Skip to main content
Tag

chrome patch

||

Google Chrome 86 Brings Massive Security Fixes

By Patch ManagementNo Comments

Google Chrome 86 Brings Massive Security Fixes

Google’s latest version of Chrome has been released with 35 security fixes, including a critical bug and a new password feature.

[vc_empty_space]
[vc_single_image image=”155170″ img_size=”full”]

Google Releases Chrome 86 with Critical Fixes

Google has leased its Stable channel version of Google Chrome 86. Contained within this release includes a massive amount of updates and bug fixes for security, features and API. This version is supported on both Windows, Android, Mac and Linux.

However, a critical flaw (CVE-2020-15967) in Chrome’s payments component has a CVSS score of 9.8, making this a Zero Day vulnerability. This severity rating means Google is recommending you deploy this version as soon as possible.

The flaw is a use-after-free bug. Use after free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause malicious impacts, from making a program to crash to potentially leading to arbitrary code execution.

Use-after-free bugs have been a frequent threat to the browser. Seven high-severity vulnerabilities fixed in Chrome 86 were use-after-free flaws, from ones affecting Chrome’s printing (CVE-2020-15971), audio (CVE-2020-15972), password manager (CVE-2020-15991) and WebRTC (CVE-2020-15969) components.

Keep Your Organization Protected

Customers of Syxsense Manage and Syxsense Secure can find these updates within the console.

Syxsense allows you to manage and secure vulnerabilities exposed by open ports, disabled firewalls, ineffective user account policies, and security compliance violations from remote workers.

Detecting software vulnerabilities isn’t enough—traditional security scanners only do half the job by identifying and tracking possible vulnerabilities and exposure without eliminating the risk.

With security scanning and patch management in a single console, our vulnerability scanning feature not only shows you what’s wrong, but also deploys the solution. Gain visibility into OS and third-party vulnerabilities while increasing cyber resilience through automated patching and security scans. Insights into the OS misconfigurations and compliance violations reduce your attack surface and increase peace of mind.

[vc_separator]

Experience the Power of Syxsense

Start a trial of Syxsense, which helps organizations from 100 to 100,000 endpoints secure and manage their environment, all from just a web browser.

[vc_btn title=”Start a Free Trial” style=”gradient-custom” gradient_custom_color_1=”#da4453″ gradient_custom_color_2=”#8a2387″ shape=”round” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fstart-a-free-trial-of-syxsense%2F|||” css=”.vc_custom_1590698033746{margin-top: 15px !important;}”][vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]
||

Google Chrome Zero-Day Vulnerability Under Attack

By Patch ManagementNo Comments

Google Chrome Zero-Day Vulnerability Under Attack

Google has patched a Chrome browser zero-day bug being actively exploited in the wild. The vulnerability affects installations of Chrome running on Windows, Linux, and macOS.

[vc_empty_space]
[vc_single_image image=”37070″ img_size=”full”]

Chrome Under Active Attack

Google has patched a Chrome web browser zero-day bug being actively exploited in the wild. The vulnerability affects installations of Chrome running on Windows, Linux, and macOS.

The zero-day vulnerability, tracked as CVE-2020-6418, has been described as a type confusion issue affecting the V8 open source JavaScript engine used by the browser. Google has credited Clement Lecigne of its Threat Analysis Group for reporting the vulnerability. Lecigne has discovered various vulnerabilities within the past year within Chrome, as well as Internet Explorer.

Government Says Update Chrome

The Cybersecurity and Infrastructure Security Agency (CISA) also posted a bulletin encouraging users and administrators to review the Chrome Release and “apply the necessary updates.”

Technical details of the vulnerability are being withheld pending patch deployment to a majority of affected versions of the browser, according to Google. Memory corruption vulnerabilities typically occur when memory is altered without explicit data assignments triggering function errors, which in turn enable an attacker to execute arbitrary code on targeted devices.

Google Warns of More Vulnerabilities

Google has also warned users of two additional high-severity vulnerabilities. The first (CVE-2020-6407) is an out-of-bounds memory access in streams flaw and the other (CVE unassigned) is a flaw tied to an integer overflow in ICU, a flaw commonly associated with triggering a denial of service and possibly to code execution.

This is actually the third Chrome zero-day to have been exploited in the wild just this past year. Google patched the first Chrome zero-day in March of 2019 (CVE-2019-5786) and then a second in November of 2019 (CVE-2019-13720).

Patches for this zero-day have been released part of Chrome version 80.0.3987.122.

