Tag Archives: Google

February 2020 Update Summary

Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).

Let’s start with Adobe’s patches first:
====================
Adobe
====================
Adobe Acrobat and Reader: 17x Priority 2 CVEs resolved (12x Critical, 3x Important, 2x Moderate severity)

Adobe Digital Editions:  2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)

Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)

Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
====================

Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767

Internet Explorer: CVE-2020-0674 (this was  the zero day (defined) vulnerability reported last month).

Microsoft Edge Chromium:  ADV200002

Windows Shell (LNK): CVE-2020-0729

Windows Remote Desktop Client: CVE-2020-0681 , CVE-2020-0734

Windows Hyper-V: CVE-2020-0662

Windows Media Foundation: CVE-2020-0738

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Earlier this month Mozilla released Firefox 73 and Firefox ESR  (Extended Support Release) 68.5 to address the following vulnerabilities:

Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs

Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs

Firefox 73 brings the following minor features listed below:

  1. A global zoom level configured from the settings menu
  2. Opt-in notification when the use of virtual reality is being requested
  3. A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.

Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Realtek Audio/Sound Card Drivers
====================
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.

This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.

If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 1.0.0.8856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.

Potential Privacy and Security Issues of Virtual Assistants Highlighted Again

In late October security researchers published details of proof of concepts exploits affecting smart home devices e.g. Amazon Echoes (known as Amazon Alexa) and Google Home. These techniques allow for eavesdropping on conversations and the obtaining of passwords from users.

Why should these proofs of concepts be considered significant?
The proof of concept apps used by the researchers passed both Amazon’s and Google’s app validation processes and were briefly available to the public. Further modifications to the apps did not require a validation by either vendor.

The researchers demonstrated how their app can mislead a user into believing the smart device is no longer listening (and recording) when in fact it is.

Amazon Echo
Eavesdropping
For an Amazon Echo the device was made to keep listening by changing the de-activation intent (a phrase that can have values (words) within it to carry out custom actions. Instead the de-activation routine does not stop the device from recording you. This was done in a way that the owner of the Amazon Echo would not know anything was wrong since they will still hear the device speak “Goodbye” message. This was achieved by adding a Unicode (defined) character sequence (U+D801, dot, space) to the end of the intent sequence. Since these characters cannot be pronounced (and heard) by the device silencing the speaker but keeping the app active in order eavesdrop on a conversation. By adding more characters, the time can easily be extended.

Eavesdropping using the Amazon Echo is demonstrated in the following video from the SRLabs researchers:

https://youtu.be/A3n-0AbXznc

Phishing a Password
To phish a password the researchers simply added an audible message in place of some of the unpronounceable characters to simply ask the user for their password by first telling them a security update for app is available and to supply the password to install the update. The researchers demonstrated the ability to convert the spoken sentence into text and send it to their proof of concept server. This is demonstrated in the following video:

https://youtu.be/Wh2uexUAy7k

====================
Google Home
Eavesdropping
To perform the same actions with Google Home the researchers put the user into a loop and were able to capture recognised speech as text without alerting the user of the Google Home to this being carried out. This time the researchers used multiple “noInputPrompts” with SSML elements or the Unicode characters again to capture whatever is being spoken.

This is demonstrated in the following video:

https://youtu.be/X2gddqD1wUI

Phishing a Password
This was carried out using the same technique as for the Amazon Echo above. This is demonstrated in the following video:

https://youtu.be/HliuWtVW4vY

How can I protect my smart speaker / virtual assistant from these vulnerabilities?
Unfortunately, as the purchaser of these devices there is no action you can carry out to prevent these techniques being used against you. Instead the responsibility lies with Amazon and Google. They need to improve their app validation processes, as per the researcher’s findings:

“To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “U+D801, dot, space. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely.”

My thanks to the SRLabs researchers who explain what needs to be done by the vendors to remediate these issues.

The well-known security researcher Karsten Nohl provides his informed opinion on this issue and how we should treat our usage of these devices.

Proof of concept attacks using laser beams
Smart speakers use specific microphones known as microelectro-mechanical systems (MEMS) microphones to convert the voices they hear into electrical signals they can understand and process. Such microphones however also respond to the application of light to them as proven by academic researchers who user lasers to have the devices call out the time, order a laser pointer online, set the devices volume to zero and open a garage door (or potentially the front door of a house).

What are the limitations of this technique?
The aiming of the laser can be imprecise which limits its distance and may also inadvertently hit other smart speaker devices. The researchers used a telescope, a telephoto lens and a tripod to focus the beam and to provide accurate timing.

