Tag Archives: Mozilla Firefox ESR

May 2018 Update Summary

====================
Update: 18th May 2018:
====================
Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4100347

This update was not offered to my Windows laptop running Version 1803. As you know it contains an Intel Core i7 6500U CPU. I downloaded the version 1803 update from the Microsoft Catalog and it installed successfully. My system is showing the full green result when the PowerShell command Get-SpeculationConntrolSetting is run. It results in the final screenshot shown with this article. Further tips on running this useful command are provided in this Microsoft support article, please see the headings “PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)” or “PowerShell Verification using a download from Technet (earlier operating system versions and earlier WMF versions)” depending on your version of Windows.

Microsoft have also issued an update for Windows version 1709 to resolve a vulnerability again introduced by their previous patch. This resolution was provided in update kb4103727. Further details are available in Alex Ionescu’s tweet (a security architect with CrowdStrike and Windows Internals expert). Previous Spectre V2 patches were kb4091666 and kb4078407

This issue was already addressed in version 1803 of Windows.

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

Thank you.

====================
Update: 17th May 2018:
====================
Adobe have since issued further updates to resolve critical vulnerabilities within Adobe Acrobat DC, Adobe Reader DC and Photoshop. Further details of the zero day (defined) vulnerabilities addressed in Adobe Acrobat/Reader are available here and here.

Adobe Acrobat and Reader (priority 1, 47 CVEs)

Adobe Photoshop CC 2018 and 2017 (priority 3, 1 CVE).

Further updates are listed at the end of this post. Thank you.

====================
Update: 10th May 2018:
====================
Further details have emerged of another zero day (defined) vulnerability affecting Windows Server 2008 R2 and Windows 7.

CVE-2018-8120 is an elevation of privilege (defined) vulnerability but can only be exploited if the attacker has already compromised the user account of the system allowing the attacker to log in when they choose. Upon logging in the attacker could obtain kernel level access/permissions (defined) by elevating their privileges to carry out any action they choose.

The prioritised list below has been updated to reflect this. Thank you.
====================

====================
Original Post:
====================

====================
Apologies for only posting an update summary last month. Other commitments meant I didn’t have the bandwidth to contribute more. I’ll try to make more time this month. Thanks.
====================

Earlier today Microsoft released their scheduled monthly security updates resolving 67 vulnerabilities. Notably Windows 10 Version 1803 receives it’s first update this month. Windows Server 2016 Version 1803 remains in testing in advance of it’s upcoming release. As always Microsoft have provided further details are provided within their Security Updates Guide.

There are 4 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4103712

4103718

4103723

4103727

====================

Separately, Adobe released updates for 3 of their products, namely:

Adobe Creative Cloud Desktop Application (priority 2 (overall), 3x CVEs)

Adobe Connect (priority 2, 1x CVE)

Adobe Flash Player (priority 2, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature (the update was not available at the time of writing). Like last month; Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI was phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Windows VBScript Engine Remote Code Execution Vulnerability (a zero day (defined) vulnerability)

Win32k Elevation of Privilege Vulnerability

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Hyper-V (Update 1 and Update 2)

Microsoft Office (detailed list available here)
====================
Please install the remaining updates at your earliest convenience.

One of the vulnerabilities addressed by Microsoft this month, namely CVE-2081-8897: Windows Kernel Elevation of Privilege Vulnerability arose due to the misinterpretation of documentation from Intel regarding how a CPU (defined) raise a debug (defined) exception to transfer control to debugging software (usually used by a software developer). The specific instructions were the assembly language instructions (defined) MOV to SS and POP to SS.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Malwarebytes Anti-Malware
=======================
Last week Malwarebytes updated their anti-malware product to version 3.5.1. The full list of improvements is available here but it also updated their include 7-Zip to version 18.05. I verified this manually since the above release notes did not reference to it. Further details of the 7-Zip update are available in my April blog post.

Moreover; Directory Opus updated their product to version 12.8.1. Beta adding new DLLs (defined) for 7-Zip and UnRAR once again to address the vulnerabilities found within the UnRAR DLL also used by 7-Zip.

=======================
Mozilla Firefox:
=======================
This month Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

9th May: Firefox 60.0: Resolves 2x critical CVEs, 6x high, 14 moderate CVEs and  4x low severity CVEs

9th May: Firefox ESR 52.8: Resolves 2x critical, 5x high, 3x moderate CVEs

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google released Google Chrome version 66.0.3359.170 to address 4 number of vulnerabilities and to include a newer version of Adobe Flash Player.

One of the four vulnerabilities addressed relates to how Chrome handles browser extensions resolving a privilege escalation issue (defined). Further details are availability here.