How to Manage Chrome Vulnerabilities

Leveraging a simple and powerful solution with an up-to-date library of third-party products could easily alleviate the issue across organizations. Syxsense provides Chrome updates same-day and allows for an exceptionally smooth process with a Patch Deploy task.

Simply target all devices for the newest update and the pre-packaged detection will determine if devices do/do not require the update. If they require it, the update will be automatically applied and the vulnerability remediated.

[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Experience the Power of Syxsense

Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.

[vc_btn title=”Start a Free Trial” style=”gradient-custom” gradient_custom_color_1=”#da4453″ gradient_custom_color_2=”#8a2387″ shape=”round” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial|||” css=”.vc_custom_1572936982710{margin-top: 15px !important;}”][vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]
||

Ransomware Aftershocks: August Third-Party Patch Update

By News, Patch ManagementNo Comments
[vc_single_image image=”12822″ img_size=”medium”]

Ransomware Aftershocks

Even after remediation, the effects of ransomware can still be felt. The feelings of security have been stripped away and replaced with a nauseating sensation of vulnerability.

A public TV and radio station in San Francisco, KQED, knows this feeling. After being infected with ransomware demanding 1.7 bitcoin per PC, the FBI advised wiping the infected computes.

Even a month after the attack, the station is still doing work to fix the affected machines. But what has also been a surprise is the damage was to more than just their data. The wireless network and email servers went down at their headquarters, so they moved operations to UC Hastings. It has interrupted all levels of work, from broadcast to hiring of new employees.

This radio station isn’t the only company reeling long after a ransomware attack. Fedex has been reported as saying that was affected by NotPetya and that some damage was permanent. It’s expected that this business interruption will create significant decreases in revenue.

[vc_single_image image=”12386″ img_size=”200×200″]

The most effective way to protect yourself and your business against disaster is keeping your systems up to date. Malware relies on the idea that people won’t keep their software 100% up to date. And for good reason, keeping everything updated can be a nightmare. But utilizing a solution like Syxsense can simplify everything. CMS can show you at a glance which devices have out of date software. You can then quickly build a task to deploy needed updates.

Come check out Syxsense with a free trial today!

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]
[vc_separator]

Third-Party Updates

Every month we see a bevy of new third party updates, and are always enhancing our library of supported vendors. Special requests and additions are welcomed. This month’s releases include:

 

 

Product Category Patch
Chrome Web Browser Chrome_v59.0.3071.134
Wireshark Network Protocol Analyzer Wireshark_v2.4
Firefox Web Browser Firefox_v54.0.1
Glary Utilities PC cleanup Glary_v5.80.0.101
Trillian Instant Messenger Trillian_v6.0 Build 60
WinSCP SFTP, SCP, and FTP client for Windows WinSCP_v5.9.6
WinMerge Open source differencing and merging tool for windows. WinMerge_v2.14
MediaMonkey Media manager MediaMonkey_v4.1.17.1840
PuTTY SSH and Telnet for windows and unix. PuTTY_v0.70
Foobar2000 Audio Player Foobar2000_v1.3.16
Java Programming language Java_v8u141
KeePass Password Safe KeePass_v2.36
Foxit Reader PDF reader FoxitReader_v8.3.1
FileZilla FTP solution FileZilla_v3.27.0.1
Paint.net Image editing software Paint.net_v4.0.17
iTunes Media player iTunes_v12.6.2
Adobe Reader DC Pdf reader AdobeReaderDC_v17.009.20058
Shockwave Multimedia platform Shockwave_v12.2.9.199
Flash Multimedia platform Flash_v26.0.0.137
AIR Runtime Code Distribution AIRRuntime_v26.0.0.127

 

Patch Details
Chrome_v59.0.3071.134 Includes bug fixes, security updates, and feature enhancements.

 

Wireshark_v2.4 Large number of new and updated features. New and updated protocol support. Major API changes. New and updated capture file support.

 

Firefox_v54.0.1 Now uses multiple operating system processes for web page content to increase speed and stability. Fixes: Display issue of tab title. Display issue of opening new tab. Display issue when opening multiple tabs. Tab display issue when downloading files. PDF printing issue. Netflix issue on linu.

 

Glary_v5.80.0.101
Optimized Disk Cleaner: added support for ‘PerfectDisk 13.0’ and ‘Adobe Reader 7.0

Optimized Tracks Eraser: added support for ‘Nero Burning ROM 15’ and ‘AceHTML 6 Pro

Optimized Quick Search: optimized the path sorting algorithm, and speed up by 100%

Minor GUI improvements

Minor bug fixes

Trillian_v6.0 Build 60 Fixed:

Media: Media may not correctly send if DNS is incorrectly set up.

