Tuesday, August 08, 2017

Microsoft Security Updates for August, 2017




The August security release consists of security updates for the following software:
    • Internet Explorer
    • Microsoft Edge
    • Microsoft Windows
    • Microsoft SharePoint
    • Adobe Flash Player
    • Microsoft SQL Server

      The updates address Remote Code Execution, Denial of Service, Information Disclosure and Elevation of Privilege in 48 CVE's in which 25 are Critical, 21 Important, and 2 Moderate in severity.

      For more information about the updates released today, see https://portal.msrc.microsoft.com/en-us/security-guidance/summary.  Updates can be sorted by OS from the search box. Information about the update for Windows 10 is available at Windows 10 Update history.

      For a list of the CVEs addressed in the August update requiring special attention, see the The August 2017 Security Update Review by Dustin Childs.

        Additional Update Notes

        • Adobe Flash Player -- For Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10, Adobe Flash Player is now a security bulletin rather than a security advisory and is included with the updates as identified above.
        • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 
        • Windows 10 -- A summary of important product developments included in each update, with links to more details is available at Windows 10 Update History. The page will be regularly refreshed, as new updates are released.

        References


          Remember - "A day without laughter is a day wasted."
          May the wind sing to you and the sun rise in your heart...





          Adobe Flash Player Critical Security Updates

          Adobe Flashplayer

          Adobe has released Version 26.0.0.151 of Adobe Flash Player for Microsoft Windows, Macintosh, Chrome and Linux.

          These updates address vulnerabilities could lead to remote code execution, information disclosure and Memory address disclosure..

          Release date:  August 8, 2017
          Vulnerability identifier: APSB17-23
          CVE Numbers:   CVE-2017-3085, CVE-2017-3106
          Platform: Windows, Macintosh, Linux and Chrome OS

          Update:

          *Important Note:  Downloading the update from the Adobe Flash Player Download Center link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras that you do not want.  They are not needed for the Flash Player update.

            Verify Installation

            To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

            Do this for each browser installed on your computer.

            To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

            References



            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...









            Adobe Reader and Acrobat Critical Security Updates

            Adobe

            Adobe has released security updates for Adobe Reader and Acrobat XI for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

            Release date: August 8, 2017
            Vulnerability identifier: APSB17-24
            Platform: Windows

            Update or Complete Download

            Update checks can be manually activated by choosing Help > Check for Updates.

            Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

            Enable "Protected View"

            Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode or Protected View option is available for Macintosh users.

            To enable this setting, do the following:

            • Click Edit > Preferences > Security (Enhanced) menu. 
            • Change the "Off" setting to "All Files".
            • Ensure the "Enable Enhanced Security" box is checked. 

            Adobe Protected View
            Image via Sophos Naked Security Blog

            References



            Home
            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...







            Mozilla Firefox Version 55 Released With Significant Changes and Security Updates


            FirefoxMozilla sent Firefox Version 55.0 to the release channel today.  Firefox ESR was updated to version 52.3.  There is no mention in the Release Notes of security updates.*  However, there are major changes that will affect users:
            1. Warningvia ghacks.net, "Firefox 55.0 breaks compatibility with older versions of the browser and Firefox ESR. Users who want to downgrade are advised to back up their profiles prior to installing the update." See "Changed" below.
            2. Important Note:  Although installations of 32x will upgrade with this version, the 64x version is now default on 64x systems with 2GB RAM.  Starting with version 56, Firefox will "silently and forcibly auto-upgrade" users running the 32-bit version of Firefox on 64-bit computers with more than 2GB of RAM to the 64-bit version. The next scheduled release is September 26, 2017 (5 week cycle with release for critical fixes as needed).  
            3. Adobe Flash Player is now click-to-activate. 
            4. Also, see the following regarding add-ons starting in Firefox 57:  Firefox add-on technology is modernizing 
            *UPDATE:  At the time of publishing the Release Notes, there was no indication of security fixes included.  In the interim, however, the Release Notes have been updated and Version 55 includes five (5) critical, ten (10 high, seven (7) moderate and six (6) low security updates.
            New
            • Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.
            • Added options that let users optimize recent performance improvements
              • Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
              • Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching
            • Simplified installation process with a streamlined Windows stub installer
              • Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
              • Full installers with advanced installation options are still available
            • Improved address bar functionality
              • Search with any installed one-click search engine directly from the address bar
              • Search suggestions appear by default
              • When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible
            • Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left
            • Added support for stereo microphones with WebRTC
            • Simplified printing from Reader Mode
            • Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences
            • Browsing sessions with a high number of tabs are now restored in an instant
            • Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
            • Added Belarusian (be) locale

            Changed

            • Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
            • Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.
            • Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)
            Update:

            To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.

            References




            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...