=======================
USB Denial of Service (DoS) Will not Receive a Fix
=======================
In other vulnerability related news; a denial of service issue (defined) privately/responsibly disclosed (defined) by a security researcher Marius Tivadar will not fixed by Microsoft with a security update since the vulnerability requires physical access to the target system or social engineering (defined) and does not result an attacker being able to execute code of their choice on the affected system.

In my opinion; this is justified since if an attacker can obtain physical access to your system it significantly enhances the damage they can do. This statement also forms part of Microsoft’s 10 Immutable Laws of Security.

Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous yeas competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next years will be better? Further details of the regulatory change are detailed here.

The following products were successfully exploited this year resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased; which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years; kernel (defined) exploits were used each time to exploit the web browsers due to the sandboxing (defined) technology used to security harden them.

As noted in this article (and my previous blog posts) kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further; both now into the future.

Just like last year Mozilla updated Firefox very quickly; this time in less than a day to version 59.0.1 and 52.7.2 ESR.

I’ll update this post as the vulnerabilities disclosed during the contest are addressed. The full list of products exploited is provided below. Thank you.

=======================
Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox
=======================

March 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Protection Engine. Further details are available in this separate blog post.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
Last Tuesday Microsoft began distributing their scheduled security updates to resolve 74 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

This month there are 12 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4088787

4088782

4088776

4088786

4088779

4088876

4088879

4088875

4088878

4089344

4089229

4090450

====================

In addition to these updates; Adobe released updates for the following products:

Adobe Connect (priority 3, 2 CVEs)

Adobe Dreamweaver CC (priority 3, 1 CVE)

Flash Player v29.0.0.113 (priority 2, 2 CVEs)

Non-Microsoft browsers should update automatically e.g. Google Chrome released an update on Tuesday which includes the new Flash Player. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out very soon):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Windows Shell (CVE-2018-0883)

CredSSP (CVE-2018-0886): Please also enable the Group Policy setting to fully mitigate this issue. Further updates will be made available in subsequent months.

Microsoft Office (consisting of CVE-2018-0903 and CVE-2018-0922)

====================

Similar to last month additional updates for Spectre vulnerability were made available for Windows 10 Version 1709. Further updates are planned and will be listed in this knowledge base article.

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

===============

=======================
Mozilla Firefox:
=======================
This month Mozilla issued 3 sets of security updates for Firefox and Firefox ESR (Extended Support Release):

16th March: Firefox 59.0.1: Resolves 2x critical CVEs (1 of which originated from Pwn2Own 2018).

13th March: Firefox 59: Resolves 2x critical CVEs, 4x high CVEs, 7x moderate CVEs, 5x low CVEs

13th March: Firefox ESR 52.7: Resolves 2x critical, 3x high CVEs, 2x moderate CVEs

26th March: Firefox 59.0.2: Resolves 2x high severity CVEs

26th March: Firefox 52.7.3 ESR: Resolves 1x high severity CVE

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Malwarebytes Anti-Malware
=======================
Earlier this month Malwarebytes made available version 3.4.4 of their anti-malware product. While the update provides stability and performance improvements it also updates the 7-Zip DLL (defined) within it to version 18.01.

Please install this update using the steps detailed in this Malwarebytes forum post. Further details of the improvements made are available in this BleepingComputer article.

=======================
Google Chrome:
=======================
This month Google made available 4 updates for Google Chrome; one in early March and the other in mid-March. The more recent updates resolves 45 security issues while the update from the 20th of March resolves 1 security issue.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Nvidia Geforce Drivers:
=======================
This update (released on the 28th of March 2018) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
OpenSSL
=======================
On the 27th of March; the OpenSSL Foundation issued 2 updates for OpenSSL to address 1x moderate security vulnerability and 2x low severity issues as detailed in this security advisory. To resolve these issues please update your OpenSSL installations to 1.1.0h or 1.0.2o (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued update for the following products on the 15th of March to address one important severity security vulnerability:

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Please review this security advisory and apply the necessary updates.

=======================
Apple security updates:
=======================
In the final week of March Apple made available security updates for the following products:

=======================
Apple tvOS 11.3

Apple iOS 11.3

Apple watchOS 4.3

Apple Safari 11.1

Apple macOS High Sierra 10.13.4, Sierra and El Capitan

Apple iTunes 12.7.4 for Windows

Apple iCloud for Windows 7.4
=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
WinSCP
=======================
In late March; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2o (which addresses 1x moderate CVE).

