As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.
Adobe resolved 25 CVEs this month with Microsoft separately patching 36 CVEs (defined).
Adobe Brackets (an open source application development editor focused on web development; open source means the source code (human readable code) is free to view and edit by the wider IT community): 1x Priority 3 CVE resolved (1x Critical severity)
Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)
If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
Within Microsoft’s monthly summary, there are Known Issues for 17 Microsoft products, but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468
Microsoft Windows Kernel (defined): CVE-2019-1458
Windows Hyper-V: CVE-2019-1471
Microsoft Visual Studio: CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387
Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs (defined) and used for Windows Hello for Business: Security Advisory
Please install the remaining less severe updates at your earliest convenience.
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have provided further details of updates available for other commonly used applications below.
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:
Firefox 71.0: Resolves 6x high severity CVEs (defined) and 5x moderate CVEs
Firefox ESR 68.3 (Extended Support Release): Resolves 4x high severity CVEs and 4x moderate CVEs
Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.
The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves 5 vulnerabilities.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
In early December AMD issued a security advisory for its GPU and APU (defined) drivers (defined). It resolves 2 vulnerabilities: CVE-2019-5049 and CVE-2019-5098. The steps to install the drivers on Windows are located here with a guide for Linux available here. Please make certain the drivers are version 20.1.1 or later (as per multiple recommendations from Talos: 1, 2 and 3). As per those same recommendations, if you use VMware Player or Workstation Pro, please make certain it is version 15.5.1 or later. If you use the affected AMD graphics cards, please consider updating your drivers to the most recent available.
In late December Nvidia released a security update for Nvidia GeForce Experience to resolve a vulnerability that may lead to a denial of service (defined) issue or an escalation of privilege (defined) issue. This is a local vulnerability rather than a remote one, meaning that an attacker would first need to compromise your system before exploiting it to elevate their privileges. To resolve this vulnerability, apply the necessary update by opening GeForce Experience, which will automatically update itself, or obtain the update from here.
Intel Security Advisories
Intel have released a series of security advisories this month. The high priority advisories are the following:
Linux Administrative Tools for Intel Network Adapters Advisory
Intel NUC Firmware Advisory
The remaining advisories are of medium and low priority:
Intel Quartus Prime Pro Edition Advisory
Intel RST Advisory (see also my separate post on this vulnerability)
Control Center-I Advisory
Intel SCS Platform Discovery Utility Advisory
Unexpected Page Fault in Virtualized Environment Advisory
Intel FPGA SDK for OpenCL Advisory
Intel Ethernet I218 Adapter Driver for Windows Advisory
Intel Dynamic Platform and Thermal Framework Advisory
Similar to last month, VMware released 2 further security advisories; the first is of critical severity and the second is of moderate severity. They relate to the following products:
Critical Severity Advisory:
VMware Horizon DaaS appliances
Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent
If you use the above VMware products, please review the advisories and apply the necessary updates.
On the 6th December, the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.
FTP mirrors to obtain the necessary downloads are available from here.
Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
Apple Security Updates
Throughout December Apple has released security updates for the following products:
Apple iOS v12.4.4 and 13.3 / iPad OS 13.3: Resolves 1 CVE (defined) and 14 CVEs (respectively)
Apple Safari 13.0.4: Resolves 2 CVEs
Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs
Apple tvOS 13.3: Resolves 11 CVEs
Apple watchOS 5.3.4 and 6.1.1: Resolves 1 CVE and 10 CVEs (respectively)
Apple Xcode 11.3: Resolves 1 CVE
Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs
Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs
Apple iCloud for Windows 10.9: Resolves 4 CVEs
Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.
As always, further details of these updates are available on Apple’s dedicated security updates page.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).
In early December the following Wireshark updates were released:
v3.0.7: 1 security advisory
v2.6.13: 1 security advisory
The above v3.0.7 version was later superseded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.
As per standard process, Linux distributions can obtain this update using the operating system's standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.0.7 or v2.6.13)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.
For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.