July 2020 Update Summary

Earlier this month Adobe and Microsoft made available their expected security updates. These updates resolve 13 and 123 vulnerabilities (respectively) more formally known as CVEs (defined).

An interesting fact as pointed out by ZDI is that for “five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. They have already passed their totals for 2017 (665) and 2018 (691)”.

I believe that while this gives us all more work to apply the patches, overall we are becoming safer since more issues are being discovered and resolved.

Let’s begin with Adobe’s updates:

Adobe Bridge: 3x Priority 3 CVEs resolved (3x Critical Severity)

Adobe ColdFusion: 2x Priority 2 CVEs resolved (2x Important Severity)

Adobe Creative Cloud Desktop Application: 4x Priority 2 CVEs (1x Critical and 3x Important Severity)

Adobe Download Manager: 1x Priority 3 (1x Critical Severity)

Adobe Genuine Service: 3x Priority 3 (3x Important Severity)

Adobe Media Encoder: 3x Priority 3 (2x Critical Severity, 1x Important Severity)

Adobe Photoshop: 5x Priority 3 CVEs resolved (5x Critical Severity)

If you use any of the above Adobe products, especially those with critical severity updates; please install these updates as soon as possible.

Microsoft’s monthly summary; lists Known Issues for 11 Microsoft products but all have workarounds or corrective updates.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

The highest priority update for this month is the Windows DNS Server vulnerability. Please see my dedicated post for more details.

Windows SharedStream Library Elevation of Privilege Vulnerability: CVE-2020-1463

Windows Font Library Remote Code Execution Vulnerability: CVE-2020-1436

GDI+ Remote Code Execution Vulnerability: CVE-2020-1435

.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability: CVE-2020-1147

Windows Hyper-V RemoteFX vGPU Vulnerabilities: CVE-2020-1032 , CVE-2020-1036 , CVE-2020-1040 , CVE-2020-1041 , CVE-2020-1042 , CVE-2020-1043

For these Hyper-V vulnerabilities; they affect Intel and AMD GPU drivers. Intel has not yet released updates for these vulnerabilities. AMD has scheduled driver updates for September 2020. Nvidia GPU drivers are not affected.

DirectWrite Remote Code Execution Vulnerability: CVE-2020-1409

GDI+ Remote Code Execution Vulnerability: CVE-2020-1435

LNK Remote Code Execution Vulnerability: CVE-2020-1421

Microsoft Outlook Remote Code Execution Vulnerability: CVE-2020-1349

Microsoft Office Elevation of Privilege: CVE-2020-1025

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-1374

VBScript Remote Code Execution Vulnerability: CVE-2020-1403

Windows Address Book Remote Code Execution Vulnerability: CVE-2020-1410

PerformancePoint Services Remote Code Execution Vulnerability: CVE-2020-1439

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are continuing to stay safe during these tough times; things are slowly getting better. Thank you.

====================
Nvidia
====================
In early July Nvidia released a security update for GeForce Experience. A further security update was released on the 8th of July for Nvidia’s NVIDIA Jetson AGX Xavier, TX1, TX2, and Nano L4T software development kit (SDK) for Linux.

As was the case with previous Nvidia security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges.

To resolve the local vulnerabilities within GeForce Experience  apply the necessary update by opening GeForce Experience which will automatically update it or the update can be obtained from here.

An updated version of the Nvidia’s NVIDIA Jetson AGX Xavier, TX1, TX2, and Nano L4T software development kit (SDK) is available from NVIDIA DevZone. An alternative means of mitigating the vulnerability is also provided in the security advisory.

Separately as pointed out above in the update prioritisation for Microsoft’s updates, Nvidia have confirmed that their GPU drivers are not affected by the Windows Hyper-V RemoteFX vGPU vulnerabilities responsibly disclosed by the Cisco Talos team.

====================
Google Chrome
====================
In mid-July Google made available Chrome version 84.0.4147.89 or Linux, Mac and Windows to resolving 38 security vulnerabilities and introducing new features (please the see above Google link for details).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:

VMware vSphere ESXi (ESXi)

VMware Workstation Pro / Player (Workstation)

VMware Fusion Pro / Fusion (Fusion)

VMware Cloud Foundation

====================
Advisory 2: Severity: Important:

VMware SD-WAN by VeloCloud (VeloCloud)

====================
Advisory 3: Severity: Important:

VMware Fusion Pro / Fusion (Fusion)

VMware Remote Console for Mac (VMRC for Mac)

VMware Horizon Client for Mac

====================
If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible, especially in the case of the critical security updates.

====================
Wireshark
====================
On the 1st July; Wireshark made available security updates (I’ll detail only the 2 most recent versions here):

v3.2.5: Relating to 1 security advisory for 1 CVE

v3.0.12: Resolves minor non-security bugs.

