Daily Archives: March 8, 2016

March 2016 Security Updates Summary

Today is Microsoft’s Update Tuesday. Adobe have also released updates for Adobe Acrobat, Adobe Reader and Adobe Digital Editions (Adobe Flash was not updated today; more details on this below).

Similar to last month there are 13 Microsoft security bulletins resolving 44 security issues more formally known as CVEs (defined).

At the time of writing Microsoft’s Security Bulletin Summary does not list any Known issues for the security bulletins made available today. An alternative source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered. No issues are listed at the time of writing.

Adobe’s updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI address 3 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin. An update for Adobe Digital Editions was also made available resolving 1 critical CVE.

If you use any of Adobe’s PDF applications mentioned above or Adobe Digital Editions, please follow the above product links to the appropriate security bulletins and apply the necessary updates.

As mentioned in January; Adobe no longer supports Acrobat X and Adobe Reader X. They did not receive any updates within that bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

=======================
Update: 10th March 2016:
Earlier today Adobe published an updated version of Flash Player bringing it to version 21.0.0.182. This update resolves 23 security issues (all have been assigned CVEs). Adobe AIR, their application runtime was also updated to version 21.0.0.176 within the same bulletin.

Please follow the above Adobe Flash Player bulletin link and apply the necessary updates as soon as possible due to the severity of the issues the Flash update addresses and since one issue, an integer overflow (defined) vulnerability CVE-2016-1010 is being exploited in targeted attacks.

Thank you.
=======================

Adobe within their PSIRT blog post mentioned that a security update for Flash Player will be available in the coming days. No reason(s) for the delay was/were given. Wolfgang Kandek of Qualys in a blog post makes educated guesses as to what may be the cause for the delay. I will update this post when the updates become available.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with the deployment of Microsoft’s security updates I would recommend prioritising them as follows: Internet Explorer, Microsoft Edge, Windows Graphics Fonts, Windows PDF Library and Windows Media (in this order) due to their critical severities and widespread use.

As always you can then install any remaining applicable updates beginning this round of updates with the Windows USB Mass Storage Class Driver Security update (more info here) due to it’s ease of exploitation and the level of access it can allow an attacker to obtain. Next I would recommend the Kernel Mode Drivers update and Microsoft Office update since exploitation of these vulnerabilities is listed as more likely in the Security Bulletin Summary.

One final security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Mozilla Releases Firefox 45 and Firefox ESR 38.7

Earlier today Mozilla made available their scheduled security updates for Firefox and Firefox ESR (Extended Support Release) bringing them to versions 45 and 38.7 respectively.

Firefox 45 resolves 40 security issues more formally known as CVEs (defined). Individually the severity of these issues are as follows:

====================
22x critical severity CVEs
7x high severity CVEs
10x moderate severity CVEs
1x low severity CVE
====================

Moreover; Firefox ESR 38.7 resolves 30 security issues:
====================
22x critical severity CVEs
4x high severity CVEs and 1 high severity issue (not assigned a CVE)
2x moderate CVEs
1x low severity CVE
====================

Full details of the security issues resolved by these updates are available in the following links:

Firefox 45
Firefox ESR 38.7

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

Generally, Mozilla Firefox updates install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.