Tuesday, June 12, 2018

Microsoft Security Updates for June, 2018



The June security release consists of 50 CVEs, of which 11 are listed as Critical and 39 are rated Important.  One is listed as being publicly known at the time of release, and none are listed as under active attack.

The updates address Security Feature Bypass, Information Disclosure, Remote Code Execution, Elevation of Privilege and Denial of Service.  The release consists of security updates for the following software:
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Adobe Flash Player (although Adobe released Flash Player updates last week)
In addition, Microsoft is releasing the following advisory:  Microsoft Security Advisory 4338110, "Guidance to mitigate speculative execution side-channel vulnerabilities".

Known Issues: 4284880, 4284819, 4284835, 4284826, 4284867

As usual, Dustin Childs has provided a closer look at some of the patches for this month in the Zero Day Initiative — The June 2018 Security Update Review.

More:  For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

Additional Update Notes

  • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  Note:  Users who are paranoid about the remote possibility of a false positive (FP) can opt to run this tool from a Command Prompt, appending the /N parameter for "detect only" mode.
  • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...





Pale Moon Version 27.9.3 Released with Security Updates


Pale Moon has been updated to version 27.9.3.  This is a security update.  From the Release Notes:

Changes/fixes:
  • (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to that report, the libopus maintainers state they don't believe remote code execution was possible, so this was not a critical patch.
  • Fixed an issue with task counting in JS GC.
  • Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks to Berk Cem Göksel for reporting).
  • Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.
Minimum system requirements (Windows):
  • Windows 7/8/10/Server 2008 or later
  • A processor with SSE2 instruction support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions for Windows:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Thursday, June 07, 2018

Adobe Flash Player Critical Security Update


Adobe has released Version 30.0.0.113 of Adobe Flash Player.  The update addresses critical vulnerabilities that could lead to remote code execution, affecting version 29.0.0.171 and earlier.

Release date:  June 7, 2018
Vulnerability identifier: APSB18-19
Platform:  Windows, Macintosh, Linux and Chrome OS

Vulnerability details

Vulnerability Category        Vulnerability Impact       Severity    CVE Number
Type Confusion                Arbitrary Code Execution   Critical    CVE-2018-4945
Integer Overflow              Information Disclosure     Important   CVE-2018-5000
Out-of-bounds read            Information Disclosure     Important   CVE-2018-5001
Stack-based buffer overflow   Arbitrary Code Execution   Critical    CVE-2018-5002

Note that an exploit for CVE-2018-5002 exists in the wild and is being used in limited, targeted attacks against Windows users.  These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.

Note:  Microsoft has issued an out-of-band update for the critical Adobe Flash Player vulnerabilities:  Security update for Adobe Flash Player: June 7, 2018

Update:

Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

Wednesday, June 06, 2018

Mozilla Firefox Version 60.0.2 Released


Mozilla sent Firefox Version 60.0.2 to the release channel today.  The update includes developer and macOS fixes.

It wasn't listed in the Release Notes when I originally posted, but, come to find out, not only was Firefox ESR updated, both ESR and Version 60.0.2 included two security fixes, one rated critical and one rated high.  Firefox ESR is now Version 52.8.1.

Fixed
  • Fix missing nodes in the developer tools Inspector panel (bug 1460223)
  • Fix font rendering when using third-party font managers on OS X 10.11 and earlier (bug 1460917)

Changed
  • Updated to NSS 3.36.4 from 3.36.1:
      • Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error (bug 1462303)
      • Fix crash on macOS related to authentication tokens, e.g. PK11 or WebAuthn (bug 1461731)
    See release notes for NSS 3.36.2 and 3.36.4

Update:  To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.  If you do not use the English language version, Fully Localized Versions are available for download.
