Update: 11th February 2020
This Internet Explorer zero day (defined) vulnerability was resolved by the patch released by Microsoft today. If you use Internet Explorer (especially versions 8 or earlier), please install this update as soon as possible.
Update: 27th January 2020
Shortly after the release of Microsoft’s scheduled updates, on the 17th of January they issued a security advisory for a critical zero day (defined) vulnerability being exploited by attackers in targeted attacks.
An out-of-band update has not been released by Microsoft since all supported versions of Internet Explorer use Jscript9.dll rather than Jscript.dll by default. However, versions earlier than IE 9 face increased risk.
If you use Internet Explorer for day to day work or just general surfing, please consider implementing the workaround described within Microsoft’s security advisory. Please remember to remove the workaround prior to installing the relevant security update in February. Also, please note that this workaround is causing some printers not to print and the Microsoft Print To PDF function not to work. If this is the case, use another browser and disable the workaround or use the micropatch (discussed below).
An alternative, which according to ghacks.net is free, is to install the micropatch for IE available from 0Patch. More information on the micropatch and how to install it is available in the previous link above. This micropatch does not come with side effects. A YouTube video of the micropatch in action is available from the following link:
Happy New Year to my dedicated readers!
Today Adobe and Microsoft released their first security updates of the year. Adobe resolved 9 vulnerabilities, more formally known as CVEs (defined), with Microsoft addressing 50 vulnerabilities.
Adobe Illustrator CC: 5x Priority 3 CVEs resolved (5x Critical severity)
If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Illustrator CC).
Inside Microsoft’s monthly summary, there are Known Issues for 9 Microsoft products, but all have workarounds (some workarounds will be replaced by further updates).
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
For this month’s Microsoft updates, I will prioritize the order of installation below:
Windows CryptoAPI Spoofing Vulnerability: CVE-2020-0601 (disclosed by the NSA to Microsoft). Further information on this vulnerability is available from KrebsonSecurity, within this CERT advisory and the detailed NSA PDF.
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0609
Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0610
Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-0611
.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0605
.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0606
.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0646
Please install the remaining less severe updates at your earliest convenience.
Microsoft Edge Chromium
Tomorrow, 15th January, will mark the release of a new version of Microsoft Edge powered by the Chromium rendering engine. This version will be available for Windows 7, 8.1 and 10. This is especially relevant for Windows 7, Windows Server 2008 and Server 2008 R2 since, while Windows itself ends its support lifecycle today, Edge Chromium will continue to be supported for a further 18 months. This matches similar statements from Google regarding Chrome and separately Vivaldi.
For details of which versions of Windows 10 will receive the new Edge via Windows Update and which versions will need to download it separately, please refer to this link. I wish to extend my thanks to Softpedia and Bleepingcomputer.com for these really useful links.
If, for any reason, you wish to use the previous version of Edge (which uses the legacy rendering engine), please see this link for details of how to run the older version alongside its modern equivalent.
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have provided further details of updates available for other commonly used applications below.
In early January Mozilla released new versions of Firefox to address the following vulnerabilities and to add new user privacy features:
More recently, Firefox 72.0.1 was released to address a single critical severity zero day (defined) vulnerability which was responsibly disclosed to Mozilla and fixed very quickly. Finally, Firefox 72.0.2 was released on the 20th of January, resolving inconsistent playback of full-screen HD videos among other non-security issues.
Highlights from version 72 of Firefox include:
In addition to picture-in-picture being enabled by default for macOS and Linux, it blocks the use of fingerprinting by default (the collection of data from your system, e.g. browser version, font size, screen resolution and other unique data). This protection is provided by Disconnect. There are multiple levels of fingerprinting protection provided, with the standard level being enabled by default. The strict level, however, may lead to websites not functioning as expected. Further details are available here.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice and you have not already done so, please update it as soon as possible to benefit from the above changes.
In mid-January the following Wireshark updates were released:
As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.2.1 or v3.0.8)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.
Google made available two security updates during November; the first resolves 3 vulnerabilities while the second resolves 16 vulnerabilities. The second also provides mitigation for the vulnerability disclosed by the NSA to Microsoft, more commonly known as Chain of Fools/CurveBall or CVE-2020-0601. This test page from SANS will then show your system is no longer vulnerable after applying the second update. Please still apply the update from Microsoft to provide the most protection; Google’s changes are a mitigation only.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to re-launch Chrome for the updates to take effect.
Intel Security Advisories
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible, especially in the case of the high severity advisories:
Intel Processors Data Leakage Advisory
Intel Processor Graphics Advisory
Intel RWC 3 for Windows Advisory
Intel Chipset Device Software Advisory
Intel SNMP Subagent Stand-Alone Advisory for Windows
VMware released 2 security advisories in January; the first is of moderate severity with the second being of important severity. The advisories relate to the following products:
Workspace ONE SDK
Workspace ONE Boxer
Workspace ONE Content
Workspace ONE SDK Plugin for Apache Cordova
Workspace ONE Intelligent Hub
Workspace ONE Notebook
Workspace ONE People
Workspace ONE PIV-D
Workspace ONE Web
Workspace ONE SDK Plugin for Xamarin
Important Severity Advisory:
If you use the above VMware products, please review the advisories and apply the necessary updates.
Oracle issued updates to resolve 334 vulnerabilities in January 2020. Further details and installation steps are available here. 12 vulnerabilities affect the Java runtime, all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).
If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.