Tag Archives: Corporate Security

May 2020 Update Summary

I hope this post finds you doing well in these difficult times.

I’m writing this post early to highlight the availability of 2 important updates, for Mozilla Firefox and Google Chrome. I’ll update the post when Adobe and Microsoft release their expected security updates.

Thank you and please stay safe.

====================
Update: 19th May 2020
====================
Sorry for not updating this post sooner.

As scheduled both Adobe and Microsoft released their monthly security updates addressing 36 vulnerabilities and 111 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as follows:

Adobe Acrobat and Reader: 24x Priority 2 CVEs resolved (12x Critical and 12x Important severity)

Adobe DNG Software Development Kit (SDK): 12x Priority 3 CVEs resolved (4x Critical and 8x Important severity)

If you use the above Adobe products, please install these updates as soon as possible since both resolve multiple critical vulnerabilities. Similar to January, March and April, no updates for Adobe Flash were released.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows Graphics Component: CVE-2020-1135

Visual Studio Code Python Extension: CVE-2020-1058, CVE-2020-1060, CVE-2020-1171, CVE-2020-1192

Microsoft Internet Explorer: CVE-2020-1062

VBScript Remote Code Execution Vulnerability: CVE-2020-1035

Microsoft Edge: CVE-2020-1056, CVE-2020-1059, CVE-2020-1096

Microsoft SharePoint: CVE-2020-1023, CVE-2020-1024, CVE-2020-1102

Windows kernel: CVE-2020-1054, CVE-2020-1143

Windows Media Foundation: CVE-2020-1126

Microsoft Color Management: CVE-2020-1117

Windows Print Spooler: CVE-2020-1048

Microsoft Windows Transport Layer Security Denial of Service Vulnerability: CVE-2020-1118

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May, Mozilla released Firefox 76 and Firefox ESR (Extended Support Release) 68.8 to resolve the following vulnerabilities:

Firefox 76.0: Addresses 3x critical severity CVEs, 2x high severity CVEs, 4x moderate CVEs and 1x low CVE

Firefox 68.8 ESR: Addresses 3x critical severity CVEs, 2x high severity CVEs and 2x moderate severity CVEs

Firefox 76 introduces a new password manager (with the ability to generate difficult to guess passwords) which can detect if a password was part of a password breach and now requires changing, or if the same password is in use on multiple websites.

An improved picture in picture experience is also included. Firefox 76.0.1 has since been released resolving non-security issues such as crashing add-ons e.g. the Amazon Assistant extension and crashing with Nvidia GPU drivers on Windows 7 32 bit (my thanks to Bogdan Popa of Softpedia.com and Mozilla for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 81.0.4044.138 for Linux, Mac and Windows to resolve 3 security vulnerabilities with the most severe 2 issues being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
VMware
====================
VMware have a single security advisory so far this month for the following product:

====================
Advisory 1: Severity: Critical
vRealize Operations Application Remote Collector (ARC)
====================
If you use the above VMware product, please review the above advisory and install the applicable security updates as soon as possible.

April 2020 Update Summary

=======================
Update: 27th April 2020
=======================
Late last week, Microsoft issued a security advisory for Microsoft Office 2019, 365 ProPlus and Paint 3D (available within Windows 10).

These correct 4 remote code execution (an attacker can carry out any action of their choice on a compromised system) and 2 denial of service (in this instance the affected application will become unresponsive) vulnerabilities. These vulnerabilities also affect the following Autodesk products:

FBX-SDK
Maya
Motion Builder
Mudbox
3ds Max
Fusion
Revit
Flame
Infraworks
Navisworks
Autodesk AutoCAD

Please make certain your versions of the affected Autodesk products, Office 2019 or 365 ProPlus and Paint3D are up to date. The steps detailed in this linked to BleepingComputer article will guide you through doing so. The Paint3D app should have already installed the update automatically. However you can manually check for updates with these steps.