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.5 or v3.0.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
Apple Security Updates:
=======================
In mid-July; Apple made available the following updates.

Further details for these updates are as follows:

macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra: Resolves 19 CVEs.
watchOS 6.2.8: Resolves 19 CVEs.
Apple tvOS 13.4.8: Resolves 20 CVEs.
Apple iOS 13.6 and iPadOS 13.6: Resolves 29 CVEs.
Safari 13.1.2: Resolves 11 CVEs.

While the following products do not have CVEs associated with them, it is still best practice to use the most updated versions:

Apple iOS 12.4.8
Apple Xcode 11.6
Apple watchOS 5.3.8
=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Steps for updating them are here. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC”

May 2020 Update Summary

I hope this posts finds you doing well in these difficult times.

I’m writing this post early to highlight the availability of 2 important updates, for Mozilla Firefox and Google Chrome. I’ll update the post when Adobe and Microsoft release their expected security updates.

Thank you and please stay safe.

====================
Update: 19th May 2020
====================
Sorry for not updating this post sooner.

As scheduled both Adobe and Microsoft released their monthly security updates addressing 36 vulnerabilities and 111 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as following:

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

Adobe DNG Software Development Kit (SDK): 12x Priority 3 CVEs resolved (4x Critical and 8x Important severity)

Adobe have since released further security updates:

Adobe Audition: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Character Animator: 1x Priority 3 CVE resolved (1x Critical severity)

Adobe Premiere Pro: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Premiere Rush: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

If you use the above Adobe products, please install these updates as soon as possible since they resolve multiple critical vulnerabilities. Similar to January, March and April no updates for Adobe Flash were released.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows Graphics Component: CVE-2020-1135

Visual Studio Code Python Extension: CVE-2020-1058, CVE-2020-1060, CVE-2020-1171 , CVE-2020-1192

Microsoft Internet Explorer: CVE-2020-1062

VBScript Remote Code Execution Vulnerability: CVE-2020-1035

Microsoft Edge CVE-2020-1056 , CVE-2020-1059 , CVE-2020-1096

Microsoft SharePoint: CVE-2020-1023 , CVE-2020-1024, CVE-2020-1102

Windows kernel: CVE-2020-1054, CVE-2020-1143

Windows Media Foundation: CVE-2020-1126

Microsoft Color Management: CVE-2020-1117

Windows Print Spooler: CVE-2020-1048

Microsoft Windows Transport Layer Security Denial of Service Vulnerability: CVE-2020-1118

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May, Mozilla released Firefox 76 and Firefox ESR (Extended Support Release) 68.8 to resolve the following vulnerabilities:

Firefox 76.0: Addresses 3x critical severity CVEs, 2x high severity CVEs, 4x moderate CVEs and 1x low CVE

Firefox 68.8 ESR: Addresses 3x critical severity CVEs, 2x high severity CVEs and 2x moderate severity CVEs

Firefox 76 introduces a new password manager (with the ability to generate difficult to guess passwords) which includes a means of detecting if a password was part of a password breach and now requires changing or the use of the same password on multiple websites.

An improved picture in picture experience is also included. Firefox 76.0.1 has since been released resolving non-security issues such as crashing add-ons e.g. the Amazon Assistant extension and crashing with Nvidia GPU drivers on Windows 7 32 bit (my thanks to Bogdan Popa of Softpedia.com and Mozilla for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 81.0.4044.138 for Linux, Mac and Windows to resolve 3 security vulnerabilities with the most severe 2 issues being of high severity.

In mid-May, Google released version 83 of Google Chrome for Linux, Mac and Windows resolves 38 security vulnerabilities and adds multiple security features and features such as tab groups.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================

VMware released 3 security advisories this month to resolve vulnerabilities within the following products:

====================

Advisory 1: Severity: Critical:
VMware vRealize Operations Application Remote Collector (ARC)

Advisory 2: Severity: Important
VMware Cloud Director

Advisory 3: Severity: Important
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac

====================

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

=======================
Apple Security Updates:
=======================
In mid May Apple made available the following updates. Further details for these updates are as follows:

Apple watchOS 6.2.5: Resolves 34x CVEs (defined)

Apple watchOS 5.3.7: Resolves 2x CVEs
Apple xCode 11.5: Resolves 1x CVE
Apple tvOS 13.4.5: Resolves 34x CVEs
Apple iOS 13.5 and iPadOS 13.5: Resolves 47x CVEs
Apple iTunes 12.10.7 for Windows: Resolves 12x CVEs
Apple iCloud for Windows 7.19 (for Windows 7): Resolves 12x CVEs
Apple Safari 13.1.1: Resolves 10x CVEs
Windows Migration Assistant 2.2.0.0: Resolves 1 CVE
Apple iCloud 11.2 for Windows 10 (available from the Microsoft Store): Resolves 12x CVEs
macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra: Resolves 54x CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In the second half of May, Wireshark made available the following updates (I’ll detail only the 2 most recent versions here):

v3.2.4: Relating to 1 security advisory (relating to 1 CVE)
v3.0.11: Relating to 1 security advisory (relating to 1 CVE)

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.4 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

March 2020 Update Summary

====================
Update: 28th March 2020
====================
I have added the details of the security updates released by Apple on the 24th March near the end of this post. Thank you.

