As scheduled, on the 10th of December Adobe and Microsoft made available their monthly security updates.
Adobe resolved 25 CVEs this month, while Microsoft separately patched 36 CVEs.
Adobe Brackets (an open source application development editor focused on web development; open source meaning the source code, i.e. human readable code, is free to view and edit by the wider IT community): 1x Priority 3 CVE resolved (1x Critical severity)
Adobe ColdFusion: 1x Priority 2 CVE resolved (1x Important severity)
Adobe Photoshop CC: 2x Priority 3 CVEs resolved (2x Critical severity)
Adobe Acrobat and Reader: 21x Priority 2 CVEs resolved (14x Critical severity and 7x Important severity)
If you use the above Adobe products, please install these updates (especially in the case of the above critical vulnerabilities in all but ColdFusion).
Within Microsoft’s monthly summary, there are Known Issues for 17 Microsoft products, but all have workarounds (some workarounds will be replaced by revised or further updates) or updates already available to resolve them.
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
For this month’s Microsoft updates, I will prioritize the order of installation below:
Microsoft Graphics Component (Win32k Graphics): CVE-2019-1468
Windows Hyper-V: CVE-2019-1471
Please install the remaining less severe updates at your earliest convenience.
As per standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have provided further details of updates available for other commonly used applications below.
Mozilla released new versions of Firefox to address the following vulnerabilities and to introduce new privacy features:
Highlights from version 71 of Firefox include:
An improved password manager which has the ability to recognise subdomains and to provide password breach notifications from Firefox Monitor for users with screen readers. Native MP3 decoding, kiosk mode and picture in picture support were also added.
The tracking protection enabled by default from Firefox 69 has been enhanced to add 3 different levels (similar to high, medium and custom) of protection and to provide a summary of the number of tracking preventative actions Firefox takes on your behalf. An in-depth description of this feature is available in this Softpedia article. My thanks as always to its author Bogdan Popa for this really well gathered information.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 vertically stacked dots) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
In early December AMD issued a security advisory for its GPU and APU drivers. It resolves 2 vulnerabilities: CVE-2019-5049 and CVE-2019-5098. The steps to install the drivers on Windows are located here with a guide for Linux available here. Please make certain the drivers are version 20.1.1 or later (as per multiple recommendations from Talos: 1, 2 and 3). As per those same recommendations, if you use VMware Player or Workstation Pro, please make certain it is version 15.5.1 or later. If you use the affected AMD graphics cards, please consider updating your drivers to the most recent available.
In late December Nvidia released a security update for Nvidia GeForce Experience to resolve a vulnerability that may lead to a denial of service issue or an escalation of privilege issue. This vulnerability is local rather than remote, meaning that an attacker would first need to compromise your system before exploiting this vulnerability to elevate their privileges. To resolve this local vulnerability within GeForce Experience, apply the necessary update by opening GeForce Experience, which will automatically update it; alternatively, the update can be obtained from here.
Intel Security Advisories
Intel have released a series of security advisories this month. The high priority advisories are the following:
The remaining advisories are of medium and low priority:
Similar to last month, VMware released 2 further security advisories. The first is of critical severity and the second is of moderate severity; they relate to the following products:
VMware Horizon DaaS appliances
Moderate Severity Advisory:
VMware Workstation Pro / Player for Linux
VMware Horizon View Agent
If you use the above VMware products, please review the advisories and apply the necessary updates.
On the 6th of December, the OpenSSL Foundation issued 1 update for OpenSSL to address a single low severity security vulnerability as detailed in this security advisory. To resolve this issue, please update your OpenSSL installations to 1.1.1e-dev or 1.0.2u (as appropriate). Please note that OpenSSL 1.0.2 will be unsupported and thus will not receive any security updates after 31st December 2019. Please upgrade to version 1.1.1 or later.
FTP mirrors to obtain the necessary downloads are available from here.
Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.
It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.
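The following is an added example, not part of the original post and not code from the OpenSSL project: a shell check that classifies an OpenSSL version string against the two fixed releases named above, taking OpenSSL's letter-suffix versioning into account. The function names and status labels are illustrative, and the sample version lines are constructed.

```shell
#!/bin/sh
# Added example (not from the post): classify an OpenSSL version against the
# fixed releases the post names, 1.0.2u and 1.1.1e-dev. Names are illustrative.

# True when release letter $1 is older than $2. OpenSSL letters run a..z and
# then za, zb, ..., so a shorter suffix is always older than a longer one.
older_letter() {
    if [ "${#1}" -ne "${#2}" ]; then
        if [ "${#1}" -lt "${#2}" ]; then return 0; else return 1; fi
    fi
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

# Print a status for a version such as "1.1.1d", "1.0.2t" or "1.1.1e-dev".
openssl_status() {
    num='[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*'
    base=$(printf '%s\n' "$1" | sed -n "s/^\($num\).*/\1/p")
    letter=$(printf '%s\n' "$1" | sed -n "s/^$num\([a-z]*\).*/\1/p")
    case $base in
        1.0.2) fixed=u ;;
        1.1.1) fixed=e ;;
        '')    echo unknown; return 0 ;;
        *)     echo not-covered; return 0 ;;   # branch not named in the post
    esac
    if older_letter "$letter" "$fixed"; then
        echo needs-update
    elif [ "$base" = 1.0.2 ]; then
        echo patched-eol    # fixed, but 1.0.2 is unsupported after 31 Dec 2019
    else
        echo patched
    fi
}

# Version token from `openssl version` output, e.g. "OpenSSL 1.1.1d  10 Sep 2019".
version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Constructed sample lines; use "$(openssl version)" instead on a real host.
for line in "OpenSSL 1.1.1d  10 Sep 2019" "OpenSSL 1.0.2t  10 Sep 2019" \
            "OpenSSL 1.0.2u  20 Dec 2019"; do
    v=$(version_token "$line")
    printf '%s -> %s\n' "$v" "$(openssl_status "$v")"
done
```

Distribution packages often backport fixes without changing the upstream version letter, so a needs-update result for a packaged build should be confirmed against the distribution's own advisory.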
Apple Security Updates
Throughout December Apple has released security updates for the following products:
Apple Safari 13.0.4: Resolves 2 CVEs
Apple macOS Catalina and macOS High Sierra: Resolves 52 CVEs
Apple tvOS 13.3: Resolves 11 CVEs
Apple Xcode 11.3: Resolves 1 CVE
Apple iTunes 12.10.3 for Windows: Resolves 4 CVEs
Apple iCloud for Windows 7.16 (includes AAS 8.2): Resolves 4 CVEs
Apple iCloud for Windows 10.9: Resolves 4 CVEs
As always, further details of these updates are available on Apple’s dedicated security updates page.
In early December the following Wireshark updates were released:
v3.0.7: 1 security advisory
v2.6.13: 1 security advisory
The above v3.0.7 version was later superseded by v3.2 on the 18th of December. While it does not address security issues, it will be the version being updated going forward. Version 3.2 will also be the last version to support Windows Server 2008 R2 and Windows 7.
As per standard process, Linux distributions can obtain this update using the operating system's standard package manager (if the latest version is not installed automatically using the package manager, you can instead compile the source code (v3.0.7 or v2.6.13)). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.