Tag Archives: VMware Workstation

October 2018 Update Summary

resolved 49 vulnerabilities more formally known as CVEs (defined).

At the time of writing; there are known issues with the Windows 7 NIC being an issue again this month:

4459266 : Can be resolved by installed the Microsoft Exchange update with administrative (defined) privileges.

4462917 : No workaround at this time.

4462923 : Workaround available.

As always; further details are available in Microsoft’s update summary for October. Moreover, Adobe issued 4 updates today patching the following products:
Adobe Digital Editions (priority 3, resolves 4x critical and 5x important CVEs)

Adobe Experience Manager (priority 2. 3x important and 2x moderate CVEs)

Adobe Framemaker (priority 3, resolves 1x important CVE)

Adobe Technical Communications Suite (priority 3, resolves 1x important CVE)

Earlier this month Adobe released updates for Acrobat DC and Reader DC resolving 86 CVEs (47x critical and 39x important). These were in addition to the updates made available in September (which resolved 1x critical and 6 important CVEs).

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Acrobat DC and Reader DC. No updates for Flash Player have been distributed so far this month.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

2x vulnerabilities  affecting Microsoft Hyper-V (affects Windows 10, Windows 8.1 (including Windows RT 8.1) and Windows 7 along with their Server equivalents)(the links above provide details on both vulnerabilities)

Microsoft JET database (resolved by installing the latest cumulative update for your version of Windows: Windows 10; Windows 8.1 or Windows 7.

Microsoft Exchange Server 2016, 2013 and 2010

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox:
=======================
In early September Mozilla made available updated versions of Firefox:

Firefox 62.0.3: Resolves 2x critical CVEs (defined)

Firefox ESR 60.2.2 (Extended Support Release): Resolves 2x critical CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
VMware
=======================
VMWare has issued 2 security advisories so far for October:

Security advisory 1 (addresses 1 critical vulnerability) in the following products:

  • AirWatch Console 9.1 to 9.7

Security advisory 2 (addresses 1 important vulnerability via a mitigation) in the following products:

  • ESXI
  • Fusion
  • Workstation Pro

If you use the above VMware products, please review the security advisories and apply the necessary updates/mitigations.

June 2018 Update Summary

=======================
Update: 12th June 2018:
=======================
As scheduled Microsoft released their monthly security updates earlier today resolving 50 vulnerabilities. Further details are available within their Security Updates Guide.

In addition; there are 5 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4284819
4284835
4284826
4284867
4284880

====================
Adobe have not released any further updates since their out of band (un-scheduled) update last week.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page.
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here courtesy of BleepingComputer:
====================

CVE-2018-8267 | Scripting Engine Memory Corruption Vulnerability (a zero day (defined) vulnerability disclosed last month)

Microsoft Edge and Internet Explorer (similar to many other months; multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

CVE-2018-8225 | Windows DNSAPI Remote Code Execution Vulnerability

CVE-2018-8231 | HTTP Protocol Stack Remote Code Execution Vulnerability (especially if your server hosts a Microsoft IIS installation)

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Original Post:
=======================
I usually write this post on or very shortly after Update Tuesday (the second Tuesday) of the month but with an Adobe Flash zero day vulnerability (defined) already patched and given that Mozilla have also released an update this month; I felt an earlier post would be appropriate.

I’ll update this post as further updates are made available. Thank you.

=======================
Mozilla Firefox:
=======================
Early in June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

6th June: Firefox 60.0.2 and Firefox ESR 52.8.1 and Firefox ESR 60.0.2: Resolves 1x high CVE (defined). This was a heap buffer overflow.

Further details of the security issues resolved by these updates are available in the link above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

In the final week of June Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

=======================
26th June:
=======================
Firefox 61: Resolves 6x critical CVEs (defined), 5x high CVEs, 6x moderate CVEs, 1x low CVE

Firefox ESR 60.1: Resolves 5x critical CVEs, 4x high CVEs and 6x moderate CVEs.

Firefox ESR 52.9: Resolves 2x critical CVEs, 4x high CVEs, 3x moderate CVEs.

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.
=======================

=======================
Update: 19th June
=======================
=======================
Apple Security Updates: Update: 19th June
=======================
Following Apple’s release of security updates in the final days of May; they have made available further updates detailed below:

macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan: Resolves 39x CVEs (defined)

Safari 11.1.1: Resolves 14x CVEs

Apple iCloud for Windows (version 7.5): Resolves 17x CVEs

Apple Xcode version 9.4.1: Resolves 2x CVEs

Apple SwiftNIO 1.8.0: Resolves 1 CVE (For your reference: What is Apple SwiftNIO?)

