Tag Archives: Adobe Experience Manager

April 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Engine. Further details are available in this separate blog post.

Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4073119

kb4093112

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
On Tuesday, 10th April Microsoft made available their scheduled security updates to resolve 63 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

There are 3 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4093112

4093118

4093108

====================

Alongside these updates; Adobe released updates for the following products:

Adobe ColdFusion (priority 2, 5x CVEs)

Adobe Digital Editions (priority 3, 2x CVEs)

Adobe Experience Manager (priority 3, 3x CVEs)

Adobe Flash Player v29.0.0.140 (priority 2, 6x CVEs)

Adobe InDesign CC (priority 3, 2x CVEs)

Adobe PhoneGap Push Plugin (priority 3, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Graphics Component consisting of the following 6 CVEs:

CVE-2018-1009

CVE-2018-1010

CVE-2018-1012

CVE-2018-1013

CVE-2018-1015

CVE-2018-1016

Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability : described in more detail here.

====================

Separately AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================

=======================
Apple Security Updates:
=======================
In late April Apple released updates for Safari, macOS and iOS:

Apple iOS v11.3.1

Apple Safari v11.1

Apple macOS High Sierra v10.13.4

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
7-Zip 18.05
=======================
In late April; version 18.05 of 7-Zip was made available resolving one security vulnerability in it’s RAR packing code. Further details are provided in this linked to blog post.

Other highlights include the inclusion of ASLR on the 32 bit version and high entropy (HE)(defined here and here) ASLR (defined) on the 64 bit version. While the above blog post mentions HEASLR is not enabled, when I tested it with Process Explorer it was showing HEASLR as enabled. That blog post also describes how to add Arbitrary Code Guard (ACG) (defined) protection for 7-Zip on Windows 10. Version 18.01 and later also come with Data Execution Prevention (DEP)(defined here and here).

While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from the resolved vulnerability and the new mitigations.

=======================
Wireshark 2.4.6 and 2.2.14
=======================
v2.4.6: 10 security advisories

v2.2.14: 8 security advisories

The security advisory wnpa-sec-2018-24 applicable to both of the above versions resolves 10 memory leaks (defined).

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.6) or v2.2.14). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
Wireshark 2.6.0
=======================
While this update is not listed as a security update; it is the latest version of Wireshark within the Stable release channel. The older 2.4.x version did not receive a further update. It is very likely version 2.6 will be required to receive future security updates. Further details are available in the release notes of version 2.6. If possible, please consider upgrading to this version in the near future.

Further installation tips are provided above (as per version 2.4.6 and 2.2.14).

=======================
Oracle:
=======================
Oracle issued updates to resolve 254 vulnerabilities. Further details and installation steps are available here. 14 vulnerabilities affect the Java runtime. 12 of these are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
A Closer Look at CVE-2018-0950
=======================
While Microsoft have addressed the vulnerability designated as CVE-2018-0950 (defined) this month; Will Dormann, a security researcher with the CERT Coordination Center has demonstrated further mitigations (defined) you may wish to take. These mitigations (listed at the end of his in-depth discussion) will better defend your system(s) against a variant of this vulnerability which still remains relatively easy for an attacker to exploit.

Thank you.

November 2017 Security Updates

Back in November; Microsoft released their routine monthly security updates. These updates resolved 53 vulnerabilities with 14 individual updates (which are grouped when downloaded). As always these are detailed within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

Microsoft have listed 6 Known Issues that can occur from Windows 7 up to and including Windows 10 (version 1703):

Windows 10 (versions 1511, 1607 and 1703 potentially impacted):

KB4048952: caused some Epson SIDM (Dot Matrix) and TM (POS) printers to lose the ability to print. This was later resolved by a further update; KB4053578

KB4048954:

could cause Internet Explorer 11 to not provide users of SQL Server Reporting Services (SSRS) the ability to scroll through drop-down menus.

Windows Pro devices on the Current Branch for Business (CBB) will upgrade unexpectedly.

The above issue regarding Epson printers could also occur. All 3 of the above issues have been resolved. Please see KB4048954 for details of the additional updates containing the appropriate fixes.

KB4048953:

Details 2 of the above issues as well as an additional issue regarding an error message for the CDP User Service. Please see KB4048953 for details of the additional updates containing the appropriate fixes.

Windows 8.1 and Windows Server 2012 R2:

KB4048958

Please see KB4048958 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048961

Please see KB4048961 for details of an additional update containing the appropriate fix for an issue already discussed above.

Windows 7 SP1 and Windows Server 2008 R2 Standard:

KB4048957

Please see KB4048957 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048960

Please see KB4048960 for details of an additional update containing the appropriate fix for an issue already discussed above.

This month there are 4 Known Issues (kb4041691kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.

====================

Adobe also made available their scheduled security updates for the following products:

Adobe Acrobat and Reader (priority 2, 56 CVEs)

Adobe Connect (priority 3, 5 CVEs)

Adobe DNG Converter (priority 3, 1 CVE)

Adobe Digital Editions (priority 3, 6 CVEs)

Adobe Experience Manager (priority 3, 3 CVEs)

Adobe Flash Player (priority 2, 5 CVEs)

Adobe InDesign CC (priority 3, 1 CVE)

Adobe Photoshop CC (priority 3, 2 CVEs)

Adobe Shockwave Player (priority 2, 1 CVE)

As always the priority updates are Flash Player first and Adobe Acrobat (in that order).

One point to note is that Adobe Acrobat 11 (or XI) / Reader 11 are now out of support from November onwards. These will be the final updates they receive. Adobe recommends upgrading to Adobe Acrobat DC or Reader DC (as appropriate). Apart from the different user interface of the DC version, possible privacy concerns were raised about one of the components of this newer version namely RdrCEF.exe (the purpose of which is described here). The suggestions to resolve these concerns were:

  • Adding cloud.adobe.com to your Hosts file (defined) to redirect it to localhost (defined) (to prevent it disclosing any private info)
  • Blocking RdRCEF.exe from accessing the internet using your software firewall

A list of changes to the Windows Registry (defined) were suggested in this forum thread but it is not clear if these are effective.

As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For Novembers Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Office Vulnerability : CVE-2017-11882 : was described as “extremely dangerous” by researchers at security firm Embedi to disclosed the vulnerability to Microsoft. In addition to installing the security update they recommend disabling the legacy equation editor to protect against future attackers against the code which does not benefit from the more secure coding practices.

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware Workstation, Fusion and Horizon View Client
=======================
A security advisory with details of how to obtain updates for the above mentioned products to address 6 CVEs was made available by VMware in November.

=======================
Google Chrome:
=======================
An update for Google Chrome included 2 security fixes while a second update included a further security fix,

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Wireshark 2.4.3 and 2.2.11
=======================
v2.4.3: 3 CVEs (defined) resolved

v2.2.11: 3 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.3) or v2.2.11). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Apple security update:
=======================
An updates was made available by Apple on the 29th of November for macOS High Sierra to resolve a critical security vulnerability that could have resolved in the creation of a root (defined) account on the affected system allowing an unauthorised user privileged access to that system. Further details of this vulnerability are available here. As discussed in that link, this security update should have been installed automatically (no user action required).

=======================
Mozilla Firefox and Firefox ESR
=======================
During November Mozilla released security updates for Firefox and Firefox ESR(Extended Support Release) raising their version numbers to 57 (and later to 57.0.1) and 52.5 respectively.

  • Firefox 57 resolves 15 security issues more formally known as CVEs (defined) while 57.0.1 resolves 2 CVEs.
  • Firefox ESR 52.5 resolves 3 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57 and Firefox 57.0.1
Firefox 52.5

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

August 2017 Security Updates Summary

It’s the second Tuesday of August and Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved 48 vulnerabilities in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there is only 1 Known Issue for this month’s Microsoft updates.

====================

Separately Adobe made available four security bulletins for the following products:

Adobe Digital Editions (priority 2, 2x critical, 7x important CVEs)

Adobe Experience Manager (priority 2, 1x important, 2x moderate CVEs)

Adobe Acrobat/Reader (priority 2, 43x critical, 24 important CVEs)

Adobe Flash (priority 1, 1x critical, 1x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

Of note this month is the particularly large Adobe Acrobat/Reader update and the very small Flash Player update. The number of vulnerabilities resolved in last month’s Flash Player update was also small but it is too early to tell if vulnerability is moving away from Flash Player due to Adobe’s recent notice of their intention to de-commission Flash Player in 2020.

