Ivanti Blog: Posts by

Patching in Review – May 2020

Tue, 09 Jun 2020 21:53:37 Z

With June Patch Tuesday in full swing, let’s take a moment and look back at the last month of developments in the wonderful world of patching. Before we begin our upcoming analysis of this month’s releases, let’s reflect on the news from May. As always, be sure to join us on Wednesday, June 10, for our June Patch Tuesday analysis.

Microsoft News

KB4556799 for Windows 10 1903 and 1909 was littered with issues ranging from BSOD crashes and broken LTE connectivity to installation failures and audio issues. While Microsoft stated it was looking into issues mid-month, we did not see any non-security updates for the month. Here’s hoping June goes more smoothly.
Windows 10 2004 is finally out at the end of May, but not without its concerns. Before you begin rolling out this update, keep an eye on Microsoft’s 2004 status page to see active issues (currently 10 active bugs as I write this).

Security Round-Up

The wormable SMBv3 Windows 1903/1909 vulnerability disclosed in March 2020 under CVE-2020-0796 has confirmed reports of active exploitation according to CISA. This vulnerability, which earned the moniker “SMBGhost” or “EternalDarkness”, allows an unauthenticated attacker to execute arbitrary code on an endpoint. Given the lack of authentication and privilege necessary for a successful attack, this can spread through an unpatched network with ease.
Reverse RDP attacks are coming back for a third round with confirmation that there still exists a vulnerability in this protocol for all versions of Windows. When exploited, an attacker can gain access to read and write to the system’s files. For background, this was initially patched in July 2019 under CVE-2019-0887, then patched again in February 2020 under CVE-2020-0655 due to a discovered bypass. Discovered by Check Point Research, although the RDP client built into Windows is fixed, the API is still vulnerable, leaving any 3^rd party RDP solution exposed to this attack.

Third-Party Updates

Google Chrome took the lion’s share of CVEs for the month with a total of 33 vulnerabilities patched between two security releases under 83.0.4103.61 and 83.0.4103.97. Microsoft Edge (Chromium) also released shortly after each patch under their own advisory page.
Firefox released Version 77 covering only 7 vulnerabilities with only two of them affecting the corresponding ESR release. Nearing the tail end of the month, Mozilla also released Thunderbird 68.9.0 to remediate the shared CVEs.

Patching in Review – Week 6 of 2020

Fri, 07 Feb 2020 23:43:38 Z

It’s hard to believe the second Patch Tuesday of the year is around the corner. With an IE zero-day still expected to be fixed, let us hope that we find ourselves with a smooth rollout. Make sure to tune in to our Patch Tuesday webinar next week where we analyze the vulnerabilities and known issues from Microsoft for the month.

In the news, Microsoft delivered with final updates this week for Windows 7 and Server 2008 R2. This fix comes after a nasty wallpaper bug where the background would be replaced by a black screen. Surprisingly, a standalone fix under KB4539602 as well as a Monthly Rollup preview under KB4539601 have been released to remediate the wallpaper bug.

Security Releases

Google Chrome released a new major version this week with a total of 56 security fixes and 38 CVEs. Version 80.0.3987.87 released on Tuesday with 10 of the vulnerabilities acquiring a High severity. Expect a corresponding release for Microsoft’s Edge browser as it is now based on the chromium engine.

Node.JS released their February security updates for version 10, 12 and 13 with a total of 3 CVEs. The most notable vulnerability has been assigned CVE-2019-15605 with a Critical severity. Synk.io wrote a great article detailing this vulnerability where unpatched versions can fall victim to an HTTP smuggling attack.

Third-Party Updates

The final week before Patch Tuesday ended with a relatively light release. See the list of non-securities below to prepare for your next cycle.

Software Title	Ivanti ID	Ivanti KB
Box Drive 2.11.46	BOXD-200114	QBOXD21146
Dropbox 90.4.307	DROPBOX-200204	QDROPBOX904307
Evernote 6.23.2.8859	ENOT-200206	QENOT62328859
GoodSync 10.10.21.1	GOODSYNC-200205	QGS1010211
GoodSync 10.10.21.5	GOODSYNC-200207	QGS1010215
Opera 66.0.3515.72	OPERA-200205	QOP660351572
PeaZip 7.1.0	PZIP-200203	QPZIP710
Plex Media Player 2.50.0	PLXP-200205	QPLXP2500
RealVNC Server 6.7.1	RVNC-200207	QRVNC671
Royal TS 5.02.60204.0	RTS5-200204	QRTS502602040
Royal TS 5.02.60207.0	RTS5-200207	QRTS502602070
Visual Studio Code 1.42.0	MSNS20-0207-CODE	QVSCODE142

Patching in Review – Week 5 of 2020

Fri, 31 Jan 2020 23:36:20 Z

The echoes of Patch Tuesday past and anticipation of our next patch week are the themes here with Microsoft staying in the spotlight and Apple keeping things interesting this week.

It looks like the pesky wallpaper bug on Windows 7 from the final security release will indeed see a post end of life update for not just extended support customers, but all customers! The known issue listed in KB4534310 was just updated with an anticipated resolution in the coming week.

Mentioned in last week’s post, Microsoft released an advisory detailing a zero-day vulnerability that has yet to be patched but offered a workaround. According to BleepingComputer, this temporary fix is currently breaking windows printing with other unforeseen issues such as sfc failing when jscript.dll is read for integrity. It doesn’t look like we will see an out of band patch before February’s security release, so many environments may have to wait until then.

To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week!

Security Releases

Apple released updates for their iTunes and iCloud applications on Windows with a total of 8 vulnerabilities shared between the two. The most severe vulnerability is awarded to CVE-2020-3825, CVE-2020-3868, and CVE-2020-3865 with a CVSSv3 score estimated at 8.8. All 3 vulnerabilities could lead to arbitrary code execution if malicious web content were to be accessed.

Third-Party Updates

See the list of additional third-party updates below from our supported vendors to keep your environments up to date.

Software Title	Ivanti ID	Ivanti KB
Google Drive File Stream 36.0.18.0	GDFS-200130	QFS360180
GoToMeeting 10.7.0	GOTOM-200131	QGTM1070
LibreOffice 6.4.0	LIBRE64-200129	QLIBRE6403
Notepad++ 7.8.4	NPPP-200130	QNPPP784
Opera 66.0.3515.60	OPERA-200130	QOP660351560
Plex Media Server 1.18.5.2309	PLXS-200129	QPLXS11852309
Tableau Desktop 2019.4.3	TABDESK20194-200131	QTABDESK201943
Tableau Prep Builder 2020.1.2	TABPREPB20-200131	QTABPREPB202012
Tableau Reader 2019.4.3	TABREAD20194-200131	QTABREAD201943
TeamViewer 15.2.2756	TVIEW15-200129	QTVIEW1522756
VirtualBox 6.0.16	OVB60-200130	QOVB6016

Patching in Review – Week 4 of 2020

Fri, 24 Jan 2020 23:30:06 Z

We just wrapped up the first patch week of the year, and Microsoft is keeping things interesting with a newly announced IE zero-day vulnerability, but with no patch. According to Microsoft’s advisory, there are limited active attacks against CVE-2020-0674 where a malicious website could allow an attacker access to the system. For a temporary, but risky fix, Microsoft has provided a workaround within the advisory jscript would need to be restricted on the endpoint.

This might be the end of Windows 7 servicing, but Microsoft left us with a final present. It appears the final security update is breaking desktop wallpaper of all things, leaving a black background instead. Currently there’s no word whether Microsoft will provide a non-security fix, or if the unlucky users are stuck with this bug on their unsupported OS.

To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week!

Security Releases

Snagit was the only security release from our vendors this week with a single vulnerability. Version 2018.2.5 covers CVE-2019-5100 where their third-party BMP library could be used to execute arbitrary code on the system.

Third-Party Updates

Even though we took a break this week in security releases, this non-security list is more than enough. See the summary of our additional patches for the week below.

Software Title	Ivanti ID	Ivanti KB
Adobe Flash Player 32.0.0.321	AFP32-200121	QAF3200321
Camtasia 2019.0.9	CAMTA19-200121	QCAMTASIA1909
Dropbox 89.4.278	DROPBOX-200123	QDROPBOX894278
Falcon sensor for Windows 5.24.10609	CSFS-200122	QFS52410609
GOM Player 2.3.49.5312	GOM-200128	QGOM23495312
GoodSync 10.10.20.7	GOODSYNC-200124	QGS1010207
Google Backup and Sync 3.48.8668.1933	GSYNC-200127	QGBS34886681933
Node.JS 13.7.0 (Current)	NOJSC-200122	QNODEJSC1370
Opera 66.0.3515.44	OPERA-200122	QOP660351544
Plex Media Player 2.49.0	PLXP-200122	QPLXP2490
Slack Machine-Wide Installer 4.3.2.0	SMWI-200122	QSLACK4320
Tableau Desktop 2018.3.14	TABDESK20183-200124	QTABDESK2018314
Tableau Desktop 2019.1.12	TABDESK20191-200124	QTABDESK2019112
Tableau Desktop 2019.2.8	TABDESK20192-200124	QTABDESK201928
Tableau Desktop 2019.3.4	TABDESK20193-200124	QTABDESK201934
Tableau Desktop 2019.4.2	TABDESK20194-200124	QTABDESK201942
Tableau Reader 2019.4.2	TABREAD20194-200124	QTABREAD201942
Thunderbird 68.4.2	TB-200124	QTB6842
WinZip 23.0.13431	WZ23-200128	QWZ23013431
Zoom Client 4.6.17409.120	ZOOM-200121	QZOOM4617409

Patching in Review – Week 3 of 2020

Fri, 17 Jan 2020 23:22:02 Z

What ever happened to the boring first Patch Tuesday of the year? Between the notorious CryptoAPI spoofing vulnerability and Oracle’s quarterly release, there is almost too much to cover! Without further ado, let’s get into this very dense week.

As always, here are the quick links to stay up to date on any developing known issues:

To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week!

Patch Tuesday Follow-up

As mentioned earlier, January is usually a very mundane Patch Tuesday. With a traditionally small patch count and short vulnerability list, no one was expecting the NSA disclosure to come out the day before.

Microsoft has since released patches for this alarming vulnerability, but security researchers have continued diving into the vulnerability with new developments. BleepingComputer has 2 great articles covering the CryptoAPI vulnerability for the week.

Proof of concepts have already come out 2 days after the respective patches were released where the researcher spoofed the github certificate on a compromised system.
As a refresher, an additional article was written explaining the chain of trust that is compromised in this attack.

Finally, we were all surprised this week to see an addition to the Windows 7 Monthly Rollup, which now will show unwanted upgrade alerts. Fortunately, there is a simple registry key to disable the nuisance.

Security Releases

Outside of Microsoft, there are more 3^rd party security patches than it’s even possible to talk about. Let’s cover this with h a quick rapid-fire summary:

The January 2020 CPU (Critical Patch Update) released on the same day as Patch Tuesday. For our patching content, this includes security fixes for Java 8 and 11, VirtualBox 5 and 6, as well as the related OpenJDK solutions such as Amazon Corretto.
VMware Tools 11.0.5 released with CVE-2020-3941 under VMSA-2020-0002.
Google Chrome released version 79.0.3945.130 with a rare critical vulnerability under CVE-2020-6378.
Foxit released version 9.7.1 for Reader and PhantomPDF with numerous CVEs.

It’s safe to say this will be a very substantial patching cycle for everyone! Make sure to include the patches above in your weekend push.

Third-Party Updates

Aside from the dizzying amount of security updates, there was an equally large amount of non-securities for the week. See the list below to include in this 3^rd-party-heavy patch week.

Software Title	Ivanti ID	Ivanti KB
Adobe Flash Player 32.0.0.314	AFP32-200114	QAF3200314
AIMP 4.60.2170	AIMP-200114	QAIMP4602170
Falcon sensor for Windows 5.23.10504	CSFS-200115	QFS52310504
Firefox 72.0.2	FF-200120	QFF7202
Firefox ESR 68.4.2	FFE-200120	QFFE6842
GIT for windows 2.25.0	GIT-200114	QGIT2250
GOM Player 2.3.49.5311	GOM-200114	QGOM23495311
GoodSync 10.10.19.5	GOODSYNC-200113	QGS1010195
GoToMeeting 10.6.1	GOTOM-200120	QGTM1061
KeePass Classic 1.38.0	KEEPC-200113	QKPC138
KeePass Pro 2.44	KEEP-200120	QKPP244
Notepad++ 7.8.3	NPPP-200116	QNPPP783
Opera 66.0.3515.36	OPERA-200116	QOP660351536
RealVNC Server 6.7.0	RVNC-200116	QRVNC670
RealVNC Viewer 6.20.113	VNCV-200116	QVNCV620113
Tableau Prep Builder 2020.1.1	TABPREPB20-200115	QTABPREPB202011
TeamViewer 11.3.27434	TVIEW11-200113	QTVIEW11327434
TeamViewer 12.3.27435	TVIEW12-200115	QTVIEW12327435
TeamViewer 13.2.36217	TVIEW13-200115	QTVIEW13236217
TeamViewer 14.7.13736	TVIEW14-200115	QTVIEW14713736
TeamViewer 15.1.3937	TVIEW15-200115	QTVIEW1513937
Wireshark 2.6.14	WIRES26-200116	QWIRES2614
Zoom Outlook Plugin 4.8.17303.0117	ZOOMOUT-200120	QZOOMO4817303

Patching in Review – Week 2 of 2020

Fri, 10 Jan 2020 23:11:28 Z

This week we can christen 2020 with our fist zero-day! Other patching news has been relatively quiet this week so let’s get to it.

