Daily Archives: December 8, 2015

December 2015 Security Updates Summary

Today Microsoft released it’s final scheduled collection of security bulletins for 2015. There are 12 bulletins in total addressing 71 security issues more formally known as CVEs (defined)(only 58 of those are unique CVEs since some updates address the same issue within different updates).

The Security Bulletin Summary at this time does not list any Known Issues. An excellent additional source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered.

Adobe issued updates to Flash Player and Adobe AIR, its application runtime to resolve a record number of 79 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this); this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

I would recommend installing the update to Adobe Flash Player first if you make use of this web browser plugin. Their update addresses 79 critical security issues which may be exploited by exploit kits (defined) within a short timeframe. In addition, it has been a very eventful year for Adobe with a record number of security issues patched making this update even more important to install.

With regards to prioritizing Microsoft’s updates I would recommend installing the Windows Kernel update first since it addresses a zero day (defined) vulnerability. Next install the updates for Internet Explorer, Microsoft Edge Microsoft Office, JScript and VBScript, Windows DNS, Windows Graphics Component, Silverlight and Microsoft Uniscribe due to their critical severities. You can then install any remaining applicable updates. The DNS, Internet Explorer, Edge and Office updates will be of particular importance to large organizations due to the prevalence of this software.

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Google Releases Security Update for Chrome

Earlier today Google released an update for Google Chrome bringing it to version 47.0.2526.80. This update addresses 7 security issues, 4 of which have been assigned CVE numbers. Security issues are more formally known as CVEs (defined)). The severity levels of these issues are detailed below:

  • 2x high severity
  • 1x medium severity
  • 4x remaining issues uncategorized

This update also updates the built-in Adobe Flash Player to 20.0.0.228.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in a blog post. If you use Google Chrome as your web browser, please consider updating it as soon as possible. Thank you.

Python 3.5.1 and 2.7.11 Released

Last weekend the Python Foundation made available Python 2.7.11. Yesterday they also made available Python 3.5.1 (and a release candidate for 3.4.4).

=======================
The noteworthy changes in these updates are as follows:

For version 3.5.1, the following issues are resolved:

  • 1x buffer overead
  • 1x overflow in _Unpickler_Read (not a typo)
  • 2x memory leaks in SSLSocket.getpeercer()
  • SSLv3 is disabled by default when ssl.SSLContext

For version 2.7.11, the following issues are resolved:

  • 6x buffer overreads
  • 1x issue reading from a buffer
  • 1x buffer overflow
  • 1x integer overflow
  • 1x use after free (defined) issue
  • OpenSSL upgraded from 1.0.2a to 1.0.2d (which resolves 7 CVEs (defined))
  • SSLv3 is disabled by default when ssl.SSLContext

=======================

The full changelogs are available at the following links:

Version 3.5.1
Version 2.7.11

As before, while the above versions resolve buffer overflows, use-after-free bugs etc. these bugs have not been assigned CVE numbers and are not explicitly reported as security vulnerabilities in these changelogs, it is still best practice to patch these bugs if you are using an affected version of Python. My note above concerning CVEs within OpenSSL originated from OpenSSL’s release rotes for version 1.0.2.

An application on my computer uses Python 2.7 and it continues to work with the 2.7.11 release. If you have an older release of Python installed e.g. 3.4.3 or older, please consider upgrading to the most recent 3.5.0 update to benefit from the above mentioned fixes.

Advice on porting (adapting) older Python code to newer releases is available here and here.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.