Tag Archives: Adobe Reader

July 2021 Update Summary

I hope you and your families are doing well.

As scheduled, Adobe and Microsoft earlier today made available their monthly security updates. They address 29 and 117 vulnerabilities (respectively) also known as CVEs (defined).

Let us begin with summarising Adobe’s updates for this month:

Adobe Acrobat and Reader: Addresses 20x Priority 2 CVEs (14x Critical Severity and 6x Important Severity)

Adobe Bridge: Addresses 5x Priority 3 CVEs (4x Critical Severity and 1x Moderate Severity)

Adobe Dimension: Addresses 1x Priority 3 CVE (1x Critical Severity)

Adobe Framemaker: Addresses 1x Priority 3 CVE (1x Critical Severity)

Adobe Illustrator: Addresses 3x Priority 3 CVEs (2x Critical Severity and 1 Important Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

The most important update this month was released earlier in July. It is the Windows Print Spooler Remote Code Execution Vulnerability: CVE-2021-34527 which addresses the vulnerability known as PrintNightmare. After installing this update, please make certain that steps 1, 2 and the Group policy setting from this KB article are also implemented (both registry DWORD entries should be zero) to better protect against other related exploits.

The image below is a flow diagram (courtesy of Carnegie Mellon University, image is Copyright ©2021 Carnegie Mellon University. My thanks to them for publishing this diagram) which details how an exploit may attempt to either remotely or locally compromise your Windows system. In addition, the diagram shows how the extra registry values described in this KB article help to protect your system from the locally exploitable aspect of this vulnerability.

====================

Windows Print Spooler Remote Code Execution Vulnerability: CVE-2021-34527

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-34473

Windows Kernel Elevation of Privilege Vulnerability: CVE-2021-31979

Windows Kernel Elevation of Privilege Vulnerability: CVE-2021-33771

Scripting Engine Memory Corruption Vulnerability: CVE-2021-34448

Microsoft Exchange Server Elevation of Privilege Vulnerability: CVE-2021-34523

Windows Kernel Remote Code Execution Vulnerability: CVE-2021-34458

Active Directory Security Feature Bypass Vulnerability: CVE-2021-33781

Windows ADFS Security Feature Bypass Vulnerability: CVE-2021-33779

Windows Certificate Spoofing Vulnerability: CVE-2021-34492

Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-34494

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2021-34450

Dynamics Business Central Remote Code Execution Vulnerability: CVE-2021-34474

Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-34464

Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-34522

Microsoft Windows Media Foundation Remote Code Execution Vulnerability: CVE-2021-34439

Microsoft Windows Media Foundation Remote Code Execution Vulnerability: CVE-2021-34503

Windows Media Remote Code Execution Vulnerability: CVE-2021-33740

Windows MSHTML Platform Remote Code Execution Vulnerability: CVE-2021-34497

====================

Following standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families are safe and well during these continuing uncertain times. Thank you.

====================
Mozilla Firefox
====================
Earlier today Mozilla released Firefox 90 and Firefox ESR (Extended Support Release) 78.12 to resolve the following vulnerabilities:

Firefox 90: Addresses 5x High Severity CVEs and 4x Moderate Severity CVEs

Firefox ESR 78.12: Addresses 3x High Severity CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 90 also introduced the features listed at this link.

====================
VMware
====================
VMware has released 2 security advisories so far in July to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Important
VMware ESXi and VMware Cloud Foundation (Cloud Foundation)

Advisory 2: Severity: Moderate:

VMware ThinApp

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

June 2021 Update Summary

Leave a reply

I hope you are all safe and well.

Earlier today Adobe and Microsoft released their expected monthly security updates. The updates resolve 41 and 50 vulnerabilities (respectively) more formally known as CVEs (defined).

Similar to last month Adobe’s updates for June address vulnerabilities across a diverse set of their products:

Adobe Acrobat and Reader: Addresses 5x Priority 2 vulnerabilities (5x Critical Severity)

Adobe After Effects: Addresses 16x Priority 3 vulnerability (8x Critical Severity, 7x Important Severity and 1x Moderate Severity)

Adobe Animate: Addresses 8x Priority 3 vulnerability (4x Critical Severity, 3x Important Severity and 1x Moderate Severity)

Adobe Connect: Addresses 1x Priority 3 vulnerability (1x Important Severity)

Adobe Creative Cloud Desktop: Addresses 2x Priority 3 vulnerabilities (1x Critical and 1x Important Severity)

Adobe Experience Manager: Addresses 4x Priority 2 vulnerabilities (3x Important Severity, 1x Moderate Severity)

Adobe Photoshop: Addresses 2x Priority 3 vulnerabilities (2x Critical Severity)

Adobe Photoshop Elements: Addresses 1x Priority 3 vulnerability (1x Important Severity)

Adobe Premiere Elements: Addresses 1x Priority 3 vulnerability (1x Important Severity)

Adobe RoboHelp Server: Addresses 1x Priority 3 vulnerability (1x Critical Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

====================

Windows MSHTML Platform Remote Code Execution Vulnerability: CVE-2021-33742 (This vulnerability has been publicly disclosed and is being exploited)

Microsoft DWM Core Library Elevation of Privilege Vulnerability: CVE-2021-33739 (This vulnerability has been publicly disclosed and is being exploited)

Windows NTFS Elevation of Privilege Vulnerability: CVE-2021-31956 (This vulnerability is being exploited)

Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability: CVE-2021-31199 and CVE-2021-31201 (These vulnerabilities are being exploited)

Windows Kernel Information Disclosure Vulnerability: CVE-2021-31955 (This vulnerability is being exploited)

Remote Desktop Services Denial of Service Vulnerability: CVE-2021-31968 (This vulnerability has been publicly disclosed)

Microsoft SharePoint Server Remote Code Execution Vulnerability: CVE-2021-31963

Microsoft Windows Defender Remote Code Execution Vulnerability: CVE-2021-31985

Microsoft Scripting Engine Memory Corruption Vulnerability: CVE-2021-31959

Microsoft VP9 Video Extensions Remote Code Execution Vulnerability: CVE-2021-31967

====================

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families continue to do well during these tough times. Thank you.

====================
Mozilla Firefox
====================
On the 1st June Mozilla released Firefox 89 and Firefox ESR (Extended Support Release) 78.11 to resolve the following vulnerabilities:

Firefox 89: Addresses 2x High Severity CVEs, 5x Moderate Severity CVEs and 2x Low Severity CVEs

Firefox ESR 78.11: Addresses 1x High Severity CVE and 1x Moderate Severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 88 also introduced the features listed at this link. Firefox 89 also introduced the features listed at this link.

May 2021 Update Summary

Leave a reply

During the second week of May, Adobe and Microsoft released their expected monthly security updates. They addressed 44 and 55 vulnerabilities (respectively) more formally known as CVEs (defined). System administrators may be pleased to see the decrease in the number of updates from Microsoft for that month. Apologies for not publishing this post sooner.

Adobe’s updates for May month address issues across a diverse range of products:

Adobe Acrobat and Reader: Resolves 14x Priority 1 vulnerabilities (10x Critical Severity and 4x Important Severity)

Adobe After Effects: Resolves 3x Priority 3 vulnerabilities (2x Critical Severity and 1x Important Severity)

Adobe Animate: Resolves 7x Priority 3 vulnerabilities (2x Critical and 5x Important Severity)

Adobe Creative Cloud Desktop: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Experience Manager: Resolves 2x Priority 2 vulnerabilities (1x Critical Severity and 1x Important Severity)

Adobe Genuine Service: Resolves 1x Priority 3 vulnerability (1x Important Severity)

Adobe Illustrator: Resolves 5x Priority 3 vulnerabilities (5x Critical Severity)

Adobe InCopy: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe InDesign: Resolves 3x Priority 3 vulnerabilities (3x Critical Severity)

Adobe Medium: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Media Encoder: Resolves 1x Priority 3 vulnerability (1x Important Severity)

Magento Security Updates: Resolves 7x Priority 2 vulnerabilities (1x Important Severity and 6x Moderate Severity)

Just as always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

====================

Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability: CVE-2021-31166 (This vulnerability is wormable and a proof of concept exploit is available)

Microsoft Hyper-V Remote Code Execution Vulnerability: CVE-2021-28476 (a proof of concept exploit for this vulnerability is also available)

Microsoft Exchange Server Security Feature Bypass Vulnerability: CVE-2021-31207

Microsoft OLE Automation Remote Code Execution Vulnerability: CVE-2021-31194

Microsoft .NET Core and Visual Studio Elevation of Privilege Vulnerability: CVE-2021-31204

Microsoft Common Utilities Remote Code Execution Vulnerability: CVE-2021-31200

Microsoft Scripting Engine Memory Corruption Vulnerability: CVE-2021-26419

====================

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

To all of my readers, I hope you and your families are doing well during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May Mozilla released Firefox 88.0.1 and Firefox ESR (Extended Support Release) 78.10.1 to resolve the following vulnerabilities:

Firefox 88.0.1: Addresses 1x Critical Severity CVE and 1x High Severity CVE

Firefox ESR 78.10.1: Addresses 1x Moderate Severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 88 also introduced the features listed at this link.

