Tag Archives: Corporate Security

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS):  CVE-2019-1181 CVE-2019-1182  CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144  CVE-2019-1152  CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

Mitigating the Intel SWAPGS Vulnerability

====================
TL DR
This is medium severity information disclosure vulnerability. An attacker must already have compromised a system to exploit it. Patches from Red Hat, Google and Microsoft are available. Apple hardware does not appear to be affected.
====================

If we look back 2 weeks we saw the disclosure of a vulnerability relating to VideoLAN VLC being performed incorrectly. This week there is an example of how responsible disclosure should be carried out and demonstrates it can work very well.

Red Hat Linux, Google and Microsoft have all issued patches for a newly discovered variant of the original Spectre v1 vulnerability (initially disclosed in January 2018).

The performance impact of the updates is described in the Red Hat advisory in more detail:

====================
The fix for this CVE has shown to cause a minimal performance impact. The impact will be felt more in applications with high rates of user-kernel-user space transitions. For example, in system calls, NMIs, and kernel interrupts.

Early benchmarks for this mitigation show approximately 1% performance penalty:

https://www.phoronix.com/scan.php?page=article&item=swapgs-spectre-impact&num=1
====================

How does this vulnerability work?
When building a memory address to access computer make use of segment registers (CS, DS, SS, ES, FS, GS). The FS and GS registers are used when the CPU (defined) is in 64-bit mode. The SWAPGS instruction is used on 64-bit entry into kernel code to swap the current user space value of GS with the value intended to be used during kernel operations. GS is used to access kernel data, but it does not validate the values it uses. There are checks during instruction execution to check if a swap to kernel mode is necessary. It is possible for the speculative execution process (attempting to look ahead to improve performance) to mis-judge if a swap is necessary  resulting in a small window of time where the wrong GS is used for memory access leading to disclosure of privileged information.

How can I protect my organisation and myself from this vulnerability?
Earlier this week Red Hat and Google released updates to resolve this vulnerability. Microsoft issued their update silently on 9th July:

Red Hat Linux
https://access.redhat.com/articles/4329821

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=18ec54fdd6d18d92025af097cd042a75cf0ea24c

Google Chrome OS
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1739575

Microsoft Windows
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125

Thank you.

IBM Creates “Warshipping” Proof of Concept Device

Earlier this year I detailed a new method for an attacker to compromise an organisation by means of a modified smartphone charging cable. Today we see another method to compromise an organisation using an even more common means; the postal mail.

Why should this attack method be considered important?
Virtually every organisation receives postal mail with packages being commonplace. An attacker could send an anonymous package with one of the devices the IBM X-Force team created. The device was a small motherboard (defined) with 3G, WiFi and GPS built-in. It can be activated remotely over the internet and report its position via GPS and then instructed to scan for vulnerable network devices to attack.

It’s used to obtain the credentials of a corporate WiFi network. Once complete the device seeks to pivot using other vulnerable devices on the network to eventually compromise the network (also achieving persistence) and exfiltrate data or any other action of the attacker’s choice.

An attacker no longer needs to scout premises before trying to infiltrate it. They can just send a parcel to do it for them.

How can I protect my organisation or myself from this?
For an organisation; you can prohibit employees from having personal packages shipped to their office. A much more rigorous and expensive option which is unlikely to be favoured would be to scan all deliveries with an RF scanner.

Other suggestions to counter this device are detailed in IBM’s blog post.

Thank you.

Wind River Resolves Critical Infrastructure Vulnerabilities

Last week the real-time embedded systems vendor Wind River Systems released security updates for a large number of critical infrastructure systems.

====================
TL DR:
If any of your enterprise clients use within their network perimeter: modems, routers, firewalls, printers, industrial control or medical monitoring devices; check if any of those devices use Wind River’s VxWorks software based on their TP/IP stack (IPnet). If so, review the FAQs and security advisory linked to below to install the necessary updates.
====================

Why should these vulnerabilities be considered important?
The sheer number of affected devices is thought to be very large due to the prevalence of devices running the vulnerable VxWorks software. I realize the list of devices above is very generic but the FAQs and security advisory are not vendor or model specific. This means you may have some of these devices and not even realize it. Verifying if they are using VxWorks and what version will be a priority.

Since medical monitoring and industrial control devices are included in this advisory; if these vulnerabilities are exploited there is the potential for a threat to human life. E.g. if incorrect results are displayed on a medical device, too much medication is administered, or if temperatures exceed safe levels in an industrial control system.

Due to the nature of four of the vulnerabilities; a border firewall will not always be enough to prevent an attacker exploiting. Broadcast packets could be sent to every device in the network, compromising them all at once.

How can I protect my organization from these vulnerabilities?
Review the FAQs and the security advisory and take the necessary steps to install the relevant patches. If your organisation is affected; first apply the necessary mitigations to any vulnerable device you initially discover while you assess the remaining number of impacted devices and develop a plan/schedule to approach the installation of the patches:

Mitigations listed on Page 3 (onwards) of this security advisory:
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/

FAQs:
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/ipnet-faq/

From my understanding of the information provided by Wind River they are directly contacting their affected clients and may offer paid for assistance to resolve these vulnerabilities for out of support devices. However, there is a possibility they may inadvertently miss an affected organisation. Please contact Wind River if in doubt:

support@windriver.com

Thank you.

====================
References:
Wind River’s Blog Post:
https://blogs.windriver.com/wind_river_blog/2019/07/urgent-11-further-boosts-vxworks-security.html

Kaspersky ThreatPost article:
https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/
====================

July 2019 Update Summary

As predicted; earlier today Adobe and Microsoft made available their usual monthly security updates addressing 5 and 77 vulnerabilities (respectively) more formally known as CVEs (defined):

====================
Adobe Bridge CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Dreamweaver: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Experience Manager: 3x Priority 2 vulnerabilities : 2x Important, 1x Moderate severity resolved

If you use any of these Adobe products, please apply the necessary updates as soon as possible.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Just like last month; Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Servicing stack update for Windows Server 2008 SP2

4507434                Internet Explorer 11

4507435                Windows 10, version 1803

4507448                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4507449                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4507450                Windows 10, version 1703

4507453                Windows 10, version 1903, Windows Server version 1903

4507455                Windows 10, version 1709

4507457                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4507458                Windows 10

4507460                Windows 10 1607 and Windows Server 2016

4507462                Windows Server 2012 (Monthly Rollup)

4507464                Windows Server 2012 (Security-only update)

4507469                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Zero-day (defined) vulnerabilities:
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability

CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability

====================
Critical
====================
CVE-2019-0785  Windows DHCP Server Remote Code Execution Vulnerability

CVE-2019-1072  Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

CVE-2019-1056  Scripting Engine

CVE-2019-1106  Scripting Engine

CVE-2019-1092  Scripting Engine

CVE-2019-1103  Scripting Engine

CVE-2019-1107  Scripting Engine

CVE-2019-1062  Scripting Engine

CVE-2019-1004  Scripting Engine

CVE-2019-1001  Scripting Engine

CVE-2019-1063  Internet Explorer Memory Corruption Vulnerability

CVE-2019-1104  Microsoft Browser Memory Corruption Vulnerability

CVE-2019-1102  GDI+ Remote Code Execution Vulnerability

CVE-2019-1113  .NET Framework Remote Code Execution Vulnerability

Servicing Stack Update

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
Today, Mozilla released Firefox 68.0 to address the following vulnerabilities and to introduce new features:

Firefox 68.0: Resolves 2x critical CVEs (defined), 3x high CVEs, 10x moderate and 4x low CVEs

Firefox 60.8 ESR (Extended Support Release): Resolves 1x critical CVE, 4x high CVEs and 5x moderate CVEs

Firefox now also includes cryptomining protection and fingerprinting protections and improved add-on security (my thanks to Softpedia for this information, more details on other security features are here).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware ESXi
=======================
Earlier today VMware made available an update for ESXi version 6.5. Version 6.0 is unaffected and a patch for 6.7 is pending. This update resolves a denial of service vulnerability.

