Tag Archives: Microsoft Edge

March 2020 Update Summary

====================
Update: 28th March 2020
====================
I have added the details of the security updates released by Apple on the 24th March near the end of this post. Thank you.

====================
Update: 25th March 2020
====================
Adobe has released a further update for Creative Cloud Desktop. I have added the details below to the Adobe updates list.

VMware have also released VMware Fusion 11.5.3 to more completely address a previously patched vulnerability. Details are below in the VMware updates list.

Thank you.

====================
Update: 23rd March 2020
====================

Since originally writing this post, Adobe published their security updates a week later than usual. Further details are listed below.

Thank you.

====================
Adobe
====================
Adobe Acrobat and Reader: 13x Priority 2 CVEs (defined)resolved (9x Critical and 4x Important severity)
Adobe Bridge: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe ColdFusion:  2x Priority 2 CVEs resolved (2x Critical severity)
Adobe Creative Cloud Desktop: 1x Priority 2 CVE resolved (1x Critical severity)
Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Genuine Integrity Service: 1x Priority 3 CVE resolved (1x Important severity)
Adobe Photoshop: 21x Priority 3 CVEs resolved (15x Critical and 6x Important severity)

====================
Update: 15th March 2020:
====================
Security researcher Kevin Beaumont has provided further details of the critical SMBv3.1 vulnerability affecting Windows 10 Version 1903 and 1909. In summary the vulnerability is not trivial to exploit and the number of systems at the time of writing (13th March) vulnerability to the exploit had already dropped by 25%.

====================
Update: 12th March 2020:
====================
Microsoft have released an update to resolve the SMBv3 vulnerability now designated CVE-2020-0796, (EternalDarkness or SMBGhost) please apply it to any Windows 10 Server or Windows 10 workstation system running Windows 10 Version 1903 or 1909 as soon as possible. Please also make certain that such systems are not exposing port 445 to the internet (please seethe FAQ in their information on the relevant update).

An internet scan by security researchers of vulnerable estimates that there are 48,000 vulnerable Windows 10 systems. You can use the ollypwn scan (created by a Danish security researcher) can be used to check if a system is vulnerable.

I wish to add the following useful clarification (which was written before the Microsoft security update became available) from Richard Melick, senior technical product manager at Automox in relation to this SMBv3 vulnerability:

“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities. But that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch…it’s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today”.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Update: 11th March 2020
====================
As expected, yesterday Microsoft  released their scheduled updates to resolve 115 CVEs (defined). Unusually for this month, Adobe has not released any updates.

Microsoft’s monthly summary; lists Known Issues for 14 Microsoft products but all have workarounds or resolution steps listed just as the previous month’s did.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
For Windows or Windows Server system (Version 1903 and 1909) systems that uses SMBv3, please follow Microsoft’s guidance in the following security advisory while an update is not yet available. Please apply the update as soon as it is made available:

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

Please also make certain that TCP port 445 is blocked at the enterprise perimeter firewall to prevent exploitation.

This vulnerability is “wormable” meaning that similar to the WannaCry malware and the BlueKeep vulnerability if exploited it may lead to a very large malware outbreak in a very short time.

====================

Windows LNK: CVE-2020-0684
Windows Media Foundation: CVE-2020-0801 , CVE-2020-0807 , CVE-2020-0809,  CVE-2020-0869
Microsoft Internet Explorer: CVE-2020-0824
Microsoft Browsers: CVE-2020-0768

Microsoft Scripting Engine: CVE-2020-0830 , CVE-2020-0847, CVE-2020-0833 , CVE-2020-0832, CVE-2020-0829 , CVE-2020-0813 , CVE-2020-0826, CVE-2020-0827 , CVE-2020-0825 , CVE-2020-0831, CVE-2020-0811, CVE-2020-0828, CVE-2020-0848, CVE-2020-0823, CVE-2020-0812

Microsoft GDI+: CVE-2020-0881, CVE-2020-0883
Microsoft Word: CVE-2020-0852
Microsoft Dynamics: CVE-2020-0905
Microsoft Edge: CVE-2020-0816

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers, please stay safe during these challenging times. Thank you.

