Microsoft Excel security patches

Microsoft has issued security updates for its Office software, patching vulnerabilities in Excel.

CVE-2020-0650 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-0651 | Microsoft Excel Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code.

Adobe security patches

Adobe Inc. has issued its latest product security patches, including critical patches for the Windows platform:

APSB20-01: Adobe Experience Manager
Adobe has released security updates for Adobe Experience Manager (AEM). These updates resolve multiple vulnerabilities in AEM versions 6.5 and below rated Important and Moderate. Successful exploitation could result in sensitive information disclosure.

APSB20-03: Adobe Illustrator CC
Adobe has released updates for Adobe Illustrator CC for Windows. This update resolves critical vulnerabilities that could lead to arbitrary code execution.

Windows 10/Server extreme security flaw

An extremely bad security flaw in Microsoft Windows has just been reported and patched. Here’s more information from the NSA:

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

• HTTPS connections
• Signed files and emails
• Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

Information from the Department of Homeland Security:

Emergency Directive 20-02
Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

Information from US-CERT:

Alert (AA20-014A)
Critical Vulnerabilities in Microsoft Windows Operating Systems

Brian Krebs had sounded early alerts:

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.

Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here.

SilentKnight, LockRattler, SystHist

SilentKnight is a Mac app from Howard Oakley (The Eclectic Light Co.) that fills a big gap in Apple’s Mac software, checking and displaying the status of Apple’s silent security updates — MRT, Gatekeeper, XProtect, TCC, the KEXT blocker, EFI firmware and System Integrity Protection (SIP) status.

LockRattler is an earlier app from the same developer with a less streamlined, more manual interface that may be preferable in certain cases, for example, if you don’t want to update all back-level versions of these Apple security components at once. Another related app, SystHist, offers a list of these security updates and versions that have been installed over time.

SilentKnight, LockRattler and SystHist are free downloads for OS X 10.11 and later.

To check your Mac, simply open [SilentKnight]. It then runs a series of automatic checks:
• whether your EFI firmware is current, against a list which I maintain for each model;
• settings of key security systems such as System Integrity Protection (SIP);
• security data files for MRT, Gatekeeper, XProtect, TCC, and the KEXT blocker, testing whether they are up to date;
• whether there are any security updates available from Apple.
If the answer to the last is that there are updates available, it provides a single button which will download and install them immediately.

… SilentKnight isn’t intended as a complete replacement for LockRattler, which offers similar coverage but without automatic comparison against expected results. LockRattler remains the preferred option when you need more flexibility, perhaps running deliberately with older EFI firmware, or only wanting to download and install certain named updates.

… SystHist is a clean and simple app which tells you all the OS X/macOS system and security updates which have been installed on that Mac. Now probes deep into protected territory to find even silent updates, and gives details of all the files updated.

SilentKnight 1.6 takes Apple’s abandonment of macOS 10.12 into consideration.

Discussions

MacInTouch Community discussions include the following topics (among others):

  • Apple Card – statement conversion hack (csv.wtf)
  • Apple security – Checkra1n/Ra1nUSB jailbreak; iCloud AI image scanning; FBI, end-to-end encryption
  • Backup – Time Machine failures (and ChronoSync contention)
  • Input devices – Logitech Triathlon vs. Microsoft Precision Mouse
  • Internet services – Verizon false advertising
  • iPhone SE – extended support in California
  • macOS Catalina – Apple update broke Canon camera connection
  • Quicken – APFS conflict with “lexicographical order”
  • SSDs – Samsung’s ultrafast PCIe 4.0 SSD previewed
  • Tax software – security/privacy and software archiving problems

CPUSetter

CPUSetter is a little Mac utility from Bryan Christianson that lets you set the number of active physical and logical CPU cores, as well as disabling hyperthreading on certain CPUs (e.g. quad-core i7), for various purposes, such as security issues, bug workarounds, power reduction, software license requirements, and pure experimentation.

Other features include built-in help, plus controls over process priority and limiting, as well as some very useful real-time displays of system/resource details — processes, priorities, and resource usage for CPU, GPU, RAM, disk, network, etc.

CPUSetter 1.5.0 is donationware for OS X 10.10 and up. The latest release adds a power usage graph and fixes a memory leak.

Thunderbird: important security patch (68.4.1)

The new Thunderbird 68.4.1 release brings an important security fix with “targeted attacks in the wild abusing this flaw”, but “these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”

Thunderbird is Mozilla Corp.’s open-source, cross-platform email, chat, calendar, contacts and newsfeed (RSS) program, which features reliable email processing, smart folders, phishing protection and spam tools, special support for large-file transfers, quick filtering, Web searching, and plug-ins/add-ons for customization. See Thunderbird help topics for more information.