January 2018 Update Summary

====================
Update: 31st January 2018:
Please scroll down in this post to view more recent software updates available since the original posting date of the 16th of January 2018. Thank you.
====================

Last Tuesday Microsoft released their routine security updates to address 56 vulnerabilities more formally known as CVEs (defined). Further details are provided within Microsoft’s Security Updates Guide.

This month there are 11 knowledge base articles detailing potential issues (many of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4056890

4056891

4056892

4056893

4056888

4056895

4056898

4056894

4056897

4056896

4056899

====================

Separately Adobe released Flash Player v28.0.0.137 to address a single priority 2 CVE.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For January’s Microsoft updates, I will prioritize the order of installation below. I will discuss this month’s out of band (outside of the regular schedule) patches for Meltdown and Spectre in a separate blog post; the relevant CVEs are still listed below. A useful list of all CVEs for this month is present here:

====================
CVE-2017-5753 – Bounds check bypass (known as Spectre Variant 1)

CVE-2017-5715 – Branch target injection (known as Spectre Variant 2)

CVE-2017-5754 – Rogue data cache load (known as Meltdown Variant 3)

CVE-2018-0802: Microsoft Office zero day (similar to Novembers Office equation editor vulnerability)

Microsoft Office (18 further CVEs)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

For this month; please take extra care with your back up to ensure you can restore your systems should you wish to revert your systems prior to installing the Meltdown and Spectre patches should you wish to uninstall the Security only bundle of updates or the updates are causing your system to become unstable.

Thank you.

=======================
Wireshark 2.4.4 and 2.2.12
=======================
v2.4.4: 3 CVEs (defined) resolved

v2.2.12: 4 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.4) or v2.2.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Update: 24th January:
====================
Oracle:
====================
Oracle have resolved 237 vulnerabilities with the security updates they have made available this month. Further details and installation steps are available here. Within the 237 vulnerabilities addressed, 21 vulnerabilities were addressed in the Java runtime. 18 of these 21 are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Particular priority should be given to Oracle WebLogic Server and PeopleSoft due to documented incidents of attackers using such installations for crypto currency mining with one such incident resulting in more than USD $226,000 being mined. Further details are available in the following blog post from security vendor Onapsis.
=======================

=======================
Further updates released in January:
=======================
VMware Updates:
=======================
In early January; VMware issued security updates to address the Meltdown and Spectre vulnerabilities within some of their products. Another advisory  was also released later in January. The affected products/appliances are listed below. For virtual machines used with VMware Fusion and VMware Workstation, the steps listed within this knowledge base article should also be followed.

Please review the above linked to security advisories and knowledge base article and apply the necessary updates and mitigation steps.

Affected products/appliances:

  • VMware vCenter Server (VC)
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

=======================
Mozilla Firefox:
=======================
In January Mozilla issued security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 57.0.4 (2 mitigations added)

Firefox 58: 3x critical, 13x high, 13x moderate, 2x low CVEs

Firefox 58.0.1: 1x critical CVE

Firefox ESR 52.6: 1 high CVE

Firefox ESR 52.6: 2x critical, 8x high, 1x moderate

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
In late January an update for Google Chrome was made available which included 53 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
7-Zip
=======================
In late January a security researcher located 2 vulnerabilities within 7-Zip. He reported them to the developer Igor Pavlov who very quickly released an updated version; v18.00 Beta. This has since been updated to 18.01 Stable to fix further issues (NOT security related).

The alternative Windows file manager Directory Opus will include the updated 7-Zip DLL (defined) within their next release. Their current beta already contains these fixes.

While 7-Zip does not have many vulnerabilities discovered within it (which has both advantages and disadvantages), there appears to be an increasing emphasis on it since it is used by anti-malware software and other applications e.g. VMware Workstation. Thus when a security update is issued; all of this software should eventually include the fixes. This occurred last year with the release of 7-Zip 16.00 to resolve 2 other security vulnerabilities.

Separately, Malwarebytes updated their Anti-Malware product to version 3.4.4 to update the 7-Zip DLL (defined) within it. Further details are available in my March 2018 Update Summary blog post.

If you use 7-Zip, please ensure it is updated to resolve both this year’s vulnerabilities and last year’s vulnerabilities (if you hadn’t already installed version 16 or later). Please also update Malwarebytes Anti-Malware or Directory Opus if you use them.

=======================
Nvidia Geforce Drivers:
=======================
This driver update applies to Linux, FreeBSD, Solaris and Windows and mitigates the Meltdown security vulnerability (CVE-2017-5753). While Nvidia’s GPUs are not vulnerable to Meltdown or Spectre, the GPUs interaction with an affected CPU has the potential for exploitation.The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post. More details about the Meltdown and Spectre vulnerabilities are available in this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.8.20 (Build 292). This update resolves 2 vulnerabilities relating to libraries (defined) the tool uses namely zlib and libpng. Any previous version of the tool should update automatically when opened to the most recent version.