====================
Netgear
====================
On the 3rd of March, Netgear released 25 security advisories for its modem-router gateways, approximately 40 routers and a range extender. The vulnerability range up to critical in severity.

If you own a Netgear router, range extender or modem-router gateway, please use the guidance within this article (many thanks to Tom’s Guide for this advice and the appropriate how to check for updates steps) to locate your Netgear device model e.g. R6400 and to match it against the available security bulletins to check if your device requires a firmware (defined) update sometimes called a software update. Please install the update if one is available. The above linked to article also describes the varied methods to update your Netgear device.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel Smart Sound Technology Advisory
BlueZ Advisory
Intel NUC Firmware Advisory

Medium
Intel MAX 10 FPGA Advisory
Intel Processors Load Value Injection Advisory
Snoop Assisted L1D Sampling Advisory
Intel Optane DC Persistent Memory Module Management Software Advisory
Intel FPGA Programmable Acceleration Card N3000 Advisory
Intel Graphics Drivers Advisory

====================
Mozilla Firefox
====================
Yesterday, Mozilla released Firefox 74 and Firefox ESR (Extended Support Release) 68.6 to resolve the following vulnerabilities:

Firefox 74.0: Addresses 6x high severity CVEs, 6x medium severity CVEs and 1x low CVE

Firefox 68.6 ESR: Addresses 5x high severity CVEs and 3x medium severity CVEs

Firefox 74 also removes support TLS 1.0 (what is TLS, defined) and 1.1 as per Mozilla’s previous timelime, adds a Facebook Container add-in to limit how much the social tracks you across other sites and blocks the ability for other applications to install Firefox add-ons without your knowledge or consent. Further details of these features and other features added can be found within this article (my thanks to Lawrence Abrams of Bleepingcomputer.com for this information).

====================
Google Chrome
====================
Early last week, Google released Chrome version 80.0.3987.132 for Linux, Mac and Windows to resolve 4 security vulnerabilities with the most severe being of high severity.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Apple Security Updates:
=======================
On the 24th of March Apple made available the following updates. Notable fixes affect the kernels of macOS, iOS and iPadOS, WebKit (the renderer of Safari), Bluetooth and Safari.

These updates bring Safari to version 13.1 and add updates to its Intelligence Tracking Prevention (ITP) privacy feature while also introducing a block on all 3rd party cookies (defined) by default.

Further details for these updates are as follows:
Apple iOS v13.4 and iPadOS 13.4 (resolves 35x CVEs (defined))
Apple tvOS 13.4: Resolves 20x CVEs.
Apple watchOS 6.2: Resolves 17x CVEs
Apple watchOS 5.3.6 (no CVEs resolved)
Apple iTunes version 12.10.5 for Windows: Resolves 13x CVEs
macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra: Resolves 27x CVEs.
Safari 13.1: Resolves 11 CVEs
Apple iCloud for Windows 10.9.3: Resolves 13 CVEs
Apple iCloud for Windows 7.18: Resolves 13 CVEs
Xcode 11.4: Resolves 1 CVE (?: Apple’s post provides little details)

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
VMware
====================
VMware have so far released 2 security advisories this month to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
====================
Advisory 2: Severity: Important:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Remote Console for Mac (VMRC for Mac)
VMware Horizon Client for Mac
VMware Horizon Client for Windows
====================

Advisory 2 (above) has been updated by VMware to state VMware Fusion has been updated to version 11.5.3 to more comprehensively resolve the vulnerability designated CVE-2020-3950. Please make certain if you use VMwre Fusion that it is the latest version available.

If you use any of the above products, please review the adobe advisories and install the applicable security updates as soon as possible.

January 2020 Update Summary

====================
Update: 11th February 2020
====================
This Internet Explorer zero day (defined) vulnerability was resolved by the patch released by Microsoft today. If you use Internet Explorer (especially versions 8 or earlier), please install this update as soon as possible.

Thank you.

==============
Update: 27th January 2020
==============
Shortly after the release of Microsoft’s scheduled updates, on the 17th of January they issued a security advisory for a critical zero day (defined) vulnerability being exploited by attackers in targeted attacks.

An out of bound update has not been released by Microsoft since by default all support versions of Internet Explorer by default use Jscript9.dll rather than Jscript.dll However versions earlier then IE 9 face increased risk.

If you use Internet Explorer for day to day work or just general surfing, please consider implementing the workaround described within Microsoft’s security advisory. Please remember to remove the workaround prior to installing the relevant security update in February. Also, please note that this workaround is causing some printers not to print and the Microsoft Print To PDF function not to work. If this is the case, use another browser and disable the workaround or use the micropatch (discussed below).

An alternative which according to ghacks.net is free is to install the micro-patch for IE available from 0Patch. More information on the micropatch and how to install it is available in the previous link above. This micropatch does not come with side effects. A YouTube video of the micropatch in action is available from the following link:

https://youtu.be/ixpBN_a2cHQ

Thank you.

==============
Original Post
==============
Happy New Year to my dedicated readers!

Today Adobe and Microsoft released their first security updates of the year. Adobe resolved 9 vulnerabilities more formally known as CVEs (defined) with Microsoft addressing 50 vulnerabilities.

====================
Adobe
====================
Adobe Experience Manager: 4x Priority 2 CVEs resolved (3x Important severity, 1x Moderate severity)

Adobe Illustrator CC: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Illustrator CC).
====================

Inside Microsoft’s monthly summary; there are Known Issues for 9 Microsoft products but all have workarounds (some workarounds will be replaced by further updates).

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows CryptoAPI Spoofing Vulnerability: CVE-2020-0601 (disclosed by the NSA to Microsoft). Further information on this vulnerability is available from KrebsonSecurity, within this CERT advisory and the detailed NSA PDF.

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0609

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0610

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-0611

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020 0605

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0606

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0646

Please install the remaining less severe updates at your earliest convenience.

====================
Microsoft Edge Chromium
====================
Tomorrow, 15th January will mark the release of a new version of Microsoft Edge powered by the Chromium rendering engine. This version will be available for Windows 7, 8.1 and 10. This is especially relevant for Windows 7, Windows Server 2008 and Server 2008 R2 since while Windows itself ends its support lifecycle today, Edge Chromium will continue to be supported for a further 18 months. This matches similar statements from Google regarding Chrome and separately Vivaldi.

For details of which versions of Windows 10 will receive the new Edge via Windows Update and which versions will need to download it separately, please refer to this link. I wish to extend my thanks to Softpedia and Bleepingcomputer.com for these really useful links.

If for any reason, you wish to use the previous version of Edge (which uses the legacy rendering engine, please see this link for details of how to run the older version alongside its modern equivalent).

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
In early January Mozilla released new versions of Firefox to address the following vulnerabilities and to add new user privacy features:

Firefox 72.0: Resolves 5x high severity CVEs (defined), 5x moderate CVEs and 1x low CVE

Firefox ESR 68.4 (Extended Support Release): Resolves 4x high severity CVEs and 2x moderate CVEs

More recently Firefox 72.0.1 was released to address a single critical severity zero day (defined) vulnerability which was responsibly disclosed to Mozilla and fixed very quickly. Finally Firefox 72.0.2  was released on the 20th of January resolving inconsistent playback of full-screen HD videos among non-security other issues.

Highlights from version 72 of Firefox include:
In addition to picture in picture enabled by default for macOS and Linux, it blocks the use of fingerprinting by default (the collection of data from your system e.g. browser version, font size, screen resolution and other unique data. This protection is provided by Disconnect. There are multiple levels of fingerprinting protection provided with the standard level being enabled by default. The strict level however may lead to websites not functioning as expected. Further details are available here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Wireshark
====================
In mid-January the following Wireshark updates were released:

v3.2.1: Relating to 1 security advisory

v3.0.8: Relating to 1 security advisory

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.1 or v3.0.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 3 vulnerabilities while the second resolves 16 vulnerabilities. The second also provides mitigation for the vulnerability disclosed by the NSA to Microsoft more commonly known as the  Chain of Fools/CurveBall or CVE-2020-0601 This test page from SANS will then show your system is no longer vulnerable after applying the second update. Please still apply the update from Microsoft to provide the most protection, Google’s changes are a mitigation only.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories:

High
Intel VTune Amplifier for Windows Advisory

Medium
Intel Processors Data Leakage Advisory
Intel Processor Graphics Advisory
Intel RWC 3 for Windows Advisory
Intel Chipset Device Software Advisory
Intel SNMP Subagent Stand-Alone Advisory for Windows

Low
Intel Data Analytics Acceleration Library (DAAL)

====================
VMware
====================
VMware released 2 security advisories in January , the first is of moderate severity with the second being of important severity. The advisories relate to the following products:

Moderate Severity Advisory:

Workspace ONE SDK

Workspace ONE Boxer

Workspace ONE Content

Workspace ONE SDK Plugin for Apache Cordova

Workspace ONE Intelligent Hub

Workspace ONE Notebook

Workspace ONE People

Workspace ONE PIV-D

Workspace ONE Web

Workspace ONE SDK Plugin for Xamarin

Important Severity Advisory:
VMware Tools

If you use the above VMware products, please review the advisories and apply the necessary updates.

=======================
Oracle:
=======================
Oracle issued updates to resolve 334 vulnerabilities in January 2020. Further details and installation steps are available here. 12 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

June 2019 Update Summary

With yesterday being the second Tuesday of the month; it means it’s Update Tuesday again. Microsoft resolved 88 vulnerabilities  (more formally known as CVEs (defined) with Adobe addressing 11 vulnerabilities of their own.

Adobe Campaign: 7x Priority 3 vulnerabilities (1x Critical, 3x Important, 3x Moderate)

Adobe ColdFusion: 3x Priority 2 vulnerabilities (3x Critical)

Adobe Flash Player: 1x Priority 1 vulnerability (1x Critical)

If you use Adobe ColdFusion, please apply the necessary updates as soon as possible. For that product, as per Adobe’s advisory, please make certain the Java JDK/JRE in use on the server is fully up to date in order to fully secure it. Please install the remaining updates for Campaign and Flash Player as soon as possible since they also resolve critical vulnerabilities.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Windows Server 2008 Service Pack 2 Servicing stack update

4503027                Exchange Server 2019, Exchange Server 2016

4503028                Exchange Server 2010 Service Pack 3, Exchange Server 2013

4503263                Windows Server 2012 (Security-only update)

4503267                Windows 10, version 1607, Windows Server 2016

4503276                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4503279                Windows 10, version 1703

4503284                Windows 10, version 1709

4503285                Windows Server 2012 (Monthly Rollup)

4503286                Windows 10, version 1803

4503290                Windows 8.1 Windows Server 2012 R2 (Security-only update)

4503291                Windows 10

4503292                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4503293                Windows 10, version 1903

4503327                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer: CVE-2019-1038

Microsoft Speech API Remote Code Execution Vulnerability: CVE-2019-0985

Microsoft Scripting Engine:

CVE-2019-1002

CVE-2019-0991

CVE-2019-1080

CVE-2019-1023

CVE-2019-0992

CVE-2019-1024

CVE-2019-0990

CVE-2019-0988

CVE-2019-0989

CVE-2019-1055

CVE-2019-1052

CVE-2019-1051

CVE-2019-0920

CVE-2019-1003

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2019-0709 , CVE-2019-0722 , CVE-2019-0620