To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week!

Security Releases

The highest profile releases this week are awarded to Firefox with not just one, but two releases including a zero day! Firefox and Firefox ESR initially released under version 72.0 and 68.4.0, but the next day released 72.1 and 68.4.1. The actively exploited vulnerability, CVE-2019-17206, details a flaw in the IonMonkey JIT compiler where an attacker can execute code within the application sandbox. This update comes 7 months after the Mozilla’s last patch containing a pair of zero-day vulnerabilities.

Third-Party Updates

The second week of the year has proven to be far more active with a substantial list of non-security patches. Review the list below for any patches relevant to your environment.

Software Title	Ivanti ID	Ivanti KB
AIMP 4.60.2169	AIMP-200109	QAIMP4602169
BlueJeans 2.18.39.0	JEANS-200106	QBJN218390
Cumulative Update 1 for SQL Server 2019	SQL2019-CU01	Q4527376
Dropbox 88.4.172	DROPBOX-200107	QDROPBOX884172
Google Backup and Sync 3.47.8667.1399	GSYNC-200109	QGBS34786671399
Google Chrome 79.0.3945.117	CHROME-200107	QGC7903945117
Node.JS 10.18.1 (LTS Lower)	NOJSLL-200109	QNODEJSLL10181
Node.JS 12.14.1 (LTS Upper)	NOJSLU-200108	QNODEJSLU12141
Node.JS 13.6.0 (Current)	NOJSC-200108	QNODEJSC1360
Opera 66.0.3515.27	OPERA-200108	QOP660351527
PDF-Xchange PRO 8.0.336.0	PDFX-200107	QPDFX803360
Plex Media Player 2.48.0	PLXP-200108	QPLXP2480
Plex Media Server 1.18.4.2171	PLXS-200107	QPLXS11842171
Snagit 2020.1.0	SNAG20-200107	QSNAG2010
Thunderbird 68.4.1	THUNDERBIRD-200110	QTB6841

Patching in Review – Week 1 of 2020

Fri, 03 Jan 2020 23:04:20 Z

Happy New Year, everyone! After a holiday hiatus, I’m back to talk about the riveting world of patching.

BleepingComputer kicks off the year with a reminder of the upcoming Microsoft products reaching end of life. Most notable of course is Windows 7 and Server 2008 R2 with January Patch Tuesday being the final set of patches (aside from the extended support updates). Office 2010 is also on the chopping block this year, with support ending after October Patch Tuesday, so make sure to stay aware of this ubiquitous software.

To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week:

Security Releases

Surprisingly enough, we had a security release from GIT for Windows, one of our newly supported products! This release includes the security fixes from GIT 2.24.1 as well as CVE-2018-19604 which is unique to this Windows client. Most of these CVEs are classified as “High” severity, with five of the vulnerabilities assigned a CVSSv3 score of 8.8, so make sure to roll out this update with urgency.

Third-Party Updates

As expected, the patching world was very quiet this week, with only a few additional updates released by our supported vendors. See the list below in case there was an update you were waiting for:

Software Title	Ivanti ID	Ivanti KB
AIMP 4.60.2167	AIMP-021	QAIMP4602167
GoodSync 10.10.18.8	GOODSYNC-200102	QGS1010188
PeaZip 7.0.1	PZIP-021	QPZIP701

Patching in Review – Week 47 of 2019

Fri, 22 Nov 2019 22:58:26 Z

Fallout from Patch Tuesday rolled into this week with Microsoft announcing a new issue surrounding Access databases. According to Microsoft’s support article, after systems were updated with specific Microsoft Office November Patch Tuesday patches, the end user would get an error stating “Query is Corrupt” in all versions of Access. As of writing this, Microsoft has released KB4484198 for Office 2016 MSI instances, but has yet to release updates for 2010 and 2013 installations. Interestingly enough, there was a release for all branches of O365 at the end of the week, but no documentation currently reflects the fix.

In the news, numerous security vulnerabilities have been found in four popular VNC titles. According to The Hacker News, Kaspersky discovered a total of 37 vulnerabilities throughout the products, some of which have existed over the last 20 years. Many of these vulnerabilities, if exploited, could lead to the attacker gaining control of the system where arbitrary commands could be executed on the endpoint. UltraVNC topped the list with a massive 22 vulnerabilities alone. Keep an eye out for releases on these software titles soon so your affected environments can be protected as soon as possible.

Security Releases

Google released a security update for its Chrome browser under version 78.0.3904.108, with a total of five security fixes. Two of the security fixes were assigned CVEs with “High” severity where an attacker could leverage the Bluetooth functionality to execute arbitrary code on the system. Let’s just hope this update doesn’t have any experimental features enabled on it like the last Chrome release!

Third-Party Updates

There might have only been a single security release for the week, but that’s far from all the updates we released in our content. Here’s a list of the non-security patches over this week to take note of:

Software Title	Ivanti ID	Ivanti KB
Apache Tomcat 8.5.49.0	TOMCAT-147	QTOMCAT85490
Apache Tomcat 9.0.29.0	TOMCAT-148	QTOMCAT90290
Audacity 2.3.3.0	AUDACITY-233	QAUD2330
CDBurnerXP 4.5.8.7128	CDBXP-049	QCDBXP4587128
CoreFTP LE 2.2.1947	COREFTP-041	QCFTP221947
GOM Player 2.3.47.5309	GOM-032	QGOM23475309
Microsoft Power BI Desktop 2.75.5649.801	PBID-073	QBI2755649801
Node.JS 12.13.1 (LTS Upper)	NOJSLU-013	QNODEJSLU12131
Node.JS 13.2.0 (Current)	NOJSC-029	QNODEJSC1320
Opera 65.0.3467.48	OPERA-239	QOP650346748
Royal TS 5.01.61114.0	RTS5-009	QRTS501611140
Snagit 2020.0.2	SNAG-032	QSNAG2002
Tableau Desktop 2019.1.10	TABDESK2019-021	QTABDESK2019110
Tableau Desktop 2019.2.6	TABDESK2019-020	QTABDESK201926
Tableau Desktop 2019.3.2	TABDESK2019-019	QTABDESK201932
TeamViewer 15.0.8397	TVIEW-059	QTVIEW1508397
TreeSize Free 4.4.1.510	TSF-020	QTSF441510
UltraVNC 1.2.3.0	UVNC-024	QUVNC1230

Patching in Review – Week 46 of 2019

Fri, 15 Nov 2019 22:39:05 Z

Against all odds, Microsoft gifted us with another relatively simple Patch Tuesday (aside from the surprise IE Zero Day CVE-2019-1429). Who knows what December will bring at this rate. Of course, Patch Tuesday wasn’t completely without issue with a few notable issues in the field, and not just from Microsoft!

As always, here are the quick links to stay up to date on any developing known issues:

Patch Tuesday Follow-Up

While this isn’t directly related to an update, Google Chrome graced headlines this week with an experimental feature that’s frustrating administrators across the globe.

According to BleepingComputer, Google remotely enabled “WebContent Occlusion” across all v77 and v78 major versions on Patch Tuesday. This caused terminal server environments to be plagued by the aptly named “White Screen of Death”. After a flood of complaints to Google’s support forums, the change was reversed on Thursday. In the aftermath of this issue, enterprise administrators have raised extreme concerns around Google’s ability to modify Chrome configurations without any opt-in or blocking method available, so we will have to see what position Google takes from here.

Administrators have been reporting issues with Microsoft’s Malicious Software Removal Tool since Patch Tuesday, with installation failures across whole environments. This has been covered in depth by Woody on Windows and Born City where it appears the issue was around an improperly signed binary. It appears this has since been fixed, so refreshing the binary on your patching solution should resolve the issue.

Third-Party Updates

While the Microsoft updates have defined the week, other vendors have been releasing updates for their respective products. See the list below as these updates can still contain valuable security fixes.

Bulletin title	Bulletin ID	KB
Adobe Acrobat DC and Acrobat Reader DC 19.021.20056	ARDC19-014	QADC1902120056
Adobe Flash Player 32.0.0.293	AFP32-00293	QAF3200293
DropBox 85.4.155	DROPBOX-125	QDROPBOX854155
GoodSync 10.10.12.2	GOODSYNC-134	QGS1010122
Google Backup and Sync 3.47.7654.0300	GSYNC-025	QGBS34776540300
Microsoft Power BI Desktop 2.75.5649.582	PBID-072	QBI2755649582
Nitro Pro 13.6.0.108	NITRO-029	QNITRO1360108
Nitro Pro Enterprise 13.6.0.108	NITROE-010	QNITROE1360108
NVivo 12.6.0.959	NVIVO-005	QNVIVO1260959
Opera 65.0.3467.38	OPERA-237	QOP650346738
Opera 65.0.3467.42	OPERA-238	QOP650346742
Paint.net 4.2.5	PDN-012	QPDN425
Plex Media Player 2.45.0	PLXP-048	QPLXP2450
Plex Media Server 1.18.1.2019	PLXS-050	QPLXS11812019
Plex Media Server 1.18.2.2029	PLXS-051	QPLXS11822029
RealVNC Viewer 6.19.1115	VNCV-003	QVNCV6191115
Skype 8.54.0.91	SKYPE-170	QSKY854091
Snagit 2020.0.1	SNAG-031	QSNAG2001
Thunderbird 68.2.2	TB19-6822	QTB6822
Visual Studio Code 1.40.0	MSNS19-1108-CODE	QVSCODE1400
Visual Studio Code 1.40.1	MSNS19-1114-CODE	QVSCODE1401
VMWare Horizon Client 5.2.0	VMWH-011	QVMWH5200
VMware Workstation 14.1.8 Pro	VMWW-026	QVMWW1418
Zoom Outlook Plugin 4.8.5743.1107	ZOOMOUT-013	QZOOMO485743

Patching in Review – Week 44 of 2019

Fri, 01 Nov 2019 20:16:20 Z

Boo! Google Chrome Zero-Day! Scared you, didn’t I? Unfortunately, this is not just a ghost story with a confirmed exploit in the wild for everyone’s favorite web browser.

In the news, Microsoft has acknowledged a new known issue from October Patch Tuesday where TLS and SSL connections will intermittently fail. Under Microsoft’s support article, the fix for CVE-2019-1318 may result in connections erroring out with 0x8009030f. Fortunately, multiple workarounds are now provided to those that are experiencing this issue. All Security-Only and Monthly Rollup patches released on Patch Tuesday are affected by this, so make sure to keep an eye out for this new issue in your environments.

Security Releases

Chrome is back for an encore this month with its second zero-day for the year. With an appropriate late release on Halloween, version 78.0.3904.87 includes two security fixes with CVE-2019-13720 taking the spotlight. Details on this use-after-free vulnerability are scarce at the time of writing other than Google’s acknowledgement of an exploit in the wild. In early March this year, a different use-after-free vulnerability under CVE-2019-5786 was exploited in the wild in conjunction with CVE-2019-0808, a Windows vulnerability.

Apple released iTunes 12.10.2 and iCloud 7.15 this week covering a total of 16 vulnerabilities. CVE-2019-8801 stands out from the group and is unique to iTunes where the installer could be used to execute an untrusted DLL under the signed installer process. The bulk of the other vulnerabilities are shared with Apple’s Safari browser on macOS to protect the application from exploitation if used to browse web content.

Third-Party Updates

Here are the other updates we released in our content this week. These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes:

Software Title	Ivanti ID	Ivanti KB
Adobe Acrobat DC and Reader DC 15.006.30505	ARDC19-012	QADC1500630505
Adobe Acrobat DC and Reader DC 17.011.30152	ARDC19-013	QADC1701130152
DropBox 84.4.170	DROPBOX-124	QDROPBOX844170
GIMP 2.10.14	GIMP-019	QGIMP21014
GoToMeeting 10.2.1	GOTOM-075	QGTM1021
LibreOffice 6.3.3.2	LIBRE-120	QLIBRE6332
Notepad++ 7.8.1	NPPP-095	QNPPP781
Opera 64.0.3417.83	OPERA-235	QOP640341783
Plex Media Server 1.18.1.1973	PLXS-049	QPLXS11811973
Slack Machine-Wide Installer 4.1.2	SMWI-037	QSLACK412
TortoiseSVN 1.13.0	TORT-035	QTORT1130
TreeSize Free 4.4.0.508	TSF-019	QTSF440508
Visual Studio 2019 version 16.3.7	MSNS19-1030-VS2019	QVS20191637

Patching in Review – Week 43 of 2019

Fri, 25 Oct 2019 17:23:44 Z

With major releases from both Firefox and Chrome this week, there has been enough to keep everyone busy for the month. In case you missed it, check out October Threat Thursday where we analyze the biggest security threats for the month!

In the news, Microsoft SQL 2012 and 2014 are being actively attacked in the wild with previously unknown malware. Dubbed “Skip-2.0” by ESET security researchers, this backdoor malware is designed to be laid down after a successful exploit. After implementation, remote attackers can then connect later with a known password. This allows the attackers to then access, modify, or delete data at their convenience without creating a larger footprint than is necessary.

Security Releases

Google released Chrome 78 on Tuesday with a total of 37 security fixes, including 21 CVEs. While this release contains valuable security fixes, it appears that Symantec Endpoint Protection is not playing nicely with the update. According to Symantec’s support article, all tabs will crash in a browser session with the notorious “Aw, Snap!” error page. This error appears to be caused by Microsoft’s Code Integrity feature and can be disabled as a workaround until SEP can be upgraded later.

Firefox 70 released on Tuesday as well, with a total of 13 CVEs listed in Mozilla’s security advisory. The most interesting feature is titled “Firefox Lockwise” that will keep track of the latest data breaches in relation to saved credentials and alert you if a breach occurs. As with most major releases by Mozilla, Firefox ESR 68.2 and Thunderbird 68.2 released as well, with many shared fixes to the vulnerabilities found in the leading branch.

Third-Party Updates

While Google and Mozilla were the high-profile releases this week, our other supported vendors were busy providing non-security updates for their products. Review the list below to make sure you stay up to date on your full environment.

Software Title	Ivanti ID	Ivanti KB
Adobe Acrobat DC and Acrobat Reader DC 19.021.20049	ARDC19-011	QADC1902120049
GoodSync 10.10.10.10	GOODSYNC-132	QGS10101010
GoToMeeting 10.1.2.15251	GOTOM-074	QGTM1012
Microsoft Power BI Desktop 2.74.5619.841	PBID-070	QBI2745619841
Microsoft Power BI Desktop 2.74.5619.862	PBID-071	QBI2745619862
Nitro Pro 13.2.6.26	NITRO-028	QNITRO132626
Nitro Pro Enterprise 13.2.6.26	NITROE-009	QNITROE132626
Node.JS 10.17.0 (LTS Lower)	NOJSLL-008	QNODEJSLL10170
Node.JS 12.13.0 (LTS Upper)	NOJSLU-012	QNODEJSLU12130
Node.JS 13.0.1 (Current)	NOJSC-027	QNODEJSC1301
Opera 64.0.3417.73	OPERA-234	QOP640341773
Snagit 2020.0.0	SNAG-030	QSNAG2000
Splunk Universal Forwarder 8.0.0	SPLUNKF-042	QSPLUNKF800
TeamViewer 11.3.17789	TVIEW-058	QTVIEW11317789
TeamViewer 12.3.17791	TVIEW-057	QTVIEWH12317791
TeamViewer 13.2.36216	TVIEW-056	QTVIEWH13236216
TeamViewer 14.7.1965	TVIEW-055	QTVIEWH1471965
VMware Tools 11.0.1	VMWT-030	QVMWT1101
Wireshark 2.6.12	WIRES-105	QWIRES2612
Wireshark 3.0.6	WIRES-104	QWIRES306

Patching in Review – Week 42 of 2019

Fri, 18 Oct 2019 17:02:23 Z

Where Patch Tuesday was relatively light, this week was destined to be a heavy one with the scheduled Oracle release, but I don’t think anyone was prepared for 106 new unique CVEs in our patching content so far!

Security Releases

Adobe kicked off the party early on Tuesday with APSB19-49 detailing security updates for Adobe Acrobat and Reader for a total of 68 vulnerabilities. Many of the vulnerabilities listed are classified as “Critical” where successful exploitation could lead to the execution of arbitrary code, most likely through a maliciously crafted document. Interestingly enough, Acrobat and Reader 19 got an out of cycle update two days later, with very few details on the stability fixes, so make sure to get this second patch out.

Oracle came in next with the expected September Critical Patch Update covering a total of 270 vulnerabilities for its extensive product portfolio. Java JRE and JDK updated with a total of 20 CVEs and a rather moderate maximum CVSS score of 6.8. For those that have migrated from Java SE, OpenJDK also released with patches for the same vulnerabilities on, including distributions such as Amazon Corretto. Oracle’s CPU also included VirtualBox with a total of 11 CVEs remediated this quarter.

Third-Party Updates

Other vendors have been hard at work releasing non-security fixes for their products. Review the list below to make sure you’ve included valuable updates for your end users.

Software Title	Ivanti ID	Ivanti KB
Adobe Acrobat DC and Acrobat Reader DC 19.021.20048	ARDC19-010	QADC1902120048
AIMP 4.60.2153	AIMP-017	QAIMP4602153
Apache Tomcat 8.5.47	TOMCAT-145	QTOMCAT8547
Apache Tomcat 9.0.27	TOMCAT-146	QTOMCAT9027
CCleaner 5.63.7540	CCLEAN-085	QCCLEAN5637540
DropBox 83.4.152	DROPBOX-123	QDROPBOX834152
GOM Player 2.3.46.5308	GOM-031	QGOM23465308
GoToMeeting 10.1.1.15160	GOTOM-073	QGTM1011
LibreOffice 6.2.8.2	LIBRE-119	QLIBRE6282
Microsoft Power BI Desktop 2.74.5619.621	PBID-069	QBI2745619621
Node.JS 12.12.0 (Current)	NOJSC-026	QNODEJSC12120
Opera 64.0.3417.61	OPERA-233	QOP640341761
Plex Media Server 1.18.0.1944	PLXS-048	QPLXS11801944

Patching in Review – Week 41 of 2019

Fri, 11 Oct 2019 22:09:46 Z

Happy Cybersecurity Awareness Month, everyone! With yet another unexpected IE release this week, I can’t think of a better way to usher in the month! As we prepare for the upcoming Patch Tuesday, make sure you’re registered for our webinar to get our analysis on high profile vulnerabilities and known issues.

After September’s Patch Tuesday, we’ve been lucky enough to get a slow week. Hopefully in the next coming weeks, we can deploy with piece of mind for a change!

Of course, here are the quick links to stay up to date on any developing known issues:

Patch Tuesday Follow-Up

For those who attended our Patch Tuesday Webinar, it was a relatively quiet month with very few known issues present. The rest of the week has been no different with a relatively quiet patching community.

Unexpectedly, the iTunes and iCloud security patch released on Tuesday has been promoted to a remediate a zero-day vulnerability! Morphisec discovered the vulnerability in Apple Software Update where an unquoted path has been exploited. This attack can go easily undetected as the malicious process will display as a child of the signed Apple executable. Morphisec also noted Apple Software Update is a separate component that needs to be uninstalled separately and many endpoints contained this out-of-date software.

Security Releases

Google finishes out Patch Tuesday week with Chrome 77.0.3865.120 with eight security fixes. Of the vulnerabilities, five have been assigned CVEs with “High” severity. Make sure to get this update rolled into the patching cycle this weekend.

Third-Party Updates

Of course, other vendors have been releasing updates for their respective software. While these updates might not have identified vulnerabilities, they still have helpful stability fixes as well as potential undisclosed security fixes:

Bulletin title	Bulletin ID	KB
Adobe Flash Player 32.0.0.270	AFP32-00270	QAF3200270
Beyond Compare 4.3.0.24364	BEYOND-010	QBC43024364
DropBox 82.4.156	DROPBOX-122	QDROPBOX824156
Firefox 69.0.3	FF19-022	QFF6903
iTunes 12.10.1	AI19-006	QAI12101
Node.JS 8.16.2 (LTS Lower)	NOJSLL-007	QNODEJSLL8162
Notepad++ 7.8	NPPP-094	QNPPP78
Opera 64.0.3417.47	OPERA-231	QOP640341747
Opera 64.0.3417.54	OPERA-232	QOP640341754
Plex Media Server 1.18.0.1913	PLXS-047	QPLXS11801913
Skype 8.53.0.85	SKYPE-168	QSKY853085
Slack Machine-Wide Installer 4.1.1	SMWI-036	QSLACK411
Tableau Prep Builder 2019.3.2	TABPREPB19-006	QTABPREPB201932
Thunderbird 68.1.2	TB19-6812	QTB6812
Visual Studio Code 1.39.0	MSNS19-1010-CODE	QVSCODE1390
Visual Studio Code 1.39.1	MSNS19-1011-CODE	QVSCODE1391

Patching in Review – Week 40 of 2019

Fri, 04 Oct 2019 22:32:48 Z

Internet Explorer Out-of-Band

Following up from the zero-day release last week, Microsoft released an additional Internet Explorer update right before Patch Tuesday with vague origins. In review, on 9/23 Microsoft released a surprise zero-day patch for IE (KB4522007) and Windows 10 to remediate actively exploited CVE-2019-1367. The next day, a series of Quality Preview patches and again, Windows 10 cumulatives were released for all supported OSes that included the CVE (Windows 10 1903 was a few days later).

Third time’s the charm, right? On October 3, Microsoft surprised us all with yet another re-release of the Internet Explorer patches (KB4521435), a final set of Windows 10 cumulatives, and a surprising Monthly Rollup for all legacy OSes. There’s little evidence around the changes here, but it’s suspected that this new set of patches contains further bug fixes that the initial release contained.

Here’s a list of the final KBs in case you’d like to get these out before the Patch Tuesday cycle:

	IE	Cumulative/Rollup
Server 2008	KB4524135
Windows 7 / Server 2008 R2	KB4524135	KB4524157
Server 2012	KB4524135	KB4524156
Windows 8.1 / Server 2012 R2	KB4524135	KB4524154
Windows 10 1507		KB4524153
Windows 10 1607 / Server 2016		KB4524152
Windows 10 1703		KB4524151
Windows 10 1709		KB4524150
Windows 10 1803		KB4524149
Windows 10 1809 / Server 2019		KB4524148
Windows 10 1903		KB4524147

Security Releases

Foxit released version 9.7 this week with 10 CVEs with the most severe CVEs acquiring a CVSS score of 8.7. Most of the vulnerabilities detail Remote Code Execution vulnerabilities that are dependent on opening a specially crafted malicious file that’s most commonly distributed in phishing attacks. Make sure to get this rolled out in your next patching cycle.

Third-Party Updates

While the Microsoft update have defined the week, other vendors have been releasing updates for their respective products. See the list below as these updates can still contain valuable security fixes.

Bulletin title	Bulletin ID	KB
BlueJeans 2.16.324.0	JEANS-024	QBJN2163240
DropBox 82.4.155	DROPBOX-121	QDROPBOX824155
FileZilla Client 3.45.1	FILEZ-093	QFILEZ3451X64
Firefox 69.0.2	FF19-021	QFF6902
GoodSync 10.10.9.5	GOODSYNC-131	QGS101095
Google Backup and Sync 3.46.7175.2662	GSYNC-023	QGBS34671752662
Nitro Pro 13.2.6.26	NITRO-027	QNITRO132326
Nitro Pro Enterprise 13.2.3.26	NITROE-008	QNITROE132326
Node.JS 12.11.1 (Current)	NOJSC-025	QNODEJSC12111
Plex Media Server 1.17.0.1841	PLXS-046	QPLXS11701841
PuTTY 0.73	PUTTY-006	QPUTTY073
Slack Machine-Wide Installer 4.1.0	SMWI-035	QSLACK410
Splunk Universal Forwarder 7.3.2	SPLUNKF-041	QSPLUNKF732
Sublime Text 3 Build 3211	SUBL-006	QSUBL3211
Zoom Client 4.5.5422	ZOOM-029	QZOOM455422
Zoom Outlook Plugin 4.8.5336.0928	ZOOMOUT-012	QZOOMO485336

Patching in Review – Week 38 of 2019

Fri, 20 Sep 2019 19:25:48 Z

In last week’s blog post we covered a litany of issues plaguing September Patch Tuesday’s Windows 10 1903 (KB4515384) patch. It appears more issues are coming out in the week after Patch Tuesday. Bleeping Computer has reported on two additional issues (one that applies to all versions!):

Machines with certain Intel Centrino and Broadcom adapters have been rendered unusable on Windows 10 1903. While Microsoft reports this issue with a workaround, there is no current known resolution.
Systems that use Chinese IME have been experiencing scenarios where the system becomes unresponsive due to high CPU usage. All versions of Windows 10 are affected according to Microsoft so keep an eye out for a fix sooner than later.

Security Releases

Google Chrome released version 77.0.3865.90 this week with a total of four CVEs, including another rare “Critical” vulnerability for the month. CVE-2019-13685 details a use-after-free UI vulnerability where a specially crafted website could lead to code execution outside of the context of the browser.

Third-Party Updates

Software Title	Ivanti ID	Ivanti KB
Box Edit 4.6.0.647	BEDIT-006	QBEDIT460647
Citrix Workspace app 19.9.0.21	CTXWA-003	QCTXWA199021
DropBox 81.4.193	DROPBOX-119	QDROPBOX814193
DropBox 81.4.195	DROPBOX-120	QDROPBOX814195
Firefox 69.0.1	FF19-020	QFF6901
GOM Player 2.3.45.5307	GOM-030	QGOM23455307
GoodSync 10.10.8.8	GOODSYNC-130	QGS101088
Google Drive File Stream 33.0.16.0	GDFS-014	QFS330160
GoToMeeting 8.47.2	GOTOM-071	QGTM8472
LogMeIn 4.1.13002	LMI-020	QLMI4113002
Opera 63.0.3368.94	OPERA-229	QOP630336894
Plex Media Player 2.42.0	PLXP-046	QPLXP2420
Plex Media Server 1.16.6.1592	PLXS-044	QPLXS11661592
Skype 8.52.0.138	SKYPE-167	QSKY8520138
Splunk Universal Forwarder 7.3.1.1	SPLUNKF-040	QSPLUNKF7311
Tableau Desktop 2019.3.0	TABDESK2019-012	QTABDESK201930
Tableau Prep Builder 2019.3.1	TABPREPB19-004	QTABPREPB201931
Tableau Reader 2019.3.0	TABREAD2019-008	QTABREAD201930
Teamviewer 14.6.2452	TVIEW-053	QTVIEW1462452

Patching in Review – Week 37 of 2019

Fri, 13 Sep 2019 22:59:55 Z

Another Patch Tuesday in the books for the year, but not without its surprises. Have a look at the surprisingly long list of quirks and issues that emerged throughout the rest of the week.