December 2017 Update Summary

Earlier this month Microsoft closed out the year with a small number of security updates. They resolved 32 vulnerabilities. Further details are provided within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

No Known Issues were listed as occurring for this months update.

====================

Meanwhile Adobe also completed their yearly updates with a single update for Flash Player resolving a single priority 2 CVE (defined).

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For December Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Important severity:

Windows RRAS (Routing and Remote Access) Service Remote Code Execution Vulnerability

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware AirWatch Console and other VMware Products
=======================
A security advisory for VMware AirWatch Console to address a moderate security vulnerability was made available in December. A further security advisory to address 4 important vulnerabilities within the products listed below was also published:

  • ESXi
  • vCenter Server Appliance
  • Workstation
  • Fusion

=======================
Google Chrome:
=======================
An update for Google Chrome included 37 security fixes while a second update included 2 further fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple security updates:
=======================
During the first half of December Apple made available security updates for the following products:

=======================

Apple tvOS 11.2 and 11.2.1

Apple iOS 11.2 and 11.2.1

Apple watchOS 4.2

Apple Safari 11.0.2

Apple macOS High Sierra 10.13.2, Sierra and El Capitan

Apple iTunes 12.7.2 for Windows

AirPort Base Station Firmware Update 7.6.9 and AirPort Base Station Firmware Update 7.7.9

Apple iCloud for Windows 7.2

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here. Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Mozilla Firefox and Firefox ESR
=======================
During December Mozilla released security updates for Firefox and Firefox ESR (Extended Support Release) raising their version numbers to 57.0.2 and 52.5.2 respectively.

  • Firefox 57.0.2 resolves 1 CVE
  • Firefox ESR 52.5.2 resolves 2 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57.0.2
Firefox 52.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
VideoLAN VLC:
=======================
In early December VideoLAN made available version 2.2.8 of VLC for Linux, Apple macOS  and Windows. It addresses 4 security vulnerabilities (3 of which were addressed in 2.2.7). If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

=======================
WinSCP
=======================
In mid-December; WinSCP version 5.11.3 was released upgrading it’s embedded OpenSSL version to 1.0.2n (which addresses 1x moderate and 1x low severity CVEs).

November 2017 Security Updates

Back in November; Microsoft released their routine monthly security updates. These updates resolved 53 vulnerabilities with 14 individual updates (which are grouped when downloaded). As always these are detailed within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

Microsoft have listed 6 Known Issues that can occur from Windows 7 up to and including Windows 10 (version 1703):

Windows 10 (versions 1511, 1607 and 1703 potentially impacted):

KB4048952: caused some Epson SIDM (Dot Matrix) and TM (POS) printers to lose the ability to print. This was later resolved by a further update; KB4053578

KB4048954:

could cause Internet Explorer 11 to not provide users of SQL Server Reporting Services (SSRS) the ability to scroll through drop-down menus.

Windows Pro devices on the Current Branch for Business (CBB) will upgrade unexpectedly.

The above issue regarding Epson printers could also occur. All 3 of the above issues have been resolved. Please see KB4048954 for details of the additional updates containing the appropriate fixes.

KB4048953:

Details 2 of the above issues as well as an additional issue regarding an error message for the CDP User Service. Please see KB4048953 for details of the additional updates containing the appropriate fixes.

Windows 8.1 and Windows Server 2012 R2:

KB4048958

Please see KB4048958 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048961

Please see KB4048961 for details of an additional update containing the appropriate fix for an issue already discussed above.

Windows 7 SP1 and Windows Server 2008 R2 Standard:

KB4048957

Please see KB4048957 for details of the additional updates containing the appropriate fixes for the issues already discussed above.

KB4048960

Please see KB4048960 for details of an additional update containing the appropriate fix for an issue already discussed above.

This month there are 4 Known Issues (kb4041691kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.

====================

Adobe also made available their scheduled security updates for the following products:

Adobe Acrobat and Reader (priority 2, 56 CVEs)

Adobe Connect (priority 3, 5 CVEs)

Adobe DNG Converter (priority 3, 1 CVE)

Adobe Digital Editions (priority 3, 6 CVEs)

Adobe Experience Manager (priority 3, 3 CVEs)

Adobe Flash Player (priority 2, 5 CVEs)

Adobe InDesign CC (priority 3, 1 CVE)

Adobe Photoshop CC (priority 3, 2 CVEs)

Adobe Shockwave Player (priority 2, 1 CVE)

As always the priority updates are Flash Player first and Adobe Acrobat (in that order).

