Tag Archives: Mozilla Firefox

Magellan 2.0 SQLite Vulnerabilities: What you need to know

====================
[TL DR]
====================
If you use any of the affected products e.g. Google Chrome, Mozilla Firefox or Android WebView (full list provided below), please make certain to update them to the latest version available.

In the closing days of December, security researchers from the Tencent Blade team disclosed five vulnerabilities that affect the SQLite database. This is used in products such as Google Chrome, Android WebView, Mozilla Firefox and Windows 10 (among others):

https://blade.tencent.com/magellan2/index_en.html

Why should these vulnerabilities be considered important?
Due to the widespread use of the affects products and the severity of the vulnerabilities the potential for a large impact is present. These vulnerabilities if exploited could allow “remote code execution in Chromium render process.

However, the CVSS base scores (defined) for all but one vulnerability (at 8.8: High) are 6.5 Medium severity. Thus, these vulnerabilities are NOT critical but medium to high severity. The rationale for this is explained by the creator of SQLite, D. Richard Hipp. While the comment is from 2018 it is still valid since most applications which use SQLite are not impacted by remote attacks:

“Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk” (Source).

While Chromium based browsers effectively do allow “random internet users to run arbitrary SQL”; Google have already issued an update (see below). Other browsers will follow e.g. Opera did so on the 27th of December upgrading to the same version of Chromium that Google issued namely, 79.0.3945.79

How can I protect my organisation or myself from these vulnerabilities?
If you use any of the following products, please make certain to update to the most recent versions available. Google made available Chrome version 79.0.3945.79 on the 10th of December to resolve these vulnerabilities with Opera following on the 27th of December:

Affected Products (among others):
Chrome/Chromium prior to version 79.0.3945.79
Smart devices using old version of Chrome/Chromium.
Browsers built with old version of Chromium/Webview.
Android Apps that uses old version of Webview and can access any web page.
Software that uses the old version of Chromium and can access any web page.

Thank you.

December 2019 Update Summary

As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.

Adobe resolved 25 CVEs this month with Microsoft separately patching 36 CVEs (defined).
====================
Adobe Brackets (an open source (the source code (human readable code) is free to view and edit by the wider IT community) application development editor focused on web development): 1x Priority 3 CVE resolved (1x Critical severity)

Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)

Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
====================

Within Microsoft’s monthly summary; there are Known Issues for 17 Microsoft products but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468

Microsoft Windows Kernel (defined): CVE-2019-1458

Windows Hyper-V: CVE-2019-1471

Microsoft Visual Studio: CVE-2019-1349 , CVE-2019-1350 , CVE-2019-1352 , CVE-2019-1354 , CVE-2019-1387

Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs (defined) and used for Windows Hello for Business: Security Advisory

Please install the remaining less severe updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:

Firefox 71.0: Resolves 6x high severity CVEs (defined) and 5x moderate CVEs

Firefox ESR 68.3 (Extended Support Release): Resolves 4x high severity CVEs and 4x moderate CVEs

Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.

The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 4 vulnerabilities while the second resolves  5 vulnerabilities.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Nvidia
====================
In late December Nvidia released a security update for Nvidia Geforce Experience to resolve a vulnerability that may lead to a denial of service (defined) issue or an escalation of privilege (defined) issue. This vulnerability is a local vulnerability rather than remote meaning that an attacker would first need to compromise your system before exploiting this vulnerability to elevate their privileges. To resolve this local vulnerability within Geforce Experience  apply the necessary update by opening Geforce Experience which will automatically update it or the update can be obtained from here.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The high priority advisories are the following:

High
Linux Administrative Tools for Intel Network Adapters Advisory

Intel NUC Firmware Advisory

The remaining advisories are of medium and low priority:

Medium
Intel Quartus Prime Pro Edition Advisory

Intel RST Advisory (see also my separate post on this vulnerability)

Control Center-I Advisory

Intel SCS Platform Discovery Utility Advisory

Unexpected Page Fault in Virtualized Environment Advisory

Intel FPGA SDK for OpenCL Advisory

Low
Intel Ethernet I218 Adapter Driver for Windows Advisory

Intel Dynamic Platform and Thermal Framework Advisory

====================
VMware
====================
Similar to last month, VMware released 2 further security advisories, the first is of critical severity with the second being of moderate severity relating to the products:

Critical Severity Advisory:

VMware ESXi
VMware Horizon DaaS appliances

Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent

If you use the above VMware products, please review the advisories and apply the necessary updates.

====================
OpenSSL
====================
On the 6th December; the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Apple Security Updates
=======================
Throughout December Apple has released security updates for the following products:

Apple iOS v12.4.4 and 13.3 / iPad OS 13.3: Resolves 1 CVE (defined) and 14 CVEs (respectively)

Apple Safari 13.0.4: Resolves 2 CVEs

Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs

Apple tvOS 13.3: Resolves 11 CVEs

Apple watchOS 5.3.4 and 6.1.1: Resolves 1 CVE and 10 CVEs (respectively)

Apple Xcode 11.3: Resolves 1 CVE

Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs

Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs

Apple iCloud for Windows 10.9: Resolves 4 CVEs

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
Wireshark
====================
In early December the following Wireshark updates were released:

v3.0.7: 1 security advisory

v2.6.13: 1 security advisory

The above v3.0.7 version was later super seceded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.7 or v2.6.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

October 2019 Update Sumamry

================
Update: 25th October 2019
================
Apologies for the delay in updating this post due to professional commitments.

I wanted to provide details of this month’s security updates from Microsoft and Adobe. On the 8th of October, Microsoft made available their updates resolving 59 vulnerabilities more formally known CVEs (defined).

Separately Adobe made available their updates a week later:

====================

Adobe Acrobat and Reader: 68x Priority 2 CVEs resolved (45x critical severity, 23x Important severity)

Adobe Download Manager: Priority 3 CVE resolved (1x Important severity)

Adobe Experience Manager: Priority 2 CVEs (1x Critical CVE, 7x Important and 4x Moderate severity)

Adobe Experience Manager Forms: 1x Priority 3 CVE (1x Important severity)

As always, if you use these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Acrobat/Reader and Experience Manager updates.

====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. All issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

As for stability, I have installed all of this month’s updates on my Windows 10 systems (Builds 18362.388 , 18362.418) most recently the new kb4522355 (for Windows 10 Version 1903 Build 18362.449) and have not experienced any issues. Indeed, this update was intended to resolve the issues e.g. among with the Start menu that caused me to advise not to install Windows 10 updates earlier this month. Obviously, please continue to backup and test your systems as you usually would before install widely rolling out these updates but in general you should be fine.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: , CVE-2019-1307 CVE-2019-1308 CVE-2019-1366

VBScript Remote Code Execution Vulnerability: CVE-2019-1238 CVE-2019-1239

Azure Stack Remote Code Execution Vulnerability : CVE-2019-1372

Remote Desktop Client Remote Code Execution Vulnerability : CVE-2019-1333

MS XML Remote Code Execution Vulnerability: CVE-2019-1060

Windows Error Reporting Manager Elevation of Privilege Vulnerability : CVE-2019-1315

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On 22nd October Mozilla released Firefox 70 to address multiple critical vulnerabilities and to one again introduce further privacy features (see below):

Firefox 70: Resolves 1x critical CVE (defined)(but consisting of multiple vulnerabilities), 3x high CVEs, 8x moderate and 1x low CVE

Firefox ESR 68.2 (Extended Support Release): Resolves 1x critical CVE (but consisting of multiple vulnerabilities), 3x high CVEs, 5x moderate

Highlights from version 70 of Firefox include:

Details of improvements in the macOS and Windows versions of Firefox are provided in this article. The blocking of social networking tracking is discussed in another article.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
Google Chrome
====================
On October 22nd, Google released Chrome version 78.0.3904.70. This update resolves a high severity flaw that earned the researcher who reported it $20,000. The Multi-State Information Sharing and Analysis Center (MS-ISAC) stated “successful exploitation could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.” In total, this update contains 37 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
WinSCP:
=======================
In mid October; WinSCP version 5.15.5 was released upgrading it’s embedded version of Putty (the Windows SSH client) to 0.73 (along with its SSH private key tools to the same version) resolving 2 vulnerabilities (with one other issue possibly security related). WinSCP 5.15.6 has since been released as a non-security update.

Thank you.

================
Update: 8th October 2019
================
Unfortunately due to professional commitments I won’t be able to update this post today with details of Adobe’s and Microsoft’s updates. I will do so as soon as possible this week.

Thanks for your understanding.

================
Original Post
================
On the 23rd of September Microsoft issued two out of band (unscheduled) security updates to resolve 2 zero-day (defined) vulnerabilities. The vulnerabilities affect Internet Explorer and Windows Defender.

Microsoft has drawn criticism for adding confusion to these updates since they are not available on Windows Update but must be installed manually. For Windows 10 Version 1903 this prompted the release of kb4524147 which at this time I do NOT recommend you install since it is causing some systems not to boot, not being able to print and in some cases the Start menu is crashing.

With further security updates expected from Microsoft tomorrow, please await those updates and re-assess if you should install them. I’ll updater this post tomorrow with more information on the new monthly updates.

Separately since Windows Defender updates automatically you should have received the relevant anti-malware engine update (Version: 1.1.14700.5) 48 hours after the 23rd September.

Thank you.

September 2019 Update Summary

Today is the 2nd Tuesday of the month, when both Adobe and Microsoft routinely release their scheduled security updates.

