====================
Updated Post
====================
To my readers; I hope you and your families are safe and well during these on-going challenging times. Sorry once again for the delay in publishing this post. However, it does contain information made available after the 9th March and should still prove useful.
On Tuesday, 9th March saw the usual release of security updates by both Adobe and Microsoft. Adobe’s updates addressing 17 and Microsoft’s updates addressing 89 vulnerabilities more formally known as CVEs (defined).
====================
Before we begin with Adobe’s updates, Microsoft’s updates for Windows 10 have caused and are continuing to cause issues when printing. Revised updates to resolve these issues partially fixed them and yet more updates to resolve the remaining issues are themselves sometimes failing to install.
Microsoft have since released revised updates which have resolved the installation issues while printing as expected. You should now be able to update your systems (Windows 10 and Windows 8.1) as normal.
====================
Adobe released 2 sets of updates this month to resolve vulnerabilities in the following products:
Adobe Animate: Addresses 7x Priority 3 vulnerabilities (2x Critical Severity and 5x Important Severity)
Adobe ColdFusion: Addresses 1x Priority 3 vulnerability (1x Critical Severity)
Adobe Connect: Addresses 4x Priority 3 vulnerabilities (1x Critical Severity and 3x Important Severity)
Adobe Creative Cloud Desktop: Addresses 3x Priority 3 vulnerabilities (3x Critical Severity)
Adobe Framemaker: Addresses 1x Priority 3 vulnerability (1x Critical Severity)
Adobe Photoshop: Addresses 2x Priority 3 vulnerabilities (2x Critical Severity)
As always, if you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.
====================
A further useful source of update related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
https://www.us-cert.gov/
====================
For this month’s Microsoft updates, I will prioritise the order of installation below:
====================
Important
====================
If you use Microsoft Exchange (the on-premises, non-cloud Office 365 version); please follow the steps below first to make sure your Exchange server is secure:
It is recommended to first check if a vulnerable system has been compromised before installing the necessary security updates.
You can inventory your systems to check which systems require patching using the guidance from the first Microsoft reference below. You can then use Microsoft Exchange On-Premises Mitigation Tool to temporarily mitigate some of the known security issues and scan for and remove any traces of compromise placed there by threat actors. More thorough investigation of system logs may be necessary if any evidence of compromise is found. Finally; the vulnerable systems can be patched to prevent further exploitation.
Further defence in depth measures are recommended to further harden servers from attacks resulting in web shells being placed upon them.
Microsoft stated recently that 92% of Exchange servers globally were updated against these vulnerabilities but more work still needs to be done to bring the figure as high as possible:
====================
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26855
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26412
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26857
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-27065
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-26858
Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-26897
Windows Hyper-V Remote Code Execution Vulnerability: CVE-2021-26867
Microsoft Azure Sphere Unsigned Code Execution Vulnerability: CVE-2021-27080
Git for Visual Studio Remote Code Execution Vulnerability: CVE-2021-21300
OpenType Font Parsing Remote Code Execution Vulnerability: CVE-2021-26876
Microsoft Internet Explorer Memory Corruption Vulnerability: CVE-2021-26411
Microsoft Windows Win32k Elevation of Privilege Vulnerability: CVE-2021-27077
HEVC Video Extensions Remote Code Execution Vulnerabilities: CVE-2021-24089, CVE-2021-26902 and CVE-2021-27061
Microsoft Azure Sphere Unsigned Code Execution Vulnerability: CVE-2021-27074
A revised fix was made available for PsExec in March 2021 following an initial update in February 2021.
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications below (I will continue to add to this list).
To all of my readers; I hope you and your families continue to stay well during these challenging times. Thank you.
====================
Mozilla Firefox
====================
In the third week of March Mozilla made available Firefox 87 and Firefox ESR (Extended Support Release) 78.9 to resolve the following vulnerabilities:
Firefox 87: Resolves 2x High severity CVEs, 4x Moderate severity and 2x Low severity
Firefox 78.9: Resolves 2x High Severity CVEs and 1x set of security issues (rated High) and 2x Moderate severity CVEs
Firefox 87 also introduces the following new features (my thanks to ghacks.net for this):
- Firefox 87 introduces SmartBlock, a feature to reduce website breakage when using private browsing or strict enhanced tracking protection.
- The default HTTP Referrer policy will trim the path so that only the domain name is submitted for cross-origin requests.
====================
Google Chrome
====================
Google has released 4 Chrome updates in March version 89.0.4389.72 , version 89.0.4389.90 and version 89.0.4389.114 for Linux, Mac and Windows to resolve 47, 5 and 8 security vulnerabilities (respectively). Version 89.0.4389.82 for does not contain security updates.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
====================
Netmask Library
====================
The netmask npm library disclosed a security issue that was addressed in version 2.0.0. Version 2.0.2 has since been released with the previous version 2.0.1 providing a more complete fix for CVE-2021-29418. Further details are available from BleepingComputer.
The relevant security advisory is here with details of how to download version 2.0.2 available from here. Please update to this version if you use this library.
====================
Original Post
====================
To my readers; I hope you are doing well.
In advance of next Tuesday’s security updates by Adobe and Microsoft I wanted to highlight the following emergency updates from Microsoft intended for Microsoft Exchange. Google also released an important update for Chrome.
If you use Microsoft Exchange 2013, 2016 or 2019, please make certain to install the following updates as soon as possible. Attackers are already seeking to advantage of these vulnerabilities:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
BleepingComputer also provided the following helpful links:
How to install the Microsoft Exchange Updates
Provided PowerShell console commands to scan event logs for traces of attacks against these vulnerabilities
An Nmap script to scan your network for vulnerable Exchange servers (provided by Microsoft Senior Threat Intelligence Analyst Kevin Beaumont)
Special thanks to BleepingComputer for the above links and advice. Thank you.
====================
Google Chrome
====================
Google released Google Chrome v89.0.4389.72 for Linux, Mac and Windows on the 2nd March to resolve 47 security vulnerabilities. One; CVE-2021-21166 is being exploited by attackers.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
securityinaction 