As scheduled Microsoft released their monthly security updates earlier today. They address 62 vulnerabilities; more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.
This month there are 4 Known Issues (kb4041691, kb4042895 , kb4041676 and kb4041681) for this month’s Microsoft updates. 2 of these issues relate to an exception error dialog box appearing, with the others causing a black screen, updates not to install in express , a BSOD and changing of display languages. Microsoft states in each link above they are working on resolutions to these issues.
Update: 18th October:
On the 16th of October Adobe released Flash Player v220.127.116.11 to address a critical zero day (defined) vulnerability being exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives)). The BlackOasis APT group are believed to operate in the Middle East. The group is using malicious Microsoft Office documents with embedded ActiveX controls which contain the necessary Flash exploit. This exploit later installs the FinSpy malware.
Please install this update as soon as possible for any device with Flash Player installed. Google Chrome has already automatically received the update while earlier today Windows 8.1 and Windows 10 began receiving it.
As always you can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):
A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).
If you like and use it, please also consider supporting that entirely volunteer run website by donating.
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
Microsoft Office Vulnerability : CVE-2017-11826 : While not critical severity since it is already being exploited by attackers namely a zero day (defined) vulnerability.
Windows DNS Vulnerabilities: Further details provided within this news article
Windows Search Service (CVE-11771): affects Windows 7 up to and including Windows 10
Windows Font Vulnerabilities: CVE-2017-11762 and CVE-2017-11763
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)
Please install the remaining updates at your earliest convenience.
As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.
Nvidia Geforce Drivers:
This update (released in September 2017) applies to Linux, FreeBSD, Solaris and Windows and resolves up to 8 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.
Google Chrome: includes 35 security fixes.
Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.
Wireshark 2.4.2 and 2.2.10
v2.4.2: 5 CVEs (defined) resolved
v2.2.10: 3 CVEs resolved
As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.4.2) or v2.2.10). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.
For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.
This month Oracle resolved 250 vulnerabilities. Further details and installation steps are available here. Within the 250 vulnerabilities addressed, 22 vulnerabilities were addressed in the Java runtime.
If you use any of the Oracle products listed here, please install the appropriate security updates as soon as possible.