Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).
Adobe Digital Editions: 2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)
Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)
Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)
If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767
Microsoft Edge Chromium: ADV200002
Windows Shell (LNK): CVE-2020-0729
Windows Hyper-V: CVE-2020-0662
Windows Media Foundation: CVE-2020-0738
Please install the remaining updates at your earliest convenience.
As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications below.
Earlier this month Mozilla released Firefox 73 and Firefox ESR (Extended Support Release) 68.5 to address the following vulnerabilities:
Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs
Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs
Firefox 73 brings the following minor features listed below:
- A global zoom level configured from the settings menu
- Opt-in notification when the use of virtual reality is being requested
- A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.
Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
Realtek Audio/Sound Card Drivers
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.
This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.
If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 18.104.22.16856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.
On the 28th of February Nvidia released security updates for its drivers which power their Geforce, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).
As was the case with November’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates.
Intel Security Advisories
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.
In the latter half of February, VMware released a critical security advisory to address vulnerabilities within the following product:
If you use VMware vRealize Operations for Horizon Adapter, please install the applicable security updates (depending upon which version of this product you are using) as soon as possible.
In the final week of February, updates were released for Wireshark (I’ll detail only the 2 most recent versions here):
v3.2.2: Relating to 4 security advisories (relating to 4 CVEs)
v3.0.9: Relating to 3 security advisories (relating to 3 CVEs)
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.2 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.