Hi Micronet,

I typically send these security updates out to UCB Security list and if you
are responsible for the security of machines on campus, you should be on
that list. However, since there are updates that may have a broader appeal
this month such as deprecation of IE browsers older than IE 11, the OS X
Sparkle vulnerability, and the eventual deprecation of the Java browser
plugin and a broad array of critical security updates, I thought it might
also be useful to send the note to Micronet.

You can find instructions on subscribing to the security list on its
information page below.

The UCB-Security Mailing List | Information Security and Policy
https://security.berkeley.edu/resources/mailing-lists-workgroups/ucb-security-mailing-list

In addition, I'd like to add that there was a new critical security fix to
Firefox today.

Firefox - Notes (44.0.2) - Mozilla
https://www.mozilla.org/en-US/firefox/44.0.2/releasenotes/

Security Advisories for Firefox - Mozilla
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2

---------- Forwarded message ----------
From: Ben Gross <bengr...@berkeley.edu>
Date: Tue, Feb 9, 2016 at 8:02 PM
Subject: Patch Tuesday updates for February 2016


Hi Everyone,

It's every sysadmin's favorite day of the month, Patch Tuesday, which you
can enjoy for a little bit longer before Exploit Wednesday tomorrow. This
month there are twelve security bulletins, of which five are critical. Also
this month the version of Flash embedded in IE now receives a separate
security bulletin. Microsoft Office for Windows had a number of
vulnerabilities patched including Microsoft Security Bulletin MS16-015,
which fixes a remote code execution vulnerability.

This is also the first month where IE 11 is the only supported version of
IE for nearly all systems so if you are still running versions of IE older
than IE 11, you should assume that security updates will stop shortly
although there was a patch that affected IE 9 and 10 this month. The same
is true for versions of .NET 4.x other than .NET 4.5.2.

Adobe released security patches for Adobe Flash Player, Adobe Photoshop CC,
Bridge CC, Adobe Experience Manager, and Adobe Connect. The Adobe Flash
update version 20.0.0.306 contains fixes for 22 vulnerabilities, all of
them rated critical. Note that Adobe Experience Manager and Adobe Connect are
not part of the Berkeley Desktop patching service and are also not patched
by Adobe RUM, so those would need to be patched manually.

Google released a Chrome update version 48.0.2564.109 that has six security
fixes and includes the most recent version of Flash.

Mozilla released Firefox 44.0.1 yesterday, but the last version with
security fixes is 44.0, which was released on January 26. The last version
of Thunderbird was 38.5.1, released on January 7, 2016.

Last Friday Oracle announced Security Alert CVE-2016-0603 for Java and
updated to 8u73, although it appears to only affect new installations and
possibly older upgrades. Late last month, Oracle announced that it will not
create new Java plugins for the upcoming Java 9 and that Java 8 will be the
last version with browser plugins. Java 9 is scheduled for September 2016.
Oracle will support Java 8 through September 2017.

Apple released its last round of security updates on January 19. The
updates included OS X El Capitan / 10.11.3, iOS 9.2.1, and Safari 9.0.3.

Many OS X applications that rely on the Sparkle updater are vulnerable to a
man-in-the-middle upgrade attack, including Adium and VLC. These
applications are all updated or will likely be updated in the near future.
Note, not all applications that use the Sparkle updater are vulnerable.

Berkeley Desktop machines with patching service enabled will be patched on
the regular schedule including all of the above updates. Microsoft
announced that it would provide more detailed information about Windows 10
updates. Microsoft also announced a release of EMET 5.5 with support for
Windows 10. All current Berkeley Desktop images include EMET. A production
release for a Windows 10 Berkeley Desktop is on track for July 2016.

References:

Microsoft Security Bulletin Summary for February 2016
https://technet.microsoft.com/en-us/library/security/ms16-feb.aspx

Security Advisories 2016
https://technet.microsoft.com/en-us/library/security/mt631688.aspx

Readable summaries:

Patch Tuesday February 2016 - Qualys Blog
https://blog.qualys.com/laws-of-vulnerabilities/2016/02/09/patch-tuesday-february-2016

Microsoft Security Bulletins For February 2016 - gHacks Tech News
http://www.ghacks.net/2016/02/09/microsoft-security-bulletins-for-february-2016/

InfoSec Handlers Diary Blog - Microsoft February 2016 Patch Tuesday
https://isc.sans.edu/diary/Microsoft+February+2016+Patch+Tuesday/20711

Microsoft Office updates

February 2016 Office Update Release - Office Updates - Site Home - TechNet
Blogs
http://blogs.technet.com/b/office_sustained_engineering/archive/2016/02/09/february-2016-office-update-release.aspx

Microsoft Security Bulletin MS16-015 - Critical
https://technet.microsoft.com/en-us/library/security/MS16-015

February 9, 2016, update for Office
https://support.microsoft.com/en-us/kb/3137471

Microsoft EOL for older versions of IE and .NET Framework

Stay up-to-date with Internet Explorer | IEBlog
https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/

"After January 12, 2016, only the most recent version of Internet Explorer
available for a supported operating system will receive technical support
and security updates. For example, customers using Internet Explorer 8,
Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should
migrate to Internet Explorer 11 to continue receiving security updates and
technical support."

Moving to the .NET Framework 4.5.2 - .NET Blog - Site Home - MSDN Blogs
http://blogs.msdn.com/b/dotnet/archive/2014/08/07/moving-to-the-net-framework-4-5-2.aspx

"Beginning January 12, 2016 only .NET Framework 4.5.2 will continue
receiving technical support and security updates. There is no change to the
support timelines for any other .NET Framework version, including .NET 3.5
SP1, which will continue to be supported for the duration of the operating
system lifecycle."

Internet Explorer End of Support
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

Security updates available for Adobe Flash Player
Adobe Security Bulletin
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
Release date: February 9, 2016
Vulnerability identifier: APSB16-04
Priority: See table below
CVE number: CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967,
CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972,
CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977,
CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982,
CVE-2016-0983, CVE-2016-0984, CVE-2016-0985
Platform: Windows, Macintosh and Linux

Security updates available for Adobe Photoshop CC and Bridge CC
Adobe Security Bulletin
https://helpx.adobe.com/security/products/photoshop/apsb16-03.html
Release date: February 9, 2016
Vulnerability identifier: APSB16-03
Priority: 3
CVE number: CVE-2016-0951, CVE-2016-0952, CVE-2016-0953
Platform: Windows and Macintosh

Security updates available for Adobe Experience Manager
Adobe Security Bulletin
https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html

Security update available for Adobe Connect
Adobe Security Bulletin
https://helpx.adobe.com/security/products/connect/apsb16-07.html

Chrome Releases: Stable Channel Update
http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html

"This update includes 6 security fixes. Below, we highlight fixes that were
contributed by external researchers."

"Version 44.0.1, first offered to Release channel users on February 8, 2016"

Firefox - Notes (44.0.1) - Mozilla
https://www.mozilla.org/en-US/firefox/44.0.1/releasenotes/

It appears to be bug fixes only for 44.0.1, as I don't see any security
fixes listed on the security page. However, version 44.0, first offered to
Release channel users on January 26, 2016, contains security fixes.

Firefox - Notes (44.0) - Mozilla
https://www.mozilla.org/en-US/firefox/44.0/releasenotes/

Security Advisories for Firefox - Mozilla
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44

Security Alert CVE-2016-0603 Released (The Oracle Software Security
Assurance Blog)
https://blogs.oracle.com/security/entry/security_alert_cve_2016_0603

"To be successfully exploited, this vulnerability requires that an
unsuspecting user be tricked into visiting a malicious web site and
download files into the user's system before installing Java SE 6, 7 or 8.
Though relatively complex to exploit, this vulnerability may result, if
successfully exploited, in a complete compromise of the unsuspecting user's
system.

Because the exposure exists only during the installation process, users
need not upgrade existing Java SE installations to address the
vulnerability. However, Java SE users who have downloaded any old version
of Java SE prior to 6u113, 7u97 or 8u73 for later installation should
discard these old downloads and replace them with 6u113, 7u97 or 8u73 or
later."

No more Java browser plugins starting with Java 9

Moving to a Plugin-Free Web (Java Platform Group, Product Management blog)
https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free

NPAPI Plugin Perspectives and the Oracle JRE (Java Platform Group, Product
Management blog)
https://blogs.oracle.com/java-platform-group/entry/npapi_plugin_perspectives_and_the

Migrating from Java Applets to plugin-free Java technologies
http://www.oracle.com/technetwork/java/javase/migratingfromapplets-2872444.pdf

Apple updates

Apple security updates - Apple Support
https://support.apple.com/en-us/HT201222

Sparkle vulnerability

MITM Security Mitigations (VulnSec) - Issue #722 - sparkle-project/Sparkle
https://github.com/sparkle-project/Sparkle/issues/722

Vulnerable Security - There's a lot of vulnerable OS X applications out
there.
https://vulnsec.com/2016/osx-apps-vulnerabilities/

Windows 10

New Windows as a Service information published - Windows for IT Pros - Site
Home - TechNet Blogs
http://blogs.technet.com/b/windowsitpro/archive/2016/02/09/new-windows-as-a-service-information-published.aspx

Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available
- Security Research & Defense - Site Home - TechNet Blogs
http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available.aspx

Berkeley Desktop Windows 10 Update | Berkeley Desktop
https://desktop.berkeley.edu/news/berkeley-desktop-windows-10-update

Thank you,
Ben Gross
Manager, Endpoint Engineering and Infrastructure
Information Services and Technology Division
University of California, Berkeley
bengr...@berkeley.edu