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

Please find below summaries of other notable updates released this month.

Thank you.

=======================
F-Secure Security Products:
=======================
As mentioned in a previous post; 7-Zip has been updated to version 18.05 to resolve a vulnerability in it’s RAR packing code. The F-Secure products listed in this security advisory utilise this 7-Zip DLL (defined) and are thus being updated for the same reason.

If you use these F-Secure products, please install this critical update as soon as possible.

=======================
Google Chrome:
=======================
Google released Google Chrome version 67.0.3396.87 to address 1 vulnerability.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMWare issued updates for the following products on the 11th and 28th of June to address 1 and 3 vulnerabilities respectively:

11th June:

  • VMware AirWatch Agent for Android (A/W Agent)
  • VMware AirWatch Agent for Windows Mobile (A/W Agent)

26th June:

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

Please review the above linked to security advisories and apply the necessary updates if you use these products.

=======================
OpenSSL
=======================
On the 12th of June; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
Intel Lazy Floating Point Vulnerability:
=======================
Please see my separate post for details.

Vendors Respond to Spectre NG Vulnerabilities

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates Microsoft have advised their security protections will not be enabled unless you choose to do so. This is due to the lower risk of SpectreNG and also given that enabling the security enhancements of these updates can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step advice and guidance if you wish to enable these updates within this security advisory. It is likely other OS vendors will take a similar approach e.g. Red Hat may also choose to distribute these updates but not enable them so as to work around the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday more details of these vulnerabilities were made available by affected vendors among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities named:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged by an external attacker; they must instead log onto a vulnerable system and carry out further steps to exploit it. Once exploited the attacker may be able to obtain sensitive information by reading system parameters via side-channel analysis.

For Windows; successful exploitation of this vulnerability will bypass Kernel Address Space Layout Randomization (KASLR) protections. I have talked about ASLR (defined) before but provides this link more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by attacker externally (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year will make it more difficult for an attacker to do so. Indeed, Intel rates the risk as “moderate.” This is a more serious vulnerability which may allow an attacker access to read privileged memory areas. An example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time microcode updates are being developed by Red Hat, AMD, ARM, Intel, IBM and Microsoft. The affected products from many popular vendors are available from the following links. These vulnerabilities will not be addressed via software fixes but hardware fixes instead.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled and if appropriate/acceptable for an affected system; the protection (along with its performance impact) can be enabled.

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================

April 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Engine. Further details are available in this separate blog post.

Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4073119

kb4093112

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
On Tuesday, 10th April Microsoft made available their scheduled security updates to resolve 63 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

There are 3 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4093112

4093118

4093108

====================

Alongside these updates; Adobe released updates for the following products:

Adobe ColdFusion (priority 2, 5x CVEs)

Adobe Digital Editions (priority 3, 2x CVEs)

Adobe Experience Manager (priority 3, 3x CVEs)

Adobe Flash Player v29.0.0.140 (priority 2, 6x CVEs)

Adobe InDesign CC (priority 3, 2x CVEs)

Adobe PhoneGap Push Plugin (priority 3, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Graphics Component consisting of the following 6 CVEs:

CVE-2018-1009

CVE-2018-1010

CVE-2018-1012

CVE-2018-1013

CVE-2018-1015

CVE-2018-1016

Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability : described in more detail here.

====================

Separately AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================

=======================
Apple Security Updates:
=======================
In late April Apple released updates for Safari, macOS and iOS:

Apple iOS v11.3.1

Apple Safari v11.1

Apple macOS High Sierra v10.13.4

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad.

As always; further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
7-Zip 18.05
=======================
In late April; version 18.05 of 7-Zip was made available resolving one security vulnerability in it’s RAR packing code. Further details are provided in this linked to blog post.

Other highlights include the inclusion of ASLR on the 32 bit version and high entropy (HE)(defined here and here) ASLR (defined) on the 64 bit version. While the above blog post mentions HEASLR is not enabled, when I tested it with Process Explorer it was showing HEASLR as enabled. That blog post also describes how to add Arbitrary Code Guard (ACG) (defined) protection for 7-Zip on Windows 10. Version 18.01 and later also come with Data Execution Prevention (DEP)(defined here and here).

While 7-Zip is extremely popular as a standalone application; other software such as Malwarebytes Anti-Malware, VMware Workstation and Directory Opus (among many others) all make use of 7-Zip. If you use these software applications or 7-Zip by itself, please update these installed applications to benefit from the resolved vulnerability and the new mitigations.

