Tag Archives: Adobe Shockwave

April 2019 Update Summary

Yesterday Microsoft and Adobe made available their scheduled security updates. Microsoft addressed 74 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 42 vulnerabilities.

Adobe Acrobat and Reader: 21x priority 2 vulnerabilities (11x Critical and 10x Important severity)

Adobe Flash: 2x priority 2 vulnerabilities (1x Critical and 1x Important severity)

Adobe Shockwave Player: 7x priority 2 vulnerabilities (7x Critical severity)

Adobe Dreamweaver: 1x priority 3 vulnerability (Moderate severity)

Adobe XD: 2x priority 3 vulnerabilities (2x Critical severity)

Adobe InDesign: 1x priority 3 vulnerability (Critical severity)

Adobe Experience Manager Forms: 1x priority 2 vulnerability (Important severity)

Adobe Bridge CC: 8x priority CVEs (2x Critical, 6x Important)

If you use Acrobat/Reader, Flash or Shockwave, please apply the necessary updates as soon as possible. Please install their remaining priority 2 and 3 updates when you can.

Please note; as per Adobe’s notice Shockwave Player has now reached it’s end of life. No further updates will be made available.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4487563                Microsoft Exchange Server 2019, 2016, and 2013

4491413                Update Rollup 27 for Exchange Server 2010 Service Pack 3

4493441                Windows 10 version 1709, Windows Server Version 1709

4493446                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4493448                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4493450                Windows Server 2012 (Security-only Rollup)

4493451                Windows Server 2012 (Monthly Rollup)

4493458                Windows Server 2008 Service Pack 2 (Security-only update)

4493464                Windows 10 version 1803, Windows Server Version 1803

4493467                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4493470                Windows 10 version 1607, Windows Server 2016

4493471                Windows Server 2008 Service Pack 2 (Monthly Rollup)

4493472                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4493474                Windows 10 version 1703

4493509                Windows 10 version 1809, Windows Server 2019

4493730                Windows Server 2008 SP2

4493435                Internet Explorer Cumulative Update

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Win32k: CVE-2019-0803CVE-2019-0859 (both are being actively exploited in the wild)

Scripting Engine: CVE-2019-0861 ,  CVE-2019-0806 , CVE-2019-0739 , CVE-2019-0812 , CVE-2019-0829

Microsoft Graphics Component (GDI+): CVE-2019-0853

Microsoft Windows IOleCvt Interface: CVE-2019-0845

Microsoft Windows SMB Server: CVE-2019-0786

Microsoft (MS) XML: CVE-2019-0790 , CVE-2019-0791 , CVE-2019-0792 , CVE-2019-0793 , CVE-2019-0795

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Notepad++:
======================
As noted in the March Update Summary post (due to a critical regression for the version that was released in March) Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Wireshark 3.0.1 and 2.6.8
=======================
v3.0.1: 10 security advisories

v2.6.8: 6 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.1 or v2.6.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

November 2017 Security Updates

Back in November; Microsoft released their routine monthly security updates. These updates resolved 53 vulnerabilities with 14 individual updates (which are grouped when downloaded). As always these are detailed within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

Microsoft have listed 6 Known Issues that can occur from Windows 7 up to and including Windows 10 (version 1703):

Windows 10 (versions 1511, 1607 and 1703 potentially impacted):

KB4048952: caused some Epson SIDM (Dot Matrix) and TM (POS) printers to lose the ability to print. This was later resolved by a further update; KB4053578

KB4048954:

could cause Internet Explorer 11 to not provide users of SQL Server Reporting Services (SSRS) the ability to scroll through drop-down menus.

Windows Pro devices on the Current Branch for Business (CBB) will upgrade unexpectedly.

The above issue regarding Epson printers could also occur. All 3 of the above issues have been resolved. Please see KB4048954 for details of the additional updates containing the appropriate fixes.

KB4048953:

Details 2 of the above issues as well as an additional issue regarding an error message for the CDP User Service. Please see KB4048953 for details of the additional updates containing the appropriate fixes.

Windows 8.1 and Windows Server 2012 R2:

KB4048958

Please see KB4048958 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048961

Please see KB4048961 for details of an additional update containing the appropriate fix for an issue already discussed above.

Windows 7 SP1 and Windows Server 2008 R2 Standard:

KB4048957

Please see KB4048957 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048960

Please see KB4048960 for details of an additional update containing the appropriate fix for an issue already discussed above.

This month there are 4 Known Issues (kb4041691kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.

====================

Adobe also made available their scheduled security updates for the following products:

Adobe Acrobat and Reader (priority 2, 56 CVEs)

Adobe Connect (priority 3, 5 CVEs)

Adobe DNG Converter (priority 3, 1 CVE)

Adobe Digital Editions (priority 3, 6 CVEs)

Adobe Experience Manager (priority 3, 3 CVEs)

Adobe Flash Player (priority 2, 5 CVEs)

Adobe InDesign CC (priority 3, 1 CVE)

Adobe Photoshop CC (priority 3, 2 CVEs)

Adobe Shockwave Player (priority 2, 1 CVE)

As always the priority updates are Flash Player first and Adobe Acrobat (in that order).

One point to note is that Adobe Acrobat 11 (or XI) / Reader 11 are now out of support from November onwards. These will be the final updates they receive. Adobe recommends upgrading to Adobe Acrobat DC or Reader DC (as appropriate). Apart from the different user interface of the DC version, possible privacy concerns were raised about one of the components of this newer version namely RdrCEF.exe (the purpose of which is described here). The suggestions to resolve these concerns were:

  • Adding cloud.adobe.com to your Hosts file (defined) to redirect it to localhost (defined) (to prevent it disclosing any private info)
  • Blocking RdRCEF.exe from accessing the internet using your software firewall

A list of changes to the Windows Registry (defined) were suggested in this forum thread but it is not clear if these are effective.

As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For Novembers Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Office Vulnerability : CVE-2017-11882 : was described as “extremely dangerous” by researchers at security firm Embedi to disclosed the vulnerability to Microsoft. In addition to installing the security update they recommend disabling the legacy equation editor to protect against future attackers against the code which does not benefit from the more secure coding practices.

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware Workstation, Fusion and Horizon View Client
=======================
A security advisory with details of how to obtain updates for the above mentioned products to address 6 CVEs was made available by VMware in November.

=======================
Google Chrome:
=======================
An update for Google Chrome included 2 security fixes while a second update included a further security fix,

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Wireshark 2.4.3 and 2.2.11
=======================
v2.4.3: 3 CVEs (defined) resolved

v2.2.11: 3 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.3) or v2.2.11). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Apple security update:
=======================
An updates was made available by Apple on the 29th of November for macOS High Sierra to resolve a critical security vulnerability that could have resolved in the creation of a root (defined) account on the affected system allowing an unauthorised user privileged access to that system. Further details of this vulnerability are available here. As discussed in that link, this security update should have been installed automatically (no user action required).

=======================
Mozilla Firefox and Firefox ESR
=======================
During November Mozilla released security updates for Firefox and Firefox ESR(Extended Support Release) raising their version numbers to 57 (and later to 57.0.1) and 52.5 respectively.

  • Firefox 57 resolves 15 security issues more formally known as CVEs (defined) while 57.0.1 resolves 2 CVEs.
  • Firefox ESR 52.5 resolves 3 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57 and Firefox 57.0.1
Firefox 52.5

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

March 2017 Security Updates Summary

As you know Microsoft and Adobe released their scheduled monthly security updates. For Microsoft this release was anticipated especially since last month’s set was delayed.

Within the above linked to post I predicted Microsoft would make a large number of updates and they did just that. 17 bulletins in total are now available. These updates address 138 vulnerabilities listed within Microsoft’s new Security Update Guide. These vulnerabilities are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within their March summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.
====================

Adobe issued two security bulletins today. One affecting Adobe Flash and the other for Adobe Shockwave Player. The Flash Player bulletin resolves 8x priority 1 vulnerabilities. While the Shockwave bulletin resolves 1x priority 2 vulnerability. These priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available last week.

If you use Flash or Adobe Shockwave, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
Update: 22nd March 2017:
=======================
I wish to provide information on other notable updates from this month which I would recommend you install if you use these software products:

Notepad++ version 7.3.3

VideoLAN VLC Media version 2.2.5 (release currently in progress)

Malwarebytes Anti-malware version 3.0.6 CU3 (with Component package version: 1.0.75):
It is unknown how many vulnerabilities this addresses but this forum post mentions their resolution.

Malwarebytes Anti-malware version 3.0.6 CU4 addresses further vulnerabilities.

More details of the vulnerabilities resolved by Malwarebytes 3.0.6 CU3 have emerged. Researchers responsibly disclosed a technique which uses Microsoft’s Application Verifier to hijack an anti-malware application. More details of this vulnerability are available here and here.

Mozilla Firefox 52.0.1 (more details in this post on Pwn2Own 2017)

VMware Workstation 12.5.4 (relevant security advisories are here and here)

VMware ESXi, Fusion and VMware Workstation 12.5.5 (the relevant security advisory is here). This advisory resolves the vulnerabilities disclosed during Pwn2Own 2017 for the above listed products.

Wireshark 2.2.5 and 2.0.11

Putty 0.68 (while released in February; it contains important security changes)

Apple Security Updates: updates are available for iTunes, iTunes for Windows, Pages, Numbers, Keynote (for macOS and iOS), Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, macOS Server, iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

=======================

For the 17 Microsoft bulletins this month, I will prioritize the order of updates for you below:

====================
Critical severity:
Windows Graphics Component

Windows SMB Server

Microsoft Edge

Internet Explorer

Windows Hyper-V

Windows PDF

====================
Important Severity
====================
The update for Microsoft Office should be installed next due to it’s criticality. With the follow updates after it:

Microsoft Exchange

Microsoft IIS

Active Directory Federation Server

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Adobe Shockwave Player Security Update Released

Earlier today Adobe issued a security update for Shockwave Player to address 1 critical CVE (defined). This updates brings Shockwave Player to version 12.2.1.171.

If you use Shockwave Player (this page will tell you if it’s installed and if so which version), please install the appropriate update by following the steps provided by Adobe in their security bulletin).

Finally you may also be interested in this point (see the heading titled: “Update: 25th September 2015”) raised in a previous blog post concerning how the development pace for Shockwave differs from Adobe Flash.

Thank you.

September 2015 Security Updates Summary

Yesterday was Update Tuesday and Microsoft made available 12 security bulletins to resolve 55 CVEs (definition of the term CVE). Further details are provided in their Security Bulletin Summary.

Reviewing this summary at the time of writing it details a known issue for only 1 security bulletin MS15-097 (Microsoft Graphics Component). The known issue relates to a defense in-depth (a layered defense) measure included with this update which is referenced in the bulletin within the FAQ section. This update turns off the service used to load the Macrovision secdrv.sys driver which while it addresses the issues mentioned in this bulletin will affect the ability to play older video games.

I personally own several older games that I still play which use this driver e.g. Command and Conquer (C&C) Red Alert 2, C&C Tiberian Sun, C&C Renegade and Medal of Honor Allied Assault. To continue to play such games when I wish, I’m using the commands provided by Microsoft in this knowledge base article to manually start and stop the service using these commands (within an administrator/elevated command prompt window). These in my opinion are the fastest means of turning the service on and off:

sc start secdrv
sc stop secdrv

I remember patching this Macrovision driver many years ago when Microsoft released security bulletin MS07-067. With limited testing I can confirm that the above commands work as expected and that the above games continue to work as normal however I will carry out further checks and update this post if I find older games are no longer working.

=======================
Update: 15th September 2015:
After further testing I have found that the use of the above commands is not necessary. The Windows registry change documented in this knowledge base article when set to a value of 3 manually re-enables the service when it is needed. With only this change, the above mentioned games continued to work as normal (making the above mentioned command prompt commands unnecessary). This registry key is present within Windows 7 and Windows 8.1.

Please note that Windows 10 does not have this registry key but when testing the above games on Windows 10, the games still worked normally (tested using Electronics Arts Origin game launcher).

However if you don’t play older games (or if you have Windows 10) you won’t need to make this change. In addition I wouldn’t recommend leaving this registry setting with a value of 3 over the long term. Microsoft set it to 4 to disable the service as a defense in-depth measure.

To quickly change this settings you could either use a pair of registry export files (one with a value of 4 and the other 3) or simply use Regedit to make this change when necessary.
=======================

Another source to monitor for any issues encountered with Microsoft security updates is the IT Pro Patch Tuesday blog. At the time of writing, no issues have been posted.

One of the bulletins released by Microsoft, MS15-100 for Windows Media Center addresses and issue that was disclosed among the documents released during the Hacking Team data breach. This issue was reported to Microsoft by Trend Micro.

In addition, Adobe issued an update for Shockwave Player to resolve 2 critical CVEs. If you use/have Shockwave Player installed, details of obtaining the relevant update are available within Adobe’s security bulletin.

Adobe did not release an update for Flash Player this month. As noted by Wolfgang Kandek of Qualys there hasn’t been a gap in the updates for Flash Player since October 2013. However given that Google Chrome v46.0.2490.13 64 bit (Beta channel) includes Flash Player v19.0.0.142 I suspect that an update will arrive next month that more widely makes v19 of Flash Player available.

Update: 18th September 2015: Google Chrome v46.0.2490.33 64 bit (Beta channel) includes Flash Player v19.0.0.185.

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.
Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

If you wish to prioritize the deployment of the above security updates, I would first recommend the installation of Microsoft Graphics Component, Microsoft Office, Internet Explorer, Microsoft Edge and Windows Journal due to their critical severities. In addition, 1 issue from both the Microsoft Graphics Component and Microsoft Office security bulletins are currently being exploited.

=======================
Update: 25th September 2015:
In addition to the advice mentioned above regarding keeping Adobe Shockwave Player up to date, according to well-known security blogger Brian Krebs and Graham Cluley; Adobe has confirmed that Shockwave Player includes an older version of Flash Player that is missing a very large number of security fixes.

Such fixes have been made available to Flash Player but they have not yet been included even within the newest Shockwave Player v12.2.0.162. This provides a compelling reason to consider an alternative if you are using Shockwave Player regularly in order to reduce the risk of such vulnerabilities being exploited.
=======================

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2015 Security Updates Summary

On Tuesday the 14th of July, Microsoft made available its monthly security updates resolving 59 CVEs (definition of the term CVE). Details of the affected products are provided in their Security Bulletin Summary. This page also details any Known Issues for these security updates. At the time of writing, only issues for the SQL Server bulletin were present. In addition, an excellent source for information on issues that arise from installing these updates is the IT Pro Patch Tuesday blog.

Adobe made updates available for Flash Player v18.0.0.203 to resolve 2 critical zero day CVEs, Adobe Shockwave Player resolving 2 CVEs and Adobe Acrobat/Adobe Reader resolving 46 CVEs.

In addition, Oracle made available security updates for Java resolving 25 CVEs, among them the zero day CVE-2015-2590.

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.

If you wish to prioritize some of the updates I would recommend installing Adobe’s Flash Player update first due to the nature of the 2 critical flaws that it resolves. The next priorities should be Microsoft’s updates for Internet Explorer (it also includes a fix for the zero day flaw CVE-2015-2425), Remote Desktop Protocol, VBScript, Microsoft Office, ATM Font Driver and Windows Hyper-V due to their severity. In addition the ATM Font Driver vulnerability CVE-2015-2387 and Microsoft Office vulnerability CVE-2015-2424 have already seen exploitation. With high profile issues being resolved by Adobe’s updates it is recommended to install them before they begin to be incorporated into exploit kits for much wider exploitation.

I would also recommend using the Attack Surface Reduction (ASR) feature of Microsoft EMET 5.2 in order to mitigate Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. Details of the ASR feature are available on page 9 and 19 within the EMET user guide (follow this link and opt to download EMET, you can then choose to download only the PDF user guide). How to add Adobe Flash (flash*.ocx) is detailed in this news article. I suggest adding this file name (the full name including the wildcard * and the ocx file extension) to any application that you use that can open Microsoft Office documents or Adobe PDF files as a defence in depth measure. I have done this for all of my Microsoft Office applications and my PDF reader with no issues encountered.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.