Tag Archives: Apple Safari

July 2018 Update Summary

Earlier this month, Microsoft made available their usual monthly security updates. This month 53 vulnerabilities more formally known as CVEs (defined) were resolved.

Among these updates are further updates for Spectre NG vulnerabilities (also known as Speculative Store Bypass vulnerabilities) making them available for Windows Server 2008, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 in addition to last month’s updates. The vulnerability known as Lazy Floating Point (FP) was also addressed this month. Finally the Spectre 1.1. and Spectre 1.2 vulnerabilities will be discussed in a separate blog post.

This month’s Microsoft updates have a long list of Known Issues detailed in the knowledge base (KB) articles listed at the abovel ink (due to the length I won’t reproduce it here). At the time of writing some of these issues have begun to be addressed by further updates (Windows 7, Windows 8.1 and Windows 10) released by Microsoft. Others relating to the .Net Framework should be addressed soon.

====================

This month also saw Adobe release an update (priority 2) for Adobe Acrobat DC and Reader DC which addresses 104x CVEs alone. The remaining updates made available this month were:

Adobe Connect (priority 2, 3x CVEs)

Adobe Experience Manager (priority 2, 3x CVEs)

Adobe Flash (priority 2, 2x CVEs)

For Flash, updates for Google Chrome (not a separate update but via its component updater), Microsoft Edge and Internet Explorer were made available. As always if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash and Acrobat DC/Reader DC.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))(a previous update from May may need a further non-security fix)

Microsoft PowerShell Editor Services

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Oracle:
=======================
Oracle issued updates to resolve a monthly record of 334 vulnerabilities. Further details and installation steps are available here. 8 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
Apple:
=======================
In early July released a group of updates to resolve a large number of vulnerabilities:

Wi-Fi Updates for Boot Camp 6.4.0: Addresses 3x vulnerabilities

Apple iOS 11.4.1: Addresses 22x vulnerabilities

Apple tvOS 11.4.1: Addresses 18x vulnerabilities

Apple watchOS 4.3.2: Addresses 14x vulnerabilities

macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan: Addresses 12x vulnerabilities (also resolves the Intel Lazy FP vulnerability)

Apple Safari 11.1.2: Resolves 16x CVEs

Apple iCloud 7.6 for Windows: Resolves 14x CVEs

Apple iTunes 12.8 for Windows: Resolves 14x CVEs

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Google Chrome:
=======================
Google released Google Chrome version 68.0.3440.75 to address 42 vulnerabilities. This version also marks all HTTP sites as “not secure.” This Google blog post discusses the change in more detail and this migration guide will be of assistance to website owners in migrating to HTTPS.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Wireshark 2.4.8 and 2.6.2
=======================
v2.4.8: 10 security advisories

v2.6.2: 9 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.2) or v2.4.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

June 2018 Update Summary

=======================
Update: 12th June 2018:
=======================
As scheduled Microsoft released their monthly security updates earlier today resolving 50 vulnerabilities. Further details are available within their Security Updates Guide.

In addition; there are 5 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4284819
4284835
4284826
4284867
4284880

====================
Adobe have not released any further updates since their out of band (un-scheduled) update last week.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page.
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here courtesy of BleepingComputer:
====================

CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability (a zero day (defined) vulnerability disclosed last month)

Microsoft Edge and Internet Explorer (similar to many other months; multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability

CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability (especially if your server hosts a Microsoft IIS installation)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Original Post:
=======================
I usually write this post on or very shortly after Update Tuesday (the second Tuesday) of the month but with an Adobe Flash zero day vulnerability (defined) already patched and given that Mozilla have also released an update this month; I felt an earlier post would be appropriate.

I’ll update this post as further updates are made available. Thank you.

=======================
Mozilla Firefox:
=======================
Early in June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

6th June: Firefox 60.0.2 and Firefox ESR 52.8.1 and Firefox ESR 60.0.2: Resolves 1x high CVE (defined). This was a heap buffer overflow.

Further details of the security issues resolved by these updates are available in the link above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

In the final week of June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

=======================
26th June:
=======================
Firefox 61: Resolves 6x critical CVEs (defined), 5x high CVEs, 6x moderate CVEs, 1x low CVE

Firefox ESR 60.1: Resolves 5x critical CVEs, 4x high CVEs and 6x moderate CVEs.

Firefox ESR 52.9: Resolves 2x critical CVEs, 4x high CVEs, 3x moderate CVEs.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
=======================

=======================
Update: 19th June
=======================
=======================
Apple Security Updates: Update: 19th June
=======================
Following Apple’s release of security updates in the final days of May; they have made available further updates detailed below:

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan: Resolves 39x CVEs (defined)

Safari 11.1.1: Resolves 14x CVEs

Apple iCloud for Windows (version 7.5): Resolves 17x CVEs

Apple Xcode version 9.4.1: Resolves 2x CVEs

Apple SwiftNIO 1.8.0: Resolves 1 CVE (For your reference: What is Apple SwiftNIO?)

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Please find below summaries of other notable updates released this month.

Thank you.

=======================
F-Secure Security Products:
=======================
As mentioned in a previous post; 7-Zip has been updated to version 18.05 to resolve a vulnerability in it’s RAR packing code. The F-Secure products listed in this security advisory utilise this 7-Zip DLL (defined) and are thus being updated for the same reason.

If you use these F-Secure products, please install this critical update as soon as possible.

=======================
Google Chrome:
=======================
Google released Google Chrome version 67.0.3396.87 to address 1 vulnerability.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMWare issued updates for the following products on the 11th and 28th of June to address 1 and 3 vulnerabilities respectively:

11th June:

  • VMware AirWatch Agent for Android (A/W Agent)
  • VMware AirWatch Agent for Windows Mobile (A/W Agent)

26th June:

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

Please review the above linked to security advisories and apply the necessary updates if you use these products.

=======================
OpenSSL
=======================
On the 12th of June; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Intel Lazy Floating Point Vulnerability:
=======================
Please see my separate post for details.

April 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Engine. Further details are available in this separate blog post.

Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4073119

kb4093112

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
On Tuesday, 10th April Microsoft made available their scheduled security updates to resolve 63 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

There are 3 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4093112

4093118

4093108

====================

Alongside these updates; Adobe released updates for the following products:

Adobe ColdFusion (priority 2, 5x CVEs)

Adobe Digital Editions (priority 3, 2x CVEs)

Adobe Experience Manager (priority 3, 3x CVEs)

Adobe Flash Player v29.0.0.140 (priority 2, 6x CVEs)

Adobe InDesign CC (priority 3, 2x CVEs)

Adobe PhoneGap Push Plugin (priority 3, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Graphics Component consisting of the following 6 CVEs:

CVE-2018-1009

CVE-2018-1010

CVE-2018-1012

CVE-2018-1013

CVE-2018-1015

CVE-2018-1016

Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability : described in more detail here.

====================

Separately AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================

=======================
Apple Security Updates:
=======================
In late April Apple released updates for Safari, macOS and iOS:

Apple iOS v11.3.1

Apple Safari v11.1

Apple macOS High Sierra v10.13.4

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
7-Zip 18.05
=======================
In late April; version 18.05 of 7-Zip was made available resolving one security vulnerability in it’s RAR packing code. Further details are provided in this linked to blog post.

Other highlights include the inclusion of ASLR on the 32 bit version and high entropy (HE)(defined here and here) ASLR (defined) on the 64 bit version. While the above blog post mentions HEASLR is not enabled, when I tested it with Process Explorer it was showing HEASLR as enabled. That blog post also describes how to add Arbitrary Code Guard (ACG) (defined) protection for 7-Zip on Windows 10. Version 18.01 and later also come with Data Execution Prevention (DEP)(defined here and here).