=======================
Wireshark 2.4.6 and 2.2.14
=======================
v2.4.6: 10 security advisories

v2.2.14: 8 security advisories

The security advisory wnpa-sec-2018-24 applicable to both of the above versions resolves 10 memory leaks (defined).

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.6) or v2.2.14). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
Wireshark 2.6.0
=======================
While this update is not listed as a security update; it is the latest version of Wireshark within the Stable release channel. The older 2.4.x version did not receive a further update. It is very likely version 2.6 will be required to receive future security updates. Further details are available in the release notes of version 2.6. If possible, please consider upgrading to this version in the near future.

Further installation tips are provided above (as per version 2.4.6 and 2.2.14).

=======================
Oracle:
=======================
Oracle issued updates to resolve 254 vulnerabilities. Further details and installation steps are available here. 14 vulnerabilities affect the Java runtime. 12 of these are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

=======================
OpenSSL
=======================
In mid April; the OpenSSL Foundation issued updates for OpenSSL to address 1x low security vulnerability detailed in this security advisory. To resolve this please update your OpenSSL installations to 1.1.0i or 1.0.2p (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
A Closer Look at CVE-2018-0950
=======================
While Microsoft have addressed the vulnerability designated as CVE-2018-0950 (defined) this month; Will Dormann, a security researcher with the CERT Coordination Center has demonstrated further mitigations (defined) you may wish to take. These mitigations (listed at the end of his in-depth discussion) will better defend your system(s) against a variant of this vulnerability which still remains relatively easy for an attacker to exploit.

Thank you.

March 2018 Update Summary

====================
Update: 5th April 2018:
====================
On the 3rd of April, Microsoft released an out of band security update for the Microsoft Malware Protection Protection Engine. Further details are available in this separate blog post.

====================
Separately Microsoft have since issued an update, KB4099950 to resolve the issue detailed below affecting the network adapter on Windows 7.

The new update KB4099950 must be installed before KB4088875 and KB4088878 (I assume if this is not the case that KB4088875 and KB4088878 could be uninstalled first?)

If you were experiencing any of the following issues on Windows 7 or Windows Server 2008 R2, please install the above update to resolve them:

====================
A new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues.

Static IP address setting are lost.

These symptoms may occur on both physical computers and virtual machine that are running VMware.
====================

Thank you.

====================
Update: 1st April 2018:
====================
Microsoft have issued an out of band update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit to resolve resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of these Windows version, please see my new post for further details.

This post has also been updated with further software releases (please see below).

If you have already checked for updates and are not seeing any being offered for your Windows 7 or Windows 8.1 system, please ensure your anti-malware software is up to date. This article explains why this change was implemented by Microsoft. It also provides recommendations of how to resolve the issue of no updates being available. Windows 10 is not affected by this issue.

A known issue of a second network adapter appearing within Windows 7 has also been documented. If this occurs for you with March’s updates, this news article may be of assistance in resolving it. It is anticipated that Microsoft will resolve this issue in this month’s upcoming security updates.

Thank you.

====================
Original post:
====================
Last Tuesday Microsoft began distributing their scheduled security updates to resolve 74 vulnerabilities assigned to the same number of CVEs (defined). Microsoft have provided further details are provided within their Security Updates Guide.

This month there are 12 knowledge base articles detailing potential issues (some of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4088787

4088782

4088776

4088786

4088779

4088876

4088879

4088875

4088878

4089344

4089229

4090450

====================

In addition to these updates; Adobe released updates for the following products:

Adobe Connect (priority 3, 2 CVEs)

Adobe Dreamweaver CC (priority 3, 1 CVE)

Flash Player v29.0.0.113 (priority 2, 2 CVEs)

Non-Microsoft browsers should update automatically e.g. Google Chrome released an update on Tuesday which includes the new Flash Player. Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI will be phased out very soon):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Windows Shell (CVE-2018-0883)

CredSSP (CVE-2018-0886): Please also enable the Group Policy setting to fully mitigate this issue. Further updates will be made available in subsequent months.

Microsoft Office (consisting of CVE-2018-0903 and CVE-2018-0922)

====================

Similar to last month additional updates for Spectre vulnerability were made available for Windows 10 Version 1709. Further updates are planned and will be listed in this knowledge base article.

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

===============

=======================
Mozilla Firefox:
=======================
This month Mozilla issued 3 sets of security updates for Firefox and Firefox ESR (Extended Support Release):

16th March: Firefox 59.0.1: Resolves 2x critical CVEs (1 of which originated from Pwn2Own 2018).