====================
Update: 25th March 2020
====================
Adobe has released a further update for Creative Cloud Desktop. I have added the details below to the Adobe updates list.

VMware have also released VMware Fusion 11.5.3 to more completely address a previously patched vulnerability. Details are below in the VMware updates list.

Thank you.

====================
Update: 23rd March 2020
====================

Since originally writing this post, Adobe published their security updates a week later than usual. Further details are listed below.

Thank you.

====================
Adobe
====================
Adobe Acrobat and Reader: 13x Priority 2 CVEs (defined)resolved (9x Critical and 4x Important severity)
Adobe Bridge: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe ColdFusion:  2x Priority 2 CVEs resolved (2x Critical severity)
Adobe Creative Cloud Desktop: 1x Priority 2 CVE resolved (1x Critical severity)
Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Genuine Integrity Service: 1x Priority 3 CVE resolved (1x Important severity)
Adobe Photoshop: 21x Priority 3 CVEs resolved (15x Critical and 6x Important severity)

====================
Update: 15th March 2020:
====================
Security researcher Kevin Beaumont has provided further details of the critical SMBv3.1 vulnerability affecting Windows 10 Version 1903 and 1909. In summary the vulnerability is not trivial to exploit and the number of systems at the time of writing (13th March) vulnerability to the exploit had already dropped by 25%.

====================
Update: 12th March 2020:
====================
Microsoft have released an update to resolve the SMBv3 vulnerability now designated CVE-2020-0796, (EternalDarkness or SMBGhost) please apply it to any Windows 10 Server or Windows 10 workstation system running Windows 10 Version 1903 or 1909 as soon as possible. Please also make certain that such systems are not exposing port 445 to the internet (please seethe FAQ in their information on the relevant update).

An internet scan by security researchers of vulnerable estimates that there are 48,000 vulnerable Windows 10 systems. You can use the ollypwn scan (created by a Danish security researcher) can be used to check if a system is vulnerable.

I wish to add the following useful clarification (which was written before the Microsoft security update became available) from Richard Melick, senior technical product manager at Automox in relation to this SMBv3 vulnerability:

“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities. But that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch…it’s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today”.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Update: 11th March 2020
====================
As expected, yesterday Microsoft  released their scheduled updates to resolve 115 CVEs (defined). Unusually for this month, Adobe has not released any updates.

Microsoft’s monthly summary; lists Known Issues for 14 Microsoft products but all have workarounds or resolution steps listed just as the previous month’s did.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
For Windows or Windows Server system (Version 1903 and 1909) systems that uses SMBv3, please follow Microsoft’s guidance in the following security advisory while an update is not yet available. Please apply the update as soon as it is made available:

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

Please also make certain that TCP port 445 is blocked at the enterprise perimeter firewall to prevent exploitation.

This vulnerability is “wormable” meaning that similar to the WannaCry malware and the BlueKeep vulnerability if exploited it may lead to a very large malware outbreak in a very short time.

====================

Windows LNK: CVE-2020-0684
Windows Media Foundation: CVE-2020-0801 , CVE-2020-0807 , CVE-2020-0809,  CVE-2020-0869
Microsoft Internet Explorer: CVE-2020-0824
Microsoft Browsers: CVE-2020-0768

Microsoft Scripting Engine: CVE-2020-0830 , CVE-2020-0847, CVE-2020-0833 , CVE-2020-0832, CVE-2020-0829 , CVE-2020-0813 , CVE-2020-0826, CVE-2020-0827 , CVE-2020-0825 , CVE-2020-0831, CVE-2020-0811, CVE-2020-0828, CVE-2020-0848, CVE-2020-0823, CVE-2020-0812

Microsoft GDI+: CVE-2020-0881, CVE-2020-0883
Microsoft Word: CVE-2020-0852
Microsoft Dynamics: CVE-2020-0905
Microsoft Edge: CVE-2020-0816

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Netgear
====================
On the 3rd of March, Netgear released 25 security advisories for its modem-router gateways, approximately 40 routers and a range extender. The vulnerability range up to critical in severity.