====================

Google Chrome

====================

Google released 2 Chrome updates in May versions 90.0.4430.212 and 91.0.4472.77 for Linux, Mac and Windows to resolve 19 and 33 security vulnerabilities (respectively).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Putty
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.75 in early May. It contains 1 security fixes (see below). Version 0.75 is downloadable from here.

If you use Putty, please update it to version 0.75. Thank you.

Security vulnerability fixed:

vuln-windows-remote-title-dos: Rapid changes of window title can DoS Windows GUI

====================
VideoLAN VLC
====================
On the 10th of May VideoLAN released version 3.0.13 resolving 4 known vulnerabilities. The other non-security improvements introduced are detailed in the above 3.0.13 link and within the changelog. Version 3.0.14 was later released to address an auto-update issue (not security related).

The most recent versions of VLC can be downloaded from:
http://www.videolan.org/vlc/

====================
VMware
====================
VMware released 4 security advisories to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:
VMware vRealize Business for Cloud

Advisory 2: Severity: Low:

VMware Workspace ONE UEM console

Advisory 3: Severity: Low:

VMware Workstation Pro / Player (Workstation)

VMware Horizon Client for Windows

Advisory 4: Severity: Critical:

VMware vCenter Server (vCenter Server)

VMware Cloud Foundation (Cloud Foundation)

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

February 2021 Update Summary

Leave a reply

To my readers; I hope you and your families are safe and well. Sorry for the delay in publishing this post. However, it does contain information made available after the 9th February and should still prove useful.

Tuesday, 9th February was the release day for Adobe and Microsoft’s scheduled security updates. Adobe addressed 50 vulnerabilities and Microsoft resolved 56 vulnerabilities more formally known as CVEs (defined).

Let’s begin with Adobe’s security updates:

Adobe Acrobat and Reader: Addresses 23x Priority 1 (17x Critical Severity and 6x Important Severity) vulnerabilities

Adobe Animate: Addresses 1x Priority 3 (1x Critical Severity) vulnerabilities

Adobe Dreamweaver: Addresses 1x Priority 3 (1x Important Severity) vulnerabilities

Adobe Illustrator: Addresses 2x Priority 3 (2x Critical Severity) vulnerabilities

Magento: Addresses 18x Priority 2 (7x Critical, 10x Important and 1x Moderate Severity) vulnerabilities

Adobe Photoshop: Addresses 5x Priority 3 (5x Critical Severity) vulnerabilities

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

Separately, Microsoft from the 16th February onwards began releasing an optional update for Windows 10 that removes the embedded version of Flash Player (that was previously used by Internet Explorer).

I installed this update on my 3x Windows 10 20H2 systems (2x physical and 1x virtual machine). The update never requested a reboot. It left behind some empty folders (the locations of which are detailed here). This was a very smooth removal. I will install this update on my 2x physical Windows 8.1 systems when it is offered to them (likely in March 2021).

=======================

Microsoft currently lists 36 Known Issues within its monthly summary. Almost all have workarounds or resolutions (others have solutions currently being worked upon). Please review the list from the above link if you have any concerns.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/
====================

For this month’s Microsoft updates, as always I will prioritise the order of installation below:
====================

Microsoft Windows Win32k Elevation of Privilege Vulnerability: CVE-2021-1732

Windows TCP/IP Remote Code Execution Vulnerability: CVE-2021-24074

Windows TCP/IP Remote Code Execution Vulnerability: CVE-2021-24094

Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-24078

Windows Local Spooler Remote Code Execution Vulnerability: CVE-2021-24088

Windows Graphics Component Remote Code Execution Vulnerability: CVE-2021-24093

.NET Core for Linux Remote Code Execution Vulnerability: CVE-2021-14112

Microsoft .NET Core and Visual Studio Remote Code Execution Vulnerability: CVE-2021-26701

Windows Fax Service Remote Code Execution Vulnerability: CVE-2021-24077

Windows Fax Service Remote Code Execution Vulnerability: CVE-2021-1722

Sysinternals PsExec Elevation of Privilege Vulnerability: CVE-2021-1733 (a revised fixed was made available by Microsoft in March 2021)

Microsoft Windows Codecs Library Remote Code Execution Vulnerability: CVE-2021-24081

Windows Camera Codec Pack Remote Code Execution Vulnerability: CVE-2021-24091

Microsoft Windows Installer Elevation of Privilege Vulnerability: CVE-2021-1727

Microsoft .NET Core and Visual Studio Remote Code Execution Vulnerability: CVE-2021-1721

Windows Console Driver Denial of Service Vulnerability: CVE-2021-24098

Windows DirectX Information Disclosure Vulnerability: CVE-2021-24106

I have also provided further details of updates available for other commonly used applications below.

To all of my readers; I hope you and your families stay safe during these tough times. Thank you.

====================
Mozilla Firefox
====================
In the first week of February Mozilla made available Firefox 85.0.1 and Firefox ESR (Extended Support Release) 78.7.1 to resolve the following critical vulnerability:

Firefox 85.0.1 and Firefox ESR 78.7.1: Resolves 1x Critical severity CVE

A mitigation for the Windows 10 NTFS Corruption vulnerability was also added to Firefox 85.0.1. My thanks to BleepingComputer for their article on that issue.

Later on, the 23rd February, Mozilla made available Firefox 86 and Firefox ESR 78.8 to resolve the following vulnerabilities:

Firefox 86: Resolves 5x High severity, 4x Moderate and 3x Low severity CVEs

Firefox ESR 78.8: Resolves 3x High and 1x Low severity CVEs

Firefox 86 introduces Total Cookie Protection and multiple picture in picture (among other features detailed here).

====================
Google Chrome
====================
Google has released 4 Chrome updates so far in February version 88.0.4324.146 , version 88.0.4324.150 and version 88.0.4324.182 for Linux, Mac and Windows to resolve 6, 1 and 10 security vulnerabilities (respectively). Version 88.0.4324.190 and 192 for Mac do not contain security updates. Version 88 of Chrome removes support for Adobe Flash.

====================
Cyberpunk 2077
====================
The popular video game Cyberpunk 2077 has released a security update, hotfix version 1.12 to resolve the following security issues:

Fixed a buffer overrun (defined) issue

Removed/replaced non-ASLR (defined) DLLs (defined)

My thanks to BleepingComputer for their article listing the availability of this security update.

====================
Apple Security Updates
====================
Apple had released the following security updates so far in February:

Apple macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave: Addresses 66x CVEs

Apple Safari 14.0.3: Addresses 3X CVEs

Apple macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002: Addresses 3x CVEs

December 2020 Update Summary

Leave a reply

To my readers; I hope all is well for you and our families.

As expected, earlier this week Adobe and Microsoft issued their monthly security updates. These updates address 4 and 58 vulnerabilities (respectively) more formally known as CVEs (defined).

Let’s begin with Adobe updates; while 4 updates were made available yesterday.

Adobe Experience Manager: 2x Priority 2 (1x Critical Severity and 1x Important Severity)

Adobe Prelude: Resolves 1x Priority 3 CVE (1x Critical Severity)

Adobe Lightroom: Resolves 1x Priority 3 CVE (1x Critical Severity)

Adobe Acrobat and Reader: Resolves 1x Priority CVEs (1x Important Severity)(at the time of writing the updates have not yet been made available)

If you use any of the above Adobe products, please consider updating them especially those with critical severity updates. Microsoft’s plans for Flash Player are detailed in their blog post.

Microsoft’s monthly summary; lists Known Issues for 15 Microsoft products this month, all but one has a workaround.

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritise the order of installation below:
====================
Microsoft Exchange Remote Code Execution Vulnerability: CVE-2020-17132

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2020-17095

Chakra Scripting Engine Memory Corruption Vulnerability: CVE-2020-17131

Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability: CVE-2020-17152

Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability: CVE-2020-17158

Microsoft Exchange Remote Code Execution Vulnerability: CVE-2020-17117

Microsoft Exchange Remote Code Execution Vulnerability: CVE-2020-17142

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-17118

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-17121

I have also provided further details of updates available for other commonly used applications below.