One point to note is that Adobe Acrobat 11 (or XI) / Reader 11 are now out of support from November onwards. These will be the final updates they receive. Adobe recommends upgrading to Adobe Acrobat DC or Reader DC (as appropriate). Apart from the different user interface of the DC version, possible privacy concerns were raised about one of the components of this newer version namely RdrCEF.exe (the purpose of which is described here). The suggestions to resolve these concerns were:

  • Adding cloud.adobe.com to your Hosts file (defined) to redirect it to localhost (defined) (to prevent it disclosing any private info)
  • Blocking RdRCEF.exe from accessing the internet using your software firewall

A list of changes to the Windows Registry (defined) were suggested in this forum thread but it is not clear if these are effective.

As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For Novembers Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft Office Vulnerability : CVE-2017-11882 : was described as “extremely dangerous” by researchers at security firm Embedi to disclosed the vulnerability to Microsoft. In addition to installing the security update they recommend disabling the legacy equation editor to protect against future attackers against the code which does not benefit from the more secure coding practices.

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware Workstation, Fusion and Horizon View Client
=======================
A security advisory with details of how to obtain updates for the above mentioned products to address 6 CVEs was made available by VMware in November.

=======================
Google Chrome:
=======================
An update for Google Chrome included 2 security fixes while a second update included a further security fix,

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Wireshark 2.4.3 and 2.2.11
=======================
v2.4.3: 3 CVEs (defined) resolved

v2.2.11: 3 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.3) or v2.2.11). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Apple security update:
=======================
An updates was made available by Apple on the 29th of November for macOS High Sierra to resolve a critical security vulnerability that could have resolved in the creation of a root (defined) account on the affected system allowing an unauthorised user privileged access to that system. Further details of this vulnerability are available here. As discussed in that link, this security update should have been installed automatically (no user action required).

=======================
Mozilla Firefox and Firefox ESR
=======================
During November Mozilla released security updates for Firefox and Firefox ESR(Extended Support Release) raising their version numbers to 57 (and later to 57.0.1) and 52.5 respectively.

  • Firefox 57 resolves 15 security issues more formally known as CVEs (defined) while 57.0.1 resolves 2 CVEs.
  • Firefox ESR 52.5 resolves 3 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57 and Firefox 57.0.1
Firefox 52.5

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

June 2017 Security Updates Summary

Yesterday Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft’s addressed a large number of vulnerabilities, 94 in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are three Known Issues for this month’s Microsoft updates (although all three knowledge base articles (4022717, 4022726, 4022715) describe the same iSCSI availability issue which is currently awaiting a resolution). The IT Pro Patch Tuesday blog hasn’t been updated since April and isn’t of assistance this time (and for that reason is becoming increasingly irrelevant).

====================

This month again breaks the usual trend with these updates to offer a collection of updates for Windows XP and Windows Server 2003 which address the remaining vulnerabilities disclosed by the ShadowBrokers hacking team back in April this year. The majority of these updates were already released for more modern versions of Windows after the end of support dates for Windows XP (April 2014) and Windows Server 2003 (July 2015) respectively. Please review the detailed security advisory to download the appropriate updates for your systems. Further information is available in Microsoft’s blog posts here and here.

As with the update made available in May, these updates will not be available via Microsoft Updates or Automatic Updates. The availability of these updates provides mixed meanings; namely that while they were made available is positive. However for those corporations, organisations and individuals sing out dated versions of Windows, it provides them less reasons to migrate since it hints at an attitude that Microsoft will patch those system if the situation get very bad. While Microsoft worked to dispel this point, not everyone will be aware of their statement on this matter.

In a further break from the routine of Update Tuesday, I wanted to mention a further set of vulnerabilities found in Windows Defender which Microsoft patched last month. Please ensure your version of Windows is using the patched version of Windows Defender as detailed in this news article to address these issues.

====================
Separately Adobe made available four security bulletins to updates for the following products:

Adobe Captivate (1x priority 3 CVE)

Adobe Digital Editions (9x priority 3 CVEs)

Adobe Flash (9x priority 1 CVEs)

Adobe Shockwave Player (1x priority 2 CVE)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Windows Lnk

Windows Graphics

Microsoft Edge (CVE-2017-8498CVE-2017-8530 and CVE-2017-8523) and Internet Explorer

Microsoft Office  (CVE-2017-0260 and CVE-2017-8506)

Microsoft Outlook
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 14th June 2017:
=======================
I wish to provide information on other notable updates from June 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 54.0

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 30 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Wireshark 2.2.7 and 2.0.13
=======================
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.2.6) or v2.0.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================