Tag Archives: Mozilla Firefox ESR

March 2022 Update Summary

Early last week Adobe and Microsoft released their scheduled security updates to address 6 and 71 vulnerabilities (respectively)(more formally known as CVEs (defined)).

First, please find below the list of Adobe products affected:

Adobe After Effects: Resolves 4x Priority 3 severity CVEs (4x Critical Severity)

Adobe Illustrator: Resolves 1x Priority 3 severity CVE (1x Critical Severity)

Adobe Photoshop: Resolves 1x Priority 3 severity CVE (1x Important Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

Useful source of update related information are the US Computer Emergency Readiness Team (CERT) and the Cybersecurity & Infrastructure Security Agency (CISA) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

https://www.cisa.gov/uscert/ncas/bulletins

====================

For this month’s Microsoft updates, I will prioritise the order of installation below and provide further relevant links and steps where necessary:

====================

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2022-22006

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2022-23277

VP9 Video Extensions Remote Code Execution Vulnerability: CVE-2022-24501

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2022-21990

Windows Fax and Scan Service Elevation of Privilege Vulnerability: CVE-2022-24459

.NET and Visual Studio Remote Code Execution Vulnerability: CVE-2022-24512

Windows SMBv3 Client/Server Remote Code Execution Vulnerability: CVE-2022-24508

Azure Site Recovery Elevation of Privilege Vulnerability: CVE-2022-24469

Windows Event Tracing Remote Code Execution Vulnerability: CVE-2022-23294

====================

Following standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families are staying safe. Thank you.

====================
Mozilla Firefox
====================

So far this month Mozilla have released 2 sets of security updates for Firefox and Firefox (Extended Support Release) detailed below:

Firefox 97.0.2: Addresses 2x Critical Severity CVEs

Firefox 98: Addresses 4x High Severity CVEs and 3x Moderate Severity CVEs

Firefox ESR 91.6.1: Addresses 2x Critical Severity CVEs

Firefox ESR 91.7: Addresses 4x High Severity CVEs and 1x Low Severity CVE

====================
Google Chrome
====================

Google has released 1 (stable channel) Chrome update so far this month version 99.0.4844.51 for Linux, Mac and Windows to address 28 security vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

August 2021 Update Summary

Leave a reply

I hope you and your families are staying safe.

Earlier today, as expected Adobe and Microsoft earlier today made available their monthly security updates. They address 29 and 44 vulnerabilities (respectively) also known as CVEs (defined).

First, a summary Adobe’s updates for this month:

Magento: Resolves 26x Priority 2 CVEs (20x Critical Severity and 6x Important Severity)

Adobe Connect: Resolves 3x Priority 3 CVEs (3x Important Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical updates to Magento.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below and provide further relevant links and steps where necessary:

====================

Windows Print Spooler Remote Code Execution Vulnerability: CVE-2021-36936: Apply this update and follow the guidance in KB5005652

Windows LSA Spoofing Vulnerability: CVE-2021-36942: Install this update and then follow the guidance with these two links: ADV210003 and KB5005413 (to mitigate the PetitPotam attack)

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2021-34535

Windows TCP/IP Remote Code Execution Vulnerability: CVE-2021-26424

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability: CVE-2021-26432

Windows Elevation of Privilege Vulnerability: CVE-2021-36934: Please make certain you have adequate backups before installing this update and then Delete the Volume Shadow Copies stored on your system to protect against this vulnerability (to protect against the vulnerability named “Serious Sam” (my thanks to BleepingComputer for this article).

Scripting Engine Memory Corruption Vulnerability: CVE-2021-34480

Windows Graphics Component Remote Code Execution Vulnerability: CVE-2021-34530

Windows Update Medic Service Elevation of Privilege Vulnerability: CVE-2021-36948

Windows MSHTML Platform Remote Code Execution Vulnerability: CVE-2021-34534

====================

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families are staying safe and well during these continuing uncertain times. Thank you.

====================
Mozilla Firefox
====================
Earlier today Mozilla released Firefox 91 and Firefox ESR (Extended Support Release) 78.13 to resolve the following vulnerabilities:

Firefox 91: Addresses 8x High Severity CVEs, 2x Moderate Severity CVEs and 1 Low Severity CVE

Firefox ESR 78.13: Addresses 5x High Severity CVEs and 1x Moderate CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 91 also introduced the features listed at this link.

====================

Google Chrome

====================

Google has released 1 Chrome updates in August so far version 92.0.4515.131 for Linux, Mac and Windows to resolve 10 security vulnerabilities.

July 2021 Update Summary

Leave a reply

I hope you and your families are doing well.

As scheduled, Adobe and Microsoft earlier today made available their monthly security updates. They address 29 and 117 vulnerabilities (respectively) also known as CVEs (defined).

