I hope all is well during these challenging times.
Earlier today Adobe and Microsoft released their monthly security updates resolving 10 vulnerabilities and 129 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).
Adobe’s updates for this month are as following:
Adobe Experience Manager: 6x Priority 2 CVEs resolved (6x Important severity)
Adobe Flash Player: 1x Priority 2 CVE resolved, (1x Critical severity)
Adobe Framemaker: 2x Priority 3 CVEs resolved (3x Critical severity)
Adobe After Effects: 5x Priority 3 CVEs resolved (5x Critical severity)
Adobe Audition: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe Campaign Classic: 1x Priority 3 CVEs resolved (1x Important severity)
Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)
Adobe Premiere Pro: 3x Priority 3 CVEs resolved (3x Critical severity)
Adobe Premiere Rush: 3x Priority 3 CVEs resolved (3x Critical severity)
If you use any of the above Adobe products, especially Adobe Flash Player; please install these updates as soon as possible since both multiple critical vulnerabilities have been resolved.
====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/
====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
VBScript Remote Code Execution Vulnerability: CVE-2020-1213 , CVE-2020-1216
Microsoft Browser Memory Corruption Vulnerability: CVE-2020-1219
Microsoft SharePoint Server Remote Code Execution Vulnerability: CVE-2020-1181
Scripting Engine Memory Corruption Vulnerability: CVE-2020-1073
Windows GDI+: CVE-2020-1248
Windows OLE: CVE-2020-1281
Windows Shell Remote Code Execution Vulnerability: CVE-2020-1286
Windows Remote Code Execution Vulnerability: CVE-2020-1300
Please install the remaining updates at your earliest convenience.
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications and devices below.
To all of my readers and your families, I hope you are staying safe during these tough times. Thank you.
====================
Mozilla Firefox
====================
In the first week of June, Mozilla released Firefox 77 and Firefox ESR (Extended Support Release) 68.9 to resolve the following vulnerabilities:
Firefox 77.0: Addresses 4x high severity CVEs, 1x moderate CVE and 2x low CVEs
Firefox 68.9 ESR: Addresses 4x high severity CVEs
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
====================
Google Chrome
====================
Last week, Google released Chrome version 83.0.4103.97 for Linux, Mac and Windows to resolve 5 security vulnerabilities.
Two further updates were released by Google in June resolving 4 and 2 vulnerabilities respectively. The latest version of Google Chrome in the stable channel is 83.0.4103.116
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
====================
Intel Security Advisories
====================
Intel have released a series of security advisories today. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the critical and high severity advisories:
Critical:
2020.1 IPU – Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
High:
2020.1 IPU – Intel SSD Advisory
2020.1 IPU – BIOS Advisory
Intel Innovation Engine Advisory
Medium:
Special Register Buffer Data Sampling Advisory
====================
Nvidia
====================
In late June Nvidia released security updates for its drivers which power their Geforce, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).
As was the case with previous Nvidia security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates. For Windows, this update also brings improved performance and functionality with Windows 10 Version 2004.
=======================
Putty
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.74 in the latter half of June. It contains 2 security fixes (see below). Version 0.74 is downloadable from here.
If you use Putty, please update it to version 0.74. Thank you.
Security vulnerabilities fixed:
====================
VMware
====================
VMware released 4 security advisories to resolve vulnerabilities within the following products:
====================
Advisory 1: Severity: Important:
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
Advisory 2: Severity: Important:
VMware Horizon Client for Windows
Advisory 3: Severity: Low
VMware Tools for macOS
Advisory 4: Severity: Critical
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation
====================
If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.
====================
Mozilla Firefox
====================
In the final week of June, Mozilla released Firefox 78 and Firefox ESR (Extended Support Release) 68.10 to resolve the following vulnerabilities:
Firefox 78.0: Addresses 7x high severity CVEs, 4x moderate CVE and 2x low CVEs
Firefox 68.10 ESR: Addresses 4x high severity CVEs and 1x moderate CVE
Firefox 78 introduces a repair option within its uninstaller to attempt to fix issues the browser is experiencing and a refined version of the built-in PDF reader allowing downloaded PDFs to be easily read.
The day after the release of Firefox 78, Mozilla released 78.0.1 to resolve non-security issues:
- All search engines are gone, list of one-click search engines is empty now
- Auto complete in the address bar doesn’t work any longer
- Search function on the start page doesn’t start a search any longer
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
====================
Google Chrome
====================
Two further updates were released by Google in June resolving 4 and 2 vulnerabilities respectively. The latest version of Google Chrome in the stable channel is 83.0.4103.116
=======================
Apple Security Updates:
=======================
On the 1st of June Apple made available the following updates.
Further details for these updates are as follows:
Apple iOS 13.5.1 and iPadOS 13.5.1 (resolves 1x CVE (defined))
Apple tvOS 13.4.6: Resolves 1x CVE.
Apple watchOS 6.2.6: Resolves 1x CVE
macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003 High Sierra: Resolves 1x CVE.
=======================
Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.
As always; further details of these updates are available on Apple’s dedicated security updates page.
For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).
====================
VideoLAN VLC
====================
On the 16th of June VideoLAN released version 3.0.11 resolving at least 3 known CVEs (other vulnerabilities were addressed by upgrading internal 3rd party libraries used by VLC). CVE-2020-13428 however only affected Apple macOS/iOS but was of high severity (CVSSv3 base score (defined) of 7.8).
The most recent versions of VLC can be downloaded from:
http://www.videolan.org/vlc/
securityinaction 