Lenovo releases Security Advisory... more
FYI...
Lenovo Releases Security Advisory
- https://www.us-cert.gov/ncas/current-activity/2018/01/19/Lenovo-Releases-Security-Advisory
Jan 19, 2018 - "Lenovo has released security updates to address a vulnerability affecting Enterprise Network Operating System (ENOS) firmware. An attacker could exploit this vulnerability to obtain sensitive information.
NCCIC/US-CERT encourages users and administrators to review the Lenovo Security Advisory* for more information and apply the necessary updates or mitigations."
Enterprise Networking Operating System (ENOS) Authentication Bypass in Lenovo and IBM RackSwitch and BladeCenter Products
* https://support.lenovo.com/us/en/product_security/len-16095
Lenovo Security Advisory: LEN-16095
Potential Impact: An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2017-3765 ...
___
Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch
Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs
- http://www.zdnet.com/article/meltdo...ips-also-hit-by-unwanted-reboots-after-patch/
Jan 18, 2018
Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
- https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Last revised: Jan 17, 2018
___
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
- http://www.dell.com/support/article...cve-2017-5754-impact-on-dell-products?lang=en
Last Date Modified: 01/19/2018 07:46 AM
___
More Windows patches, primarily previews, point to escalating problems this month
Five Windows patches and nine for .NET released yesterday, Patch Wednesday “C,” leave many of us wondering what we did to deserve such abuse. Yes, there are bugs
- https://www.computerworld.com/artic...-point-to-escalating-problems-this-month.html
Jan 18, 2018
___
ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Security Advisory
Published: 01/03/2018 | Last Updated : 01/19/2018
Revisions
Version Date Description
1.0 01/03/2018 Information published.
2.0 01/03/2018 Revised ADV180002 to announce release of SQL 2016 and 2017 updates.
3.0 01/05/2018 The following updates have been made: Revised the Affected Products table to include Windows 10 Version 1709 for x64-based Systems because the update provides mitigations for ADV180002. Corrected the security update numbers for the 2016 and 2017 SQL Server Cumulative Updates. Removed Windows Server 2012 and Windows Server 2012 (Server Core installation) from the Affected Products table because there are no mitigations available for ADV180002 for these products. Revised the Affected Products table to include Monthly Rollup updates for Windows 7 and Windows Server 2008 R2. Customers who install monthly rollups should install these updates to receive the mitigations against the vulnerabilities discussed in this advisory. In the Recommended Actions section, added information for Surface customers. Added an FAQ to explain why Windows Server 2008 and Windows Server 2012 will not receive mitigations for these vulnerabilities. Added an FAQ to explain the protection against these vulnerabilties for customers using x86 architecture.
4.0 01/09/2018 Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008, and Microsoft SQL Server 2016 because these updates provide mitigations for ADV180002.
4.1 01/10/2018 Added FAQs to provide more details about the following: the vulnerabilities described in this advisory, what systems are at risk from the vulnerabilities, how customers can be protected against each specific vulnerability, information for customers with AMD-based devices.
5.0 01/12/2018 Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2014 because these updates provide mitigations for ADV180002.
6.0 01/16/2018 Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2012 because these updates provide mitigations for ADV180002.
7.0 01/18/2018 On January 5, 2018, Microsoft re-released KB4056898 (Security Only) for Windows 8.1 and Windows Server 2012 R2 to address a known issue. Customers who have installed the original package on 1/3/2018 should reinstall the update.
8.0 01/18/2018 Microsoft has released security update 4073291 to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”). Microsoft recommends that customers running Windows 10 Version 1709 for 32-bit systems install the update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time. The update is currently available via the Microsoft Update Catalog only, and will be included in subsequent updates. This update does not apply to x64 (64-bit) systems.
9.0 01/19/2018 1 - Updated FAQ #10 to announce that Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown. See the FAQ for links to information on how to download the update for your operating system. Customers with AMD-based devices should install the updates to be protected from the vulnerabilities discussed in this advisory. 2 - Added an update to FAQ #7 that security update 4073291 is available to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”).
___
Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook
If you thought this month’s Windows/Office/.NET patching debacle couldn’t get any worse...
- https://www.computerworld.com/artic...oppy-net-warnings-about-word-and-outlook.html
Jan 19, 2018
:fear::fear::fear:
FYI...
Lenovo Releases Security Advisory
- https://www.us-cert.gov/ncas/current-activity/2018/01/19/Lenovo-Releases-Security-Advisory
Jan 19, 2018 - "Lenovo has released security updates to address a vulnerability affecting Enterprise Network Operating System (ENOS) firmware. An attacker could exploit this vulnerability to obtain sensitive information.
NCCIC/US-CERT encourages users and administrators to review the Lenovo Security Advisory* for more information and apply the necessary updates or mitigations."
Enterprise Networking Operating System (ENOS) Authentication Bypass in Lenovo and IBM RackSwitch and BladeCenter Products
* https://support.lenovo.com/us/en/product_security/len-16095
Lenovo Security Advisory: LEN-16095
Potential Impact: An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2017-3765 ...
___
Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch
Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs
- http://www.zdnet.com/article/meltdo...ips-also-hit-by-unwanted-reboots-after-patch/
Jan 18, 2018
Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
- https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Last revised: Jan 17, 2018
___
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
- http://www.dell.com/support/article...cve-2017-5754-impact-on-dell-products?lang=en
Last Date Modified: 01/19/2018 07:46 AM
___
More Windows patches, primarily previews, point to escalating problems this month
Five Windows patches and nine for .NET released yesterday, Patch Wednesday “C,” leave many of us wondering what we did to deserve such abuse. Yes, there are bugs
- https://www.computerworld.com/artic...-point-to-escalating-problems-this-month.html
Jan 18, 2018
___
ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Security Advisory
Published: 01/03/2018 | Last Updated : 01/19/2018
Revisions
Version Date Description
1.0 01/03/2018 Information published.
2.0 01/03/2018 Revised ADV180002 to announce release of SQL 2016 and 2017 updates.
3.0 01/05/2018 The following updates have been made: Revised the Affected Products table to include Windows 10 Version 1709 for x64-based Systems because the update provides mitigations for ADV180002. Corrected the security update numbers for the 2016 and 2017 SQL Server Cumulative Updates. Removed Windows Server 2012 and Windows Server 2012 (Server Core installation) from the Affected Products table because there are no mitigations available for ADV180002 for these products. Revised the Affected Products table to include Monthly Rollup updates for Windows 7 and Windows Server 2008 R2. Customers who install monthly rollups should install these updates to receive the mitigations against the vulnerabilities discussed in this advisory. In the Recommended Actions section, added information for Surface customers. Added an FAQ to explain why Windows Server 2008 and Windows Server 2012 will not receive mitigations for these vulnerabilities. Added an FAQ to explain the protection against these vulnerabilties for customers using x86 architecture.
4.0 01/09/2018 Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008, and Microsoft SQL Server 2016 because these updates provide mitigations for ADV180002.
4.1 01/10/2018 Added FAQs to provide more details about the following: the vulnerabilities described in this advisory, what systems are at risk from the vulnerabilities, how customers can be protected against each specific vulnerability, information for customers with AMD-based devices.
5.0 01/12/2018 Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2014 because these updates provide mitigations for ADV180002.
6.0 01/16/2018 Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2012 because these updates provide mitigations for ADV180002.
7.0 01/18/2018 On January 5, 2018, Microsoft re-released KB4056898 (Security Only) for Windows 8.1 and Windows Server 2012 R2 to address a known issue. Customers who have installed the original package on 1/3/2018 should reinstall the update.
8.0 01/18/2018 Microsoft has released security update 4073291 to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”). Microsoft recommends that customers running Windows 10 Version 1709 for 32-bit systems install the update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time. The update is currently available via the Microsoft Update Catalog only, and will be included in subsequent updates. This update does not apply to x64 (64-bit) systems.
9.0 01/19/2018 1 - Updated FAQ #10 to announce that Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown. See the FAQ for links to information on how to download the update for your operating system. Customers with AMD-based devices should install the updates to be protected from the vulnerabilities discussed in this advisory. 2 - Added an update to FAQ #7 that security update 4073291 is available to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”).
___
Patching meltdown: Windows fixes, sloppy .NET, warnings about Word and Outlook
If you thought this month’s Windows/Office/.NET patching debacle couldn’t get any worse...
- https://www.computerworld.com/artic...oppy-net-warnings-about-word-and-outlook.html
Jan 19, 2018
:fear::fear::fear:
Last edited: