=======================
Update: 27th April 2020
=======================
Late last week, Microsoft issued a security advisory for Microsoft Office 2019, 365 ProPlus and Paint 3D (available within Windows 10).
These updates correct 4 remote code execution (an attacker can carry out any action of their choice on a compromised system) and 2 denial of service (in this instance the affected application will become unresponsive) vulnerabilities. These vulnerabilities also affect the following Autodesk products:
FBX-SDK
Maya
Motion Builder
Mudbox
3ds Max
Fusion
Revit
Flame
Infraworks
Navisworks
Autodesk AutoCAD
Please make certain your versions of the affected Autodesk products, Office 2019 or 365 ProPlus and Paint 3D are up to date. The steps detailed in the linked BleepingComputer article will guide you through doing so. The Paint 3D app should have already installed the update automatically. However, you can manually check for updates with these steps.
The necessary details to update the affected Autodesk products are available in the Autodesk security advisory linked above. Details for verifying whether Paint 3D and Microsoft Office have been updated are provided in Microsoft’s advisory. Please see the questions titled: “I am running Office 2019 or Office 365 ProPlus. How do I tell if the security update for this vulnerability is included in my version of Office?” and “I have Paint 3D or 3D Viewer installed. How do I know if I have the security update installed?” Further details of the potential impact of these vulnerabilities, as well as a recommended mitigation step, are provided in this Sophos blog post.
Thank you.
=======================
Update: 15th April 2020
=======================
Yesterday Microsoft released their scheduled updates to resolve 113 CVEs (defined). Similarly, Adobe released 3 security bulletins.
Microsoft’s monthly summary lists Known Issues for 43 Microsoft products, but all have workarounds or resolution steps listed.
To begin with, let’s look at Adobe’s updates:
Adobe After Effects: 1x Priority 3 CVE resolved (1x Important severity)
Adobe ColdFusion: 3x Priority 2 CVEs resolved (3x Important severity)
Adobe Digital Editions: 1x Priority 3 CVE resolved (1x Important severity)
Adobe later issued further updates:
Adobe Bridge: 17x Priority 3 CVEs resolved (14x Critical severity, 3x Important severity)
Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)
If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Bridge and Illustrator).
====================
A further useful source of update-related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Following disclosure last month, the Adobe Type Manager (ATM) vulnerabilities have been patched, in addition to the following zero day vulnerabilities and a further publicly disclosed vulnerability:
Zero Days (defined):
Microsoft Adobe Type Manager: CVE-2020-0938 and CVE-2020-1020
Microsoft Scripting Engine: CVE-2020-0968
Windows Kernel: CVE-2020-1027
Publicly disclosed:
Microsoft OneDrive: CVE-2020-0935
====================
Microsoft Scripting Engine: CVE-2020-0970
Microsoft Chakra Scripting Engine: CVE-2020-0969
Microsoft Graphics: CVE-2020-0687
Microsoft Graphics Components: CVE-2020-0907
Windows DNS: CVE-2020-0993
Windows Hyper-V: CVE-2020-0910
Windows Codecs: CVE-2020-0965
Windows Media Foundation: CVE-2020-0948, CVE-2020-0949, CVE-2020-0950
Microsoft SharePoint: CVE-2020-0929, CVE-2020-0931, CVE-2020-0932, CVE-2020-0974
Microsoft Office SharePoint XSS: CVE-2020-0927
Microsoft Dynamics: CVE-2020-1022
====================
Please install the remaining updates at your earliest convenience.
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications and devices below.
To all of my readers and your families, please stay safe during these challenging times. Thank you.
====================
Mozilla Firefox
====================
On the 7th of April, Mozilla released Firefox 75 and Firefox ESR (Extended Support Release) 68.7 to resolve the following vulnerabilities:
Firefox 75.0: Addresses 3x high severity CVEs, 3x moderate severity CVEs
Firefox 68.7 ESR: Addresses 4x high severity CVEs (1 of which only affects Firefox for Android) and 1x moderate severity CVE
Firefox 75 and the previous 74.0.1 reverse the removal of support for TLS 1.0 and TLS 1.1 due to the current COVID-19 situation. Firefox 75 offers improved performance when installed on systems powered by Intel GPUs (defined), is available in the Flatpak distribution format for Linux and, in Mozilla’s words, will “locally cache all trusted Web PKI Certificate Authority certificates that Mozilla knows, improving security and HTTPS compatibility with misconfigured web servers as a direct result”. Moreover, an improved address bar is now present in Firefox 75; its improvements are detailed in Firefox’s release notes. Please also be aware of the new telemetry Mozilla has begun to collect with Firefox 75; you may or may not wish to turn this off.
Firefox 74.0.1 and Firefox ESR 68.6.1 were released on the 3rd of April to resolve the following zero day (defined) vulnerabilities actively being exploited in targeted attacks:
Firefox 74.0.1 and Firefox 68.6.1 ESR: Addresses 2x critical severity CVEs
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice and you have not already done so, please update it as soon as possible to benefit from the above changes.
====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:
Advisory 1 (Severity: Critical): VMware vCenter Server
Advisory 2 (Severity: Important): VMware vRealize Log Insight
Advisory 3 (Severity: Important): VMware ESXi 6.5 up to and including 7.0
====================
If you use any of the above products, please review the above advisories and install the applicable security updates as soon as possible.
=======================
Oracle:
=======================
Oracle issued updates to resolve 405 vulnerabilities this month. Further details and installation steps are available here. 15 vulnerabilities affect the Java runtime, all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).
Separately, Oracle has issued a notice that attacks are being detected attempting to exploit a patched vulnerability (CVE-2020-2883) in Oracle WebLogic Server. They strongly suggest installing this month’s update for that product to protect against these attacks.
If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
====================
OpenSSL
====================
On the 21st of April, the OpenSSL Foundation issued OpenSSL 1.1.1g, which includes a high severity security fix.
FTP mirrors to obtain the necessary downloads are available from here. Downloadable tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
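A shell check, added here and not part of the original post, that compares an `openssl version` string against the 1.1.1g release above; the same trailing-letter ordering applies to the 1.1.1d, 1.1.1f and 1.1.1g versions bundled with WinSCP in the next section. It assumes a POSIX sh with sed available and treats anything older than the 1.1.1 line as unpatched.

```shell
#!/bin/sh
# Added example for this post, not OpenSSL project code: decide whether an
# OpenSSL version string is at least the 1.1.1g release discussed above.
# OpenSSL 1.1.1 patch releases differ only by a trailing letter
# (1.1.1d < 1.1.1f < 1.1.1g), so comparing the numeric part alone is not enough.
# Assumption: anything older than the 1.1.1 line is reported as unpatched.

# Usage: openssl_patched "OpenSSL 1.1.1f  31 Mar 2020"
# Prints patched / unpatched / unparsed; exit status 0, 1 or 2 respectively.
openssl_patched() {
    raw=${1#OpenSSL }                  # drop the "OpenSSL " prefix if present
    # keep only the version token, e.g. "1.1.1f" (ignores the trailing date)
    ver=$(printf '%s\n' "$raw" | sed -n 's/^\([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unparsed
        return 2
    fi
    num=${ver%%[a-z]*}                 # "1.1.1" from "1.1.1f"
    letter=${ver#"$num"}               # "f"; empty for the base 1.1.1 release
    # pad so that "3.0" or "3" still yields three numeric fields
    padded="$num.0.0"
    maj=${padded%%.*}; rest=${padded#*.}
    min=${rest%%.*};   rest=${rest#*.}
    pat=${rest%%.*}
    code=$((maj * 10000 + min * 100 + pat))   # 1.1.1 -> 10101
    if [ "$code" -gt 10101 ]; then
        echo patched
        return 0
    elif [ "$code" -lt 10101 ]; then
        echo unpatched
        return 1
    fi
    # same 1.1.1 line: only the letter suffix tells the releases apart
    case "$letter" in
        ''|a|b|c|d|e|f) echo unpatched; return 1 ;;
        *)              echo patched;   return 0 ;;
    esac
}

# Check the OpenSSL actually installed on this host (assumes an openssl CLI on PATH).
check_local_openssl() {
    openssl_patched "$(openssl version 2>/dev/null)"
}
```

Distribution packages often backport fixes without changing the upstream version string, so on Linux confirm against the package changelog rather than this string alone.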
=======================
WinSCP:
=======================
In early April, WinSCP version 5.17.3 was made available, upgrading its bundled OpenSSL to 1.1.1f (from the previous version, 1.1.1d). This update resolves 1x Low severity vulnerability.
On the 24th of April, WinSCP was upgraded to version 5.17.4, which also upgrades its bundled OpenSSL to version 1.1.1g, resolving a high severity vulnerability. Please install this update if you use WinSCP.
====================
VideoLAN VLC
====================
On the 28th of April, VideoLAN released version 3.0.10 to resolve multiple security issues assigned to 7 CVEs (various denial of service (DoS) issues in the microDNS service discovery); version 3.2.12 for Android and version 3.2.7 for iOS were also released. 1 CVE has been rated as critical, with the other 6 being of high severity. The most recent versions can be downloaded from:
====================
Wireshark
====================
In early April, Wireshark made available the following updates (I’ll detail only the 2 most recent versions here):
v3.2.3: addresses 1 security advisory (covering 1 CVE)
v3.0.10: addresses 1 security advisory (covering 1 CVE)
As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager; if the latest version is not installed automatically by the package manager, you can instead compile the source code (v3.2.4 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.
For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
Thank you and please stay safe.