Message Window: History messages may incorrectly duplicate in the window from previous versions of Trillian.

 

WinSCP_v5.9.6 Hotfix. German translation updated.

·  Back-propagated some improvements and fixes from 5.10-5.10.2 beta releases:

  • SSH core and private key tools (PuTTYgen and Pageant) upgraded to PuTTY 0.69. It brings the following change:
    • WinSCP should work with MIT Kerberos again, after DLL hijacking defences broke it.
  • TLS/SSL core upgraded to OpenSSL 1.0.2l.
  • Allow using 64-bit version of PuTTY (and its tools), when available. 1522
  • XML parser upgraded to Expat 2.2.1.
  • Bug fix: Scripting open command without arguments issued irrelevant warning about use of stored site.
  • Bug fix: Generated code uses TransferOptions.Speed instead of TransferOptions.SpeedLimit. 1543
WinMerge_v2.14 Improvements

  • Improve startup time
  • Improve editing of linefilter regular expressions
  • Improve color options organization

Other changes

  • Update PCRE to version 8.10
  • Update SCEW to version 1.1.2
  • Add menuitems for selecting automatic or manual prediffing
  • Add accelerator keys for Shell context menu
  • Allow editing context line count in patch creator
  • Add /xq command line switch for closing WinMerge after identical files and not showing message
  • Allow setting codepage from command line
  • Allow giving encoding name as custom codepage
  • Add new options dialog panel for folder compare options
  • Add options GUI for quick compare limit
  • Write config log as UTF-8 file

Bugs fixed

  • Untranslated string (“Merge.rc:nnnn”) was displayed in status bar
  • Pane headers not updated after language change
  • Quick contents compare didn’t ignore EOL byte differences
  • Compare by size always checked file times too
  • Crash when pasting from clipboard
  • Keeps verifing path even turned off in options
  • Crash after deleting text
  • Added EOL chars between copied file/path names
  • Created new matching folder to wrong folder
  • Strange scrolling effect in location pane
  • Plugin error after interrupting folder compare
  • “+” and “-” from the number block don’t work in the editor
  • Date format did not respect Regional Settings
  • Shell extension used unquoted program path

New Translation

  • Basque

Translation updates

  • Hungarian
  • Turkish
  • Russian
  • Norwegian
  • Danish
  • Dutch
  • Slovenian
MediaMonkey_v4.1.17.1840 Various bug fixes and updates.

 

PuTTY_v0.70 Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even a name we missed when we thought we’d fixed this in 0.69. See vuln-indirect-dll-hijack-3.

Windows PuTTY should be able to print again, after our DLL hijacking defences broke that functionality.

Windows PuTTY should be able to accept keyboard input outside the current code page, after our DLL hijacking defences broke that too.

 

Foobar2000_v1.3.16 Fixed horrible, horrible bug with inverted checkmarks in advanced preferences at 150% text size.

Network streaming: added handlers for more HTTP redirect codes.

Fixed foobar2000 process not setting its working directory to its installation location on startup.

FLAC tagging fixes.

 

Java_v8u141 Fixing of bugs and updates to features.

 

KeePass_v2.36 New Features:

  • Added commands ‘Find Duplicate Passwords’ and ‘Find Similar Passwords’ (in ‘Edit’ -> ‘Show Entries’), which show entries that are using the same or similar passwords.
  • Added command ‘Password Quality Report’ (in ‘Edit’ -> ‘Show Entries’), which shows all entries and the estimated quality of their passwords.
  • Added option ‘String name’ in the ‘Edit’ -> ‘Find’ dialog (for searching entries that have a specific custom string field).
  • Added option for using a gray tray icon.
  • Added {CMD:/…/} placeholder, which runs a command line.
  • Added {T-CONV:/…/Raw/} placeholder, which inserts a text without encoding it for the current context.
  • Added optional ‘Last Password Modification Time (Based on History)’ entry list column.
  • The internal text editor now supports editing PS1 files.
  • The position and size of the internal data viewer is now remembered and restored.
  • For various dialogs, the maximized state is now remembered and restored.
  • Added configuration option for specifying an expiry date for master keys.
  • Added configuration option for specifying disallowed auto-type target windows.
  • Added workaround for Edge throwing away all keyboard input for a short time after its activation.
  • Added workaround for Mono not properly rendering bold and italic text in rich text boxes.
  • TrlUtil now performs a case-sensitive word validation.

