Category Archives: Security Vulnerabilities

Posts that discuss security vulnerabilities (for both software and hardware) and how best to respond to them.

Adobe Flash Player 2020 Update Tracker

As I have done in previous years this post will track the number of vulnerabilities patched within Adobe Flash for 2020. This will be the last year of tracking these numbers since Flash Player is due to be decommissioned at the end of 2020. The major browsers are taking slightly different approaches to the phase out but the result will be the same (FAQ: Flash Player Deprecation).

As you know, this post will be updated throughout the year with the details of vulnerabilities being patched and if they are being exploited in the wild.

Thank you.

=======================
14th January 2020: Adobe did not release any Adobe Flash updates this month.

11th February 2020: Adobe releases Flash Player v32.0.0.330 to resolve 1x critical priority 2 vulnerability.

=======================
Update: 19th February 2020: The timeline was created to include the Adobe Flash Player update for February 2020 and to record not updates were issued in January. At the time of writing no exploits for this critical vulnerability disclosed in February are known to be taking place.

February 2020 Update Summary

Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).

Let’s start with Adobe’s patches first:
====================
Adobe
====================
Adobe Acrobat and Reader: 17x Priority 2 CVEs resolved (12x Critical, 3x Important, 2x Moderate severity)

Adobe Digital Editions:  2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)

Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)

Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
====================

Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767

Internet Explorer: CVE-2020-0674 (this was  the zero day (defined) vulnerability reported last month).

Microsoft Edge Chromium:  ADV200002

Windows Shell (LNK): CVE-2020-0729

Windows Remote Desktop Client: CVE-2020-0681 , CVE-2020-0734

Windows Hyper-V: CVE-2020-0662

Windows Media Foundation: CVE-2020-0738

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Earlier this month Mozilla released Firefox 73 and Firefox ESR  (Extended Support Release) 68.5 to address the following vulnerabilities:

Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs

Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs

Firefox 73 brings the following minor features listed below:

  1. A global zoom level configured from the settings menu
  2. Opt-in notification when the use of virtual reality is being requested
  3. A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.

Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Realtek Audio/Sound Card Drivers
====================
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.

This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.

If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 1.0.0.8856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.

Vulnerability Within Philips Hue IoT Devices Disclosed

====================
TL;DR
If you use Philips Hue lightbulbs and/or the Philip Hue bridge, please make certain they are using the most recent firmware available.
====================

While the technological benefits and added convenience of Internet of Things (IoT) (defined) devices are well known, their increasing functionality/complexity is leading security researchers to target them. A recent example is the high severity vulnerability reported to Signify (owner of the Philips brand) within the Philip Hue bulbs and bridge. The vulnerability has been designated CVE-2020-6007 (defined)

How severe is this vulnerability?
While this vulnerability is of high severity it requires significant user interaction and would also require that the affected Philips Hue lightbulb be already compromised by an attacker by installing malicious firmware on it. The Philips Hue app on the victim’s smartphone is used to controls the bulbs, the attacker could then convince the victim to remove and re-add the bulb to the app.

What is the result of exploiting this vulnerability?
While the compromised bulb is being added or “commissioned” the compromised firmware of the bulb is used to exploit the Philips Hue Bridge. Once complete the attacker can then laterally traverse (defined) the victim’s business or home network by exploiting known vulnerabilities of other devices on the network e.g. the Microsoft Windows EternalBlue vulnerability on a Windows system.

How can I protect my organisation or myself from this vulnerability?
If you use Philips Hue lighting with the Hue Bridge, please update both the lighting and bridge to the most recent firmware available. Version Firmware 1935144040 (Bridge V2) and Software version: 1.65.9_hB3217DF4 for lights and later address this vulnerability. Please also strongly consider placing IoT devices such as these on segmented networks e.g. guest wireless networks for WiFi devices and VLANs (defined) for wired devices.

In this instance, the Hue Bridge could be placed on a VLAN to increase security (namely if the device is exploited it cannot be used to traverse further into your network). However, this increased security may result in reduced functionality if not implemented correctly.

Thank you.

====================
References:

The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb
https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/

What are IoT devices?
https://news.sophos.com/en-us/2015/10/26/what-is-the-internet-of-things/

What is EternalBlue?
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

What is lateral movement (pivoting)?
https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html

What is a VLAN?
https://kb.netgear.com/24720/What-is-a-VLAN

How to isolate a VLAN containing IoT devices
https://community.ui.com/questions/HomeKit-on-Isolated-VLAN/2fd20346-59df-4662-9559-0ecac7ec83cb

Philip Hue Firmware Release Notes
https://www2.meethue.com/en-us/support/release-notes

Researchers Disclose New DMA Attacks

=====================
TL;DR
If you own an affected laptop from Dell (XPS 13 7390) or HP (ProBook 640 G4), please update its BIOS/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. For servers, keep operating systems and software up to date and enforce physical access control.

If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. A social engineer might also attempt to exploit this vulnerability using either a closed or open chassis attack.
=====================

=====================
Acknowledgements
My sincere thanks to Eclypsium researchers, Jesse Michael and Mickey Shkatov for their detailed walkthrough of their research within their referenced work (below). I have used this research to provide the extracts below supplementing my write-up of this work below.

=====================

In the second half of last week, security researchers from Eclypsium disclosed a vulnerability present within Dell and HP laptops (however it is likely other vendors are also affected). Servers (especially hosting cloud infrastructure are at increased risk due to the widespread availability of remote DMA (RDMA) (defined) enabled networks.

How serious is this vulnerability?
While the vulnerability is considered high severity due to its CVSS 3 base score of 7.6 (defined) (in the case of CVE-2019-18579 for Dell systems) an attempt to leverage the vulnerability would not be trivial (see also “How can an attacker exploit this vulnerability?” below).

What could an attacker do if they exploited this vulnerability?
According to the researchers “It can allow attackers to bypass hardware-based root-of-trust and chain-of-trust protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start and Microsoft Virtualization-Based Security with Device Guard”.

“an attacker can…extend control over the execution of the kernel itself,”. “This can allow an attacker to execute kernel code on the system, insert a wide variety of kernel implants and perform a host of additional activity such as spawning system shells or removing password requirements”.

How can an attacker exploit this vulnerability?
This vulnerability could be exploited remotely or locally. Let’s discuss the remote means first:

Remote attacks
An attacker would first have needed to compromise software within your system and then attempt to exploit the systems firmware (defined) e.g. the network interface card (NIC). The Eclypsium researchers also provide the following example:

“malware on a device could use a vulnerable driver to implant malicious firmware to a DMA capable device such as a NIC. That malicious code could then DMA back into memory during boot to get arbitrary code injection during the boot process. The fundamental ability of DMA attacks to shim attacker code into the boot process makes it useful for almost any type of attacker goal”.

Alternatively an attacker could use the Throwhammer exploit developed by VUSec to compromise a system by sending specifically crafted data packets to a target system. This results in bit flips within the target systems main memory providing an attacker with code execution for an application (which is remote to the attacker).

Local attacks
Closed chassis
The researchers demonstrated a closed chassis attack on a Dell XPS 13 7390 laptop. They did so by connecting to the Thunderbolt port of the laptop and performed a DMA code injection during the boot process of the system.

Separately the researchers were able to compromise a Dell laptop connected to a modified WiGig (information on WiGig) dock which was wirelessly connected to that dock. They were successful in “dump[ing] secrets out of the laptop remotely over the air. In this example the laptop was never touched by the attacker or physically connected to any device but was compromised remotely via DMA”.

Open chassis
Due to the presence of HP SureStart it was necessary for the attackers to open the case of the HP laptop they were testing namely a HP ProBook 640 G4 (which includes HP SureStart Gen4). Upon opening the chassis, they replaced the systems M.2 wireless card with a Xilinx SP605 FPGA development platform, they then performed the following:

“We were able to successfully attack the system and gain control over the device. By using DMA to modify the system RAM during the boot process, we gained arbitrary code execution, thus bypassing the HP Sure Start protections that verify BIOS code integrity before CPU execution starts”.

How can I protect myself or my organisation from this vulnerability?
If your organisation uses either of the affected laptops, please update their BIOS(defined)/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. The update for the Dell XPS 13 7390 laptop is referenced from within their security advisory.

Since an attacker would need to first compromise the software of your systems, please keep your software (especially web browsers, email clients, productivity software, document readers, virtualisation software and media players) and operating system up to date.

Be cautious with the links you click and when processing your email, don’t click on unknown/unexpected links and don’t open unexpected file attachments. While up to date software and operating systems for servers are equally important they are much less likely to be vulnerable to malicious links in emails, IM clients or drive by downloads since only authorised administrators should have access for maintenance/admin and not for day to day work activities.

Social engineers or malicious insiders may seek to exploit this vulnerability in person, verify the identity of any person before allowing them near your IT infrastructure especially in the case of servers. Lock laptops away when not in use. If employees need to leave laptops unattended, use Kensington locks (especially at locations other than your usual office) and consider the use of port blockers (Type C for Thunderbolt) for laptops and servers which will deter casual attackers or less determined thieves.

For servers (especially part of cloud infrastructure), your existing IT security policy should already include regular patching of servers, only having necessary applications and sufficient physical access control. Access control monitoring should also be in place to detect malicious insiders, while your incident management policy should contain how to respond in a timely and decisive manner.

Thank you.

=====================

Aside
While I have used the term “BIOS/firmware” above they are not the same thing. I have done this since the terms are often used interchangeably and I wish for users to still understand the intended meaning. For one user, they may understand updating their laptops firmware but not updating its BIOS and vice versa. My intention is for them to check the vendor website for such updates and if present, to install them.

At the time of writing the HP ProBook 640 G4 did not have a BIOS update available resolving this vulnerability. From the researchers work, the BIOS appears to be still in beta testing. Please regularly check with the HP website and apply the update when it is publicly available.

=====================

References
Eclypsium PDF Report:
https://eclypsium.com/wp-content/uploads/2020/01/DMA-Attacks-A-Walk-Down-Memory-Lane.pdf

Eclypsium Vulnerability Write Up:
https://eclypsium.com/2020/01/30/direct-memory-access-attacks/

Dell Security Advisory:
https://www.dell.com/support/article/SLN319808

=====================

Blog Post Shout-out: Potential for Ransomware to Leverage Windows EFS

Related to my previous post detailing my tests of anti-ransomware software that could compliment existing anti-malware software, I wish to provide a respectful shout-out to the following post from SafeBreach. It details their results testing a proof of concept of using the built-in Encrypting File System (EFS) capability of Windows in order to encrypt a victim’s files rather than writing their own means of doing so:

https://safebreach.com/Post/EFS-Ransomware

Please review the list of anti-malware and anti-ransomware solutions available within the SafeBreach post. If yours is not on the list, contact the vendor to ask if such a change will be added soon? If you are certain you will not being EFS, disable it using the Windows Registry (defined) changes suggested in their post.

Thank you.

Cable Modems Vulnerable to Cable Haunt Vulnerabilities

=====================
TL;DR
If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. If you use a cable modem for your internet connection, you should check if your modem is vulnerable and follow the step “What should I do” mentioned below.
=====================

In mid-January it was discovered the firmware (defined) of many internet service provider (ISP) modems (specifically combined modems and routers in the same device) was vulnerable to remote takeover by attackers. These vulnerabilities have been named Cable Haunt as an easier to remember reference.

How widespread are the affected modems?
At the least the following manufacturers are affected with up to 200 million vulnerable modems mainly based in Europe but other regions e.g. North America are also affected. Please see also the FAQ “Am I Affected” on the Cable Haunt website.

Arris
COMPAL
Netgear
Sagemcom
Technicolor

Other brands of modems confirmed by the wider community as being vulnerable are:

Cisco EPC3928AD
Cisco/Technicolor DPC3216
Humax HGB10R-02
SMC Electronics SMC D3-CCR-v2
Zoom 5370
Virgin Media’s Super Hub 3 and 4 do not appear to be vulnerable.

How serious are these vulnerabilities?
While the vulnerabilities are serious in their impact, namely complete remote compromise of the device, how an attacker could exploit the vulnerabilities to achieve that outcome is not trivial. As per the researchers:

“This could be exploited by an attacker if you visit a malicious website or if they embed the code, for instance in an advert, on a trusted website. It is important to point out that this is not the only attack vector that can be employed, vulnerable mail-clients, exploited IoT devices, public networks etc. are also viable attack vectors”.

Summary of the Technical Aspects of these vulnerabilities
The vulnerability designated formally as CVE-2019-19494 is a buffer overflow (defined) that if exploited could allow remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) with kernel level (defined) privileges by using JavaScript (defined) within your web browser. The buffer overflow can be exploited using (according to the researchers: “a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker”.

An important aspect of the above described exploit is that while the attack is a remote attack (using a victim’s web browser) it results in the local compromise of the modems spectrum analyser. Linked to this; a DNS re-bind attack (defined) can be used to enable an attacker the ability to access the compromised spectrum analyser. The result of the above exploits provides the attackers with (according to the researchers): “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,”. This capability could be used to:

  1. Intercept private messages
  2. Redirect traffic
  3. Add the modems to botnets
  4. Replace the devices firmware
  5. Instruct the device to ignore remote system updates (which could be used to patch the vulnerabilities, complicating the resolution of a compromised device by its legitimate owner/user)

How can I protect my organisation or myself from these vulnerabilities?\
For in-depth answers from the researchers to answer this question in the context of an internet service provider (ISP), the user of the modem (e.g. within a small business), as an individual or a security researcher, please see the question “What Should I do” on the dedicated Cable Haunt website:

https://cablehaunt.com/

According to Graham Cluley: “Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do it seems.
If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this”.

Thank you.

=====================

My sincere thanks to the Cable Haunt researchers Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds) and Simon Vandel Sillesen (Independent) as well as Graham Cluley for the excellent information which this blog post is built upon.

January 2020 Update Summary

====================
Update: 11th February 2020
====================
This Internet Explorer zero day (defined) vulnerability was resolved by the patch released by Microsoft today. If you use Internet Explorer (especially versions 8 or earlier), please install this update as soon as possible.

Thank you.

==============
Update: 27th January 2020
==============
Shortly after the release of Microsoft’s scheduled updates, on the 17th of January they issued a security advisory for a critical zero day (defined) vulnerability being exploited by attackers in targeted attacks.

An out of bound update has not been released by Microsoft since by default all support versions of Internet Explorer by default use Jscript9.dll rather than Jscript.dll However versions earlier then IE 9 face increased risk.

If you use Internet Explorer for day to day work or just general surfing, please consider implementing the workaround described within Microsoft’s security advisory. Please remember to remove the workaround prior to installing the relevant security update in February. Also, please note that this workaround is causing some printers not to print and the Microsoft Print To PDF function not to work. If this is the case, use another browser and disable the workaround or use the micropatch (discussed below).

An alternative which according to ghacks.net is free is to install the micro-patch for IE available from 0Patch. More information on the micropatch and how to install it is available in the previous link above. This micropatch does not come with side effects. A YouTube video of the micropatch in action is available from the following link:

https://youtu.be/ixpBN_a2cHQ

Thank you.

==============
Original Post
==============
Happy New Year to my dedicated readers!

Today Adobe and Microsoft released their first security updates of the year. Adobe resolved 9 vulnerabilities more formally known as CVEs (defined) with Microsoft addressing 50 vulnerabilities.

====================
Adobe
====================
Adobe Experience Manager: 4x Priority 2 CVEs resolved (3x Important severity, 1x Moderate severity)

Adobe Illustrator CC: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Illustrator CC).
====================

Inside Microsoft’s monthly summary; there are Known Issues for 9 Microsoft products but all have workarounds (some workarounds will be replaced by further updates).

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows CryptoAPI Spoofing Vulnerability: CVE-2020-0601 (disclosed by the NSA to Microsoft). Further information on this vulnerability is available from KrebsonSecurity, within this CERT advisory and the detailed NSA PDF.

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0609

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0610

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-0611

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020 0605

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0606

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0646

Please install the remaining less severe updates at your earliest convenience.

====================
Microsoft Edge Chromium
====================
Tomorrow, 15th January will mark the release of a new version of Microsoft Edge powered by the Chromium rendering engine. This version will be available for Windows 7, 8.1 and 10. This is especially relevant for Windows 7, Windows Server 2008 and Server 2008 R2 since while Windows itself ends its support lifecycle today, Edge Chromium will continue to be supported for a further 18 months. This matches similar statements from Google regarding Chrome and separately Vivaldi.

For details of which versions of Windows 10 will receive the new Edge via Windows Update and which versions will need to download it separately, please refer to this link. I wish to extend my thanks to Softpedia and Bleepingcomputer.com for these really useful links.

If for any reason, you wish to use the previous version of Edge (which uses the legacy rendering engine, please see this link for details of how to run the older version alongside its modern equivalent).

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
In early January Mozilla released new versions of Firefox to address the following vulnerabilities and to add new user privacy features:

Firefox 72.0: Resolves 5x high severity CVEs (defined), 5x moderate CVEs and 1x low CVE

Firefox ESR 68.4 (Extended Support Release): Resolves 4x high severity CVEs and 2x moderate CVEs

More recently Firefox 72.0.1 was released to address a single critical severity zero day (defined) vulnerability which was responsibly disclosed to Mozilla and fixed very quickly. Finally Firefox 72.0.2  was released on the 20th of January resolving inconsistent playback of full-screen HD videos among non-security other issues.

Highlights from version 72 of Firefox include:
In addition to picture in picture enabled by default for macOS and Linux, it blocks the use of fingerprinting by default (the collection of data from your system e.g. browser version, font size, screen resolution and other unique data. This protection is provided by Disconnect. There are multiple levels of fingerprinting protection provided with the standard level being enabled by default. The strict level however may lead to websites not functioning as expected. Further details are available here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Wireshark
====================
In mid-January the following Wireshark updates were released:

v3.2.1: Relating to 1 security advisory

v3.0.8: Relating to 1 security advisory

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.1 or v3.0.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 3 vulnerabilities while the second resolves 16 vulnerabilities. The second also provides mitigation for the vulnerability disclosed by the NSA to Microsoft more commonly known as the  Chain of Fools/CurveBall or CVE-2020-0601 This test page from SANS will then show your system is no longer vulnerable after applying the second update. Please still apply the update from Microsoft to provide the most protection, Google’s changes are a mitigation only.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================
VMware released 2 security advisories in January , the first is of moderate severity with the second being of important severity. The advisories relate to the following products:

Moderate Severity Advisory:

Workspace ONE SDK

Workspace ONE Boxer

Workspace ONE Content

Workspace ONE SDK Plugin for Apache Cordova

Workspace ONE Intelligent Hub

Workspace ONE Notebook

Workspace ONE People

Workspace ONE PIV-D

Workspace ONE Web

Workspace ONE SDK Plugin for Xamarin

Important Severity Advisory:
VMware Tools

If you use the above VMware products, please review the advisories and apply the necessary updates.

=======================
Oracle:
=======================
Oracle issued updates to resolve 334 vulnerabilities in January 2020. Further details and installation steps are available here. 12 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.