Tag Archives: Nvidia Tesla

April 2021 Update Summary

To my readers; I hope you and your families are doing well in these still challenging times.

Last week Adobe and Microsoft released their scheduled security updates. Adobe’s updates resolve 10 and Microsoft’s updates 114 vulnerabilities (respectively) more formally known as CVEs (defined).

====================

Adobe released updates for the following products:

Adobe Bridge: Resolves 6x Priority 3 vulnerabilities (4x Critical Severity and 2x Important Severity)

Adobe Digital Editions: Resolves 1x Priority 3 vulnerability (1x Critical Severity)

Adobe Photoshop: Resolves 2x Priority 3 vulnerabilities (2x Critical Severity)

RoboHelp: Resolves 1x Priority 3 vulnerability (1x Important Severity)

As always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.

====================
A useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================

For this month’s Microsoft updates, I will prioritise the order of installation below:

====================

Important

====================

If you use Microsoft Exchange (the on-premises, non-cloud Office 365 version); please follow the steps from last month to first verify your server is first not infected before installing this month’s security updates for Exchange server. This post from BleepingComputer may be helpful with providing hints on how to install the Exchange Server updates for this month (many thanks to BleepingComputer for this advice):

====================

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28480

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28481

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28482

Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-28483

Remote Procedure Call Runtime Remote Code Execution Vulnerabilities: CVE-2021-28329 , CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339 and CVE-2021-28343

Win32k Elevation of Privilege Vulnerability: CVE-2021-28310

Azure Sphere Unsigned Code Execution Vulnerability: CVE-2021-28460

Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability: CVE-2021-28458

RPC Endpoint Mapper Service Elevation of Privilege Vulnerability: CVE-2021-27091

Windows Media Video Decoder Remote Code Execution Vulnerabilities: CVE-2021-27095 and CVE-2021-28315

Windows Installer Information Disclosure Vulnerability: CVE-2021-28437

Windows NTFS Denial of Service Vulnerability: CVE-2021-28312 (Resolving the issue discussed in this post)

====================

Update: 8th May 2021

The gaming performance issue introduced with the security update kb5001330 is not resolved and does affect more systems that only have single monitors. AMD GPUs also appear to be impacted.

Further Reddit threads discussing this issue are located here and here.

Microsoft have since released a Known Issue Rollback (KIR) update to resolve the performance issues caused by kb5001330.

While some users are confirming that the resolves some of their issues; some issues remain (please also see the Reddit thread I previously linked). I have patched all of my Windows 8.1 and Windows 10 systems. My most powerful Windows 10 system is affected by this performance issue but only in some games, others play fine.

====================

Please note: For Windows 10 systems which use AMD and Nvidia graphics cards; there are reports of stability issues and loss of performance after the Windows 10 Version 20H2 security update kb5001330 is installed. Further details are here, here and here. Please note the prior update mentioned in these links kb5000842 was the April preview update released in late March. Not all systems with Nvidia graphics cards seem to be affected. Some affected systems have the latest models while others have older models. It is not clear if AMD graphics are affected too. At this time; it is unknown when these issues will be resolved.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications below

(I will continue to add to this list).

To all of my readers; I hope you and your families continue to do well during these challenging times. Thank you.

====================
Google Chrome (and a potential privacy issue)
====================

Google has released 2 Chrome updates so far in April version 89.0.4389.128 and 90.0.4430.72 for Linux, Mac and Windows to resolve 2 and 37 security vulnerabilities (respectively).

Another point to note is the initial incorporation of Federated Learning of Cohorts, or FLoC into Chrome. The EFF have published their feedback on this new technology. At this time, Microsoft Edge has not activated it. This is an emerging potential privacy issue. It’s unclear what action to take at this time but it is an item to aware of.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Nvidia
====================

On the 19th April in Nvidia released security updates for its drivers (defined) which power their Geforce, Nvidia RTX, Tesla and Quadro/NVS GPUs as well as updates for Geforce Experience.

Not all drivers updates are available at this time but are in progress and will be released this week (timelines are provided within Nvidia’s security advisory).

