Today Microsoft released updates to resolve 63 vulnerabilities (more formally known as CVEs).
This month also brings a new set of vulnerabilities affecting only Intel CPUs. I detail these more thoroughly in a separate post; however, high-level details are provided below.
Compared to previous months' updates, these have a smaller list of known issues (most of which have workarounds). Links to the relevant knowledge base (KB) articles are provided below:
Adobe also released updates for the following products:
- Adobe Acrobat and Reader DC (priority 2, 2x CVEs)
- Adobe Creative Cloud Desktop (priority 3, 1x CVE)
- Adobe Experience Manager (priority 2, 3x CVEs)
- Adobe Flash (priority 2, 5x CVEs)
As always, if you use any of the above Adobe software, please update it as soon as possible, especially in the case of Flash and Acrobat DC/Reader DC. Updates for Google Chrome will be available shortly, either via a browser update or their component updater.
Please also review the out-of-band updates for Photoshop CC and Creative Cloud Desktop and apply them if you use these products.
You can monitor the availability of security updates for most of your software from the following websites (among others) or use one of the utilities presented on this page:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update-related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer-run website by donating.
For this month’s Microsoft updates, I would prioritize installation in the following order:
- Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)
- Windows Font Library
- Malicious LNK File
- Foreshadow (L1TF) vulnerabilities: these allow information disclosure via speculative execution and are only exploitable locally (rather than remotely). These vulnerabilities may allow one virtual machine to improperly access information from another. More details are in my dedicated blog post.
Please install the remaining updates at your earliest convenience.
As usual, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.
Please find below summaries of other notable updates released this month.
Nvidia GeForce Experience Software:
In late August, Nvidia released a security advisory for their GeForce Experience software for Windows. This update resolves 3 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be obtained from here.
On the final day of August, VideoLAN made available VLC 3.0.4. This appears to be a security update for Apple macOS due to the following entry within the release notes (however, it is unclear if this overflow is exploitable by an attacker):
* Fix head buffer overflow on macOS with some fonts
For Linux and Windows, this version fixes numerous non-security issues. Please update to version 3.0.4 to benefit from these improvements.
Wireshark 2.4.9 and 2.6.3
v2.4.9: 3 security advisories
v2.6.3: 3 security advisories
As per standard process, Linux distributions can obtain this update using the operating system's standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v2.6.3 or v2.4.9)). This forum thread and this forum thread may also be helpful to you when installing Wireshark on your Linux-based system.
For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
In late August, WinSCP version 5.13.1 was released, upgrading its embedded OpenSSL version to 1.0.2p (which addresses 2x low severity CVEs (Link1 and Link2)).
On 12th June and 16th April 2018, the OpenSSL Foundation issued 2 updates for OpenSSL to address 2x low severity security vulnerabilities, as detailed in these security advisories (Link1 and Link2). To resolve these issues, please update your OpenSSL installations to 1.1.0i (released 14th August) or 1.0.2o (released 14th August) (as appropriate).
FTP mirrors to obtain the necessary downloads are available from here.
Downloadable tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
VMware issued two security advisories for the following products during August:
Security advisory 1 (addresses 1 vulnerability of Important severity):
- VMware Horizon 6
- VMware Horizon 7
- VMware Horizon Client for Windows
- VMware Horizon View Agent
- VMware Horizon Agents Installer (HAI)
Security advisory 2 (addresses 1 vulnerability of Critical severity):
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro, Fusion (Fusion)
If you use the above VMware products, please review the security advisories and apply the necessary updates.