The necessary details to update the affected Autodesk products are available in the above linked to Autodesk security advisory. Details for verifying if Paint3D and Microsoft Office have been updated are provided in Microsoft’s advisory. Please see the questions titled: “I am running Office 2019 or Office 365 ProPlus. How do I tell if the security update for this vulnerability is included in my version of Office?” and “I have Paint 3D or 3D Viewer installed. How do I know if I have the security update installed?” Further details of the potential impact of these vulnerabilities as well as a recommended mitigation step are provided in this Sophos blog post.

Thank you.

=======================
Update: 15th April 2020
=======================
Yesterday Microsoft released their scheduled updates to resolve 113 CVEs (defined). Similarly, Adobe released 3 security bulletins.

Microsoft’s monthly summary lists Known Issues for 43 Microsoft products but all have workarounds or resolution steps listed.

To begin with, let’s look at Adobe’s updates:
Adobe After Effects: 1x Priority 3 CVE resolved (1x Important severity)
Adobe ColdFusion: 3x Priority 2 CVEs resolved (3x Important severity)
Adobe Digital Editions: 1x Priority 3 CVE resolved (1x Important severity)

Adobe later issued further updates:
Adobe Bridge: 17x Priority 3 CVEs resolved (14x Critical severity, 3x Important severity)
Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Bridge and Illustrator).

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Following disclosure last month, the Adobe Type Manager (ATM) vulnerabilities have been patched in addition to the following zero day vulnerabilities and a further publicly disclosed vulnerability:

Zero Days (defined):
Microsoft Adobe Type Manager: CVE-2020-0938 and CVE-2020-1020
Microsoft Scripting Engine: CVE-2020-0968
Windows Kernel: CVE-2020-1027

Publicly disclosed:
Microsoft OneDrive: CVE-2020-0935

====================
Microsoft Scripting Engine: CVE-2020-0970
Microsoft Chakra Scripting Engine: CVE-2020-0969
Microsoft Graphics: CVE-2020-0687
Microsoft Graphics Components: CVE-2020-0907
Windows DNS: CVE-2020-0993
Windows Hyper-V: CVE-2020-0910
Windows Codecs: CVE-2020-0965
Windows Media Foundation: CVE-2020-0948, CVE-2020-0949, CVE-2020-0950
Microsoft SharePoint: CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974
Microsoft Office SharePoint XSS: CVE-2020-0927
Microsoft Dynamics: CVE-2020-1022

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, please stay safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
On the 7th of April, Mozilla released Firefox 75 and Firefox ESR (Extended Support Release) 68.7 to resolve the following vulnerabilities:

Firefox 75.0: Addresses 3x high severity CVEs, 3x moderate severity CVEs

Firefox 68.7 ESR: Addresses 4x high severity CVEs (1 of which only affects Firefox for Android) and 1x moderate severity CVE

Firefox 75 and the previous 74.0.1 reverse the removal of support for TLS 1.0 and TLS 1.1 due to the current COVID-19 situation. It offers improved performance when installed on systems powered by Intel GPUs (defined), is available in the Flatpak distribution format for Linux and offers improved performance by “locally cach[ing] all trusted Web PKI Certificate Authority certificates that Mozilla knows, improving security and HTTPS compatibility with misconfigured web servers as a direct result”. Moreover, an improved address bar is now present in Firefox 75. Its improvements are detailed in Firefox’s release notes. Please also be aware of the new telemetry Mozilla has begun to collect with Firefox 75; you may or may not wish to turn this off.

Firefox 74.0.1 and Firefox ESR 68.6.1 were released on the 3rd of April to resolve the following zero day (defined) vulnerabilities actively being exploited in targeted attacks:

Firefox 74.0.1 and Firefox 68.6.1 ESR: Addresses 2x critical severity CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:

VMware vCenter Server
VMware vRealize Log Insight
VMware ESXi 6.5 up to and including 7.0

====================
Advisory 1: Severity: Critical:
VMware vCenter Server

Advisory 2: Severity: Important
VMware vRealize Log Insight

Advisory 3: Severity: Important:
VMware ESXi 6.5 up to and including 7.0
====================

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.

