Tag Archives: Microsoft Hyper V

August 2017 Security Updates Summary

It’s the second Tuesday of August and Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved 48 vulnerabilities in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there is only 1 Known Issue for this month’s Microsoft updates.

====================

Separately Adobe made available four security bulletins for the following products:

Adobe Digital Editions (priority 2, 2x critical, 7x important CVEs)

Adobe Experience Manager (priority 2, 1x important, 2x moderate CVEs)

Adobe Acrobat/Reader (priority 2, 43x critical, 24 important CVEs)

Adobe Flash (priority 1, 1x critical, 1x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

Of note this month is the particularly large Adobe Acrobat/Reader update and the very small Flash Player update. The number of vulnerabilities resolved in last month’s Flash Player update was also small but it is too early to tell if vulnerability is moving away from Flash Player due to Adobe’s recent notice of their intention to de-commission Flash Player in 2020.

=======================
Update:12th September 2017:
=======================
Adobe last month updated their Adobe Acrobat and Acrobat Reader again after the availability of the initial patches in order resolve a regression (defined). Please ensure your installations of these products are updated to the version detailed by Adobe in their updated security bulletin (or are more recent than those listed in the bulletin).

Thank you.
=======================

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Windows Hyper-V

Windows Scripting Engine (affecting Edge, Internet Explorer and Office)

Microsoft Edge and Internet Explorer

Windows PDF Viewer

 

Important severity:

Windows Font Engine
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

March 2017 Security Updates Summary

As you know Microsoft and Adobe released their scheduled monthly security updates. For Microsoft this release was anticipated especially since last month’s set was delayed.

Within the above linked to post I predicted Microsoft would make a large number of updates and they did just that. 17 bulletins in total are now available. These updates address 138 vulnerabilities listed within Microsoft’s new Security Update Guide. These vulnerabilities are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within their March summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.
====================

Adobe issued two security bulletins today. One affecting Adobe Flash and the other for Adobe Shockwave Player. The Flash Player bulletin resolves 8x priority 1 vulnerabilities. While the Shockwave bulletin resolves 1x priority 2 vulnerability. These priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available last week.

If you use Flash or Adobe Shockwave, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
Update: 22nd March 2017:
=======================
I wish to provide information on other notable updates from this month which I would recommend you install if you use these software products:

Notepad++ version 7.3.3

VideoLAN VLC Media version 2.2.5 (release currently in progress)

Malwarebytes Anti-malware version 3.0.6 CU3 (with Component package version: 1.0.75):
It is unknown how many vulnerabilities this addresses but this forum post mentions their resolution.

Malwarebytes Anti-malware version 3.0.6 CU4 addresses further vulnerabilities.

More details of the vulnerabilities resolved by Malwarebytes 3.0.6 CU3 have emerged. Researchers responsibly disclosed a technique which uses Microsoft’s Application Verifier to hijack an anti-malware application. More details of this vulnerability are available here and here.

Mozilla Firefox 52.0.1 (more details in this post on Pwn2Own 2017)

VMware Workstation 12.5.4 (relevant security advisories are here and here)

VMware ESXi, Fusion and VMware Workstation 12.5.5 (the relevant security advisory is here). This advisory resolves the vulnerabilities disclosed during Pwn2Own 2017 for the above listed products.

Wireshark 2.2.5 and 2.0.11

Putty 0.68 (while released in February; it contains important security changes)

Apple Security Updates: updates are available for iTunes, iTunes for Windows, Pages, Numbers, Keynote (for macOS and iOS), Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, macOS Server, iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

=======================

For the 17 Microsoft bulletins this month, I will prioritize the order of updates for you below:

====================
Critical severity:
Windows Graphics Component

Windows SMB Server

Microsoft Edge

Internet Explorer

Windows Hyper-V

Windows PDF

====================
Important Severity
====================
The update for Microsoft Office should be installed next due to it’s criticality. With the follow updates after it:

Microsoft Exchange

Microsoft IIS

Active Directory Federation Server

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows this year’s contest is bigger than ever. With the more vulnerabilities that are found by the researchers the more they are awarded and the more everyone benefits by the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.