Update: 3rd January 2019
Apologies for the delay.
Microsoft made available an out of band (un-scheduled) security update available for Internet Explorer on the 19th of December. This vulnerability is being actively exploited; thus if you have not already done, please update your Windows systems. All supported Windows Server and consumer versions of Windows are affected. The full table of affected Windows versions is available here from Microsoft.
For Lenovo laptops running Windows 10 Version 1607 with less than 8 GB of system memory (RAM); Microsoft has provided the following workarounds since this new security update inadvertently causes these systems to be unbootable:
Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.
If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.
Microsoft is working with Lenovo and will provide an update in an upcoming release.
Earlier today Microsoft and Adobe made available monthly updates addressing 39 vulnerabilities and 88 vulnerabilities (more formally known as CVEs (defined)) respectively. As always; more information is available from Microsoft’s monthly summary page and Adobe’s blog post.
While Adobe’s update addresses a large number of vulnerabilities; Microsoft’s released updates are fewer in overall vulnerabilities and should be considered light when compared to some months this year. If you use Adobe Flash Player, if you have not already done so; please ensure it is up to date (version 220.127.116.11). They addressed a zero day (defined) vulnerability with that update earlier this month which was in use by an APT group (defined in this context it is an organised group making use of zero day vulnerabilities).
Unfortunately; Microsoft’s updates also come with a list of Known Issues that will be resolved in future updates. They are listed below for your reference:
KB4471318: Windows 7 SP1 and Windows Server 2008 R2 SP1 : Workaround provided
KB4471321 : Windows 10, Version 1607Windows Server 2016 : resolutions are in progress
KB4471324 Windows 10, Version 1803 : resolution in progress
KB4471327 : Windows 10, Version 1703 : resolution in progress
KB4471329 Windows 10, Version 1709 : resolution in progress
As briefly mentioned above Adobe issued updates for Adobe Acrobat and Reader:
Adobe Acrobat and Reader: Priority 2: Resolves 40x Critical CVEs ands 48x Important CVEs
If you use Adobe Acrobat or Reader, please update it as soon as possible especially given the large number of critical vulnerabilities that were patched.
You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates.
News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)
CVE-2018-8611 : Windows Kernel (defined) (this vulnerability is already being exploited)
Please install the remaining updates at your earliest convenience.
As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.
Please find below summaries of other notable updates released this month.
Also earlier today Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):
Firefox 64: Resolves 2x critical CVEs (defined), 5x high CVEs, 3x moderate CVEs and 1x low CVE
Firefox ESR 60.4: Resolves 1x critical CVE, 4x high CVEs and 1x low CVE.
Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
Separately; Firefox 64 now includes small pop-ups known as “snippets” which turned out to be an experiment by Mozilla. If you wish to turn them off; the steps are available here.
Meanwhile extension recommendations within Firefox 64 can be disabled using these steps.
Google released Google Chrome version 71.0.3578.80 to address 43 vulnerabilities.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.