Tag Archives: Microsoft Hyper V

February 2020 Update Summary

Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).

Let’s start with Adobe’s patches first:
====================
Adobe
====================
Adobe Acrobat and Reader: 17x Priority 2 CVEs resolved (12x Critical, 3x Important, 2x Moderate severity)

Adobe Digital Editions:  2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)

Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)

Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
====================

Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767

Internet Explorer: CVE-2020-0674 (this was  the zero day (defined) vulnerability reported last month).

Microsoft Edge Chromium:  ADV200002

Windows Shell (LNK): CVE-2020-0729

Windows Remote Desktop Client: CVE-2020-0681 , CVE-2020-0734

Windows Hyper-V: CVE-2020-0662

Windows Media Foundation: CVE-2020-0738

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Earlier this month Mozilla released Firefox 73 and Firefox ESR  (Extended Support Release) 68.5 to address the following vulnerabilities:

Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs

Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs

Firefox 73 brings the following minor features listed below:

  1. A global zoom level configured from the settings menu
  2. Opt-in notification when the use of virtual reality is being requested
  3. A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.

Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Realtek Audio/Sound Card Drivers
====================
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.

This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.

If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 1.0.0.8856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.

December 2019 Update Summary

As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.

Adobe resolved 25 CVEs this month with Microsoft separately patching 36 CVEs (defined).
====================
Adobe Brackets (an open source (the source code (human readable code) is free to view and edit by the wider IT community) application development editor focused on web development): 1x Priority 3 CVE resolved (1x Critical severity)

Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)

Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
====================

Within Microsoft’s monthly summary; there are Known Issues for 17 Microsoft products but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468

Microsoft Windows Kernel (defined): CVE-2019-1458

Windows Hyper-V: CVE-2019-1471

Microsoft Visual Studio: CVE-2019-1349 , CVE-2019-1350 , CVE-2019-1352 , CVE-2019-1354 , CVE-2019-1387

Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs (defined) and used for Windows Hello for Business: Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:

Firefox 71.0: Resolves 6x high severity CVEs (defined) and 5x moderate CVEs

Firefox ESR 68.3 (Extended Support Release): Resolves 4x high severity CVEs and 4x moderate CVEs

Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.

The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
AMD
=======================
In early December AMD issued a security advisory for its GPU and APU (defined) drivers (defined). It resolves 2 vulnerabilities CVE-2019-5049 and CVE-2019-5098. The steps to install the drivers on Windows are located here with a guide for Linux available here. Please make certain the drivers are version 20.1.1 or later (as per multiple recommendations from Talos, 1 , 2 and 3). As per those same recommendations if you use VMware Player or Workstation Pro, please make certain it is version 15.5.1 or later. If you use the affected AMD graphics cards, please consider updating your drivers to the most recent available.

====================
Nvidia
====================
In late December Nvidia released a security update for Nvidia Geforce Experience to resolve a vulnerability that may lead to a denial of service (defined) issue or an escalation of privilege (defined) issue. This vulnerability is a local vulnerability rather than remote meaning that an attacker would first need to compromise your system before exploiting this vulnerability to elevate their privileges. To resolve this local vulnerability within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The high priority advisories are the following:

High
Linux Administrative Tools for Intel Network Adapters Advisory

Intel NUC Firmware Advisory

The remaining advisories are of medium and low priority:

Medium
Intel Quartus Prime Pro Edition Advisory

Intel RST Advisory (see also my separate post on this vulnerability)

Control Center-I Advisory

Intel SCS Platform Discovery Utility Advisory

Unexpected Page Fault in Virtualized Environment Advisory

Intel FPGA SDK for OpenCL Advisory

Low
Intel Ethernet I218 Adapter Driver for Windows Advisory

Intel Dynamic Platform and Thermal Framework Advisory

====================
VMware
====================
Similar to last month, VMware released 2 further security advisories, the first is of critical severity with the second being of moderate severity relating to the products:

Critical Severity Advisory:

VMware ESXi
VMware Horizon DaaS appliances

Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
OpenSSL
====================
On the 6th December; the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Apple Security Updates
=======================
Throughout December Apple has released security updates for the following products:

Apple iOS v12.4.4 and 13.3 / iPad OS 13.3: Resolves 1 CVE (defined) and 14 CVEs (respectively)

Apple Safari 13.0.4: Resolves 2 CVEs

Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs

Apple tvOS 13.3: Resolves 11 CVEs

Apple watchOS 5.3.4 and 6.1.1: Resolves 1 CVE and 10 CVEs (respectively)

Apple Xcode 11.3: Resolves 1 CVE

Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs

Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs

Apple iCloud for Windows 10.9: Resolves 4 CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In early December the following Wireshark updates were released:

v3.0.7: 1 security advisory

v2.6.13: 1 security advisory

The above v3.0.7 version was later super seceded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.7 or v2.6.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

November 2019 Update Sumamry

Apologies this notification is late due to my professional commitments.

As expected, on Tuesday 12th November Adobe and Microsoft made available their scheduled security updates. Adobe addressed 11 vulnerabilities with Microsoft also addressing 74 vulnerabilities more formally known as CVEs (defined).

====================
Adobe Animate CC: 1x Priority 3 CVE resolved (1x Important severity)

Adobe Bridge CC: 2x Priority 3 CVEs resolved (2x Important severity)

Adobe Illustrator CC:  3x Priority 3 CVEs resolved (1x Critical severity and 2x Important severity)

Adobe Media Encoder: 5x Priority 3 CVEs resolved (1x Critical severity and 4x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities).
====================

Within Microsoft’s monthly summary; there are Known Issues for 13 Microsoft products but all have workarounds or updates available to resolve  them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Microsoft Graphics Component (Win32k Graphics): CVE-2019-1441

Microsoft Graphics Component (OpenType font Parsing): CVE-2019-1419

Microsoft Scripting Engine: CVE-2019-1429 , CVE-2019-1426 , CVE-2019-1427

Microsoft Exchange Server: CVE-2019-1373

Windows Media Player: CVE-2019-1430

Windows Hyper-V: CVE-2019-1398 , CVE-2019-0719 , CVE-2019-1397 , CVE-2019-0721 , CVE-2019-1389

STMicroelectronics TPM (defined) Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories this month. The critical and high priority advisories are the following:

Critical
2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory

High
2019.2 IPU – Intel® Graphics Driver for Windows* and Linux Advisory

2019.2 IPU – Intel® SGX and TXT Advisory

2019.2 IPU – Intel® Processor Security Advisory

The remaining advisories are of medium priority:
2019.2 IPU – Intel® Processor Machine Check Error Advisory

2019.2 IPU – Intel® Processor Graphics Update Advisory

2019.2 IPU – Intel® TXT Advisory

2019.2 IPU – Intel® SGX with Intel® Processor Graphics Update Advisory

2019.2 IPU – Intel® Processor Graphics SMM Advisory

If you use any of the affected software or products, please update them as soon as possible especially in the case of the critical and high severity advisories.

====================
VMware
====================
VMware made available two security advisories, one of Important severity and the other of Moderate severity to addresses vulnerabilities within the following products:

Important Severity Advisory:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

Moderate Severity Advisory:
VMware ESXi
VMware Workstation
VMware Fusion

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
Nvidia
====================
In early November Nvidia made available Windows driver updates for their Geforce, Tesla and Quadro/NVS GPUs as well as their vGPU software (for Linux and Windows).  All vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider updating your drivers to the most recent available.

Further updates were made available for the NVFlash tool (not applicable to end users) and Nvidia Geforce Experience. To resolve the local vulnerabilities within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS):  CVE-2019-1181 CVE-2019-1182  CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144  CVE-2019-1152  CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

June 2019 Update Summary

With yesterday being the second Tuesday of the month; it means it’s Update Tuesday again. Microsoft resolved 88 vulnerabilities  (more formally known as CVEs (defined) with Adobe addressing 11 vulnerabilities of their own.