If you own a Netgear router, range extender or modem-router gateway, please use the guidance within this article (many thanks to Tom’s Guide for this advice and the appropriate how to check for updates steps) to locate your Netgear device model e.g. R6400 and to match it against the available security bulletins to check if your device requires a firmware (defined) update sometimes called a software update. Please install the update if one is available. The above linked to article also describes the varied methods to update your Netgear device.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel Smart Sound Technology Advisory
BlueZ Advisory
Intel NUC Firmware Advisory

Medium
Intel MAX 10 FPGA Advisory
Intel Processors Load Value Injection Advisory
Snoop Assisted L1D Sampling Advisory
Intel Optane DC Persistent Memory Module Management Software Advisory
Intel FPGA Programmable Acceleration Card N3000 Advisory
Intel Graphics Drivers Advisory

====================
Mozilla Firefox
====================
Yesterday, Mozilla released Firefox 74 and Firefox ESR (Extended Support Release) 68.6 to resolve the following vulnerabilities:

Firefox 74.0: Addresses 6x high severity CVEs, 6x medium severity CVEs and 1x low CVE

Firefox 68.6 ESR: Addresses 5x high severity CVEs and 3x medium severity CVEs

Firefox 74 also removes support TLS 1.0 (what is TLS, defined) and 1.1 as per Mozilla’s previous timelime, adds a Facebook Container add-in to limit how much the social tracks you across other sites and blocks the ability for other applications to install Firefox add-ons without your knowledge or consent. Further details of these features and other features added can be found within this article (my thanks to Lawrence Abrams of Bleepingcomputer.com for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 80.0.3987.132 for Linux, Mac and Windows to resolve 4 security vulnerabilities with the most severe being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Apple Security Updates:
=======================
On the 24th of March Apple made available the following updates. Notable fixes affect the kernels of macOS, iOS and iPadOS, WebKit (the renderer of Safari), Bluetooth and Safari.

These updates bring Safari to version 13.1 and add updates to its Intelligence Tracking Prevention (ITP) privacy feature while also introducing a block on all 3rd party cookies (defined) by default.

Further details for these updates are as follows:
Apple iOS v13.4 and iPadOS 13.4 (resolves 35x CVEs (defined))
Apple tvOS 13.4: Resolves 20x CVEs.
Apple watchOS 6.2: Resolves 17x CVEs
Apple watchOS 5.3.6 (no CVEs resolved)
Apple iTunes version 12.10.5 for Windows: Resolves 13x CVEs
macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra: Resolves 27x CVEs.
Safari 13.1: Resolves 11 CVEs
Apple iCloud for Windows 10.9.3: Resolves 13 CVEs
Apple iCloud for Windows 7.18: Resolves 13 CVEs
Xcode 11.4: Resolves 1 CVE (?: Apple’s post provides little details)

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
OpenSSL
====================
On the 17th March the OpenSSL Foundation issued OpenSSL 1.1.1e (download/installation links included) which includes a low severity security fix.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

====================
VMware
====================
VMware have so far released 2 security advisories this month to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
====================
Advisory 2: Severity: Important:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac
VMware Horizon Client for Windows
====================

Advisory 2 (above) has been updated by VMware to state VMware Fusion has been updated to version 11.5.3 to more comprehensively resolve the vulnerability designated CVE-2020-3950. Please make certain if you use VMwre Fusion that it is the latest version available.

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

December 2019 Update Summary

As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.

Adobe resolved 25 CVEs this month with Microsoft separately patching 36 CVEs (defined).
====================
Adobe Brackets (an open source (the source code (human readable code) is free to view and edit by the wider IT community) application development editor focused on web development): 1x Priority 3 CVE resolved (1x Critical severity)

Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)

Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
====================

Within Microsoft’s monthly summary; there are Known Issues for 17 Microsoft products but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468

Microsoft Windows Kernel (defined): CVE-2019-1458

Windows Hyper-V: CVE-2019-1471

Microsoft Visual Studio: CVE-2019-1349 , CVE-2019-1350 , CVE-2019-1352 , CVE-2019-1354 , CVE-2019-1387

Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs (defined) and used for Windows Hello for Business: Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:

Firefox 71.0: Resolves 6x high severity CVEs (defined) and 5x moderate CVEs

Firefox ESR 68.3 (Extended Support Release): Resolves 4x high severity CVEs and 4x moderate CVEs

Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.

The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
AMD
=======================
In early December AMD issued a security advisory for its GPU and APU (defined) drivers (defined). It resolves 2 vulnerabilities CVE-2019-5049 and CVE-2019-5098. The steps to install the drivers on Windows are located here with a guide for Linux available here. Please make certain the drivers are version 20.1.1 or later (as per multiple recommendations from Talos, 1 , 2 and 3). As per those same recommendations if you use VMware Player or Workstation Pro, please make certain it is version 15.5.1 or later. If you use the affected AMD graphics cards, please consider updating your drivers to the most recent available.