=======================
Oracle:
=======================
Oracle issued updates to resolve 405 vulnerabilities this month. Further details and installation steps are available here. 15 vulnerabilities affect the Java runtime, all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

Separately, Oracle has issued a notice that attacks are being detected attempting to exploit a patched vulnerability (CVE-2020-2883) in Oracle WebLogic Server. They strongly suggest installing this month’s update for that product to protect against these attacks.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

====================
OpenSSL
====================
On the 21st April the OpenSSL Foundation issued OpenSSL 1.1.1g which includes a high severity security fix.

FTP mirrors to obtain the necessary downloads are available from here. Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
WinSCP:
=======================
In early April WinSCP version 5.17.3 was made available upgrading its version of OpenSSL to 1.1.1f (from the previous version of 1.1.1d). This update resolves 1x Low severity vulnerability.

On the 24th of April, WinSCP was upgraded to version 5.17.4 which also upgrades its version of OpenSSL to version 1.1.1g resolving a high severity vulnerability. Please install this update if you use WinSCP.

====================
VideoLAN VLC
====================
On the 28th of April, VideoLAN released version 3.0.10 resolving multiple security issues (version 3.2.12 for Android and version 3.2.7 for iOS were also released) assigned to 7 CVEs (various DoS (Denial of Service) issues in the microDNS service discovery). 1 CVE has been rated as critical with the other 6 being of high severity. The most recent versions can be downloaded from:

http://www.videolan.org/vlc/

Thank you and please stay safe.

Zoom Begins to Address Security Concerns

====================
TL;DR
====================
Zoom have now published a best practice guide for securing virtual classrooms (most of which apply to standard meetings too).

I hope the above-mentioned best practice guide is useful for securing the next Zoom meeting you organise. You may also wish to view my previous post with further guidance.
====================
I hope everyone is doing well.

While these best practices have been made available, I realise some may question how much at risk their Zoom meetings/links really are. Krebs on Security recently wrote about why corporate meetings should be secured by a password.

Zoom is also pledging to improve the security and privacy of their platform. To do this they have sought outside help from a panel of CISOs from companies such as Netflix, VMware, HSBC and others. An external advisor Alex Stamos, former Chief Security Officer of Facebook and Adjunct Professor at Stanford’s Freeman-Spogli Institute, has also been requested to undertake a security review of Zoom’s platform. These form just some aspects of their 90 day plan (detailed here) which seeks to “dedicat[e] the resources needed to better identify, address, and fix issues proactively”.

While adding a password to a meeting is still optional, the waiting room feature from the 31st March is now mandatory for new meetings.

The above measures are welcome, but users need to be more security aware if they intend to share Zoom meeting links publicly (or there exists a strong possibility the link could be shared by others).

Thank you and please stay safe.

Better Securing Your Zoom Meetings (and other advice)

With many of us attending virtual meetings both inside and outside of work, I wanted to share the following best practice article with you.

Attackers are taking advantage of the Zoom platform. Here is how you can better secure the next Zoom meeting you organise or better inform a person you know who does organise them:

https://www.bleepingcomputer.com/news/software/how-to-secure-your-zoom-meetings-from-zoom-bombing-attacks/

=====================
Many thanks to Lawrence Abrams of Bleepingcomputer for this.
=====================

Please also be aware of the following un-patched vulnerability in Zoom (mitigations are discussed and provided in the link below):

https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-via-unc-links/

Other privacy limitations of Zoom are the following (with one being partially mitigated):
Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing (partially mitigated)

Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

The above guide can be used to supplement Zoom’s own best practice guide.

Thank you and please stay safe both outside and in cyberspace.

Highlights from Pwn2Own 2020

====================
TL;DR:

The following products were successfully exploited, please install the necessary updates for them when they become available: Apple Safari, Apple macOS, Ubuntu Desktop, Windows, Oracle VirtualBox and Adobe Reader
====================
As long-time readers of this blog will know, the Pwn2Own security conference with its white hat hacking contest is my favourite event of the year. Sophisticated vulnerability exploitation is showcased, the contestants receive large sums of money and we as consumers receive safer products to use on a day to day basis. It took place late last week virtually due to the Coronavirus. The results from both days of competition can be found here. The total prize was USD $270,000.