To all of my readers and your families, I hope you are continuing to stay safe during these challenging times. Happy Holidays and Best Wises for the New Year. Thank you.

====================
Google Chrome
====================
So far this month, Google has made available 1 Chrome update version 87.0.4280.88 for Linux, Mac and Windows to resolve 8 security vulnerabilities. Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

November 2020 Update Summary

Leave a reply

To my readers; I hope you and your families are doing well. Apologies for not publishing this post sooner.

As scheduled earlier this week; Adobe and Microsoft issued their monthly security updates. These updates address 17 and 112 vulnerabilities (respectively) more formally known as CVEs (defined).

First, let’s detail the Adobe updates; the Acrobat update was released a week ago:

Adobe Connect: Resolves 2x Priority 3 CVEs (2x Important Severity)

Adobe Acrobat and Reader: Resolves 14x Priority 2 CVEs (4x Critical Severity, 6x Important Severity and 4x Moderate Severity)

Adobe Reader Mobile: Resolves 1 x Priority 3 (1x Important Severity)

If you use any of the above Adobe products, especially Acrobat or Reader with its critical severity updates; please install these updates as soon as possible.

Microsoft’s monthly summary; lists Known Issues for 17 Microsoft products again this month but all have workarounds listed.

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritise the order of installation below:
====================
Windows Network File System Remote Code Execution Vulnerability: CVE-2020-17051

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2020-17084

Windows Kernel Local Elevation of Privilege Vulnerability: CVE-2020-17087

Windows Hyper-V Security Feature Bypass Vulnerability: CVE-2020-17040

Chakra Scripting Engine Memory Corruption Vulnerability: CVE-2020-17048

Scripting Engine Memory Corruption Vulnerability: CVE-2020-17052

Internet Explorer Memory Corruption Vulnerability: CVE-2020-17053

Microsoft Browser Memory Corruption Vulnerability: CVE-2020-17058

Azure Sphere Elevation of Privilege Vulnerability: CVE-2020-16988

AV1 Video Extension Remote Code Execution Vulnerability: CVE-2020-17105

HEIF Image Extensions Remote Code Execution Vulnerability: CVE-2020-17101

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17106

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17107

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17108

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17109

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17110

Raw Image Extension Remote Code Execution Vulnerability: CVE-2020-17078

Raw Image Extension Remote Code Execution Vulnerability: CVE-2020-17079

Raw Image Extension Remote Code Execution Vulnerability: CVE-2020-17082

Windows Print Spooler Remote Code Execution Vulnerability: CVE-2020-17042

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are continuing to stay safe during these tough times. Thank you.

====================
Google Chrome
====================
So far this month, Google has made available 4 Chrome updates version 86.0.4240.183 , 86.0.4240.193, 86.0.4240.198 and 87.0.42809.67 for Linux, Mac and Windows to resolve 10, 1, 2, and 33 security vulnerabilities (respectively) and to introduce new features (please see this BleepingComputer link for details). My thanks to BleepingComputer for this detailed description.

====================
Mozilla Firefox
====================
In the second week of November, Mozilla released Firefox 82.0.3 and Firefox ESR (Extended Support Release) 78.4.1 to resolve the following security vulnerabilities:

Firefox 82.0.3: Resolves 1x Critical severity CVE

Firefox ESR 78.4.1: Resolves 1x Critical severity CVE

Later during the 3rd week of November, Mozilla made Firefox 83 which again resolved security vulnerabilities (details provided below) and introduced new features such as HTTPS only mode, and improved PDF viewer as well as improved JavaScript performance and reduced memory usage etc. My thanks to BleepingComputer for this explanation.

Firefox 83: Resolves 4x High Severity CVEs, 11x Moderate CVEs, 6x Low CVEs

Firefox ESR 78.5: Resolves 2x High Severity CVEs, 8x Moderate and 2x Low CVEs

====================
VMware
====================
VMware released 3 security advisories impacting the following products. If you use any of the VMware products listed below, please review the above advisories and install the applicable security updates as soon as possible:

Advisory 1: Severity: Important:
VMware SD-WAN Orchestrator (SD-WAN Orchestrator)

Advisory 2: Severity: Critical:
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation

Advisory 3: Severity: Critical:
VMware Workspace One Access (Access)
VMware Workspace One Access Connector (Access Connector)
VMware Identity Manager (vIDM)
VMware Identity Manager Connector (vIDM Connector)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

August 2020 Update Summary

Leave a reply

I hope this post finds you safe and well in these uncertain and tough times.

As scheduled, earlier today Adobe and Microsoft released their security updates. These updates resolve 26 and 120 vulnerabilities (respectively) more formally known as CVEs (defined).

As mentioned last month by ZDI with the very large number of CVEs being resolved each month by Microsoft (862 CVEs in total, 11 more than in all of the year 2019); is increasing the pressure on system admins to patch systems even in these challenging times.

I’ll start with summarising the updates made available by Adobe:

Adobe Acrobat and Reader: Resolves 25x Priority 2 CVEs (11x Critical Severity and 14x Important Severity)

Adobe Lightroom: Resolves 1x Priority 3 CVE (1x Important Severity)

If you use either of the above Adobe products, especially Acrobat or Reader with its critical severity updates; please install these updates as soon as possible.

Microsoft’s monthly summary; lists Known Issues for 11 Microsoft products again this month but all have workarounds listed.

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
The highest priority updates for this month start with the following two vulnerabilities; both of which are being exploited in the wild (until today as zero day (defined) vulnerabilities) and one of which has been publicly disclosed:

Windows Spoofing Vulnerability: CVE-2020-1464

Microsoft Windows Scripting Engine Memory Corruption Vulnerability: CVE-2020-1380

====================
Microsoft Outlook Memory Corruption Vulnerability: CVE-2020-1483

Microsoft .NET Framework Remote Code Execution Vulnerability: CVE-2020-1046

Window Media Foundation Memory Corruption Vulnerabilities: CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1554, CVE-2020-1525

Microsoft Windows Codecs Library Remote Code Execution Vulnerabilities: CVE-2020-1560, CVE-2020-1576, CVE-2020-1585

Microsoft Edge PDF Remote Code Execution Vulnerability: CVE-2020-1568

Microsoft Windows Scripting Engine Memory Corruption Vulnerabilities: CVE-2020-1555, CVE-2020-1570

Microsoft NetLogon Elevation of Privilege Vulnerability: CVE-2020-1472

MSHTML Engine Remote Code Execution Vulnerability: CVE-2020-1567

Microsoft Windows Media Remote Code Execution Vulnerability: CVE-2020-1339

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are continuing to stay safe during these unprecedented times. Thank you.

====================
Google Chrome
====================
Yesterday, Google made available Chrome version 84.0.4147.125 for Linux, Mac and Windows to resolve 15 security vulnerabilities and to introduce new features (please the see above Google link for details).

====================
Intel Security Advisories
====================
Earlier today Intel made available 18 security advisories which I have prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the critical and high severity advisories.

Critical
Intel Server Boards, Server Systems and Compute Modules Advisory

High
Intel Server Board Families Advisory

Intel Server Board M10JNP2SB Advisory

Intel RAID Web Console 3 for Windows Advisory

Intel Graphics Drivers Advisory

Intel Wireless for Open Source Advisory

Intel Wireless Bluetooth Advisory

Intel NUC Firmware Advisory

Intel PAC with Arria 10 GX FPGA Advisory

Medium
Intel PROSet/Wireless WiFi Software Advisory

Intel SSD DCT Advisory

Intel RSTe Software RAID Driver Advisory

Intel Mailbox Interface Driver Advisory

Intel Computing Improvement Program Advisory

Intel Distribution of OpenVINO Toolkit Advisory

Intel RealSense D400 Series UWP Advisory

Intel Thunderbolt Controller Advisory

Intel LED Manager for NUC Advisory

====================
VMware
====================
VMware released 2 security advisories to resolve vulnerabilities within the following products:
Advisory 1: Severity: Moderate:

VMware ESXi
VMware vCenter Server
VMware Cloud Foundation

Advisory 2: Severity: Moderate:
VMware App Volumes

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

May 2020 Update Summary

Leave a reply

I hope this posts finds you doing well in these difficult times.

I’m writing this post early to highlight the availability of 2 important updates, for Mozilla Firefox and Google Chrome. I’ll update the post when Adobe and Microsoft release their expected security updates.

Thank you and please stay safe.

====================
Update: 19th May 2020
====================
Sorry for not updating this post sooner.

As scheduled both Adobe and Microsoft released their monthly security updates addressing 36 vulnerabilities and 111 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as following:

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

Adobe DNG Software Development Kit (SDK): 12x Priority 3 CVEs resolved (4x Critical and 8x Important severity)

Adobe have since released further security updates:

Adobe Audition: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Character Animator: 1x Priority 3 CVE resolved (1x Critical severity)

Adobe Premiere Pro: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Premiere Rush: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

If you use the above Adobe products, please install these updates as soon as possible since they resolve multiple critical vulnerabilities. Similar to January, March and April no updates for Adobe Flash were released.

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows Graphics Component: CVE-2020-1135

Visual Studio Code Python Extension: CVE-2020-1058, CVE-2020-1060, CVE-2020-1171 , CVE-2020-1192

Microsoft Internet Explorer: CVE-2020-1062

VBScript Remote Code Execution Vulnerability: CVE-2020-1035

Microsoft Edge CVE-2020-1056 , CVE-2020-1059 , CVE-2020-1096

Microsoft SharePoint: CVE-2020-1023 , CVE-2020-1024, CVE-2020-1102

Windows kernel: CVE-2020-1054, CVE-2020-1143

Windows Media Foundation: CVE-2020-1126

Microsoft Color Management: CVE-2020-1117

Windows Print Spooler: CVE-2020-1048

Microsoft Windows Transport Layer Security Denial of Service Vulnerability: CVE-2020-1118

Please install the remaining updates at your earliest convenience.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May, Mozilla released Firefox 76 and Firefox ESR (Extended Support Release) 68.8 to resolve the following vulnerabilities:

Firefox 76.0: Addresses 3x critical severity CVEs, 2x high severity CVEs, 4x moderate CVEs and 1x low CVE

Firefox 68.8 ESR: Addresses 3x critical severity CVEs, 2x high severity CVEs and 2x moderate severity CVEs

Firefox 76 introduces a new password manager (with the ability to generate difficult to guess passwords) which includes a means of detecting if a password was part of a password breach and now requires changing or the use of the same password on multiple websites.

An improved picture in picture experience is also included. Firefox 76.0.1 has since been released resolving non-security issues such as crashing add-ons e.g. the Amazon Assistant extension and crashing with Nvidia GPU drivers on Windows 7 32 bit (my thanks to Bogdan Popa of Softpedia.com and Mozilla for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 81.0.4044.138 for Linux, Mac and Windows to resolve 3 security vulnerabilities with the most severe 2 issues being of high severity.

In mid-May, Google released version 83 of Google Chrome for Linux, Mac and Windows resolves 38 security vulnerabilities and adds multiple security features and features such as tab groups.

====================
VMware
====================

VMware released 3 security advisories this month to resolve vulnerabilities within the following products:

====================

Advisory 1: Severity: Critical:
VMware vRealize Operations Application Remote Collector (ARC)

Advisory 2: Severity: Important
VMware Cloud Director

Advisory 3: Severity: Important
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac

====================

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

=======================
Apple Security Updates:
=======================
In mid May Apple made available the following updates. Further details for these updates are as follows:

Apple watchOS 6.2.5: Resolves 34x CVEs (defined)

Apple watchOS 5.3.7: Resolves 2x CVEs
Apple xCode 11.5: Resolves 1x CVE
Apple tvOS 13.4.5: Resolves 34x CVEs
Apple iOS 13.5 and iPadOS 13.5: Resolves 47x CVEs
Apple iTunes 12.10.7 for Windows: Resolves 12x CVEs
Apple iCloud for Windows 7.19 (for Windows 7): Resolves 12x CVEs
Apple Safari 13.1.1: Resolves 10x CVEs
Windows Migration Assistant 2.2.0.0: Resolves 1 CVE
Apple iCloud 11.2 for Windows 10 (available from the Microsoft Store): Resolves 12x CVEs
macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra: Resolves 54x CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In the second half of May, Wireshark made available the following updates (I’ll detail only the 2 most recent versions here):

v3.2.4: Relating to 1 security advisory (relating to 1 CVE)
v3.0.11: Relating to 1 security advisory (relating to 1 CVE)

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.4 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

October 2019 Update Sumamry

Leave a reply

================
Update: 25th October 2019
================
Apologies for the delay in updating this post due to professional commitments.

I wanted to provide details of this month’s security updates from Microsoft and Adobe. On the 8th of October, Microsoft made available their updates resolving 59 vulnerabilities more formally known CVEs (defined).

Separately Adobe made available their updates a week later:

====================

Adobe Acrobat and Reader: 68x Priority 2 CVEs resolved (45x critical severity, 23x Important severity)

Adobe Download Manager: Priority 3 CVE resolved (1x Important severity)

Adobe Experience Manager: Priority 2 CVEs (1x Critical CVE, 7x Important and 4x Moderate severity)

Adobe Experience Manager Forms: 1x Priority 3 CVE (1x Important severity)

As always, if you use these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Acrobat/Reader and Experience Manager updates.

====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. All issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

As for stability, I have installed all of this month’s updates on my Windows 10 systems (Builds 18362.388 , 18362.418) most recently the new kb4522355 (for Windows 10 Version 1903 Build 18362.449) and have not experienced any issues. Indeed, this update was intended to resolve the issues e.g. among with the Start menu that caused me to advise not to install Windows 10 updates earlier this month. Obviously, please continue to backup and test your systems as you usually would before install widely rolling out these updates but in general you should be fine.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2019-1307 CVE-2019-1308 CVE-2019-1366

VBScript Remote Code Execution Vulnerability: CVE-2019-1238 CVE-2019-1239

Azure Stack Remote Code Execution Vulnerability : CVE-2019-1372

Remote Desktop Client Remote Code Execution Vulnerability : CVE-2019-1333

MS XML Remote Code Execution Vulnerability: CVE-2019-1060

Windows Error Reporting Manager Elevation of Privilege Vulnerability : CVE-2019-1315

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On 22nd October Mozilla released Firefox 70 to address multiple critical vulnerabilities and to one again introduce further privacy features (see below):

Firefox 70: Resolves 1x critical CVE (defined)(but consisting of multiple vulnerabilities), 3x high CVEs, 8x moderate and 1x low CVE

Firefox ESR 68.2 (Extended Support Release): Resolves 1x critical CVE (but consisting of multiple vulnerabilities), 3x high CVEs, 5x moderate

Highlights from version 70 of Firefox include:

Details of improvements in the macOS and Windows versions of Firefox are provided in this article. The blocking of social networking tracking is discussed in another article.

====================
Google Chrome
====================
On October 22nd, Google released Chrome version 78.0.3904.70. This update resolves a high severity flaw that earned the researcher who reported it $20,000. The Multi-State Information Sharing and Analysis Center (MS-ISAC) stated “successful exploitation could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.” In total, this update contains 37 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
WinSCP:
=======================
In mid October; WinSCP version 5.15.5 was released upgrading it’s embedded version of Putty (the Windows SSH client) to 0.73 (along with its SSH private key tools to the same version) resolving 2 vulnerabilities (with one other issue possibly security related). WinSCP 5.15.6 has since been released as a non-security update.

Thank you.

================
Update: 8th October 2019
================
Unfortunately due to professional commitments I won’t be able to update this post today with details of Adobe’s and Microsoft’s updates. I will do so as soon as possible this week.

Thanks for your understanding.

================
Original Post
================
On the 23rd of September Microsoft issued two out of band (unscheduled) security updates to resolve 2 zero-day (defined) vulnerabilities. The vulnerabilities affect Internet Explorer and Windows Defender.

Microsoft has drawn criticism for adding confusion to these updates since they are not available on Windows Update but must be installed manually. For Windows 10 Version 1903 this prompted the release of kb4524147 which at this time I do NOT recommend you install since it is causing some systems not to boot, not being able to print and in some cases the Start menu is crashing.

With further security updates expected from Microsoft tomorrow, please await those updates and re-assess if you should install them. I’ll updater this post tomorrow with more information on the new monthly updates.

Separately since Windows Defender updates automatically you should have received the relevant anti-malware engine update (Version: 1.1.14700.5) 48 hours after the 23rd September.

Thank you.

August 2019 Update Summary

Leave a reply

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS): CVE-2019-1181 CVE-2019-1182 CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144 CVE-2019-1152 CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

securityinaction

A blog dedicated to sharing security best practice advice for organisations and individuals.

Tag Archives: Adobe Reader

July 2021 Update Summary

June 2021 Update Summary

May 2021 Update Summary

February 2021 Update Summary

December 2020 Update Summary

November 2020 Update Summary

August 2020 Update Summary

May 2020 Update Summary

October 2019 Update Sumamry

August 2019 Update Summary