Tag Archives: OpenSSL

August 2018 Update Summary

Today Microsoft released updates to resolve 63 vulnerabilities (more formally known as CVEs (defined)).

This month also brings a new set of vulnerabilities affecting only Intel CPUs. I detail these more thoroughly in a separate post. However high level details are provided below.

Compared to previous months updates these have a smaller list of known issues (most of which have workarounds). Links to the relevant knowledge base (KB) articles are provided below:

KB4340731

KB4340733

KB4343885

KB4343892

KB4343897

KB4343900

KB4343909

====================

Adobe also released update for the following products:

Adobe Acrobat and Reader DC (priority 2, 2x CVEs)

Adobe Creative Cloud Desktop (priority 3, 1x CVE)

Adobe Experience Manager (priority 2, 3x CVEs)

Adobe Flash (priority 2, 5x CVEs)

As always if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash and Acrobat DC/Reader DC. Updates for Google Chrome will be available shortly either via a browser update or their component updater.

Please also review the out of band updates for Photoshop CC and Creative Cloud Desktop and apply them if you use these products.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Font Library

Malicious LNK File

Microsoft Exchange

Foreshadow (L1TF) Vulnerabilities: Allow information disclosure via speculative execution; are only locally executable (rather than remotely). This vulnerability may allow one virtual machine to improperly access information from another. More details in my dedicated blog post.

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Nvidia Geforce Experience Software:
=======================
In late August, Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 3 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be obtained from here.

=======================
VideoLAN VLC:
=======================
On the final day of August, VideoLAN made available VLC 3.0.4. This appears to be a security update for Apple macOS due to the following entries within the releases notes (however it is unclear if this overflow is exploitable by an attacker):

=======================
Text renderer:
* Fix head buffer overflow on macOS with some fonts
=======================

For Linux and Windows this version provides fixes numerous non-security issues. Please update to version 3.0.4 to benefit from these improvements.

=======================
Wireshark 2.4.9 and 2.6.3
=======================
v2.4.9: 3 security advisories

v2.6.3: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.3) or v2.4.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
WinSCP:
=======================
In late August; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2p (which addresses 2x low severity CVEs (Link1 and Link2).

=======================
OpenSSL
=======================
On the 12 June and 16th April 2018; the OpenSSL Foundation issued 2 updates for OpenSSL to address 2x low severity security vulnerabilities as detailed in these security advisories (Link1 and Link2). To resolve these issues please update your OpenSSL installations to 1.1.0i (released 14th August) or 1.0.2o (released 14th August) (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued two security advisories for the following products during August:

Security advisory 1 (addresses 1 vulnerability of Important severity):

  • VMware Horizon 6
  • VMware Horizon 7
  • VMware Horizon Client for Windows
  • VMware Horizon View Agent
  • VMware Horizon Agents Installer (HAI)

Security advisory 2 (addresses 1 vulnerability of Critical severity):

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

June 2018 Update Summary

=======================
Update: 12th June 2018:
=======================
As scheduled Microsoft released their monthly security updates earlier today resolving 50 vulnerabilities. Further details are available within their Security Updates Guide.

In addition; there are 5 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4284819
4284835
4284826
4284867
4284880

====================
Adobe have not released any further updates since their out of band (un-scheduled) update last week.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page.
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here courtesy of BleepingComputer:
====================

CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability (a zero day (defined) vulnerability disclosed last month)

Microsoft Edge and Internet Explorer (similar to many other months; multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability

CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability (especially if your server hosts a Microsoft IIS installation)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Original Post:
=======================
I usually write this post on or very shortly after Update Tuesday (the second Tuesday) of the month but with an Adobe Flash zero day vulnerability (defined) already patched and given that Mozilla have also released an update this month; I felt an earlier post would be appropriate.

I’ll update this post as further updates are made available. Thank you.

=======================
Mozilla Firefox:
=======================
Early in June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

6th June: Firefox 60.0.2 and Firefox ESR 52.8.1 and Firefox ESR 60.0.2: Resolves 1x high CVE (defined). This was a heap buffer overflow.

Further details of the security issues resolved by these updates are available in the link above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

In the final week of June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

=======================
26th June:
=======================
Firefox 61: Resolves 6x critical CVEs (defined), 5x high CVEs, 6x moderate CVEs, 1x low CVE

Firefox ESR 60.1: Resolves 5x critical CVEs, 4x high CVEs and 6x moderate CVEs.

Firefox ESR 52.9: Resolves 2x critical CVEs, 4x high CVEs, 3x moderate CVEs.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
=======================

=======================
Update: 19th June
=======================
=======================
Apple Security Updates: Update: 19th June
=======================
Following Apple’s release of security updates in the final days of May; they have made available further updates detailed below:

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan: Resolves 39x CVEs (defined)

Safari 11.1.1: Resolves 14x CVEs

Apple iCloud for Windows (version 7.5): Resolves 17x CVEs

Apple Xcode version 9.4.1: Resolves 2x CVEs

Apple SwiftNIO 1.8.0: Resolves 1 CVE (For your reference: What is Apple SwiftNIO?)

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Please find below summaries of other notable updates released this month.

Thank you.

=======================
F-Secure Security Products:
=======================
As mentioned in a previous post; 7-Zip has been updated to version 18.05 to resolve a vulnerability in it’s RAR packing code. The F-Secure products listed in this security advisory utilise this 7-Zip DLL (defined) and are thus being updated for the same reason.

If you use these F-Secure products, please install this critical update as soon as possible.

=======================
Google Chrome:
=======================
Google released Google Chrome version 67.0.3396.87 to address 1 vulnerability.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMWare issued updates for the following products on the 11th and 28th of June to address 1 and 3 vulnerabilities respectively:

11th June:

  • VMware AirWatch Agent for Android (A/W Agent)
  • VMware AirWatch Agent for Windows Mobile (A/W Agent)

26th June:

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

Please review the above linked to security advisories and apply the necessary updates if you use these products.

=======================
OpenSSL
=======================
On the 12th of June; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Intel Lazy Floating Point Vulnerability:
=======================
Please see my separate post for details.

April 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Engine. Further details are available in this separate blog post.

Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4073119

kb4093112

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
On Tuesday, 10th April Microsoft made available their scheduled security updates to resolve 63 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

There are 3 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4093112

4093118

4093108

====================

Alongside these updates; Adobe released updates for the following products:

Adobe ColdFusion (priority 2, 5x CVEs)

Adobe Digital Editions (priority 3, 2x CVEs)

Adobe Experience Manager (priority 3, 3x CVEs)

Adobe Flash Player v29.0.0.140 (priority 2, 6x CVEs)

Adobe InDesign CC (priority 3, 2x CVEs)

Adobe PhoneGap Push Plugin (priority 3, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Graphics Component consisting of the following 6 CVEs:

CVE-2018-1009

CVE-2018-1010

CVE-2018-1012

CVE-2018-1013

CVE-2018-1015

CVE-2018-1016

Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability : described in more detail here.

====================

Separately AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================

=======================
Apple Security Updates:
=======================
In late April Apple released updates for Safari, macOS and iOS:

Apple iOS v11.3.1

Apple Safari v11.1

Apple macOS High Sierra v10.13.4

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
7-Zip 18.05
=======================
In late April; version 18.05 of 7-Zip was made available resolving one security vulnerability in it’s RAR packing code. Further details are provided in this linked to blog post.

Other highlights include the inclusion of ASLR on the 32 bit version and high entropy (HE)(defined here and here) ASLR (defined) on the 64 bit version. While the above blog post mentions HEASLR is not enabled, when I tested it with Process Explorer it was showing HEASLR as enabled. That blog post also describes how to add Arbitrary Code Guard (ACG) (defined) protection for 7-Zip on Windows 10. Version 18.01 and later also come with Data Execution Prevention (DEP)(defined here and here).

While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from the resolved vulnerability and the new mitigations.

=======================
Wireshark 2.4.6 and 2.2.14
=======================
v2.4.6: 10 security advisories

v2.2.14: 8 security advisories

The security advisory wnpa-sec-2018-24 applicable to both of the above versions resolves 10 memory leaks (defined).

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.6) or v2.2.14). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
Wireshark 2.6.0
=======================
While this update is not listed as a security update; it is the latest version of Wireshark within the Stable release channel. The older 2.4.x version did not receive a further update. It is very likely version 2.6 will be required to receive future security updates. Further details are available in the release notes of version 2.6. If possible, please consider upgrading to this version in the near future.

Further installation tips are provided above (as per version 2.4.6 and 2.2.14).

=======================
Oracle:
=======================
Oracle issued updates to resolve 254 vulnerabilities. Further details and installation steps are available here. 14 vulnerabilities affect the Java runtime. 12 of these are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
OpenSSL
=======================
In mid April; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
A Closer Look at CVE-2018-0950
=======================
While Microsoft have addressed the vulnerability designated as CVE-2018-0950 (defined) this month; Will Dormann, a security researcher with the CERT Coordination Center has demonstrated further mitigations (defined) you may wish to take. These mitigations (listed at the end of his in-depth discussion) will better defend your system(s) against a variant of this vulnerability which still remains relatively easy for an attacker to exploit.

Thank you.

March 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Protection Engine. Further details are available in this separate blog post.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
Last Tuesday Microsoft began distributing their scheduled security updates to resolve 74 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

This month there are 12 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4088787

4088782

4088776

4088786

4088779

4088876

4088879

4088875

4088878

4089344

4089229

4090450

====================

In addition to these updates; Adobe released updates for the following products:

Adobe Connect (priority 3, 2 CVEs)

Adobe Dreamweaver CC (priority 3, 1 CVE)

Flash Player v29.0.0.113 (priority 2, 2 CVEs)

Non-Microsoft browsers should update automatically e.g. Google Chrome released an update on Tuesday which includes the new Flash Player. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out very soon):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Windows Shell (CVE-2018-0883)

CredSSP (CVE-2018-0886): Please also enable the Group Policy setting to fully mitigate this issue. Further updates will be made available in subsequent months.

Microsoft Office (consisting of CVE-2018-0903 and CVE-2018-0922)

====================

Similar to last month additional updates for Spectre vulnerability were made available for Windows 10 Version 1709. Further updates are planned and will be listed in this knowledge base article.

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

===============

=======================
Mozilla Firefox:
=======================
This month Mozilla issued 3 sets of security updates for Firefox and Firefox ESR (Extended Support Release):

16th March: Firefox 59.0.1: Resolves 2x critical CVEs (1 of which originated from Pwn2Own 2018).

13th March: Firefox 59: Resolves 2x critical CVEs, 4x high CVEs, 7x moderate CVEs, 5x low CVEs

13th March: Firefox ESR 52.7: Resolves 2x critical, 3x high CVEs, 2x moderate CVEs

26th March: Firefox 59.0.2: Resolves 2x high severity CVEs

26th March: Firefox 52.7.3 ESR: Resolves 1x high severity CVE

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Malwarebytes Anti-Malware
=======================
Earlier this month Malwarebytes made available version 3.4.4 of their anti-malware product. While the update provides stability and performance improvements it also updates the 7-Zip DLL (defined) within it to version 18.01.

Please install this update using the steps detailed in this Malwarebytes forum post. Further details of the improvements made are available in this BleepingComputer article.

=======================
Google Chrome:
=======================
This month Google made available 4 updates for Google Chrome; one in early March and the other in mid-March. The more recent updates resolves 45 security issues while the update from the 20th of March resolves 1 security issue.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Nvidia Geforce Drivers:
=======================
This update (released on the 28th of March 2018) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
OpenSSL
=======================
On the 27th of March; the OpenSSL Foundation issued 2 updates for OpenSSL to address 1x moderate security vulnerability and 2x low severity issues as detailed in this security advisory. To resolve these issues please update your OpenSSL installations to 1.1.0h or 1.0.2o (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued update for the following products on the 15th of March to address one important severity security vulnerability:

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Please review this security advisory and apply the necessary updates.

=======================
Apple security updates:
=======================
In the final week of March Apple made available security updates for the following products:

=======================
Apple tvOS 11.3

Apple iOS 11.3

Apple watchOS 4.3

Apple Safari 11.1

Apple macOS High Sierra 10.13.4, Sierra and El Capitan

Apple iTunes 12.7.4 for Windows

Apple iCloud for Windows 7.4
=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
WinSCP
=======================
In late March; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2o (which addresses 1x moderate CVE).

December 2017 Update Summary

Earlier this month Microsoft closed out the year with a small number of security updates. They resolved 32 vulnerabilities. Further details are provided within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

No Known Issues were listed as occurring for this months update.

====================

Meanwhile Adobe also completed their yearly updates with a single update for Flash Player resolving a single priority 2 CVE (defined).

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For December Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Important severity:

Windows RRAS (Routing and Remote Access) Service Remote Code Execution Vulnerability

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware AirWatch Console and other VMware Products
=======================
A security advisory for VMware AirWatch Console to address a moderate security vulnerability was made available in December. A further security advisory to address 4 important vulnerabilities within the products listed below was also published:

  • ESXi
  • vCenter Server Appliance
  • Workstation
  • Fusion

=======================
Google Chrome:
=======================
An update for Google Chrome included 37 security fixes while a second update included 2 further fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple security updates:
=======================
During the first half of December Apple made available security updates for the following products:

=======================

Apple tvOS 11.2 and 11.2.1

Apple iOS 11.2 and 11.2.1

Apple watchOS 4.2

Apple Safari 11.0.2

Apple macOS High Sierra 10.13.2, Sierra and El Capitan

Apple iTunes 12.7.2 for Windows

AirPort Base Station Firmware Update 7.6.9 and AirPort Base Station Firmware Update 7.7.9

Apple iCloud for Windows 7.2

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here. Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Mozilla Firefox and Firefox ESR
=======================
During December Mozilla released security updates for Firefox and Firefox ESR (Extended Support Release) raising their version numbers to 57.0.2 and 52.5.2 respectively.

  • Firefox 57.0.2 resolves 1 CVE
  • Firefox ESR 52.5.2 resolves 2 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57.0.2
Firefox 52.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
VideoLAN VLC:
=======================
In early December VideoLAN made available version 2.2.8 of VLC for Linux, Apple macOS  and Windows. It addresses 4 security vulnerabilities (3 of which were addressed in 2.2.7). If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

=======================
WinSCP
=======================
In mid-December; WinSCP version 5.11.3 was released upgrading it’s embedded OpenSSL version to 1.0.2n (which addresses 1x moderate and 1x low severity CVEs).

Google offers financial and technical support to open source projects

Early last week Google shared their results after beginning a project to fuzz (defined) test open source software (defined). Their project is currently processing 10 trillion test cases per day. Open source projects involved in this initiative include GNUTLS, BoringSSL, FFMpeg, JSON, Libpng, LibreOffice, LibSSH, OpenSSL and Wireshark (among many well-known others).

What is the purpose of their project?
The purpose of fuzzing is to repeatedly and thoroughly test how robust/secure the code of the enrolled open source projects is. More than 1000 bugs have found so far (approximately 264 of which were potential security vulnerabilities).

As Google points out, this also helps to increase the reliability of the software being created since regressions (defined) are fixed within hours before they ever affect a user. Another aspect of this is other software bugs e.g. logic errors can be detected and corrected sooner.

In return for a project signing up to this initiative, Google have pledged to provide extra funding:

  1. $1,000 USD for initial integration of the OSS-Fuzz tests into their development process
  2. Up to $20,000 USD for ideal integration (an itemised list of how this figure is obtained is detailed here).

How this project become to be developed?
I have mentioned the Core Infrastructure Initiative (CII) on this blog before. This fuzzing project was created with assistance from the CII to benefit projects critical to the global IT infrastructure. This project is in progress alongside Project Wycheproof (with its objective to strengthen cryptographic implementations by having new implementations pass a series of tests to verify they are not affected by these particular implementation issues being checked for).

How does this project help the wider industry/community?
With projects such as those mentioned above used by large corporations, small business and consumers alike; the regular feature/security updates we all receive make these projects more stable and secure than they otherwise would be. The outcomes will be very similar to that of Pwn2Own.

With these benefits for the projects as well as all of their users, I hope projects such as this continue and expand in scope as time progresses.

Thank you.

OpenSSL Heartbleed persists on 200,000 systems/devices

April 2014 saw the worldwide public disclosure of the Heartbleed vulnerability (a difficult to detect and easy to exploit information disclosure issue) within the open source OpenSSL encryption library. Almost 3 years on, approximately 200,000 servers/devices remain vulnerable.

Shodan, the search engine that can detect vulnerable devices connected to the internet released these findings in their Heartbleed report during the weekend of January 21. The report highlights approximately 52,000 Apache web servers with version numbers 2.2.2 and 2.2.15 remain critically vulnerable. Amazon Web Services and Verizon Wireless were the largest hosts of these vulnerable systems with the United States being the location for the most vulnerable internet service providers (ISPs). Another significant finding of the report is that many organizations/businesses are unware their physical and virtual servers are vulnerable.

How Can I Protect Myself from This Vulnerability?
If you or someone in your organisation uses physical or virtual servers, please ensure these servers have all vendor security updates installed, specifically updates from OpenSSL. Unsupported web servers (physical or virtual) or software (which uses the OpenSSL libraries) should be upgraded/replaced. Moreover, OpenSSL versions prior to 1.0.2 are no longer supported; please upgrade to version 1.0.2 or 1.1.0.

Due to the increasing numbers of devices connected to the internet, organizations and individuals need to be aware if their devices or software are vulnerable. For example, earlier this month vulnerable MongoDB, Elastic Search, Hadoop and CouchDB servers. Any software that connects to the internet especially VPN (Virtual Private Network) (defined) software may be vulnerable to the Heartbleed vulnerability.

Thank you.

=======================
Aside:
=======================
What is Shodan?
Shodan was originally created as a project in 2003 by a computer programmer John Matherly who launched the Shodan website in 2009. It is named after the enemy AI of the System Shock series of video games.

It is a search engine like Google, Bing and Yahoo but it isn’t searching for websites that best match the text that we enter. Instead it indexes and categorizes all devices connected to the internet. It does this by searching for and interpreting their banner e.g. Apache 2.4.3, OpenSSL/1.0.1c PHP/5.4.7

It is usually webservers that use such banners but many devices (e.g. FTP and mail servers) use banners to describe the services they offer, what operating system they are using e.g. Red Hat/Linux and the ports they have open e.g. 80 for HTTP, 443 for HTTPS, 21 for FTP, 25 for SMTP, 23 for Telnet, 22 for SSH etc. For example, we use ports 80 and 443 everyday as well port 25 for email.

What can it be used for?

  • Shodan can be used to detect the types of devices on your network and what types of ports (entry points to and from those devices) they are using. This is good to know since you can then better secure them against possible attack. Shodan can also be used to look for and access any device that is poorly configured namely that it allows access to it’s configuration/admin page from the Internet.
  • You can also use it to check if there are any unknown devices on your devices that arrived through social engineering e.g. a new router/access point in a conference room or shadow IT (devices installed by staff without the knowledge of the IT team).