The winners of the competition were Richard Zhu and Amat Cama of Team Fluoroacetate winning the Master of Pwn title and USD $90,000 in prize money.

Returning to the trend of previous years, exploits against the Apple macOS kernel (defined) and Windows kernel were common again. These are high severity vulnerabilities but when addressed will make our systems safer.

The vendors have up to 90 days to resolve the vulnerabilities before public disclosure. Please expect and apply the necessary security updates to the affected products as they become available.

Thank you.

Protecting against the Windows Adobe Type Manager (ATM) Zero Day Vulnerabilities

=======================
Update: 15th April 2020
=======================
Microsoft have now issued updates for both of the Adobe Type Manager vulnerabilities. These updates apply to Windows 10, Windows 8.1 and Windows 7 (and their Windows Server equivalents):

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0938

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020

Please install these updates when you can. Thank you.

=====================
TL;DR
A patch for these vulnerabilities is expected at the next scheduled collection of updates to be released on the 14th of April. Until then be aware of attempts to have you open unexpected or suspicious files via clicking links on websites/within emails or opening email attachments. If you are using any version of Windows earlier than Server 2016, 2019 or Windows 10 (Version 1703 or earlier), evaluate if you wish to enable the workarounds until a patch is released. This vulnerability is of critical severity for Windows 8.1 and Windows 7, please be certain your staff are security aware not to open unknown or suspicious attachments/files.

A micro-patch is now available for Windows 7 and Windows 8.1 (including their Windows Server equivalents):

https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html
=====================

=====================
Update: 30th March 2020
=====================
0Patch have released a micro-patch for these vulnerabilities that is free of charge during these uncertain times (some micro-patches are usually paid for services from 0Patch).

The patch works by blocking Windows from using the common code path used by Windows Explorer, Font Viewer, and applications using Windows-integrated font support to display Adobe Type 1 PostScript fonts. The micro-patch does not protect against local attacks but does block the more important remote attack vector.

The micro-patch is available for Windows versions including Windows 7 and Windows Server 2008 R2 with ESU, Windows 8.1 and Windows Server 2012, both 32-bit and 64-bit:

https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html

A YouTube video of the micro-patch in action is available from the following link:

https://youtu.be/VmL-C7Tqpac

Thank you.

=====================
Update: 28th March 2020
=====================
As detailed in Microsoft’s security advisory, these zero day (defined) vulnerabilities are of critical severity for Windows 8.1 and Windows 7. Please make certain your staff/users are security aware and strongly advise them not to open unknown or suspicious attachments/files. This is particularly severe when staff/users are likely working from home at this time and the security of systems they are using may not benefit from the firewalls/IPS and proxy servers of their primary work location. Staff/users may even be using their personal laptop/desktops to access corporate data during the current COVID-19 lockdown period.

If possible, please evaluate and implement the appropriate workarounds in Microsoft’s security advisory (which mitigate the vulnerabilities but have the least impact on your day to day work/activities) while the appropriate updates are not yet available.

Thank you.

=====================
Original Post:
=====================
I hope everyone is staying safe under the current circumstances.

Yesterday Microsoft published a security advisory describing the use of vulnerabilities within the Windows Adobe Type Manager (ATM) library by attackers to run unauthorised code on victim systems.

Why should these vulnerabilities be considered important?
If an attacker can persuade you to open a document (one you may have been expecting, but the email it came in doesn’t look or sound quite right) or to click a potentially useful link, they may be successful in remotely running code of their choice on your system.

According to Kaspersky a more likely scenario would be “attackers also can exploit this vulnerability through an extension to the HTTP called Web Distributed Authoring and Versioning (WebDAV), which allows users to collaborate on a document. Microsoft suggests disabling the WebClient service, which allows you to use this feature”

https://www.kaspersky.com/blog/windows-adobe-type-manager-vulnerability/34395/

For the attack to be successful you must be using a version of Windows older than Windows Server 2016 (Version 1703 or earlier), 2019 or Windows 10 (Version 1703 or earlier). If your version of Windows is newer, as per Microsoft’s analysis: “The possibility of remote code execution is negligible and elevation of privilege is not possible”.

