Tag Archives: Adobe AIR

September 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s updates consist of 14 security bulletins. These bulletins address 50 vulnerabilities more formally known as CVEs (defined)(not including the Adobe vulnerabilities mentioned below).

Only the Internet Explorer security bulletin currently lists a Known Issue (discussed below). However as always please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates. At this time it does not list any Known Issues.

Update: 15th September 2016:

It has been reported that the security updates for Internet Explorer MS16-104 and Microsoft Edge (MS16-105) patches a zero-day (defined) vulnerability that has been publicly exploited. Further details of this vulnerability have since been disclosed and are available in this ThreatPost article.

The Known Issue for this update now mentions “Microsoft is aware of limited issues in which an ActiveX install may fail when using the ActiveX Installer Service (AXIS) with Internet Explorer 10 or Internet Explorer 11.” However, at this time no workaround or solution is available.

Moreover, the Microsoft Office security bulletin resolves an Important severity level ASLR (defined) bypass designated CVE-2016-0137 within the Microsoft Detours DLL (defined) that applications such as Microsoft App-V use. This issue has the potential to affect a lot of other 3rd party products and is discussed in more detail in this ThreatPost article. Further information/resources concerning this vulnerability are available on this GitHub page. A possibly related issue was found in Nvidia’s graphics driver (defined) (within detoured.dll) late last year which they issued a patch for.

This month also marks the final month that Windows 7 and Windows 8.1 will receive security updates packaged in the traditional format. From October the updates will be offered in packages similar to that of Windows 10 which will mean fewer individual updates will need to be installed to bring systems up to date. The updates will also replace updates from previous months again reducing the volume of updates needing to be installed. There will be single security and reliability updates.

While I am in favour of the simplification of updates, the “Known Issues” that I mention each month will become even more important since you won’t have the option of choosing which updates to install. This will lead to more outages and compatibility issues especially for corporate environments which is discussed in this article. Microsoft provides more details of these changes in their Windows IT Pro blog post. This additional Microsoft blog post and this Windows IT Pro blog post provide further coverage.

Further to this, next month Microsoft plans to begin to block out dated versions of Adobe Flash Player ActiveX controls (defined). Further details are available in their blog post.

====================
For Adobe’s scheduled released they made available an updated version of Flash Player that addresses 29 priority 1 vulnerabilities.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

Adobe also released a security bulletin for Adobe AIR SDK and compiler (AIR is its application runtime) to address a single priority 3 vulnerability. More information as well as installation steps are available in the relevant security bulletin. Finally, Adobe released a security bulletin for Digital Editions that addresses 8 priority 3 vulnerabilities.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

With Adobe’s Flash Player update (to version 23.0.0.162) addressing 29 critical vulnerabilities, this should be installed first if you already have a previous version installed.

For the Microsoft updates, for corporate environments/server operating systems please first install the Microsoft Exchange update (if you use it within your environment). This should be followed by Microsoft Office, Security Update for Windows (MS16-110) and the Microsoft Graphics Component.

For desktop workstations / small business environments please make Internet Explorer, Microsoft Edge, Microsoft Office and the Microsoft Graphics Component your first priorities due to their severities and prevalent use. The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is available in this Computerworld article (a new article is published each month within their Patch Tuesday Debugged column).

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

June 2016 Security Updates Summary

Yesterday Microsoft released their scheduled monthly security updates.

Microsoft’s updates consist of 16 security bulletins (not yet included is the upcoming Adobe Flash Player update (more details below)). These bulletins resolve 44 vulnerabilities more formally known as CVEs (defined).

One helpful point to note that should make deploying these updates easier is that Microsoft’s Security Bulletin Summary doesn’t list any Known Issues at this time. However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

As briefly discussed above one of Microsoft’s bulletins relates to Adobe’s Flash Player update; however, that update will be made available later this week (scheduled to arrive on the 16th of June) according to Adobe). Similar to last month this update will resolve a zero day (defined) vulnerability that is currently being exploited. I will update this post when more information becomes available.

====================
Update: 17th June 2016:
As scheduled Adobe released an updated version of Flash Player to address the zero-day vulnerability currently being used by an APT (Advanced Persistent Threat) (defined) group to attack systems belonging high profile targets.

This update also addresses 35 other critical CVEs. For Google Chrome, I have confirmed that version 51.0.2704.103 released yesterday contains the appropriate updated version of Flash Player.

