Tag Archives: Adobe ColdFusion

September 2017 Security Updates Summary

Earlier today Microsoft made available their scheduled monthly security updates. These resolve 81 vulnerabilities; more formally known as CVEs (defined). They are detailed within Microsoft’s new Security Updates Guide.

This month there are 3 Known Issues (KB4038792 , KB4038793 , and KB4011050) for this month’s Microsoft updates. 2 of these issues relate to the breaking NPS authentication or the hanging of Japanese IME. The first two links suggest editing the Windows Registry (defined) or installing an update (respectively for each issue) to correct them. The final issue involves the display of black borders around cells in Excel, resolved by installing an update.

====================

Separately Adobe made available three security bulletins for the following products:

Adobe ColdFusion (priority 2, 3x critical, 1x important CVEs)

Adobe Flash (priority 1, 2x critical CVEs)

Adobe RoboHelp (priority 3, 1x important, 1x moderate CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

Of note this month is a vulnerability in PDF reader software which does not affect Adobe’s Acrobat and Reader DC products. A detailed list is available in this news article. Google Chrome, Firefox and others have resolved this vulnerability while other affected products remain in progress.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows NetBIOS Vulnerability (CVE-2017-0161)(vulnerability affects more than Windows 10)(NetBIOS : defined)

Windows DHCP Vulnerability (CVE-2017-8686) (vulnerability affects more than Windows Server 2016)(DHCP : defined)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Office (CVE-2017-8630 and CVE-2017-8744)(multiple versions of Office affected)
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column. That link is becoming less useful, it has not been updated since June 2017.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017. Versions 1703 and 1709 of Windows 10 will consequently block the installation of EMET. This makes sense for version 1709 since it includes a replacement for EMET while 1703 (to the best of my knowledge does not).

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

April 2017 Security Updates Summary

As expected earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s set of updates are much lighter in volume this month addressing 45 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month sees four known issues listed for this months updates all relating to the AMD Carrizo processor experiencing an issue which prevents the installation of future Windows Updates. Microsoft states in all four knowledge base articles (listed below) they are aware of this issue and are working to resolve it in upcoming updates:

KB4015549
KB4015546
KB4015550
KB4015547

At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues (although it has not been updated since November 2016, I’m unsure why).

====================
Adobe issued five security bulletins today affecting the following products:

Adobe Campaign (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)
Adobe Acrobat and Reader (47x priority 2 CVEs)
Adobe Photoshop (2x priority 3 CVEs)
Adobe Creative Cloud Desktop (2x priority 3 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

=======================
Update: 8th May 2017:
=======================
I wish to provide information on other notable updates from April 2017 which I would recommend you install if you use these software products:

=======================
Skype: While the Skype update to version 7.34.0.102 was released in March; details of the vulnerability it addressed were not made public until April.
=======================

=======================
Putty 0.69: while released in March; it contains important security changes. It is downloadable from here.
=======================

=======================
Wireshark 2.2.6 and 2.0.12
=======================
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.2.6) or v2.0.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Oracle:
=======================
There was a record 299 vulnerabilities addressed by Oracle’s updates in April. Further details and installation steps are available here. A useful summary post from Qualys is here. Of the 299 fixes, 8 vulnerabilities were addressed in the Java runtime.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
=======================

=======================
Mozilla Firefox:
=======================
Firefox 53.0 and Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 45.9 and Firefox ESR 52.1.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 29 security fixes:

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Adobe Coldfusion:
=======================
Adobe Coldfusion: 2x priority 2 vulnerabilities resolved.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
For the Microsoft updates this month, I will prioritize the order of installation for you below:

====================
Critical severity:
Microsoft Office and Windows WordPad (due to a previously disclosed zero day vulnerability (defined))
Microsoft Edge
Internet Explorer
Microsoft .Net Framework
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

June 2016 Security Updates Summary

Yesterday Microsoft released their scheduled monthly security updates.

Microsoft’s updates consist of 16 security bulletins (not yet included is the upcoming Adobe Flash Player update (more details below)). These bulletins resolve 44 vulnerabilities more formally known as CVEs (defined).

One helpful point to note that should make deploying these updates easier is that Microsoft’s Security Bulletin Summary doesn’t list any Known Issues at this time. However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

As briefly discussed above one of Microsoft’s bulletins relates to Adobe’s Flash Player update; however, that update will be made available later this week (scheduled to arrive on the 16th of June) according to Adobe). Similar to last month this update will resolve a zero day (defined) vulnerability that is currently being exploited. I will update this post when more information becomes available.

