Tag Archives: Oracle

April 2020 Update Summary

=======================
Update: 27th April 2020
=======================
Late last week, Microsoft issued a security advisory for Microsoft Office 2019, 365 ProPlus and Paint 3D (available within Windows 10).

These correct 4 remote code execution (an attacker can carry out any action of their choice on a compromised system) and 2 denial of service (in this instance the affected application will become unresponsive) vulnerabilities. These vulnerabilities also affect the following Autodesk products:

FBX-SDK
Maya
Motion Builder
Mudbox
3ds Max
Fusion
Revit
Flame
Infraworks
Navisworks
Autodesk AutoCAD

Please make certain your versions of the affected Autodesk products, Office 2019 or 365 ProPlus and Paint3D are up to date. The steps detailed in this linked to BleepingComputer article will guide you through doing so. The Paint3D app should have already installed the update automatically. However you can manually check for updates with these steps.

The necessary details to update the affected Autodesk products are available in the above linked to Autodesk security advisory. Details for verifying if Paint3D and Microsoft Office have been updated are provided in Microsoft’s advisory. Please see the questions titled: “I am running Office 2019 or Office 365 ProPlus. How do I tell if the security update for this vulnerability is included in my version of Office?” and “I have Paint 3D or 3D Viewer installed. How do I know if I have the security update installed?” Further details of the potential impact of these vulnerabilities as well as a recommended mitigation step are provided in this Sophos blog post.

Thank you.

=======================
Update: 15th April 2020
=======================
Yesterday Microsoft released their scheduled updates to resolve 113 CVEs (defined). Similarly Adobe released 3 security bulletins.

Microsoft’s monthly summary; lists Known Issues for 43 Microsoft products but all have workarounds or resolution steps listed.

To begin with, let’s look at Adobe’s updates:
Adobe After Effects: 1x Priority 3 CVE resolved (1x Important severity)
Adobe ColdFusion: 3x Priority 2 CVEs resolved (3x Important severity)
Adobe Digital Editions: 1x Priority 3 CVE resolved (1x Important severity)

Adobe later issued further updates:
Adobe Bridge: 17x Priority 3 CVEs resolved (14x Critical severity, 3x Important severity)
Adobe Illustrator: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Bridge and Illustrator).

====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
As always for this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Following disclosure last month, the Adobe Type Manager (ATM) vulnerabilities have been patched in addition to the following zero day vulnerabilities and a further publicly disclosed vulnerability;

Zero Days (defined):
Microsoft Adobe Type Manager: CVE-2020-0938 and CVE-2020-1020
Microsoft Scripting Engine: CVE-2020-0968
Windows Kernel: CVE-2020-1027

Publicly disclosed:
Microsoft OneDrive: CVE-2020-0935

====================
Microsoft Scripting Engine: CVE-2020-0970
Microsoft Chakra Scripting Engine: CVE-2020-0969
Microsoft Graphics: CVE-2020-0687
Microsoft Graphics Components: CVE-2020-0907
Windows DNS: CVE-2020-0993
Windows Hyper-V: CVE-2020-0910
Windows Codecs: CVE-2020-0965
Windows Media Foundation: CVE-2020-0948 , CVE-2020-0949 , CVE-2020-0950
Microsoft SharePoint: CVE-2020-0929 , CVE-2020-0931 , CVE-2020-0932, CVE-2020-0974
Microsoft Office SharePoint XSS: CVE-2020-0927
Microsoft Dynamics: CVE-2020-1022

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have also provided further details of updates available for other commonly used applications and devices below.

To all of my readers and your families, please stay safe during these challenging times. Thank you.

====================
Mozilla Firefox
====================
On the 7th of April, Mozilla released Firefox 75 and Firefox ESR (Extended Support Release) 68.7 to resolve the following vulnerabilities:

Firefox 75.0: Addresses 3x high severity CVEs, 3x moderate severity CVEs

Firefox 68.7 ESR: Addresses 4x high severity CVEs (1 of which only affects Firefox for Android) and 1x moderate severity CVE

Firefox 75 and the previous 74.0.1 reverse the removal of support for TLs 1.0 and TLS 1.1. due to the current COVID-19 situation. It offers improved performance when installed on systems powered by Intel GPUs (defined), is available in the Flatpak distribution format for Linux and offers improved performance by “locally cache all trusted Web PKI Certificate Authority certificates that Mozilla knows, improving security and HTTPS compatibility with misconfigured web servers as a direct result”. Moreover, an improved address bar is now present in Firefox 75. Its improvements are detailed in Firefox’s release notes. Please also be aware of the new telemetry Mozilla has begun to collect with Firefox 75, you may or may not wish to turn this off.

