Daily Archives: April 13, 2016

Google Releases Chrome Version 50

Earlier today Google made available a security update for Google Chrome bringing it to version 50.0.2661.75. This update includes fixes for 20 security issues described/categorized below:

  • 2x high severity CVEs (defined; this definition also explains that 1 CVE doesn’t necessarily equal 1 issue)
  • 5x medium severity CVEs
  • 1x low severity CVE
  • 1x remaining CVE assigned to multiple uncategorized issues

Details of further security issues addressed are provided in Google’s blog post.

=======================
Update: 16th April 2016:
If at any time the Flash Player within your installation of Google Chrome does not update, you can use the tip in this ComputerWorld article to update it manually. It describes how to manually use Google’s Component Updater to easily update Flash Player. This tip works for Apple Mac OS X, Google Chrome OS and Windows.

I hope this helps. Thank you.

=======================

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

If you use Google Chrome as your web browser, please consider updating it as soon as possible to be protected from these security vulnerabilities. Thank you.

April 2016 Security Updates Summary

Yesterday as scheduled Microsoft and Adobe made available their monthly security updates.

Microsoft’s updates consist of 13 security bulletins one of which relates to last week’s Adobe Flash Player update (more details below). These bulletins resolve 30 vulnerabilities more formally known as CVEs (defined).

Just like last month, at the time of writing Microsoft’s Security Bulletin Summary does not list any Known Issues for the security bulletins made available today. An alternative source for information on Known Issues is the IT Pro Patch Tuesday blog, which is usually updated shortly after the release of the updates if any issues are encountered. Again, no issues are listed at the time of writing. These are welcome signs when there are a large number of updates to install.

One of the Microsoft bulletins relates to the Adobe Flash Player update that was made available for non-Windows 8.1 and Windows 10 users last week. Further details are available in my blog post. That update resolves 24 security issues including 1x zero day (defined) vulnerability. Yesterday, Adobe also released security updates for the Creative Cloud Desktop Application and RoboHelp Server, each resolving an important severity vulnerability listed as priority 2 by Adobe.

If you use any of the above Adobe applications, please follow the above product links to the appropriate security bulletins and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

In order to resolve the most severe vulnerabilities first, I will provide a prioritised list of the Microsoft updates below. However, before beginning the installation of these, please install the above mentioned Adobe Flash Player update (for Windows 8.1 and Windows 10 users) if you have not already done so.

Next, please install the Microsoft Graphics component update (it addresses 2x zero day (defined) vulnerabilities), followed by Internet Explorer, Microsoft Edge, Microsoft Office, XML Core Services and the Security Update for SAM and LSAD Remote Protocols (otherwise known as “Badlock”, discussed further in this post), due to their severities. You can then proceed to install all remaining applicable updates in an order of your choice.

One final security precaution that you may wish to take, if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.5), is to use it to protect yourself from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always, as a routine precaution, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Badlock: What You Need to Know

Yesterday as scheduled the Samba project and Microsoft made available their security updates to resolve the issue that was previously announced and named “Badlock.”

Why Should These Issues Be Considered Important?
While this issue is important (it affects a lot of Windows versions from Server 2008/Vista up to and including Windows Server 2016/Windows 10), its severity was exaggerated in its announcement last month. Microsoft have assigned it an important severity rather than critical. They have done so since it is an elevation of privilege (EoP) (defined) issue that would allow an attacker to increase their privileges (which would allow them to cause even more harm) once they have already exploited another vulnerability to become present on your device in the first instance.

This vulnerability could allow an attacker to listen to/analyse the traffic on your network; this technique is known as a man-in-the-middle attack (MITM, defined). If your login credentials happened to be within the traffic the attacker gathers and analyses, there is a possibility they could obtain the unencrypted username and password used to access your device/account upon that device (even though your sensitive information is encrypted). Further discussion of this issue is available here.

How Can I Protect Myself from These Issues?
Updates from the Samba project and Microsoft are available to resolve this security issue. Please download and install them as soon as possible if you are affected by this issue.

=======================
Update: 13th April 2016:
Further information and advice for mitigating the Badlock issue is provided by US CERT in this vulnerability note. The Samba project also discusses its updated software releases in this release news post.
=======================

While there are no known issues with these updates at this time, as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.