Earlier this month, Microsoft made available their usual monthly security updates. This month 53 vulnerabilities more formally known as CVEs (defined) were resolved.
Among these updates are further updates for Spectre NG vulnerabilities (also known as Speculative Store Bypass vulnerabilities) making them available for Windows Server 2008, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 in addition to last month’s updates. The vulnerability known as Lazy Floating Point (FP) was also addressed this month. Finally the Spectre 1.1. and Spectre 1.2 vulnerabilities will be discussed in a separate blog post.
This month’s Microsoft updates have a long list of Known Issues detailed in the knowledge base (KB) articles listed at the abovel ink (due to the length I won’t reproduce it here). At the time of writing some of these issues have begun to be addressed by further updates (Windows 7, Windows 8.1 and Windows 10) released by Microsoft. Others relating to the .Net Framework should be addressed soon.
This month also saw Adobe release an update (priority 2) for Adobe Acrobat DC and Reader DC which addresses 104x CVEs alone. The remaining updates made available this month were:
Adobe Connect (priority 2, 3x CVEs)
Adobe Experience Manager (priority 2, 3x CVEs)
Adobe Flash (priority 2, 2x CVEs)
For Flash, updates for Google Chrome (not a separate update but via its component updater), Microsoft Edge and Internet Explorer were made available. As always if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash and Acrobat DC/Reader DC.
As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))(a previous update from May may need a further non-security fix)
Microsoft PowerShell Editor Services
Please install the remaining updates at your earliest convenience.
As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.
Please find below summaries of other notable updates released this month.
Oracle issued updates to resolve a monthly record of 334 vulnerabilities. Further details and installation steps are available here. 8 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).
If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
In early July released a group of updates to resolve a large number of vulnerabilities:
Wi-Fi Updates for Boot Camp 6.4.0: Addresses 3x vulnerabilities
Apple iOS 11.4.1: Addresses 22x vulnerabilities
Apple tvOS 11.4.1: Addresses 18x vulnerabilities
Apple watchOS 4.3.2: Addresses 14x vulnerabilities
macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan: Addresses 12x vulnerabilities (also resolves the Intel Lazy FP vulnerability)
Apple Safari 11.1.2: Resolves 16x CVEs
Apple iCloud 7.6 for Windows: Resolves 14x CVEs
Apple iTunes 12.8 for Windows: Resolves 14x CVEs
Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.
As always; further details of these updates are available on Apple’s dedicated security updates page.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).
Google released Google Chrome version 68.0.3440.75 to address 42 vulnerabilities. This version also marks all HTTP sites as “not secure.” This Google blog post discusses the change in more detail and this migration guide will be of assistance to website owners in migrating to HTTPS.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
Wireshark 2.4.8 and 2.6.2
v2.4.8: 10 security advisories
v2.6.2: 9 security advisories
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.2) or v2.4.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.
For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.