Tag Archives: Putty

March 2019 Update Summary

====================
Updated: 21st March 2019
====================
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683CVE-2019-0754CVE-2019-0757 and CVE-2019-0809).

Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.

After publishing my original post; Adobe and Microsoft jointly reported that while a newer version (32.0.0.156) of Flash Player was made available it only resolves non-security bugs.

I have updated the suggested installation order (below) to reflect this new information. Thank you.

====================
Original Post:
====================
As scheduled; earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.

For Adobe; if you have not already done so; if you manage an installation of Adobe ColdFusion or know someone who does, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:

Adobe Digital Editions: 1x priority 3 CVE resolved

Adobe Photoshop CC: 1x priority3 CVE resolved

If you use the affected Adobe products; please install their remaining priority 3 updates when you can.

This month’s list of Known Issues is now sorted by Microsoft within their monthly summary page and applies to all currently supported operating systems:

KB4489878          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

KB4489881          Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB4489882          Windows 10 version 1607, Windows Server 2016

KB4489883          Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB4489884          Windows Server 2012 (Security-only update)

KB4489885          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

KB4489891          Windows Server 2012 (Monthly Rollup)

KB4489899          Windows 10 version 1809, Windows Server 2019

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel: CVE-2019-0797CVE-2019-0808

Windows DHCP Client: CVE-2019-0697 , CVE-2019-0698 , CVE-2019-0726

Microsoft XML: CVE-2019-0756

Scripting Engine: CVE-2019-0592 , CVE-2019-0746 , CVE-2019-0639 , CVE-2019-0783 , CVE-2019-0609 , CVE-2019-0611 , CVE-2019-0666 , CVE-2019-0769 , CVE-2019-0665 , CVE-2019-0667 , CVE-2019-0680 , CVE-2019-0773 , CVE-2019-0770 , CVE-2019-0771 , CVE-2019-0772

Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809

Microsoft Active Directory: CVE-2019-0683

NuGet Package Manager Tampering Vulnerability: CVE-2019-0757

Windows Denial of Service Vulnerability: CVE-2019-0754

Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)

If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005

====================
Please install the remaining updates at your earliest convenience.

As always; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Google Chrome:
=======================
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system as Chrome is installed.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Notepad++:
=======================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Mozilla Firefox
=======================
Update: 25th March 2019: As detailed in the Pwn2Own 2019 results post; Mozilla released a further update for Firefox and Firefox ESR bringing their version numbers to 66.0.1 and 60.6.1 respectively. Both updates resolve 2x critical CVEs. Please consider updating to these versions as soon as possible.

=======================
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:

Firefox 66.0: Resolves 5x critical CVEs (defined), 7x high CVEs, 5x moderate CVEs and 4x low CVEs

Firefox 60.6: Resolves 4x critical critical CVEs, 4x high CVEs and 2x moderate CVEs

Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware:
=======================
VMware issued 2 security advisories during March:
Security Advisory 1: Addresses 2x important severity CVEs in the following products:

VMware Player
VMware Workstation Pro

Security Advisory 2: Addresses 1x moderate severity CVE in the following products:

VMware Horizon

If you use the above VMware products, please review the security advisories and apply the necessary updates.

=======================
Putty:
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.71 in mid-March. It contains 8 security fixes (see below). They are a result of the bug bounties awarded through the EU-Free and Open Source Software Auditing (EU-FOSSA) (discussed previously in this post). Version 0.71 is downloadable from here.

If you use Putty, please update it to version 0.71. Thank you.

Security vulnerabilities fixed:

=======================

=======================
Nvidia Geforce Experience Software:
=======================
In late March , Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 1 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be applied by opening Geforce Experience which will automatically updated it or the update can be obtained from here.

=======================
GOG Galaxy
=======================
Golden Old Games (GOG) has published an update for their popular game distribution platform GOG Galaxy. It resolves 2 critical vulnerabilities. Additionally, 2 high severity and 2x medium severity vulnerabilities were also resolved. These vulnerabilities are discussed in more detail in this Cisco Talos blog post and within this Kaspersky ThreatPost article. Please update GOG Galaxy to version 1.2.54.23 or later to resolve these vulnerabilities.

I don’t often post about vulnerabilities in gaming clients/gaming distribution clients but like any software; security updates can and are made available for them.

Notepad++ Update Results from Bug Bounty / 7-Zip Updates

====================
Updated: 11th March 2019
====================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Thank you.

====================
Original Post:
====================
On Sunday, 27th January; a new version of Notepad++ was released to address 7 vulnerabilities found by the EU-Free and Open Source Software Auditing (EU-FOSSA). Given that one of the vulnerabilities is potentially remotely exploitable and that Notepad++ is in such wide use both across the world and within the EU; we should update to version 7.6.3 to benefit from the remediation of these vulnerabilities.

TL DR: If you use Notepad++ or 7-Zip, please consider updating them (even if exploits for these vulnerabilities are rare or do not exist):

Other widely used software participating this bug bounty program are listed here (highlights include VLC, Putty, Apache Kafka, KeePass, Drupal, glibc and FileZilla). As I have previously discussed on this blog; if you use a 64 bit version of Windows, please consider using the 64 bit version of Notepad++; here’s why:

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.

