====================
Update: 28th March 2020
====================
I have added the details of the security updates released by Apple on the 24th March near the end of this post. Thank you.
====================
Update: 25th March 2020
====================
Adobe has released a further update for Creative Cloud Desktop. I have added the details below to the Adobe updates list.
VMware have also released VMware Fusion 11.5.3 to more completely address a previously patched vulnerability. Details are below in the VMware updates list.
Thank you.
====================
Update: 23rd March 2020
====================
Since originally writing this post, Adobe published their security updates a week later than usual. Further details are listed below.
Thank you.
====================
Adobe
====================
Adobe Acrobat and Reader: 13x Priority 2 CVEs (defined)resolved (9x Critical and 4x Important severity)
Adobe Bridge: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe ColdFusion: 2x Priority 2 CVEs resolved (2x Critical severity)
Adobe Creative Cloud Desktop: 1x Priority 2 CVE resolved (1x Critical severity)
Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Genuine Integrity Service: 1x Priority 3 CVE resolved (1x Important severity)
Adobe Photoshop: 21x Priority 3 CVEs resolved (15x Critical and 6x Important severity)
====================
Update: 15th March 2020:
====================
Security researcher Kevin Beaumont has provided further details of the critical SMBv3.1 vulnerability affecting Windows 10 Version 1903 and 1909. In summary the vulnerability is not trivial to exploit and the number of systems at the time of writing (13th March) vulnerability to the exploit had already dropped by 25%.
====================
Update: 12th March 2020:
====================
Microsoft have released an update to resolve the SMBv3 vulnerability now designated CVE-2020-0796, (EternalDarkness or SMBGhost) please apply it to any Windows 10 Server or Windows 10 workstation system running Windows 10 Version 1903 or 1909 as soon as possible. Please also make certain that such systems are not exposing port 445 to the internet (please seethe FAQ in their information on the relevant update).
An internet scan by security researchers of vulnerable estimates that there are 48,000 vulnerable Windows 10 systems. You can use the ollypwn scan (created by a Danish security researcher) can be used to check if a system is vulnerable.
I wish to add the following useful clarification (which was written before the Microsoft security update became available) from Richard Melick, senior technical product manager at Automox in relation to this SMBv3 vulnerability:
“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities. But that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch…it’s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today”.
To all of my readers, please stay safe during these challenging times. Thank you.
====================
Update: 11th March 2020
====================
As expected, yesterday Microsoft released their scheduled updates to resolve 115 CVEs (defined). Unusually for this month, Adobe has not released any updates.
Microsoft’s monthly summary; lists Known Issues for 14 Microsoft products but all have workarounds or resolution steps listed just as the previous month’s did.
====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/
====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
For Windows or Windows Server system (Version 1903 and 1909) systems that uses SMBv3, please follow Microsoft’s guidance in the following security advisory while an update is not yet available. Please apply the update as soon as it is made available:
ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
Please also make certain that TCP port 445 is blocked at the enterprise perimeter firewall to prevent exploitation.
This vulnerability is “wormable” meaning that similar to the WannaCry malware and the BlueKeep vulnerability if exploited it may lead to a very large malware outbreak in a very short time.
====================
Windows LNK: CVE-2020-0684
Windows Media Foundation: CVE-2020-0801 , CVE-2020-0807 , CVE-2020-0809, CVE-2020-0869
Microsoft Internet Explorer: CVE-2020-0824
Microsoft Browsers: CVE-2020-0768
Microsoft Scripting Engine: CVE-2020-0830 , CVE-2020-0847, CVE-2020-0833 , CVE-2020-0832, CVE-2020-0829 , CVE-2020-0813 , CVE-2020-0826, CVE-2020-0827 , CVE-2020-0825 , CVE-2020-0831, CVE-2020-0811, CVE-2020-0828, CVE-2020-0848, CVE-2020-0823, CVE-2020-0812
Microsoft GDI+: CVE-2020-0881, CVE-2020-0883
Microsoft Word: CVE-2020-0852
Microsoft Dynamics: CVE-2020-0905
Microsoft Edge: CVE-2020-0816
====================
Please install the remaining updates at your earliest convenience.
As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications and devices below.
To all of my readers, please stay safe during these challenging times. Thank you.
====================
Netgear
====================
On the 3rd of March, Netgear released 25 security advisories for its modem-router gateways, approximately 40 routers and a range extender. The vulnerability range up to critical in severity.
If you own a Netgear router, range extender or modem-router gateway, please use the guidance within this article (many thanks to Tom’s Guide for this advice and the appropriate how to check for updates steps) to locate your Netgear device model e.g. R6400 and to match it against the available security bulletins to check if your device requires a firmware (defined) update sometimes called a software update. Please install the update if one is available. The above linked to article also describes the varied methods to update your Netgear device.
====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.
High
Intel Smart Sound Technology Advisory
BlueZ Advisory
Intel NUC Firmware Advisory
Medium
Intel MAX 10 FPGA Advisory
Intel Processors Load Value Injection Advisory
Snoop Assisted L1D Sampling Advisory
Intel Optane DC Persistent Memory Module Management Software Advisory
Intel FPGA Programmable Acceleration Card N3000 Advisory
Intel Graphics Drivers Advisory
====================
Mozilla Firefox
====================
Yesterday, Mozilla released Firefox 74 and Firefox ESR (Extended Support Release) 68.6 to resolve the following vulnerabilities:
Firefox 74.0: Addresses 6x high severity CVEs, 6x medium severity CVEs and 1x low CVE
Firefox 68.6 ESR: Addresses 5x high severity CVEs and 3x medium severity CVEs
Firefox 74 also removes support TLS 1.0 (what is TLS, defined) and 1.1 as per Mozilla’s previous timelime, adds a Facebook Container add-in to limit how much the social tracks you across other sites and blocks the ability for other applications to install Firefox add-ons without your knowledge or consent. Further details of these features and other features added can be found within this article (my thanks to Lawrence Abrams of Bleepingcomputer.com for this information).
====================
Google Chrome
====================
Early last week, Google released Chrome version 80.0.3987.132 for Linux, Mac and Windows to resolve 4 security vulnerabilities with the most severe being of high severity.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================
Apple Security Updates:
=======================
On the 24th of March Apple made available the following updates. Notable fixes affect the kernels of macOS, iOS and iPadOS, WebKit (the renderer of Safari), Bluetooth and Safari.
These updates bring Safari to version 13.1 and add updates to its Intelligence Tracking Prevention (ITP) privacy feature while also introducing a block on all 3rd party cookies (defined) by default.
Further details for these updates are as follows:
Apple iOS v13.4 and iPadOS 13.4 (resolves 35x CVEs (defined))
Apple tvOS 13.4: Resolves 20x CVEs.
Apple watchOS 6.2: Resolves 17x CVEs
Apple watchOS 5.3.6 (no CVEs resolved)
Apple iTunes version 12.10.5 for Windows: Resolves 13x CVEs
macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra: Resolves 27x CVEs.
Safari 13.1: Resolves 11 CVEs
Apple iCloud for Windows 10.9.3: Resolves 13 CVEs
Apple iCloud for Windows 7.18: Resolves 13 CVEs
Xcode 11.4: Resolves 1 CVE (?: Apple’s post provides little details)
=======================
Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.
As always; further details of these updates are available on Apple’s dedicated security updates page.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).
====================
OpenSSL
====================
On the 17th March the OpenSSL Foundation issued OpenSSL 1.1.1e (download/installation links included) which includes a low severity security fix.
FTP mirrors to obtain the necessary downloads are available from here.
Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
====================
VMware
====================
VMware have so far released 2 security advisories this month to resolve vulnerabilities within the following products:
====================
Advisory 1: Severity: Critical:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
====================
Advisory 2: Severity: Important:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac
VMware Horizon Client for Windows
====================
Advisory 2 (above) has been updated by VMware to state VMware Fusion has been updated to version 11.5.3 to more comprehensively resolve the vulnerability designated CVE-2020-3950. Please make certain if you use VMwre Fusion that it is the latest version available.
If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.
securityinaction 