Firefox 74.0.1 and Firefox ESR 68.6.1 were released on the 3rd of April to resolve the following zero day (defined) vulnerabilities actively being exploited in targeted attacks:

Firefox 74.0.1 and Firefox 68.6.1 ESR: Addresses 2x critical severity CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

====================
VMware
====================
VMware released 3 security advisories to resolve vulnerabilities within the following products:

VMware vCenter Server
VMware vRealize Log Insight
VMware ESXi 6.5 up to and including 7.0

====================
Advisory 1: Severity: Critical:
VMware vCenter Server

Advisory 2: Severity: Important
VMware vRealize Log Insight

Advisory 3: Severity: Important:
VMware ESXi 6.5 up to and including 7.0
====================

If you use either of the above products, please review the above advisories and install the applicable security updates as soon as possible.

=======================
Oracle:
=======================
Oracle issued updates to resolve 405 vulnerabilities this month. Further details and installation steps are available here. 15 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

Separately Oracle has issued a notice that attacks are being detected attempting to exploit a patched vulnerability (CVE-2020-2883) in Oracle Web Logic server. They strongly suggest installing this month’s update for that product to protect against these attacks.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

====================
OpenSSL
====================
On the 21st April the OpenSSL Foundation issued OpenSSL 1.1.1g which includes a high severity security fix.

FTP mirrors to obtain the necessary downloads are available from here. Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
WinSCP:
=======================
In early April WinSCP version 5.17.3 was made available upgrading its version of OpenSSL to 1.1.1f (from the previous version of 1.1.1d). This update resolves 1x Low severity vulnerability.

On the 24th of April, WinSCP was upgraded to version 5.17.4 which also upgrades its version of OpenSSL to version 1.1.1g resolving a high severity vulnerability. Please install this update if you use WinSCP.

====================
VideoLAN VLC
====================
On the 28th of April, VideoLAN released version 3.0.10 resolving multiple security issues (version 3.2.12 for Android and version 3.2.7 for iOS were also released) assigned to 7 CVEs (various DOSes (Denial of Services) in the microDNS service discovery). 1 CVE has been rated as critical with the other 6 being of high severity. The most recent versions can be downloaded from:

http://www.videolan.org/vlc/

====================
Wireshark
====================
In early April, Wireshark made available the following updates (I’ll detail only the 2 most recent versions here):

v3.2.3: Relating to 1 security advisory (relating to 1 CVE)
v3.0.10: Relating to 1 security advisory (relating to 1 CVE)

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.4 or v3.0.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you and please stay safe.

Highlights from Pwn2Own 2020

Leave a reply

====================
TL;DR:

The following products were successfully exploited, please install the necessary updates for them when they become available: Apple Safari, Apple macOS, Ubuntu Desktop, Windows, Oracle VirtualBox and Adobe Reader
====================
As long-time readers of this blog will know, the Pwn2Own security conference with its white hacking contest is my favourite event of the year. Sophisticated vulnerability exploitation is showcased, the contestants receive large sums of money and we as consumers receive safer products to use on a day to day basis. It took place late last week virtually due to the Coronavirus. The results from both days of competition can be found here. The total prize was USD $270,000.

The winners of the competition were Richard Zhu and Amat Cama of Team Fluoroacetate winning the Master of Pwn title and USD $90,000 in prize money.

Returning to the trend of previous years, exploits against the Apple macOS kernel (defined) and Windows kernel were common again. These are high severity vulnerabilities but when addressed will make our systems safer.

The vendors have up to 90 days to resolve the vulnerabilities before public disclosure. Please expect and apply the necessary security updates to the affected as they become available

Thank you.

January 2020 Update Summary

Leave a reply

====================
Update: 11th February 2020
====================
This Internet Explorer zero day (defined) vulnerability was resolved by the patch released by Microsoft today. If you use Internet Explorer (especially versions 8 or earlier), please install this update as soon as possible.

Thank you.

==============
Update: 27th January 2020
==============
Shortly after the release of Microsoft’s scheduled updates, on the 17th of January they issued a security advisory for a critical zero day (defined) vulnerability being exploited by attackers in targeted attacks.

An out of bound update has not been released by Microsoft since by default all support versions of Internet Explorer by default use Jscript9.dll rather than Jscript.dll However versions earlier then IE 9 face increased risk.

If you use Internet Explorer for day to day work or just general surfing, please consider implementing the workaround described within Microsoft’s security advisory. Please remember to remove the workaround prior to installing the relevant security update in February. Also, please note that this workaround is causing some printers not to print and the Microsoft Print To PDF function not to work. If this is the case, use another browser and disable the workaround or use the micropatch (discussed below).

An alternative which according to ghacks.net is free is to install the micro-patch for IE available from 0Patch. More information on the micropatch and how to install it is available in the previous link above. This micropatch does not come with side effects. A YouTube video of the micropatch in action is available from the following link:

https://youtu.be/ixpBN_a2cHQ

Thank you.

==============
Original Post
==============
Happy New Year to my dedicated readers!

Today Adobe and Microsoft released their first security updates of the year. Adobe resolved 9 vulnerabilities more formally known as CVEs (defined) with Microsoft addressing 50 vulnerabilities.

====================
Adobe
====================
Adobe Experience Manager: 4x Priority 2 CVEs resolved (3x Important severity, 1x Moderate severity)

Adobe Illustrator CC: 5x Priority 3 CVEs resolved (5x Critical severity)

If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities within Illustrator CC).
====================

Inside Microsoft’s monthly summary; there are Known Issues for 9 Microsoft products but all have workarounds (some workarounds will be replaced by further updates).

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows CryptoAPI Spoofing Vulnerability: CVE-2020-0601 (disclosed by the NSA to Microsoft). Further information on this vulnerability is available from KrebsonSecurity, within this CERT advisory and the detailed NSA PDF.

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0609

Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability: CVE-2020-0610

Remote Desktop Client Remote Code Execution Vulnerability: CVE-2020-0611

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020 0605

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0606

.NET Framework Remote Code Execution Injection Vulnerability: CVE-2020-0646

Please install the remaining less severe updates at your earliest convenience.

====================
Microsoft Edge Chromium
====================
Tomorrow, 15th January will mark the release of a new version of Microsoft Edge powered by the Chromium rendering engine. This version will be available for Windows 7, 8.1 and 10. This is especially relevant for Windows 7, Windows Server 2008 and Server 2008 R2 since while Windows itself ends its support lifecycle today, Edge Chromium will continue to be supported for a further 18 months. This matches similar statements from Google regarding Chrome and separately Vivaldi.

For details of which versions of Windows 10 will receive the new Edge via Windows Update and which versions will need to download it separately, please refer to this link. I wish to extend my thanks to Softpedia and Bleepingcomputer.com for these really useful links.

If for any reason, you wish to use the previous version of Edge (which uses the legacy rendering engine, please see this link for details of how to run the older version alongside its modern equivalent).

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
In early January Mozilla released new versions of Firefox to address the following vulnerabilities and to add new user privacy features:

Firefox 72.0: Resolves 5x high severity CVEs (defined), 5x moderate CVEs and 1x low CVE

Firefox ESR 68.4 (Extended Support Release): Resolves 4x high severity CVEs and 2x moderate CVEs

More recently Firefox 72.0.1 was released to address a single critical severity zero day (defined) vulnerability which was responsibly disclosed to Mozilla and fixed very quickly. Finally Firefox 72.0.2 was released on the 20th of January resolving inconsistent playback of full-screen HD videos among non-security other issues.

Highlights from version 72 of Firefox include:
In addition to picture in picture enabled by default for macOS and Linux, it blocks the use of fingerprinting by default (the collection of data from your system e.g. browser version, font size, screen resolution and other unique data. This protection is provided by Disconnect. There are multiple levels of fingerprinting protection provided with the standard level being enabled by default. The strict level however may lead to websites not functioning as expected. Further details are available here.

====================
Wireshark
====================
In mid-January the following Wireshark updates were released:

v3.2.1: Relating to 1 security advisory

v3.0.8: Relating to 1 security advisory

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v3.2.1 or v3.0.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Google Chrome
====================
Google made available two security updates during November; the first resolves 3 vulnerabilities while the second resolves 16 vulnerabilities. The second also provides mitigation for the vulnerability disclosed by the NSA to Microsoft more commonly known as the Chain of Fools/CurveBall or CVE-2020-0601 This test page from SANS will then show your system is no longer vulnerable after applying the second update. Please still apply the update from Microsoft to provide the most protection, Google’s changes are a mitigation only.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

====================
Intel Security Advisories
====================
Intel have released a series of security advisories this month. The advisories are prioritised below. If you use any of these products, software or devices, please update them as soon as possible especially in the case of the high severity advisories:

High
Intel VTune Amplifier for Windows Advisory

Medium
Intel Processors Data Leakage Advisory
Intel Processor Graphics Advisory
Intel RWC 3 for Windows Advisory
Intel Chipset Device Software Advisory
Intel SNMP Subagent Stand-Alone Advisory for Windows

