Tag Archives: Update Tuesday

July 2019 Update Summary

As predicted, earlier today Adobe and Microsoft made available their usual monthly security updates, addressing 5 and 77 vulnerabilities (respectively), more formally known as CVEs (defined):

====================
Adobe Bridge CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Dreamweaver: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Experience Manager: 3x Priority 2 vulnerabilities resolved (2x Important, 1x Moderate severity)

If you use any of these Adobe products, please apply the necessary updates as soon as possible.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Just like last month, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products; affected users should refer to the guidance Microsoft links to within the summary page above to attempt to work around these issues:

4493730   Servicing stack update for Windows Server 2008 SP2

4507434   Internet Explorer 11

4507435   Windows 10, version 1803

4507448   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4507449   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4507450   Windows 10, version 1703

4507453   Windows 10, version 1903, Windows Server version 1903

4507455   Windows 10, version 1709

4507457   Windows 8.1, Windows Server 2012 R2 (Security-only update)

4507458   Windows 10

4507460   Windows 10 1607 and Windows Server 2016

4507462   Windows Server 2012 (Monthly Rollup)

4507464   Windows Server 2012 (Security-only update)

4507469   Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Zero-day (defined) vulnerabilities:
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability

CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability

====================
Critical
====================
CVE-2019-0785  Windows DHCP Server Remote Code Execution Vulnerability

CVE-2019-1072  Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

CVE-2019-1056  Scripting Engine

CVE-2019-1106  Scripting Engine

CVE-2019-1092  Scripting Engine

CVE-2019-1103  Scripting Engine

CVE-2019-1107  Scripting Engine

CVE-2019-1062  Scripting Engine

CVE-2019-1004  Scripting Engine

CVE-2019-1001  Scripting Engine

CVE-2019-1063  Internet Explorer Memory Corruption Vulnerability

CVE-2019-1104  Microsoft Browser Memory Corruption Vulnerability

CVE-2019-1102  GDI+ Remote Code Execution Vulnerability

CVE-2019-1113  .NET Framework Remote Code Execution Vulnerability

Servicing Stack Update

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
Today, Mozilla released Firefox 68.0 to address the following vulnerabilities and to introduce new features:

Firefox 68.0: Resolves 2x critical CVEs (defined), 3x high CVEs, 10x moderate and 4x low CVEs

Firefox 60.8 ESR (Extended Support Release): Resolves 1x critical CVE, 4x high CVEs and 5x moderate CVEs

Firefox now also includes cryptomining protection and fingerprinting protections and improved add-on security (my thanks to Softpedia for this information, more details on other security features are here).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware ESXi
=======================
Earlier today VMware made available an update for ESXi version 6.5. Version 6.0 is unaffected and a patch for 6.7 is pending. This update resolves a denial of service vulnerability.

If you use VMware ESXi, please update when you can.

Thank you.

RAMBleed: What you need to know

Yesterday, security researchers disclosed a vulnerability relating to how data is accessed after it is stored within computer memory modules, which can eventually lead to partial data disclosure.

================
TL;DR:
================
This is a low severity (CVSS Base Score: 3.8) but notable vulnerability which cannot be exploited remotely. For organisations and customers, no action is required. It is up to software developers to use trusted execution environments (TEEs) e.g. AMD SEV, ARM TrustZone or Intel SGX to protect important data, or to clear such data from memory after use. Some DDR4 modules are not vulnerable to Rowhammer.

================
How does this attack take place?
================
An attacker would first need to compromise your system and persuade you to run an application. Due to the physical effects of manufacturing memory modules which are smaller and smaller, the space between the memory cells used to store data is subject to electrical interference. An attacker can exploit this by reading the data from a memory address of interest over and over again, which eventually causes the binary contents (0 or 1) used to store data to change/“flip” from 0 to 1 or vice versa.

This effect has been seen before in an attack dubbed “Rowhammer” in 2014. That attack can be mitigated by the use of memory modules that use ECC (Error Correction Code). However, this new technique RAMBleed cannot be mitigated by ECC (defined).

================
What must an attacker do to exploit this vulnerability?
================
An attacker must first map the memory which contains the data they wish to acquire. They can then work to control the data on either side of the target data in memory. Accessing this data over and over “hammers” the row containing it. If the target bit is 0, it will flip to 1, and if 1 it becomes a zero (0). The attacker can then repeat this for one column down in the memory segment to obtain the next piece of target data. Researchers were able to obtain 3 to 4 bits (either 0 or 1) per second.

Researchers used this technique to obtain a 2048 bit OpenSSH key from the memory of a server. They did so by first using a technique they named “Frame Feng-Shui” that allows them to place the target data within a physical memory frame (area) of their choice. The speed was 0.3 bits per second with an accuracy of 82%. By obtaining only some of the data and using a variant of the technique documented within the Heninger-Shacham algorithm they succeeded in recovering the remainder of the key.

================
How can an organisation or a consumer/end-user defend against this attack?
================
Encrypted memory achieved by the use of trusted execution environments (TEEs) e.g. AMD Secure Encrypted Virtualization (SEV), ARM TrustZone or Intel Software Guard Extensions (SGX) will mitigate this attack since the attackers will obtain encrypted rather than ready to use/plain text data.

Alternatively, software developers can clear encryption keys or other sensitive data from memory after using it. Intel recommends its guidelines for resisting side-channel and timing side-channel attacks:

A lesser known mitigation is the use of DDR4 memory modules whose Maximum Activation Count (MAC) value is “unlimited”; such modules are reported as not vulnerable to Rowhammer, which should disrupt the success of the attack.

This field is stored within the module’s SPD (Serial Presence Detect) data. From the following page, many but not all of the examined DDR4 modules feature this setting. For example, my 4x 16 GB (64GB) Corsair Dominator Platinum PC4-21300 (CMX64GX4M4A2666C15) modules feature this setting and so appear not to be vulnerable to the Rowhammer technique. You can see this from the first attached screenshot (denoted by the value “Unlimited MAC”):

These screenshots were obtained from the RAMMon application available from PassMark.
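As an added example (not from the original post and not PassMark’s code), the PowerShell below decodes the Maximum Activate Count field from the raw SPD bytes of a DDR4 module, so the “Unlimited MAC” check can be run over a saved SPD dump rather than read off a screenshot. The byte positions (byte 2 = DRAM type, byte 7 = MAC and tMAW codes) follow the JEDEC DDR4 SPD layout; the sample byte arrays and the dump path are constructed for illustration.

```powershell
# Decode the Maximum Activate Count (MAC) field from a DDR4 SPD image.
# Layout assumed from the JEDEC DDR4 SPD specification:
#   byte 2 = DRAM device type (0x0C means DDR4 SDRAM)
#   byte 7 = "SDRAM Optional Features": bits 3..0 = MAC code, bits 5..4 = tMAW code
function Get-Ddr4SpdMac {
    param(
        [Parameter(Mandatory)]
        [byte[]]$Spd
    )

    if ($Spd.Length -lt 8) {
        throw "SPD image too short ($($Spd.Length) bytes); at least 8 are needed"
    }
    if ($Spd[2] -ne 0x0C) {
        # Byte 7 has a different meaning on DDR3/DDR2 modules, so refuse to decode it.
        throw ('Not a DDR4 SPD image (byte 2 = 0x{0:X2})' -f $Spd[2])
    }

    $macCode  = [int]($Spd[7] -band 0x0F)
    $tmawCode = [int](($Spd[7] -shr 4) -band 0x03)

    # MAC = activations a row tolerates within the window tMAW before a neighbouring row may flip.
    $macTable = @{
        0 = 'Untested'; 1 = '700K'; 2 = '600K'; 3 = '500K'
        4 = '400K';     5 = '300K'; 6 = '200K'; 8 = 'Unlimited'
    }
    $tmawTable = @{ 0 = '8192 x tREFI'; 1 = '4096 x tREFI'; 2 = '2048 x tREFI' }

    $mac  = if ($macTable.ContainsKey($macCode))   { $macTable[$macCode] }   else { 'Reserved' }
    $tmaw = if ($tmawTable.ContainsKey($tmawCode)) { $tmawTable[$tmawCode] } else { 'Reserved' }

    [pscustomobject]@{
        MaximumActivateCount  = $mac
        MaximumActivateWindow = $tmaw
        # Only "Unlimited" is a vendor claim of Rowhammer tolerance; "Untested" says nothing either way.
        MacIsUnlimited        = ($mac -eq 'Unlimited')
    }
}

# Constructed samples: only the first 8 bytes of a (normally 512 byte) SPD image are given.
# Byte 7 = 0x08 -> MAC "Unlimited", tMAW 8192 x tREFI.
$sampleUnlimited = [byte[]](0x23, 0x11, 0x0C, 0x02, 0x85, 0x21, 0x00, 0x08)
# Byte 7 = 0x15 -> MAC 300K activations, tMAW 4096 x tREFI.
$sampleLimited   = [byte[]](0x23, 0x11, 0x0C, 0x02, 0x85, 0x21, 0x00, 0x15)

Get-Ddr4SpdMac -Spd $sampleUnlimited
Get-Ddr4SpdMac -Spd $sampleLimited

# To check a saved dump instead (hypothetical path):
# Get-Ddr4SpdMac -Spd ([System.IO.File]::ReadAllBytes('C:\spd\dimm0.bin'))
```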


Thank you.

Mitigating Microsoft’s June 2019 NTLM Vulnerabilities

Microsoft issued an update yesterday to resolve 2 vulnerabilities within Windows that can be used to allow an attacker to authenticate and run code remotely.

TL;DR: Install the updates for CVE-2019-1019 and CVE-2019-1040 and follow the recommended guidelines in Preempt’s blog post:

================
If attackers exploited these issues; what would the result be?
================
Preempt responsibly disclosed 2 vulnerabilities as a result of 3 logic flaws in NTLM to Microsoft. As a result of previous disclosures Microsoft added the Message Integrity Code (MIC) field designed to guarantee that attackers cannot tamper with NTLM messages in any way. Preempt bypassed this allowing them to change NTLM authentication fields, reducing security.

Next, Server Message Block (SMB) Session Signing was bypassed by Preempt allowing attackers to relay NTLM authentication messages and establish SMB and DCE/RPC sessions. Enhanced Protection for Authentication (EPA) was bypassed allowing the altering of “NTLM messages to generate legitimate channel binding information.” Finally, their bypasses could allow “attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution.” This potentially could lead to the entire Active Directory domain becoming compromised by moving laterally from system to system.

================
How can an organisation or a consumer/end-user defend against these attacks/bypasses?
================
Install the updates for CVE-2019-1019 and CVE-2019-1040:

Moreover, Preempt’s blog post provides the necessary recommendations to fully mitigate these issues.

================

For reference I have linked to how to enable the following mitigations:

Enforce SMB Signing

Block NTLMv1
Part 1

Further information link

Enforce LDAP Signing

Enforce EPA:
Part 1

Part 2
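As an added example (not from the original post and not Preempt’s code), the following PowerShell audits, on the host it runs on, the registry values that back the mitigations listed above. The registry paths and value names are the ones the corresponding Group Policy “Security Options” settings write; the LDAP signing and LDAP channel binding (EPA) values exist only on domain controllers.

```powershell
# Audit the registry values behind the mitigations listed above.
# Group Policy "Security Options" write these same values, so the result reflects the
# effective setting whether it came from GPO or was set by hand. Run in an elevated
# session on the host being audited; the NTDS values exist only on domain controllers.
$ntlmChecks = @(
    [pscustomobject]@{
        Mitigation = 'Enforce SMB signing (server side)'
        Path       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name       = 'RequireSecuritySignature'
        Required   = 1        # 1 = signing required, 0 = only negotiated
        DcOnly     = $false
    }
    [pscustomobject]@{
        Mitigation = 'Enforce SMB signing (client side)'
        Path       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Name       = 'RequireSecuritySignature'
        Required   = 1
        DcOnly     = $false
    }
    [pscustomobject]@{
        Mitigation = 'Block NTLMv1 (LAN Manager authentication level)'
        Path       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name       = 'LmCompatibilityLevel'
        Required   = 5        # 5 = send NTLMv2 only, refuse LM and NTLM(v1)
        DcOnly     = $false
    }
    [pscustomobject]@{
        Mitigation = 'Enforce LDAP signing (domain controller)'
        Path       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Name       = 'LDAPServerIntegrity'
        Required   = 2        # 2 = require signing, 1 = none
        DcOnly     = $true
    }
    [pscustomobject]@{
        Mitigation = 'Enforce EPA / channel binding for LDAP (domain controller)'
        Path       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Name       = 'LdapEnforceChannelBinding'
        Required   = 2        # 2 = always, 1 = when supported, 0 = never
        DcOnly     = $true
    }
)

function Test-NtlmMitigations {
    param([pscustomobject[]]$Checks = $ntlmChecks)

    foreach ($c in $Checks) {
        if ($c.DcOnly -and -not (Test-Path -Path $c.Path)) {
            [pscustomobject]@{
                Mitigation = $c.Mitigation
                Setting    = 'n/a (not a domain controller)'
                Required   = $c.Required
                Enforced   = 'N/A'
            }
            continue
        }

        # A missing value means the Windows default applies, which is weaker than
        # the required value for every setting checked here.
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = [int]$item.($c.Name) }

        if ($null -eq $actual) {
            $setting = "$($c.Name) not set (Windows default applies)"
        } else {
            $setting = "$($c.Name) = $actual"
        }

        [pscustomobject]@{
            Mitigation = $c.Mitigation
            Setting    = $setting
            Required   = $c.Required
            # Required is the strictest defined value for each setting, so >= means enforced.
            Enforced   = ($null -ne $actual -and $actual -ge $c.Required)
        }
    }
}

Test-NtlmMitigations | Format-Table -AutoSize
```

EPA for services other than LDAP (for example IIS) is configured per application rather than through these keys and is not covered by this audit.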

================

Thank you.

Microsoft re-issues warning to patch BlueKeep Vulnerability

=======================
Update: 30th June 2019
=======================
A Microsoft employee (Raviv Tamir, Group Program Manager, Microsoft Threat Protection) has provided an update on the global status of patching the BlueKeep vulnerability. The most recent update is from 20th June: 83.4% coverage, an increase from 72.4% on 5th June and 57% on May 30th.

Keep up the great work. Thank you.

=======================
Update: 21st June 2019
=======================
The current situation with the BlueKeep vulnerability continues to increase in scope, with Windows 2000 and its server variants (Windows 2000 Server, Advanced Server and Datacentre Server) now confirmed as vulnerable after the Department of Homeland Security (DHS) created a working BlueKeep exploit. Given that Windows Server 2003 and XP share much of their codebase with Windows 2000, this announcement isn’t entirely surprising. Microsoft separately confirmed there are no plans to issue updates for Windows 2000.

For any business or consumer still using Windows 2000, they have much more than just this vulnerability to be concerned about given that there have been no security updates since July 2010. The advice is, as always, to upgrade to a supported version of Windows:

Thank you.

=======================
A BlueKeep short story:
=======================
Separately, last weekend I had the opportunity to “practice what I preach” when a friend came to me with a Windows XP laptop dating back to 2008. Surprisingly it was in almost new condition and was remarkably fast to use given its age. It had an Intel Core Solo CPU and 2 GB of RAM.

He no longer uses it online, preferring an iPad Pro instead, but needs to keep it online within his home network to administer his single security CCTV camera using an application (strangely the camera isn’t administered via a web browser). He had heard about BlueKeep and wondered whether I could patch it for him.

The laptop was connected via Ethernet to his router. I had asked him to send me a photo of the installed programs on the computer to see what I was going to deal with. I found the system had Windows XP SP3 (but no further updates), Office 2007, Adobe Reader 10 and VLC 1.1.5.

The Windows firewall was enabled and set to default settings. I verified using Nmap that port 3389 and other commonly exploitable ports like 445 (SMB) and Telnet (23) weren’t open.

I installed almost 150 updates for Windows XP using Microsoft Update (http://update.microsoft.com), installed SP3 for Office 2007 and a further 37 updates for it after SP3.

Next, I installed Adobe Reader 11.0.10 and VLC 3.0.7.1. I also installed the 13 updates from Microsoft for Windows XP in 2017 (resolving DoublePulsar and EternalBlue; among others) and finally the BlueKeep security update. In less than 2 hours of me just reviewing the results of update checks and some very quick update installs his system was patched and continued to work perfectly.

From past experience of manually removing malware from really old systems this laptop was far better than expected. All of the updates installed quickly and with no errors. I estimate more than 1000 CVEs were resolved by the updates I installed.

He easily committed to continue not using it for website or email access since his iPad Pro fulfills that role and is faster. He was impressed that the laptop continues to work perfectly despite the vast number of updates it received.

Finally, yes I realize I should suggest upgrading from Windows XP but he doesn’t use the system for online use, just inside his network. His router is adequately protecting his network with its settings and most recent firmware updates installed. Given this use case and surrounding infrastructure, I see the risk as minimal. Plus he also told me the system doesn’t have important data on it; he just wanted it patched in order to keep using it uninterrupted.

A really good outcome; case closed 😊

=======================
Update: 12th June 2019
=======================
TL;DR:
Install the RDP patch if you have not already done so. Use the paid-for micropatch if you can’t take a system offline to reboot it. If you can’t do either of these follow Microsoft’s or the NSA’s advice to mitigate the vulnerability.
=======================

Microsoft on the 31st of May re-iterated its warning to patch vulnerable systems as soon as possible.

Meanwhile, multiple proofs of concept of how to exploit the vulnerability have been developed by security researchers:

This story continues with another security researcher creating a proof of concept Metasploit exploit for this vulnerability. The exploit works on Windows XP, Windows 7, Server 2008 and Server 2008 R2. Windows Server 2003 has the RDP vulnerability but the vulnerability couldn’t be exploited.

The NSA have since issued an advisory in addition to the two notifications from Microsoft linked to above.

For systems which cannot spare the down-time needed to reboot after installing the Microsoft patch, a micropatch from 0Patch is available for their Pro version subscribers:

As a proof of concept of how long it may take to patch a system, I used a VMware snapshot taken from a test Windows XP SP3 system I used back in 2012. The installation had no updates apart from SP3. After 40 minutes, all missing patches (2008 – 2014), the updates from 2017 (resolving EternalBlue, amongst others) and this year’s RDP update were installed. Patching the RDP vulnerability took less than a minute (including the restart and start-up of the system).

I repeated the above using the Automatic Updates feature of Windows XP. I was able to fully patch the system in 30 minutes.

Systems which are better maintained than this would easily take less time (even if patched manually like I did), especially if tools such as WSUS or SCCM are used, where vast numbers of systems can be patched very quickly.

Thank you.

=======================
Original Post: 4th June
=======================
Earlier this month Microsoft issued an update to resolve a critical vulnerability in Remote Desktop Services making use of the RDP protocol, port 3389.

TL;DR: If you use Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 or Windows XP, if you have not done so already, please install this update.

Why should this vulnerability be considered important?
As Microsoft reminded us when issuing the patch, this vulnerability requires no authentication or user interaction. It has the potential to spread just like the WannaCry and NotPetya infections did in 2017. Windows 8.1 and Windows 10 (and their Server equivalents) are NOT vulnerable.

Robert Graham from Errata Security on the 28th of May issued a report of the scan results from a widespread scan of the internet. He found approximately 950,000 vulnerable systems.

How can I protect my organisation or myself from this vulnerability?
The easiest method is to install the update available from Microsoft.

For Windows Server 2003, Windows XP and Windows Vista, the update must be manually downloaded and installed from the link below, since it was not made available through the automatic mechanisms these versions of Windows previously had, namely Microsoft Update, Automatic Updates and Windows Update.

If you cannot install this security update, you can protect against this vulnerability by following the Workarounds listed in this link. Further explanation from Microsoft is also available from this link.

Microsoft on the 30th and 31st of May re-iterated its warning to patch vulnerable systems as soon as possible. Meanwhile, proofs of concept of how to exploit the vulnerability have been developed by at least 3 security researchers.

Thank you.

May 2019 Update Summary

====================
Note to my readers:

Due to professional commitments over the last several weeks and for the next 2 weeks, updates and new content to this blog have been and will be delayed. I’ll endeavour to return to a routine manner of posting as soon as possible.

Thank you.
====================

Earlier today Microsoft and Adobe released their monthly security updates. Microsoft resolved 79 vulnerabilities (more formally known as CVEs (defined)) with Adobe addressing 87 vulnerabilities.

Adobe Acrobat and Reader: 84x priority 2 vulnerabilities (48x Critical and 36x Important severity)

Adobe Flash: 1x priority 2 vulnerability (1x Critical severity)

Adobe Media Encoder: 2x priority 3 vulnerabilities (1x Critical severity and 1x Important severity)

If you use Acrobat/Reader or Flash, please apply the necessary updates as soon as possible. Please install their remaining priority 3 update when time allows.

====================
For Microsoft, this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4493730   Windows Server 2008 Service Pack 2 (Servicing Stack Update)

4494440   Windows 10, version 1607, Windows Server 2016

4494441   Windows 10, version 1809, Windows Server 2019

4497936   Windows 10, version 1903

4498206   Internet Explorer Cumulative Update

4499151   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4499154   Windows 10

4499158   Windows Server 2012 (Security-only update)

4499164   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

4499165   Windows 8.1 Windows Server 2012 R2 (Security-only update)

4499167   Windows 10, version 1803

4499171   Windows Server 2012 (Monthly Rollup)

4499179   Windows 10, version 1709

4499180   Windows Server 2008 Service Pack 2 (Security-only update)

4499181   Windows 10, version 1703

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows RDP: CVE-2019-0708 (also includes an update for Windows Server 2003 and Windows XP)

Scripting Engine: CVE-2019-0924 ,  CVE-2019-0927 , CVE-2019-0922 , CVE-2019-0884 , CVE-2019-0925 , CVE-2019-0937 , CVE-2019-0918 , CVE-2019-0913 , CVE-2019-0912 , CVE-2019-0911 , CVE-2019-0914 , CVE-2019-0915 , CVE-2019-0916 , CVE-2019-0917

Windows DHCP Server: CVE-2019-0725

Microsoft Word: CVE-2019-0953

Microsoft Graphics Component: CVE-2019-0903

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Error Reporting: CVE-2019-0863

Microsoft Advisory for Adobe Flash Player

Microsoft Windows Servicing Stack Updates

For the Intel Microarchitectural Data Sampling (MDS) vulnerabilities, please follow the advice of Intel and Microsoft within their advisories. A more thorough list of affected vendors is available from here.

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Nvidia Graphics Drivers:
=======================
3 security vulnerabilities, with the most severe having a CVSS V3 (defined) base score of 7.7, have been resolved within Nvidia’s graphics card drivers (defined) in May. These vulnerabilities affect Windows only. All 3 are local vulnerabilities rather than remote, meaning that an attacker would first need to compromise your system before exploiting the Nvidia vulnerabilities to elevate their privileges. The steps to install the drivers are located here. If you use an affected Nvidia graphics card, please consider updating your drivers to the most recent available.

=======================
VMware
=======================
VMware has released the following security advisories:

Workstation Pro:

Security Advisory 1: Addresses 1x DLL hijacking vulnerability (defined)

Security Advisory 2: Addresses 4x vulnerabilities present in Workstation Pro and the products listed below. Please make certain to install Intel microcode updates for your systems as they become available, in addition to these VMware updates:

VMware vCenter Server (VC)
VMware vSphere ESXi (ESXi)
VMware Fusion Pro / Fusion (Fusion)
vCloud Usage Meter (UM)
Identity Manager (vIDM)
vCenter Server (vCSA)
vSphere Data Protection (VDP)
vSphere Integrated Containers (VIC)
vRealize Automation (vRA)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

Thank you.

April 2019 Update Summary

Yesterday Microsoft and Adobe made available their scheduled security updates. Microsoft addressed 74 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 42 vulnerabilities.

Adobe Acrobat and Reader: 21x priority 2 vulnerabilities (11x Critical and 10x Important severity)

Adobe Flash: 2x priority 2 vulnerabilities (1x Critical and 1x Important severity)

Adobe Shockwave Player: 7x priority 2 vulnerabilities (7x Critical severity)

Adobe Dreamweaver: 1x priority 3 vulnerability (Moderate severity)

Adobe XD: 2x priority 3 vulnerabilities (2x Critical severity)

Adobe InDesign: 1x priority 3 vulnerability (Critical severity)

Adobe Experience Manager Forms: 1x priority 2 vulnerability (Important severity)

Adobe Bridge CC: 8x priority CVEs (2x Critical, 6x Important)

If you use Acrobat/Reader, Flash or Shockwave, please apply the necessary updates as soon as possible. Please install their remaining priority 2 and 3 updates when you can.

Please note, as per Adobe’s notice, Shockwave Player has now reached its end of life. No further updates will be made available.

====================
For Microsoft, this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. All issues however do have at least 1 workaround:

4487563   Microsoft Exchange Server 2019, 2016, and 2013

4491413   Update Rollup 27 for Exchange Server 2010 Service Pack 3

4493441   Windows 10 version 1709, Windows Server Version 1709

4493446   Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4493448   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

4493450   Windows Server 2012 (Security-only Rollup)

4493451   Windows Server 2012 (Monthly Rollup)

4493458   Windows Server 2008 Service Pack 2 (Security-only update)

4493464   Windows 10 version 1803, Windows Server Version 1803

4493467   Windows 8.1, Windows Server 2012 R2 (Security-only update)

4493470   Windows 10 version 1607, Windows Server 2016

4493471   Windows Server 2008 Service Pack 2 (Monthly Rollup)

4493472   Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4493474   Windows 10 version 1703

4493509   Windows 10 version 1809, Windows Server 2019

4493730   Windows Server 2008 SP2

4493435   Internet Explorer Cumulative Update

You can monitor the availability of security updates for most of your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Win32k: CVE-2019-0803 , CVE-2019-0859 (both are being actively exploited in the wild)

Scripting Engine: CVE-2019-0861 ,  CVE-2019-0806 , CVE-2019-0739 , CVE-2019-0812 , CVE-2019-0829

Microsoft Graphics Component (GDI+): CVE-2019-0853

Microsoft Windows IOleCvt Interface: CVE-2019-0845

Microsoft Windows SMB Server: CVE-2019-0786

Microsoft (MS) XML: CVE-2019-0790 , CVE-2019-0791 , CVE-2019-0792 , CVE-2019-0793 , CVE-2019-0795

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================
Please install the remaining updates at your earliest convenience.

As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Notepad++:
======================
As noted in the March Update Summary post, Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 (the version released in March) which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Wireshark 3.0.1 and 2.6.8
=======================
v3.0.1: 10 security advisories

v2.6.8: 6 security advisories

As per standard process, Linux distributions can obtain this update using the operating system’s standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.0.1 or v2.6.8)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

March 2019 Update Summary

====================
Updated: 21st March 2019
====================
Two of the vulnerabilities patched by Microsoft (CVE-2019-0797 and CVE-2019-0808) were zero day (defined) vulnerabilities being actively exploited in the wild. Four other vulnerabilities were publicly known (CVE-2019-0683, CVE-2019-0754, CVE-2019-0757 and CVE-2019-0809).

Separately the Google Chrome vulnerability mentioned below namely CVE-2019-5786 was also being exploited by attackers.

After publishing my original post, Adobe and Microsoft jointly reported that while a newer version (32.0.0.156) of Flash Player was made available, it only resolves non-security bugs.

I have updated the suggested installation order (below) to reflect this new information. Thank you.

====================
Original Post:
====================
As scheduled, earlier today Microsoft and Adobe made available their security updates. Microsoft addressed 65 vulnerabilities (more formally known as CVEs (defined)) with Adobe resolving 2 vulnerabilities.

For Adobe: if you manage an installation of Adobe ColdFusion or know someone who does, and have not already done so, please apply the necessary updates made available earlier this month. That update addressed a single priority 1 zero day (defined) vulnerability being exploited in the wild. Today’s Adobe updates are as follows:

Adobe Digital Editions: 1x priority 3 CVE resolved

Adobe Photoshop CC: 1x priority 3 CVE resolved

If you use the affected Adobe products, please install their remaining priority 3 updates when you can.

This month’s list of Known Issues is now collated by Microsoft within their monthly summary page and applies to all currently supported operating systems:

KB4489878          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

KB4489881          Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB4489882          Windows 10 version 1607, Windows Server 2016

KB4489883          Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB4489884          Windows Server 2012 (Security-only update)

KB4489885          Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)

KB4489891          Windows Server 2012 (Monthly Rollup)

KB4489899          Windows 10 version 1809, Windows Server 2019
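As an added example (not from the original post), the following PowerShell checks which of the KB articles listed above are present on the local machine, using only the KB numbers and product names given in the list. Get-HotFix and Win32_OperatingSystem are standard Windows components; nothing else about the host is assumed.

```powershell
function Test-MarchKBs {
    # KB numbers and the products they apply to, copied from the list above.
    $kbs = [ordered]@{
        'KB4489878' = 'Windows 7 SP1 / Server 2008 R2 SP1 (Monthly Rollup)'
        'KB4489881' = 'Windows 8.1 / Server 2012 R2 (Monthly Rollup)'
        'KB4489882' = 'Windows 10 1607 / Server 2016'
        'KB4489883' = 'Windows 8.1 / Server 2012 R2 (Security-only)'
        'KB4489884' = 'Windows Server 2012 (Security-only)'
        'KB4489885' = 'Windows 7 SP1 / Server 2008 R2 SP1 (Security-only)'
        'KB4489891' = 'Windows Server 2012 (Monthly Rollup)'
        'KB4489899' = 'Windows 10 1809 / Server 2019'
    }

    # Identify the host OS so the reader can tell which single entry should apply.
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # Build a lookup of installed hotfix IDs and their install dates.
    $installed = @{}
    foreach ($fix in Get-HotFix) {
        $installed[$fix.HotFixID] = $fix.InstalledOn
    }

    # Emit one object per KB. Only the KB matching $os is expected to be present;
    # "False" for the other OS versions is normal. On Windows 10 a later
    # cumulative update supersedes this one, so a fully patched 1607/1809 host
    # may also show False here; check Windows Update history in that case.
    foreach ($kb in $kbs.Keys) {
        [pscustomobject]@{
            Host        = $os
            KB          = $kb
            AppliesTo   = $kbs[$kb]
            Installed   = $installed.ContainsKey($kb)
            InstalledOn = $installed[$kb]
        }
    }
}

Test-MarchKBs | Format-Table -AutoSize
```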

You can monitor the availability of security updates for most of your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Kernel: CVE-2019-0797, CVE-2019-0808

Windows DHCP Client: CVE-2019-0697, CVE-2019-0698, CVE-2019-0726

Microsoft XML: CVE-2019-0756

Scripting Engine: CVE-2019-0592, CVE-2019-0746, CVE-2019-0639, CVE-2019-0783, CVE-2019-0609, CVE-2019-0611, CVE-2019-0666, CVE-2019-0769, CVE-2019-0665, CVE-2019-0667, CVE-2019-0680, CVE-2019-0773, CVE-2019-0770, CVE-2019-0771, CVE-2019-0772

Visual Studio Remote Code Execution Vulnerability: CVE-2019-0809

Microsoft Active Directory: CVE-2019-0683

NuGet Package Manager Tampering Vulnerability: CVE-2019-0757

Windows Denial of Service Vulnerability: CVE-2019-0754

Microsoft Dynamics 365: a privilege escalation vulnerability (defined) has been addressed (this product is also widely deployed)

If you use Microsoft IIS (Internet Information Services), please review advisory: ADV190005

====================
Please install the remaining updates at your earliest convenience.

As always, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Google Chrome:
=======================
Google released Google Chrome version 72.0.3626.121 to address a single zero day (defined) vulnerability under active exploit. The vulnerability was a high severity use-after-free (defined) flaw in Chrome’s FileReader API (defined) which could have led to information disclosure of files stored on the same system on which Chrome is installed.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Notepad++:
=======================
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. This version follows another from January which resolved 7 other vulnerabilities. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Notepad++ 7.6.6 was released to resolve a critical regression in 7.6.5 which caused Notepad++ to crash. Version 7.6.5 resolved a further 6 security vulnerabilities.

If you use Notepad++, please update to the newest version to benefit from these reliability and security fixes.

Thank you.

=======================
Mozilla Firefox
=======================
Update: 25th March 2019: As detailed in the Pwn2Own 2019 results post; Mozilla released a further update for Firefox and Firefox ESR bringing their version numbers to 66.0.1 and 60.6.1 respectively. Both updates resolve 2x critical CVEs. Please consider updating to these versions as soon as possible.

=======================
In the latter half of March Mozilla issued updates for Firefox 66 and Firefox ESR (Extended Support Release) 60.6:

Firefox 66.0: Resolves 5x critical CVEs (defined), 7x high CVEs, 5x moderate CVEs and 4x low CVEs

Firefox 60.6: Resolves 4x critical CVEs, 4x high CVEs and 2x moderate CVEs

Firefox 66 introduces better reliability (since crashes have been reduced) and improved performance. In addition, smooth scrolling has been added. The blocking of websites automatically playing audio or video content is now also present. These and other features are discussed in more depth here and here.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware:
=======================
VMware issued 2 security advisories during March:
Security Advisory 1: Addresses 2x important severity CVEs in the following products:

VMware Player
VMware Workstation Pro

Security Advisory 2: Addresses 1x moderate severity CVE in the following products:

VMware Horizon

If you use the above VMware products, please review the security advisories and apply the necessary updates.

=======================
PuTTY:
=======================
PuTTY, the open source and highly popular SSH (defined) client for Windows, was updated to version 0.71 in mid-March. It contains 8 security fixes (see below). They are a result of the bug bounties awarded through the EU-Free and Open Source Software Auditing (EU-FOSSA) programme (discussed previously in this post). Version 0.71 is downloadable from here.

If you use PuTTY, please update it to version 0.71. Thank you.

Security vulnerabilities fixed:

=======================

=======================
Nvidia Geforce Experience Software:
=======================
In late March, Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 1 high severity vulnerability (as per its CVSS base score). The necessary update can be applied by opening Geforce Experience, which will automatically update itself, or the update can be obtained from here.

=======================
GOG Galaxy
=======================
Good Old Games (GOG) has published an update for their popular game distribution platform GOG Galaxy. It resolves 2x critical vulnerabilities. Additionally, 2x high severity and 2x medium severity vulnerabilities were also resolved. These vulnerabilities are discussed in more detail in this Cisco Talos blog post and within this Kaspersky ThreatPost article. Please update GOG Galaxy to version 1.2.54.23 or later to resolve these vulnerabilities.

I don’t often post about vulnerabilities in gaming clients/gaming distribution clients, but like any software, security updates can be and are made available for them.