As was the case with January’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or Geforce Experience software, please consider installing these updates.

January 2021 Update Summary

Leave a reply

To my readers; I hope you and your families are doing well. Happy New Year.

Today; Adobe and Microsoft released their scheduled security updates earlier today. Adobe’s updates resolve 8 and 83 vulnerabilities (respectively) more formally known as CVEs (defined).

Let’s start with Adobe updates:

Adobe Animate: 1x Priority 3 (1x Critical Severity)
Adobe Bridge: 1x Priority 3 (2x Important Severity)
Adobe Campaign Classic: 1x Priority 2 (1x Critical Severity)
Adobe Captivate: (1x Important Severity)
Adobe Illustrator: 1x Priority 3 (1x Critical Severity)
Adobe InCopy: 1x Priority 3 (1x Critical Severity)
Adobe Photoshop: 1x Priority 3 (1x Critical Severity)

As always; if you use any of the above Adobe products, please consider updating them especially those with critical severity updates.

While it does not appear that Microsoft made an automatic update available to remove Flash Player for Internet Explorer or Microsoft Edge (Legacy) today; you should still consider uninstalling it following the advice in my post from November. Corporate customers and consumers can make use of Microsoft’s manual update to uninstall this version of Flash Player. The other remaining versions are also addressed in that post; if you wish to take further action. Alternatively; simply wait until Microsoft makes the Flash Player uninstaller an automatic update and browser vendors take their scheduled actions later this month.

At the time of writing; Microsoft’s monthly summary; lists Known Issues for 11 Microsoft products this month, similar to last month all but one has a workaround.

In addition to the updates released by Microsoft; for all versions of Windows prior Windows 10 Version 2004; a further security update was released to address a security bypass vulnerability within the Secure Boot of Windows.

According to the above linked to Microsoft support article, if you are updating your Windows system manually, please make certain to install this update in the following order. Systems with automatic updates enabled (the default option) will automatically have the updates installed in the correct order:

Servicing Stack Update
Standalone Secure Boot Update listed in this CVE
January 2021 Security Update

Separately; I was able to confirm that for systems that pre-date Secure Boot (manufactured before 2012) and thus do not have a UEFI (defined) based firmware “While this update doesn’t include any security updates that will benefit your computer, it will address the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX”.

For your information I have installed this update KB4535680 on the following systems without any issues. Secure Boot is enabled on both systems. This update does not apply to my custom Core i9 Extreme system running Windows 10 Version 20H2 64 bit:

Custom PC: Asus Z97-C motherboard (BIOS Version 2103): Windows 8.1 Update (64 bit)

Notebook PC: Lenovo ThinkPad E460 (BIOS Version 1.40): Windows 10 Version 1909 (64 bit)

The custom PC dates from late 2014 and the notebook from late 2016.

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/
====================

For this month’s Microsoft updates, as always I will prioritise the order of installation below:
====================

Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-1647

Microsoft splwow64 Elevation of Privilege Vulnerability: CVE-2021-1648

GDI+ Remote Code Execution Vulnerability: CVE-2021-1665

HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2021-1643

Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability: CVE-2021-1668

Microsoft Edge (HTML-based) Memory Corruption Vulnerability: CVE-2021-1705

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1658

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1660

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1666

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1667

Remote Procedure Call Runtime Remote Code Execution Vulnerability: CVE-2021-1673

I have also provided further details of updates available for other commonly used applications below.

To all of my readers; I hope you and your families are continuing to stay safe during these tough times. Thank you.

====================
Nvidia
====================

====================
Update: 20th April 2021
====================

Nvidia driver version 461.92 and later resolve the stability issues mentioned in this blog post. This driver should be now be installed to address the security issues discussed in this post.

====================
Update: 19th January 2021
====================
It has been reported that this Nvidia driver update is causing instability of some systems. For this reason; I have not installed this on my systems. I will await a later driver which corrects these issues.

Earlier in January Nvidia released security updates for its drivers (defined) which power their Geforce, Nvidia RTX, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).

As was the case with October’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates.

====================
Mozilla Firefox
====================
In the first week of January Mozilla released Firefox 84.0.2 and Firefox ESR (Extended Support Release) 78.6.1 to resolve the following vulnerabilities:

Firefox 84.0.2 and Firefox 78.6.1 ESR: Addresses 1x critical severity CVE

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above change.

====================
VideoLAN VLC
====================
On the 12th of January VideoLAN released version 3.0.12 resolving at least 3 known vulnerabilities. The other non-security improvements introduced are detailed in the above 3.0.12 link and within the changelog.

The most recent versions of VLC can be downloaded from:
http://www.videolan.org/vlc/

====================
Google Chrome
====================
Last week, Google released Chrome version 87.0.4280.141 for Linux, Mac and Windows to resolve 16 security vulnerabilities.

June 2020 Update Summary

Leave a reply

I hope all is well during these challenging times.

Earlier today Adobe and Microsoft released their monthly security updates resolving 10 vulnerabilities and 129 vulnerabilities (respectively). These vulnerabilities are more formally known as CVEs (defined).

Adobe’s updates for this month are as following:
Adobe Experience Manager: 6x Priority 2 CVEs resolved (6x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved, (1x Critical severity)

Adobe Framemaker: 2x Priority 3 CVEs resolved (3x Critical severity)

Adobe After Effects: 5x Priority 3 CVEs resolved (5x Critical severity)

Adobe Audition: 2x Priority 3 CVEs resolved (2x Critical severity)

Adobe Campaign Classic: 1x Priority 3 CVEs resolved (1x Important severity)

Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)

Adobe Premiere Pro: 3x Priority 3 CVEs resolved (3x Critical severity)

Adobe Premiere Rush: 3x Priority 3 CVEs resolved (3x Critical severity)

If you use any of the above Adobe products, especially Adobe Flash Player; please install these updates as soon as possible since both multiple critical vulnerabilities have been resolved.

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

VBScript Remote Code Execution Vulnerability: CVE-2020-1213 , CVE-2020-1216

Microsoft Browser Memory Corruption Vulnerability: CVE-2020-1219

Microsoft SharePoint Server Remote Code Execution Vulnerability: CVE-2020-1181

Scripting Engine Memory Corruption Vulnerability: CVE-2020-1073

Windows GDI+: CVE-2020-1248

Windows OLE: CVE-2020-1281

Windows Shell Remote Code Execution Vulnerability: CVE-2020-1286

Windows Remote Code Execution Vulnerability: CVE-2020-1300

Please install the remaining updates at your earliest convenience.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, I hope you are staying safe during these tough times. Thank you.

====================
Mozilla Firefox
====================
In the first week of June, Mozilla released Firefox 77 and Firefox ESR (Extended Support Release) 68.9 to resolve the following vulnerabilities:

Firefox 77.0: Addresses 4x high severity CVEs, 1x moderate CVE and 2x low CVEs

Firefox 68.9 ESR: Addresses 4x high severity CVEs

====================
Google Chrome
====================
Last week, Google released Chrome version 83.0.4103.97 for Linux, Mac and Windows to resolve 5 security vulnerabilities.

Two further updates were released by Google in June resolving 4 and 2 vulnerabilities respectively. The latest version of Google Chrome in the stable channel is 83.0.4103.116

====================
Intel Security Advisories
====================
Intel have released a series of security advisories today. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the critical and high severity advisories:

Critical:

2020.1 IPU – Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory

High:

2020.1 IPU – Intel SSD Advisory

2020.1 IPU – BIOS Advisory

Intel Innovation Engine Advisory

Medium:

Special Register Buffer Data Sampling Advisory

====================
Nvidia
====================
In late June Nvidia released security updates for its drivers which power their Geforce, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).

As was the case with previous Nvidia security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates. For Windows, this update also brings improved performance and functionality with Windows 10 Version 2004.

=======================
Putty
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.74 in the latter half of June. It contains 2 security fixes (see below). Version 0.74 is downloadable from here.

If you use Putty, please update it to version 0.74. Thank you.