ActiveX Data Objects (ADO) Remote Code Execution Vulnerability: CVE-2019-0888

Windows Task Scheduler: CVE-2019-1069 (disclosed by SandboxEscaper)

Windows AppX Deployment Service (AppXSVC): CVE-2019-1064 (disclosed by SandboxEscaper)

Windows Shell: CVE-2019-1053 (disclosed by SandboxEscaper)

Windows Installer: CVE-2019-0973 (disclosed by SandboxEscaper)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
VideoLAN VLC:
=======================
A new version of VLC is available for Apple macOS, Linux, Windows (desktop and Windows Store), Google Android and Apple iOS with some great performance improvements and resolving 33 security vulnerabilities (2 of which are high severity) as a result of the EU-FOSSA bug bounty programme which opened in January this year.

Further details are below:

http://www.videolan.org/vlc/releases/3.0.7.html

http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

Version 3.0.7.1 has since been released to resolve other non-security issues. The most recent version can be downloaded from:

http://www.videolan.org/vlc/

=======================
Mozilla Firefox
=======================
Yesterday (11th June), Mozilla released Firefox 67.0.2 to address a single moderate severity vulnerability.

Further to the above updates, on the 18th and the 20th June; Mozilla issued 2 updates for Firefox version 67.0.3 (ESR (Extended Support Release) 60.7.1) and 67.0.4 (ESR 60.7.2) to resolve 2x critical zero day (defined) vulnerabilities actively being exploited in the wild.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome:
=======================
Google released Google Chrome version 75.0.3770.80 to address 42 vulnerabilities in early June.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware:
=======================
Earlier this month VMware published a security advisory to address a single Important severity vulnerability in VMware Tools for Linux and Windows.

If you use VMware Tools on Linux or Windows, please review the security advisory and apply the necessary updates.

=======================
DOSBox
=======================
The retro gaming and legacy software emulator DOSBox in late June released an update to correct vulnerabilities discovered during a small code audit.

2 CVEs (CVE-2019-7165 and CVE-2019-12594) were assigned (that resolve critical vulnerabilities with CVSS 3.0 (defined) base scores of 9.8) but more out of bound access and buffer overflows (defined) were also resolved. Further details are available in their news post dated, 26th June 2019.

If you use DOSBox, please consider upgrading to version 0.74-3 which also includes many fixes for non-security bugs. The new version is available from here.

Thank you.

May 2019 Update Summary

====================
Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks; updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.
====================

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs (defined) with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4493730   Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440   Windows 10, version 1607, Windows Server 2016

4494441   Windows 10, version 1809, Windows Server 2019

4497936   Windows 10, version 1903

4498206   Internet Explorer Cumulative Update

4499151   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154   Windows 10

4499158   Windows Server 2012 (Security-only update)

4499164   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165   Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167   Windows 10, version 1803

4499171   Windows Server 2012 (Monthly Rollup)

4499179   Windows 10, version 1709

4499180   Windows Server 2008 Service Pack 2 (Security-only update)

4499181  Windows 10, version 1703

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924 ,  CVE-2019-0927 , CVE-2019-0922 , CVE-2019-0884 , CVE-2019-0925 , CVE-2019-0937 , CVE-2019-0918 , CVE-2019-0913 , CVE-2019-0912 , CVE-2019-0911 , CVE-2019-0914 , CVE-2019-0915 , CVE-2019-0916 , CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
3 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 7.7 have been resolved within Nvidia’s graphics card drivers (defined) in May. These vulnerabilities affect Windows only. All 3 are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
VMware
=======================
VMWare has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability (defined)

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates as they become available for your systems as they become available in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.