Of course, here are the quick links to stay up to date on any developing known issues:

Patch Tuesday Follow-Up

While we try to cover all the currently known issues in the Patch Tuesday Webinar, more issues tend to come out over the remainder of the week. Here’s a list of the interesting quirks and known issues that have been discovered:

It looks like the two “Zero-Day” CVEs that were reported by Microsoft have been updated to report that they’re not exploited. Both CVE-2019-1214 and CVE-2019-1215 have had their pages updated to reflect Microsoft’s change, but few details have been provided outside of this fact.
The Windows 10 1903 update (KB4515384) resolved the 100% CPU issue mentioned in last week’s post, but it appears new issues have taken its place:
- WindowsLatest is reporting audio issues on select machines where audio is no longer functional or is heavily reduced in applications.
- The Reddit sysadmin Patch Tuesday thread is mentioning issues with the Start Menu where an error is thrown when opened. Only rolling back to an earlier update has resolved the issue.
Users of Dell Encryption should be cautious as the Windows 10 1809 (KB4515384) and Windows 10 1903 (KB4515384) updates are running into blue screens displaying BAD SYSTEM CONFIG INFO.
On Patch Tuesday, we noticed issues with the Windows 10 1809 x64 update (KB4512578) where the patch binary would fail to download. In our testing, we found that depending on the file server, the download size would only return around 233MB instead of 262MB and the file would be corrupt. Attempting the download multiple times seems to eventually return the proper file.
KB4493730, the April servicing stack update for Server 2008 is required before the next servicing stack and September updates can be installed.
KB4490628, the March servicing stack for Windows 7 and Server 2008 R2 is required before the next servicing stack and September updates can be installed.

Third-Party Updates

Software Title	Ivanti ID	Ivanti KB
Apple Mobile Device Support 13.0.0.38	AMDS-026	QAMDS130038
CoreFTP LE 2.2.1941	COREFTP-040	QCFTP221941
iTunes 12.10	AI19-005	QAI1210
Microsoft Power BI Desktop 2.73.5586.661	PBID-064	QBI2735586661
Opera 63.0.3368.88	OPERA-228	QOP630336888
PDF-Xchange PRO 8.0.333.0	PDFX-033	QPDFX803330
Plex Media Player 2.41.0	PLXP-045	QPLXP2410
Thunderbird 68.1.0	TB19-6810	QTB6810
Visual Studio 2019 version 16.2.4	MSNS19-09-VS2019	QVS20191624
Visual Studio Code 1.38.1	MSNS19-0912-CODE	QVSCODE1381
Wireshark 2.6.11	WIRES-101	QWIRES2611
Wireshark 3.0.4	WIRES-102	QWIRES304
Zoom Client 4.5.3372	ZOOM-028	QZOOM453372

Patching in Review – Week 36 of 2019

Fri, 06 Sep 2019 17:01:56 Z

Is Patch Tuesday coming up so soon? It feels like we just had one! Make sure to register for our Patch Tuesday webinar if you haven’t already to get a detailed summary of Microsoft’s releases next week.

Microsoft finally released the mid-month non-security update for Windows 10 1903 under KB4512941. This patch came surprisingly late considering the high-profile bug around Visual Basic applications. The list of fixes is impressive, but it looks like a much more annoying bug is included. According to BornCity, a couple of issues around Search and RDP are causing high CPU usage, which has now been confirmed by Microsoft. Unfortunately, Microsoft’s expected ETA on a resolution is “mid-September” so there’s a high probability this bug will be present in September’s Patch Tuesday release.

Security Releases

Mozilla released a new major version of its Firefox browser this week with a total of 20 CVEs in the main release branch. CVE-2019-11751 stands out from the pack in this release where an exploit was found in the command line parameters. In the description, a user could click a malicious link that would launch Firefox and write a log file to an arbitrary location such as “Startup” for later execution. Aside from the CVEs, Firefox 69 contains two great new features, blocking third-party tracking cookies and cryptominers. It’s also worth noting that this is the end of Firefox ESR 60, so expect an upgrade to 68 in the next Firefox release! See the grid of CVEs and color-coded severities below for further details:

Firefox 69.0	Firefox ESR 68.1	Firefox ESR 60.9
CVE-2019-11751	CVE-2019-11751
CVE-2019-11746	CVE-2019-11746	CVE-2019-11746
CVE-2019-11744	CVE-2019-11744	CVE-2019-11744
CVE-2019-11742	CVE-2019-11742	CVE-2019-11742
CVE-2019-11736	CVE-2019-11736
CVE-2019-11753	CVE-2019-11753	CVE-2019-11753
CVE-2019-11752	CVE-2019-11752	CVE-2019-11752
CVE-2019-9812	CVE-2019-9812	CVE-2019-9812
CVE-2019-11743	CVE-2019-11743	CVE-2019-11743
CVE-2019-11748	CVE-2019-11748
CVE-2019-11749	CVE-2019-11749
CVE-2019-5849
CVE-2019-11750	CVE-2019-11750
CVE-2019-11737
CVE-2019-11738	CVE-2019-11738
CVE-2019-11747	CVE-2019-11747
CVE-2019-11734
CVE-2019-11735	CVE-2019-11735
CVE-2019-11740	CVE-2019-11740	CVE-2019-11740
CVE-2019-11741

Third-Party Updates

As always, our other supported third-party vendors have been releasing non-security updates for their respective products. While these updates might not have CVEs, they may also contain valuable stability updates for your end users:

Software Title	Ivanti ID	Ivanti KB
CoreFTP LE 2.2.1939	COREFTP-039	QCFTP221939
GoToMeeting 8.47.1	GOTOM-070	QGTM8471
LibreOffice 6.2.7.1	LIBRE-116	QLIBRE6271
LibreOffice 6.3.1.2	LIBRE-117	QLIBRE6312
Node.JS 12.10.0 (Current)	NOJSC-023	QNODEJSC12100
Opera 63.0.3368.71	OPERA-227	QOP630336871
PeaZip 6.9.2	PZIP-019	QPZIP692
RealTimes RealPlayer 18.1.18.202	RP18-019	QRP18118202
VirtualBox 6.0.12	OVB-026	QOVB6012
Visual Studio Code 1.38.0	MSNS19-0905-CODE	QVSCODE1380
XnView 2.49	XNVW-009	QXNVW249

Patching in Review – Week 35 of 2019

Thu, 29 Aug 2019 16:46:51 Z

As we approach Labor Day weekend, vendors have been busy releasing numerous updates, with Google Chrome getting a final security release for the month.