Security vulnerabilities fixed:

====================
VMware
====================
VMware released 4 security advisories to resolve vulnerabilities within the following products:

====================
Advisory 1: Severity: Important:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

Advisory 2: Severity: Important:

VMware Horizon Client for Windows
Advisory 3: Severity: Low

VMware Tools for macOS
Advisory 4: Severity: Critical

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation

====================

If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.

====================
Mozilla Firefox
====================
In the final week of June, Mozilla released Firefox 78 and Firefox ESR (Extended Support Release) 68.10 to resolve the following vulnerabilities:

Firefox 78.0: Addresses 7x high severity CVEs, 4x moderate CVE and 2x low CVEs

Firefox 68.10 ESR: Addresses 4x high severity CVEs and 1x moderate CVE

Firefox 78 introduces a repair option within its uninstaller to attempt to fix issues the browser is experiencing and a refined version of the built-in PDF reader allowing downloaded PDFs to be easily read.

The day after the release of Firefox 78, Mozilla released 78.0.1 to resolve non-security issues:

All search engines are gone, list of one-click search engines is empty now
Auto complete in the address bar doesn’t work any longer
Search function on the start page doesn’t start a search any longer

====================
Google Chrome
====================
Two further updates were released by Google in June resolving 4 and 2 vulnerabilities respectively. The latest version of Google Chrome in the stable channel is 83.0.4103.116

=======================
Apple Security Updates:
=======================
On the 1st of June Apple made available the following updates.

Further details for these updates are as follows:
Apple iOS 13.5.1 and iPadOS 13.5.1 (resolves 1x CVE (defined))
Apple tvOS 13.4.6: Resolves 1x CVE.
Apple watchOS 6.2.6: Resolves 1x CVE
macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003 High Sierra: Resolves 1x CVE.

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

====================
VideoLAN VLC
====================
On the 16th of June VideoLAN released version 3.0.11 resolving at least 3 known CVEs (other vulnerabilities were addressed by upgrading internal 3rd party libraries used by VLC). CVE-2020-13428 however only affected Apple macOS/iOS but was of high severity (CVSSv3 base score (defined) of 7.8).

The most recent versions of VLC can be downloaded from:

http://www.videolan.org/vlc/

February 2020 Update Summary

Leave a reply

Today marks the release of this year’s second wave of scheduled updates from Adobe and Microsoft. 42 vulnerabilities were resolved by Adobe with Microsoft addressing 99 CVEs (defined).

Let’s start with Adobe’s patches first:
====================
Adobe
====================
Adobe Acrobat and Reader: 17x Priority 2 CVEs resolved (12x Critical, 3x Important, 2x Moderate severity)

Adobe Digital Editions: 2x Priority 3 CVEs resolved (1x Critical and 1x Important severity)

Adobe Experience Manager: 1x Priority 2 CVE resolved (1x Important severity)

Adobe Flash Player: 1x Priority 2 CVE resolved (1x Critical severity)

Adobe Framemaker: 21x Priority 3 CVEs resolved (21x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Flash Player, Adobe Acrobat/Reader and Framemaker).
====================

Microsoft’s monthly summary; lists Known Issues for 13 Microsoft products but all have workarounds or resolution steps listed.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Scripting Engine: CVE-2020-0710 , CVE-2020-0711 , CVE-2020-0712 , CVE-2020-0713 , CVE-2020-0767

Internet Explorer: CVE-2020-0674 (this was the zero day (defined) vulnerability reported last month).

Microsoft Edge Chromium: ADV200002

Windows Shell (LNK): CVE-2020-0729

Windows Remote Desktop Client: CVE-2020-0681 , CVE-2020-0734

Windows Hyper-V: CVE-2020-0662

Windows Media Foundation: CVE-2020-0738

Please install the remaining updates at your earliest convenience.

I have also provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
Earlier this month Mozilla released Firefox 73 and Firefox ESR (Extended Support Release) 68.5 to address the following vulnerabilities:

Firefox 73.0: Resolves 3x high severity CVEs and 3x moderate severity CVEs

Firefox ESR 68.5: Resolves 2x high severity CVEs and 3x moderate severity CVEs

Firefox 73 brings the following minor features listed below:

A global zoom level configured from the settings menu
Opt-in notification when the use of virtual reality is being requested
A new DNS over HTTP (DoH) (defined) provider was added within Firefox. The new provider, NextDNS can be selected as follows: Select Options -> General -> Network Settings. Scroll down and place a tick/check in the ‘Enable DNS over HTTPs’ box and finally choose from NextDNS as a DoH provider.

