With yesterday being the second Tuesday of the month; it means it’s Update Tuesday again. Microsoft resolved 88 vulnerabilities (more formally known as CVEs (defined) with Adobe addressing 11 vulnerabilities of their own.
Adobe Campaign: 7x Priority 3 vulnerabilities (1x Critical, 3x Important, 3x Moderate)
Adobe ColdFusion: 3x Priority 2 vulnerabilities (3x Critical)
Adobe Flash Player: 1x Priority 1 vulnerability (1x Critical)
If you use Adobe ColdFusion, please apply the necessary updates as soon as possible. For that product, as per Adobe’s advisory, please make certain the Java JDK/JRE in use on the server is fully up to date in order to fully secure it. Please install the remaining updates for Campaign and Flash Player as soon as possible since they also resolve critical vulnerabilities.
====================
For Microsoft; this month’s list of Known Issues is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:
4493730 Windows Server 2008 Service Pack 2 Servicing stack update
4503027 Exchange Server 2019, Exchange Server 2016
4503028 Exchange Server 2010 Service Pack 3, Exchange Server 2013
4503263 Windows Server 2012 (Security-only update)
4503267 Windows 10, version 1607, Windows Server 2016
4503276 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
4503279 Windows 10, version 1703
4503284 Windows 10, version 1709
4503285 Windows Server 2012 (Monthly Rollup)
4503286 Windows 10, version 1803
4503290 Windows 8.1 Windows Server 2012 R2 (Security-only update)
4503291 Windows 10
4503292 Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)
4503293 Windows 10, version 1903
4503327 Windows 10, version 1809, Windows Server 2019
====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates.
News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer: CVE-2019-1038
Microsoft Speech API Remote Code Execution Vulnerability: CVE-2019-0985
Microsoft Scripting Engine:
Windows Hyper-V Remote Code Execution Vulnerability: CVE-2019-0709 , CVE-2019-0722 , CVE-2019-0620
ActiveX Data Objects (ADO) Remote Code Execution Vulnerability: CVE-2019-0888
Windows Task Scheduler: CVE-2019-1069 (disclosed by SandboxEscaper)
Windows AppX Deployment Service (AppXSVC): CVE-2019-1064 (disclosed by SandboxEscaper)
Windows Shell: CVE-2019-1053 (disclosed by SandboxEscaper)
Windows Installer: CVE-2019-0973 (disclosed by SandboxEscaper)
====================
Please install the remaining updates at your earliest convenience.
As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
I have provided further details of updates available for other commonly used applications below.
Thank you.
=======================
VideoLAN VLC:
=======================
A new version of VLC is available for Apple macOS, Linux, Windows (desktop and Windows Store), Google Android and Apple iOS with some great performance improvements and resolving 33 security vulnerabilities (2 of which are high severity) as a result of the EU-FOSSA bug bounty programme which opened in January this year.
Further details are below:
http://www.videolan.org/vlc/releases/3.0.7.html
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security
Version 3.0.7.1 has since been released to resolve other non-security issues. The most recent version can be downloaded from:
=======================
Mozilla Firefox
=======================
Yesterday (11th June), Mozilla released Firefox 67.0.2 to address a single moderate severity vulnerability.
Further to the above updates, on the 18th and the 20th June; Mozilla issued 2 updates for Firefox version 67.0.3 (ESR (Extended Support Release) 60.7.1) and 67.0.4 (ESR 60.7.2) to resolve 2x critical zero day (defined) vulnerabilities actively being exploited in the wild.
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.
=======================
Google Chrome:
=======================
Google released Google Chrome version 75.0.3770.80 to address 42 vulnerabilities in early June.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================
VMware:
=======================
Earlier this month VMware published a security advisory to address a single Important severity vulnerability in VMware Tools for Linux and Windows.
If you use VMware Tools on Linux or Windows, please review the security advisory and apply the necessary updates.
=======================
DOSBox
=======================
The retro gaming and legacy software emulator DOSBox in late June released an update to correct vulnerabilities discovered during a small code audit.
2 CVEs (CVE-2019-7165 and CVE-2019-12594) were assigned (that resolve critical vulnerabilities with CVSS 3.0 (defined) base scores of 9.8) but more out of bound access and buffer overflows (defined) were also resolved. Further details are available in their news post dated, 26th June 2019.
If you use DOSBox, please consider upgrading to version 0.74-3 which also includes many fixes for non-security bugs. The new version is available from here.
Thank you.
securityinaction 