====================
Update: 17th June 2016:
As scheduled Adobe released an updated version of Flash Player to address the zero-day vulnerability currently being used by an APT (Advanced Persistent Threat) (defined) group to attack systems belonging high profile targets.

This update also addresses 35 other critical CVEs. For Google Chrome, I have confirmed that version 51.0.2704.103 released yesterday contains the appropriate updated version of Flash Player.

For Windows 8.1 and later Microsoft have released a security bulletin MS16-083 (which is not yet listed on their security bulletin page at the time of writing). It includes the same fixes within the above mentioned Adobe bulletin.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Chrome. Further discussion of this update is available in this blog post.

Adobe also released a security bulletin for Adobe AIR (its application runtime) to address a priority 3 vulnerability in the AIR installer. More information as well as installation steps are available in the relevant security bulletin.

If I can clarify any of the above update installation steps, please let me know. I am always more than happy to assist.

Thank you.
====================

Adobe did however have make available four security bulletins yesterday that address vulnerabilities in Adobe DNG SDK (1 CVE addressed), Adobe Brackets (2 CVEs addressed), Adobe Creative Cloud Desktop (2 CVEs addressed ) and ColdFusion (1 CVE addressed of higher priority than all others). If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the Update for DNS Server your first priority since it is not only of critical severity but DNS (defined) is a business critical service used by business of all sizes making it a higher risk. Follow this with Microsoft Office, Microsoft Internet Explorer, Microsoft Edge and Microsoft Jscript and VBScript due to their severities and prevalent use. All remaining security updates can be installed when time allows.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Aside:
=======================
Apologies for not posting new content in such a long time. With other commitments that needed my attention as well as resolving the hardware failure issue 2 weeks ago (that I mentioned previously) led to this delay. I will post more content soon. Thank you for your understanding.

US-CERT Details Top 30 Targeted High Risk Security Vulnerabilities

In the final week of April the US-CERT announced the Top 30 exploitable security vulnerabilities that could be used to attack critical infrastructure organizations/companies.

The list includes flaws that can be exploited through malicious email attachments, targeted attacks (spear phishing) and most commonly “watering hole” attacks.

What is a Watering Hole Attack?
A watering hole attack is a targeted exploit of a frequently visited website by specific group of people. The attacker compromises/tampers with the website to inject HTML or JavaScript that will redirect visitors to another site/page specifically crafted to exploit a security vulnerability/flaw e.g. one of the top 30 flaws mentioned by US-CERT. If the exploit is successful (i.e. if the flaw exists on the users computing device) then malware can be installed or any other action of the attacker’s choice can take place (if it’s a remote code execution flaw).

Such an attack is more likely to succeed since the visitors to the site trust it and more likely to respond in a way the attackers wish should a dialog box appear or a message to perform an action is displayed e.g. download a fake codec update to watch a video (which would lead to an exploit taking place against a visitors computing device).

All of the products listed within the above mentioned alert are commonly used and can be patched with low to moderate effort. Please find below advice on how to update each of the affected products in the list.

I hope that the list of products with the associated steps to update each are useful to you in applying the necessary updates in order to avoid being exploited by the Top 30 high Risk Security Vulnerabilities mentioned by US-CERT.

Thank you.

==========================
Microsoft Internet Explorer:
==========================
Please see “Enable automatic updates for Windows” within my “Protecting Your PC“ page.
==========================

==========================
Microsoft Silverlight:
==========================
For Mac:
Please visit this Silverlight page. If you have Silverlight installed and an update is available, please download and install it

For PC:
Please see “Enable automatic updates for Windows” within my “Protecting Your PC“ page.
==========================

Microsoft Office for Mac and Windows:

Office for Mac:

==========================
Office 2011 for Mac:
==========================
The most recent update (at the time of writing is 14.4.9, please select “Office 2011” under the Products column on this page). Please download and install the most recent update for Office 2011 for Mac. In order to install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2011 for Mac).

Please note that Update 14.4.9 requires 14.1.0 i.e. SP1 for Office 2011 for Mac to be installed first.

==========================
Office 2008 for Mac:
==========================
While this version of Office is now unsupported if you are using this version it would still be recommended to have the most recent version available. Update 12.3.6 is the most recent update. This update requires Update 12.2.0 (i.e. SP2 for Office 2008 for Mac) to already have been installed. SP2 requires that SP1 also be installed beforehand.

In order to install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2008 for Mac).