====================
Google Chrome
====================
Google made available a security update in early February; resolving 56 vulnerabilities bringing Google Chrome to version 80. A further 2 updates on the 11th and 13th were also released but are not security updates.

Version 80 of Chrome also brings changes to how it handles cookies (defined). Specifically, restricting them to first party access by default and requiring website developers to specify within their code which cookies are allowed to work across websites. In addition, 3rd party cookies will then only be sent over HTTPS. This change was initially announced by Google in May 2019. As Google states “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default”. Further advice to developers is available in this video.

Separately in late February Google released Chrome version 80.0.3987.122 to address 3 security vulnerabilities, the most severe being a zero day (defined) vulnerability designated CVE-2020-6418 which is a type confusion vulnerability within Chrome’s JavaScript (defined) and Web Assembly (defined) engine known as V8.

====================
Realtek Audio/Sound Card Drivers
====================
In early February, the hardware manufacturer Realtek released an updated audio/sound card driver. This driver addressed a security vulnerability that requires an attacker to have already compromised your Windows system and to have obtained administrative privileges. More information on this vulnerability is available from the security researchers who responsibly disclosed (defined) it to Realtek. The vulnerability has been assigned CVE-2019-19705 by Mitre.

This vulnerability is a DLL search-order hijacking vulnerability (defined) which if exploited could allow an attacker to download and run a malicious executable file on your system. They also have the ability to achieve persistence on your system namely that any malware they install will remain on your system after it is shutdown or restarted.

If your system uses a Realtek audio device (use Windows Device Manager and expand the category named “Sound, video and game controllers” looking for a device with Realtek in its name), please refer to the manufacturer of your desktop, laptop or motherboard for a driver update. If no driver is available, please contact them to request that a driver be made available. As per Realtek’s security advisory, drivers with versions later than 1.0.0.8856 (legacy , non DCH (what is the difference between DCH and standard drivers?) are not vulnerable.

====================
Nvidia
====================
On the 28th of February Nvidia released security updates for its drivers which power their Geforce, Tesla and Quadro/NVS GPUs as well and updates for its vGPU software (for Linux, Windows, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Nutanix AHV). Not all updates for the vGPU software are available at this time but are in progress and will be released over the coming weeks (timelines are provided within Nvidia’s security advisory).

As was the case with November’s security updates all of these vulnerabilities are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use the affected Nvidia graphics cards or software, please consider installing these updates.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories.

High
Intel CSME Advisory (Intel Management Engine (ME) Firmware)

Medium
Intel RWC3 Advisory
Intel RWC2 Advisory
Intel MPSS Advisory
Intel Renesas Electronics USB 3.0 Driver Advisory

Low
Intel SGX SDK Advisory

====================
VMware
====================
In the latter half of February, VMware released a critical security advisory to address vulnerabilities within the following product:

vRealize Operations for Horizon Adapter

If you use VMware vRealize Operations for Horizon Adapter, please install the applicable security updates (depending upon which version of this product you are using) as soon as possible.

====================
Wireshark
====================
In the final week of February, updates were released for Wireshark (I’ll detail only the 2 most recent versions here):

v3.2.2: Relating to 4 security advisories (relating to 4 CVEs)

v3.0.9: Relating to 3 security advisories (relating to 3 CVEs)

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.2 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

August 2019 Update Summary

Leave a reply

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS): CVE-2019-1181 CVE-2019-1182 CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144 CVE-2019-1152 CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

May 2019 Update Summary

Leave a reply

====================
Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks; updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.
====================

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs (defined) with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4493730 Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440 Windows 10, version 1607, Windows Server 2016