Let us begin with summarising Adobe’s updates for this month:

Adobe Acrobat and Reader: Addresses 20x Priority 2 CVEs (14x Critical Severity and 6x Important Severity)

Adobe Bridge: Addresses 5x Priority 3 CVEs (4x Critical Severity and 1x Moderate Severity)

Adobe Dimension: Addresses 1x Priority 3 CVE (1x Critical Severity)

Adobe Framemaker: Addresses 1x Priority 3 CVE (1x Critical Severity)

Adobe Illustrator: Addresses 3x Priority 3 CVEs (2x Critical Severity and 1 Important Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

The most important update this month was released earlier in July. It is the Windows Print Spooler Remote Code Execution Vulnerability: CVE-2021-34527 which addresses the vulnerability known as PrintNightmare. After installing this update, please make certain that steps 1, 2 and the Group policy setting from this KB article are also implemented (both registry DWORD entries should be zero) to better protect against other related exploits.

The image below is a flow diagram (courtesy of Carnegie Mellon University, image is Copyright ©2021 Carnegie Mellon University. My thanks to them for publishing this diagram) which details how an exploit may attempt to either remotely or locally compromise your Windows system. In addition, the diagram shows how the extra registry values described in this KB article help to protect your system from the locally exploitable aspect of this vulnerability.

====================

Windows Print Spooler Remote Code Execution Vulnerability: CVE-2021-34527

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-34473

Windows Kernel Elevation of Privilege Vulnerability: CVE-2021-31979

Windows Kernel Elevation of Privilege Vulnerability: CVE-2021-33771

Scripting Engine Memory Corruption Vulnerability: CVE-2021-34448

Microsoft Exchange Server Elevation of Privilege Vulnerability: CVE-2021-34523

Windows Kernel Remote Code Execution Vulnerability: CVE-2021-34458

Active Directory Security Feature Bypass Vulnerability: CVE-2021-33781

Windows ADFS Security Feature Bypass Vulnerability: CVE-2021-33779

Windows Certificate Spoofing Vulnerability: CVE-2021-34492

Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-34494

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2021-34450

Dynamics Business Central Remote Code Execution Vulnerability: CVE-2021-34474

Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-34464

Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-34522

Microsoft Windows Media Foundation Remote Code Execution Vulnerability: CVE-2021-34439

Microsoft Windows Media Foundation Remote Code Execution Vulnerability: CVE-2021-34503

Windows Media Remote Code Execution Vulnerability: CVE-2021-33740

Windows MSHTML Platform Remote Code Execution Vulnerability: CVE-2021-34497

====================

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families are safe and well during these continuing uncertain times. Thank you.

====================
Mozilla Firefox
====================
Earlier today Mozilla released Firefox 90 and Firefox ESR (Extended Support Release) 78.12 to resolve the following vulnerabilities:

Firefox 90: Addresses 5x High Severity CVEs and 4x Moderate Severity CVEs

Firefox ESR 78.12: Addresses 3x High Severity CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 90 also introduced the features listed at this link.

====================
VMware
====================
VMware has released 2 security advisories so far in July to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Important
VMware ESXi and VMware Cloud Foundation (Cloud Foundation)

Advisory 2: Severity: Moderate:

VMware ThinApp

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

June 2021 Update Summary

Leave a reply

I hope you are all safe and well.

Earlier today Adobe and Microsoft released their expected monthly security updates. The updates resolve 41 and 50 vulnerabilities (respectively) more formally known as CVEs (defined).

Similar to last month Adobe’s updates for June address vulnerabilities across a diverse set of their products:

Adobe Acrobat and Reader: Addresses 5x Priority 2 vulnerabilities (5x Critical Severity)

Adobe After Effects: Addresses 16x Priority 3 vulnerability (8x Critical Severity, 7x Important Severity and 1x Moderate Severity)

Adobe Animate: Addresses 8x Priority 3 vulnerability (4x Critical Severity, 3x Important Severity and 1x Moderate Severity)

Adobe Connect: Addresses 1x Priority 3 vulnerability (1x Important Severity)

Adobe Creative Cloud Desktop: Addresses 2x Priority 3 vulnerabilities (1x Critical and 1x Important Severity)

Adobe Experience Manager: Addresses 4x Priority 2 vulnerabilities (3x Important Severity, 1x Moderate Severity)

Adobe Photoshop: Addresses 2x Priority 3 vulnerabilities (2x Critical Severity)

Adobe Photoshop Elements: Addresses 1x Priority 3 vulnerability (1x Important Severity)

Adobe Premiere Elements: Addresses 1x Priority 3 vulnerability (1x Important Severity)

Adobe RoboHelp Server: Addresses 1x Priority 3 vulnerability (1x Critical Severity)

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

====================

Windows MSHTML Platform Remote Code Execution Vulnerability: CVE-2021-33742 (This vulnerability has been publicly disclosed and is being exploited)

Microsoft DWM Core Library Elevation of Privilege Vulnerability: CVE-2021-33739 (This vulnerability has been publicly disclosed and is being exploited)

Windows NTFS Elevation of Privilege Vulnerability: CVE-2021-31956 (This vulnerability is being exploited)

Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability: CVE-2021-31199 and CVE-2021-31201 (These vulnerabilities are being exploited)

Windows Kernel Information Disclosure Vulnerability: CVE-2021-31955 (This vulnerability is being exploited)

Remote Desktop Services Denial of Service Vulnerability: CVE-2021-31968 (This vulnerability has been publicly disclosed)

Microsoft SharePoint Server Remote Code Execution Vulnerability: CVE-2021-31963

Microsoft Windows Defender Remote Code Execution Vulnerability: CVE-2021-31985

Microsoft Scripting Engine Memory Corruption Vulnerability: CVE-2021-31959

Microsoft VP9 Video Extensions Remote Code Execution Vulnerability: CVE-2021-31967

====================

I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.

To all of my readers, I hope you and your families continue to do well during these tough times. Thank you.

====================
Mozilla Firefox
====================
On the 1st June Mozilla released Firefox 89 and Firefox ESR (Extended Support Release) 78.11 to resolve the following vulnerabilities:

Firefox 89: Addresses 2x High Severity CVEs, 5x Moderate Severity CVEs and 2x Low Severity CVEs

Firefox ESR 78.11: Addresses 1x High Severity CVE and 1x Moderate Severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 88 also introduced the features listed at this link. Firefox 89 also introduced the features listed at this link.

May 2021 Update Summary

Leave a reply

During the second week of May, Adobe and Microsoft released their expected monthly security updates. They addressed 44 and 55 vulnerabilities (respectively) more formally known as CVEs (defined). System administrators may be pleased to see the decrease in the number of updates from Microsoft for that month. Apologies for not publishing this post sooner.

Adobe’s updates for May month address issues across a diverse range of products:

Adobe Acrobat and Reader: Resolves 14x Priority 1 vulnerabilities (10x Critical Severity and 4x Important Severity)

Adobe After Effects: Resolves 3x Priority 3 vulnerabilities (2x Critical Severity and 1x Important Severity)

Adobe Animate: Resolves 7x Priority 3 vulnerabilities (2x Critical and 5x Important Severity)

Adobe Creative Cloud Desktop: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Experience Manager: Resolves 2x Priority 2 vulnerabilities (1x Critical Severity and 1x Important Severity)

Adobe Genuine Service: Resolves 1x Priority 3 vulnerability (1x Important Severity)

Adobe Illustrator: Resolves 5x Priority 3 vulnerabilities (5x Critical Severity)

Adobe InCopy: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe InDesign: Resolves 3x Priority 3 vulnerabilities (3x Critical Severity)

Adobe Medium: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Media Encoder: Resolves 1x Priority 3 vulnerability (1x Important Severity)

Magento Security Updates: Resolves 7x Priority 2 vulnerabilities (1x Important Severity and 6x Moderate Severity)

Just as always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================

A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

====================

Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability: CVE-2021-31166 (This vulnerability is wormable and a proof of concept exploit is available)

Microsoft Hyper-V Remote Code Execution Vulnerability: CVE-2021-28476 (a proof of concept exploit for this vulnerability is also available)

Microsoft Exchange Server Security Feature Bypass Vulnerability: CVE-2021-31207

Microsoft OLE Automation Remote Code Execution Vulnerability: CVE-2021-31194

Microsoft .NET Core and Visual Studio Elevation of Privilege Vulnerability: CVE-2021-31204

Microsoft Common Utilities Remote Code Execution Vulnerability: CVE-2021-31200

Microsoft Scripting Engine Memory Corruption Vulnerability: CVE-2021-26419

====================

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below.

To all of my readers, I hope you and your families are doing well during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the first week of May Mozilla released Firefox 88.0.1 and Firefox ESR (Extended Support Release) 78.10.1 to resolve the following vulnerabilities:

Firefox 88.0.1: Addresses 1x Critical Severity CVE and 1x High Severity CVE

Firefox ESR 78.10.1: Addresses 1x Moderate Severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change. Firefox 88 also introduced the features listed at this link.

====================

Google Chrome

====================

Google released 2 Chrome updates in May versions 90.0.4430.212 and 91.0.4472.77 for Linux, Mac and Windows to resolve 19 and 33 security vulnerabilities (respectively).

=======================
Putty
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.75 in early May. It contains 1 security fixes (see below). Version 0.75 is downloadable from here.

If you use Putty, please update it to version 0.75. Thank you.

Security vulnerability fixed:

vuln-windows-remote-title-dos: Rapid changes of window title can DoS Windows GUI

====================
VideoLAN VLC
====================
On the 10th of May VideoLAN released version 3.0.13 resolving 4 known vulnerabilities. The other non-security improvements introduced are detailed in the above 3.0.13 link and within the changelog. Version 3.0.14 was later released to address an auto-update issue (not security related).

The most recent versions of VLC can be downloaded from:
http://www.videolan.org/vlc/

====================
VMware
====================
VMware released 4 security advisories to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Critical:
VMware vRealize Business for Cloud

Advisory 2: Severity: Low:

VMware Workspace ONE UEM console

Advisory 3: Severity: Low:

VMware Workstation Pro / Player (Workstation)

VMware Horizon Client for Windows

Advisory 4: Severity: Critical:

VMware vCenter Server (vCenter Server)

VMware Cloud Foundation (Cloud Foundation)

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

March 2021 Update Summary

Leave a reply

====================
Updated Post
====================

To my readers; I hope you and your families are safe and well during these on-going challenging times. Sorry once again for the delay in publishing this post. However, it does contain information made available after the 9th March and should still prove useful.

On Tuesday, 9th March saw the usual release of security updates by both Adobe and Microsoft. Adobe’s updates addressing 17 and Microsoft’s updates addressing 89 vulnerabilities more formally known as CVEs (defined).

====================

Before we begin with Adobe’s updates, Microsoft’s updates for Windows 10 have caused and are continuing to cause issues when printing. Revised updates to resolve these issues partially fixed them and yet more updates to resolve the remaining issues are themselves sometimes failing to install.

Microsoft have since released revised updates which have resolved the installation issues while printing as expected. You should now be able to update your systems (Windows 10 and Windows 8.1) as normal.

====================

Adobe released 2 sets of updates this month to resolve vulnerabilities in the following products:

Adobe Animate: Addresses 7x Priority 3 vulnerabilities (2x Critical Severity and 5x Important Severity)

Adobe ColdFusion: Addresses 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Connect: Addresses 4x Priority 3 vulnerabilities (1x Critical Severity and 3x Important Severity)

Adobe Creative Cloud Desktop: Addresses 3x Priority 3 vulnerabilities (3x Critical Severity)

Adobe Framemaker: Addresses 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Photoshop: Addresses 2x Priority 3 vulnerabilities (2x Critical Severity)

As always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/
====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

====================

Important

====================

If you use Microsoft Exchange (the on-premises, non-cloud Office 365 version); please follow the steps below first to make sure your Exchange server is secure:

It is recommended to first check if a vulnerable system has been compromised before installing the necessary security updates.

You can inventory your systems to check which systems require patching using the guidance from the first Microsoft reference below. You can then use Microsoft Exchange On-Premises Mitigation Tool to temporarily mitigate some of the known security issues and scan for and remove any traces of compromise placed there by threat actors. More thorough investigation of system logs may be necessary if any evidence of compromise is found. Finally; the vulnerable systems can be patched to prevent further exploitation.

Further defence in depth measures are recommended to further harden servers from attacks resulting in web shells being placed upon them.

Microsoft stated recently that 92% of Exchange servers globally were updated against these vulnerabilities but more work still needs to be done to bring the figure as high as possible:
====================

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26855

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26412

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26857

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-27065

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26858

Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-26897

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2021-26867

Microsoft Azure Sphere Unsigned Code Execution Vulnerability: CVE-2021-27080

Git for Visual Studio Remote Code Execution Vulnerability: CVE-2021-21300

OpenType Font Parsing Remote Code Execution Vulnerability: CVE-2021-26876

Microsoft Internet Explorer Memory Corruption Vulnerability: CVE-2021-26411

Microsoft Windows Win32k Elevation of Privilege Vulnerability: CVE-2021-27077

HEVC Video Extensions Remote Code Execution Vulnerabilities: CVE-2021-24089, CVE-2021-26902 and CVE-2021-27061

Microsoft Azure Sphere Unsigned Code Execution Vulnerability: CVE-2021-27074

A revised fix was made available for PsExec in March 2021 following an initial update in February 2021.

I have also provided further details of updates available for other commonly used applications below (I will continue to add to this list).

To all of my readers; I hope you and your families continue to stay well during these challenging times. Thank you.

====================
Mozilla Firefox
====================
In the third week of March Mozilla made available Firefox 87 and Firefox ESR (Extended Support Release) 78.9 to resolve the following vulnerabilities:

Firefox 87: Resolves 2x High severity CVEs, 4x Moderate severity and 2x Low severity

Firefox 78.9: Resolves 2x High Severity CVEs and 1x set of security issues (rated High) and 2x Moderate severity CVEs

Firefox 87 also introduces the following new features (my thanks to ghacks.net for this):

Firefox 87 introduces SmartBlock, a feature to reduce website breakage when using private browsing or strict enhanced tracking protection.
The default HTTP Referrer policy will trim the path so that only the domain name is submitted for cross-origin requests.

====================
Google Chrome
====================

Google has released 4 Chrome updates in March version 89.0.4389.72 , version 89.0.4389.90 and version 89.0.4389.114 for Linux, Mac and Windows to resolve 47, 5 and 8 security vulnerabilities (respectively). Version 89.0.4389.82 for does not contain security updates.

====================
Netmask Library
====================

The netmask npm library disclosed a security issue that was addressed in version 2.0.0. Version 2.0.2 has since been released with the previous version 2.0.1 providing a more complete fix for CVE-2021-29418. Further details are available from BleepingComputer.

The relevant security advisory is here with details of how to download version 2.0.2 available from here. Please update to this version if you use this library.

====================
Original Post
====================

To my readers; I hope you are doing well.

In advance of next Tuesday’s security updates by Adobe and Microsoft I wanted to highlight the following emergency updates from Microsoft intended for Microsoft Exchange. Google also released an important update for Chrome.

If you use Microsoft Exchange 2013, 2016 or 2019, please make certain to install the following updates as soon as possible. Attackers are already seeking to advantage of these vulnerabilities:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065

BleepingComputer also provided the following helpful links:

How to install the Microsoft Exchange Updates

Provided PowerShell console commands to scan event logs for traces of attacks against these vulnerabilities

An Nmap script to scan your network for vulnerable Exchange servers (provided by Microsoft Senior Threat Intelligence Analyst Kevin Beaumont)

Special thanks to BleepingComputer for the above links and advice. Thank you.

====================
Google Chrome
====================
Google released Google Chrome v89.0.4389.72 for Linux, Mac and Windows on the 2nd March to resolve 47 security vulnerabilities. One; CVE-2021-21166 is being exploited by attackers.

February 2021 Update Summary

Leave a reply

To my readers; I hope you and your families are safe and well. Sorry for the delay in publishing this post. However, it does contain information made available after the 9th February and should still prove useful.

Tuesday, 9th February was the release day for Adobe and Microsoft’s scheduled security updates. Adobe addressed 50 vulnerabilities and Microsoft resolved 56 vulnerabilities more formally known as CVEs (defined).

Let’s begin with Adobe’s security updates:

Adobe Acrobat and Reader: Addresses 23x Priority 1 (17x Critical Severity and 6x Important Severity) vulnerabilities

Adobe Animate: Addresses 1x Priority 3 (1x Critical Severity) vulnerabilities

Adobe Dreamweaver: Addresses 1x Priority 3 (1x Important Severity) vulnerabilities

Adobe Illustrator: Addresses 2x Priority 3 (2x Critical Severity) vulnerabilities

Magento: Addresses 18x Priority 2 (7x Critical, 10x Important and 1x Moderate Severity) vulnerabilities

Adobe Photoshop: Addresses 5x Priority 3 (5x Critical Severity) vulnerabilities

If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

Separately, Microsoft from the 16th February onwards began releasing an optional update for Windows 10 that removes the embedded version of Flash Player (that was previously used by Internet Explorer).

I installed this update on my 3x Windows 10 20H2 systems (2x physical and 1x virtual machine). The update never requested a reboot. It left behind some empty folders (the locations of which are detailed here). This was a very smooth removal. I will install this update on my 2x physical Windows 8.1 systems when it is offered to them (likely in March 2021).

=======================

Microsoft currently lists 36 Known Issues within its monthly summary. Almost all have workarounds or resolutions (others have solutions currently being worked upon). Please review the list from the above link if you have any concerns.

https://www.us-cert.gov/
====================

For this month’s Microsoft updates, as always I will prioritise the order of installation below:
====================

Microsoft Windows Win32k Elevation of Privilege Vulnerability: CVE-2021-1732

Windows TCP/IP Remote Code Execution Vulnerability: CVE-2021-24074

Windows TCP/IP Remote Code Execution Vulnerability: CVE-2021-24094

Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-24078

Windows Local Spooler Remote Code Execution Vulnerability: CVE-2021-24088

Windows Graphics Component Remote Code Execution Vulnerability: CVE-2021-24093

.NET Core for Linux Remote Code Execution Vulnerability: CVE-2021-14112

Microsoft .NET Core and Visual Studio Remote Code Execution Vulnerability: CVE-2021-26701

Windows Fax Service Remote Code Execution Vulnerability: CVE-2021-24077

Windows Fax Service Remote Code Execution Vulnerability: CVE-2021-1722

Sysinternals PsExec Elevation of Privilege Vulnerability: CVE-2021-1733 (a revised fixed was made available by Microsoft in March 2021)

Microsoft Windows Codecs Library Remote Code Execution Vulnerability: CVE-2021-24081

Windows Camera Codec Pack Remote Code Execution Vulnerability: CVE-2021-24091

Microsoft Windows Installer Elevation of Privilege Vulnerability: CVE-2021-1727

Microsoft .NET Core and Visual Studio Remote Code Execution Vulnerability: CVE-2021-1721

Windows Console Driver Denial of Service Vulnerability: CVE-2021-24098

Windows DirectX Information Disclosure Vulnerability: CVE-2021-24106

I have also provided further details of updates available for other commonly used applications below.

To all of my readers; I hope you and your families stay safe during these tough times. Thank you.

====================
Mozilla Firefox
====================
In the first week of February Mozilla made available Firefox 85.0.1 and Firefox ESR (Extended Support Release) 78.7.1 to resolve the following critical vulnerability:

Firefox 85.0.1 and Firefox ESR 78.7.1: Resolves 1x Critical severity CVE

A mitigation for the Windows 10 NTFS Corruption vulnerability was also added to Firefox 85.0.1. My thanks to BleepingComputer for their article on that issue.

