Tag Archives: Azure DevOps

September 2019 Update Summary

Today is the 2nd Tuesday of the month, when both Adobe and Microsoft routinely release their scheduled security updates.

Similar to last month Microsoft have released many updates resolving 79 vulnerabilities more formally known as CVEs (defined). It was a light month for Adobe releasing 2 updates resolving 3 vulnerabilities.

====================
Adobe Application Manager: 1x Priority 2 vulnerability resolved (Important severity)
Adobe Flash Player: 2x Priority 3 vulnerabilities resolved (Critical severity)

If you use either of these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Flash Player update.
====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Almost all issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Windows LNK Remote Code Execution Vulnerability: CVE-2019-1280

Microsoft Scripting Engine: CVE-2019-1298

Microsoft Scripting Engine: CVE-2019-1300

Microsoft Scripting Engine: CVE-2019-1217

Microsoft Scripting Engine: CVE-2019-1208

Microsoft Scripting Engine: CVE-2019-1221

Microsoft Scripting Engine: CVE-2019-1237

Windows RDP: CVE-2019-1291

Windows RDP: CVE-2019-1290

Windows RDP: CVE-2019-0788

Windows RDP: CVE-2019-0787

Team Foundation Server/Azure DevOps: CVE-2019-1306

Microsoft Office SharePoint: CVE-2019-1295

Microsoft Office SharePoint: CVE-2019-1257

Microsoft Office SharePoint: CVE-2019-1296

Common Log File System Driver (defined): CVE-2019-1214

Microsoft Windows Elevation of Privilege Vulnerability (defined): CVE-2019-1215

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On September the 3rd Mozilla released Firefox 69.0 to address the following vulnerabilities and to introduce new privacy features:

Firefox 69.0: Resolves 1x critical CVE (defined), 11x high CVEs, 4x moderate and 3x low CVEs

Firefox ESR 68.1 (Extended Support Release): Resolves 1x critical, 9x high, 4x moderate and 2x low CVEs

Firefox 60.9 ESR : Resolves 1x critical CVE, 7x high CVEs and 1x moderate CVE

Highlights from version 69 of Firefox include:
Blocks 3rd party cookies and cryptominers (using Enhanced Tracking Protection) by default (blocking of fingerprinting scripts will be the default in a future release)

Adobe Flash disabled by default (must be re-enabled if needed)

Separately Mozilla is facing criticism over their plans to gradually roll-out DNS over HTTPS (DoH) later this month since all DNS traffic would go to only one provider, Cloudflare. Google Chrome will implement a similar feature soon (further details are available in the above link also regarding Mozilla).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

Thank you.

July 2019 Update Summary

As predicted; earlier today Adobe and Microsoft made available their usual monthly security updates addressing 5 and 77 vulnerabilities (respectively) more formally known as CVEs (defined):

====================
Adobe Bridge CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Dreamweaver: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Experience Manager: 3x Priority 2 vulnerabilities : 2x Important, 1x Moderate severity resolved

If you use any of these Adobe products, please apply the necessary updates as soon as possible.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Just like last month; Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Servicing stack update for Windows Server 2008 SP2

4507434                Internet Explorer 11

4507435                Windows 10, version 1803

4507448                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4507449                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4507450                Windows 10, version 1703

4507453                Windows 10, version 1903, Windows Server version 1903

4507455                Windows 10, version 1709

4507457                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4507458                Windows 10

4507460                Windows 10 1607 and Windows Server 2016

4507462                Windows Server 2012 (Monthly Rollup)

4507464                Windows Server 2012 (Security-only update)

4507469                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Zero-day (defined) vulnerabilities:
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability

CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability

====================
Critical
====================
CVE-2019-0785  Windows DHCP Server Remote Code Execution Vulnerability

CVE-2019-1072  Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

CVE-2019-1056  Scripting Engine

CVE-2019-1106  Scripting Engine

CVE-2019-1092  Scripting Engine

CVE-2019-1103  Scripting Engine

CVE-2019-1107  Scripting Engine

CVE-2019-1062  Scripting Engine

CVE-2019-1004  Scripting Engine

CVE-2019-1001  Scripting Engine

CVE-2019-1063  Internet Explorer Memory Corruption Vulnerability

CVE-2019-1104  Microsoft Browser Memory Corruption Vulnerability

CVE-2019-1102  GDI+ Remote Code Execution Vulnerability

CVE-2019-1113  .NET Framework Remote Code Execution Vulnerability

Servicing Stack Update

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
Today, Mozilla released Firefox 68.0 to address the following vulnerabilities and to introduce new features:

Firefox 68.0: Resolves 2x critical CVEs (defined), 3x high CVEs, 10x moderate and 4x low CVEs

Firefox 60.8 ESR (Extended Support Release): Resolves 1x critical CVE, 4x high CVEs and 5x moderate CVEs

Firefox now also includes cryptomining protection and fingerprinting protections and improved add-on security (my thanks to Softpedia for this information, more details on other security features are here).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware ESXi
=======================
Earlier today VMware made available an update for ESXi version 6.5. Version 6.0 is unaffected and a patch for 6.7 is pending. This update resolves a denial of service vulnerability.

If you use VMware ESXi, please update when you can.

Thank you.