Tag Archives: Adobe Reader

March 2016 Security Updates Summary

Today is Microsoft’s Update Tuesday. Adobe have also released updates for Adobe Acrobat, Adobe Reader and Adobe Digital Editions (Adobe Flash was not updated today; more details on this below).

Similar to last month, there are 13 Microsoft security bulletins resolving 44 security issues, more formally known as CVEs (defined).

At the time of writing Microsoft’s Security Bulletin Summary does not list any Known issues for the security bulletins made available today. An alternative source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered. No issues are listed at the time of writing.

Adobe’s updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI address 3 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin. An update for Adobe Digital Editions was also made available resolving 1 critical CVE.

If you use any of Adobe’s PDF applications mentioned above or Adobe Digital Editions, please follow the above product links to the appropriate security bulletins and apply the necessary updates.

As mentioned in January, Adobe no longer supports Acrobat X and Adobe Reader X. They did not receive any updates within that bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

=======================
Update: 10th March 2016:
Earlier today Adobe published an updated version of Flash Player, bringing it to version 21.0.0.182. This update resolves 23 security issues (all have been assigned CVEs). Adobe AIR, their application runtime, was also updated to version 21.0.0.176 within the same bulletin.

Please follow the above Adobe Flash Player bulletin link and apply the necessary updates as soon as possible, both because of the severity of the issues the Flash update addresses and because one issue, the integer overflow (defined) vulnerability CVE-2016-1010, is being exploited in targeted attacks.

Thank you.
=======================

Adobe within their PSIRT blog post mentioned that a security update for Flash Player will be available in the coming days. No reason(s) for the delay was/were given. Wolfgang Kandek of Qualys in a blog post makes educated guesses as to what may be the cause for the delay. I will update this post when the updates become available.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with the deployment of Microsoft’s security updates I would recommend prioritising them as follows: Internet Explorer, Microsoft Edge, Windows Graphics Fonts, Windows PDF Library and Windows Media (in this order) due to their critical severities and widespread use.

As always, you can then install any remaining applicable updates, beginning this round of updates with the Windows USB Mass Storage Class Driver Security update (more info here) due to its ease of exploitation and the level of access it can allow an attacker to obtain. Next I would recommend the Kernel Mode Drivers update and Microsoft Office update since exploitation of these vulnerabilities is listed as more likely in the Security Bulletin Summary.

One final security precaution that you may wish to take, if you have Microsoft EMET installed (please ensure your version of EMET is the most recent version, 5.5), is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

January 2016 Security Updates Summary

=======================
Update: 13th January 2016:
Kaspersky have published a blog post that provides details of the security issue resolved by Silverlight update MS16-006. This issue is a zero-day vulnerability (defined) and for that reason this update should be installed before all other updates mentioned below.

Thank you.
=======================

=======================
Original Post:
=======================
Earlier today Microsoft made available its scheduled security updates for Windows and other Microsoft software.

There are 9 bulletins in total (although MS16-009 is not yet available and may be delayed until next month) addressing 25 security issues, more formally known as CVEs (defined).

The Security Bulletin Summary lists 2 Known Issues with regard to MS16-007 (an update to Windows which addresses a number of DLL (defined) loading issues, among others). Both issues relate to software from Citrix, namely XenDesktop, which will experience compatibility issues with this update if it were to be installed. Microsoft will not offer this update to users with this software installed in order to avoid these issues. Microsoft recommends uninstalling the Citrix software, installing the security update and contacting Citrix for a workaround for these issues. This advice was obtained from these knowledge base articles (article 1, article 2) which are referenced within the Security Bulletin Summary.

Microsoft have also made available 2 security advisories today (an advisory for Adobe Flash was published earlier this month to announce the availability of a non-security update). The Deprecation of SHA-1 Hashing Algorithm (discussed and defined here) and the TLS Session Resumption Interoperability update may or may not apply in your environment; please review these advisories to determine if you need to take further action.

Moreover, an alternative source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered.

Adobe have also issued updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI addressing 17 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin.

Please note that Adobe Acrobat X and Adobe Reader X are no longer supported. They did not receive any updates within this bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with prioritizing Microsoft’s updates I would recommend first installing the Silverlight update since it resolves a zero day security vulnerability (defined) under attack in the wild (under attack on computing devices used by the general public in their professional and personal lives).

This should then be followed by the Windows Kernel update since the kernel (defined) is the core of Windows and exploiting this issue could allow the attacker to gain system level privileges (defined). Next I would recommend installing the updates for Microsoft Office, Internet Explorer, Microsoft Edge and JScript and VBScript due to their critical severities. You can then install any remaining applicable updates.

One other security precaution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

October 2015 Security Updates Summary

Today is Update Tuesday and Microsoft made available 6 security bulletins to resolve 33 CVEs (defined). Further details are provided in their Security Bulletin Summary.

At the time of writing, this summary shows no known issues for these bulletins. Another useful source to monitor for any issues encountered with Microsoft security updates is the IT Pro Patch Tuesday blog.

Adobe have also issued updates for Adobe Acrobat DC, Acrobat XI, Acrobat X, Acrobat Reader DC and Adobe Reader addressing 56 CVEs within these products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin.

Finally, Adobe issued updates to Flash Player and Adobe AIR, its application runtime, to resolve 21 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this) this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-
If you use any of the above software, please install the appropriate updates as soon as possible.
Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

Since the Adobe Flash Player update resolves 21 critical CVEs some of which are likely to be exploited very quickly by exploit kits (defined) this update should be installed first.

If you wish to prioritize the deployment of the Microsoft security updates, I would recommend an installation order of Internet Explorer, JScript and VBScript, Microsoft Office and Windows Shell due to their severity (successful exploitation results in remote code execution; namely allowing a remote attacker to carry out any action of their choice). After installing these updates, install any remaining applicable Microsoft security updates.

One other security precaution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2015 Security Updates Summary

On Tuesday the 14th of July, Microsoft made available its monthly security updates resolving 59 CVEs (definition of the term CVE). Details of the affected products are provided in their Security Bulletin Summary. This page also details any Known Issues for these security updates. At the time of writing, only issues for the SQL Server bulletin were present. In addition, an excellent source for information on issues that arise from installing these updates is the IT Pro Patch Tuesday blog.

Adobe made updates available for Flash Player v18.0.0.203 to resolve 2 critical zero day CVEs, Adobe Shockwave Player resolving 2 CVEs and Adobe Acrobat/Adobe Reader resolving 46 CVEs.

In addition, Oracle made available security updates for Java resolving 25 CVEs, among them the zero day CVE-2015-2590.

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.

If you wish to prioritize some of the updates I would recommend installing Adobe’s Flash Player update first due to the nature of the 2 critical flaws that it resolves. The next priorities should be Microsoft’s updates for Internet Explorer (it also includes a fix for the zero day flaw CVE-2015-2425), Remote Desktop Protocol, VBScript, Microsoft Office, ATM Font Driver and Windows Hyper-V due to their severity. In addition the ATM Font Driver vulnerability CVE-2015-2387 and Microsoft Office vulnerability CVE-2015-2424 have already seen exploitation. With high profile issues being resolved by Adobe’s updates it is recommended to install them before they begin to be incorporated into exploit kits for much wider exploitation.

I would also recommend using the Attack Surface Reduction (ASR) feature of Microsoft EMET 5.2 in order to mitigate Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. Details of the ASR feature are available on pages 9 and 19 of the EMET user guide (follow this link and opt to download EMET; you can then choose to download only the PDF user guide). How to add Adobe Flash (flash*.ocx) is detailed in this news article. I suggest adding this file name (the full name including the wildcard * and the ocx file extension) to any application that you use that can open Microsoft Office documents or Adobe PDF files as a defence in depth measure. I have done this for all of my Microsoft Office applications and my PDF reader with no issues encountered.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

US-CERT Details Top 30 Targeted High Risk Security Vulnerabilities

In the final week of April the US-CERT announced the Top 30 exploitable security vulnerabilities that could be used to attack critical infrastructure organizations/companies.

The list includes flaws that can be exploited through malicious email attachments, targeted attacks (spear phishing) and most commonly “watering hole” attacks.

What is a Watering Hole Attack?
A watering hole attack is a targeted exploit of a website frequently visited by a specific group of people. The attacker compromises/tampers with the website to inject HTML or JavaScript that will redirect visitors to another site/page specifically crafted to exploit a security vulnerability/flaw e.g. one of the top 30 flaws mentioned by US-CERT. If the exploit is successful (i.e. if the flaw exists on the user’s computing device) then malware can be installed or any other action of the attacker’s choice can take place (if it’s a remote code execution flaw).

Such an attack is more likely to succeed since the visitors to the site trust it and are more likely to respond in the way the attackers wish should a dialog box appear or a message to perform an action be displayed e.g. download a fake codec update to watch a video (which would lead to an exploit taking place against a visitor’s computing device).

All of the products listed within the above mentioned alert are commonly used and can be patched with low to moderate effort. Please find below advice on how to update each of the affected products in the list.

I hope that the list of products with the associated steps to update each is useful to you in applying the necessary updates in order to avoid being exploited by the Top 30 High Risk Security Vulnerabilities mentioned by US-CERT.

Thank you.