While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from the resolved vulnerability and the new mitigations.

=======================
Wireshark 2.4.6 and 2.2.14
=======================
v2.4.6: 10 security advisories

v2.2.14: 8 security advisories

The security advisory wnpa-sec-2018-24 applicable to both of the above versions resolves 10 memory leaks (defined).

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.6) or v2.2.14). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
Wireshark 2.6.0
=======================
While this update is not listed as a security update; it is the latest version of Wireshark within the Stable release channel. The older 2.4.x version did not receive a further update. It is very likely version 2.6 will be required to receive future security updates. Further details are available in the release notes of version 2.6. If possible, please consider upgrading to this version in the near future.

Further installation tips are provided above (as per version 2.4.6 and 2.2.14).

=======================
Oracle:
=======================
Oracle issued updates to resolve 254 vulnerabilities. Further details and installation steps are available here. 14 vulnerabilities affect the Java runtime. 12 of these are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
OpenSSL
=======================
In mid April; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
A Closer Look at CVE-2018-0950
=======================
While Microsoft have addressed the vulnerability designated as CVE-2018-0950 (defined) this month; Will Dormann, a security researcher with the CERT Coordination Center has demonstrated further mitigations (defined) you may wish to take. These mitigations (listed at the end of his in-depth discussion) will better defend your system(s) against a variant of this vulnerability which still remains relatively easy for an attacker to exploit.

Thank you.

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

I’ll update this post as the vulnerabilities disclosed during the contest are addressed. The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

March 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Protection Engine. Further details are available in this separate blog post.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
Last Tuesday Microsoft began distributing their scheduled security updates to resolve 74 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

This month there are 12 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4088787

4088782

4088776

4088786

4088779

4088876

4088879

4088875

4088878

4089344

4089229

4090450

====================

In addition to these updates; Adobe released updates for the following products:

Adobe Connect (priority 3, 2 CVEs)

Adobe Dreamweaver CC (priority 3, 1 CVE)

Flash Player v29.0.0.113 (priority 2, 2 CVEs)

Non-Microsoft browsers should update automatically e.g. Google Chrome released an update on Tuesday which includes the new Flash Player. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out very soon):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Windows Shell (CVE-2018-0883)

CredSSP (CVE-2018-0886): Please also enable the Group Policy setting to fully mitigate this issue. Further updates will be made available in subsequent months.

Microsoft Office (consisting of CVE-2018-0903 and CVE-2018-0922)

====================

Similar to last month additional updates for Spectre vulnerability were made available for Windows 10 Version 1709. Further updates are planned and will be listed in this knowledge base article.

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

===============

=======================
Mozilla Firefox:
=======================
This month Mozilla issued 3 sets of security updates for Firefox and Firefox ESR (Extended Support Release):

16th March: Firefox 59.0.1: Resolves 2x critical CVEs (1 of which originated from Pwn2Own 2018).

13th March: Firefox 59: Resolves 2x critical CVEs, 4x high CVEs, 7x moderate CVEs, 5x low CVEs

13th March: Firefox ESR 52.7: Resolves 2x critical, 3x high CVEs, 2x moderate CVEs

26th March: Firefox 59.0.2: Resolves 2x high severity CVEs

26th March: Firefox 52.7.3 ESR: Resolves 1x high severity CVE

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Malwarebytes Anti-Malware
=======================
Earlier this month Malwarebytes made available version 3.4.4 of their anti-malware product. While the update provides stability and performance improvements it also updates the 7-Zip DLL (defined) within it to version 18.01.

Please install this update using the steps detailed in this Malwarebytes forum post. Further details of the improvements made are available in this BleepingComputer article.