Further limitations are detailed in this BleepingComputer article. My thanks to them for this detail and for the descriptions of this technique.

They also detail methods by which the owner of the smart speaker could be alerted to this technique being used to exploit it: “the victim may be alerted by the visibility of the light beam, unless infrared is used – but additional gear is necessary in this case, and the audio response from the target device confirm execution of the command”.

Both Amazon and Google provided statements that they are analysing the results of this research and are working with the researchers to improve security.

Thank you.

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS):  CVE-2019-1181 CVE-2019-1182  CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144  CVE-2019-1152  CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

Blog Post Shout Out March 2019

TL DR: If a device that stores your personal information has reached the end of it’s life, please strongly consider erasing it correctly before recycling or disposing of it.

A security researcher from Rapid7 purchased 85 used pieces of technology to check them for data left behind by their previous owners. 80 of the devices had data still remaining on them.

He was able to uncover the following:

  • 214,019 images, 3,406 documents and 148,903 email messages
  • 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit-card numbers, six driver’s license numbers and two passport numbers.

For these reasons I wanted to provide a respectful shout out to the following blog post by Josh Frantz of Rapid7:

https://blog.rapid7.com/2019/03/19/buy-one-device-get-data-free-private-information-remains-on-donated-devices/

When our devices have reached the end of their useful life we need to become better at removing our data from them. Please find below recommended guides for Apple iPhones, Google Android device and hard disks (both RAID and simple disk set ups). My thanks to Mr. Josh Frantz for collecting these links within his post.

Thank you.

====================
Apple iPhone:
https://support.apple.com/en-us/HT201351

Google Android:
https://www.greenbot.com/article/2451612/how-to-properly-and-securely-erase-your-android-device.html

Hard disks (typically how they are set up):
https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148

Hard disks (when used in a RAID configuration):
https://linhost.info/2010/06/parted-magic-erase-a-hard-drive/
====================

March 2019 Update Summary

====================
Updated: 21st March 2019
====================
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683CVE-2019-0754CVE-2019-0757 and CVE-2019-0809).

Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.

After publishing my original post; Adobe and Microsoft jointly reported that while a newer version (32.0.0.156) of Flash Player was made available it only resolves non-security bugs.

I have updated the suggested installation order (below) to reflect this new information. Thank you.

====================
Original Post:
====================
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.

For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:

Adobe Digital Editions: 1x priority 3 CVE resolved

Adobe Photoshop CC: 1x priority3 CVE resolved

If you use the affected Adobe products; please install their remaining priority 3 updates when you can.

This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:

KB4489878          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

KB4489881          Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB4489882          Windows 10 version 1607, Windows Server 2016

KB4489883          Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB4489884          Windows Server 2012 (Security-only update)

KB4489885          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

KB4489891          Windows Server 2012 (Monthly Rollup)

KB4489899          Windows 10 version 1809, Windows Server 2019

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel: CVE-2019-0797CVE-2019-0808

Windows DHCP Client: CVE-2019-0697 , CVE-2019-0698 , CVE-2019-0726

Microsoft XML: CVE-2019-0756

Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772

Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809

Microsoft Active Directory: CVE-2019-0683

NuGet Package Manager Tampering Vulnerability: CVE-2019-0757

Windows Denial of Service Vulnerability: CVE-2019-0754

Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)

If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005

====================
Please install the remaining updates at your earliest convenience.

As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Google Chrome:
=======================
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Notepad++:
=======================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Mozilla Firefox
=======================
Update: 25th March 2019: As detailed in the Pwn2Own 2019 results post; Mozilla released a further update for Firefox and Firefox ESR bringing their version numbers to 66.0.1 and 60.6.1 respectively. Both updates resolve 2x critical CVEs. Please consider updating to these versions as soon as possible.

=======================
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:

Firefox 66.0: Resolves 5x critical CVEs (defined), 7x high CVEs, 5x moderate CVEs and 4x low CVEs

Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs

Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware:
=======================
VMware issued 2 security advisories during March:
Security Advisory 1: Addresses 2x important severity CVEs in the following products:

VMware Player
VMware Workstation Pro

Security Advisory 2: Addresses 1x moderate severity CVE in the following products:

VMware Horizon

If you use the above VMware products, please review the security advisories and apply the necessary updates.

=======================
Putty:
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.71 in mid-March. It contains 8 security fixes (see below). They are a result of the bug bounties awarded through the EU-Free and Open Source Software Auditing (EU-FOSSA) (discussed previously in this post). Version 0.71 is downloadable from here.

