Patch Tuesday Analysis - December 2016
•Als PPTX, PDF herunterladen•
0 gefällt mir•504 views
Ivanti December 2016 Patch Tuesday Analysis Webinar – Formerly Shavlik
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (16)
Andere mochten auch
Andere mochten auch (9)
Ähnlich wie Patch Tuesday Analysis - December 2016
Ähnlich wie Patch Tuesday Analysis - December 2016 (10)
Mehr von Ivanti
Mehr von Ivanti (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Patch Tuesday Analysis - December 2016
- 1. Patch Tuesday Webinar Wednesday, December 14th, 2016 Chris Goettl • Sara Otremba • Ryan Worlton Dial In: 1-855-749-4750 (US) Attendees: 921 738 737
- 2. Agenda December 2016 Patch Tuesday Overview Known Issues Bulletins Q & A 1 2 3 4
- 3. Best Practices Privilege Management Mitigates Impact of many exploits High Threat Level vulnerabilities warrant fast rollout. 2 weeks or less is ideal to reduce exposure. User Targeted – Whitelisting and Containerization mitigate
- 5. Industry News Is Edge the most secure browser? Microsoft likes to claim so, but researchers are arguing otherwise. Edge SMARTSCREEN can apparently be used to scam users into clicking malicious links. https://www.onmsft.com/news/flaw-in-microsoft-edge-can-turn-smartscreen-into-scamming-device-say-researchers Mozilla Zero Day! Update 50.0.2 was released on November 30th. If you have not already, update your Mozilla browsers. http://www.zdnet.com/article/firefox-zero-day-mozilla-tor-issue-critical-patches-to-block-active-attacks/ Adobe Flash Zero Day update released on Patch Tuesday. https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/ November Patches had a number of known issues reported later in the month. Most seem to be around Lenovo hardware that have an update available. https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx Some Lenovo servers do not start after this update is installed. Lenovo is aware of this problem and has released a UEFI update to address it. In the interim, Microsoft has changed the detection logic in the update to prevent additional customers from being affected. For more information, see https://support.lenovo.com/us/en/solutions/ht502912.
- 6. CSWU-043: Cumulative update for Windows 10: December, 2016 Maximum Severity: Critical Affected Products: Windows 10, Edge, Internet Explorer, Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory: MS16-144, MS16-145, MS16-147, MS16-149, MS16-150, MS16-151, MS16-152, MS16-153 Impact: Remote Code Execution, Elevation of Privilege, Fixes 26 vulnerabilities: CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287, CVE-2016-7181, CVE-2016-7206, CVE-2016-7280, CVE-2016-7286, CVE-2016-7288, CVE-2016-7296, CVE-2016-7297, CVE-2016-7257, CVE-2016-7272, CVE-2016-7273, CVE-2016-7274, CVE-2016-7219, CVE-2016-7292, CVE-2016-7271, CVE-2016-7259, CVE-2016-7260, CVE-2016-7258, CVE-2016-7295 Restart Required: Requires Restart
- 7. SB16-005, SB16-006, SB16-007: December, 2016 Security Only Update Maximum Severity: Critical Affected Products: Windows, Internet Explorer Description: This update is the Security Only Quality Update for Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 systems: MS16-144, MS16-146, MS16-147, MS16-149, MS16-151, MS16-153 Impact: Remote Code Execution, Elevation of Privilege, Fixes 17 vulnerabilities: CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287, CVE-2016-7257, CVE-2016-7272, CVE-2016-7273, CVE-2016-7274, CVE-2016-7219, CVE-2016-7292, CVE-2016-7259, CVE-2016-7260, CVE-2016-7295 Restart Required: Requires Restart
- 8. CR16-005, CR16-006, CR16-007: December, 2016 Security Monthly Quality Update Maximum Severity: Critical Affected Products: Windows, Internet Explorer Description: This update is the Security Only Quality Update for Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 systems: MS16-144, MS16-146, MS16-147, MS16-149, MS16-151, MS16-153 Impact: Remote Code Execution, Elevation of Privilege, Fixes 17 vulnerabilities: CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287, CVE-2016-7257, CVE-2016-7272, CVE-2016-7273, CVE-2016-7274, CVE-2016-7219, CVE-2016-7292, CVE-2016-7259, CVE-2016-7260, CVE-2016-7295 Restart Required: Requires Restart
- 9. MS16-144: Cumulative Security Update for Internet Explorer (3204059) Maximum Severity: Critical Affected Products: IE Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Impact: Remote Code Execution Fixes 9 vulnerabilities: CVE-2016-7202(Publicly Disclosed), CVE-2016-7278, CVE-2016-7279, CVE-2016-7281(Publicly Disclosed), CVE-2016- 7282(Publicly Disclosed), CVE-2016-7283, CVE-2016-7284, CVE-2016-7287 Restart Required: Requires Restart
- 10. MS16-145: Cumulative Security Update for Microsoft Edge (3204062) Maximum Severity: Critical Affected Products: Edge Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights. Impact: Remote Code Execution Fixes 10 vulnerabilities: CVE-2016-7206(Publicly Disclosed),CVE-2016-7279, CVE-2016-7280, CVE-2016-7281(Publicly Disclosed), CVE-2016- 7282(Publicly Disclosed), CVE-2016-7286, CVE-2016-7287, CVE-2016-7288, CVE-2016-7296, CVE-2016-7297 Restart Required: Requires Restart
