Tag Archives: Windows Graphics Component

March 2017 Security Updates Summary

As you know Microsoft and Adobe released their scheduled monthly security updates. For Microsoft this release was anticipated especially since last month’s set was delayed.

Within the above linked to post I predicted Microsoft would make a large number of updates and they did just that. 17 bulletins in total are now available. These updates address 138 vulnerabilities listed within Microsoft’s new Security Update Guide. These vulnerabilities are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within their March summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.
====================

Adobe issued two security bulletins today. One affecting Adobe Flash and the other for Adobe Shockwave Player. The Flash Player bulletin resolves 8x priority 1 vulnerabilities. While the Shockwave bulletin resolves 1x priority 2 vulnerability. These priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available last week.

If you use Flash or Adobe Shockwave, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

=======================
Update: 22nd March 2017:
=======================
I wish to provide information on other notable updates from this month which I would recommend you install if you use these software products:

Notepad++ version 7.3.3

VideoLAN VLC Media version 2.2.5 (release currently in progress)

Malwarebytes Anti-malware version 3.0.6 CU3 (with Component package version: 1.0.75):
It is unknown how many vulnerabilities this addresses but this forum post mentions their resolution.

Malwarebytes Anti-malware version 3.0.6 CU4 addresses further vulnerabilities.

More details of the vulnerabilities resolved by Malwarebytes 3.0.6 CU3 have emerged. Researchers responsibly disclosed a technique which uses Microsoft’s Application Verifier to hijack an anti-malware application. More details of this vulnerability are available here and here.

Mozilla Firefox 52.0.1 (more details in this post on Pwn2Own 2017)

VMware Workstation 12.5.4 (relevant security advisories are here and here)

VMware ESXi, Fusion and VMware Workstation 12.5.5 (the relevant security advisory is here). This advisory resolves the vulnerabilities disclosed during Pwn2Own 2017 for the above listed products.

Wireshark 2.2.5 and 2.0.11

Putty 0.68 (while released in February; it contains important security changes)

Apple Security Updates: updates are available for iTunes, iTunes for Windows, Pages, Numbers, Keynote (for macOS and iOS), Safari, macOS Sierra, El Capitan and Yosemite, iOS, watchOS, tvOS, macOS Server, iCloud for Windows.

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page). This link details how to update your Apple Watch.

=======================

For the 17 Microsoft bulletins this month, I will prioritize the order of updates for you below:

====================
Critical severity:
Windows Graphics Component

Windows SMB Server

Microsoft Edge

Internet Explorer

Windows Hyper-V

Windows PDF

====================
Important Severity
====================
The update for Microsoft Office should be installed next due to it’s criticality. With the follow updates after it:

Microsoft Exchange

Microsoft IIS

Active Directory Federation Server

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft’s made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring that page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================
Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority rating are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always; to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before since the Microsoft Internet Explorer and Microsoft Edge bulletins when combined address 6 vulnerabilities that are already publicly disclosed (defined). These should be followed by the Adobe Flash update which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

November 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available many bulletins, 14 in total. These updates address 67 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================

Today Adobe made available one other security bulletin by Adobe affecting Adobe Connect (resolving 1x priority 3 issue) in addition to their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which was made available very shortly after Adobe’s update.

The Flash Player update addresses 9 priority 1 CVEs. If you use either of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month the previously disclosed zero day (defined) vulnerability under attacker should take first priority, it is addressed in MS16-135 Next, please prioritise the deployment of the following updates:

Microsoft Internet Explorer, Microsoft Edge, Microsoft Graphics Component , Microsoft Office, Microsoft Video Control and the Windows Security Update bulletin.

Businesses and enterprise should priorities the deployment of the SQL Server update since it addresses 6 important vulnerabilities.

As always Adobe’s Flash Player update (to version 23.0.0.207) should also be on your shortlist this month.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

October 2016 Security Updates Summary

====================
Update: 2nd November:
Last week Adobe made available an out of band (unscheduled) security update to Adobe Flash. This was due to a zero day (defined) vulnerability being exploited in limited targeted attacks (using spear phishing (defined) emails sometimes originating from previous victims of this vulnerability).

To protect your organisation or yourself from this vulnerability please install the Adobe Flash update if you make use of Flash Player on your organisations devices or your own individual systems. This link can be used to test if Flash Player is already installed.

This vulnerability is related to an APT (defined) group’s activity that is detailed in a more recent post.

Thank you.

====================
Original Post:
====================
Yesterday Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available 10 security bulletins. These updates address 36 vulnerabilities listed within Microsoft’s security bulletin summary (excluding the Adobe bulletin). These are more formally known as CVEs (defined).

This month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages are the best first places to check for solutions.