How can I protect my organisation or myself from these vulnerabilities?
Until an update is made available, be aware and don’t open email attachments that look suspicious or click on links (from emails, while web browsing or via instant message clients) that you weren’t expecting or are suspicious.

If you are using an older version of Windows, consider implementing the workarounds provided by Microsoft in their advisory but please be aware of their potential impact to routine functionality before more widely enabling such workarounds:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

Thank you and stay safe everyone both inside and outside of cyberspace.

March 2020 Update Summary

====================
Update: 28th March 2020
====================
I have added the details of the security updates released by Apple on the 24th March near the end of this post. Thank you.

====================
Update: 25th March 2020
====================
Adobe has released a further update for Creative Cloud Desktop. I have added the details below to the Adobe updates list.

VMware have also released VMware Fusion 11.5.3 to more completely address a previously patched vulnerability. Details are below in the VMware updates list.

Thank you.

====================
Update: 23rd March 2020
====================

Since originally writing this post, Adobe published their security updates a week later than usual. Further details are listed below.

Thank you.

====================
Adobe
====================
Adobe Acrobat and Reader: 13x Priority 2 CVEs (defined) resolved (9x Critical and 4x Important severity)
Adobe Bridge: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe ColdFusion: 2x Priority 2 CVEs resolved (2x Critical severity)
Adobe Creative Cloud Desktop: 1x Priority 2 CVE resolved (1x Critical severity)
Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Genuine Integrity Service: 1x Priority 3 CVE resolved (1x Important severity)
Adobe Photoshop: 21x Priority 3 CVEs resolved (15x Critical and 6x Important severity)

====================
Update: 15th March 2020:
====================
Security researcher Kevin Beaumont has provided further details of the critical SMBv3.1 vulnerability affecting Windows 10 Version 1903 and 1909. In summary, the vulnerability is not trivial to exploit and the number of systems at the time of writing (13th March) vulnerable to the exploit had already dropped by 25%.

====================
Update: 12th March 2020:
====================
Microsoft have released an update to resolve the SMBv3 vulnerability, now designated CVE-2020-0796 (EternalDarkness or SMBGhost). Please apply it to any Windows 10 Server or Windows 10 workstation system running Windows 10 Version 1903 or 1909 as soon as possible. Please also make certain that such systems are not exposing port 445 to the internet (please see the FAQ in their information on the relevant update).

An internet scan by security researchers estimates that there are 48,000 vulnerable Windows 10 systems. The ollypwn scan (created by a Danish security researcher) can be used to check if a system is vulnerable.

I wish to add the following useful clarification (which was written before the Microsoft security update became available) from Richard Melick, senior technical product manager at Automox in relation to this SMBv3 vulnerability:

“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities. But that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch…it’s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today”.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Update: 11th March 2020
====================
As expected, yesterday Microsoft released their scheduled updates to resolve 115 CVEs (defined). Unusually for this month, Adobe has not released any updates.

Microsoft’s monthly summary lists Known Issues for 14 Microsoft products but all have workarounds or resolution steps listed just as the previous month’s did.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
For Windows or Windows Server (Version 1903 and 1909) systems that use SMBv3, please follow Microsoft’s guidance in the following security advisory while an update is not yet available. Please apply the update as soon as it is made available:

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

Please also make certain that TCP port 445 is blocked at the enterprise perimeter firewall to prevent exploitation.

This vulnerability is “wormable”, meaning that, similar to the WannaCry malware and the BlueKeep vulnerability, if exploited it may lead to a very large malware outbreak in a very short time.