For Windows 8.1 and later Microsoft have released a security bulletin MS16-083 (which is not yet listed on their security bulletin page at the time of writing). It includes the same fixes within the above mentioned Adobe bulletin.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Chrome. Further discussion of this update is available in this blog post.

Adobe also released a security bulletin for Adobe AIR (its application runtime) to address a priority 3 vulnerability in the AIR installer. More information as well as installation steps are available in the relevant security bulletin.

If I can clarify any of the above update installation steps, please let me know. I am always more than happy to assist.

Thank you.
====================

Adobe did however have make available four security bulletins yesterday that address vulnerabilities in Adobe DNG SDK (1 CVE addressed), Adobe Brackets (2 CVEs addressed), Adobe Creative Cloud Desktop (2 CVEs addressed ) and ColdFusion (1 CVE addressed of higher priority than all others). If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the Update for DNS Server your first priority since it is not only of critical severity but DNS (defined) is a business critical service used by business of all sizes making it a higher risk. Follow this with Microsoft Office, Microsoft Internet Explorer, Microsoft Edge and Microsoft Jscript and VBScript due to their severities and prevalent use. All remaining security updates can be installed when time allows.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Aside:
=======================
Apologies for not posting new content in such a long time. With other commitments that needed my attention as well as resolving the hardware failure issue 2 weeks ago (that I mentioned previously) led to this delay. I will post more content soon. Thank you for your understanding.

Adobe Releases Emergency Flash Security Updates

Yesterday Adobe released their January 2016 Flash Player and Adobe AIR (its application runtime) security updates ahead of schedule to address a critical zero-day (defined) security vulnerability designated as CVE-2015-8651.

The updates address 19 security vulnerabilities (more formally known as CVEs (defined). At the time of writing neither Google nor Microsoft have made available the relevant updates for Google Chrome (v47.0.2526.106, Stable 64 bit has not received this update) and Microsoft Edge/Internet Explorer (respectively). This is most likely due to the holiday period. Microsoft should announce the availability of their Flash update by updating this security advisory for users of Microsoft Edge for Windows 10 and Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1 (respectively).
=======================
Update 1: 29th December 2015:
Microsoft have now updated their security advisory. Update kb3132372 (no active web site link yet) is now available for Windows 10, 8.1 and 8.0 users.

Update 2: 31st December 2015:
Google updated Chrome (v47.0.2526.106)(Stable, 64 bit) to Flash Player v20.0.0.267 within hours of the above mentioned update from Microsoft. Apologies for not updating this post sooner.

I’m very impressed that they both made available the appropriate updates so quickly especially during the holiday period.
=======================

Adobe and Symantec have stated that limited targeted attacks are exploiting the above mentioned zero-day vulnerability. SecurityWeek elaborates on these attacks stating that they are spear phishing attacks (defined).

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). The use of this alternative link is now deprecated and will be decommissioned by Adobe on the 22nd of January 2016.

As always I would recommend that if you have Flash Player installed to install the necessary updates as soon as possible. You can check if you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

December 2015 Security Updates Summary

Today Microsoft released it’s final scheduled collection of security bulletins for 2015. There are 12 bulletins in total addressing 71 security issues more formally known as CVEs (defined)(only 58 of those are unique CVEs since some updates address the same issue within different updates).

The Security Bulletin Summary at this time does not list any Known Issues. An excellent additional source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered.

Adobe issued updates to Flash Player and Adobe AIR, its application runtime to resolve a record number of 79 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this); this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

I would recommend installing the update to Adobe Flash Player first if you make use of this web browser plugin. Their update addresses 79 critical security issues which may be exploited by exploit kits (defined) within a short timeframe. In addition, it has been a very eventful year for Adobe with a record number of security issues patched making this update even more important to install.

With regards to prioritizing Microsoft’s updates I would recommend installing the Windows Kernel update first since it addresses a zero day (defined) vulnerability. Next install the updates for Internet Explorer, Microsoft Edge Microsoft Office, JScript and VBScript, Windows DNS, Windows Graphics Component, Silverlight and Microsoft Uniscribe due to their critical severities. You can then install any remaining applicable updates. The DNS, Internet Explorer, Edge and Office updates will be of particular importance to large organizations due to the prevalence of this software.

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

November 2015 Security Updates Summary

Earlier today Microsoft issued 12 security bulletins to address 53 CVEs (defined). As always further details are available within their Security Bulletin Summary.

At the time of writing there were a number of bulletins that have Known Issues associated with them (as mentioned in the Security Bulletin Summary), they are:

====================
MS15-121: Security update for Schannel to address spoofing: This knowledge base article mentions that any custom providers for SChannel will no longer work after this update is installed. Microsoft advises working with the vendor of such custom providers to update them.

MS15-123: Skype for Business November 2015 cumulative update (kb3108096): Issues with instant messages not being received and loss of video when joining a meeting are mentioned. There is a workaround for the latter issue.

MS15-115: Description of the security update for Windows: While this update is listed as having Known Issues none are currently present within the above linked to knowledge base article.

MS15-122: Description of the security update for Windows Kerberos: While this update is listed as having Known Issues none are currently present within the above linked to knowledge base article.

====================
Update: 13th November 2015:
An additional workaround for the remaining Known Issue that occurs after installing MS15-123: Skype for Business November 2015 cumulative update (mentioned above) is not available from this link.

Moreover, MS15-115: Security update for Windows was re-published on the 11th of November due to issues causing Microsoft Outlook to crash or being unable to log into Windows after installing this update. According to the aforementioned link, these issues should now be resolved.
====================

Microsoft also issued a security advisory for Windows Hyper-V to address 2 CVEs with Important severity that could lead to a denial of service issue (defined). Please add this update to your Patch To-Do List if you make use of this software.

At this time, the IT Pro Patch Tuesday blog does not mention any known issues, it may be updated at a later stage.

Adobe issued updates to Flash Player and Adobe AIR, its application runtime to resolve 17 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this); this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.
Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

I would recommend installing the update to Adobe Flash Player first if you make use of this web browser plugin. Their update addresses 17 critical security issues which may be exploited by exploit kits (defined) within a short timeframe.

If you wish to prioritize the deployment of the Microsoft security updates, I would recommend an installation order of Security Update for Windows; Internet Explorer, Windows Journal, Microsoft Office and Microsoft Edge due to their severity (successful exploitation results in remote code execution; namely allowing a remote attacker to carry out any action of their choice). After installing these updates, install any remaining applicable Microsoft security updates.

=======================
Update: 17th November 2015:
If your organization uses Windows BitLocker you may wish to prioritize the installation of the Security Update for Kerberos (MS15-122) since it addresses a potentially severe authentication bypass vulnerability that could lead to the data on your BitLocker encrypted devices being much more easily obtained by an attacker. Further details are available in a more recent blog post.
=======================

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

October 2015 Security Updates Summary

Today is Update Tuesday and Microsoft made available 6 security bulletins to resolve 33 CVEs (defined). Further details are provided in their Security Bulletin Summary.

Reviewing this summary at the time of writing it currently shows that there are no known issues for these bulletins. Another useful source to monitor for any issues encountered with Microsoft security updates is the IT Pro Patch Tuesday blog.

Adobe have also issued updates for Adobe Acrobat DC, Acrobat XI, Acrobat X, Acrobat Reader DC and Adobe Reader addressing 56 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin.

Finally Adobe issued updates to Flash Player and Adobe AIR, its application runtime to resolve 21 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this) this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-
If you use any of the above software, please install the appropriate updates as soon as possible.
Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

Since the Adobe Flash Player update resolves 21 critical CVEs some of which are likely to be exploited very quickly by exploit kits (defined) this update should be installed first.

If you wish to prioritize the deployment of the Microsoft security updates, I would recommend an installation order of Internet Explorer, JScript and VBScript, Microsoft Office and Windows Shell due to their severity (successful exploitation results in remote code execution; namely allowing a remote attacker to carry out any action of their choice). After installing these updates, install any remaining applicable Microsoft security updates.

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Adobe Releases Flash Player Security Update

Yesterday Adobe published a security bulletin for Flash Player it’s web browser plugin and Adobe AIR, its application runtime. While the reason for releasing this update outside of it’s usual schedule of the second Tuesday of each month is unknown, Wolfgang Kandek of Qualys offers some possible explanations as to why this update has been released at this time.

This update brings Flash Player to version 19.0.0.185 and resolves 23 CVEs (defined).

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Moreover only Flash Player is installed by the installers included on that page, no additional unwanted is offered/included.

Users of Google Chrome 45 have also received this update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Microsoft Edge on Windows 10 and Internet Explorer 10 and 11 installed on Windows 8.0 and 8.1 respectively.

I would recommend that if you use Flash Player (you can check it its installed using this page), that you install the necessary updates as soon as possible. It is only a matter of time before these security issues will be used by exploit kits to install malware/carry out malicious actions.

To add a further layer of protection, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.