Pwn2Own 2019 Results

TL DR: With popular products such as the Tesla Model 3, Apple Safari, Mozilla Firefox, Oracle VirtualBox, VMware Workstation Pro and Microsoft Edge being successfully exploited; please install the necessary updates when they become available.

The annual white hat hacking contest known as Pwn2Own took place last week. Detailed results from all 3 days are available from this link.

Day 3 saw initially two teams attempting to exploit a Tesla Model 3 before one withdrew. The team Fluoroacetate made up of both Richard Zhu and Amat Cama successfully exploited the infotainment system of the Tesla earning them a further $35,000 and the car itself. They earned $375k in total and became the Master of Pwn for 2019. The contest overall distributed $545k for 19 vulnerabilities.

In contrast to previous years the researchers have targeted vulnerabilities other than those within the operating system kernel (defined) to obtain a total system compromise. Only 3 times were exploits on the OS kernel used this year (one exploit was used in conjunction when exploiting each of the web browsers Apple Safari, Microsoft Edge and Mozilla Firefox).

We can expect updates for each of the exploited products over the coming weeks and months (the vendors have up to 120 days to resolve the vulnerabilities before public disclosure). Mozilla released Firefox 66.0.1 and 60.6.1 to resolve the 2 Firefox CVEs (defined) disclosed during the contest.

If you use the affected products, please keep current with the necessary updates. Thank you.

March 2019 Update Summary

====================
Updated: 21st March 2019
====================
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683CVE-2019-0754CVE-2019-0757 and CVE-2019-0809).

Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.

After publishing my original post; Adobe and Microsoft jointly reported that while a newer version (32.0.0.156) of Flash Player was made available it only resolves non-security bugs.

I have updated the suggested installation order (below) to reflect this new information. Thank you.

====================
Original Post:
====================
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.

For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:

Adobe Digital Editions: 1x priority 3 CVE resolved

Adobe Photoshop CC: 1x priority3 CVE resolved

If you use the affected Adobe products; please install their remaining priority 3 updates when you can.

This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:

KB4489878          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

KB4489881          Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB4489882          Windows 10 version 1607, Windows Server 2016

KB4489883          Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB4489884          Windows Server 2012 (Security-only update)

KB4489885          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

KB4489891          Windows Server 2012 (Monthly Rollup)

KB4489899          Windows 10 version 1809, Windows Server 2019

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel: CVE-2019-0797CVE-2019-0808

Windows DHCP Client: CVE-2019-0697 , CVE-2019-0698 , CVE-2019-0726

Microsoft XML: CVE-2019-0756

Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772

Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809

Microsoft Active Directory: CVE-2019-0683

NuGet Package Manager Tampering Vulnerability: CVE-2019-0757

Windows Denial of Service Vulnerability: CVE-2019-0754

Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)

If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005

====================
Please install the remaining updates at your earliest convenience.

As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Google Chrome:
=======================
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Notepad++:
=======================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Mozilla Firefox
=======================
Update: 25th March 2019: As detailed in the Pwn2Own 2019 results post; Mozilla released a further update for Firefox and Firefox ESR bringing their version numbers to 66.0.1 and 60.6.1 respectively. Both updates resolve 2x critical CVEs. Please consider updating to these versions as soon as possible.

=======================
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:

Firefox 66.0: Resolves 5x critical CVEs (defined), 7x high CVEs, 5x moderate CVEs and 4x low CVEs

Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs

Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware:
=======================
VMware issued 2 security advisories during March:
Security Advisory 1: Addresses 2x important severity CVEs in the following products:

VMware Player
VMware Workstation Pro

Security Advisory 2: Addresses 1x moderate severity CVE in the following products:

VMware Horizon

If you use the above VMware products, please review the security advisories and apply the necessary updates.

=======================
Putty:
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.71 in mid-March. It contains 8 security fixes (see below). They are a result of the bug bounties awarded through the EU-Free and Open Source Software Auditing (EU-FOSSA) (discussed previously in this post). Version 0.71 is downloadable from here.