====================

Windows LNK: CVE-2020-0684
Windows Media Foundation: CVE-2020-0801, CVE-2020-0807, CVE-2020-0809, CVE-2020-0869
Microsoft Internet Explorer: CVE-2020-0824
Microsoft Browsers: CVE-2020-0768

Microsoft Scripting Engine: CVE-2020-0830, CVE-2020-0847, CVE-2020-0833, CVE-2020-0832, CVE-2020-0829, CVE-2020-0813, CVE-2020-0826, CVE-2020-0827, CVE-2020-0825, CVE-2020-0831, CVE-2020-0811, CVE-2020-0828, CVE-2020-0848, CVE-2020-0823, CVE-2020-0812

Microsoft GDI+: CVE-2020-0881, CVE-2020-0883
Microsoft Word: CVE-2020-0852
Microsoft Dynamics: CVE-2020-0905
Microsoft Edge: CVE-2020-0816

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Netgear
====================
On the 3rd of March, Netgear released 25 security advisories for its modem-router gateways, approximately 40 routers and a range extender. The vulnerabilities range up to critical in severity.

If you own a Netgear router, range extender or modem-router gateway, please use the guidance within this article (many thanks to Tom’s Guide for this advice and the appropriate how to check for updates steps) to locate your Netgear device model e.g. R6400 and to match it against the available security bulletins to check if your device requires a firmware (defined) update sometimes called a software update. Please install the update if one is available. The above linked to article also describes the varied methods to update your Netgear device.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel Smart Sound Technology Advisory
BlueZ Advisory
Intel NUC Firmware Advisory

Medium
Intel MAX 10 FPGA Advisory
Intel Processors Load Value Injection Advisory
Snoop Assisted L1D Sampling Advisory
Intel Optane DC Persistent Memory Module Management Software Advisory
Intel FPGA Programmable Acceleration Card N3000 Advisory
Intel Graphics Drivers Advisory

====================
Mozilla Firefox
====================
Yesterday, Mozilla released Firefox 74 and Firefox ESR (Extended Support Release) 68.6 to resolve the following vulnerabilities:

Firefox 74.0: Addresses 6x high severity CVEs, 6x medium severity CVEs and 1x low CVE

Firefox 68.6 ESR: Addresses 5x high severity CVEs and 3x medium severity CVEs

Firefox 74 also removes support for TLS 1.0 (what is TLS, defined) and 1.1 as per Mozilla’s previous timeline, adds a Facebook Container add-in to limit how much the social network tracks you across other sites and blocks the ability for other applications to install Firefox add-ons without your knowledge or consent. Further details of these features and other features added can be found within this article (my thanks to Lawrence Abrams of Bleepingcomputer.com for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 80.0.3987.132 for Linux, Mac and Windows to resolve 4 security vulnerabilities with the most severe being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Apple Security Updates:
=======================
On the 24th of March Apple made available the following updates. Notable fixes affect the kernels of macOS, iOS and iPadOS, WebKit (the renderer of Safari), Bluetooth and Safari.

These updates bring Safari to version 13.1 and add updates to its Intelligent Tracking Prevention (ITP) privacy feature while also introducing a block on all 3rd party cookies (defined) by default.

Further details for these updates are as follows:
Apple iOS v13.4 and iPadOS 13.4 (resolves 35x CVEs (defined))
Apple tvOS 13.4: Resolves 20x CVEs.
Apple watchOS 6.2: Resolves 17x CVEs
Apple watchOS 5.3.6 (no CVEs resolved)
Apple iTunes version 12.10.5 for Windows: Resolves 13x CVEs
macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra: Resolves 27x CVEs.
Safari 13.1: Resolves 11 CVEs
Apple iCloud for Windows 10.9.3: Resolves 13 CVEs
Apple iCloud for Windows 7.18: Resolves 13 CVEs
Xcode 11.4: Resolves 1 CVE (?: Apple’s post provides little details)

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always, further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
OpenSSL
====================
On the 17th March the OpenSSL Foundation issued OpenSSL 1.1.1e (download/installation links included) which includes a low severity security fix.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

====================
VMware
====================
VMware have so far released 2 security advisories this month to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
====================
Advisory 2: Severity: Important:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac
VMware Horizon Client for Windows
====================

Advisory 2 (above) has been updated by VMware to state VMware Fusion has been updated to version 11.5.3 to more comprehensively resolve the vulnerability designated CVE-2020-3950. Please make certain if you use VMware Fusion that it is the latest version available.

If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.