Tuesday, April 16, 2024

Oracle Java Critical Security Update Released

Oracle released the scheduled update for its Java SE Runtime Environment software.  This is a bugfix and critical security update.  

This Critical Patch Update contains thirteen new security patches, plus additional third-party patches noted in the security risk matrix linked below for Oracle Java SE.  Ten of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  

Download Information:  

Java SE Runtime Environment Version 8u411: https://java.com/en/download/manual.jsp

Java Security Recommendations

1) If Java is still installed on your computer, it is recommended that all updates be applied as soon as possible and older, less secure versions uninstalled.  See Why should I uninstall older versions of Java from my system?
2) In the Java Control Panel, at minimum, set the security to high.
3) Keep Java disabled until needed.  Uncheck the box "Enable Java content in the browser" in the Java Control Panel.

Notes:

  • Uncheck any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.  Preferably, see the instructions below on how to handle "Unwanted Extras".  
  • Oracle does not plan to migrate desktops from Java 8 to Java 9 through the auto update feature.  Therefore, it is strongly recommended that you uninstall JRE 8 prior to updating.
  • Verify your version:  http://www.java.com/en/download/testjava.jsp  Note: The Java version verification page will only work if your browser has NPAPI support.  If it does not, check the version from a command prompt instead: open a cmd window and enter the following (note the space following java):  java -version
  • Important: The Edge browser does not support plug-ins.  In the event you still have a need for Java, it will be necessary to use Firefox.

Patch Schedule

For Oracle Java SE, the next scheduled update is July 16, 2024.  The planned release schedule is available here.

Unwanted "Extras"

Although most people do not need Java on their computer, there are some programs and games that require Java.  In the event you need to continue using Java, How-To Geek discovered a little-known and rarely publicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras that Oracle has long included with the updates.  Although the Ask Toolbar has been removed, that does not preclude a pre-checked option for some other unnecessary add-on.

Do the following to suppress the sponsor offers:
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.
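The recommendations above come down to three checks on a Windows machine: which Java runtime is actually on the PATH and whether it is older than 8u411, which Java products are still registered in Add/Remove Programs (the older copies to uninstall), and whether the Java Control Panel settings (security level, "Enable Java content in the browser", "Suppress sponsor offers") are set the way the post recommends.  The following PowerShell script is an added example, not code from the original post or from Oracle; it assumes the "java version "1.8.0_411"" output format of Java 8, the per-user deployment.properties file under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment, and the key names deployment.security.level, deployment.webjava.enabled and install.disable.sponsor.offers as documented for that file (verify them against your own deployment.properties if they differ).

```powershell
# Added example (not from the original post): audit a Windows machine against
# the Java recommendations above.  Assumptions are noted inline.

$ExpectedUpdate = 411   # Java SE 8 Update 411, the release named in the post

function Get-JavaVersionOnPath {
    $java = Get-Command java -ErrorAction SilentlyContinue
    if (-not $java) { return $null }
    # java -version writes to stderr; 2>&1 merges it so we can parse it
    $text = (& $java.Source -version 2>&1 | ForEach-Object { "$_" }) -join "`n"
    $first = $text.Split("`n")[0]
    # Java 8 reports "1.8.0_411"; Java 9+ reports "17.0.10" style and is left unparsed
    if ($text -match 'version "(\d+)\.(\d+)\.(\d+)_(\d+)') {
        return [pscustomobject]@{
            Path = $java.Source; Major = [int]$Matches[1]; Minor = [int]$Matches[2]
            Update = [int]$Matches[4]; Raw = $first
        }
    }
    return [pscustomobject]@{ Path = $java.Source; Major = $null; Minor = $null; Update = $null; Raw = $first }
}

function Get-InstalledJavaProducts {
    # Every Oracle Java product registered in Add/Remove Programs (32- and 64-bit views)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.Publisher -like 'Oracle*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Get-JavaDeploymentSettings {
    # Per-user settings written by the Java Control Panel.  File path and key
    # names are assumed from the deployment.properties documentation.
    $file = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $file)) { return $null }
    $props = @{}
    Get-Content $file | Where-Object { $_ -match '^\s*[^#].*=' } | ForEach-Object {
        $key, $val = $_ -split '=', 2
        $props[$key.Trim()] = $val.Trim()
    }
    [pscustomobject]@{
        SecurityLevel         = $props['deployment.security.level']        # post recommends HIGH (or VERY_HIGH)
        BrowserJavaEnabled    = $props['deployment.webjava.enabled']       # post recommends false
        SponsorOffersDisabled = $props['install.disable.sponsor.offers']   # post recommends true
    }
}

$v = Get-JavaVersionOnPath
if (-not $v) {
    Write-Output 'No java.exe on PATH.'
} elseif ($v.Major -eq 1 -and $v.Minor -eq 8 -and $v.Update -lt $ExpectedUpdate) {
    Write-Output "OUTDATED: $($v.Raw) at $($v.Path); update to 8u$ExpectedUpdate."
} else {
    Write-Output "Found: $($v.Raw) at $($v.Path)"
}

Write-Output "Registered Java products (uninstall any older than 8u$ExpectedUpdate):"
Get-InstalledJavaProducts | Format-Table -AutoSize

Write-Output 'Java Control Panel settings from deployment.properties:'
Get-JavaDeploymentSettings | Format-List
```

Run it in a normal (non-elevated) PowerShell session as the user whose Java settings you want to inspect, since deployment.properties is per user; the registry part reads HKLM and needs no elevation.  A machine with several Java entries in the product list, or with a PATH runtime older than 8u411, is exactly the case the post's first recommendation is about.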

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Mozilla Firefox Version 125.0.1 Released with Security Updates

Mozilla sent Firefox Version 125.0.1 to the release channel.  Firefox ESR was updated to Version 115.9.1.

The update includes fifteen security updates of which nine (9) are rated high, five (5) are rated moderate, and one (1) is rated low.

High

  • CVE-2024-3852: GetBoundName in the JIT returned the wrong object
  • CVE-2024-3853: Use-after-free if garbage collection runs during realm initialization
  • CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement
  • CVE-2024-3855: Incorrect JIT optimization of MSubstr leads to out-of-bounds read
  • CVE-2024-3856: Use-after-free in WASM garbage collection
  • CVE-2024-3857: Incorrect JITting of arguments led to use-after-free during garbage collection
  • CVE-2024-3858: Corrupt pointer dereference in js::CheckTracedThing<js::Shape>
  • CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10
  • CVE-2024-3865: Memory safety bugs fixed in Firefox 125



Moderate

  • CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
  • CVE-2024-3860: Crash when tracing empty shape lists
  • CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move
  • CVE-2024-3862: Potential use of uninitialized memory in MarkStack assignment operator on self-assignment
  • CVE-2024-3863: Download Protections were bypassed by .xrm-ms files on Windows


Low

  • CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames


New

  • Firefox now supports the AV1 codec for Encrypted Media Extensions (EME), enabling higher-quality playback from video streaming providers.
  • The Firefox PDF viewer now supports text highlighting.
  • Firefox View now displays pinned tabs in the Open tabs section. Tab indicators have also been added to Open tabs, so users can do things like see which tabs are playing media and quickly mute or unmute across windows. Indicators were also added for bookmarks, tabs with notifications, and more!
  • Firefox now prompts users in the US and Canada to save their addresses upon submitting an address form, allowing Firefox to autofill stored address information in the future.
  • Firefox now more proactively blocks downloads from URLs that are considered to be potentially untrustworthy.
  • The URL Paste Suggestion feature provides a convenient way for users to quickly visit URLs copied to the clipboard in the address bar of Firefox. When the clipboard contains a URL and the URL bar is focused, an autocomplete result appears automatically. Activating the clipboard suggestion will navigate the user to the URL with 1 click.
  • Users of tab-specific Container add-ons can now search in the Address Bar for tabs that are open in different containers. Special thanks to volunteer contributor atararx for kicking off the work on this feature!
  • Firefox now provides an option to enable Web Proxy Auto-Discovery (WPAD) while configured to use system proxy settings.

Changed

  • In a group of radio buttons where no option is selected, the tab key now only reaches the first option rather than cycling through all available options. The arrow keys navigate between options as they do when there is a selected option. This makes keyboard navigation more efficient and consistent.

Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.


Tuesday, April 09, 2024

Microsoft April 2024 Security Updates


The Microsoft April 2024 security updates have been released and consist of 147 new patches to Microsoft products. In addition, 8 third-party CVEs are documented, bringing the total number of CVEs reported to 155.


Of the Microsoft CVEs released, 3 are rated critical, 142 are rated important and 2 are rated moderate in severity.  At the time of release, none of the CVEs are listed as being publicly known or under active attack.

The security updates apply to the following products, features and roles: Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; BitLocker; and Windows Secure Boot.

See the list of KBs at the bottom of the page at April 2024 Security Updates - Release Notes - Security Update Guide - Microsoft for information regarding known issues with the security updates as well as the CVEs with FAQs, Mitigations and/or Workarounds. For specific information on Windows 11, versions 23H2 and 22H2, see KB5036893.  For Windows 10, Version 22H2 see KB5036892.
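The paragraph above names the cumulative update for each current Windows release (KB5036893 for Windows 11 23H2 and 22H2, KB5036892 for Windows 10 22H2).  The PowerShell script below is an added example, not part of the original post or of Microsoft's guidance, that reads the local release from the registry, looks up the KB the post lists for it, and asks Get-HotFix whether that KB is installed.  The build-to-KB table contains only the two KBs the post gives; the reported UBR (build revision) is printed so it can be compared by hand against the release notes, since the post does not state a target build number.

```powershell
# Added example (not from the original post): is the April 2024 cumulative
# update named above installed on this machine?

# Only the KBs the post lists; other releases report "no KB listed".
$ExpectedKb = @{
    'Windows 11|23H2' = 'KB5036893'
    'Windows 11|22H2' = 'KB5036893'
    'Windows 10|22H2' = 'KB5036892'
}

function Get-WindowsRelease {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # ProductName still says "Windows 10" on Windows 11, so go by build number
    $product = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }
    # DisplayVersion (e.g. 23H2) exists on 20H2 and later; older builds have ReleaseId
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [pscustomobject]@{ Product = $product; Release = $release; Build = "$build.$($cv.UBR)" }
}

function Test-AprilUpdateInstalled {
    $os = Get-WindowsRelease
    $kb = $ExpectedKb["$($os.Product)|$($os.Release)"]
    if (-not $kb) {
        return "No KB listed in this post for $($os.Product) $($os.Release) (build $($os.Build))."
    }
    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates appear there by KB id
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) {
        return "$kb installed on $($hotfix.InstalledOn) ($($os.Product) $($os.Release), build $($os.Build))."
    }
    return "$kb NOT found; $($os.Product) $($os.Release) build $($os.Build) may still need the April 2024 update."
}

Test-AprilUpdateInstalled
```

Get-HotFix occasionally lags or omits entries, so treat a "NOT found" result as a prompt to compare the printed build revision with the one in the release notes (winver shows the same value) rather than as proof the update is missing.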

Recommended Reading:   See Dustin Childs' review and analysis in Zero Day Initiative -- The April 2024 Security Update Review.

Additional Update Notes:

