Update: 12th June 2018:
As scheduled Microsoft released their monthly security updates earlier today resolving 50 vulnerabilities. Further details are available within their Security Updates Guide.
In addition; there are 5 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:
Adobe have not released any further updates since their out of band (un-scheduled) update last week.
As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page.
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here courtesy of BleepingComputer:
CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability (a zero day (defined) vulnerability disclosed last month)
Microsoft Edge and Internet Explorer (similar to many other months; multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))
CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability
CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability (especially if your server hosts a Microsoft IIS installation)
Please install the remaining updates at your earliest convenience.
As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.
I usually write this post on or very shortly after Update Tuesday (the second Tuesday) of the month but with an Adobe Flash zero day vulnerability (defined) already patched and given that Mozilla have also released an update this month; I felt an earlier post would be appropriate.
I’ll update this post as further updates are made available. Thank you.
Early in June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):
6th June: Firefox 60.0.2 and Firefox ESR 52.8.1 and Firefox ESR 60.0.2: Resolves 1x high CVE (defined). This was a heap buffer overflow.
Further details of the security issues resolved by these updates are available in the link above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
In the final week of June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):
Firefox 61: Resolves 6x critical CVEs (defined), 5x high CVEs, 6x moderate CVEs, 1x low CVE
Firefox ESR 60.1: Resolves 5x critical CVEs, 4x high CVEs and 6x moderate CVEs.
Firefox ESR 52.9: Resolves 2x critical CVEs, 4x high CVEs, 3x moderate CVEs.
Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
Update: 19th June
Apple Security Updates: Update: 19th June
Following Apple’s release of security updates in the final days of May; they have made available further updates detailed below:
macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan: Resolves 39x CVEs (defined)
Safari 11.1.1: Resolves 14x CVEs
Apple iCloud for Windows (version 7.5): Resolves 17x CVEs
Apple Xcode version 9.4.1: Resolves 2x CVEs
Apple SwiftNIO 1.8.0: Resolves 1 CVE (For your reference: What is Apple SwiftNIO?)
As always; further details of these updates are available on Apple’s dedicated security updates page.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).
Please find below summaries of other notable updates released this month.
F-Secure Security Products:
As mentioned in a previous post; 7-Zip has been updated to version 18.05 to resolve a vulnerability in it’s RAR packing code. The F-Secure products listed in this security advisory utilise this 7-Zip DLL (defined) and are thus being updated for the same reason.
If you use these F-Secure products, please install this critical update as soon as possible.
Google released Google Chrome version 67.0.3396.87 to address 1 vulnerability.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
VMWare issued updates for the following products on the 11th and 28th of June to address 1 and 3 vulnerabilities respectively:
- VMware AirWatch Agent for Android (A/W Agent)
- VMware AirWatch Agent for Windows Mobile (A/W Agent)
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro, Fusion (Fusion)
Please review the above linked to security advisories and apply the necessary updates if you use these products.
On the 12th of June; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).
FTP mirrors to obtain the necessary downloads are available from here.
Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
Intel Lazy Floating Point Vulnerability:
Please see my separate post for details.