- 11. MS16-146: Security Update for Microsoft Graphics Component (3204066) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Impact: Remote Code Execution Fixes 3 vulnerabilities: CVE-2016-7257, CVE-2016-7272, CVE-2016-7273 Restart Required: Requires Restart
- 12. MS16-147: Security Update for Microsoft Uniscribe (3204063) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Impact: Remote Code Execution Fixes 1 vulnerabilities: CVE-2016-7274 Restart Required: Requires Restart
- 13. MS16-148: Security Update for Microsoft Office (3204068) Maximum Severity: Critical Affected Products: Office, SharePoint and Office WebApps Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Impact: Remote Code Execution Fixes 16 vulnerabilities: CVE-2016-7257, CVE-2016-7262, CVE-2016-7263, CVE-2016-7264, CVE-2016-7265, CVE-2016-7266, CVE-2016-7267, CVE-2016- 7268, CVE-2016-7275, CVE-2016-7276, CVE-2016-7277, CVE-2016-7289, CVE-2016-7290, CVE-2016-7291, CVE-2016-7298, CVE-2016-7300 Restart Required: May Require Restart
- 14. MS16-154: Security Update for Adobe Flash Player (3209498) Maximum Severity: Critical Affected Products: Windows, Adobe Flash Player Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. Impact: Remote Code Execution Fixes 17 vulnerabilities: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016- 7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892 Restart Required: Requires Restart
- 15. MS16-155: Security Update for .NET Framework (3205640) Maximum Severity: Important Affected Products: Windows, .Net Framework Description: This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature. Impact: Information Disclosure Fixes 1 vulnerabilities: CVE-2016-7270 (Publicly Disclosed) Restart Required: Requires Restart
- 16. APSB16-39: Security Update for Adobe Flash Player Maximum Severity: Critical Affected Products: Adobe Flash Player Desktop Runtime, Google Chrome, Microsoft Edge and Internet Explorer 11 and Adobe Flash Player for Linux Description: This security update resolves use-after-free vulnerabilities that could lead to code execution, buffer overflow vulnerabilities and memory corruption issues in Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. Impact: Remote Code Execution Fixes 17 vulnerabilities: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016- 7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE- 2016-7890, CVE-2016-7892 (exploited in the wild) Restart Required: Requires Restart
- 17. 2016-94: Security Update for Mozilla Firefox 50.1 Maximum Severity: Critical Affected Products: Firefox Description: This security update resolves a number of issues including use-after-free vulnerabilities that could lead to code execution, buffer overflow vulnerabilities and memory corruption issues. If you have not already applied 50.0.2, zero day (CVE-2016-9079) which was released on November 30th. Impact: Remote Code Execution Fixes 13 vulnerabilities: CVE-2016-9893, CVE-2016-9080, CVE-2016-9903, CVE-2016-9902, CVE-2016-9901, CVE-2016-9904, CVE-2016-9900, CVE-2016- 9898, CVE-2016-9897, CVE-2016-9896, CVE-2016-9895, CVE-2016-9899, CVE-2016-9894 Restart Required: Requires Restart
- 18. MS16-149: Security Update for Microsoft Windows (3205655) Maximum Severity: Important Affected Products: Windows Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application. Impact: Elevation of Privilege Fixes 2 vulnerabilities: CVE-2016-7219, CVE-2016-7292 Restart Required: Requires Restart
- 19. MS16-150: Security Update for Secure Kernel Mode (3205642) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL). Impact: Elevation of Privilege Fixes 1 vulnerabilities: CVE-2016-7271 Restart Required: Requires Restart
- 20. MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651) Maximum Severity: Important Affected Products: Windows Description: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. Impact: Elevation of Privilege Fixes 2 vulnerabilities: CVE-2016-7259, CVE-2016-7260 Restart Required: Requires Restart
- 21. MS16-152: Security Update for Windows Kernel (3199709) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory. Impact: Information Disclosure Fixes 1 vulnerabilities: CVE-2016-7258 Restart Required: Requires Restart
- 22. MS16-153: Security Update for Common Log File System Driver (3207328) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation. Impact: Information Disclosure Fixes 1 vulnerabilities: CVE-2016-7295 Restart Required: Requires Restart
