March 2016 Security Updates Summary

Today is Microsoft’s Update Tuesday. Adobe have also released updates for Adobe Acrobat, Adobe Reader and Adobe Digital Editions (Adobe Flash was not updated today; more details on this below).

Similar to last month there are 13 Microsoft security bulletins resolving 44 security issues more formally known as CVEs (defined).

At the time of writing Microsoft’s Security Bulletin Summary does not list any Known issues for the security bulletins made available today. An alternative source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered. No issues are listed at the time of writing.

Adobe’s updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI address 3 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin. An update for Adobe Digital Editions was also made available resolving 1 critical CVE.

If you use any of Adobe’s PDF applications mentioned above or Adobe Digital Editions, please follow the above product links to the appropriate security bulletins and apply the necessary updates.

As mentioned in January; Adobe no longer supports Acrobat X and Adobe Reader X. They did not receive any updates within that bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

=======================
Update: 10th March 2016:
Earlier today Adobe published an updated version of Flash Player bringing it to version 21.0.0.182. This update resolves 23 security issues (all have been assigned CVEs). Adobe AIR, their application runtime was also updated to version 21.0.0.176 within the same bulletin.

Please follow the above Adobe Flash Player bulletin link and apply the necessary updates as soon as possible due to the severity of the issues the Flash update addresses and since one issue, an integer overflow (defined) vulnerability CVE-2016-1010 is being exploited in targeted attacks.

Thank you.
=======================

Adobe within their PSIRT blog post mentioned that a security update for Flash Player will be available in the coming days. No reason(s) for the delay was/were given. Wolfgang Kandek of Qualys in a blog post makes educated guesses as to what may be the cause for the delay. I will update this post when the updates become available.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with the deployment of Microsoft’s security updates I would recommend prioritising them as follows: Internet Explorer, Microsoft Edge, Windows Graphics Fonts, Windows PDF Library and Windows Media (in this order) due to their critical severities and widespread use.

As always you can then install any remaining applicable updates beginning this round of updates with the Windows USB Mass Storage Class Driver Security update (more info here) due to it’s ease of exploitation and the level of access it can allow an attacker to obtain. Next I would recommend the Kernel Mode Drivers update and Microsoft Office update since exploitation of these vulnerabilities is listed as more likely in the Security Bulletin Summary.

One final security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s