[Micronet] Fwd: Patch Tuesday updates for February 2016

[Micronet] Fwd: Patch Tuesday updates for February 2016

Ben Gross
Hi Micronet,

I typically send these security updates out to UCB Security list and if you are responsible for the security of machines on campus, you should be on that list. However, since there are updates that may have a broader appeal this month such as deprecation of IE browsers older than IE 11, the OS X Sparkle vulnerability, and the eventual deprecation of the Java browser plugin and a broad array of critical security updates, I thought it might be also useful to send the note to Micronet.

You can find instructions on subscribing to the security list on its information page below.

The UCB-Security Mailing List | Information Security and Policy

In addition, I'd like to add that there was a new critical security fix to Firefox today.

---------- Forwarded message ----------
From: Ben Gross <[hidden email]>
Date: Tue, Feb 9, 2016 at 8:02 PM
Subject: Patch Tuesday updates for February 2016


Hi Everyone,

It's every sysadmin's favorite day of the month, Patch Tuesday, which you can enjoy for a little bit longer before Exploit Wednesday tomorrow. This month there are twelve security bulletins, five of which are critical. Also this month, the version of Flash embedded in IE now receives a separate security bulletin. Microsoft Office for Windows had a number of vulnerabilities patched, including Microsoft Security Bulletin MS16-015, which fixes a remote code execution vulnerability.

This is also the first month where IE 11 is the only supported version of IE for nearly all systems, so if you are still running versions of IE older than IE 11, you should assume that security updates will stop shortly, although there was a patch that affected IE 9 and 10 this month. The same is true for versions of .NET 4.x other than .NET 4.5.2.

Adobe released security patches for Adobe Flash Player, Adobe Photoshop CC, Bridge CC, Adobe Experience Manager, and Adobe Connect. The Adobe Flash update, version 20.0.0.306, contains fixes for 22 vulnerabilities, all of them rated critical. Note that Adobe Experience Manager and Adobe Connect are not part of the Berkeley Desktop patching service and are also not patched by Adobe RUM, so those would need to be patched manually.

Google released a Chrome update version 48.0.2564.109 that has six security fixes and includes the most recent version of Flash.

Mozilla released Firefox 44.0.1 yesterday, but the last version with security fixes is 44.0, which was released on January 26. The last version of Thunderbird was 38.5.1, released on January 7, 2016.

Last Friday Oracle announced Security Alert CVE-2016-0603 for Java and updated to 8u73, although it appears to only affect new installations and possibly older upgrades. Late last month, Oracle announced that it will not create new Java plugins for the upcoming Java 9 and that Java 8 will be the last version with browser plugins. Java 9 is scheduled for September 2016. Oracle will support Java 8 through September 2017.

Apple released its last round of security updates on January 19. The updates included OS X El Capitan / 10.11.3, iOS 9.2.1, and Safari 9.0.3.

Many OS X applications that rely on the Sparkle updater are vulnerable to a man-in-the-middle upgrade attack, including Adium and VLC. These applications are all updated or will likely be updated in the near future. Note, not all applications that use the Sparkle updater are vulnerable.

Berkeley Desktop machines with patching service enabled will be patched on the regular schedule including all of the above updates. Microsoft announced that it would provide more detailed information about Windows 10 updates. Microsoft also announced a release of EMET 5.5 with support for Windows 10. All current Berkeley Desktop images include EMET. A production release for a Windows 10 Berkeley Desktop is on track for July 2016.

References:

Microsoft Security Bulletin Summary for February 2016

Security Advisories 2016

Readable summaries:

Patch Tuesday February 2016 - Qualys Blog

Microsoft Security Bulletins For February 2016 - gHacks Tech News

InfoSec Handlers Diary Blog - Microsoft February 2016 Patch Tuesday

Microsoft Office updates

February 2016 Office Update Release - Office Updates - Site Home - TechNet Blogs

Microsoft Security Bulletin MS16-015 - Critical

February 9, 2016, update for Office

Microsoft EOL for older versions of IE and .NET Framework

Stay up-to-date with Internet Explorer | IEBlog

"After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support."

Moving to the .NET Framework 4.5.2 - .NET Blog - Site Home - MSDN Blogs

"Beginning January 12, 2016 only .NET Framework 4.5.2 will continue receiving technical support and security updates. There is no change to the support timelines for any other .NET Framework version, including .NET 3.5 SP1, which will continue to be supported for the duration of the operating system lifecycle."

Internet Explorer End of Support

Security updates available for Adobe Flash Player
Adobe Security Bulletin
Release date: February 9, 2016
Vulnerability identifier: APSB16-04
Priority: See table below
CVE number: CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972, CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984, CVE-2016-0985
Platform: Windows, Macintosh and Linux

Security updates available for Adobe Photoshop CC and Bridge CC
Adobe Security Bulletin
Release date: February 9, 2016
Vulnerability identifier: APSB16-03
Priority: 3
CVE number: CVE-2016-0951, CVE-2016-0952, CVE-2016-0953
Platform: Windows and Macintosh

Security updates available for Adobe Experience Manager
Adobe Security Bulletin

Security update available for Adobe Connect
Adobe Security Bulletin

Chrome Releases: Stable Channel Update

"This update includes 6 security fixes. Below, we highlight fixes that were contributed by external researchers."

"Version 44.0.1, first offered to Release channel users on February 8, 2016"

Firefox - Notes (44.0.1) - Mozilla

It appears to be bug fixes only for 44.0.1, as I don't see any security fixes listed on the security page. However, version 44.0, first offered to Release channel users on January 26, 2016, contains security fixes.

Firefox - Notes (44.0) - Mozilla

Security Advisories for Firefox - Mozilla

Security Alert CVE-2016-0603 Released (The Oracle Software Security Assurance Blog)

"To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system.

Because the exposure exists only during the installation process, users need not upgrade existing Java SE installations to address the vulnerability. However, Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later."

No more Java browser plugins starting with Java 9

Moving to a Plugin-Free Web (Java Platform Group, Product Management blog)

NPAPI Plugin Perspectives and the Oracle JRE (Java Platform Group, Product Management blog)

Migrating from Java Applets to plugin-free Java technologies

Apple updates

Apple security updates - Apple Support

Sparkle vulnerability

MITM Security Mitigations (VulnSec) - Issue #722 - sparkle-project/Sparkle

Vulnerable Security - There's a lot of vulnerable OS X applications out there.

Windows 10 

New Windows as a Service information published - Windows for IT Pros - Site Home - TechNet Blogs

Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available - Security Research & Defense - Site Home - TechNet Blogs

Berkeley Desktop Windows 10 Update | Berkeley Desktop

Thank you,
Ben Gross
Manager, Endpoint Engineering and Infrastructure
Information Services and Technology Division
University of California, Berkeley



 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
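The Sparkle item above says that many, but not all, Sparkle-based applications are exposed to a man-in-the-middle upgrade attack. The published finding behind that note concerned update feeds fetched over plain HTTP, so an inventory of which installed apps bundle Sparkle and what scheme their feed URL uses is the first thing a desktop administrator would want. The script below is an added example, not part of Ben's message, the Berkeley Desktop tooling, or the Sparkle project's own code. It relies on two Sparkle conventions that do exist (the framework lives at `Contents/Frameworks/Sparkle.framework` inside the bundle, and the feed URL is normally the `SUFeedURL` key in `Contents/Info.plist`); the bundle names, feed URLs and the `example.invalid` host are constructed for the offline demonstration, and the classification labels are this script's own.

```python
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

SPARKLE_FRAMEWORK = os.path.join("Contents", "Frameworks", "Sparkle.framework")
INFO_PLIST = os.path.join("Contents", "Info.plist")


def classify_feed(feed_url):
    """Label an SUFeedURL value: only an https:// feed is treated as safe from MITM tampering."""
    if feed_url is None:
        # Sparkle also allows the feed to be set in code or via a delegate,
        # so a missing key means "review by hand", not "safe".
        return "no-feed-in-plist"
    if urlsplit(feed_url).scheme.lower() == "https":
        return "https"
    return "insecure"


def sparkle_feed_report(apps_dir):
    """Return {bundle name: label} for every .app in apps_dir that ships Sparkle.framework.

    Apps without the framework are skipped; they are not Sparkle-updated and are not in scope.
    """
    report = {}
    for name in sorted(os.listdir(apps_dir)):
        if not name.endswith(".app"):
            continue
        bundle = os.path.join(apps_dir, name)
        if not os.path.isdir(os.path.join(bundle, SPARKLE_FRAMEWORK)):
            continue
        try:
            with open(os.path.join(bundle, INFO_PLIST), "rb") as fh:
                info = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException):
            report[name] = "unreadable-plist"
            continue
        report[name] = classify_feed(info.get("SUFeedURL"))
    return report


def build_sample_apps(root):
    """Create constructed, minimal .app bundles (not real applications) under root."""
    samples = {
        # name: (SUFeedURL or None, ships Sparkle.framework?)
        "HttpFeed.app": ("http://updates.example.invalid/appcast.xml", True),
        "HttpsFeed.app": ("https://updates.example.invalid/appcast.xml", True),
        "NoFeedKey.app": (None, True),
        "NoSparkle.app": ("http://updates.example.invalid/appcast.xml", False),
    }
    for name, (feed, has_sparkle) in samples.items():
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        if has_sparkle:
            os.makedirs(os.path.join(contents, "Frameworks", "Sparkle.framework"))
        info = {"CFBundleIdentifier": "invalid.example." + name[:-4]}
        if feed is not None:
            info["SUFeedURL"] = feed
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
    return root


def demo():
    """Build the constructed bundles in a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as scratch:
        return sparkle_feed_report(build_sample_apps(scratch))


if __name__ == "__main__":
    # On a real Mac, point sparkle_feed_report at /Applications instead of the scratch dir.
    for bundle_name, label in demo().items():
        print(f"{bundle_name:16} {label}")
```

Anything labelled `insecure` is a candidate for the upgrade the message mentions; `no-feed-in-plist` needs a manual look at the app's release notes or a network capture of its update check, because the scan cannot tell where the feed is configured. A plain-HTTP feed is only one of the conditions the referenced issue #722 covers, so an `https` label narrows the list rather than clearing the app.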

Re: [Micronet] Fwd: Patch Tuesday updates for February 2016

John McChesney-Young
Ben, you mentioned:

> ...the eventual deprecation of the Java browser
> plugin...

Does the campus have a recommendation or instructions for how we will
be able to use the Java-based imaging function for vouchers in BFS,
imagineweb.berkeley.edu? We don't have occasion to use it very often
in our department but it does come up and I would think would be
common campus-wide. If there's a workaround in the three links you
provided about alternatives to Java browser plugins I didn't see it -
and if I'm not mistaken (which is entirely possible!) - the advice in
them wasn't directed at ordinary users. Good clear instructions usable
by department managers and financial assistants would be very helpful
when the deprecation happens.

Thanks for this and for the security update.

Best,

John



--
John McChesney-Young, Administrative Assistant
History of Art Department, 416 Doe MC6020
U. C. Berkeley, Berkeley CA 94720-6020
[hidden email] // voice 1-510-642-5511 // fax 1-510-643-2185

 