- 23. Between Patch Tuesdays New Product Support: Microsoft Enhanced Mitigation Experience Toolkit, Adobe Creative Cloud, TreeSize Free, SQL Server 2016 SP1 Security Updates: Chrome (3), Skype (2), Tomcat (5), Firefox (3), VMware Player (1), Microsoft (2), Foxit (2), Wireshark (1), Notepad++ (2), Thunderbird (2), Opera (1), TortoiseSVN (1), FileZilla (2), Non-Security Updates: AutoCAD Map (1), Dropbox (2), GoodSync (7), Microsoft (44), Ccleaner (2), Slack Machine-Wide Installer (3), Foxit Phantom (1), Xmind (1), Google Drive (2), CDBurnerXP (1), NitroPro (1), PDFCreator (1), RealVNC Connect (1), Adobe Creative Cloud (1), GoToMeeting (1), HipChat (2), TreeSize Free (1), TeamViewer (1), WinSCP (1), PDF-Xchange Pro (1), Programmers Notepad (1), Citrix Receiver (1), Malwarebytes (1), WebEx Productivity Tools (1) Security Tools: Software Distribution: Windows Management Framework
- 25. Resources and Webinars Get Shavlik Content Updates Get Social with Shavlik Sign up for next months Patch Tuesday Webinar Watch previous webinars and download presentation.
- 26. Thank you
Hinweis der Redaktion
- NEARLY 50% OPEN E-MAILS AND CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR.
- Edge Browser: https://www.onmsft.com/news/flaw-in-microsoft-edge-can-turn-smartscreen-into-scamming-device-say-researchers https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/ User Targeted - Privilege Management Mitigates Impact CVE-2016-7282 (Publicly Disclosed) CVE-2016-7281 (Publicly Disclosed) CVE-2016-7202 (Publicly Disclosed) CVE-2016-7206 (Publicly Disclosed)
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. The Security Only Quality Update is marked as Patch Type Security. This bundle includes multiple updates in a single installable package. This update does not include the Non-Security Updates and is not cumulative. https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/ User Targeted - Privilege Management Mitigates Impact CVE-2016-7282 (Publicly Disclosed) CVE-2016-7281 (Publicly Disclosed) CVE-2016-7202 (Publicly Disclosed)
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. The Security Only Quality Update is marked as Patch Type Security. This bundle includes multiple updates in a single installable package. This update does not include the Non-Security Updates and is not cumulative. https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/ User Targeted - Privilege Management Mitigates Impact CVE-2016-7282 (Publicly Disclosed) CVE-2016-7281 (Publicly Disclosed) CVE-2016-7202 (Publicly Disclosed)
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact CVE-2016-7202(Publicly Disclosed), CVE-2016-7281(Publicly Disclosed), CVE-2016-7282(Publicly Disclosed), In a web-based attack scenario an attacker could host a website in an attempt to exploit the vulnerabilities. Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit the vulnerabilities. However, in all cases an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact CVE-2016-7206(Publicly Disclosed), CVE-2016-7281(Publicly Disclosed), CVE-2016-7282(Publicly Disclosed), An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through affected Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact User targeted vulnerabilities There are multiple ways an attacker could exploit these vulnerabilities. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Windows Uniscribe Remote Code Execution Vulnerability CVE-2016-7274 A remote code execution vulnerability exists in Windows due to the way Windows Uniscribe handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities – Privilege Management Mitigates Impact Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. Vulnerability Details These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892). These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870). These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876). These updates resolve a security bypass vulnerability (CVE-2016-7890). Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/ CVE-2016-9079 Zero Day resolved in 50.0.2. A use-after-free vulnerability in SVG Animation has Critical CVEs resolved in 50.1: A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated during allocation. Later writers will overflow the buffer, resulting in a potentially exploitable crash. been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Mozilla developers and community members Kan-Ru Chen, Christian Holler, and Tyson Smith reported memory safety bugs present in Firefox 50.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
- Shavlik Priority 2: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks
- Shavlik Priority 2: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks
- Shavlik Priority 2: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks
- Shavlik Priority 2: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks
- Shavlik Priority 2: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks
- Sign up for Content Announcements: Email http://www.shavlik.com/support/xmlsubscribe/ RSS http://protect7.shavlik.com/feed/ Twitter @ShavlikXML Follow us on: Shavlik on LinkedIn Twitter @ShavlikProtect Shavlik blog -> www.shavlik.com/blog Chris Goettl on LinkedIn Twitter @ChrisGoettl Sign up for webinars or download presentations and watch playbacks: http://www.shavlik.com/webinars/