If you use Putty, please update it to version 0.71. Thank you.

Security vulnerabilities fixed:

=======================

=======================
Nvidia Geforce Experience Software:
=======================
In late March , Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 1 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be applied by opening Geforce Experience which will automatically updated it or the update can be obtained from here.

=======================
GOG Galaxy
=======================
Golden Old Games (GOG) has published an update for their popular game distribution platform GOG Galaxy. It resolves 2 critical vulnerabilities. Additionally, 2 high severity and 2x medium severity vulnerabilities were also resolved. These vulnerabilities are discussed in more detail in this Cisco Talos blog post and within this Kaspersky ThreatPost article. Please update GOG Galaxy to version 1.2.54.23 or later to resolve these vulnerabilities.

I don’t often post about vulnerabilities in gaming clients/gaming distribution clients but like any software; security updates can and are made available for them.

February 2019 Update Summary

Earlier today Microsoft made available 13 bulletins and 3 advisories resolving 74 vulnerabilities (more formally known as CVEs (defined)) respectively. As always more details are available from Microsoft’s monthly summary page.

Also today Adobe released scheduled updates for the products listed below addressing 75 CVEs in total:

Adobe Acrobat and Reader: 71x priority 2 CVEs resolved (43 of the 75 are Critical, the remainder are Important severity)

Adobe ColdFusion: 2x priority 2 CVEs resolved

Adobe Creative Cloud Desktop Application: 1x priority 3 CVE resolved

Adobe Flash Player: 1x priority 2 CVE resolved

If you use the affected Adobe products; due to the public disclosure (defined) of CVE-2019-7089 as a zero day (defined) vulnerability, please install the Adobe Acrobat and Reader updates first followed by Flash Player and the remaining updates. I provide more detail on the zero day vulnerability in a separate post.

As we are accustomed to Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates or for which workarounds are provided. They are listed below for your reference:

4345836
4471391
4471392
4483452
4486996
4487017
4487020
4487026
4487044
4487052

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft GDI+

Scripting Engine (CVE-2019-0590 , CVE-2019-0591 , CVE-2019-0593 , CVE-2019-0640  ,
CVE-2019-0642
, CVE-2019-0648 , CVE-2019-0649  , CVE-2019-0651 , CVE-2019-0652 , CVE-2019-0655 , CVE-2019-0658)

Windows DHCP

Microsoft Exchange

Microsoft SharePoint and CVE-2019-0604

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
8 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 8.8 have been resolved within Nvidia’s graphics card drivers (defined) in February. These vulnerabilities affect Linux FreeBSD, Solaris and Windows. The steps to install the drivers are detailed here (and here) for Ubuntu and here for Linux Mint. Windows install steps are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
7-Zip:
=======================
In the 3rd week of February; 7-Zip version 19.00 was released. While it is not designated as a security update; the changes it contains appear to be security related. While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. Directory Opus version 12.2.2 Beta includes version 19.00 of the 7-Zip DLL.

If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from these improvements.

=======================
Changes:
=======================
– Encryption strength for 7z archives was increased:
the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved.
– Some bugs were fixed.
=======================

If you are using the standalone version and it’s older than version 19, please consider updating it.

=======================
Mozilla Firefox
=======================
In mid-February Mozilla issued updates for Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65.0.1: Resolves 3x high CVEs (defined)

Firefox 60.5.1: Resolves 3x high CVEs

As always; details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from changes such as improvements to Netflix playback, color management on Apple macOS and resolving audio/video delays during WebRTC calls etc.

=======================
Wireshark 3.0.0, 2.6.7 and 2.4.13
=======================
v3.0.0: 0 security advisories (new features and benefits discussed here and here)

v2.6.7: 3 security advisories

v2.4.13: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.0, v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Note: from this post onwards, I will only report on the most recent (v3.0) and previous branches (v2.6) of Wireshark.

Thank you.