Low
Intel Data Analytics Acceleration Library (DAAL)

====================
VMware
====================
VMware released 2 security advisories in January , the first is of moderate severity with the second being of important severity. The advisories relate to the following products:

Moderate Severity Advisory:

Workspace ONE SDK

Workspace ONE Boxer

Workspace ONE Content

Workspace ONE SDK Plugin for Apache Cordova

Workspace ONE Intelligent Hub

Workspace ONE Notebook

Workspace ONE People

Workspace ONE PIV-D

Workspace ONE Web

Workspace ONE SDK Plugin for Xamarin

Important Severity Advisory:
VMware Tools

If you use the above VMware products, please review the advisories and apply the necessary updates.

=======================
Oracle:
=======================
Oracle issued updates to resolve 334 vulnerabilities in January 2020. Further details and installation steps are available here. 12 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Pwn2Own 2019 Results

Leave a reply

TL DR: With popular products such as the Tesla Model 3, Apple Safari, Mozilla Firefox, Oracle VirtualBox, VMware Workstation Pro and Microsoft Edge being successfully exploited; please install the necessary updates when they become available.

The annual white hat hacking contest known as Pwn2Own took place last week. Detailed results from all 3 days are available from this link.

Day 3 saw initially two teams attempting to exploit a Tesla Model 3 before one withdrew. The team Fluoroacetate made up of both Richard Zhu and Amat Cama successfully exploited the infotainment system of the Tesla earning them a further $35,000 and the car itself. They earned $375k in total and became the Master of Pwn for 2019. The contest overall distributed $545k for 19 vulnerabilities.

In contrast to previous years the researchers have targeted vulnerabilities other than those within the operating system kernel (defined) to obtain a total system compromise. Only 3 times were exploits on the OS kernel used this year (one exploit was used in conjunction when exploiting each of the web browsers Apple Safari, Microsoft Edge and Mozilla Firefox).

We can expect updates for each of the exploited products over the coming weeks and months (the vendors have up to 120 days to resolve the vulnerabilities before public disclosure). Mozilla released Firefox 66.0.1 and 60.6.1 to resolve the 2 Firefox CVEs (defined) disclosed during the contest.

If you use the affected products, please keep current with the necessary updates. Thank you.

Oracle VirtualBox Zero Day Disclosed

Leave a reply

In early November a security researcher publicly disclosed (defined) a zero day (defined) vulnerability within Oracle’s VirtualBox virtualisation software.

How severe is this vulnerability?
In summary; this vulnerability is serious but it could have been worse. In order to exploit it, an attacker would first need to have obtained elevated privileges on your system; root (defined) in the case of Linux and administrator (defined) in the case of Windows. Using this privilege the attacker can leverage the exploit to escape from the confines of the virtual machine (VM)(defined) into the system which hosts the virtual machine (in other words; the system which houses the virtual machine within its physical infrastructure). Once outside of the virtual machine the attacker must then elevate their privileges again since breaking out of the VM only gives them user level/standard privileges and not elevated privileges in the physical system. Thus the attacker would then need to use a separate exploit for another vulnerability (not related to this VirtualBox flaw) to elevate their privileges again to become root/admin within the physical system.

Obviously; the consequences of exploiting this vulnerability on a shared service/cloud infrastructure system would be more serious since multiple users would be affected all at once and the further exploitation of the resulting host systems could potentially provide the attacker with control over all the virtual machines.

How can an attacker exploit this vulnerability?
VirtualBox makes use of the Intel Pro/1000 MT Desktop (82540EM) network adapter to provide an internet connection to the virtual machines it manages. The attacker must first turn off this adapter in the guest (virtualised) operating system. Once complete they can then load a custom Linux kernel module (LKM)(defined) (this does not require a reboot of the system). That custom LKM contains the exploit derived from the technical write up provided. That new LKM loads its own custom version of the Intel network adapter. Next the LKM exploits a buffer overflow (defined) vulnerability within the virtualised adapter to escape the guest operating system. The attack must then unload the custom LKM to re-enable the real Intel adapter to resume their access to the internet.

How can I protect myself from this vulnerability?
While this is a complex vulnerability to exploit (an attacker would need to chain exploits together in order to elevate their privilege on the host system after escaping the VM), the source code needed to do so is available in full from the researcher’s disclosure; increasing the risk of it being used by attackers.

