Tag Archives: Windows Lnk

September 2019 Update Summary

Today is the 2nd Tuesday of the month, when both Adobe and Microsoft routinely release their scheduled security updates.

Similar to last month Microsoft have released many updates resolving 79 vulnerabilities more formally known as CVEs (defined). It was a light month for Adobe releasing 2 updates resolving 3 vulnerabilities.

====================
Adobe Application Manager: 1x Priority 2 vulnerability resolved (Important severity)
Adobe Flash Player: 2x Priority 3 vulnerabilities resolved (Critical severity)

If you use either of these Adobe products, please install the necessary updates as soon as possible prioritising the Adobe Flash Player update.
====================

This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Almost all issues have workarounds at this time and none appear to be serious issues. The up to date list is available from their summary page.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Windows LNK Remote Code Execution Vulnerability: CVE-2019-1280

Microsoft Scripting Engine: CVE-2019-1298

Microsoft Scripting Engine: CVE-2019-1300

Microsoft Scripting Engine: CVE-2019-1217

Microsoft Scripting Engine: CVE-2019-1208

Microsoft Scripting Engine: CVE-2019-1221

Microsoft Scripting Engine: CVE-2019-1237

Windows RDP: CVE-2019-1291

Windows RDP: CVE-2019-1290

Windows RDP: CVE-2019-0788

Windows RDP: CVE-2019-0787

Team Foundation Server/Azure DevOps: CVE-2019-1306

Microsoft Office SharePoint: CVE-2019-1295

Microsoft Office SharePoint: CVE-2019-1257

Microsoft Office SharePoint: CVE-2019-1296

Common Log File System Driver (defined): CVE-2019-1214

Microsoft Windows Elevation of Privilege Vulnerability (defined): CVE-2019-1215

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

====================
Mozilla Firefox
====================
On September the 3rd Mozilla released Firefox 69.0 to address the following vulnerabilities and to introduce new privacy features:

Firefox 69.0: Resolves 1x critical CVE (defined), 11x high CVEs, 4x moderate and 3x low CVEs

Firefox ESR 68.1 (Extended Support Release): Resolves 1x critical, 9x high, 4x moderate and 2x low CVEs

Firefox 60.9 ESR : Resolves 1x critical CVE, 7x high CVEs and 1x moderate CVE

Highlights from version 69 of Firefox include:
Blocks 3rd party cookies and cryptominers (using Enhanced Tracking Protection) by default (blocking of fingerprinting scripts will be the default in a future release)

Adobe Flash disabled by default (must be re-enabled if needed)

Separately Mozilla is facing criticism over their plans to gradually roll-out DNS over HTTPS (DoH) later this month since all DNS traffic would go to only one provider, Cloudflare. Google Chrome will implement a similar feature soon (further details are available in the above link also regarding Mozilla).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

Thank you.

August 2019 Update Summary

====================
Update: 13th August 2019
====================
Earlier today Adobe and Microsoft released large collections of security updates. They resolve 119 and 93 vulnerabilities (respectively).

====================
Adobe After Effects: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Character Animator: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Premiere Pro CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Prelude CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Creative Cloud Application: 4x Priority 2 vulnerabilities resolved (2x Critical and 2 Important severity)

Adobe Acrobat and Reader: 76x Priority 2 vulnerabilities resolved (76x Important severity)

Adobe Experience Manager:1x priority 1 vulnerability resolved (1x Critical severity)

Adobe Photoshop CC: 34x priority 3 vulnerabilities resolved (22x Critical and 12x Important)

If you use any of these Adobe products, please apply the necessary updates as soon as possible especially for Adobe Acrobat/Reader, Photoshop CC and Experience Manager

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. The up to date list is available from their summary page. For Windows 7, for customers with Symantec Antivirus or Norton Antivirus, a hold has been put on the updates from being offered in Windows Updates due to ”The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start”. The Symantec article linked to at this time is a blank template.

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Remote Desktop Services (RDS):  CVE-2019-1181 CVE-2019-1182  CVE-2019-1222, and CVE-2019-1226 (CVE, defined)

Microsoft Graphics Component CVE-2019-1144  CVE-2019-1152  CVE-2019-1150 CVE-2019-1145 CVE-2019-1149

Microsoft Word CVE-2019-1201 CVE-2019-1205

Microsoft Outlook CVE-2019-1200 CVE-2019-1199

Scripting Engine CVE-2019-1133

Chakra Scripting Engine CVE-2019-1141 CVE-2019-1131 CVE-2019-1196 CVE-2019-1197 CVE-2019-1140 CVE-2019-1139

LNK Remote Code Execution Vulnerability CVE-2019-1188

Windows DHCP Client CVE-2019-0736 CVE-2019-1213

Windows Hyper-V CVE-2019-0720 CVE-2019-0965

Windows VBScript Engine CVE-2019-1183

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
In mid-August Mozilla released Firefox 68.0.2 and Firefox ESR 68.0.2 to resolve a moderate information disclosure vulnerability. Please make certain your installation is version 68.0.2 or above to resolve this issue.

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
Google Chrome
=======================
In late August the Centre for Internet Security released a security advisory for users of Google Chrome to update to version 76.0.3809.132 or later. Prior versions were vulnerable to a use-after-free (defined) vulnerability which could have allowed remote code execution (allowing an attacker to carry out any action of their choice).

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.

=======================
VMware
=======================
VMware earlier this month released a security advisory to resolve 2 Important severity vulnerabilities within the following products:

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

An attacker could leverage the vulnerability CVE-201-5521 (from the above linked to advisory) to also exploit CVE-2019-5684 to exploit Nvidia’s GPU driver (see below) to gain arbitrary code execution on a system.

If you use the above VMware products particularly with a Nvidia GPU, please review the advisory and apply the necessary updates.

=======================
Nvidia
=======================
Nvidia late last week issued a related security advisory to that of the above VMware advisory. Nvidia’s advisory resolves 5 locally exploitable vulnerabilities meaning that an attacker would first need to compromise your system before exploiting the vulnerabilities to elevate their privileges (defined). The steps to install the drivers are located here. If you use affected Nvidia graphics cards, please consider updating your drivers (defined) to the most recent available.

=======================
Canon Digital Cameras PTP (Picture Transfer Protocol) Vulnerabilities
=======================
Canon digital cameras utilising this protocol are potentially vulnerable to a complete takeover of the device while connected to a host PC or a hijacked mobile device.

As per this Canon advisory, please ensure your camera is using the most recent firmware update and that you follow the workarounds listed in the above advisory.

=======================
VideoLAN VLC
=======================
On the 19th of August, VideoLAN released VLC version 3.0.8 resolving 13 security issues (some assigned more than one CVE). In a recent presentation their President, Jean-Bapiste Kempf explains the challenges they face in maintaining the security of the project. The short slide deck gives a behind the scenes look at their work including the tools they use to make their code safer.

The list of challenges isn’t too dissimilar from a regular commercial company e.g.: a complex piece of software (15 million lines of code) with approximately 100 dependencies but does highlight issues with hostile bug bounty hunters etc. Future releases will include security bulletins where relevant.

=======================
Valve Steam Gaming Client
=======================
In late August, Valve released 2 security updates for their Steam gaming client. Further information on the disclosure (defined) is detailed here while details of the updates are available here and here (albeit in summary only). The Steam client by default updates automatically. Please open it and allow it to update to resolve these vulnerabilities.

=======================
Software Updates for HP , Lexmark, Kyocera , Brother , Ricoh and Xerox Printers
=======================
The following links details the vulnerabilities found by security researchers within these printers and link to the relevant software updates:

HP
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-hp-printers/?research=Technical+advisories

Lexmark
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-lexmark-printers/?research=Technical+advisories

Kyocera
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-kyocera-printers/

Brother
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-brother-printers/

Ricoh
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-ricoh-printers/

Xerox (PDF)
https://securitydocs.business.xerox.com/wp-content/uploads/2019/08/cert_Security_Mini_Bulletin_XRX19R_for_P3320.pdf

https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-xerox-printers/

=======================
Security Updates for Corporate and Consumer 4G Modems
=======================
G Richter a security researcher from Pen Test Partners disclosed the following vulnerabilities during DEF CON:

Netgear
Netgear Nighthawk M1 Mobile router (currently no vendor advisory):
Cross-site request forgery (CSRF)(defined) bypass: CVE-2019-14526
Post-authentication command injection: CVE-2019-14527

TP-Link
TP-Link’s M7350 4G LTE Mobile wireless router (currently no vendor advisory):
CVE-2019-12103 – Pre-Authentication Command Execution
CVE-2019-12104 – Post-Authentication Command Execution

ZTE
MF910 and MF65+ Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010203

MF920 Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010686

=======================
HTTP/2 Vulnerabilities
=======================
8 HTTP/2 DoS (defined) vulnerabilities have been responsibly disclosed by Netflix and Google. According to CloudFlare these vulnerabilities are already being exploited “We have detected and mitigated a handful of attacks but nothing widespread yet”.

Please review the affected vendors matrix within the following CERT advisory and apply the necessary updates:

https://kb.cert.org/vuls/id/605641/

Further information
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://www.theregister.co.uk/2019/08/14/http2_flaw_server/

https://www.bleepingcomputer.com/news/security/new-http-2-flaws-expose-unpatched-web-servers-to-dos-attacks/

Thank you.

August 2018 Update Summary

Today Microsoft released updates to resolve 63 vulnerabilities (more formally known as CVEs (defined)).

This month also brings a new set of vulnerabilities affecting only Intel CPUs. I detail these more thoroughly in a separate post. However high level details are provided below.

Compared to previous months updates these have a smaller list of known issues (most of which have workarounds). Links to the relevant knowledge base (KB) articles are provided below:

KB4340731

KB4340733

KB4343885

KB4343892

KB4343897

KB4343900

KB4343909

====================

Adobe also released update for the following products:

Adobe Acrobat and Reader DC (priority 2, 2x CVEs)

Adobe Creative Cloud Desktop (priority 3, 1x CVE)

Adobe Experience Manager (priority 2, 3x CVEs)

Adobe Flash (priority 2, 5x CVEs)

As always if you use any of the above Adobe software, please update it as soon as possible especially in the case of Flash and Acrobat DC/Reader DC. Updates for Google Chrome will be available shortly either via a browser update or their component updater.

Please also review the out of band updates for Photoshop CC and Creative Cloud Desktop and apply them if you use these products.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:

====================

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Windows Font Library

Malicious LNK File

Microsoft Exchange

Foreshadow (L1TF) Vulnerabilities: Allow information disclosure via speculative execution; are only locally executable (rather than remotely). This vulnerability may allow one virtual machine to improperly access information from another. More details in my dedicated blog post.

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Nvidia Geforce Experience Software:
=======================
In late August, Nvidia released a security advisory for their Geforce Experience software for Windows. This update resolves 3 high severity vulnerabilities (as per their CVSS base scores). The necessary updates can be obtained from here.

=======================
VideoLAN VLC:
=======================
On the final day of August, VideoLAN made available VLC 3.0.4. This appears to be a security update for Apple macOS due to the following entries within the releases notes (however it is unclear if this overflow is exploitable by an attacker):

=======================
Text renderer:
* Fix head buffer overflow on macOS with some fonts
=======================

For Linux and Windows this version provides fixes numerous non-security issues. Please update to version 3.0.4 to benefit from these improvements.

=======================
Wireshark 2.4.9 and 2.6.3
=======================
v2.4.9: 3 security advisories

v2.6.3: 3 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.3) or v2.4.9). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

=======================
WinSCP:
=======================
In late August; WinSCP version 5.13.1 was released upgrading it’s embedded OpenSSL version to 1.0.2p (which addresses 2x low severity CVEs (Link1 and Link2).

=======================
OpenSSL
=======================
On the 12 June and 16th April 2018; the OpenSSL Foundation issued 2 updates for OpenSSL to address 2x low severity security vulnerabilities as detailed in these security advisories (Link1 and Link2). To resolve these issues please update your OpenSSL installations to 1.1.0i (released 14th August) or 1.0.2o (released 14th August) (as appropriate).

FTP mirrors to obtain the necessary downloads are available from here.

Downloadable Tarballs (compressed/packaged code made for distribution) are available from here.

It should also be possible to use the package manager of a Linux/Unix operating system to update your OpenSSL installation as mentioned within the section titled “Installing updates for Linux distributions” on the “Protecting Your PC” page of this blog.

=======================
VMware
=======================
VMWare issued two security advisories for the following products during August:

Security advisory 1 (addresses 1 vulnerability of Important severity):

  • VMware Horizon 6
  • VMware Horizon 7
  • VMware Horizon Client for Windows
  • VMware Horizon View Agent
  • VMware Horizon Agents Installer (HAI)

Security advisory 2 (addresses 1 vulnerability of Critical severity):

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

If you use the above VMware products, please review the security advisories and apply the necessary updates.

June 2017 Security Updates Summary

Yesterday Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft’s addressed a large number of vulnerabilities, 94 in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

At the time of writing there are three Known Issues for this month’s Microsoft updates (although all three knowledge base articles (4022717, 4022726, 4022715) describe the same iSCSI availability issue which is currently awaiting a resolution). The IT Pro Patch Tuesday blog hasn’t been updated since April and isn’t of assistance this time (and for that reason is becoming increasingly irrelevant).

====================

This month again breaks the usual trend with these updates to offer a collection of updates for Windows XP and Windows Server 2003 which address the remaining vulnerabilities disclosed by the ShadowBrokers hacking team back in April this year. The majority of these updates were already released for more modern versions of Windows after the end of support dates for Windows XP (April 2014) and Windows Server 2003 (July 2015) respectively. Please review the detailed security advisory to download the appropriate updates for your systems. Further information is available in Microsoft’s blog posts here and here.

As with the update made available in May, these updates will not be available via Microsoft Updates or Automatic Updates. The availability of these updates provides mixed meanings; namely that while they were made available is positive. However for those corporations, organisations and individuals sing out dated versions of Windows, it provides them less reasons to migrate since it hints at an attitude that Microsoft will patch those system if the situation get very bad. While Microsoft worked to dispel this point, not everyone will be aware of their statement on this matter.

In a further break from the routine of Update Tuesday, I wanted to mention a further set of vulnerabilities found in Windows Defender which Microsoft patched last month. Please ensure your version of Windows is using the patched version of Windows Defender as detailed in this news article to address these issues.

====================
Separately Adobe made available four security bulletins to updates for the following products:

Adobe Captivate (1x priority 3 CVE)

Adobe Digital Editions (9x priority 3 CVEs)

Adobe Flash (9x priority 1 CVEs)

Adobe Shockwave Player (1x priority 2 CVE)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For the Microsoft updates this month, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Windows Lnk

Windows Graphics

Microsoft Edge (CVE-2017-8498CVE-2017-8530 and CVE-2017-8523) and Internet Explorer

Microsoft Office  (CVE-2017-0260 and CVE-2017-8506)

Microsoft Outlook
====================

Install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
Update: 14th June 2017:
=======================
I wish to provide information on other notable updates from June 2017 which I would recommend you install if you use these software products. I only choose a small number of products to list here since it can easily become too many and I wish to highlight the security benefits of installing the latest version of applications many of us use everyday:

=======================
Mozilla Firefox:
=======================
Firefox 54.0

=======================
Mozilla Firefox ESR:
=======================
Firefox ESR 52.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google Chrome: includes 30 security fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
=======================

=======================
Wireshark 2.2.7 and 2.0.13
=======================
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.2.7) or v2.0.13). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
=======================