=======================
Update:12th September 2017:
=======================
Adobe last month updated their Adobe Acrobat and Acrobat Reader again after the availability of the initial patches in order resolve a regression (defined). Please ensure your installations of these products are updated to the version detailed by Adobe in their updated security bulletin (or are more recent than those listed in the bulletin).

Thank you.
=======================

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Windows Hyper-V

Windows Scripting Engine (affecting Edge, Internet Explorer and Office)

Microsoft Edge and Internet Explorer

Windows PDF Viewer

 

Important severity:

Windows Font Engine
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft’s made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring that page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================
Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority rating are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always; to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before since the Microsoft Internet Explorer and Microsoft Edge bulletins when combined address 6 vulnerabilities that are already publicly disclosed (defined). These should be followed by the Adobe Flash update which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

August 2016 Security Updates Summary

Yesterday was Microsoft’s Update Tuesday and they made available their scheduled monthly security updates.

Microsoft’s updates consist of 9 security bulletins. These bulletins resolve 33 vulnerabilities more formally known as CVEs (defined).

Microsoft’s Security bulletin summary lists Known Issues for bulletins MS16-100 (Update for Secure Boot, kb3179577) and MS16-101 (Security update for Windows authentication methods, kb3178465).

The first issue is more informational rather than an error/interruption to your work. While the second known issue is notifying you that this update “disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations”.

The IT Pro Patch Tuesday blog is also a very useful resource to check before installing the updates to better inform you of whether to proceed or not.

====================
For the first time since January Adobe has not published a Flash Player security bulletin. However, they did release a priority 2 update for Adobe Experience Manager, resolving 4 CVEs.

If you use any the above Adobe products, please review the security bulletins linked to above and apply the necessary updates as soon as possible.

====================
You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying this month’s Microsoft updates, I will prioritise the updates for you below:

Please make the updates for Microsoft Office, Microsoft Internet Explorer, Microsoft Edge your first priorities since they all address critical severity vulnerabilities. Please follow these with the Microsoft Graphics Component update (since it addresses a critical font handling issue (font vulnerabilities are discussed in a previous blog post)). All remaining security updates can be installed when you have the time available.

A final security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

February 2016 Security Updates Summary

Since today is the second Tuesday of the month Microsoft and Adobe made available their scheduled security updates for their software.

There are 13 bulletins in total (although MS16-022 is related to Adobe Flash Player) addressing 41 security issues with Microsoft software more formally known as CVEs (defined) and 32 CVEs within Adobe software (22 within Flash Player and a further 10 CVEs in total within Adobe Experience Manager, Adobe Connect and Photoshop CC/Bridge CC):

=======================
Microsoft’s Security Bulletin Summary lists 5 Known Issues with regard to the following bulletins:

MS16-009: Update for Internet Explorer: Knowledge base article kb3134814: After installing this update it can cause websites not to display in Internet Explorer 11 Enterprise mode (used for compatibility with older websites). This issue can be resolved by installing the update documented in knowledge base article kb3141092

MS16-014: Security Update for Windows: Knowledge base articles kb3126587 and kb3126593: Issues include compatibility issues with Corel software (suggested workaround available) and possible error messages appearing in the Windows event log, no workaround provided.

MS16-017: Security Update for Remote Desktop Display Driver: Knowledge base articles kb3134700 and kb3126446: Issues involve needing to restart your computer multiple times after installing this update.
=======================

Microsoft have also made available a security advisory today for ASP.Net templates when used within Visual Studio 2013 and 2015. Users of Visual Studio and/or software developers should review this advisory to determine if you need to take further action.

Moreover; an alternative source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered. No issues are listed at the time of writing.

One of Adobe’s updates that was mentioned above addresses 22 critical CVEs within Flash Player. From the many exploits that were developed for Flash Player last year it would be prudent to install this update before any other updates (further discussion provided below). Further details for this update are available in this security bulletin. If you use Adobe Experience Manager, Adobe Connect or Photoshop CC/Bridge CC, please follow the above product links to the appropriate security bulletins and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While the Adobe Flash Player update should be applied before all other updates this month to assist with prioritizing Microsoft’s updates I would recommend beginning to install Microsoft updates starting with the Internet Explorer update, Microsoft Edge, Microsoft Office, Windows PDF Library and Windows Journal (in this order) due to their critical severities and widespread use. You can then install any remaining applicable updates beginning this round of updates with the Kernel Mode Drivers update since exploitation of the vulnerability it addresses is more likely.

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.