Adobe Campaign: 7x Priority 3 vulnerabilities (1x Critical, 3x Important, 3x Moderate)

Adobe ColdFusion: 3x Priority 2 vulnerabilities (3x Critical)

Adobe Flash Player: 1x Priority 1 vulnerability (1x Critical)

If you use Adobe ColdFusion, please apply the necessary updates as soon as possible. For that product, as per Adobe’s advisory, please make certain the Java JDK/JRE in use on the server is fully up to date in order to fully secure it. Please install the remaining updates for Campaign and Flash Player as soon as possible since they also resolve critical vulnerabilities.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Windows Server 2008 Service Pack 2 Servicing stack update

4503027                Exchange Server 2019, Exchange Server 2016

4503028                Exchange Server 2010 Service Pack 3, Exchange Server 2013

4503263                Windows Server 2012 (Security-only update)

4503267                Windows 10, version 1607, Windows Server 2016

4503276                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4503279                Windows 10, version 1703

4503284                Windows 10, version 1709

4503285                Windows Server 2012 (Monthly Rollup)

4503286                Windows 10, version 1803

4503290                Windows 8.1 Windows Server 2012 R2 (Security-only update)

4503291                Windows 10

4503292                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4503293                Windows 10, version 1903

4503327                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer: CVE-2019-1038

Microsoft Speech API Remote Code Execution Vulnerability: CVE-2019-0985

Microsoft Scripting Engine:

CVE-2019-1002

CVE-2019-0991

CVE-2019-1080

CVE-2019-1023

CVE-2019-0992

CVE-2019-1024

CVE-2019-0990

CVE-2019-0988

CVE-2019-0989

CVE-2019-1055

CVE-2019-1052

CVE-2019-1051

CVE-2019-0920

CVE-2019-1003

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2019-0709 , CVE-2019-0722 , CVE-2019-0620

ActiveX Data Objects (ADO) Remote Code Execution Vulnerability: CVE-2019-0888

Windows Task Scheduler: CVE-2019-1069 (disclosed by SandboxEscaper)

Windows AppX Deployment Service (AppXSVC): CVE-2019-1064 (disclosed by SandboxEscaper)

Windows Shell: CVE-2019-1053 (disclosed by SandboxEscaper)

Windows Installer: CVE-2019-0973 (disclosed by SandboxEscaper)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
VideoLAN VLC:
=======================
A new version of VLC is available for Apple macOS, Linux, Windows (desktop and Windows Store), Google Android and Apple iOS with some great performance improvements and resolving 33 security vulnerabilities (2 of which are high severity) as a result of the EU-FOSSA bug bounty programme which opened in January this year.

Further details are below:

http://www.videolan.org/vlc/releases/3.0.7.html

http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

Version 3.0.7.1 has since been released to resolve other non-security issues. The most recent version can be downloaded from:

http://www.videolan.org/vlc/

=======================
Mozilla Firefox
=======================
Yesterday (11th June), Mozilla released Firefox 67.0.2 to address a single moderate severity vulnerability.

Further to the above updates, on the 18th and the 20th June; Mozilla issued 2 updates for Firefox version 67.0.3 (ESR (Extended Support Release) 60.7.1) and 67.0.4 (ESR 60.7.2) to resolve 2x critical zero day (defined) vulnerabilities actively being exploited in the wild.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome:
=======================
Google released Google Chrome version 75.0.3770.80 to address 42 vulnerabilities in early June.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware:
=======================
Earlier this month VMware published a security advisory to address a single Important severity vulnerability in VMware Tools for Linux and Windows.

If you use VMware Tools on Linux or Windows, please review the security advisory and apply the necessary updates.

=======================
DOSBox
=======================
The retro gaming and legacy software emulator DOSBox in late June released an update to correct vulnerabilities discovered during a small code audit.

2 CVEs (CVE-2019-7165 and CVE-2019-12594) were assigned (that resolve critical vulnerabilities with CVSS 3.0 (defined) base scores of 9.8) but more out of bound access and buffer overflows (defined) were also resolved. Further details are available in their news post dated, 26th June 2019.

If you use DOSBox, please consider upgrading to version 0.74-3 which also includes many fixes for non-security bugs. The new version is available from here.

Thank you.

January 2019 Update Summary

====================
Updated: 9th January 2019
====================
Happy New Year to all of my readers. Thanks very much.

Today Microsoft made available monthly updates resolving 47 vulnerabilities (more formally known as CVEs (defined)) respectively. Further details are available from Microsoft’s monthly summary page.

Separately Adobe released out of band (unscheduled) updates last week for Acrobat 2017 and Acrobat DC/Acrobat DC. These updates address 2x critical CVEs.

Other updates released today are as follows:
Adobe Connect: 1x priority 3 CVE resolved
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Flash Player: reliability/performance update only

While the Flash Player update is a non-security update it’s likely Adobe chose to release it via the usual channels since it’s what people are familiar with and it helps to get updates out sooner.

Similar to last month; Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4468742
KB4471389
KB4480116
KB4480961
KB4480962
KB4480963
KB4480966
KB4480970
KB4480973
KB4480975
KB4480978

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows DHCP Client (Further details here)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)(please also remember last months’s Internet Explorer update).

Microsoft Hyper-V (CVE-2019-0550 and CVE-2019-0551)

Microsoft Exchange (CVE-2019-0586)(Further details here)
====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories so far this month. Of highest priority is the advisory for their Intel PROSet/Wireless WiFi Software to resolve a high severity CVSS Base Score 7.8 vulnerability. The security advisory affects many of their WiFi adapters.

Further important updates for their System Support Utility and Intel SGX SDK and Intel SGX Platform Software were also made available. Meanwhile lower severity issues were addressed in Intel’s SSD data-center tool for Windows, Intel NUC Firmware and Intel Optane SSD DC P4800:

If you use any of the affected software or products, please update them as soon as possible especially in the case of the PROSet/Wireless WiFi Software.

=======================
Mozilla Firefox
=======================
In the final week of January; Mozilla made available Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65: Resolves 3x critical, 2x high and 2x moderate CVEs (defined)

Firefox 60.5: Resolves 2x critical and 1x high CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the most recent improvements by Mozilla.

=======================
Wireshark 2.4.12 and 2.6.6
=======================
v2.4.12: 6 security advisories

v2.6.6: 4 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

October 2018 Update Summary

Earlier today Microsoft resolved 49 vulnerabilities more formally known as CVEs (defined).

At the time of writing; there are known issues with the Windows 7 NIC being an issue again this month:

4459266 : Can be resolved by installed the Microsoft Exchange update with administrative (defined) privileges.

4462917 : No workaround at this time.

4462923 : Workaround available.

As always; further details are available in Microsoft’s update summary for October. Moreover, Adobe issued 4 updates today patching the following products:
Adobe Digital Editions (priority 3, resolves 4x critical and 5x important CVEs)

Adobe Experience Manager (priority 2. 3x important and 2x moderate CVEs)

Adobe Framemaker (priority 3, resolves 1x important CVE)

Adobe Technical Communications Suite (priority 3, resolves 1x important CVE)

Earlier this month Adobe released updates for Acrobat DC and Reader DC resolving 86 CVEs (47x critical and 39x important). These were in addition to the updates made available in September (which resolved 1x critical and 6 important CVEs).

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Acrobat DC and Reader DC. No updates for Flash Player have been distributed so far this month.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

2x vulnerabilities  affecting Microsoft Hyper-V (affects Windows 10, Windows 8.1 (including Windows RT 8.1) and Windows 7 along with their Server equivalents)(the links above provide details on both vulnerabilities)

Microsoft JET database (resolved by installing the latest cumulative update for your version of Windows: Windows 10; Windows 8.1 or Windows 7.

Microsoft Exchange Server 2016, 2013 and 2010

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox:
=======================
In early September Mozilla made available updated versions of Firefox:

Firefox 62.0.3: Resolves 2x critical CVEs (defined)

Firefox ESR 60.2.2 (Extended Support Release): Resolves 2x critical CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
VMware
=======================
VMWare has issued 2 security advisories so far for October:

Security advisory 1 (addresses 1 critical vulnerability) in the following products:

  • AirWatch Console 9.1 to 9.7

Security advisory 2 (addresses 1 important vulnerability via a mitigation) in the following products:

  • ESXI
  • Fusion
  • Workstation Pro

If you use the above VMware products, please review the security advisories and apply the necessary updates/mitigations.