Earlier this month Adobe and Microsoft made available their expected security updates. These updates resolve 13 and 123 vulnerabilities (respectively) more formally known as CVEs (defined).
An interesting fact pointed out by ZDI is that this makes “five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month. They have already passed their totals for 2017 (665) and 2018 (691)”.
I believe that while this gives us all more work to apply the patches, overall we are becoming safer since more issues are being discovered and resolved.
Let’s begin with Adobe’s updates:
Adobe Bridge: 3x Priority 3 CVEs resolved (3x Critical Severity)
Adobe ColdFusion: 2x Priority 2 CVEs resolved (2x Important Severity)
Adobe Creative Cloud Desktop Application: 4x Priority 2 CVEs (1x Critical and 3x Important Severity)
Adobe Download Manager: 1x Priority 3 (1x Critical Severity)
Adobe Genuine Service: 3x Priority 3 (3x Important Severity)
Adobe Media Encoder: 3x Priority 3 (2x Critical Severity, 1x Important Severity)
Adobe Photoshop: 5x Priority 3 CVEs resolved (5x Critical Severity)
If you use any of the above Adobe products, especially those with critical severity updates, please install these updates as soon as possible.
Microsoft’s monthly summary lists Known Issues for 11 Microsoft products, but all have workarounds or corrective updates.
====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
The highest priority update for this month is the Windows DNS Server vulnerability. Please see my dedicated post for more details.
Windows SharedStream Library Elevation of Privilege Vulnerability: CVE-2020-1463
Windows Font Library Remote Code Execution Vulnerability: CVE-2020-1436
GDI+ Remote Code Execution Vulnerability: CVE-2020-1435
.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability: CVE-2020-1147
Windows Hyper-V RemoteFX vGPU Vulnerabilities: CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043
These Hyper-V vulnerabilities affect Intel and AMD GPU drivers. Intel has not yet released updates for these vulnerabilities. AMD has scheduled driver updates for September 2020. Nvidia GPU drivers are not affected.
DirectWrite Remote Code Execution Vulnerability: CVE-2020-1409
LNK Remote Code Execution Vulnerability: CVE-2020-1421
Microsoft Outlook Remote Code Execution Vulnerability: CVE-2020-1349
Microsoft Office Elevation of Privilege: CVE-2020-1025
Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-1374
VBScript Remote Code Execution Vulnerability: CVE-2020-1403
Windows Address Book Remote Code Execution Vulnerability: CVE-2020-1410
PerformancePoint Services Remote Code Execution Vulnerability: CVE-2020-1439
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications and devices below.
To all of my readers and your families, I hope you are continuing to stay safe during these tough times; things are slowly getting better. Thank you.
====================
Nvidia
====================
In early July, Nvidia released a security update for GeForce Experience. A further security update was released on the 8th of July for the NVIDIA Jetson AGX Xavier, TX1, TX2, and Nano L4T software development kit (SDK) for Linux.
As was the case with previous Nvidia security updates, all of these vulnerabilities are local rather than remote, meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges.
To resolve the local vulnerabilities within GeForce Experience, apply the necessary update by opening GeForce Experience, which will automatically update it; alternatively, the update can be obtained from here.
An updated version of the NVIDIA Jetson AGX Xavier, TX1, TX2, and Nano L4T software development kit (SDK) is available from NVIDIA DevZone. An alternative means of mitigating the vulnerability is also provided in the security advisory.
Separately, as pointed out above in the update prioritisation for Microsoft’s updates, Nvidia have confirmed that their GPU drivers are not affected by the Windows Hyper-V RemoteFX vGPU vulnerabilities responsibly disclosed by the Cisco Talos team.
====================
Google Chrome
====================
In mid-July, Google made available Chrome version 84.0.4147.89 for Linux, Mac and Windows, resolving 38 security vulnerabilities and introducing new features (please see the above Google link for details).
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:
====================
Advisory 1: Severity: Critical:
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation
====================
Advisory 2: Severity: Important:
VMware SD-WAN by VeloCloud (VeloCloud)
====================
Advisory 3: Severity: Important:
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac
====================
If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible, especially in the case of the critical security updates.
====================
Wireshark
====================
On the 1st of July, Wireshark made available security updates (I’ll detail only the 2 most recent versions here):
v3.2.5: Relating to 1 security advisory for 1 CVE
v3.0.12: Resolves minor non-security bugs.
As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.2.5 or v3.0.12)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.
For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================
Apple Security Updates:
=======================
In mid-July, Apple made available the following updates.
Further details for these updates are as follows:
macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra: Resolves 19 CVEs.
watchOS 6.2.8: Resolves 19 CVEs.
Apple tvOS 13.4.8: Resolves 20 CVEs.
Apple iOS 13.6 and iPadOS 13.6: Resolves 29 CVEs.
Safari 13.1.2: Resolves 11 CVEs.
While the following products do not have CVEs associated with them, it is still best practice to use the most updated versions:
Apple iOS 12.4.8
Apple Xcode 11.6
Apple watchOS 5.3.8
=======================
Please see these links from Apple for advice on backing up your iPhone and iPad. Steps for updating them are here. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.
As always, further details of these updates are available on Apple’s dedicated security updates page.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC”