Tag Archives: Adobe Reader DC

May 2020 Update Summary

I hope this post finds you doing well in these difficult times.

I’m writing this post early to highlight the availability of 2 important updates, for Mozilla Firefox and Google Chrome. I’ll update the post when Adobe and Microsoft release their expected security updates.

Thank you and please stay safe.

====================
Update: 19th May 2020
====================
Sorry for not updating this post sooner.

As scheduled both Adobe and Microsoft released their monthly security updates addressing 36 vulnerabilities and 111 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as follows:

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

Adobe DNG Software Development Kit (SDK): 12x Priority 3 CVEs resolved (4x Critical and 8x Important severity)

If you use the above Adobe products, please install these updates as soon as possible since both resolve multiple critical vulnerabilities. Similar to January, March and April, no updates for Adobe Flash were released.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows Graphics Component: CVE-2020-1135

Visual Studio Code Python Extension: CVE-2020-1058, CVE-2020-1060, CVE-2020-1171, CVE-2020-1192

Microsoft Internet Explorer: CVE-2020-1062

VBScript Remote Code Execution Vulnerability: CVE-2020-1035

Microsoft Edge: CVE-2020-1056, CVE-2020-1059, CVE-2020-1096

Microsoft SharePoint: CVE-2020-1023, CVE-2020-1024, CVE-2020-1102

Windows kernel: CVE-2020-1054, CVE-2020-1143

Windows Media Foundation: CVE-2020-1126

Microsoft Color Management: CVE-2020-1117

Windows Print Spooler: CVE-2020-1048

Microsoft Windows Transport Layer Security Denial of Service Vulnerability: CVE-2020-1118

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May, Mozilla released Firefox 76 and Firefox ESR (Extended Support Release) 68.8 to resolve the following vulnerabilities:

Firefox 76.0: Addresses 3x critical severity CVEs, 2x high severity CVEs, 4x moderate CVEs and 1x low CVE

Firefox 68.8 ESR: Addresses 3x critical severity CVEs, 2x high severity CVEs and 2x moderate severity CVEs

Firefox 76 introduces a new password manager (with the ability to generate difficult-to-guess passwords), which includes a means of detecting whether a password was part of a password breach and now requires changing, or whether the same password is in use on multiple websites.

An improved picture in picture experience is also included. Firefox 76.0.1 has since been released resolving non-security issues such as crashing add-ons e.g. the Amazon Assistant extension and crashing with Nvidia GPU drivers on Windows 7 32 bit (my thanks to Bogdan Popa of Softpedia.com and Mozilla for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 81.0.4044.138 for Linux, Mac and Windows to resolve 3 security vulnerabilities with the most severe 2 issues being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================
VMware have a single security advisory so far this month for the following product:

====================
Advisory 1: Severity: Critical
vRealize Operations Application Remote Collector (ARC)
====================
If you use the above VMware product, please review the above advisory and install the applicable security updates as soon as possible.

Highlights from Pwn2Own 2020

====================
TL;DR:

The following products were successfully exploited, please install the necessary updates for them when they become available: Apple Safari, Apple macOS, Ubuntu Desktop, Windows, Oracle VirtualBox and Adobe Reader
====================
As long-time readers of this blog will know, the Pwn2Own security conference with its white hat hacking contest is my favourite event of the year. Sophisticated vulnerability exploitation is showcased, the contestants receive large sums of money and we as consumers receive safer products to use on a day to day basis. It took place late last week virtually due to the Coronavirus. The results from both days of competition can be found here. The total prize was USD $270,000.

The winners of the competition were Richard Zhu and Amat Cama of Team Fluoroacetate winning the Master of Pwn title and USD $90,000 in prize money.

Returning to the trend of previous years, exploits against the Apple macOS kernel (defined) and Windows kernel were common again. These are high severity vulnerabilities but when addressed will make our systems safer.

The vendors have up to 90 days to resolve the vulnerabilities before public disclosure. Please expect and apply the necessary security updates to the affected products as they become available.

Thank you.

March 2020 Update Summary

====================
Update: 28th March 2020
====================
I have added the details of the security updates released by Apple on the 24th March near the end of this post. Thank you.

====================
Update: 25th March 2020
====================
Adobe has released a further update for Creative Cloud Desktop. I have added the details below to the Adobe updates list.

VMware have also released VMware Fusion 11.5.3 to more completely address a previously patched vulnerability. Details are below in the VMware updates list.

Thank you.

====================
Update: 23rd March 2020
====================

Since originally writing this post, Adobe published their security updates a week later than usual. Further details are listed below.