Similar to last month Microsoft have released many updates resolving 79 vulnerabilities more formally known as CVEs (defined). It was a light month for Adobe releasing 2 updates resolving 3 vulnerabilities.

====================
Adobe Application Manager: 1x Priority 2 vulnerability resolved (Important severity)
Adobe Flash Player: 2x Priority 3 vulnerabilities resolved (Critical severity)

If you use either of these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Flash Player update.
====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Almost all issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Windows LNK Remote Code Execution Vulnerability: CVE-2019-1280

Microsoft Scripting Engine: CVE-2019-1298

Microsoft Scripting Engine: CVE-2019-1300

Microsoft Scripting Engine: CVE-2019-1217

Microsoft Scripting Engine: CVE-2019-1208

Microsoft Scripting Engine: CVE-2019-1221

Microsoft Scripting Engine: CVE-2019-1237

Windows RDP: CVE-2019-1291

Windows RDP: CVE-2019-1290

Windows RDP: CVE-2019-0788

Windows RDP: CVE-2019-0787

Team Foundation Server/Azure DevOps: CVE-2019-1306

Microsoft Office SharePoint: CVE-2019-1295

Microsoft Office SharePoint: CVE-2019-1257

Microsoft Office SharePoint: CVE-2019-1296

Common Log File System Driver (defined): CVE-2019-1214

Microsoft Windows Elevation of Privilege Vulnerability (defined): CVE-2019-1215

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On September the 3rd Mozilla released Firefox 69.0 to address the following vulnerabilities and to introduce new privacy features:

Firefox 69.0: Resolves 1x critical CVE (defined), 11x high CVEs, 4x moderate and 3x low CVEs

Firefox ESR 68.1 (Extended Support Release): Resolves 1x critical, 9x high, 4x moderate and 2x low CVEs

Firefox 60.9 ESR : Resolves 1x critical CVE, 7x high CVEs and 1x moderate CVE

Highlights from version 69 of Firefox include:
Blocks 3rd party cookies and cryptominers (using Enhanced Tracking Protection) by default (blocking of fingerprinting scripts will be the default in a future release)

Adobe Flash disabled by default (must be re-enabled if needed)

Separately Mozilla is facing criticism over their plans to gradually roll-out DNS over HTTPS (DoH) later this month since all DNS traffic would go to only one provider, Cloudflare. Google Chrome will implement a similar feature soon (further details are available in the above link also regarding Mozilla).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

Thank you.

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS):  CVE-2019-1181 CVE-2019-1182  CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144  CVE-2019-1152  CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

July 2019 Update Summary

As predicted; earlier today Adobe and Microsoft made available their usual monthly security updates addressing 5 and 77 vulnerabilities (respectively) more formally known as CVEs (defined):

====================
Adobe Bridge CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Dreamweaver: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Experience Manager: 3x Priority 2 vulnerabilities : 2x Important, 1x Moderate severity resolved

If you use any of these Adobe products, please apply the necessary updates as soon as possible.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Just like last month; Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Servicing stack update for Windows Server 2008 SP2

4507434                Internet Explorer 11

4507435                Windows 10, version 1803

4507448                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4507449                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4507450                Windows 10, version 1703

4507453                Windows 10, version 1903, Windows Server version 1903

4507455                Windows 10, version 1709

4507457                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4507458                Windows 10

4507460                Windows 10 1607 and Windows Server 2016

4507462                Windows Server 2012 (Monthly Rollup)

4507464                Windows Server 2012 (Security-only update)

4507469                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Zero-day (defined) vulnerabilities:
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability

CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability

====================
Critical
====================
CVE-2019-0785  Windows DHCP Server Remote Code Execution Vulnerability

CVE-2019-1072  Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

CVE-2019-1056  Scripting Engine

CVE-2019-1106  Scripting Engine

CVE-2019-1092  Scripting Engine

CVE-2019-1103  Scripting Engine

CVE-2019-1107  Scripting Engine

CVE-2019-1062  Scripting Engine

CVE-2019-1004  Scripting Engine

CVE-2019-1001  Scripting Engine

CVE-2019-1063  Internet Explorer Memory Corruption Vulnerability

CVE-2019-1104  Microsoft Browser Memory Corruption Vulnerability

CVE-2019-1102  GDI+ Remote Code Execution Vulnerability

CVE-2019-1113  .NET Framework Remote Code Execution Vulnerability

Servicing Stack Update

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
Today, Mozilla released Firefox 68.0 to address the following vulnerabilities and to introduce new features:

Firefox 68.0: Resolves 2x critical CVEs (defined), 3x high CVEs, 10x moderate and 4x low CVEs

Firefox 60.8 ESR (Extended Support Release): Resolves 1x critical CVE, 4x high CVEs and 5x moderate CVEs

Firefox now also includes cryptomining protection and fingerprinting protections and improved add-on security (my thanks to Softpedia for this information, more details on other security features are here).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware ESXi
=======================
Earlier today VMware made available an update for ESXi version 6.5. Version 6.0 is unaffected and a patch for 6.7 is pending. This update resolves a denial of service vulnerability.