====================
Nvidia
====================
In late December Nvidia released a security update for Nvidia Geforce Experience to resolve a vulnerability that may lead to a denial of service (defined) issue or an escalation of privilege (defined) issue. This vulnerability is a local vulnerability rather than remote meaning that an attacker would first need to compromise your system before exploiting this vulnerability to elevate their privileges. To resolve this local vulnerability within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The high priority advisories are the following:

High
Linux Administrative Tools for Intel Network Adapters Advisory

Intel NUC Firmware Advisory

The remaining advisories are of medium and low priority:

Medium
Intel Quartus Prime Pro Edition Advisory

Intel RST Advisory (see also my separate post on this vulnerability)

Control Center-I Advisory

Intel SCS Platform Discovery Utility Advisory

Unexpected Page Fault in Virtualized Environment Advisory

Intel FPGA SDK for OpenCL Advisory

Low
Intel Ethernet I218 Adapter Driver for Windows Advisory

Intel Dynamic Platform and Thermal Framework Advisory

====================
VMware
====================
Similar to last month, VMware released 2 further security advisories, the first is of critical severity with the second being of moderate severity relating to the products:

Critical Severity Advisory:

VMware ESXi
VMware Horizon DaaS appliances

Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
OpenSSL
====================
On the 6th December; the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Apple Security Updates
=======================
Throughout December Apple has released security updates for the following products:

Apple iOS v12.4.4 and 13.3 / iPad OS 13.3: Resolves 1 CVE (defined) and 14 CVEs (respectively)

Apple Safari 13.0.4: Resolves 2 CVEs

Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs

Apple tvOS 13.3: Resolves 11 CVEs

Apple watchOS 5.3.4 and 6.1.1: Resolves 1 CVE and 10 CVEs (respectively)

Apple Xcode 11.3: Resolves 1 CVE

Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs

Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs

Apple iCloud for Windows 10.9: Resolves 4 CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In early December the following Wireshark updates were released:

v3.0.7: 1 security advisory

v2.6.13: 1 security advisory

The above v3.0.7 version was later super seceded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.7 or v2.6.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

June 2018 Update Summary

=======================
Update: 12th June 2018:
=======================
As scheduled Microsoft released their monthly security updates earlier today resolving 50 vulnerabilities. Further details are available within their Security Updates Guide.

In addition; there are 5 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4284819
4284835
4284826
4284867
4284880

====================
Adobe have not released any further updates since their out of band (un-scheduled) update last week.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page.
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here courtesy of BleepingComputer:
====================

CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability (a zero day (defined) vulnerability disclosed last month)

Microsoft Edge and Internet Explorer (similar to many other months; multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability

CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability (especially if your server hosts a Microsoft IIS installation)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Original Post:
=======================
I usually write this post on or very shortly after Update Tuesday (the second Tuesday) of the month but with an Adobe Flash zero day vulnerability (defined) already patched and given that Mozilla have also released an update this month; I felt an earlier post would be appropriate.

I’ll update this post as further updates are made available. Thank you.

=======================
Mozilla Firefox:
=======================
Early in June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

6th June: Firefox 60.0.2 and Firefox ESR 52.8.1 and Firefox ESR 60.0.2: Resolves 1x high CVE (defined). This was a heap buffer overflow.

Further details of the security issues resolved by these updates are available in the link above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

In the final week of June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

=======================
26th June:
=======================
Firefox 61: Resolves 6x critical CVEs (defined), 5x high CVEs, 6x moderate CVEs, 1x low CVE

Firefox ESR 60.1: Resolves 5x critical CVEs, 4x high CVEs and 6x moderate CVEs.

Firefox ESR 52.9: Resolves 2x critical CVEs, 4x high CVEs, 3x moderate CVEs.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
=======================

=======================
Update: 19th June
=======================
=======================
Apple Security Updates: Update: 19th June
=======================
Following Apple’s release of security updates in the final days of May; they have made available further updates detailed below:

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan: Resolves 39x CVEs (defined)

Safari 11.1.1: Resolves 14x CVEs

Apple iCloud for Windows (version 7.5): Resolves 17x CVEs

Apple Xcode version 9.4.1: Resolves 2x CVEs

Apple SwiftNIO 1.8.0: Resolves 1 CVE (For your reference: What is Apple SwiftNIO?)

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Please find below summaries of other notable updates released this month.

Thank you.

=======================
F-Secure Security Products:
=======================
As mentioned in a previous post; 7-Zip has been updated to version 18.05 to resolve a vulnerability in it’s RAR packing code. The F-Secure products listed in this security advisory utilise this 7-Zip DLL (defined) and are thus being updated for the same reason.

If you use these F-Secure products, please install this critical update as soon as possible.