If you use Putty, please update it to version 0.71. Thank you.

Security vulnerabilities fixed:

=======================

=======================
Nvidia Geforce Experience Software:
=======================
In late March , Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 1 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be applied by opening Geforce Experience which will automatically updated it or the update can be obtained from here.

=======================
GOG Galaxy
=======================
Golden Old Games (GOG) has published an update for their popular game distribution platform GOG Galaxy. It resolves 2 critical vulnerabilities. Additionally, 2 high severity and 2x medium severity vulnerabilities were also resolved. These vulnerabilities are discussed in more detail in this Cisco Talos blog post and within this Kaspersky ThreatPost article. Please update GOG Galaxy to version 1.2.54.23 or later to resolve these vulnerabilities.

I don’t often post about vulnerabilities in gaming clients/gaming distribution clients but like any software; security updates can and are made available for them.

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February multiple major DNS (defined) resolvers removed resolver workarounds. The resolvers involved in the initiative include ISC, Cloudflare, Facebook, Cisco, Google (among others).

The workarounds were removed to stop DNS queries not compliant with the following official Requests for Comments (RFC) 1035 and 2671 from being completed(resolved). In more depth; the DNS Flag day page explains these workarounds are being removed due to:

==============
The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.
==============

It appears that DNS amplification and DNS flood attacks are the threats attempting to be mitigated with these changes. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is again targeted by botnets (defined) (e.g. made up of Internet of Things (IoT)(defined) or compromised systems or by other means. Such botnets can make use a command and control (C2) (defined) infrastructure.

Thank you.

December 2018 Update Summary

====================
Update: 3rd January 2019
====================
Apologies for the delay.

Microsoft made available an out of band (un-scheduled) security update available for Internet Explorer on the 19th of December. This vulnerability is being actively exploited; thus if you have not already done, please update your Windows systems. All supported Windows Server and consumer versions of Windows are affected. The full table of affected Windows versions is available here from Microsoft.

For Lenovo laptops running Windows 10 Version 1607 with less than 8 GB of system memory (RAM); Microsoft has provided the following workarounds since this new security update inadvertently causes these systems to be unbootable:

====================
Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Microsoft is working with Lenovo and will provide an update in an upcoming release.
====================

Thank you.

====================
Original Post:
====================
Earlier today Microsoft and Adobe made available monthly updates addressing 39 vulnerabilities and 88 vulnerabilities (more formally known as CVEs (defined)) respectively. As always; more information is available from Microsoft’s monthly summary page and Adobe’s blog post.

While Adobe’s update addresses a large number of vulnerabilities; Microsoft’s released updates are fewer in overall vulnerabilities and should be considered light when compared to some months this year. If you use Adobe Flash Player, if you have not already done so; please ensure it is up to date (version 32.0.0.101). They addressed a zero day (defined) vulnerability with that update earlier this month which was in use by an APT group (defined in this context it is an organised group making use of zero day vulnerabilities).

Unfortunately; Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4471318: Windows 7 SP1 and Windows Server 2008 R2 SP1 : Workaround provided

KB4471321 : Windows 10, Version 1607Windows Server 2016 : resolutions are in progress

KB4471324 Windows 10, Version 1803 : resolution in progress

KB4471327 : Windows 10, Version 1703 : resolution in progress

KB4471329 Windows 10, Version 1709 : resolution in progress

As briefly mentioned above Adobe issued updates for Adobe Acrobat and Reader:

Adobe Acrobat and ReaderPriority 2: Resolves 40x Critical CVEs ands 48x Important CVEs

If you use Adobe Acrobat or Reader, please update it as soon as possible especially given the large number of critical vulnerabilities that were patched.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

CVE-2018-8611 : Windows Kernel (defined) (this vulnerability is already being exploited)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox
=======================
Also earlier today Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 64: Resolves 2x critical CVEs (defined), 5x high CVEs, 3x moderate CVEs and 1x low CVE

Firefox ESR 60.4: Resolves 1x critical CVE, 4x high CVEs and 1x low CVE.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

Update:
Separately; Firefox 64 now includes small pop-ups known as “snippets” which turned out to be an experiment by Mozilla. If you wish to turn them off; the steps are available here.

Meanwhile extension recommendations within Firefox 64 can be disabled using these steps.

=======================
Google Chrome:
=======================
Google released Google Chrome version 71.0.3578.80 to address 43 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.