Thank you.

====================
Adobe
====================
Adobe Acrobat and Reader: 13x Priority 2 CVEs (defined) resolved (9x Critical and 4x Important severity)
Adobe Bridge: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe ColdFusion: 2x Priority 2 CVEs resolved (2x Critical severity)
Adobe Creative Cloud Desktop: 1x Priority 2 CVE resolved (1x Critical severity)
Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Genuine Integrity Service: 1x Priority 3 CVE resolved (1x Important severity)
Adobe Photoshop: 21x Priority 3 CVEs resolved (15x Critical and 6x Important severity)

====================
Update: 15th March 2020:
====================
Security researcher Kevin Beaumont has provided further details of the critical SMBv3.1 vulnerability affecting Windows 10 Version 1903 and 1909. In summary, the vulnerability is not trivial to exploit and the number of systems vulnerable to the exploit had, at the time of writing (13th March), already dropped by 25%.

====================
Update: 12th March 2020:
====================
Microsoft have released an update to resolve the SMBv3 vulnerability, now designated CVE-2020-0796 (EternalDarkness or SMBGhost). Please apply it to any Windows 10 Server or Windows 10 workstation system running Windows 10 Version 1903 or 1909 as soon as possible. Please also make certain that such systems are not exposing port 445 to the internet (please see the FAQ in their information on the relevant update).

An internet scan by security researchers estimates that there are 48,000 vulnerable Windows 10 systems. The ollypwn scan (created by a Danish security researcher) can be used to check if a system is vulnerable.

I wish to add the following useful clarification (which was written before the Microsoft security update became available) from Richard Melick, senior technical product manager at Automox in relation to this SMBv3 vulnerability:

“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities. But that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch…it’s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today”.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Update: 11th March 2020
====================
As expected, yesterday Microsoft released their scheduled updates to resolve 115 CVEs (defined). Unusually for this month, Adobe has not released any updates.

Microsoft’s monthly summary lists Known Issues for 14 Microsoft products but all have workarounds or resolution steps listed, just as the previous month’s did.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
For Windows or Windows Server systems (Version 1903 and 1909) that use SMBv3, please follow Microsoft’s guidance in the following security advisory while an update is not yet available. Please apply the update as soon as it is made available:

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

Please also make certain that TCP port 445 is blocked at the enterprise perimeter firewall to prevent exploitation.

This vulnerability is “wormable”, meaning that, similar to the WannaCry malware and the BlueKeep vulnerability, if exploited it may lead to a very large malware outbreak in a very short time.

====================

Windows LNK: CVE-2020-0684
Windows Media Foundation: CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869
Microsoft Internet Explorer: CVE-2020-0824
Microsoft Browsers: CVE-2020-0768

Microsoft Scripting Engine: CVE-2020-0830, CVE-2020-0847, CVE-2020-0833, CVE-2020-0832, CVE-2020-0829, CVE-2020-0813, CVE-2020-0826, CVE-2020-0827, CVE-2020-0825, CVE-2020-0831, CVE-2020-0811, CVE-2020-0828, CVE-2020-0848, CVE-2020-0823, CVE-2020-0812

Microsoft GDI+: CVE-2020-0881, CVE-2020-0883
Microsoft Word: CVE-2020-0852
Microsoft Dynamics: CVE-2020-0905
Microsoft Edge: CVE-2020-0816

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Netgear
====================
On the 3rd of March, Netgear released 25 security advisories for its modem-router gateways, approximately 40 routers and a range extender. The vulnerabilities range up to critical in severity.

If you own a Netgear router, range extender or modem-router gateway, please use the guidance within this article (many thanks to Tom’s Guide for this advice and the appropriate how to check for updates steps) to locate your Netgear device model e.g. R6400 and to match it against the available security bulletins to check if your device requires a firmware (defined) update sometimes called a software update. Please install the update if one is available. The above linked to article also describes the varied methods to update your Netgear device.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel Smart Sound Technology Advisory
BlueZ Advisory
Intel NUC Firmware Advisory

Medium
Intel MAX 10 FPGA Advisory
Intel Processors Load Value Injection Advisory
Snoop Assisted L1D Sampling Advisory
Intel Optane DC Persistent Memory Module Management Software Advisory
Intel FPGA Programmable Acceleration Card N3000 Advisory
Intel Graphics Drivers Advisory

====================
Mozilla Firefox
====================
Yesterday, Mozilla released Firefox 74 and Firefox ESR (Extended Support Release) 68.6 to resolve the following vulnerabilities:

Firefox 74.0: Addresses 6x high severity CVEs, 6x medium severity CVEs and 1x low CVE

Firefox 68.6 ESR: Addresses 5x high severity CVEs and 3x medium severity CVEs

Firefox 74 also removes support for TLS 1.0 (what is TLS, defined) and 1.1 as per Mozilla’s previous timeline, adds a Facebook Container add-in to limit how much the social network tracks you across other sites and blocks the ability for other applications to install Firefox add-ons without your knowledge or consent. Further details of these features and other features added can be found within this article (my thanks to Lawrence Abrams of Bleepingcomputer.com for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 80.0.3987.132 for Linux, Mac and Windows to resolve 4 security vulnerabilities with the most severe being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Apple Security Updates:
=======================
On the 24th of March Apple made available the following updates. Notable fixes affect the kernels of macOS, iOS and iPadOS, WebKit (the renderer of Safari), Bluetooth and Safari.

These updates bring Safari to version 13.1 and add updates to its Intelligent Tracking Prevention (ITP) privacy feature while also introducing a block on all 3rd party cookies (defined) by default.

Further details for these updates are as follows:
Apple iOS v13.4 and iPadOS 13.4: Resolves 35x CVEs (defined)
Apple tvOS 13.4: Resolves 20x CVEs.
Apple watchOS 6.2: Resolves 17x CVEs
Apple watchOS 5.3.6 (no CVEs resolved)
Apple iTunes version 12.10.5 for Windows: Resolves 13x CVEs
macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra: Resolves 27x CVEs.
Safari 13.1: Resolves 11 CVEs
Apple iCloud for Windows 10.9.3: Resolves 13 CVEs
Apple iCloud for Windows 7.18: Resolves 13 CVEs
Xcode 11.4: Resolves 1 CVE (?: Apple’s post provides little detail)

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always, further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
OpenSSL
====================
On the 17th March the OpenSSL Foundation issued OpenSSL 1.1.1e (download/installation links included) which includes a low severity security fix.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

====================
VMware
====================
VMware have so far released 2 security advisories this month to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
====================
Advisory 2: Severity: Important:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac
VMware Horizon Client for Windows
====================

Advisory 2 (above) has been updated by VMware to state that VMware Fusion has been updated to version 11.5.3 to more comprehensively resolve the vulnerability designated CVE-2020-3950. If you use VMware Fusion, please make certain that it is the latest version available.

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

December 2019 Update Summary

As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.

Adobe resolved 25 CVEs this month with Microsoft separately patching 36 CVEs (defined).
====================
Adobe Brackets (an open source (the source code (human readable code) is free to view and edit by the wider IT community) application development editor focused on web development): 1x Priority 3 CVE resolved (1x Critical severity)

Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)

Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
====================

Within Microsoft’s monthly summary, there are Known Issues for 17 Microsoft products but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468

Microsoft Windows Kernel (defined): CVE-2019-1458

Windows Hyper-V: CVE-2019-1471

Microsoft Visual Studio: CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387

Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs (defined) and used for Windows Hello for Business: Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:

Firefox 71.0: Resolves 6x high severity CVEs (defined) and 5x moderate CVEs

Firefox ESR 68.3 (Extended Support Release): Resolves 4x high severity CVEs and 4x moderate CVEs

Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.

The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves 5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
AMD
=======================
In early December AMD issued a security advisory for its GPU and APU (defined) drivers (defined). It resolves 2 vulnerabilities CVE-2019-5049 and CVE-2019-5098. The steps to install the drivers on Windows are located here with a guide for Linux available here. Please make certain the drivers are version 20.1.1 or later (as per multiple recommendations from Talos, 1 , 2 and 3). As per those same recommendations if you use VMware Player or Workstation Pro, please make certain it is version 15.5.1 or later. If you use the affected AMD graphics cards, please consider updating your drivers to the most recent available.

