Tuesday, February 13, 2018

Microsoft February Security Updates



The February security release consists of 50 CVEs, of which 14 are listed as Critical, 34 are rated Important, and 2 are rated Moderate in severity. The updates address Remote Code Execution, Elevation of Privilege, Information Disclosure and Security Feature BypassThe release consists of security updates for the following software: 

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash


More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Also see this month's Zero Day Initiative — The February 2018 Security Update Review by Dustin Childs in which he discusses several of the patches and includes a breakdown of the CVE's addressed in the update. 

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a FP can opt to run this tool from a Command Prompt, appending a   /N   parameter [for "detect only" mode].
  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

References


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Adobe Reader and Acrobat Critical Security Updates

Adobe

Adobe has released security updates for Adobe Reader DC and Adobe Acrobat DC for Windows and Macintosh.  These updates are rated as four (4) critical and one (1) rated important, addressing the CVE's from the vulnerability details listed below. 

Release date:  February 13, 2018
Vulnerability identifier: APSB18-02
Platform: Windows and Macintosh

Vulnerability Category Vulnerability Impact Severity CVE Number
Security Mitigation Bypass
Privilege Escalation
Critical CVE-2018-4872
Heap Overflow
Arbitrary Code Execution
Critical CVE-2018-4890, CVE-2018-4904, CVE-2018-4910, CVE-2018-4917
Use-after-free
Arbitrary Code Execution
Critical CVE-2018-4888, CVE-2018-4892, CVE-2018-4902, CVE-2018-4911, CVE-2018-4913
Out-of-bounds write
Arbitrary Code Execution
Critical CVE-2018-4879, CVE-2018-4895, CVE-2018-4898, CVE-2018-4901, CVE-2018-4915,
CVE-2018-4916, CVE-2018-4918
Out-of-bounds read
Remote Code Execution Important CVE-2018-4880, CVE-2018-4881, CVE-2018-4882, CVE-2018-4883, CVE-2018-4884,
CVE-2018-4885, CVE-2018-4886, CVE-2018-4887, CVE-2018-4889, CVE-2018-4891,
CVE-2018-4893, CVE-2018-4894, CVE-2018-4896, CVE-2018-4897, CVE-2018-4899,
CVE-2018-4900, CVE-2018-4903, CVE-2018-4905, CVE-2018-4906, CVE-2018-4907,
CVE-2018-4908, CVE-2018-4909, CVE-2018-4912, CVE-2018-4914

Update or Complete Download

Update checks can be manually activated by choosing Help > Check for Updates.  Reader DC was updated to 18.011.20036.and Acrobat DC to 18.011.20035.   
Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.


References





Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...







Wednesday, February 07, 2018

Mozilla Firefox Version 58.0.2 Released


FirefoxMozilla sent Firefox Version 58.0.2 to the release channel today.  The update addresses a number of bugs.

ESR remains at version 52.6.0.

Fixed


  • Avoid a signature validation issue during update on macOS
  • Blocklisted graphics drivers related to off main thread painting crashes
  • Tab crash during printing
  • Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook (OWA) webmail

Unresolved

  • Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions.
  • Users running certain screen readers may experience performance issues and are advised to use Firefox ESR until performance issues are resolved in an upcoming future release.
Update:
To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, February 06, 2018

Adobe Flash Player Critical Security Update Released

Adobe Flashplayer

Adobe has released Version 28.0.0.161 of Adobe Flash Player.  These updates address critical vulnerabilities that could lead to remote code execution in Adobe Flash Player 28.0.0.137 and earlier versions.  Successful exploitation could potentially allow an attacker to take control of the affected system. 

In particular, the update addresses CVE-2018-4878 which exists in the wild, and is being used in limited, targeted attacks against Windows users.  These attacks leverage Office documents with embedded malicious Flash content distributed via email. Also included in the update are functional fixes.

Release date:  February 6, 2018
Vulnerability identifier: APSB18--03
Platform:  Windows, Macintosh, Linux and Chrome OS

Update:

*Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    References



    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...









    Thursday, February 01, 2018

    Pale Moon Version 27.7.2 Released


    Pale Moon
    Pale Moon has been updated to Version 27.7.2. This is a security and stability update.

    Linux versions will follow shortly.  Details from the Release Notes:

    Changes/fixes:
    • Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
    • Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
      This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
    • Improved the debug-only startup cache wrapper to prevent a rare crash.
    • Fixed a crash in the XML parser.
    • Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
    • Fixed a potential race condition in the browser cache.
    • Fixed a crash in HTML media elements (CVE-2018-5102)
    • Fixed a crash in XHR using workers.
    • Fixed a crash with some uncommon FTP operations.
    • Fixed a potential race condition in the JAR library.
    *DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered. 
         Minimum system Requirements (Windows):
        • Windows Vista/Windows 7/8/10/Server 2008 or later
        • Windows Platform Update (Vista/7) strongly recommended
        • A processor with SSE2 instruction support
        • 256 MB of free RAM (512 MB or more recommended)
        • At least 150 MB of free (uncompressed) disk space
        Pale Moon includes both 32- and 64-bit versions for Windows:

        Update

        To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.




        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...