=======================
Google Chrome:
=======================
Google released Google Chrome version 67.0.3396.87 to address 1 vulnerability.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMWare issued updates for the following products on the 11th and 28th of June to address 1 and 3 vulnerabilities respectively:

11th June:

• VMware AirWatch Agent for Android (A/W Agent)
• VMware AirWatch Agent for Windows Mobile (A/W Agent)

26th June:

• VMware vSphere ESXi (ESXi)
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro, Fusion (Fusion)

Please review the above linked to security advisories and apply the necessary updates if you use these products.

=======================
OpenSSL
=======================
On the 12th of June; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Intel Lazy Floating Point Vulnerability:
=======================
Please see my separate post for details.

Apple Releases Xcode Security Update

In early May Apple made available a security update for their Xcode development tool bringing it to version 7.3.1. This updates resolves 1 critical severity issue assigned to 2 CVEs (defined).

This heap based (the concept of a heap is defined here) buffer overflow (defined) issue was addressed by updating Xcode’s built in Git (a convenient version control system used for software development) to version 2.7.4. This issue was caused by the mishandling of filenames. Further technical details are available here.

As always, full details of all of these updates are provided on Apple’s Security Updates page. Further release notes are available here.

If you make use of Apple Xcode, please install the appropriate update as soon as possible. For advice on how to install Apple updates, please see the resources available on the “Protecting Your PC” page of this page (in this context PC is being used in the general sense of a personal computer and does not in this case refer to a computer using a Microsoft operating system).

Thank you.

Apple Releases Security Updates To Address iMessage Vulnerability

Yesterday Apple released a very large collection of security updates that affect most of their product range to address issues among them the widely published vulnerability in the iMessage app:

=======================

• Apple iOS 9.3: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
• Apple watchOS 2.2: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
• Apple tvOS 9.2: For Apple TV (4th generation)
• Apple Xcode 7.3: For OS X El Capitan v10.11 and later
• Apple OS X El Capitan v10.11.4 and Security Update 2016-002: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3
• Apple Safari 9.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3
• Apple OS X Sever 5.1: For OS X Yosemite v10.10.5 and later

=======================
As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

Without question the most important update is for iOS bringing it to version 9.3. This issue is also present in watchOS and OS X. These updates resolve the cryptographic flaw in Apple’s iMessage app as reported by Matthew Green and his team of research students known as CVE-2016-1788 (defined). I will provide more detail on this vulnerability below.
=======================

Noteworthy fixes included are as follows:

Apple iOS 9.3: Resolves 38 CVEs and includes fixes for AppleUSBNetworking, FontParser, HTTPProtocol, iOS kernel (defined), libxml2, Security, TrueTypeScaler, WebKit (and associated components and Wi-Fi (among others).

Apple watchOS 2.2: Resolves 34 CVEs and includes fixes for DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple tvOS 9.2: Addresses 23 CVEs, the most severe present in the following components: DiskImages, FontParser, HTTPProtocol, IOHIDFamily, watchOS kernel, libxml2, Messages, Security, syslog, TrueTypeScaler, WebKit and Wi-Fi.

Apple Xcode 7.3: Resolves 2 critical CVEs.

Apple OS X El Capitan v10.11.4 and Security Update 2016-002: Resolves 59 CVEs the most severe being present in the following: apache_mod_php, AppleRAID (defined), AppleUSBNetworking, Bluetooth, Carbon, dyld, FontParser, HTTPProtocol, Intel Graphics Driver (defined), IOGraphics, IOUSBFamily, OS X kernel, libxml2, Messages, Nvidia Graphics Drivers, OpenSSH, OpenSSL, Python, QuickTime, Ruby, Security, Tcl, TrueTypeScaler, Wi-Fi.

Update: 30th March 2016:
The update for OS X 10.11 (El Capitan) also addresses a vulnerability in the System Integrity Protection (SIP) present in the most recent version of the OS. This vulnerability was assigned the following CVE: CVE-2016-1757 Further discussion of this vulnerability is available here.

Apple Safari 9.1: Resolves 12 CVEs the most critical being present in the libxml2 and WebKit (the renderer of Safari).

Apple OS X Server 5.1: Addresses 4 CVEs the most severe of which could allow information disclosure.

An alternative summary of these updates is available within Intego’s blog post.

=======================
Why Should The Critical Cryptographic Flaw Resolved in the Updated Messages App be Considered Important?
From the information that has been made available on this attack it appears to be a side-channel attack; namely one where real world data is gathered in how the cryptosystem works. This is then used to attack it. If an attacker were to access Apple’s servers without being detected and obtained cipher texts(encrypted messages sent using iMessage) they could given sufficient time decrypt the attachments of the messages which can be photos or other files providing that either the sender or receiver of that encrypted message is online.