====================
Nvidia
====================
In late December Nvidia released a security update for Nvidia Geforce Experience to resolve a vulnerability that may lead to a denial of service (defined) issue or an escalation of privilege (defined) issue. This vulnerability is a local vulnerability rather than remote, meaning that an attacker would first need to compromise your system before exploiting this vulnerability to elevate their privileges. To resolve this local vulnerability within Geforce Experience, apply the necessary update by opening Geforce Experience, which will automatically update it, or the update can be obtained from here.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The high priority advisories are the following:

High
Linux Administrative Tools for Intel Network Adapters Advisory

Intel NUC Firmware Advisory

The remaining advisories are of medium and low priority:

Medium
Intel Quartus Prime Pro Edition Advisory

Intel RST Advisory (see also my separate post on this vulnerability)

Control Center-I Advisory

Intel SCS Platform Discovery Utility Advisory

Unexpected Page Fault in Virtualized Environment Advisory

Intel FPGA SDK for OpenCL Advisory

Low
Intel Ethernet I218 Adapter Driver for Windows Advisory

Intel Dynamic Platform and Thermal Framework Advisory

====================
VMware
====================
Similar to last month, VMware released 2 further security advisories, the first is of critical severity with the second being of moderate severity relating to the products:

Critical Severity Advisory:

VMware ESXi
VMware Horizon DaaS appliances

Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
OpenSSL
====================
On the 6th December, the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Apple Security Updates
=======================
Throughout December Apple has released security updates for the following products:

Apple iOS v12.4.4 and 13.3 / iPad OS 13.3: Resolves 1 CVE (defined) and 14 CVEs (respectively)

Apple Safari 13.0.4: Resolves 2 CVEs

Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs

Apple tvOS 13.3: Resolves 11 CVEs

Apple watchOS 5.3.4 and 6.1.1: Resolves 1 CVE and 10 CVEs (respectively)

Apple Xcode 11.3: Resolves 1 CVE

Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs

Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs

Apple iCloud for Windows 10.9: Resolves 4 CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always, further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In early December the following Wireshark updates were released:

v3.0.7: 1 security advisory

v2.6.13: 1 security advisory

The above v3.0.7 version was later superseded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.0.7 or v2.6.13)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

October 2019 Update Summary

================
Update: 25th October 2019
================
Apologies for the delay in updating this post due to professional commitments.

I wanted to provide details of this month’s security updates from Microsoft and Adobe. On the 8th of October, Microsoft made available their updates resolving 59 vulnerabilities, more formally known as CVEs (defined).

Separately Adobe made available their updates a week later:

====================

Adobe Acrobat and Reader: 68x Priority 2 CVEs resolved (45x critical severity, 23x Important severity)

Adobe Download Manager: Priority 3 CVE resolved (1x Important severity)

Adobe Experience Manager: Priority 2 CVEs (1x Critical CVE, 7x Important and 4x Moderate severity)

Adobe Experience Manager Forms: 1x Priority 3 CVE (1x Important severity)

As always, if you use these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Acrobat/Reader and Experience Manager updates.

====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. All issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

As for stability, I have installed all of this month’s updates on my Windows 10 systems (Builds 18362.388, 18362.418), most recently the new kb4522355 (for Windows 10 Version 1903 Build 18362.449), and have not experienced any issues. Indeed, this update was intended to resolve the issues, e.g. with the Start menu, that caused me to advise not to install Windows 10 updates earlier this month. Obviously, please continue to back up and test your systems as you usually would before widely rolling out these updates but in general you should be fine.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2019-1307, CVE-2019-1308, CVE-2019-1366

VBScript Remote Code Execution Vulnerability: CVE-2019-1238, CVE-2019-1239

Azure Stack Remote Code Execution Vulnerability: CVE-2019-1372

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2019-1333

MS XML Remote Code Execution Vulnerability: CVE-2019-1060

Windows Error Reporting Manager Elevation of Privilege Vulnerability: CVE-2019-1315

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On 22nd October Mozilla released Firefox 70 to address multiple critical vulnerabilities and to once again introduce further privacy features (see below):

Firefox 70: Resolves 1x critical CVE (defined) (but consisting of multiple vulnerabilities), 3x high CVEs, 8x moderate and 1x low CVE

Firefox ESR 68.2 (Extended Support Release): Resolves 1x critical CVE (but consisting of multiple vulnerabilities), 3x high CVEs, 5x moderate

Highlights from version 70 of Firefox include:

Details of improvements in the macOS and Windows versions of Firefox are provided in this article. The blocking of social networking tracking is discussed in another article.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
On October 22nd, Google released Chrome version 78.0.3904.70. This update resolves a high severity flaw that earned the researcher who reported it $20,000. The Multi-State Information Sharing and Analysis Center (MS-ISAC) stated “successful exploitation could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.” In total, this update contains 37 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
WinSCP:
=======================
In mid October; WinSCP version 5.15.5 was released upgrading its embedded version of PuTTY (the Windows SSH client) to 0.73 (along with its SSH private key tools to the same version) resolving 2 vulnerabilities (with one other issue possibly security related). WinSCP 5.15.6 has since been released as a non-security update.

Thank you.

================
Update: 8th October 2019
================
Unfortunately due to professional commitments I won’t be able to update this post today with details of Adobe’s and Microsoft’s updates. I will do so as soon as possible this week.

Thanks for your understanding.

================
Original Post
================
On the 23rd of September Microsoft issued two out of band (unscheduled) security updates to resolve 2 zero-day (defined) vulnerabilities. The vulnerabilities affect Internet Explorer and Windows Defender.

Microsoft has drawn criticism for adding confusion to these updates since they are not available on Windows Update but must be installed manually. For Windows 10 Version 1903 this prompted the release of kb4524147 which at this time I do NOT recommend you install since it is causing some systems not to boot, not being able to print and in some cases the Start menu is crashing.

With further security updates expected from Microsoft tomorrow, please await those updates and re-assess if you should install them. I’ll update this post tomorrow with more information on the new monthly updates.

Separately since Windows Defender updates automatically you should have received the relevant anti-malware engine update (Version: 1.1.14700.5) 48 hours after the 23rd September.

Thank you.

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2x Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager: 1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible, especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to “The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS): CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144 CVE-2019-1152 CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-2019-5521 (from the advisory linked above) to also exploit CVE-2019-5684 in Nvidia’s GPU driver (see below) and gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Late last week Nvidia issued a security advisory related to the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities, meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Baptiste Kempf, explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP, Lexmark, Kyocera, Brother, Ricoh and Xerox Printers
=======================
The following links detail the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter, a security researcher from Pen Test Partners, disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to Cloudflare these vulnerabilities are already being exploited: “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

February 2019 Update Summary

Earlier today Microsoft made available 13 bulletins and 3 advisories resolving 74 vulnerabilities (more formally known as CVEs (defined)). As always more details are available from Microsoft’s monthly summary page.

Also today Adobe released scheduled updates for the products listed below addressing 75 CVEs in total:

Adobe Acrobat and Reader: 71x priority 2 CVEs resolved (43 of the 75 are Critical, the remainder are Important severity)

Adobe ColdFusion: 2x priority 2 CVEs resolved

Adobe Creative Cloud Desktop Application: 1x priority 3 CVE resolved

Adobe Flash Player: 1x priority 2 CVE resolved

If you use the affected Adobe products; due to the public disclosure (defined) of CVE-2019-7089 as a zero day (defined) vulnerability, please install the Adobe Acrobat and Reader updates first followed by Flash Player and the remaining updates. I provide more detail on the zero day vulnerability in a separate post.

As we are accustomed to, Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates or for which workarounds are provided. They are listed below for your reference:

4345836
4471391
4471392
4483452
4486996
4487017
4487020
4487026
4487044
4487052

You can monitor the availability of security updates for most of your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft GDI+

Scripting Engine (CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0640, CVE-2019-0642, CVE-2019-0648, CVE-2019-0649, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655, CVE-2019-0658)

Windows DHCP

Microsoft Exchange

Microsoft SharePoint and CVE-2019-0604

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
8 security vulnerabilities, with the most severe having a CVSS V3 (defined) base score of 8.8, have been resolved within Nvidia’s graphics card drivers (defined) in February. These vulnerabilities affect Linux, FreeBSD, Solaris and Windows. The steps to install the drivers are detailed here (and here) for Ubuntu and here for Linux Mint. Windows install steps are located here. If you use an affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
7-Zip:
=======================
In the 3rd week of February; 7-Zip version 19.00 was released. While it is not designated as a security update; the changes it contains appear to be security related. While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. Directory Opus version 12.2.2 Beta includes version 19.00 of the 7-Zip DLL.

If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from these improvements.

=======================
Changes:
=======================
– Encryption strength for 7z archives was increased:
the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved.
– Some bugs were fixed.
=======================

If you are using the standalone version and it’s older than version 19, please consider updating it.

=======================
Mozilla Firefox
=======================
In mid-February Mozilla issued updates for Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65.0.1: Resolves 3x high CVEs (defined)

Firefox 60.5.1: Resolves 3x high CVEs

As always; details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from changes such as improvements to Netflix playback, color management on Apple macOS and resolving audio/video delays during WebRTC calls etc.

=======================
Wireshark 3.0.0, 2.6.7 and 2.4.13
=======================
v3.0.0: 0 security advisories (new features and benefits discussed here and here)

v2.6.7: 3 security advisories

v2.4.13: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.0, v2.6.6 or v2.4.12)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Note: from this post onwards, I will only report on the most recent (v3.0) and previous branches (v2.6) of Wireshark.

Thank you.