Tag Archives: Oracle

April 2017 Security Updates Summary

As expected, earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s set of updates is much lighter in volume this month, addressing 45 vulnerabilities, more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Update Guide.

This month sees four known issues listed for this month’s updates, all relating to systems with AMD Carrizo processors, on which the update causes an issue that prevents the installation of future Windows updates. Microsoft states in all four knowledge base articles (listed below) that it is aware of this issue and is working to resolve it in an upcoming update:

KB4015549
KB4015546
KB4015550
KB4015547

At the time of writing, the IT Pro Patch Tuesday blog does not list any known issues (although it has not been updated since November 2016; I’m unsure why).

====================
Adobe issued five security bulletins today affecting the following products:

Adobe Campaign (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)
Adobe Acrobat and Reader (47x priority 2 CVEs)
Adobe Photoshop (2x priority 3 CVEs)
Adobe Creative Cloud Desktop (2x priority 3 CVEs)

The priority ratings are explained at this link. Depending on which version of Flash Player you have (the standalone player, or the copy built into Internet Explorer 11 and Microsoft Edge on Windows 8 and later, which Microsoft updates itself), please review the Adobe security bulletin or the Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most of your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update-related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

=======================
Update: 8th May 2017:
=======================
I wish to provide information on other notable updates from April 2017 that I would recommend you install if you use these software products:

=======================
Skype: although the update to version 7.34.0.102 was released in March, details of the vulnerability it addressed were not made public until April.
=======================

=======================
PuTTY 0.69: although released in March, it contains important security changes. It is downloadable from here.
=======================

=======================
Wireshark 2.2.6 and 2.0.12
=======================
As usual, Linux distributions can obtain this update through the operating system’s standard package manager (if the package manager does not yet offer the latest version, you can instead compile the source code of v2.2.6 or v2.0.12). This forum thread and this forum thread may also be helpful when installing Wireshark on your Linux-based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Oracle:
=======================
A record 299 vulnerabilities were addressed by Oracle’s updates in April. Further details and installation steps are available here. A useful summary post from Qualys is here. Of the 299 fixes, 8 addressed vulnerabilities in the Java runtime.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
=======================

=======================
Mozilla Firefox:
=======================
Firefox 53.0 and Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 45.9 and Firefox ESR 52.1.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: the April release includes 29 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the menu button in the upper right corner of the window (three vertical dots in current versions; older versions showed three stacked horizontal lines, the “hamburger” button) and choosing “About Google Chrome” (in newer versions it sits under the “Help” submenu). Follow the prompt to relaunch Chrome for the update to take effect.
=======================

=======================
Adobe Coldfusion:
=======================
Adobe ColdFusion: 2x priority 2 vulnerabilities resolved.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.
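As an added illustration (not code from the original post or from any of the projects above): a small Python check that gates an installed version against the fixed releases listed in this update note. The product table, the branch rule and the sample inventory are assumptions constructed for the example. The point it makes is that products with parallel maintained branches (Wireshark 2.0.x and 2.2.x, the two Firefox ESR lines) need a branch-aware comparison, and that a build on a branch with no listed fix (a 2.1.x Wireshark, say) must be reported as needing attention rather than as “newer than 2.0.12”.

```python
# Added example, not from the original post: branch-aware patch-level check.
# FIXED_RELEASES and SAMPLE_INVENTORY are constructed for illustration.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# product -> (leading components that identify a maintained branch,
#             fixed releases named in the update note above)
FIXED_RELEASES: Dict[str, Tuple[int, List[str]]] = {
    "Wireshark":   (2, ["2.0.12", "2.2.6"]),  # two branches maintained in parallel
    "Firefox":     (0, ["53.0.2"]),           # single release line
    "Firefox ESR": (1, ["45.9", "52.1"]),     # branches keyed by major version
    "PuTTY":       (0, ["0.69"]),
    "Skype":       (0, ["7.34.0.102"]),
}


def parse_version(text: str) -> Version:
    """'7.34.0.102' -> (7, 34, 0, 102).

    Only the numeric prefix of each dotted component is used, so a suffix
    such as 'rc1' in '2.2.6rc1' is ignored rather than raising."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_at_least(installed: Version, required: Version) -> bool:
    """Component-wise comparison with zero padding: 53.0 < 53.0.2, and
    45.9.0 equals 45.9 (a plain string compare gets both wrong)."""
    width = max(len(installed), len(required))
    left = installed + (0,) * (width - len(installed))
    right = required + (0,) * (width - len(required))
    return left >= right


def evaluate(product: str, installed_text: str) -> Tuple[str, str]:
    """Return (status, reference release) for one installed product.

    status is one of 'patched', 'outdated', 'unlisted-branch' (no fixed
    release exists for the installed branch) or 'unknown-product'."""
    if product not in FIXED_RELEASES:
        return ("unknown-product", "")
    branch_len, fixed_texts = FIXED_RELEASES[product]
    installed = parse_version(installed_text)
    fixed = sorted((parse_version(t), t) for t in fixed_texts)
    for fixed_version, fixed_text in fixed:
        if installed[:branch_len] == fixed_version[:branch_len]:
            status = "patched" if version_at_least(installed, fixed_version) else "outdated"
            return (status, fixed_text)
    # e.g. Wireshark 2.1.x: no fix was published for that branch, so the build
    # is still exposed; point at the newest listed release rather than calling it safe.
    return ("unlisted-branch", fixed[-1][1])


def check_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every (product, installed version) pair in an inventory."""
    return {product: evaluate(product, ver) for product, ver in inventory.items()}


def outdated_products(inventory: Dict[str, str]) -> List[str]:
    """Products that still need attention, including unlisted branches."""
    return sorted(product for product, (status, _) in check_inventory(inventory).items()
                  if status in ("outdated", "unlisted-branch"))


# Constructed sample inventory for illustration; not data from any real host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Wireshark":   "2.2.5",       # one release behind on the 2.2 branch
    "Firefox":     "53.0",        # below 53.0.2
    "Firefox ESR": "45.9.0",      # same as 45.9 once padded
    "PuTTY":       "0.68",
    "Skype":       "7.34.0.102",
}

if __name__ == "__main__":
    for product, (status, reference) in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{product:12} {SAMPLE_INVENTORY[product]:12} {status:16} fixed in {reference}")
```

Run it directly to print the status of the sample inventory. In practice you would replace SAMPLE_INVENTORY with versions collected from a host (for example from `wireshark --version` or the Windows Programs and Features list) and refresh the FIXED_RELEASES table from each month’s summary; the “unlisted-branch” result is the one worth alerting on, because a naive “is it newer than the oldest fixed version” check would silently pass it.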

=======================
For the Microsoft updates this month, I would prioritize installation in the following order:

====================
Critical severity:
Microsoft Office and Windows WordPad (due to a previously disclosed, actively exploited zero-day vulnerability (defined))
Microsoft Edge
Internet Explorer
Microsoft .NET Framework
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution you may wish to take, if you have Microsoft EMET installed (please ensure you are on the most recent version, 5.52), is to use its Attack Surface Reduction feature to block Adobe Flash from loading inside Microsoft Office applications and your PDF reader, since embedded Flash content in an Office document or PDF file is a common route for exploiting Flash vulnerabilities. I provide recommendations on how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Oracle Releases Scheduled Security Updates for April

The security updates continue apace in 2016, with Oracle yesterday releasing security updates for 46 of its products, addressing 136 vulnerabilities. Full details are available within Oracle’s security advisory.

Of particular note are the updates for MySQL, which address more security issues than any other product update (31 CVEs (defined)), and for Fusion Middleware, with 21 of its 22 resolved issues remotely exploitable (in Oracle’s terms, exploitable over a network without authentication).

For businesses and consumers alike who use Java, this month’s update (Java 8 Update 91 or Update 92; Update 91 is the Critical Patch Update containing the security fixes, while Update 92 is the corresponding Patch Set Update that adds non-security bug fixes on top of them; see the release notes for the full explanation) resolves 9 CVEs. More than half have a CVSS 3.0 base score above 6.0. A set of suggested practices for using Java on your computer is provided here.

A highlight coming later this year will be the deprecation of Oracle’s Java browser plugin (the applet plugin; Java Web Start is the migration path Oracle recommends for applet-based applications). Deprecation is a declared intent to remove the component in a later release rather than an immediate end of life: Oracle plans to deprecate the plugin in JDK 9 (the JDK release expected in September 2016) and to remove it from the JRE (Java Runtime Environment) and JDK (Java Development Kit) in a future Java SE release.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Oracle Releases Another Out of Band Java Security Update

In a similar manner to an update published by Oracle in February, they have again released a further out-of-band security update, this time to address a critical security issue that was incorrectly patched (not fully resolved) in 2013. Updated versions of Java 7 and Java 8 are now available.

Further highlights of this update are provided here and here. Further background info on this issue is available in this Qualys blog post.

A set of suggested practices for using Java on your computer are provided here. Please install the recommended update for your version of Java as soon as possible to protect against this re-patched security issue.

Thank you.

Oracle Releases Out of Band Java Security Update

Since Oracle’s previous security updates, made available in the third week of January, they have released further updates for Java versions 6, 7 and 8.

These updates address 1 security issue (more formally known as a CVE (defined)). Further highlights of this update are provided here. Moreover, Qualys describes the type of vulnerability this update addresses, namely a binary planting vulnerability (where an attacker places a malicious file, typically a DLL, in a location such as the user’s downloads folder from which a program will load it in preference to the legitimate copy).

A set of suggested practices for using Java on your computer are provided here. Please install the recommended update for your version of Java as soon as possible to protect against this newly disclosed security issue.

Thank you.

Oracle Releases Record Number of Security Updates

Yesterday Oracle made available security updates for more than 50 of its products, resolving 248 security issues (a record number). The full list of affected products is available here.

That Critical Patch Update page will be of particular importance to organizations that use the affected products for their critical business functions. Further highlights of this update are provided here.

For consumers, Oracle’s update for Java (version 8 Update 71) will be the priority. This month 8 security issues are addressed in Java, of which 3 are critical and have a very high CVSS score (defined). A set of suggested practices for using Java on your computer is provided here.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Oracle Releases Security Updates Across Its Product Range

Yesterday Oracle made available security updates for 54 of its products, resolving 154 security issues. The full list of affected products is available here.

The update for Oracle Java resolves a second security vulnerability being exploited by the malicious hacking group known as Pawn Storm (a further flaw exploited by the group was fixed by Adobe last week). The first flaw in Java was resolved by Oracle in July. Further details of the second flaw are available in this Trend Micro blog post. A set of suggested practices for using Java on your computer is provided here.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2015 Security Updates Summary

On Tuesday the 14th of July, Microsoft made available its monthly security updates, resolving 59 CVEs (definition of the term CVE). Details of the affected products are provided in their Security Bulletin Summary. This page also details any known issues for these security updates; at the time of writing, only issues for the SQL Server bulletin were present. In addition, an excellent source of information on issues that arise from installing these updates is the IT Pro Patch Tuesday blog.

Adobe made updates available for Flash Player (v18.0.0.203) to resolve 2 critical zero-day CVEs, for Adobe Shockwave Player to resolve 2 CVEs, and for Adobe Acrobat/Adobe Reader to resolve 46 CVEs.

In addition, Oracle made available security updates for Java resolving 25 CVEs, among them the zero day CVE-2015-2590.

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible.

If you wish to prioritize some of the updates, I would recommend installing Adobe’s Flash Player update first because of the nature of the 2 critical flaws it resolves (both are zero-days, already exploited before the fix was available). The next priorities should be Microsoft’s updates for Internet Explorer (which also includes a fix for the zero-day flaw CVE-2015-2425), Remote Desktop Protocol, VBScript, Microsoft Office, the ATM Font Driver and Windows Hyper-V, due to their severity. In addition, the ATM Font Driver vulnerability CVE-2015-2387 and the Microsoft Office vulnerability CVE-2015-2424 have already been exploited. With high-profile issues being resolved by Adobe’s updates, it is recommended to install them before they are incorporated into exploit kits for much wider exploitation.

I would also recommend using the Attack Surface Reduction (ASR) feature of Microsoft EMET 5.2 to mitigate Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. ASR stops a protected application from loading the modules you list for it, so adding the Flash ActiveX control (flash*.ocx) to the ASR list for Office and your PDF reader prevents Flash content embedded in a document from ever being loaded into that application. Details of the ASR feature are on pages 9 and 19 of the EMET user guide (follow this link and opt to download EMET; you can then choose to download only the PDF user guide). How to add Adobe Flash (flash*.ocx) is detailed in this news article. I suggest adding this file name (the full name, including the wildcard * and the .ocx extension) to any application you use that can open Microsoft Office documents or Adobe PDF files, as a defence-in-depth measure. I have done this for all of my Microsoft Office applications and my PDF reader with no issues encountered.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.