I hope you and your families are doing well.
As scheduled, Adobe and Microsoft earlier today made available their monthly security updates. They address 29 and 117 vulnerabilities respectively, more formally known as CVEs.
Let us begin with summarising Adobe’s updates for this month:
Adobe Acrobat and Reader: Addresses 20x Priority 2 CVEs (14x Critical Severity and 6x Important Severity)
Adobe Bridge: Addresses 5x Priority 3 CVEs (4x Critical Severity and 1x Moderate Severity)
Adobe Dimension: Addresses 1x Priority 3 CVE (1x Critical Severity)
Adobe Framemaker: Addresses 1x Priority 3 CVE (1x Critical Severity)
Adobe Illustrator: Addresses 3x Priority 3 CVEs (2x Critical Severity and 1x Important Severity)
If you use any of the above Adobe products, please make certain to install the relevant updates as soon as possible. This is especially important in the case of the critical severity updates.
====================
A useful source of update-related information is the US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page).
====================
For this month’s Microsoft updates, I will prioritise the order of installation below:
The most important update this month was released earlier in July: the fix for the Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527, known as PrintNightmare. After installing this update, please make certain that steps 1, 2 and the Group Policy setting from this KB article are also implemented (both registry DWORD entries should be zero) to better protect against other related exploits.
The image below is a flow diagram (courtesy of Carnegie Mellon University, image is Copyright ©2021 Carnegie Mellon University. My thanks to them for publishing this diagram) which details how an exploit may attempt to either remotely or locally compromise your Windows system. In addition, the diagram shows how the extra registry values described in this KB article help to protect your system from the locally exploitable aspect of this vulnerability.
Image is Copyright ©2021 Carnegie Mellon University
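The registry check mentioned above can be scripted. The following PowerShell is an added example and is not part of the original post or of Microsoft's KB article. It assumes the two DWORD entries are the Point and Print policy values NoWarningNoElevationOnInstall and UpdatePromptSettings under the Policies key shown, and the function name is made up for illustration.

```powershell
# Added example: audit the Point and Print policy values on the local machine.
# Assumption: the "two registry DWORD entries" are the value names listed below.
function Test-PointAndPrintHardening {
    [CmdletBinding()]
    param(
        # Policy key where Group Policy writes the Point and Print settings
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )

    $names = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

    # The key is absent on systems where the policy was never configured
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $names) {
        $present = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $name)
        $value   = if ($present) { $props.$name } else { $null }

        [pscustomobject]@{
            Name   = $name
            Value  = if ($present) { $value } else { '(not set)' }
            # A missing value is the default and is treated the same as 0;
            # any non-zero value relaxes the install or update prompts
            Secure = (-not $present) -or ($value -eq 0)
        }
    }
}

$results = Test-PointAndPrintHardening
$results | Format-Table -AutoSize

if ($results.Secure -contains $false) {
    Write-Warning 'At least one Point and Print value is non-zero. Set it to 0 or remove it.'
}
else {
    Write-Output 'Both Point and Print values are zero or not set.'
}
```

Reading the Policies key does not require elevation. If a value keeps returning to a non-zero setting, it is most likely being applied by a domain Group Policy Object and should be corrected there.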
====================
Windows Print Spooler Remote Code Execution Vulnerability: CVE-2021-34527
Microsoft Exchange Server Remote Code Execution Vulnerability: CVE-2021-34473
Windows Kernel Elevation of Privilege Vulnerability: CVE-2021-31979
Windows Kernel Elevation of Privilege Vulnerability: CVE-2021-33771
Scripting Engine Memory Corruption Vulnerability: CVE-2021-34448
Microsoft Exchange Server Elevation of Privilege Vulnerability: CVE-2021-34523
Windows Kernel Remote Code Execution Vulnerability: CVE-2021-34458
Active Directory Security Feature Bypass Vulnerability: CVE-2021-33781
Windows ADFS Security Feature Bypass Vulnerability: CVE-2021-33779
Windows Certificate Spoofing Vulnerability: CVE-2021-34492
Windows DNS Server Remote Code Execution Vulnerability: CVE-2021-34494
Windows Hyper-V Remote Code Execution Vulnerability: CVE-2021-34450
Dynamics Business Central Remote Code Execution Vulnerability: CVE-2021-34474
Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-34464
Microsoft Defender Remote Code Execution Vulnerability: CVE-2021-34522
Microsoft Windows Media Foundation Remote Code Execution Vulnerability: CVE-2021-34439
Microsoft Windows Media Foundation Remote Code Execution Vulnerability: CVE-2021-34503
Windows Media Remote Code Execution Vulnerability: CVE-2021-33740
Windows MSHTML Platform Remote Code Execution Vulnerability: CVE-2021-34497
====================
Following standard best practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have also provided further details of updates available for other commonly used applications below. I will add to this list over time.
To all of my readers, I hope you and your families are safe and well during these continuing uncertain times. Thank you.
====================
Mozilla Firefox
====================
Earlier today Mozilla released Firefox 90 and Firefox ESR (Extended Support Release) 78.12 to resolve the following vulnerabilities:
Firefox 90: Addresses 5x High Severity CVEs and 4x Moderate Severity CVEs
Firefox ESR 78.12: Addresses 3x High Severity CVEs
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice and you have not already done so, please update it as soon as possible to benefit from the above changes. Firefox 90 also introduced the features listed at this link.
====================
VMware
====================
VMware has released 2 security advisories so far in July to resolve vulnerabilities within the following products:
====================
Advisory 1: Severity: Important
VMware ESXi and VMware Cloud Foundation (Cloud Foundation)
Advisory 2: Severity: Moderate
VMware ThinApp
If you use any of the above VMware products, please review the above advisories and install the applicable security updates as soon as possible.