=======================
Google Chrome:
=======================
This month Google made available 4 updates for Google Chrome; one in early March and the other in mid-March. The more recent updates resolves 45 security issues while the update from the 20th of March resolves 1 security issue.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Nvidia Geforce Drivers:
=======================
This update (released on the 28th of March 2018) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
OpenSSL
=======================
On the 27th of March; the OpenSSL Foundation issued 2 updates for OpenSSL to address 1x moderate security vulnerability and 2x low severity issues as detailed in this security advisory. To resolve these issues please update your OpenSSL installations to 1.1.0h or 1.0.2o (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued update for the following products on the 15th of March to address one important severity security vulnerability:

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Please review this security advisory and apply the necessary updates.

=======================
Apple security updates:
=======================
In the final week of March Apple made available security updates for the following products:

=======================
Apple tvOS 11.3

Apple iOS 11.3

Apple watchOS 4.3

Apple Safari 11.1

Apple macOS High Sierra 10.13.4, Sierra and El Capitan

Apple iTunes 12.7.4 for Windows

Apple iCloud for Windows 7.4
=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
WinSCP
=======================
In late March; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2o (which addresses 1x moderate CVE).

December 2017 Update Summary

Earlier this month Microsoft closed out the year with a small number of security updates. They resolved 32 vulnerabilities. Further details are provided within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

No Known Issues were listed as occurring for this months update.

====================

Meanwhile Adobe also completed their yearly updates with a single update for Flash Player resolving a single priority 2 CVE (defined).

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For December Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Important severity:

Windows RRAS (Routing and Remote Access) Service Remote Code Execution Vulnerability

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware AirWatch Console and other VMware Products
=======================
A security advisory for VMware AirWatch Console to address a moderate security vulnerability was made available in December. A further security advisory to address 4 important vulnerabilities within the products listed below was also published:

  • ESXi
  • vCenter Server Appliance
  • Workstation
  • Fusion

=======================
Google Chrome:
=======================
An update for Google Chrome included 37 security fixes while a second update included 2 further fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple security updates:
=======================
During the first half of December Apple made available security updates for the following products:

=======================

Apple tvOS 11.2 and 11.2.1

Apple iOS 11.2 and 11.2.1

Apple watchOS 4.2

Apple Safari 11.0.2

Apple macOS High Sierra 10.13.2, Sierra and El Capitan

Apple iTunes 12.7.2 for Windows

AirPort Base Station Firmware Update 7.6.9 and AirPort Base Station Firmware Update 7.7.9

Apple iCloud for Windows 7.2

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here. Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Mozilla Firefox and Firefox ESR
=======================
During December Mozilla released security updates for Firefox and Firefox ESR (Extended Support Release) raising their version numbers to 57.0.2 and 52.5.2 respectively.

  • Firefox 57.0.2 resolves 1 CVE
  • Firefox ESR 52.5.2 resolves 2 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57.0.2
Firefox 52.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
VideoLAN VLC:
=======================
In early December VideoLAN made available version 2.2.8 of VLC for Linux, Apple macOS  and Windows. It addresses 4 security vulnerabilities (3 of which were addressed in 2.2.7). If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

=======================
WinSCP
=======================
In mid-December; WinSCP version 5.11.3 was released upgrading it’s embedded OpenSSL version to 1.0.2n (which addresses 1x moderate and 1x low severity CVEs).

May 2017 Security Updates Summary

Today Microsoft and Adobe made available their expected monthly security updates.

Microsoft’s updates address 57 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog while not updated since last month doesn’t contain this months updates yet.
====================

Before continuing with this months updates I wanted to provide information on a critical out of band (un-scheduled) update made available by Microsoft yesterday to address a vulnerability responsibly disclosed (defined) by Google Project Zero researchers Natalie Silvanovich and Tavis Ormandy within Microsoft’s Malware Protection Engine. The full list of affected products is listed within their security advisory. The exploit code for this vulnerability was later published within a tweet (which will not exploit the vulnerability).

I recommend updating your version of the Malware Protection Engine as soon as possible to version 1.1.13704.0 (or later) since this vulnerability when exploited by an attacker will lead to them obtaining system level access (NT AUTHORITY\SYSTEM)(defined)(namely the highest level of privilege within a Windows system) over an affected system.

====================
Also today Adobe issued two security bulletins for the following products:

Adobe Experience Manager Forms (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As always the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:
Microsoft Malware Protection Engine
Microsoft Office
Microsoft Edge
Internet Explorer
Microsoft SMB (CVE-2017-0277, CVE-2017-0278, CVE-2017-0279)
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 10th May 2017:
=======================
I wish to provide information on other notable updates from May 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.1.1

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 1 security fix.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 15 security vulnerabilities. The steps to install the drivers are detailed here.

I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Malwarebytes:
=======================
This update to Malwarebytes 3.1 (specifically v3.1.2.1733) resolves more than 1 security vulnerability (exact numbers and further details are not available).

Malwarebytes typically roll out updates in waves meaning it may be sometime before you receive this update. If the update is not automatically downloaded and installed in a timely manner, it is available from this link. Manual installation and general troubleshooting steps are available here.

=======================
Apple security updates:
=======================
Updates were made available by Apple on the 15th of May for iTunes for Windows, Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, and iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

Further information on the content of these updates is available this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.7.20 (Build 286). This update resolves 3 important vulnerabilities relating to the driver the tool uses for scanning. Any previous version of the tool should update automatically when opened to the most recent version.

=======================
VideoLAN VLC:
=======================
=======================
Update: 25th May 2017:
=======================
Yesterday VideoLAN released version 2.2.6 of VLC for Windows only. It resolves the security issues listed below (assuming at least 2 heap overflows (given their use of the plural form)). This list came from the NEWS.txt file after installing version 2.2.6 since the detailed release notes on VideoLAN’s website have not yet been updated (and may not be until 2.2.6 is officially made available for macOS and Linux systems).

The update is currently being distributed via their automatic updater (upon opening VLC) and manually from their website (unexpectedly that page also contains tarballs for Linux):

Changes between 2.2.5.1 and 2.2.6:
———————————-

Video output:
* Fix systematic green line on nvidia
* Fix direct3d SPU texture offsets handling

Demuxer:
* Fix heap buffer overflows

———————————-

It was not known at the time version 2.2.5.1 was made available that the correction of “Fix potential out-of-band reads in subtitle decoders and demuxers” were actually security issues assigned to 4x CVEs discovered by CheckPoint security.

=================
Late last week VideoLAN released version 2.2.5.1 of VLC. This update is available for Linux, Apple Mac OS X and Windows. It addresses (at least) 13 security issues mentioned here (I’ll explain my numbering using the list below). This update is available for download for the above operating systems from this page.

If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

1. Security hardening for DLL hijacking environments
2. Fix potential out-of-band dereference in flac decoder
3. Fix potential out-of-band reads in mpeg packetizers
4. Fix incorrect memory free in ogg demuxer
5. Fix potential out-of-band reads in subtitle decoders and demuxers
6. Fix ADPCM heap corruption (FG-VD-16-067)
7. Fix DVD/LPCM heap corruption (FG-VD-16-090)
8. Fix possible ASF integer overflow
9. Fix MP4 heap buffer overflows
10. Fix Flac metadata integer overflow
11. Fix flac null-pointer dereference
12. Fix vorbis and opus comments integer overflows and leaks
13. The plugins loading will not load external DLLs by default. Plugins will need to LoadLibrary explicitly.

=======================
Notepad++:
=======================
On the 14th of May, Notepad++ made available a new version updating it to version 7.4. While it is not a security update it includes a security related improvement namely: Improve certificate verifying method.

This version has since been updated to version 7.4.1 to resolve a number of non-security issues. If you use Notepad++, please consider updating to the most recent version to benefit from the security improvement and the bug fixes it includes.

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
GIMP (photo editor):
=======================
The open source ((the source code (human readable code) is free to view and edit by the wider IT community) photo editor GIMP has made available version 2.8.22 which resolves one security vulnerability. If you use this editor, please update it to this version (or later).