Later on, the 23rd February, Mozilla made available Firefox 86 and Firefox ESR 78.8 to resolve the following vulnerabilities:

Firefox 86: Resolves 5x High severity, 4x Moderate and 3x Low severity CVEs

Firefox ESR 78.8: Resolves 3x High and 1x Low severity CVEs

Firefox 86 introduces Total Cookie Protection and multiple picture in picture (among other features detailed here).

====================
Google Chrome
====================
Google has released 4 Chrome updates so far in February version 88.0.4324.146 , version 88.0.4324.150 and version 88.0.4324.182 for Linux, Mac and Windows to resolve 6, 1 and 10 security vulnerabilities (respectively). Version 88.0.4324.190 and 192 for Mac do not contain security updates. Version 88 of Chrome removes support for Adobe Flash.

====================
Cyberpunk 2077
====================
The popular video game Cyberpunk 2077 has released a security update, hotfix version 1.12 to resolve the following security issues:

Fixed a buffer overrun (defined) issue

Removed/replaced non-ASLR (defined) DLLs (defined)

My thanks to BleepingComputer for their article listing the availability of this security update.

====================
Apple Security Updates
====================
Apple had released the following security updates so far in February:

Apple macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave: Addresses 66x CVEs

Apple Safari 14.0.3: Addresses 3X CVEs

Apple macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002: Addresses 3x CVEs

January 2021 Update Summary

Leave a reply

To my readers; I hope you and your families are doing well. Happy New Year.

Today; Adobe and Microsoft released their scheduled security updates earlier today. Adobe’s updates resolve 8 and 83 vulnerabilities (respectively) more formally known as CVEs (defined).

Let’s start with Adobe updates:

Adobe Animate: 1x Priority 3 (1x Critical Severity)
Adobe Bridge: 1x Priority 3 (2x Important Severity)
Adobe Campaign Classic: 1x Priority 2 (1x Critical Severity)
Adobe Captivate: (1x Important Severity)
Adobe Illustrator: 1x Priority 3 (1x Critical Severity)
Adobe InCopy: 1x Priority 3 (1x Critical Severity)
Adobe Photoshop: 1x Priority 3 (1x Critical Severity)

As always; if you use any of the above Adobe products, please consider updating them especially those with critical severity updates.

While it does not appear that Microsoft made an automatic update available to remove Flash Player for Internet Explorer or Microsoft Edge (Legacy) today; you should still consider uninstalling it following the advice in my post from November. Corporate customers and consumers can make use of Microsoft’s manual update to uninstall this version of Flash Player. The other remaining versions are also addressed in that post; if you wish to take further action. Alternatively; simply wait until Microsoft makes the Flash Player uninstaller an automatic update and browser vendors take their scheduled actions later this month.

At the time of writing; Microsoft’s monthly summary; lists Known Issues for 11 Microsoft products this month, similar to last month all but one has a workaround.

In addition to the updates released by Microsoft; for all versions of Windows prior Windows 10 Version 2004; a further security update was released to address a security bypass vulnerability within the Secure Boot of Windows.

According to the above linked to Microsoft support article, if you are updating your Windows system manually, please make certain to install this update in the following order. Systems with automatic updates enabled (the default option) will automatically have the updates installed in the correct order:

Servicing Stack Update
Standalone Secure Boot Update listed in this CVE
January 2021 Security Update

Separately; I was able to confirm that for systems that pre-date Secure Boot (manufactured before 2012) and thus do not have a UEFI (defined) based firmware “While this update doesn’t include any security updates that will benefit your computer, it will address the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX”.

For your information I have installed this update KB4535680 on the following systems without any issues. Secure Boot is enabled on both systems. This update does not apply to my custom Core i9 Extreme system running Windows 10 Version 20H2 64 bit:

Custom PC: Asus Z97-C motherboard (BIOS Version 2103): Windows 8.1 Update (64 bit)

Notebook PC: Lenovo ThinkPad E460 (BIOS Version 1.40): Windows 10 Version 1909 (64 bit)

The custom PC dates from late 2014 and the notebook from late 2016.

https://www.us-cert.gov/
====================

For this month’s Microsoft updates, as always I will prioritise the order of installation below:
====================

Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-1647

Microsoft splwow64 Elevation of Privilege Vulnerability: CVE-2021-1648

GDI+ Remote Code Execution Vulnerability: CVE-2021-1665

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2021-1643

Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability: CVE-2021-1668

Microsoft Edge (HTML-based) Memory Corruption Vulnerability: CVE-2021-1705

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1658

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1660

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1666

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1667

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1673

I have also provided further details of updates available for other commonly used applications below.

To all of my readers; I hope you and your families are continuing to stay safe during these tough times. Thank you.

====================
Nvidia
====================

====================
Update: 20th April 2021
====================

Nvidia driver version 461.92 and later resolve the stability issues mentioned in this blog post. This driver should be now be installed to address the security issues discussed in this post.

====================
Update: 19th January 2021
====================
It has been reported that this Nvidia driver update is causing instability of some systems. For this reason; I have not installed this on my systems. I will await a later driver which corrects these issues.

Earlier in January Nvidia released security updates for its drivers (defined) which power their Geforce, Nvidia RTX, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).

As was the case with October’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates.

====================
Mozilla Firefox
====================
In the first week of January Mozilla released Firefox 84.0.2 and Firefox ESR (Extended Support Release) 78.6.1 to resolve the following vulnerabilities:

Firefox 84.0.2 and Firefox 78.6.1 ESR: Addresses 1x critical severity CVE

====================
VideoLAN VLC
====================
On the 12th of January VideoLAN released version 3.0.12 resolving at least 3 known vulnerabilities. The other non-security improvements introduced are detailed in the above 3.0.12 link and within the changelog.

The most recent versions of VLC can be downloaded from:
http://www.videolan.org/vlc/

====================
Google Chrome
====================
Last week, Google released Chrome version 87.0.4280.141 for Linux, Mac and Windows to resolve 16 security vulnerabilities.

November 2020 Update Summary

Leave a reply

To my readers; I hope you and your families are doing well. Apologies for not publishing this post sooner.

As scheduled earlier this week; Adobe and Microsoft issued their monthly security updates. These updates address 17 and 112 vulnerabilities (respectively) more formally known as CVEs (defined).

First, let’s detail the Adobe updates; the Acrobat update was released a week ago:

Adobe Connect: Resolves 2x Priority 3 CVEs (2x Important Severity)

Adobe Acrobat and Reader: Resolves 14x Priority 2 CVEs (4x Critical Severity, 6x Important Severity and 4x Moderate Severity)

Adobe Reader Mobile: Resolves 1 x Priority 3 (1x Important Severity)

If you use any of the above Adobe products, especially Acrobat or Reader with its critical severity updates; please install these updates as soon as possible.

Microsoft’s monthly summary; lists Known Issues for 17 Microsoft products again this month but all have workarounds listed.

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritise the order of installation below:
====================
Windows Network File System Remote Code Execution Vulnerability: CVE-2020-17051

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2020-17084

Windows Kernel Local Elevation of Privilege Vulnerability: CVE-2020-17087

Windows Hyper-V Security Feature Bypass Vulnerability: CVE-2020-17040

Chakra Scripting Engine Memory Corruption Vulnerability: CVE-2020-17048

Scripting Engine Memory Corruption Vulnerability: CVE-2020-17052

Internet Explorer Memory Corruption Vulnerability: CVE-2020-17053

Microsoft Browser Memory Corruption Vulnerability: CVE-2020-17058

Azure Sphere Elevation of Privilege Vulnerability: CVE-2020-16988

AV1 Video Extension Remote Code Execution Vulnerability: CVE-2020-17105

HEIF Image Extensions Remote Code Execution Vulnerability: CVE-2020-17101

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17106

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17107

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17108

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17109

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2020-17110

Raw Image Extension Remote Code Execution Vulnerability: CVE-2020-17078

Raw Image Extension Remote Code Execution Vulnerability: CVE-2020-17079

Raw Image Extension Remote Code Execution Vulnerability: CVE-2020-17082

Windows Print Spooler Remote Code Execution Vulnerability: CVE-2020-17042

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are continuing to stay safe during these tough times. Thank you.

====================
Google Chrome
====================
So far this month, Google has made available 4 Chrome updates version 86.0.4240.183 , 86.0.4240.193, 86.0.4240.198 and 87.0.42809.67 for Linux, Mac and Windows to resolve 10, 1, 2, and 33 security vulnerabilities (respectively) and to introduce new features (please see this BleepingComputer link for details). My thanks to BleepingComputer for this detailed description.

====================
Mozilla Firefox
====================
In the second week of November, Mozilla released Firefox 82.0.3 and Firefox ESR (Extended Support Release) 78.4.1 to resolve the following security vulnerabilities:

Firefox 82.0.3: Resolves 1x Critical severity CVE

Firefox ESR 78.4.1: Resolves 1x Critical severity CVE

Later during the 3rd week of November, Mozilla made Firefox 83 which again resolved security vulnerabilities (details provided below) and introduced new features such as HTTPS only mode, and improved PDF viewer as well as improved JavaScript performance and reduced memory usage etc. My thanks to BleepingComputer for this explanation.

Firefox 83: Resolves 4x High Severity CVEs, 11x Moderate CVEs, 6x Low CVEs

Firefox ESR 78.5: Resolves 2x High Severity CVEs, 8x Moderate and 2x Low CVEs

====================
VMware
====================
VMware released 3 security advisories impacting the following products. If you use any of the VMware products listed below, please review the above advisories and install the applicable security updates as soon as possible:

Advisory 1: Severity: Important:
VMware SD-WAN Orchestrator (SD-WAN Orchestrator)

Advisory 2: Severity: Critical:
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation

Advisory 3: Severity: Critical:
VMware Workspace One Access (Access)
VMware Workspace One Access Connector (Access Connector)
VMware Identity Manager (vIDM)
VMware Identity Manager Connector (vIDM Connector)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

September 2020 Update Summary

Leave a reply

I hope you are doing well today especially given these challenging and different times. Sorry for not publishing this post sooner due to my professional commitments.

As you know, Adobe and Microsoft made available their monthly security updates. For September those updates resolve 18 and 129 vulnerabilities (respectively) more formally known as CVEs (defined).

Let’s begin with Adobe’s updates
Adobe Experience Manager: Addresses 11x Priority 2 CVEs (5x Critical Severity and 6x Important Severity)

Adobe Framemaker: Addresses 2x Priority 3 CVEs (2x Critical Severity)

Adobe InDesign: Addresses 5x Priority 3 CVEs (5x Critical Severity)

Adobe Media Encoder: Addresses 3x Priority 3 CVEs (3x Important Severity)

If you use any of the Adobe products, please install the above updates as soon as possible since almost address critical vulnerabilities.

Microsoft’s monthly summary; lists Known Issues for 15 Microsoft products this month but all have workarounds listed.

https://www.us-cert.gov/

====================
For Septembers Microsoft updates, I will prioritise the order of installation below:
====================
If you manage a server e.g. Windows Server 2008 R2 – Windows Server 2019) and you have not yet installed the August 2020 security update for the Netlogon Elevation of Privilege Vulnerability, please do so immediately. Attacks are becoming more frequent on this vulnerability.
====================

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-1200

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-1210

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2020-16875

Windows GDI+ Remote Code Execution Vulnerability: CVE-2020-1285

Microsoft Browser Memory Corruption Vulnerability: CVE-2020-0878

Microsoft Windows Codecs Library Remote Code Execution Vulnerability: CVE-2020-1129

Microsoft COM for Windows Remote Code Execution Vulnerability: CVE-2020-0922

Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability: CVE-2020-16862

Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability: CVE-2020-16857

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-1452

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-1453

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-1576

Microsoft SharePoint Remote Code Execution Vulnerability: CVE-2020-1595

Microsoft SharePoint Server Remote Code Execution Vulnerability: CVE-2020-1460

Windows Defender Application Control Security Feature Bypass Vulnerability: CVE-2020-0951

Visual Studio Remote Code Execution Vulnerability: CVE-2020-16874

Scripting Engine Memory Corruption Vulnerability: CVE-2020-1057

Scripting Engine Memory Corruption Vulnerability: CVE-2020-1172

Microsoft Windows Codecs Library Remote Code Execution Vulnerability: CVE-2020-1129

Microsoft Windows Codecs Library Remote Code Execution Vulnerability: CVE-2020-1319

Windows Media Audio Decoder Remote Code Execution Vulnerability: CVE-2020-1508

Windows Media Audio Decoder Remote Code Execution Vulnerability: CVE-2020-1593

Windows Remote Code Execution Vulnerability: CVE-2020-1252

Windows Camera Codec Pack Remote Code Execution Vulnerability: CVE-2020-0997

Windows Text Service Module Remote Code Execution Vulnerability: CVE-2020-0908

====================

As always, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are continuing to stay safe during these challenging times. Thank you.

====================
Google Chrome
====================
Google made available two Google Chrome updates during the month of September; versions 85.0.4183.102 and 85.0.4183.121 for Linux, Mac and Windows to resolve 5 and 10 security vulnerabilities (respectively).

====================
Mozilla Firefox
====================
In the first week of September, Mozilla released Firefox 80.0.1 to “fix crashes caused by GPU resets and issues affecting downloads triggered by browser extensions”. My thanks to BleepingComputer for this explanation.

Separately in the latter half of September, Firefox 81.0 and Firefox ESR 78.3 (Extended Support Release) to address the following vulnerabilities:

Firefox 81.0: Resolves 3x high severity CVEs and 3x moderate CVEs

Firefox ESR 78.3: Resolves 1x high CVE and 3x moderate CVEs

The new features introduced in this release are “the ability to control videos via your headset and keyboard and a new credit card autofill feature”. My thanks to BleepingComputer for this explanation.

====================
VMware
====================
VMware released 2 security advisories to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Moderate:
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows

Advisory 2: Severity: Moderate:
VMware Horizon DaaS (Horizon DaaS)

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

securityinaction

A blog dedicated to sharing security best practice advice for organisations and individuals.

Tag Archives: Mozilla Firefox ESR

March 2022 Update Summary

August 2021 Update Summary

July 2021 Update Summary

June 2021 Update Summary

May 2021 Update Summary

March 2021 Update Summary

February 2021 Update Summary

January 2021 Update Summary

November 2020 Update Summary

September 2020 Update Summary