Improvements:

  • The password input controls in the IO connection dialog and the proxy dialog now are secure edit controls.
  • The icon of the ‘Save’ command in the main menu is now grayed out when there are no database changes (like the toolbar button).
  • Auto-Type: improved support for target applications that redirect the focus immediately.
  • Auto-Type: improved compatibility with VMware vSphere client.
  • When an error occurs during auto-type, KeePass is now brought to the foreground before showing an error message box.
  • Entries in groups where searching is disabled (e.g. the recycle bin group) are now ignored by the commands that show expired entries.
  • Improved scrolling when moving entries while grouping in the entry list is on.
  • Improved support for right-to-left writing systems.
  • Improved application and system tray icon handling.
  • Updated low resolution ICO files (for Mono development).
  • Moved single-click tray icon action option from the ‘Integration’ tab to the ‘Interface’ tab of the options dialog.
  • Synchronization file path comparisons are case-insensitive now.
  • Improved workaround for Mono clipboard bug (improved performance and window detection; the workaround is now applied only if ‘xsel’ and ‘xdotool’ are installed).
  • Enhanced PrepMonoDev.sh script.
  • KPScript: times in group and entry lists now contain a time zone identifier (typically ‘Z’ for UTC).
  • Various code optimizations.
  • Minor other improvements.

Bugfixes:

  • The drop-down menu commands in the entry editing dialog for setting the expiry date now work as expected.

 

FoxitReader_v8.3.1 New Feature and Improvements:

Easy and Secure File-sharing

Provides a plugin to share your file by generating a file link and sending it via email or to social media, under your full control by advanced settings to share content quickly, easily, and securely.

Some ease of use enhancements.

 

Issues Addressed:

Fixed some issues that could cause Foxit Reader launch slowly.

Fixed some security and stability issues. Click here for details.

 

FileZilla_v3.27.0.1 Bugfixes and minor changes:

MSW: Add missing file to .zip binary package

MSW: Fix toolchain issues breaking the shell extension

 

Paint.net_v4.0.17
  • Added: “Fluid mouse input” option in Settings -> UI -> Troubleshooting. If you see major glitches while drawing, try disabling this.
  • Improved: Default brush size, font size, and corner radius size now scales with major DPI scaling levels (brush size of 2 at 100% scaling, brush size of 4 at 200% scaling, etc)
  • Improved: Default image size now scales with major DPI scaling levels (800×600 at 100%, 1600×1200 at 200%, etc.)
  • Improved performance and drawing latency by removing explicit calls to System.GC.Collect() except when low memory conditions are encountered
  • Improved performance by greatly reducing object allocation amplification by reducing the concurrency level when using ConcurrentDictionary, and by removing WeakReference allocations in favor of direct GCHandle usage
  • Improved: Performance and battery usage by ensuring animations always run at the monitor’s actual refresh rate
  • Improved (reduced) CPU usage when moving the mouse around the canvas
  • Removed: “Hold Ctrl to hide handle” from the Text tool because it was not useful and caused lots of confusion
  • Fixed: Various high-DPI fixes, including horrible looking mouse cursors caused by a bug in the latest .NET WinForms update
  • Fixed: Gradient tool no longer applies dithering “outside” of the gradient (in areas that should have a solid color)
  • Fixed: Very slow performance opening the Effects menu when lots of plugins are installed after installing the Windows 10 Creators Update
  • Fixed: When cropping and then performing an undo, the scroll position was totally wrong
  • Fixed a rendering glitch in the Save Configuration dialog (it would “wiggle”)
  • Fixed: At certain brush sizes, the brush indicator on the canvas had a visual glitch in it due to a bug in Direct2D
  • Fixed: Text tool buttons for Bold, Italics, Underline were not localized for a few languages
  • Fixed a rare crash in the taskbar thumbnails
  • Fixed: Drawing with an aliased brush and opaque color (alpha=255) sometimes resulted in non-opaque pixels due to a bug in Direct2D’s ID2D1RenderTarget::FillOpacityMask
  • Fixed: “Olden” effect should no longer cause crashes (it still has some rendering artifacts due to its multithreading problems, however)
iTunes_v12.6.2 This update is designed for high DPI displays so text and images appear sharper and clearer. It also includes minor app and performance improvements.

 

AdobeReaderDC_v17.009.20058 This release puts in place the infrastructure for simplifying the sign-in process within Acrobat & Reader. This enhancement will be rolled out for Acrobat and Reader users in near future.

 

Shockwave_v12.2.9.199 Fixes a critical memory corruption vulnerability that could lead to code execution.

 

Flash_ v26.0.0.137 These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

 

AIRRuntime_v26.0.0.127 These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

 

Get Started

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center” icon_type=”picker” icon_picker=”fas fa-angle-double-right” icon_align=”right”]START YOUR FREE TRIAL OF SYXSENSE[/dt_default_button]