====================
Tuesday also saw the release of 3 security bulletins by Adobe affecting Adobe Flash Player, Adobe Acrobat/Adobe Reader and Adobe Creative Cloud Desktop.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

The Flash Player update addresses 12 priority 1 CVEs while the Adobe Acrobat/Adobe Reader security bulletin resolves 71 priority 2 CVEs. The final security bulletin published by Adobe this month fixes 1 priority 3 CVE in the Adobe Creative Cloud Desktop application.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month saw an unusually high number of 5 Microsoft zero day (defined) vulnerabilities being addressed. For this reason, please prioritise the deployment of the following updates: Microsoft Graphics Component, Microsoft Internet Explorer, Microsoft Edge, Microsoft Internet Messaging API and Microsoft Office.

Once these updates are deployed, please move onto Adobe’s Flash Player update (to version 23.0.0.185) addressing 12 critical vulnerabilities, should be installed next if you already have a previous version installed. Due to the high number of vulnerabilities patched this month in Adobe Acrobat/Adobe Reader this should be installed next if you use their PDF creation/reader software.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

September 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s updates consist of 14 security bulletins. These bulletins address 50 vulnerabilities more formally known as CVEs (defined)(not including the Adobe vulnerabilities mentioned below).

Only the Internet Explorer security bulletin currently lists a Known Issue (discussed below). However as always please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates. At this time it does not list any Known Issues.

Update: 15th September 2016:

It has been reported that the security updates for Internet Explorer MS16-104 and Microsoft Edge (MS16-105) patches a zero-day (defined) vulnerability that has been publicly exploited. Further details of this vulnerability have since been disclosed and are available in this ThreatPost article.

The Known Issue for this update now mentions “Microsoft is aware of limited issues in which an ActiveX install may fail when using the ActiveX Installer Service (AXIS) with Internet Explorer 10 or Internet Explorer 11.” However, at this time no workaround or solution is available.

Moreover, the Microsoft Office security bulletin resolves an Important severity level ASLR (defined) bypass designated CVE-2016-0137 within the Microsoft Detours DLL (defined) that applications such as Microsoft App-V use. This issue has the potential to affect a lot of other 3rd party products and is discussed in more detail in this ThreatPost article. Further information/resources concerning this vulnerability are available on this GitHub page. A possibly related issue was found in Nvidia’s graphics driver (defined) (within detoured.dll) late last year which they issued a patch for.

This month also marks the final month that Windows 7 and Windows 8.1 will receive security updates packaged in the traditional format. From October the updates will be offered in packages similar to that of Windows 10 which will mean fewer individual updates will need to be installed to bring systems up to date. The updates will also replace updates from previous months again reducing the volume of updates needing to be installed. There will be single security and reliability updates.

While I am in favour of the simplification of updates, the “Known Issues” that I mention each month will become even more important since you won’t have the option of choosing which updates to install. This will lead to more outages and compatibility issues especially for corporate environments which is discussed in this article. Microsoft provides more details of these changes in their Windows IT Pro blog post. This additional Microsoft blog post and this Windows IT Pro blog post provide further coverage.

Further to this, next month Microsoft plans to begin to block out dated versions of Adobe Flash Player ActiveX controls (defined). Further details are available in their blog post.

====================
For Adobe’s scheduled released they made available an updated version of Flash Player that addresses 29 priority 1 vulnerabilities.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

Adobe also released a security bulletin for Adobe AIR SDK and compiler (AIR is its application runtime) to address a single priority 3 vulnerability. More information as well as installation steps are available in the relevant security bulletin. Finally, Adobe released a security bulletin for Digital Editions that addresses 8 priority 3 vulnerabilities.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

With Adobe’s Flash Player update (to version 23.0.0.162) addressing 29 critical vulnerabilities, this should be installed first if you already have a previous version installed.

For the Microsoft updates, for corporate environments/server operating systems please first install the Microsoft Exchange update (if you use it within your environment). This should be followed by Microsoft Office, Security Update for Windows (MS16-110) and the Microsoft Graphics Component.

For desktop workstations / small business environments please make Internet Explorer, Microsoft Edge, Microsoft Office and the Microsoft Graphics Component your first priorities due to their severities and prevalent use. The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is available in this Computerworld article (a new article is published each month within their Patch Tuesday Debugged column).

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

May 2016 Security Updates Summary

Earlier today Microsoft and Adobe made their scheduled monthly security updates available.

Microsoft’s updates consist of 17 security bulletins one of which relates to an upcoming Adobe Flash Player update (more details below). These bulletins resolve 36 vulnerabilities more formally known as CVEs (defined).

One point to note that should make deploying these updates easier is that Microsoft’s Security Bulletin Summary doesn’t list any Known Issues at this time. However please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates.

====================
Update: 25th June 2016:
Microsoft’s Security Bulletin Summary was updated to include known issues with the Microsoft .Net Framework update. Workarounds and resolutions to these issues are available here.
====================

As mentioned above one of Microsoft’s bulletins relates to Adobe’s Flash Player update; however, that update will be made available later this week (scheduled for May 12th according to Adobe). This update will resolve a zero day (defined) vulnerability that is currently being exploited.

In addition, Microsoft made available a security advisory yesterday applicable to Windows 8.1 (and later)(and equivalent Windows Server OSes) for the FalseStart facility of TLS. Please review the advisory and install the applicable update for your systems.

It wasn’t just Flash Player being updated by Adobe today; updates for Adobe Acrobat DC, Acrobat XI, Acrobat Reader DC and Adobe Reader XI address 92 CVEs within those products. These vulnerabilities have been classified as critical but have been assigned Priority 2 by Adobe, meaning that these updates should be installed sometime within the next 30 days. Further details of these updates are available in this security bulletin. An update for Adobe ColdFusion was also made available resolving 3 high severity CVEs.

====================
Update: 11th May 2016:
Microsoft have released their Adobe Flash Player (for Windows 8.1 and later) security bulletin earlier than anticipated. It addresses 24 critical CVEs. Please re-run a check for updates on your Windows PC and install any necessary updates for Flash Player. Further information is available in the relevant security bulletin.

Thank you.
====================

====================
Update: 12th May 2016:
As scheduled Adobe have released an updated version of Flash Player v21.0.0.242 as well as Adobe AIR (its application runtime). It addresses 25 CVEs (the extra CVE is the zero-day vulnerability that Adobe has now resolved). It’s unclear when Microsoft will re-release their update to address this remaining CVE or if the existing update already includes it. However, Google Chrome’s update earlier this week already includes Flash Player v21.0.0.242.

Further information about the Flash Player update is available in this Sophos blog post. Separately, I will continue to update this post as more information becomes available. Thank you.
====================

====================
Update: 15th May 2016:
As expected Microsoft revised their security bulletin for Adobe Flash to include the update that Adobe made available last Thursday. Their update now addresses 25 CVEs rather than the previous 24 CVEs.

Please ensure that you install this update as soon as possible. Thank you.
====================

If you use any of Adobe’s PDF applications mentioned above or Adobe ColdFusion, please follow the above product links to the appropriate security bulletins and apply the necessary updates. This is especially important for the Adobe Reader update since it resolves a very large number of critical severity vulnerabilities among them use-after-free vulnerabilities (defined), heap (defined) overflows and an integer overflow (defined).

As mentioned in January; Adobe no longer supports Acrobat X and Adobe Reader X. They did not receive any updates within that bulletin and will no longer do so. Please upgrade to Adobe Acrobat DC/Acrobat Reader DC or Acrobat XI/Adobe Reader according to your preference.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

Please make the Microsoft Internet Explorer update your first priority since CVE-2016-0189 (which it resolves) is currently under attack in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives)). Follow this with Microsoft Edge, Microsoft Office, Microsoft Graphics Component, Windows Shell, Windows Kernel-Mode Drivers (defined), JScript and VBScript, Windows Journal and Windows IIS due to their severities and prevalent use.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Aside:
=======================
I wanted to apologise for the lack of recent blog posts being published. The PC that I primarily use to write and publish the content for this blog has suffered a hard disk failure. While I have not lost any data (which is a relief!); the system is non-operational until a suitable replacement can be obtained and installed.

That may be sometime in the next 2 weeks. In the meantime, I will continue to publish using an alternate personal system of mine. This may sound like a perfect substitute, but for a number of reasons I have been finding it far from ideal. But not to worry.

However, posts will be sporadic and will not be as timely as I would like. Some interesting high impact vulnerabilities have been disclosed since my most recent blog post (in April) as well as a large number of security updates. I will endeavour to discuss all of these with you as soon as possible.

Thank you for your understanding and patience as I resolve this issue.

December 2015 Security Updates Summary

Today Microsoft released it’s final scheduled collection of security bulletins for 2015. There are 12 bulletins in total addressing 71 security issues more formally known as CVEs (defined)(only 58 of those are unique CVEs since some updates address the same issue within different updates).

The Security Bulletin Summary at this time does not list any Known Issues. An excellent additional source for information on Known Issues is the IT Pro Patch Tuesday blog which is usually updated shortly after the release of the updates if any issues are encountered.

Adobe issued updates to Flash Player and Adobe AIR, its application runtime to resolve a record number of 79 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received (I have confirmed this); this Flash update within this Chrome update. Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

—————-
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):
https://www.us-cert.gov/
—————-

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

I would recommend installing the update to Adobe Flash Player first if you make use of this web browser plugin. Their update addresses 79 critical security issues which may be exploited by exploit kits (defined) within a short timeframe. In addition, it has been a very eventful year for Adobe with a record number of security issues patched making this update even more important to install.

With regards to prioritizing Microsoft’s updates I would recommend installing the Windows Kernel update first since it addresses a zero day (defined) vulnerability. Next install the updates for Internet Explorer, Microsoft Edge Microsoft Office, JScript and VBScript, Windows DNS, Windows Graphics Component, Silverlight and Microsoft Uniscribe due to their critical severities. You can then install any remaining applicable updates. The DNS, Internet Explorer, Edge and Office updates will be of particular importance to large organizations due to the prevalence of this software.

One other security pre-caution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of July’s Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.