Tuesday, June 12, 2018

Microsoft Security Updates for June, 2018

The June security release consists of 50 CVEs, of which 11 are listed as Critical and 39 are rated Important.  One is listed as being publicly known at the time of release, and none are listed as under active attack.

The updates address Security Feature Bypass, Information Disclosure, Remote Code Execution, Elevation of Privilege and Denial of Service.  The release consists of security updates for the following software:
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player (although Adobe released Flash Player updates last week)
In addition, Microsoft is releasing the following advisory:  Microsoft Security Advisory 4338110, "Guidance to mitigate speculative execution side-channel vulnerabilities".

Known Issues: 4284880, 4284819, 4284835, 4284826, 4284867

As usual, Dustin Childs has provided a closer look at some of the patches for this month in the Zero Day Initiative post, The June 2018 Security Update Review.

More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending the /N parameter [for "detect only" mode].
  • Windows 10 -- A summary of important product developments included in each update, with links to more details, is available at Windows 10 Update History. The page will be regularly refreshed as new updates are released.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Pale Moon Version 27.9.3 Released with Security Updates

Pale Moon has been updated to version 27.9.3.  This is a security update.  From the Release Notes:

  • (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to that report, the libopus maintainers state they don't believe remote code execution was possible, so this was not a critical patch.
  • Fixed an issue with task counting in JS GC.
  • Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks to Berk Cem Göksel for reporting).
  • Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.
      Minimum System Requirements (Windows):
      • Windows 7/8/10/Server 2008 or later
      • A processor with SSE2 instruction support
      • 256 MB of free RAM (512 MB or more recommended)
      • At least 150 MB of free (uncompressed) disk space
      Pale Moon includes both 32- and 64-bit versions for Windows:


      To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.


      Thursday, June 07, 2018

      Adobe Flash Player Critical Security Update


      Adobe has released Version of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to remote code execution affecting version and earlier.

      Release date:  June 7, 2018
      Vulnerability identifier: APSB18-19
      Platform:  Windows, Macintosh, Linux and Chrome OS

      Vulnerability details

      | Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
      |---|---|---|---|
      | Type Confusion | Arbitrary Code Execution | Critical | CVE-2018-4945 |
      | Integer Overflow | Information Disclosure | Important | CVE-2018-5000 |
      | Out-of-bounds read | Information Disclosure | Important | CVE-2018-5001 |
      | Stack-based buffer overflow | Arbitrary Code Execution | Critical | CVE-2018-5002 |

      Note that an exploit for CVE-2018-5002 exists in the wild and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.

      Note:  Microsoft has issued an out-of-band update for the critical Adobe Flash Player vulnerabilities:  Security update for Adobe Flash Player: June 7, 2018


      *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