The tests to decrypt the attachments are done by sending 2^18 (invisible) encrypted messages to the target device. For each response, an attacker can tell if they “guessed” the encryption of that segment of the attachment correctly. This process must be repeated over and over until the entire attachment has been decrypted. It took the researchers over 70 hours to complete a proof of concept attack using un-optimized code but they estimate with optimized code only a fraction of 1 day would be needed.

A more complete technical description is available in Matthew Green’s blog post.

How Can I Protect Myself From This Issue?
As mentioned below if you own any devices that have Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates December 2015

On the 8th and 11th of December Apple released numerous security updates for the following products:

=======================

• Apple iOS 9.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
• Apple tvOS 9.1: For Apple TV (4th generation)
• Apple OS X: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 (2 updates), OS X El Capitan v10.11 and v10.11.1
• Apple watchOS v2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
• Apple Safari 9.0.2: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
• Apple Xcode 7.2: For OS X Yosemite v10.10.5 or later
• Apple iTunes 12.3.2: For Windows 7 and later

=======================

Comprehensive details of all of these updates are provided on Apple’s Security Updates page.

If you wish to prioritize these updates I would suggest beginning with installing the updates for iOS, OS X, watchOS and tvOS as well as Safari due to the number and severity of the issues they address (the most serious resulting in an attacker having the ability to run code of their choice (remote code execution) with kernel or system level privileges).

Noteworthy fixes included are as follows:

Apple iOS 9.2: Resolves 51 CVEs (defined) and includes fixes for AppleMobileFileIntegrity, CoreGraphics, GPUTools Framework, ImageIO, iOS Kernel, libc, MobileStorageMounter, iOS Safari and WebKit (among others)

Apple OS X and Security Update 2015-006 Yosemite: Resolves 55 CVEs which includes fixes for apache_mod_php, AppSandbox, Bluetooth, , CoreGraphics, CoreMedia Playback, EFI, Intel Graphics Driver, OS X kernel, libc, OpenGL, OpenSSH and System Integrity Protection (among others).

Apple tvOS 9.1: Resolves 45 CVEs including security issues within AppleMobileFileIntegrity, CoreGraphics, CoreMedia Playback, ImageIO, tvOS kernel, libc, MobileStorageMounter, OpenGL and WebKit (among others).

Apple watchOS 2.1: Resolves 30 CVEs within components such as AppSandbox, CoreGraphics, CoreMedia Playback, FontParser, GasGauge, ImageIO, watchOS kernel, libc, OpenGL and Sandbox (among others).

Apple Safari 9.0.2: Resolves 12 CVEs all within WebKit (the renderer of Safari).

Apple Xcode 7.2: Resolves 4 CVEs. The most serious of which were present within the otools component of Xcode.

Apple iTunes 12.3.2: Resolves 12 CVEs: all within WebKit. This updates applies to the Windows version of iTunes only.
=======================

If you use any of the above software, please install the appropriate updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Apple Releases Security Updates October 2015

On Wednesday of last week Apple made available a large collection of security updates to resolve vulnerabilities across it’s product range:

=======================

• Apple OS X Server 5.0.15: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later).
• Apple Xcode 7.1: For OS X Yosemite v10.10.5, OS X El Capitan v10.11.1 or later.
• Mac EFI: For OS X Mavericks v10.9.5.
• Apple iTunes: For Windows 7 and later (while this was also available for Apple systems it does not appear to contain security related changes i.e. Apple devices may not be vulnerable to those vulnerabilities).
• OS X El Capitan 10.11.1 and Security Update 2015-007: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
• Apple Safari 9.0.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.
• Apple watchOS v2.0.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes.
• Apple iOS 9.1: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.

=======================

Full details on all updates are available on Apple’s Security Updates page. If you wish to prioritize these updates I would suggest beginning with installing the updates for OS X, iOS, watchOS, Safari and OS X Server due to the number and severity of the vulnerabilities that they address.

Noteworthy fixes included are as follows:

OS X Server 5.0.15: Resolves 3 CVEs (defined) with potentially high severity (includes 2 CVEs in ISC BIND).

Apple Xcode 7.1: Addresses a Swift type conversion issues (1 CVE).

Mac EFI Security Update 2015-002: Addresses 1 potentially high severity CVE

Apple iTunes 12.3.1: Addresses 12 critical CVEs.

Apple OS X El Capitan 10.11.1 and Security Update 2015-007: Addresses 60 CVEs and includes fixes for apache_mod_php, CoreText, EFI, FontParser, Grand Central Dispatch, Graphics Drivers, OS X kernel, OpenGL and OpenSSH (among others).

Apple Safari 9.0.1: Addresses 9 critical CVEs in WebKit (the renderer of Safari).

Apple watchOS v2.0.1: Resolves 14 CVEs which includes fixes for Apple Pay, CoreGraphics, FontParser and Grand Central Dispatch (among others).

