Updated: 21st March 2019
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797, CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683, CVE-2019-0754, CVE-2019-0757 and CVE-2019-0809).
Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.
I have updated the suggested installation order (below) to reflect this new information. Thank you.
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.
For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Photoshop CC: 1x priority3 CVE resolved
If you use the affected Adobe products; please install their remaining priority 3 updates when you can.
This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:
KB4489878 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
KB4489881 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
KB4489882 Windows 10 version 1607, Windows Server 2016
KB4489883 Windows 8.1, Windows Server 2012 R2 (Security-only update)
KB4489884 Windows Server 2012 (Security-only update)
KB4489885 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)
KB4489891 Windows Server 2012 (Monthly Rollup)
KB4489899 Windows 10 version 1809, Windows Server 2019
You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates.
News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)
Microsoft XML: CVE-2019-0756
Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772
Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809
Microsoft Active Directory: CVE-2019-0683
NuGet Package Manager Tampering Vulnerability: CVE-2019-0757
Windows Denial of Service Vulnerability: CVE-2019-0754
Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)
If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005
Please install the remaining updates at your earliest convenience.
As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.
Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.
If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.
Update: 25th March 2019: As detailed in the Pwn2Own 2019 results post; Mozilla released a further update for Firefox and Firefox ESR bringing their version numbers to 66.0.1 and 60.6.1 respectively. Both updates resolve 2x critical CVEs. Please consider updating to these versions as soon as possible.
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:
Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs
Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
VMware issued 2 security advisories during March:
Security Advisory 1: Addresses 2x important severity CVEs in the following products:
VMware Workstation Pro
Security Advisory 2: Addresses 1x moderate severity CVE in the following products:
If you use the above VMware products, please review the security advisories and apply the necessary updates.
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.71 in mid-March. It contains 8 security fixes (see below). They are a result of the bug bounties awarded through the EU-Free and Open Source Software Auditing (EU-FOSSA) (discussed previously in this post). Version 0.71 is downloadable from here.
If you use Putty, please update it to version 0.71. Thank you.
Security vulnerabilities fixed:
- vuln-auth-prompt-spoofing: Authentication prompts can be spoofed by a malicious server
- vuln-chm-hijack: Potential malicious code execution via CHM hijacking
- vuln-fd-set-overflow: Buffer overflow in Unix PuTTY tools if server opens too many port forwardings
- vuln-rng-reuse: Cryptographic random numbers can occasionally be reused
- vuln-rsa-kex-integer-overflow: Integer overflow due to missing key-size check in RSA key exchange code
- vuln-terminal-dos-combining-chars: DoS if many Unicode combining characters are written to the terminal
- vuln-terminal-dos-combining-chars-double-width-gtk: DoS by terminal output involving combining characters, double-width text, an odd number of terminal columns, and GTK
- vuln-terminal-dos-one-column-cjk: DoS by terminal output if a CJK wide character is written to a 1-column-wide terminal
Nvidia Geforce Experience Software:
In late March , Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 1 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be applied by opening Geforce Experience which will automatically updated it or the update can be obtained from here.
Golden Old Games (GOG) has published an update for their popular game distribution platform GOG Galaxy. It resolves 2 critical vulnerabilities. Additionally, 2 high severity and 2x medium severity vulnerabilities were also resolved. These vulnerabilities are discussed in more detail in this Cisco Talos blog post and within this Kaspersky ThreatPost article. Please update GOG Galaxy to version 220.127.116.11 or later to resolve these vulnerabilities.
I don’t often post about vulnerabilities in gaming clients/gaming distribution clients but like any software; security updates can and are made available for them.