==========================
Microsoft Internet Explorer:
==========================
Please see “Enable automatic updates for Windows” within my “Protecting Your PC” page.
==========================

==========================
Microsoft Silverlight:
==========================
For Mac:
Please visit this Silverlight page. If you have Silverlight installed and an update is available, please download and install it.

For PC:
Please see “Enable automatic updates for Windows” within my “Protecting Your PC” page.
==========================

Microsoft Office for Mac and Windows:

Office for Mac:

==========================
Office 2011 for Mac:
==========================
The most recent update at the time of writing is 14.4.9 (please select “Office 2011” under the Products column on this page). Please download and install the most recent update for Office 2011 for Mac. In order to install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2011 for Mac).

Please note that Update 14.4.9 requires 14.1.0 i.e. SP1 for Office 2011 for Mac to be installed first.

==========================
Office 2008 for Mac:
==========================
While this version of Office is now unsupported if you are using this version it would still be recommended to have the most recent version available. Update 12.3.6 is the most recent update. This update requires Update 12.2.0 (i.e. SP2 for Office 2008 for Mac) to already have been installed. SP2 requires that SP1 also be installed beforehand.

In order to install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2008 for Mac).

==========================
Office 2004 for Mac:
==========================
This version of Office is also unsupported. Update 11.6.6 is the most recent update and requires Update 11.6.5 (and all prior updates). In order to install all updates I would suggest using Microsoft AutoUpdate for Office 2004 for Mac.

==========================
Office for Windows:
==========================
For Office 365 (Business Essentials, Business, Business Premium, Home and Personal): These suites stay up to date automatically while an internet connection is available.

==========================
Office 2013, 2010 and 2007:
==========================
Windows Update can detect and install all updates for you when it is configured correctly. Alternatively for Office 2013, it can also be updated manually.

==========================
For Office 2003, Office XP and Office 2000:
==========================
Windows Update can detect and install all updates for Office for you when it is configured correctly.

For any product listed in the table within the US-CERT alert that you have installed and for which no update is being offered within Windows Update, I would recommend checking the security bulletins mentioned in the US-CERT alert for more information on installing the appropriate updates manually.

==========================
Oracle Java:
==========================
In order to obtain the latest updates for Java, if you are a developer, visit this page and download the most recent Java Development Kit (JDK) or the most recent update for your version of Java JDK e.g. v7, v6, v5 etc. Currently JDK v8 is the most recent. Some developers may also need the latest Java FX.

For corporate desktop systems or consumer/home users, please visit http://java.com to download the most recent Java Runtime Environment (JRE). There is also the option of enabling automatic updates when Java is installed on Windows.

==========================
Adobe:
==========================
Adobe Flash:
For Adobe Flash, since version 11.2 Adobe has included an automatic updater when Flash is installed on Windows. For any version of Windows older than Windows 8.0, Flash can also be downloaded and installed manually from this page (the downloaded version will automatically replace any older version of Flash already installed).

For Windows 8.0 and later, Microsoft issues updates to Adobe Flash via Windows Update. These updates are detailed in this security advisory.

==========================
Adobe AIR:
For the Adobe SDK and SDK & Compiler, updates can be obtained from Adobe’s developer page.
For Adobe AIR desktop runtime, updates are available from this download page.

==========================
Adobe Acrobat and Adobe Reader:
For Acrobat DC and Reader DC, updates are automatically delivered (and available using “Check for Updates” mentioned below). Alternatively, updates for Acrobat for Mac and Windows are available. The latest version of Reader DC is available from here (please ensure to un-check install options such as Google Chrome and Google Toolbar).

For Acrobat 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For Adobe Reader 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For older versions of Acrobat and Reader (namely 9, 8 and earlier), no further updates are being made available. It should be possible to run a check for updates as mentioned above but it is recommended to upgrade to a currently serviced version, e.g. 10, 11 or DC.

==========================
For Adobe ColdFusion:
Updates are available for ColdFusion 11 and 10. Installation instructions are also provided within the aforementioned pages.

For ColdFusion 9, there are 3 updates available to be installed in the order presented here:

ColdFusion Security hotfix APSB13-03

ColdFusion Security hot fix APSB13-13

ColdFusion Security hot fix APSB13-27

Additional Security Hotfixes (in addition to those above)

==========================
Adobe Flex:
Adobe Flex is available for download from here. However in an April 2015 security bulletin Adobe recommended updating the Flex index.html file using the steps provided in that bulletin.

==========================
OpenSSL:
==========================
For OpenSSL I would recommend following the guidance provided by US-CERT for upgrading to the most recent non-vulnerable version of OpenSSL using their link provided within their alert since the upgrade/update process requires specific steps to be completed.
==========================