Apple iOS 9.1: Includes fixes for 49 CVEs; notable fixes of which are CoreGraphics, CoreText, FontParser, Grand Central Dispatch, Graphics Driver, iOS kernel, OpenGL and WebKit (among others).

If you use any of the above software, please install the appropriate updates as soon as possible.
As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

Please see these links from Apple for advice on backing up your iPhone and iPad especially since the iOS upgrade is a significant one.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Thank you.

Blog Post Shout Out September 2015

Update: 24th November 2015:
Since this blog post was written FireEye have continued to monitor the command and control servers (defined) of XcodeGhost to determine where devices are located that are connecting to these servers and to determine if this malware still poses a threat. They have also found an updated version of XcodeGhost that they have named “XcodeGhost S”.

FireEye have worked with Apple to remove an app from the App Store that was found to be infected with this new variant of the malware.

In addition, an app development firm Possible Mobile has detailed in a blog post how their newly updated app that was built with a verifiably legitimate version of Apple Xcode was being rejected by Apple since their app contained the XcodeGhost malware. It was eventually found that while the code written by Possible Mobile was clean, the third party libraries and frameworks used to provide essential functionality within their app were found to contain the infected code. How Possible Mobile resolved this issue, is detailed in their blog post.

How Can I Protect Myself From This Issue?
In addition to the guidance provided within the blog posts linked to below I would recommend the following:

1. If you are an app developer and are submitting apps to the Apple App Store it may be worthwhile to follow the steps within Possible Mobile’s blog post concerning validating your copy of Apple Xcode and checking any third party libraries for infection.
2. As detailed in FireEye’s blog post, for all of the apps installed on your Apple devices, ensure they are the latest versions. This Apple Support article explains how to enable automatic app updates. This is important since later versions of apps should not contain this malware. FireEye discovered large numbers of users (exact figures are provided in this FireEye blog post) still using older versions of their app which still contained the infected code).
3. If you were using one of the apps removed by Apple from the App Store, uninstall those apps and switch to similar/alternative apps available within the App Store.
4. Ensure that your Apple device is using the most recent version of iOS that is available for your device. If your device is too old to support iOS 9, this blog post may help to explain your options. Updating to most recent iOS will ensure that you are not affected by the original version of XcodeGhost. Moreover, iOS 9 and iOS 9.1 contain many fixes for other security vulnerabilities.

Thank you.

=======================
Original Post:
=======================
In recent days there has been detailed coverage of a new technique used to tamper with legitimate Apple iOS apps by adding extra code to those apps when they were being compiled (converted from human written source code into a form that a computer can use). That additional code called XcodeGhost was also found to contain a vulnerability that could allow remote access to the infected apps using a man-in-the-middle (MITM) (defined) attack as discussed in the ThreatPost article mentioned below.

In addition, a new technique used by malware authors to install a rootkit (see Aside below for a definition) on a user’s Android smartphone by having them download a popular app has also been discovered.

In order to provide advice and further information on how to protect yourself from these threats I wanted to respectfully give a shout out for the following new articles and blog posts:

• XcodeGhost continues to haunt users of the iOS App Store by Graham Cluley (writing for Lumension)
• Apple’s App Store hit by the XCodeGhost of malware present by Paul Ducklin (Sophos) (this post provides advice mainly focused on Apple iOS app developers)
• Xcodeghost Malware Stirring Up More Trouble by Michael Mimoso (Kaspersky ThreatPost)
• Apple lists 25 apps affected by XcodeGhost by John Ribeiro (ComputerWorld.com) (mentions that all infected apps have been removed from the App Store)
• Apple devs: Don’t let Apple’s Xcode validation scare you by Eric Knorr (InfoWorld.com)
• BrainTest – A New Level of Sophistication in Mobile Malware by Andrey Polkovnichenko and Alon Boxiner (CheckPoint)(Android Malware)

I hope that you find these useful in further securing your Apple iOS or Google Android based smartphone from malware.

Thank you.

=======================
Aside:
What is a rootkit?
To provide a comprehensive definition of a rootkit I have chosen to quote from 2 well-known texts on the subject written by Reverend Bill Blunden in his book “The Rootkit Arsenal” (1st edition, Wordware Publishing 2009) and “Rootkits: Subverting the Windows Kernel” by Greg Hoglund and James Butler (Addison-Wesley, 2005). My thanks to them for providing excellent sources of information on this topic:

“A rootkit is a collection of tools (e.g. binaries, scripts, configuration files) that allow intruders to conceal their activity on a computer so that they can covertly monitor and control the system for an extended period of time by maintaining access to the root (defined) account.

While the above definition mentions a computer it still applies equally to smartphones since they run sophisticated operating systems, in this case Google Android.
=======================