May, 2016: Patch Monday: Flash Exploit in the Wild

Welcome to this May Patch Monday Bulletin. This month, patches are available for Adobe Flash, Adobe Air, Adobe ColdFusion, Adobe Acrobat/Reader, Apple Safari, Apple iTunes, Google Chrome, Mozilla Firefox and Mozilla Thunderbird. The top priority this month is Adobe Flash, due to a report of an exploit for CVE-2016-4117. The Microsoft Patch Tuesday bulletin addresses this particular CVE, but this Flash patch also remediates several additional vulnerabilities that Microsoft did not originally address. Chrome, Mozilla or Safari should be next, prioritized based on their prevalence within the environment. Follow up with the remaining Adobe products: ColdFusion, Air and Acrobat/Reader. Finally, apply the Thunderbird and iTunes updates as necessary.

It just came to me that many of you, like me, probably have tens or hundreds of online website logins. Many years back I ran into the problem of having to remember so many unique logins. It wasn't secure to use one password for every login, and it was unthinkable to keep a notepad (physical or virtual) with all my logins recorded. Visit my latest blog article, “Secure, Fast and Efficient Password Management”, to see how we've successfully handled this at my company.

I was talking to a fellow InfoSec guru last week and we got on the subject of patching workstations and the headaches that come along with it. He mentioned that at one of the largest financial institutions he previously worked at, the in-house developers spent years on an internal software solution dedicated to patching the tens of thousands of workstations on their network. Shortly after it was deployed there was a merger and the entire project was left by the wayside. I thought to myself, “If only they had SolarWinds Patch Manager, they could have been installing patches across their domain in hours.” Whether it's Microsoft patches or 3rd party patches like the chart below, SolarWinds Patch Manager provides inventory (using WMI) and 3rd party patching (using WSUS) without requiring you to deploy an agent to every machine on the network. By utilizing WMI and WSUS, it allows you to take advantage of technologies that are already baked into the OS of your existing machines. If you want to try it out you can download SolarWinds Patch Manager for free and test it for 30 days at this URL.

So, without further ado, here's the chart of MS patches for this month.

Patch data provided by:


https://www.ultimatewindowssecurity.com/images/LOGbinderCH.png

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| Multiple CVEs | Adobe Flash Player | Win/Mac: 21.0.0.226 and earlier; Win/Mac ESR: 18.0.0.343 and earlier; IE 11/Edge: 21.0.0.241 and earlier | 5/12/2016 | Arbitrary Code Execution | Critical: Priority 1 / Upgrade as soon as possible |
| Multiple CVEs | Adobe Air | Win/Mac: 21.0.0.198 and earlier | 5/12/2016 | Arbitrary Code Execution | Critical: Priority 3 / Update at admin’s discretion |
| Multiple CVEs | Adobe ColdFusion | ColdFusion 2016: 2016.0.0; ColdFusion 11: Update 7 and earlier; ColdFusion 10: Update 18 and earlier | 5/10/2016 | Arbitrary Code Execution, Spoofing | Important: Priority 2 / Update within 30 days |
| Multiple CVEs | Adobe Acrobat/Reader | Win/Mac DC Continuous: 15.010.20060 and earlier; Win/Mac DC Classic: 15.006.30121; Win/Mac XI: 11.0.15 and earlier | 5/5/2016 | Arbitrary Code Execution, Denial of Service, Information Disclosure | Critical: Priority 2 / Update within 30 days |
| Multiple CVEs | Apple Safari | Before 9.1.1 | 5/16/2016 | Arbitrary Code Execution, Denial of Service, Information Disclosure | Update as soon as possible |
| CVE-2016-1742 | Apple iTunes | Win: Before 12.4 | 5/16/2016 | Arbitrary Code Execution | Update at admin’s discretion |
| Multiple CVEs | Google Chrome | Win/Mac/Linux: Before 50.0.2661.102 | 5/11/2016 | Denial of Service, Security Bypass, Information Disclosure, Spoofing | Update as soon as possible |
| Multiple CVEs | Mozilla Firefox | Before 46 / ESR 45.1 | 4/26/2016 | Arbitrary Code Execution, Denial of Service, Security Bypass, Cross Site Scripting, Information Disclosure | Update as soon as possible |
| Multiple CVEs | Mozilla Thunderbird | Before 45.1 | 4/26/2016 | Arbitrary Code Execution, Denial of Service | Update as soon as possible |
