boot13The change log for Chrome 58.0.3029.110 contains forty-four items, mostly minor bug fixes. Nothing related to security.
Daily Archives: May 9, 2017
Flash 25.0.0.171
Adobe’s software updates for April include Flash 25.0.0.171, which fixes seven security issues in previous versions. If Flash is enabled in your web browser, you should visit the official Flash About page to check its version and update if it’s not current.
As usual, Chrome will update itself with the latest Flash, and Internet Explorer and Edge get their new Flash via Windows Update.
Patch Tuesday for May 2017
Well, I was right. The announcement for May’s Patch Tuesday has almost exactly the same wording as last month’s. That’s because neither contains any useful information. No, it’s back to the new Security Update Guide, at least if you want to know what Microsoft wants to do to your computer this month.
According to my analysis of this month’s update information in the SUG, there are fifty distinct bulletins, affecting Flash, Internet Explorer, Edge, .NET, Office, and Windows. A total of fifty-six vulnerabilities are addressed. Fifteen of the vulnerabilities are categorized as Critical.
Today Microsoft also issued three advisories:
- Microsoft Security Advisory 4022345: Identifying and correcting failure of Windows Update client to receive updates
- Microsoft Security Advisory 4021279: Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege
- Microsoft Security Advisory 4010323: Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11
Vulnerability in Microsoft’s anti-malware software
All of Microsoft’s anti-malware software is based on a common core: MsMpEng, the Malware Protection service. That includes Microsoft Security Essentials, System Centre Endpoint Protection, and Windows Defender. If your PC is running Windows, there’s a good chance that MsMpEng is running as well.
Which is bad, because Google’s Project Zero just discovered a vulnerability in Microsoft’s anti-malware engine that has the potential to provide almost unlimited access to any computer running MsMpEng. The vulnerability can be exploited in various ways, including via specially-crafted email that can do its damage without even being opened.
Project Zero’s analysis includes a proof of concept, and shows that the vulnerable component of MsMpEng is nscript, which analyzes any file or activity that appears to be Javascript.
I just checked my Windows 8.1 test PC, and although Windows Defender is disabled, MpMpEng is running, describing itself as ‘Antimalware Service Executable’. On my Windows 7 test PC, I’ve installed Avast, which was supposed to have disabled Microsoft’s software; but again I see that MsMpEng is running.
If Windows Defender is disabled, why is MsMpEng running? If it’s disabled, is the computer still vulnerable to this exploit? I’d like to think that even though MsMpEng is running, it’s not actively analyzing file and network activity, in which case the vulnerability would be mitigated. But it’s difficult to know for sure.
In any case, Microsoft has issued an update, and since all of their various anti-malware offerings update themselves automatically, most Windows systems may already have the necessary fix in place. You can find out by checking your software’s ‘About’ information. For example, if you’re running Windows Defender for Windows 8.1, double-click the blue shield icon to open its interface, then click the small triangle next to Help and select About. In the About dialog, look for Engine Version; if it’s 1.1.13704.0 or later, it’s up to date.
Report from Ars Technica.