Thunderbird 68.4.1 is a free download for OS X 10.9 and up, as well as Linux and Windows. (Pre-release test versions are also available.)

Firefox: critical security patch (72.0.1)

The latest Firefox release, 72.0.1, brings a critical security patch with “targeted attacks in the wild abusing this flaw.”

Firefox is the free, cross-platform web browser from Mozilla, promising better privacy than Google’s Chrome and offering an appealing, open-source alternative to Apple’s Safari.

Version 72.0.0, the previous version released just a day earlier, also brought security fixes, plus additional privacy and security protections and feature updates:

  • Firefox’s Enhanced Tracking Protection marks a major new milestone in our battle against cross-site tracking: we now block fingerprinting scripts by default for all users, taking a new bold step in the fight for our users’ privacy.
  • Firefox replaces annoying notification request pop-ups with a more delightful experience, by default for all users. The pop-ups no longer interrupt your browsing, in its place, a speech bubble will appear in the address bar when you interact with the site.
  • Picture-in-picture video is now also available in Firefox for Mac and Linux: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs or apps.

Firefox 72.0.1 is a free download for OS X 10.9 and up, plus Linux, and Windows.

Firefox ESR 68.4.1 (see security notes and downloads) adds the critical security fix to the Extended Support Release family for OS X 10.9 or later, Linux, or Windows. A Firefox FTP server includes all the various versions for downloading.

Firefox Quantum Developer Edition is an alternate version for desktop systems that incorporates tools such as editors, debuggers and responsive design views.

Firefox Quantum for Enterprise is a version that lets people set up policies (e.g. proxy, restrict features) with Group Policy on Windows and a JSON file on Mac and Linux.

Firefox for iOS 20.2 is a free mobile version for iOS 11 and up, with automatic search suggestions, a private browsing mode, tracking protection and Siri Shortcut support for iOS 12.

Discussions

MacInTouch Community discussions include the following current topics (among others):

  • 2019 Mac Pro – gaming and GPU issues
  • Apple security – invisible updates, Apple Pay charges
  • Audio – Sonos port blocking and DNS blackholing
  • Bluetooth – new standard and audio capabilities
  • Competition – Intel Ghost Canyon NUC; Ryzen 4000, Tiger Lake
  • Fonts – Adobe changes, Affinity support, conversion, OpenType
  • Input devices – Contour and Logitech mice
  • Linux – MacBook Pro graphics failure workarounds
  • macOS Catalina – protection problems, Users location/migration
  • Malware – North Korean Mac malware, ad blockers, nasty phishing trick
  • Migration – missing macOS installers
  • Misc. – new vs. old tractors/technology
  • Photography – web hosting options, experiences, etc.
  • Security – IoT, firewalls and Ring cameras
  • Tax software – prices, capabilities, compatibility, etc.

Samsung Portable SSD T7 Touch

Portable SSD T7 Touch is a newly announced successor to Samsung’s popular Portable SSD T5 promising even higher performance, while adding a new fingerprint scanner and data encryption hardware. (A version without fingerprint reader – “Portable SSD T7” – is planned for later release.)

The new T7 SSDs feature read/write performance up to 1,050/1,000 MB/s in a similar compact aluminum enclosure (58 g) with a 10 Gbps USB-C port (USB 3.1 Gen 2). Both USB-C and USB Type-A cables are included.

Portable SSD T7 Touch is list-priced at $129.99, $229.99, and $399.99 for 500GB, 1TB and 2TB capacities, due this month, while the version without fingerprint reading/encryption is due by mid-2020.

Google Chrome security update

Google Chrome is the cross-platform web browser from Google Inc. with a hidden auto-update daemon and agent that has wrecked Mac systems and wreaked other havoc, plus proprietary Google additions on top of an open-source platform. The latest release brings high-priority security patches.

Google Chrome 79.0.3945.117 is a free download for OS X 10.10 and up, as well as Linux and Windows. (Google Chrome for iOS 79.0.3945.73 is a free download for iOS 12 and up.)

TenFourFox

TenFourFox is a Firefox-based web browser, reprogrammed for PowerPC-based Macs with separate downloads optimized for G3, G4 and G5 processors. Providing up-to-date security to the older Mac platform, it offers “the latest bug fixes, security improvements and all the powerful technology underlying Mozilla Firefox”, along with “AltiVec JPEG, HTML and WebM decoding acceleration for G4 and G5 Macintoshes” and JavaScript performance based on a “best-in-class, just-in-time PowerPC script compiler.”

TenFourFox Feature Parity Release 18 is free and open-source for PowerPC-based Macs running Mac OS X 10.4 and 10.5. Release 18 includes the latest security fixes plus privacy improvements, Reader Mode support and compatibility tweaks.