At the time of writing; this vulnerability has not yet been patched by VirtualBox. It affects versions 5.2.20 and earlier when installed on Ubuntu version 16.04 and 18.04 x86-64 guests (Windows is believed to be affected too). While a patch is pending; you can change the network card type to PCnet or Para virtualised Network. If this isn’t an option available or convenient for you; you can an alternative to the NAT mode of operation for the network card.

Thank you.

Vendors Respond to Foreshadow (L1TF) Vulnerabilities

Leave a reply

Yesterday, academic and security researchers publically disclosed (defined) 3 new vulnerabilities affecting Intel CPUs (AMD and ARM are not affected).

What are these new vulnerabilities and what can they allow an attacker to do?
The first vulnerability known as Foreshadow or CVE-2018-3615 is used to extract data from an Intel SGX (Software Guard Extensions)(defined) secure enclave (area) by creating a shadow copy of the SGX protected data but that copy does not have the protection of SGX and can be read/accessed by the attacker. The attacker can also re-direct speculative execution into copying further private/sensitive into the shadow copied area while at the same time making it appear that area is genuine and thus has the same protection as the real SGX protected data.

The second vulnerability (part of a wider Foreshadow Next Generation (NG) group of two variants) known as CVE-2018-3620 allows the reading of data copied into the level 1 cache (defined) of a CPU (defined) when that data is in use by a computer operating system e.g. Red Hat Linux, Apple macOS or Microsoft Windows.

The third vulnerability is the second and final variant of the Foreshadow NG group known as CVE-2018-3646. This affects virtualised environments. If a CPU thread (defined) being directed by an attacker is able to read the level 1 cache of a CPU that is also shared by another thread by a victim user (within another virtualised environment but using the same physical CPU) while that request will be blocked; if the information the attacker is looking to steal is in the level 1 cache they may still get a glimpse of this information.

How can I protect myself from these new vulnerabilities?
For the first and second vulnerabilities; the microcode (defined)/firmware (defined) updates made available earlier this year coupled with the newly released updates for operating systems linked to below will mitigate these two issues.

====================

For the third vulnerability; affecting virtualised (defined) environments there are operating system updates and microcode/firmware updates available that will occasionally clear the contents of the level 1 cache meaning that when the attacker attempts to read it they will not receive any benefit from doing so. Partially removing the usefulness of the cache will have a performance impact from a few percent up to 15 percent in the worst case scenario.

However to completely mitigate this third vulnerability a capability known as Core Scheduling needs to be leveraged. This ensures that only trusted/non attacker controlled virtual machines have access to the same thread (this capability is already available in some virtual machine (hypervisor)(defined) environments).

However in some environments if it cannot be guaranteed that all virtual machines are trustworthy the disabling of Intel Hyper Threading (this means that only 1 thread will work per CPU core)(otherwise known as simultaneous multi-threading (SMT)(defined)) may be necessary and will more significantly impact performance than just the level 1 cache clearing.

In summary for this third vulnerability; depending upon the virtualised environment you are using and the trustworthiness of the virtual machines you are using will determine how many of the these extra security measure you will need to take.

To be clear I am NOT advocating that Intel Hyper Threading/SMT be disabled EN MASSE for security reasons. As per the advice in the linked to advisories (below)(specifically Intel and VMware) ; you MAY wish to disable Intel Hyper Threading/SMT to mitigate the third vulnerability (CVE-2018-3646) depending upon the environment your virtualised machines are operating.

This Ars Technica article explains it very well: “if two virtual machines share a physical core, then the virtual machine using one logical core can potentially spy on the virtual machine using the other logical core. One option here is to disable hyperthreading on virtual-machine hosts. The other alternative is to ensure that virtual machines are bound to physical cores such that they don’t share.”

====================

Please find below links to vendor responses on these vulnerabilities as well as videos that can help in understanding these vulnerabilities:

Thank you.

====================

Foreshadow Vulnerability Official Website:
https://foreshadowattack.eu/

Intel’s Blog Post:
https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/

Intel’s FAQ Page:
https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html

Intel’s Security Advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Intel’s Software Developer Guidance:
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

Red Hat’s Security Advisory:
https://access.redhat.com/security/vulnerabilities/L1TF

Linux Kernel Patch:
https://lore.kernel.org/patchwork/patch/974303/

Oracle’s Security Advisory:
https://blogs.oracle.com/oraclesecurity/intel-l1tf

Amazon Web Services’ Security Advisory:
https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

Google Cloud Security’s Blog Post:
https://cloud.google.com/blog/products/gcp/protecting-against-the-new-l1tf-speculative-vulnerabilities

Microsoft Windows Azure’s Guidance:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se

Microsoft’s Windows Security Advisory (high level details):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018