4494441 Windows 10, version 1809, Windows Server 2019

4497936 Windows 10, version 1903

4498206 Internet Explorer Cumulative Update

4499151 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154 Windows 10

4499158 Windows Server 2012 (Security-only update)

4499164 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165 Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167 Windows 10, version 1803

4499171 Windows Server 2012 (Monthly Rollup)

4499179 Windows 10, version 1709

4499180 Windows Server 2008 Service Pack 2 (Security-only update)

4499181 Windows 10, version 1703

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924 , CVE-2019-0927 , CVE-2019-0922 , CVE-2019-0884 , CVE-2019-0925 , CVE-2019-0937 , CVE-2019-0918 , CVE-2019-0913 , CVE-2019-0912 , CVE-2019-0911 , CVE-2019-0914 , CVE-2019-0915 , CVE-2019-0916 , CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
3 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 7.7 have been resolved within Nvidia’s graphics card drivers (defined) in May. These vulnerabilities affect Windows only. All 3 are local vulnerabilities rather than remote meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
VMware
=======================
VMWare has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability (defined)

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates as they become available for your systems as they become available in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.

February 2019 Update Summary

Leave a reply

Earlier today Microsoft made available 13 bulletins and 3 advisories resolving 74 vulnerabilities (more formally known as CVEs (defined)) respectively. As always more details are available from Microsoft’s monthly summary page.

Also today Adobe released scheduled updates for the products listed below addressing 75 CVEs in total:

Adobe Acrobat and Reader: 71x priority 2 CVEs resolved (43 of the 75 are Critical, the remainder are Important severity)

Adobe ColdFusion: 2x priority 2 CVEs resolved

Adobe Creative Cloud Desktop Application: 1x priority 3 CVE resolved

Adobe Flash Player: 1x priority 2 CVE resolved

If you use the affected Adobe products; due to the public disclosure (defined) of CVE-2019-7089 as a zero day (defined) vulnerability, please install the Adobe Acrobat and Reader updates first followed by Flash Player and the remaining updates. I provide more detail on the zero day vulnerability in a separate post.

As we are accustomed to Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates or for which workarounds are provided. They are listed below for your reference:

4345836
4471391
4471392
4483452
4486996
4487017
4487020
4487026
4487044
4487052

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Microsoft GDI+

Scripting Engine (CVE-2019-0590 , CVE-2019-0591 , CVE-2019-0593 , CVE-2019-0640 ,
CVE-2019-0642 , CVE-2019-0648 , CVE-2019-0649 , CVE-2019-0651 , CVE-2019-0652 , CVE-2019-0655 , CVE-2019-0658)

Windows DHCP

Microsoft Exchange

Microsoft SharePoint and CVE-2019-0604

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
8 security vulnerabilities with the most severe having a CVSS V3 (defined) base score of 8.8 have been resolved within Nvidia’s graphics card drivers (defined) in February. These vulnerabilities affect Linux FreeBSD, Solaris and Windows. The steps to install the drivers are detailed here (and here) for Ubuntu and here for Linux Mint. Windows install steps are located here. If you use affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
7-Zip:
=======================
In the 3rd week of February; 7-Zip version 19.00 was released. While it is not designated as a security update; the changes it contains appear to be security related. While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. Directory Opus version 12.2.2 Beta includes version 19.00 of the 7-Zip DLL.

If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from these improvements.

=======================
Changes:
=======================
– Encryption strength for 7z archives was increased:
the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved.
– Some bugs were fixed.
=======================

If you are using the standalone version and it’s older than version 19, please consider updating it.

=======================
Mozilla Firefox
=======================
In mid-February Mozilla issued updates for Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65.0.1: Resolves 3x high CVEs (defined)

Firefox 60.5.1: Resolves 3x high CVEs

As always; details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from changes such as improvements to Netflix playback, color management on Apple macOS and resolving audio/video delays during WebRTC calls etc.

=======================
Wireshark 3.0.0, 2.6.7 and 2.4.13
=======================
v3.0.0: 0 security advisories (new features and benefits discussed here and here)

v2.6.7: 3 security advisories

v2.4.13: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.0.0, v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Note: from this post onwards, I will only report on the most recent (v3.0) and previous branches (v2.6) of Wireshark.

Thank you.

January 2018 Update Summary

Leave a reply

====================
Update: 31st January 2018:
Please scroll down in this post to view more recent software updates available since the original posting date of the 16th of January 2018. Thank you.
====================

Last Tuesday Microsoft released their routine security updates to address 56 vulnerabilities more formally known as CVEs (defined). Further details are provided within Microsoft’s Security Updates Guide.

This month there are 11 knowledge base articles detailing potential issues (many of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

====================

Separately Adobe released Flash Player v28.0.0.137 to address a single priority 2 CVE.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For January’s Microsoft updates, I will prioritize the order of installation below. I will discuss this month’s out of band (outside of the regular schedule) patches for Meltdown and Spectre in a separate blog post; the relevant CVEs are still listed below. A useful list of all CVEs for this month is present here:

====================
CVE-2017-5753 – Bounds check bypass (known as Spectre Variant 1)

CVE-2017-5715 – Branch target injection (known as Spectre Variant 2)

CVE-2017-5754 – Rogue data cache load (known as Meltdown Variant 3)

CVE-2018-0802: Microsoft Office zero day (similar to Novembers Office equation editor vulnerability)

Microsoft Office (18 further CVEs)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

For this month; please take extra care with your back up to ensure you can restore your systems should you wish to revert your systems prior to installing the Meltdown and Spectre patches should you wish to uninstall the Security only bundle of updates or the updates are causing your system to become unstable.

Thank you.

=======================
Wireshark 2.4.4 and 2.2.12
=======================
v2.4.4: 3 CVEs (defined) resolved

v2.2.12: 4 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.4) or v2.2.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Update: 24th January:
====================
Oracle:
====================
Oracle have resolved 237 vulnerabilities with the security updates they have made available this month. Further details and installation steps are available here. Within the 237 vulnerabilities addressed, 21 vulnerabilities were addressed in the Java runtime. 18 of these 21 are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Particular priority should be given to Oracle WebLogic Server and PeopleSoft due to documented incidents of attackers using such installations for crypto currency mining with one such incident resulting in more than USD $226,000 being mined. Further details are available in the following blog post from security vendor Onapsis.
=======================

=======================
Further updates released in January:
=======================
VMware Updates:
=======================
In early January; VMware issued security updates to address the Meltdown and Spectre vulnerabilities within some of their products. Another advisory was also released later in January. The affected products/appliances are listed below. For virtual machines used with VMware Fusion and VMware Workstation, the steps listed within this knowledge base article should also be followed.

Please review the above linked to security advisories and knowledge base article and apply the necessary updates and mitigation steps.

Affected products/appliances:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

=======================
Mozilla Firefox:
=======================
In January Mozilla issued security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 57.0.4 (2 mitigations added)

Firefox 58: 3x critical, 13x high, 13x moderate, 2x low CVEs

Firefox 58.0.1: 1x critical CVE

Firefox ESR 52.6: 1 high CVE

Firefox ESR 52.6: 2x critical, 8x high, 1x moderate

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
In late January an update for Google Chrome was made available which included 53 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
7-Zip
=======================
In late January a security researcher located 2 vulnerabilities within 7-Zip. He reported them to the developer Igor Pavlov who very quickly released an updated version; v18.00 Beta. This has since been updated to 18.01 Stable to fix further issues (NOT security related).

The alternative Windows file manager Directory Opus will include the updated 7-Zip DLL (defined) within their next release. Their current beta already contains these fixes.

While 7-Zip does not have many vulnerabilities discovered within it (which has both advantages and disadvantages), there appears to be an increasing emphasis on it since it is used by anti-malware software and other applications e.g. VMware Workstation. Thus when a security update is issued; all of this software should eventually include the fixes. This occurred last year with the release of 7-Zip 16.00 to resolve 2 other security vulnerabilities.

Separately, Malwarebytes updated their Anti-Malware product to version 3.4.4 to update the 7-Zip DLL (defined) within it. Further details are available in my March 2018 Update Summary blog post.

If you use 7-Zip, please ensure it is updated to resolve both this year’s vulnerabilities and last year’s vulnerabilities (if you hadn’t already installed version 16 or later). Please also update Malwarebytes Anti-Malware or Directory Opus if you use them.

=======================
Nvidia Geforce Drivers:
=======================
This driver update applies to Linux, FreeBSD, Solaris and Windows and mitigates the Meltdown security vulnerability (CVE-2017-5753). While Nvidia’s GPUs are not vulnerable to Meltdown or Spectre, the GPUs interaction with an affected CPU has the potential for exploitation.The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post. More details about the Meltdown and Spectre vulnerabilities are available in this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.8.20 (Build 292). This update resolves 2 vulnerabilities relating to libraries (defined) the tool uses namely zlib and libpng. Any previous version of the tool should update automatically when opened to the most recent version.

October 2017 Security Updates Summary

Leave a reply

As scheduled Microsoft released their monthly security updates earlier today. They address 62 vulnerabilities; more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there are 4 Known Issues (kb4041691, kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.

====================

Update: 18th October:

On the 16th of October Adobe released Flash Player v27.0.0.170 to address a critical zero day (defined) vulnerability being exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives)). The BlackOasis APT group are believed to operate in the Middle East. The group is using malicious Microsoft Office documents with embedded ActiveX controls which contain the necessary Flash exploit. This exploit later installs the FinSpy malware.

Please install this update as soon as possible for any device with Flash Player installed. Google Chrome has already automatically received the update while earlier today Windows 8.1 and Windows 10 began receiving it.

As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Microsoft Office Vulnerability : CVE-2017-11826 : While not critical severity since it is already being exploited by attackers namely a zero day (defined) vulnerability.

Windows DNS Vulnerabilities: Further details provided within this news article

Windows Search Service (CVE-11771): affects Windows 7 up to and including Windows 10

Windows Font Vulnerabilities: CVE-2017-11762 and CVE-2017-11763

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Nvidia Geforce Drivers:
=======================
This update (released in September 2017) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Google Chrome:
=======================
Google Chrome: includes 35 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Wireshark 2.4.2 and 2.2.10
=======================
v2.4.2: 5 CVEs (defined) resolved

v2.2.10: 3 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.2) or v2.2.10). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Oracle:
=======================
This month Oracle resolved 250 vulnerabilities. Further details and installation steps are available here. Within the 250 vulnerabilities addressed, 22 vulnerabilities were addressed in the Java runtime.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
=======================

July 2017 Security Updates Summary

Leave a reply

Earlier today as expected Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved a relatively large number of vulnerabilities at 54 in total more formally known as CVEs (defined). However it’s less than last month at 94. These are detailed within Microsoft’s new Security Updates Guide.

After 2 months of updates being released for versions of Windows which were no longer supported, this month is a return to the usual expected patches.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog which I routinely referenced is no longer available.

====================

Adobe made available just two security bulletins for the following products:

Adobe Connect (priority 3, 2x important and 1x moderate CVE)

Adobe Flash (priority 1, 1x critical, 2x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Edge and Internet Explorer

NT LAN Manager Elevation of privilege (CVE-2017-8563)(Corporate users: please ensure to set a more secure LDAP setting as per this knowledge base article)

Windows Explorer (CVE-2017-8463)
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Note: This post marks the 300th post on this blog. Thank you very much to my readers and here’s to the next 300!

=======================
Update:8th August 2017:
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 9 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Putty:
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.70 in early July. It contains 1 security fix and 2 non-security bug fixes (see below). It is downloadable from here.

=======================
Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even a name we missed when we thought we’d fixed this in 0.69. See vuln-indirect-dll-hijack-3.
=======================

If you use Putty, please update it to version 0.70. Thank you.

securityinaction

A blog dedicated to sharing security best practice advice for organisations and individuals.

Tag Archives: Nvidia Tesla

April 2021 Update Summary

January 2021 Update Summary

June 2020 Update Summary

February 2020 Update Summary

August 2019 Update Summary

May 2019 Update Summary

February 2019 Update Summary

January 2018 Update Summary

October 2017 Security Updates Summary

July 2017 Security Updates Summary