If you use VMware ESXi, please update when you can.

Thank you.

May 2019 Update Summary

====================
Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks; updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.
====================

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs (defined) with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4493730   Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440   Windows 10, version 1607, Windows Server 2016

4494441   Windows 10, version 1809, Windows Server 2019

4497936   Windows 10, version 1903

4498206   Internet Explorer Cumulative Update

4499151   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154   Windows 10

4499158   Windows Server 2012 (Security-only update)

4499164   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165   Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167   Windows 10, version 1803

4499171   Windows Server 2012 (Monthly Rollup)

4499179   Windows 10, version 1709

4499180   Windows Server 2008 Service Pack 2 (Security-only update)

4499181  Windows 10, version 1703

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924 ,  CVE-2019-0927 , CVE-2019-0922 , CVE-2019-0884 , CVE-2019-0925 , CVE-2019-0937 , CVE-2019-0918 , CVE-2019-0913 , CVE-2019-0912 , CVE-2019-0911 , CVE-2019-0914 , CVE-2019-0915 , CVE-2019-0916 , CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
3 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 7.7 have been resolved within Nvidia’s graphics card drivers (defined) in May. These vulnerabilities affect Windows only. All 3 are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
VMware
=======================
VMWare has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability (defined)

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates as they become available for your systems as they become available in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.

Adobe Flash Player 2019 Update Tracker

In a similar manner to previous years this post will track the number of vulnerabilities patched within Adobe Flash for 2019. This will be the penultimate year of tracking these numbers since Flash Player is due to be decommissioned in 2020.

As always this post will be updated throughout the year with the details of vulnerabilities being patched and if they are being exploited in the wild. Apologies for not making this 2019 tracker available sooner.

Thank you.

=======================

=======================
8th  January 2019: Adobe releases Flash Player v32.0.0.114 This update is a non-security update addressing only feature and performance bugs.

12th February: Adobe releases Flash Player v32.0.0.142 resolving 1x priority 2 CVE.

12th March: Adobe have not released any Flash Player updates this month.

12th March 2019: Adobe makes available Flash Player v32.0.0.156 to resolve non-security bugs only.

9th April 2019: Adobe releases Flash Player v32.0.0.171  resolving 2x priority 2 vulnerabilities (CVEs) (1x Critical and 1x Important severity).

14th May 2019: Adobe releases  Flash Player v32.0.0.192 to resolve a single critical CVE.

11th June 2019: Adobe releases Flash Player v32.0.0.207 just like last month to resolve a single critical CVE.

9th July 2019: Adobe has not released any Flash Player updates this month.

13th August 2019: Just like last month; Adobe has not released any Flash Player updates this month.

10th September 2019: Adobe has released Flash Player v32.0.0.255 to resolve 2x critical vulnerabilities.

=======================
Update: 19th February 2019: The timeline was created to include the Adobe Flash Player updates for January and February 2019. At the time of writing no exploits for the issue fixed by the February update are known to be taking place.

Update 12th March 2019: The timeline was updated to reflect that Adobe did not issue Flash Player updates this month.

Update: 21st March 2019: The timeline was updated to reflect that Adobe did publish a Flash Player update for March 2019 but it is a non-security update.

Update: 10th April 2019: The timeline was updated to include the Adobe Flash Player updates for April 2019. At the time of writing no exploits for the issues resolved fixed by the April update are known to be taking place.

Update: 12th June 2019: The timeline was updated to include the Adobe Flash Player updates for May and June 2019. At this time no exploits for the issues resolved in either month are known to be currently taking place.

Update: 9th July 2019: The timeline was updated to state Adobe did not release Flash Player update for July 2019.

Update: 13th August 2019: The timeline was updated to state Adobe did not release Flash Player update for August 2019.

Update: 10th September 2019: The timeline was updated to add a Flash Player update for September 2019. At the time of writing, the two vulnerabilities it resolves are not known to being exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives).
=======================