Microsoft’s Technical Analysis of the Foreshadow Vulnerabilities:
https://blogs.technet.microsoft.com/srd/2018/08/10/analysis-and-mitigation-of-l1-terminal-fault-l1tf/

VMware Security Advisories:
https://www.vmware.com/security/advisories/VMSA-2018-0020.html

https://www.vmware.com/security/advisories/VMSA-2018-0021.html
====================

Videos:
Foreshadow Video (explains the first vulnerability very well):
https://www.youtube.com/watch?v=ynB1inl4G3c

Intel’s Video (explains all 3 vulnerabilities):
https://www.youtube.com/watch?v=n_pa2AisRUs

Demonstration of the Foreshadow attack:
https://www.youtube.com/watch?v=8ZF6kX6z7pM

Red Hat’s Video (explains all 3 vulnerabilities):
https://www.youtube.com/watch?v=kBOsVt0iXE4

Red Hat’s In-depth video of the 3 vulnerabilities:
https://www.youtube.com/watch?v=kqg8_KH2OIQ

====================

July 2018 Update Summary

Leave a reply

Earlier this month, Microsoft made available their usual monthly security updates. This month 53 vulnerabilities more formally known as CVEs (defined) were resolved.

Among these updates are further updates for Spectre NG vulnerabilities (also known as Speculative Store Bypass vulnerabilities) making them available for Windows Server 2008, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 in addition to last month’s updates. The vulnerability known as Lazy Floating Point (FP) was also addressed this month. Finally the Spectre 1.1. and Spectre 1.2 vulnerabilities will be discussed in a separate blog post.

This month’s Microsoft updates have a long list of Known Issues detailed in the knowledge base (KB) articles listed at the abovel ink (due to the length I won’t reproduce it here). At the time of writing some of these issues have begun to be addressed by further updates (Windows 7, Windows 8.1 and Windows 10) released by Microsoft. Others relating to the .Net Framework should be addressed soon.

====================

This month also saw Adobe release an update (priority 2) for Adobe Acrobat DC and Reader DC which addresses 104x CVEs alone. The remaining updates made available this month were:

Adobe Connect (priority 2, 3x CVEs)

Adobe Experience Manager (priority 2, 3x CVEs)

Adobe Flash (priority 2, 2x CVEs)

For Flash, updates for Google Chrome (not a separate update but via its component updater), Microsoft Edge and Internet Explorer were made available. As always if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash and Acrobat DC/Reader DC.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))(a previous update from May may need a further non-security fix)

Microsoft PowerShell Editor Services

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Oracle:
=======================
Oracle issued updates to resolve a monthly record of 334 vulnerabilities. Further details and installation steps are available here. 8 vulnerabilities affect the Java runtime; all of which are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
Apple:
=======================
In early July released a group of updates to resolve a large number of vulnerabilities:

Wi-Fi Updates for Boot Camp 6.4.0: Addresses 3x vulnerabilities

Apple iOS 11.4.1: Addresses 22x vulnerabilities

Apple tvOS 11.4.1: Addresses 18x vulnerabilities

Apple watchOS 4.3.2: Addresses 14x vulnerabilities

macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan: Addresses 12x vulnerabilities (also resolves the Intel Lazy FP vulnerability)

Apple Safari 11.1.2: Resolves 16x CVEs

Apple iCloud 7.6 for Windows: Resolves 14x CVEs

Apple iTunes 12.8 for Windows: Resolves 14x CVEs

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Google Chrome:
=======================
Google released Google Chrome version 68.0.3440.75 to address 42 vulnerabilities. This version also marks all HTTP sites as “not secure.” This Google blog post discusses the change in more detail and this migration guide will be of assistance to website owners in migrating to HTTPS.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Wireshark 2.4.8 and 2.6.2
=======================
v2.4.8: 10 security advisories

v2.6.2: 9 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.2) or v2.4.8). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Vendors Respond to Spectre NG Vulnerabilities

Leave a reply

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates Microsoft have advised their security protections will not be enabled unless you choose to do so. This is due to the lower risk of SpectreNG and also given that enabling the security enhancements of these updates can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step advice and guidance if you wish to enable these updates within this security advisory. It is likely other OS vendors will take a similar approach e.g. Red Hat may also choose to distribute these updates but not enable them so as to work around the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday more details of these vulnerabilities were made available by affected vendors among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities named:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged by an external attacker; they must instead log onto a vulnerable system and carry out further steps to exploit it. Once exploited the attacker may be able to obtain sensitive information by reading system parameters via side-channel analysis.

For Windows; successful exploitation of this vulnerability will bypass Kernel Address Space Layout Randomization (KASLR) protections. I have talked about ASLR (defined) before but provides this link more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by attacker externally (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year will make it more difficult for an attacker to do so. Indeed, Intel rates the risk as “moderate.” This is a more serious vulnerability which may allow an attacker access to read privileged memory areas. An example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time microcode updates are being developed by Red Hat, AMD, ARM, Intel, IBM and Microsoft. The affected products from many popular vendors are available from the following links. These vulnerabilities will not be addressed via software fixes but hardware fixes instead.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled and if appropriate/acceptable for an affected system; the protection (along with its performance impact) can be enabled.

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================

April 2018 Update Summary

Leave a reply

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Engine. Further details are available in this separate blog post.

Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4073119

kb4093112

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
On Tuesday, 10th April Microsoft made available their scheduled security updates to resolve 63 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

There are 3 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4093112

4093118

4093108

====================

Alongside these updates; Adobe released updates for the following products:

Adobe ColdFusion (priority 2, 5x CVEs)

Adobe Digital Editions (priority 3, 2x CVEs)

Adobe Experience Manager (priority 3, 3x CVEs)

Adobe Flash Player v29.0.0.140 (priority 2, 6x CVEs)

Adobe InDesign CC (priority 3, 2x CVEs)

Adobe PhoneGap Push Plugin (priority 3, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Graphics Component consisting of the following 6 CVEs:

Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability : described in more detail here.

====================

Separately AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Please install the remaining updates at your earliest convenience.

Thank you.

=======================

=======================
Apple Security Updates:
=======================
In late April Apple released updates for Safari, macOS and iOS:

Apple iOS v11.3.1

Apple Safari v11.1

Apple macOS High Sierra v10.13.4

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
7-Zip 18.05
=======================
In late April; version 18.05 of 7-Zip was made available resolving one security vulnerability in it’s RAR packing code. Further details are provided in this linked to blog post.

Other highlights include the inclusion of ASLR on the 32 bit version and high entropy (HE)(defined here and here) ASLR (defined) on the 64 bit version. While the above blog post mentions HEASLR is not enabled, when I tested it with Process Explorer it was showing HEASLR as enabled. That blog post also describes how to add Arbitrary Code Guard (ACG) (defined) protection for 7-Zip on Windows 10. Version 18.01 and later also come with Data Execution Prevention (DEP)(defined here and here).

While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from the resolved vulnerability and the new mitigations.

=======================
Wireshark 2.4.6 and 2.2.14
=======================
v2.4.6: 10 security advisories

v2.2.14: 8 security advisories

The security advisory wnpa-sec-2018-24 applicable to both of the above versions resolves 10 memory leaks (defined).

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.6) or v2.2.14). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
Wireshark 2.6.0
=======================
While this update is not listed as a security update; it is the latest version of Wireshark within the Stable release channel. The older 2.4.x version did not receive a further update. It is very likely version 2.6 will be required to receive future security updates. Further details are available in the release notes of version 2.6. If possible, please consider upgrading to this version in the near future.

Further installation tips are provided above (as per version 2.4.6 and 2.2.14).

=======================
Oracle:
=======================
Oracle issued updates to resolve 254 vulnerabilities. Further details and installation steps are available here. 14 vulnerabilities affect the Java runtime. 12 of these are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
OpenSSL
=======================
In mid April; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

=======================
A Closer Look at CVE-2018-0950
=======================
While Microsoft have addressed the vulnerability designated as CVE-2018-0950 (defined) this month; Will Dormann, a security researcher with the CERT Coordination Center has demonstrated further mitigations (defined) you may wish to take. These mitigations (listed at the end of his in-depth discussion) will better defend your system(s) against a variant of this vulnerability which still remains relatively easy for an attacker to exploit.

Thank you.

January 2018 Update Summary

Leave a reply

====================
Update: 31st January 2018:
Please scroll down in this post to view more recent software updates available since the original posting date of the 16th of January 2018. Thank you.
====================

Last Tuesday Microsoft released their routine security updates to address 56 vulnerabilities more formally known as CVEs (defined). Further details are provided within Microsoft’s Security Updates Guide.

