • Fixed an issue where the "List all tabs" button was not able to be moved from the toolbar. (Bug 1918681).

      Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox".  Mac users need to select "About Firefox" from the Firefox menu.  For non-English versions, Fully Localized Versions are available for download.

      Release Notes



      Wednesday, October 09, 2024

      Pale Moon Version 33.4.0.1 Released

      Pale Moon has been updated to version 33.4.0.1.  This is a small update to address two important issues.

      Changes/fixes:

      • Extension compatibility issues with the ghostbuster (leading to tab handling problems).
      • Windows 7 compatibility issues in 32-bit builds on some systems (leading to application UI paint failures/black window).

      Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

      Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

      Release Notes
      Release Cycle


      Mozilla Firefox Version 131.0.2 Released with a Critical Security Update

      Mozilla sent Firefox Version 131.0.2 to the release channel.  Firefox ESR versions were updated to ESR 128.3.1 and ESR 115.16.1.

      The update includes one (1) critical security update. The update is critical due to an attacker achieving code execution in the content process by exploiting a use-after-free in Animation timelines. There are reports of this vulnerability being exploited in the wild. 

      Critical

      #CVE-2024-9680: Use-after-free in Animation timeline

      Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


      Tuesday, October 08, 2024

      Microsoft October 2024 Security Updates

       

      The Microsoft September 2024 security updates have been released and consist of 117 new patches to Microsoft products.


      Of the Microsoft CVEs released, 3 are rated critical, 115 important, and 2 moderate in security. At the time of release, five of the CVEs are listed as being publicly known and two are listed as under active attack.

      The security updates apply to the following products, features and roles: Windows and Windows Components; Office and Office Components; Azure; .NET and Visual Studio; OpenSSH for Windows; Power BI; Windows Hyper-V; and Windows Mobile Broadband.

      See the list of KBs at the bottom of the page at October 2024 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, Version 24H2 see KB5044284, Version 21H2, see KB5044280.  For Windows 10, Versions 22H2 and 21H2, see KB5043273 (OS Builds 19044.4894 and 19045.4894).

      Recommended Reading:   See Dustin Childs review and analysis in Zero Day Initiative -- The September 2024 Security Update Review.


      Pale Moon Version 33.4.0 Released with Security Updates

      Pale Moon has been updated to version 33.4.0.  This is a development and security update.

      Changes/fixes:

      • Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes.
      • Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
      • Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
      • Improved buildability on NetBSD and Altivec architectures.
      • Fixed building issues on Apple Silicon Mac with XCode 16.
      • Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
      • Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
      • Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
      • Dev: Implemented ES2023 Hashbang grammar proposal.
      • Fixed an issue with JavaScript's StructuredClone.
      • Security issues addressed: CVE-2024-9396.
      • Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed).

      Implementation notes:

      • When very complex "modern" websites get closed by the user, it is possible that the browser is unable to properly release all the resources attached to it, especially those resources, modules and scripts that were part of Shadow DOM or complex interlinked module scripts. This can then result in "detached" web content and scripts that continue to use memory, have active event listeners and loaded scripts. Mainstream browsers are less affected by this as their multi-process setups will effectively "throw the baby out with the bath water" by simply killing the relevant content process. Since we don't have that luxury of a lazy solution to an architectural problem, we need to handle these so-called "ghost windows" resulting from this problem internally without restarting the browser process. This version of Pale Moon introduces the "ghostbuster" concept to try and address this: an automated, internal mechanism that periodically checks for the existence of ghost windows and severs links of them, so that garbage/cycle collection can come in afterwards and release the resources, hopefully preventing browser slowdowns and inflated memory usage over time. If this, for some reason, causes issues for you, you can disable the ghostbuster by setting the preference browser.ghostbuster.enabled to false. Also please report (in detail) on the forum about the issue you're having if flipping this preference to false resolves it, so we can look into improving this new feature.
      • By user request, primarily for advanced power users who need this for their local setups, 2 new preferences were introduced to control how the browser deals with same-origin and CORS.
        • security.same_origin_policy.enabled, when set to false, will completely disable checking if scripts are allowed to be loaded based on the same-origin policy. Security warning: this is a really bad idea on the open web and you should never blanket disable the Same-Origin Policy check in a web browser for normal use.
        • content.cors.bypass_preflight_request, when set to true, will no longer send CORS preflight requests or check preflight responses and always allow cross-origin requests. Note that this kind of request is normally only made if sending a request to a server might result in data changes server-side (e.g. POST). This preference only does something when CORS is already disabled; provided primarily for specific corner cases where CORS is disabled and preflight checks (providing an extra safety net for server data) need to be shut off too.
        There are dragons hiding in these two preferences. Please handle them responsibly.
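A quick way to check whether either of the two preferences above has been switched to its unsafe value in a profile, as an added example (not code from Pale Moon or from this blog). It assumes the profile stores preferences as Mozilla-style `user_pref("name", value);` lines in prefs.js, with an optional user.js that overrides them; the sample file contents are constructed.

```python
import re

# Preferences named in the implementation notes above, mapped to the value
# that switches the corresponding protection off.
RISKY_VALUES = {
    "security.same_origin_policy.enabled": False,
    "content.cors.bypass_preflight_request": True,
}

# Assumed Mozilla-style pref line: user_pref("name", value);
# Anchoring on user_pref at line start means commented-out lines never match.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_value(raw):
    """Convert the raw value text of a pref line to bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')


def parse_prefs(text):
    """Return {name: value} for every pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit(prefs_js, user_js=""):
    """Return [(name, value)] for each risky preference set to its unsafe value.

    user_js is applied on top of prefs_js (assumption: user.js overrides
    prefs.js at startup, as in other Mozilla-derived browsers).
    """
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    findings = []
    for name, unsafe in RISKY_VALUES.items():
        if name in effective and effective[name] is unsafe:
            findings.append((name, effective[name]))
    return findings


# Constructed sample profile contents, for illustration only.
SAMPLE_PREFS_JS = """// Mozilla User Preferences (constructed sample)
user_pref("browser.ghostbuster.enabled", false);
user_pref("security.same_origin_policy.enabled", false);
// user_pref("content.cors.bypass_preflight_request", true);
user_pref("browser.startup.homepage", "about:home");
"""
SAMPLE_USER_JS = """user_pref("content.cors.bypass_preflight_request", true);
"""

if __name__ == "__main__":
    for name, value in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"unsafe preference: {name} = {str(value).lower()}")
```

To check a real profile, read its prefs.js and user.js into strings and pass them to `audit()`.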

      *DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

      **Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

      Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

      Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

      Release Notes
      Release Cycle