13th March: Firefox 59: Resolves 2x critical CVEs, 4x high CVEs, 7x moderate CVEs, 5x low CVEs

13th March: Firefox ESR 52.7: Resolves 2x critical, 3x high CVEs, 2x moderate CVEs

26th March: Firefox 59.0.2: Resolves 2x high severity CVEs

26th March: Firefox 52.7.3 ESR: Resolves 1x high severity CVE

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Malwarebytes Anti-Malware
=======================
Earlier this month Malwarebytes made available version 3.4.4 of their anti-malware product. While the update provides stability and performance improvements it also updates the 7-Zip DLL (defined) within it to version 18.01.

Please install this update using the steps detailed in this Malwarebytes forum post. Further details of the improvements made are available in this BleepingComputer article.

=======================
Google Chrome:
=======================
This month Google made available 4 updates for Google Chrome; one in early March and the other in mid-March. The more recent updates resolves 45 security issues while the update from the 20th of March resolves 1 security issue.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
Nvidia Geforce Drivers:
=======================
This update (released on the 28th of March 2018) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

=======================
OpenSSL
=======================
On the 27th of March; the OpenSSL Foundation issued 2 updates for OpenSSL to address 1x moderate security vulnerability and 2x low severity issues as detailed in this security advisory. To resolve these issues please update your OpenSSL installations to 1.1.0h or 1.0.2o (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued update for the following products on the 15th of March to address one important severity security vulnerability:

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Please review this security advisory and apply the necessary updates.

=======================
Apple security updates:
=======================
In the final week of March Apple made available security updates for the following products:

=======================
Apple tvOS 11.3

Apple iOS 11.3

Apple watchOS 4.3

Apple Safari 11.1

Apple macOS High Sierra 10.13.4, Sierra and El Capitan

Apple iTunes 12.7.4 for Windows

Apple iCloud for Windows 7.4
=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here.

Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
WinSCP
=======================
In late March; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2o (which addresses 1x moderate CVE).

January 2018 Update Summary

====================
Update: 31st January 2018:
Please scroll down in this post to view more recent software updates available since the original posting date of the 16th of January 2018. Thank you.
====================

Last Tuesday Microsoft released their routine security updates to address 56 vulnerabilities more formally known as CVEs (defined). Further details are provided within Microsoft’s Security Updates Guide.

This month there are 11 knowledge base articles detailing potential issues (many of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4056890

4056891

4056892

4056893

4056888

4056895

4056898

4056894

4056897

4056896

4056899

====================

Separately Adobe released Flash Player v28.0.0.137 to address a single priority 2 CVE.

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For January’s Microsoft updates, I will prioritize the order of installation below. I will discuss this month’s out of band (outside of the regular schedule) patches for Meltdown and Spectre in a separate blog post; the relevant CVEs are still listed below. A useful list of all CVEs for this month is present here:

====================
CVE-2017-5753 – Bounds check bypass (known as Spectre Variant 1)

CVE-2017-5715 – Branch target injection (known as Spectre Variant 2)

CVE-2017-5754 – Rogue data cache load (known as Meltdown Variant 3)

CVE-2018-0802: Microsoft Office zero day (similar to Novembers Office equation editor vulnerability)

Microsoft Office (18 further CVEs)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

For this month; please take extra care with your back up to ensure you can restore your systems should you wish to revert your systems prior to installing the Meltdown and Spectre patches should you wish to uninstall the Security only bundle of updates or the updates are causing your system to become unstable.

Thank you.

=======================
Wireshark 2.4.4 and 2.2.12
=======================
v2.4.4: 3 CVEs (defined) resolved

v2.2.12: 4 CVEs resolved

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.4) or v2.2.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

====================
Update: 24th January:
====================
Oracle:
====================
Oracle have resolved 237 vulnerabilities with the security updates they have made available this month. Further details and installation steps are available here. Within the 237 vulnerabilities addressed, 21 vulnerabilities were addressed in the Java runtime. 18 of these 21 are remotely exploitable without an attacker needing to obtain a user’s username and password (their credentials).

If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.

Particular priority should be given to Oracle WebLogic Server and PeopleSoft due to documented incidents of attackers using such installations for crypto currency mining with one such incident resulting in more than USD $226,000 being mined. Further details are available in the following blog post from security vendor Onapsis.
=======================

=======================
Further updates released in January:
=======================
VMware Updates:
=======================
In early January; VMware issued security updates to address the Meltdown and Spectre vulnerabilities within some of their products. Another advisory  was also released later in January. The affected products/appliances are listed below. For virtual machines used with VMware Fusion and VMware Workstation, the steps listed within this knowledge base article should also be followed.

Please review the above linked to security advisories and knowledge base article and apply the necessary updates and mitigation steps.

Affected products/appliances:

  • VMware vCenter Server (VC)
  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

=======================
Mozilla Firefox:
=======================
In January Mozilla issued security updates for Firefox and Firefox ESR (Extended Support Release):

Firefox 57.0.4 (2 mitigations added)

Firefox 58: 3x critical, 13x high, 13x moderate, 2x low CVEs

Firefox 58.0.1: 1x critical CVE

Firefox ESR 52.6: 1 high CVE

Firefox ESR 52.6: 2x critical, 8x high, 1x moderate

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
In late January an update for Google Chrome was made available which included 53 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
7-Zip
=======================
In late January a security researcher located 2 vulnerabilities within 7-Zip. He reported them to the developer Igor Pavlov who very quickly released an updated version; v18.00 Beta. This has since been updated to 18.01 Stable to fix further issues (NOT security related).

The alternative Windows file manager Directory Opus will include the updated 7-Zip DLL (defined) within their next release. Their current beta already contains these fixes.

While 7-Zip does not have many vulnerabilities discovered within it (which has both advantages and disadvantages), there appears to be an increasing emphasis on it since it is used by anti-malware software and other applications e.g. VMware Workstation. Thus when a security update is issued; all of this software should eventually include the fixes. This occurred last year with the release of 7-Zip 16.00 to resolve 2 other security vulnerabilities.

Separately, Malwarebytes updated their Anti-Malware product to version 3.4.4 to update the 7-Zip DLL (defined) within it. Further details are available in my March 2018 Update Summary blog post.

If you use 7-Zip, please ensure it is updated to resolve both this year’s vulnerabilities and last year’s vulnerabilities (if you hadn’t already installed version 16 or later). Please also update Malwarebytes Anti-Malware or Directory Opus if you use them.

=======================
Nvidia Geforce Drivers:
=======================
This driver update applies to Linux, FreeBSD, Solaris and Windows and mitigates the Meltdown security vulnerability (CVE-2017-5753). While Nvidia’s GPUs are not vulnerable to Meltdown or Spectre, the GPUs interaction with an affected CPU has the potential for exploitation.The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post. More details about the Meltdown and Spectre vulnerabilities are available in this blog post.

=======================
Hitman Pro:
=======================
As recommended on my Tools and Resources page, Hitman Pro (now part of Sophos Security) has been updated to version 3.8.20 (Build 292). This update resolves 2 vulnerabilities relating to libraries (defined) the tool uses namely zlib and libpng. Any previous version of the tool should update automatically when opened to the most recent version.

December 2017 Update Summary

Earlier this month Microsoft closed out the year with a small number of security updates. They resolved 32 vulnerabilities. Further details are provided within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

No Known Issues were listed as occurring for this months update.

====================

Meanwhile Adobe also completed their yearly updates with a single update for Flash Player resolving a single priority 2 CVE (defined).

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For December Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Important severity:

Windows RRAS (Routing and Remote Access) Service Remote Code Execution Vulnerability

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware AirWatch Console and other VMware Products
=======================
A security advisory for VMware AirWatch Console to address a moderate security vulnerability was made available in December. A further security advisory to address 4 important vulnerabilities within the products listed below was also published:

  • ESXi
  • vCenter Server Appliance
  • Workstation
  • Fusion

=======================
Google Chrome:
=======================
An update for Google Chrome included 37 security fixes while a second update included 2 further fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple security updates:
=======================
During the first half of December Apple made available security updates for the following products:

=======================

Apple tvOS 11.2 and 11.2.1

Apple iOS 11.2 and 11.2.1

Apple watchOS 4.2

Apple Safari 11.0.2

Apple macOS High Sierra 10.13.2, Sierra and El Capitan

Apple iTunes 12.7.2 for Windows

AirPort Base Station Firmware Update 7.6.9 and AirPort Base Station Firmware Update 7.7.9

Apple iCloud for Windows 7.2

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here. Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Mozilla Firefox and Firefox ESR
=======================
During December Mozilla released security updates for Firefox and Firefox ESR (Extended Support Release) raising their version numbers to 57.0.2 and 52.5.2 respectively.

  • Firefox 57.0.2 resolves 1 CVE
  • Firefox ESR 52.5.2 resolves 2 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57.0.2
Firefox 52.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
VideoLAN VLC:
=======================
In early December VideoLAN made available version 2.2.8 of VLC for Linux, Apple macOS  and Windows. It addresses 4 security vulnerabilities (3 of which were addressed in 2.2.7). If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

=======================
WinSCP
=======================
In mid-December; WinSCP version 5.11.3 was released upgrading it’s embedded OpenSSL version to 1.0.2n (which addresses 1x moderate and 1x low severity CVEs).