This month there are 11 knowledge base articles detailing potential issues (many of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

====================

Separately Adobe released Flash Player v28.0.0.137 to address a single priority 2 CVE.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For January’s Microsoft updates, I will prioritize the order of installation below. I will discuss this month’s out of band (outside of the regular schedule) patches for Meltdown and Spectre in a separate blog post; the relevant CVEs are still listed below. A useful list of all CVEs for this month is present here:

====================
CVE-2017-5753 – Bounds check bypass (known as Spectre Variant 1)

CVE-2017-5715 – Branch target injection (known as Spectre Variant 2)

CVE-2017-5754 – Rogue data cache load (known as Meltdown Variant 3)

CVE-2018-0802: Microsoft Office zero day (similar to Novembers Office equation editor vulnerability)

Microsoft Office (18 further CVEs)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

For this month; please take extra care with your back up to ensure you can restore your systems should you wish to revert your systems prior to installing the Meltdown and Spectre patches should you wish to uninstall the Security only bundle of updates or the updates are causing your system to become unstable.

Thank you.

=======================
Wireshark 2.4.4 and 2.2.12
=======================
v2.4.4: 3 CVEs (defined) resolved

v2.2.12: 4 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.4) or v2.2.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Update: 24th January:
====================
Oracle:
====================
Oracle have resolved 237 vulnerabilities with the security updates they have made available this month. Further details and installation steps are available here. Within the 237 vulnerabilities addressed, 21 vulnerabilities were addressed in the Java runtime. 18 of these 21 are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Particular priority should be given to Oracle WebLogic Server and PeopleSoft due to documented incidents of attackers using such installations for crypto currency mining with one such incident resulting in more than USD $226,000 being mined. Further details are available in the following blog post from security vendor Onapsis.
=======================

=======================
Further updates released in January:
=======================
VMware Updates:
=======================
In early January; VMware issued security updates to address the Meltdown and Spectre vulnerabilities within some of their products. Another advisory was also released later in January. The affected products/appliances are listed below. For virtual machines used with VMware Fusion and VMware Workstation, the steps listed within this knowledge base article should also be followed.

Please review the above linked to security advisories and knowledge base article and apply the necessary updates and mitigation steps.

Affected products/appliances:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

=======================
Mozilla Firefox:
=======================
In January Mozilla issued security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 57.0.4 (2 mitigations added)

Firefox 58: 3x critical, 13x high, 13x moderate, 2x low CVEs

Firefox 58.0.1: 1x critical CVE

Firefox ESR 52.6: 1 high CVE

Firefox ESR 52.6: 2x critical, 8x high, 1x moderate

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
In late January an update for Google Chrome was made available which included 53 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
7-Zip
=======================
In late January a security researcher located 2 vulnerabilities within 7-Zip. He reported them to the developer Igor Pavlov who very quickly released an updated version; v18.00 Beta. This has since been updated to 18.01 Stable to fix further issues (NOT security related).

The alternative Windows file manager Directory Opus will include the updated 7-Zip DLL (defined) within their next release. Their current beta already contains these fixes.

While 7-Zip does not have many vulnerabilities discovered within it (which has both advantages and disadvantages), there appears to be an increasing emphasis on it since it is used by anti-malware software and other applications e.g. VMware Workstation. Thus when a security update is issued; all of this software should eventually include the fixes. This occurred last year with the release of 7-Zip 16.00 to resolve 2 other security vulnerabilities.

Separately, Malwarebytes updated their Anti-Malware product to version 3.4.4 to update the 7-Zip DLL (defined) within it. Further details are available in my March 2018 Update Summary blog post.

If you use 7-Zip, please ensure it is updated to resolve both this year’s vulnerabilities and last year’s vulnerabilities (if you hadn’t already installed version 16 or later). Please also update Malwarebytes Anti-Malware or Directory Opus if you use them.

=======================
Nvidia Geforce Drivers:
=======================
This driver update applies to Linux, FreeBSD, Solaris and Windows and mitigates the Meltdown security vulnerability (CVE-2017-5753). While Nvidia’s GPUs are not vulnerable to Meltdown or Spectre, the GPUs interaction with an affected CPU has the potential for exploitation.The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post. More details about the Meltdown and Spectre vulnerabilities are available in this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.8.20 (Build 292). This update resolves 2 vulnerabilities relating to libraries (defined) the tool uses namely zlib and libpng. Any previous version of the tool should update automatically when opened to the most recent version.

securityinaction

A blog dedicated to sharing security best practice advice for organisations and individuals.

Tag Archives: Oracle

April 2020 Update Summary

Highlights from Pwn2Own 2020

January 2020 Update Summary

Pwn2Own 2019 Results

Oracle VirtualBox Zero Day Disclosed

Vendors Respond to Foreshadow (L1TF) Vulnerabilities

July 2018 Update Summary

Vendors Respond to Spectre NG Vulnerabilities

April 2018 Update Summary

January 2018 Update Summary