If you use VMware ESXi, please update when you can.

Thank you.

June 2019 Update Summary

With yesterday being the second Tuesday of the month; it means it’s Update Tuesday again. Microsoft resolved 88 vulnerabilities  (more formally known as CVEs (defined) with Adobe addressing 11 vulnerabilities of their own.

Adobe Campaign: 7x Priority 3 vulnerabilities (1x Critical, 3x Important, 3x Moderate)

Adobe ColdFusion: 3x Priority 2 vulnerabilities (3x Critical)

Adobe Flash Player: 1x Priority 1 vulnerability (1x Critical)

If you use Adobe ColdFusion, please apply the necessary updates as soon as possible. For that product, as per Adobe’s advisory, please make certain the Java JDK/JRE in use on the server is fully up to date in order to fully secure it. Please install the remaining updates for Campaign and Flash Player as soon as possible since they also resolve critical vulnerabilities.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Windows Server 2008 Service Pack 2 Servicing stack update

4503027                Exchange Server 2019, Exchange Server 2016

4503028                Exchange Server 2010 Service Pack 3, Exchange Server 2013

4503263                Windows Server 2012 (Security-only update)

4503267                Windows 10, version 1607, Windows Server 2016

4503276                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4503279                Windows 10, version 1703

4503284                Windows 10, version 1709

4503285                Windows Server 2012 (Monthly Rollup)

4503286                Windows 10, version 1803

4503290                Windows 8.1 Windows Server 2012 R2 (Security-only update)

4503291                Windows 10

4503292                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4503293                Windows 10, version 1903

4503327                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer: CVE-2019-1038

Microsoft Speech API Remote Code Execution Vulnerability: CVE-2019-0985

Microsoft Scripting Engine:

CVE-2019-1002

CVE-2019-0991

CVE-2019-1080

CVE-2019-1023

CVE-2019-0992

CVE-2019-1024

CVE-2019-0990

CVE-2019-0988

CVE-2019-0989

CVE-2019-1055

CVE-2019-1052

CVE-2019-1051

CVE-2019-0920

CVE-2019-1003

Windows Hyper-V Remote Code Execution Vulnerability: CVE-2019-0709 , CVE-2019-0722 , CVE-2019-0620

ActiveX Data Objects (ADO) Remote Code Execution Vulnerability: CVE-2019-0888

Windows Task Scheduler: CVE-2019-1069 (disclosed by SandboxEscaper)

Windows AppX Deployment Service (AppXSVC): CVE-2019-1064 (disclosed by SandboxEscaper)

Windows Shell: CVE-2019-1053 (disclosed by SandboxEscaper)

Windows Installer: CVE-2019-0973 (disclosed by SandboxEscaper)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
VideoLAN VLC:
=======================
A new version of VLC is available for Apple macOS, Linux, Windows (desktop and Windows Store), Google Android and Apple iOS with some great performance improvements and resolving 33 security vulnerabilities (2 of which are high severity) as a result of the EU-FOSSA bug bounty programme which opened in January this year.

Further details are below:

http://www.videolan.org/vlc/releases/3.0.7.html

http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

Version 3.0.7.1 has since been released to resolve other non-security issues. The most recent version can be downloaded from:

http://www.videolan.org/vlc/

=======================
Mozilla Firefox
=======================
Yesterday (11th June), Mozilla released Firefox 67.0.2 to address a single moderate severity vulnerability.

Further to the above updates, on the 18th and the 20th June; Mozilla issued 2 updates for Firefox version 67.0.3 (ESR (Extended Support Release) 60.7.1) and 67.0.4 (ESR 60.7.2) to resolve 2x critical zero day (defined) vulnerabilities actively being exploited in the wild.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome:
=======================
Google released Google Chrome version 75.0.3770.80 to address 42 vulnerabilities in early June.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware:
=======================
Earlier this month VMware published a security advisory to address a single Important severity vulnerability in VMware Tools for Linux and Windows.

If you use VMware Tools on Linux or Windows, please review the security advisory and apply the necessary updates.

=======================
DOSBox
=======================
The retro gaming and legacy software emulator DOSBox in late June released an update to correct vulnerabilities discovered during a small code audit.

2 CVEs (CVE-2019-7165 and CVE-2019-12594) were assigned (that resolve critical vulnerabilities with CVSS 3.0 (defined) base scores of 9.8) but more out of bound access and buffer overflows (defined) were also resolved. Further details are available in their news post dated, 26th June 2019.

If you use DOSBox, please consider upgrading to version 0.74-3 which also includes many fixes for non-security bugs. The new version is available from here.

Thank you.