==========================
Office 2004 for Mac:
==========================
This version of Office is also unsupported. Update 11.6.6 is the most recent update and requires Update 11.6.5 (and all prior updates). In order to install all updates I would suggest using Microsoft AutoUpdate for Office 2004 for Mac.

==========================
Office for Windows:
==========================
For Office 365 (Business Essentials, Business, Business Premium, Home and Personal): These suites stays up to date automatically while an internet connection is available.

==========================
Office 2013, 2010 and 2007:
==========================
Windows Update can detect and install all updates for you when it is configured correctly. Alternatively for Office 2013, it can also be updated manually.

==========================
For Office 2003, Office XP and Office 2000:
==========================
Windows Update can detect and install all updates for Office for you when it is configured correctly.

For any product listed in the table within US-CERT alert that you have installed and no update is being offered within Windows Update I would recommend checking the security bulletins mentioned in the US-CERT alert for more information on installing the appropriate updates manually.

==========================
Oracle Java:
==========================
In order to obtain the latest updates for Java, if you are developer, visit this page and download the most recent Java Development Kit (JDK) or the most recent update for your version of Java JDK e.g. v7, v6, v5 etc. Currently JDK v8 is the most recent. Some developers may also need the latest Java FX.

For corporate desktop systems or consumer/home users, please visit http://java.com to download the most recent Java Runtime Environment (JRE). There is also the option of enabling automatic updates when Java is installed on Windows.

==========================
Adobe:
==========================
Adobe Flash:
For Adobe Flash, since version 11.2 Adobe has included an automatic updater when Flash is installed on Windows. For any version of Windows older than Windows 8.0, Flash can also be downloaded and installed manually from this page (the downloaded version will automatically replace any older version of Flash already installed).

For Windows 8.0 and later, Microsoft issues updates to Adobe Flash via Windows Update. These updates are detailed in this security advisory.

==========================
Adobe AIR:
For the Adobe SDK and SDK & Compiler, updates can be obtained from Adobe’s developer page.
For Adobe AIR desktop runtime, updates are available from this download page.

==========================
Adobe Acrobat and Adobe Reader:
For Acrobat DC and Reader DC, updates are automatically delivered (and available using “Check for Updates” mentioned below). Alternatively, updates for Acrobat for Mac and Windows are available. The latest version of Reader DC is available from here (please ensure to un-check install options such as Google Chrome and Google Toolbar).

For Acrobat 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For Adobe Reader 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For older versions of Acrobat and Reader (namely 9, 8 and earlier), no further updates are being made available. It should be possible to run a check for updates as mentioned above but it is recommended to upgrade to a currently serviced version, e.g. 10, 11 or DC.

==========================
For Adobe ColdFusion:
Updates are available for ColdFusion 11 and 10. Installation instructions are also provided within the aforementioned pages.

For ColdFusion 9, there are 3 updates available to be installed in the order presented here:

ColdFusion Security hotfix APSB13-03

ColdFusion Security hot fix APSB13-13

ColdFusion Security hot fix APSB13-27

Additional Security Hotfixes (in addition to those above)

==========================
Adobe Flex:
Adobe Flex is available for download from here. However in an April 2015 security bulletin Adobe recommended updating the Flex index.html file using the steps provided in that bulletin.

==========================
OpenSSL:
==========================
For OpenSSL I would recommend following the guidance provided by US-CERT for upgrading to the most recent non-vulnerable version of OpenSSL using their link provided within their alert since the upgrade/update process requires specific steps to be completed.
==========================

April 2015 Security Updates Summary

On Tuesday the 14th of April Microsoft made available its anticipated security updates resolving 26 CVEs. The individual products affected are detailed in the Security Bulletin Summary. Any Known Issues are also summarized there.

In addition, Adobe also made available updates for Flash Player, ColdFusion and Adobe Flex. Further details are available in the Adobe PSIRT blog post. 24 CVEs in total were resolved.

Oracle (includes Oracle Java) (98 CVEs resolved), Google Chrome (45 security fixes) and VideoLAN VLC for Windows (1 CVE resolved) were also updated last week. For VLC I would recommend that you update to 2.2.1 if you have not already done so since 2.2.0 also included fixes for 5 other CVEs.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————-
Security Updates Calendar (as mentioned within the heading “Information on Security Updates” within the Protecting Your PC page):
http://www.calendarofupdates.com/updates/index.php?act=calendar

US Computer Emergency Readiness Team (CERT) (as mentioned within the heading “Information on Security Updates” within the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible. I would like to mention that Microsoft’s MS15-034 update should be prioritized for installation before all other updates due to its severity and ease of exploitation.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.