=======================
7-Zip Ranked as Number 5 in outdated software present on systems
=======================
On a separate but related note, earlier this month Avast made available a report that listed the most out of date software typically installed on systems. It was found that 7-Zip ranked number 5 with 92% of installs being out of date:

If you use 7-Zip, please consider upgrading it to version 18.06. I have previously provided descriptions of the vulnerabilities found in 7-Zip in 2018 and 2016 below. In addition; there have been several performance improvements in recent versions making the tool faster than before:

Updating 7-Zip is very easy. You should only download it from its official website. Installing the new version over an existing version takes only seconds.

Thank you.

July 2017 Security Updates Summary

Earlier today as expected Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved a relatively large number of vulnerabilities at 54 in total more formally known as CVEs (defined). However it’s less than last month at 94. These are detailed within Microsoft’s new Security Updates Guide.

After 2 months of updates being released for versions of Windows which were no longer supported, this month is a return to the usual expected patches.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog which I routinely referenced is no longer available.

====================

Adobe made available just two security bulletins for the following products:

Adobe Connect (priority 3, 2x important and 1x moderate CVE)

Adobe Flash (priority 1, 1x critical, 2x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Edge and Internet Explorer

NT LAN Manager Elevation of privilege (CVE-2017-8563)(Corporate users: please ensure to set a more secure LDAP setting as per this knowledge base article)

Windows Explorer (CVE-2017-8463)
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Note: This post marks the 300th post on this blog. Thank you very much to my readers and here’s to the next 300!

=======================
Update:8th August 2017:
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 9 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
Putty:
=======================
Putty, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.70 in early July. It contains 1 security fix and 2 non-security bug fixes  (see below).  It is downloadable from here.

=======================
Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even a name we missed when we thought we’d fixed this in 0.69. See vuln-indirect-dll-hijack-3.
=======================

If you use Putty, please update it to version 0.70. Thank you.

April 2017 Security Updates Summary

As expected earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s set of updates are much lighter in volume this month addressing 45 vulnerabilities more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month sees four known issues listed for this months updates all relating to the AMD Carrizo processor experiencing an issue which prevents the installation of future Windows Updates. Microsoft states in all four knowledge base articles (listed below) they are aware of this issue and are working to resolve it in upcoming updates:

KB4015549
KB4015546
KB4015550
KB4015547

At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues (although it has not been updated since November 2016, I’m unsure why).

====================
Adobe issued five security bulletins today affecting the following products:

Adobe Campaign (1x priority 2 CVE)
Adobe Flash Player (7x priority 1 CVEs)
Adobe Acrobat and Reader (47x priority 2 CVEs)
Adobe Photoshop (2x priority 3 CVEs)
Adobe Creative Cloud Desktop (2x priority 3 CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated version installed automatically later this week.

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

=======================
Update: 8th May 2017:
=======================
I wish to provide information on other notable updates from April 2017 which I would recommend you install if you use these software products:

=======================
Skype: While the Skype update to version 7.34.0.102 was released in March; details of the vulnerability it addressed were not made public until April.
=======================

=======================
Putty 0.69: while released in March; it contains important security changes. It is downloadable from here.
=======================

=======================
Wireshark 2.2.6 and 2.0.12
=======================
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.2.6) or v2.0.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================

=======================
Oracle:
=======================
There was a record 299 vulnerabilities addressed by Oracle’s updates in April. Further details and installation steps are available here. A useful summary post from Qualys is here. Of the 299 fixes, 8 vulnerabilities were addressed in the Java runtime.

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.
=======================

=======================
Mozilla Firefox:
=======================
Firefox 53.0 and Firefox 53.0.2

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 45.9 and Firefox ESR 52.1.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 29 security fixes:

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Adobe Coldfusion:
=======================
Adobe Coldfusion: 2x priority 2 vulnerabilities resolved.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
For the Microsoft updates this month, I will prioritize the order of installation for you below:

====================
Critical severity:
Microsoft Office and Windows WordPad (due to a previously disclosed zero day vulnerability (defined))
Microsoft Edge
Internet Explorer
Microsoft .Net Framework
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Putty 0.67 Security Update Released

Yesterday an update to the open source Putty SSH client (Secure Shell, defined) for Windows was released (bringing it to version 0.67) resolving a high priority security issue and to “defend against malicious other processes reading sensitive data out of its memory” by setting it’s process ACL (defined) more restrictively.

This update also fixes other software bugs and it’s executable files and installer are now digitally signed (defined) using Authenticode. Full details of the changes in version 0.67 are available in the changelog.

The updated version is available for download from this page. Please ensure to only download Putty from the previously provided link since tampered versions have previously been made available in an effort to spread malware.

If you use Putty, please update as soon as possible to benefit from the security fixes version 0.67 includes as well as the general software bugs that were also addressed.

Thank you.