This week Microsoft finally removed the WSUS hold for KB4512506/KB4512486. In review, the highest-profile bug from August’s Patch Tuesday originated from the SHA-2 migration for Windows 7 and Server 2008 R2 and its compatibility with Symantec Endpoint Protection. The issue stemmed from a fear that the software may not correctly identify system files being patched and might leave the machine in an incomplete state, which could affect stability. Woody on Windows via ComputerWorld wrote an article detailing the aftermath with a great point: “The block is gone, but questions remain. Nothing has changed, so why was it blocked in the first place?”

Security Releases

Google Chrome released version 76.0.3809.132 with a total of three security fixes reported by the vendor and a single CVE. Although CVE-2019-5869 was classified as a “High” severity, CIS released an advisory recommending expedited remediation. The vulnerability covers a scenario where an attacker could execute arbitrary code though a maliciously crafted website to perform numerous functions in the context of the user rights.

Third-Party Updates

Outside of the critical release above, this week has not been boring with considerable non-security releases for the week. It’s worth remembering that these updates may contain undisclosed security remediations as well as helpful stability fixes.

Software Title	Ivanti ID	Ivanti KB
AIMP 4.60.0.2146	AIMP-016	QAIMP4602146
Camtasia 2019.0.7	CAMTA-022	QCAMTASIA1907
Citrix Receiver 4.9.8000, LTSR Cumulative Update 8	CTXR-020	QCTXR498000
GoodSync 10.10.7.7	GOODSYNC-129	QGS101077
GoToMeeting 8.46.1	GOTOM-069	QGTM8461
Malwarebytes 3.8.3.2965	MBAM-014	QMBAM3832965
Node.JS 12.9.1 (Current)	NOJSC-022	QNODEJSC1291
Opera 63.0.3368.53	OPERA-226	QOP630336853
PDF-Xchange PRO 8.0.332.0	PDFX-032	QPDFX803320
PeaZip 6.9.1	PZIP-018	QPZIP691
Plex Media Server 1.16.5.1554	PLXS-043	QPLXS11651554
Skype 8.51.0.92	SKYPE-166	QSKY851092
Tableau Desktop 2018.1.16	TABDESK2018-019	QTABDESK2018116
Tableau Desktop 2018.2.13	TABDESK2018-020	QTABDESK2018213
Tableau Desktop 2018.3.10	TABDESK2018-021	QTABDESK2018310
Tableau Desktop 2019.1.7	TABDESK2019-010	QTABDESK201917
Tableau Desktop 2019.2.3	TABDESK2019-011	QTABDESK201923
Tableau Reader 2019.2.3	TABREAD2019-007	QTABREAD201923
TeamViewer 14.5.5819	TVIEW-052	QTVIEW1455819
Thunderbird 68.0	TB19-6800	QTB6800
Zoom Client 4.5.3261	ZOOM-027	QZOOM453261

Patching in Review – Week 34 of 2019

Thu, 22 Aug 2019 20:19:08 Z

Microsoft as well as other 3^rd party vendors have not slowed their cadence the week after Patch Tuesday. With a high profile stability fix for Windows alongside multiple software titles getting new security releases, there’s plenty to cover.

Security Releases

VLC released version 3.0.8 this week with 13 new CVEs. According to VLC’s security bulletin, the assorted vulnerabilities could be exploited through a malicious file or website. The two highest profile vulnerabilities are CVE-2019-13602 and CVE-2019-13962 with a very controversial severity. NIST considers these CVEs at a High (8.8) and Critical (9.8) severity while VLC disputes the claim, saying that the metrics point to a more benign base score of 4.3. Regardless of perceived impact, be sure to get this software update out in your next patching cycle.

Node.JS also released a series of security updates for their supported versions with 8 CVEs that were discovered by Netflix. All CVEs detail flaws in the implementation of HTTP/2 where an attacker can execute a denial of service against the target. In line with Netflix’s security bulletin, Microsoft has already remediated these vulnerabilities, but keep an eye out for other vendors in the future to cover these CVEs.

Microsoft Non-Securities

On an earlier than normal cadence, Microsoft released non-security updates for all supported platforms as early as last Saturday. These emergency updates resolve the widespread Visual Basic errors caused by August’s Patch Tuesday release. It appears that this issue is widespread enough that Microsoft also released a one-off standalone fix for those that implement the security-only bundle as opposed to the rollup. If you have been holding off for this release, this will give you the opportunity to patch the high-profile wormable vulnerabilities announced last week. See the table below to reference the needed patches for your environment:

	Standalone	Rollup/Cumulative
Server 2008	KB4517301	KB4512499
Windows 7/Server 2008 R2	KB4517297	KB4512514
Server 2012	KB4517302	KB4512512
Windows 8.1/Server 2012 R2	KB4517298	KB4512478
Windows 10 LTSB 2015		KB4517276
Windows 10 LTSB 2016/Server 2016		KB4512495
Windows 10 1703		KB4512474
Windows 10 1709		KB4512494
Windows 10 1803		KB4512509
Windows 10 1809/Server 2019		KB4512534

Third-Party Updates

Software Title	Ivanti ID	Ivanti KB
AIMP 4.60.0.2144	AIMP-015	QAIMP4602144
Apache Tomcat 8.5.45	TOMCAT-142	QTOMCAT8545
Apache Tomcat 9.0.24	TOMCAT-141	QTOMCAT9024
BlueJeans 2.15.279.0	JEANS-023	QBJN2152790
CCleaner 5.61.7392	CCLEAN-083	QCCLEAN5617392
CoreFTP LE 2.2.1935	COREFTP-038	QCFTP221935
GoodSync 10.10.6.6	GOODSYNC-128	QGS101066
GoTo Opener 1.0.527	GOTOO-003	QGTO10527
Microsoft Power BI Desktop 2.72.5556.801	PBID-063	QBI2725556801
Node.JS 12.9.0 (Current)	NOJSC-021	QNODEJSC1290
Opera 63.0.3368.35	OPERA-224	QOP630336835
Opera 63.0.3368.43	OPERA-225	QOP630336843
PeaZip 6.9.0	PZIP-017	QPZIP690
Plex Media Player 2.40.0	PLXP-044	QPLXP2400
Plex Media Server 1.16.5.1488	PLXS-042	QPLXS11651488
Skype 8.51.0.86	SKYPE-165	QSKY851086
Slack Machine-Wide Installer 4.0.2	SMWI-034	QSLACK402
TeamViewer 14.5.1691	TVIEW-051	QTVIEW1451691
Visual Studio Code 1.37.1	MSNS19-0815-CODE	QVSCODE1371
Zoom Outlook Plugin 4.8.2721.0811	ZOOMOUT-011	QZOOMO482721