Speculative execution is back in the spotlight with old fixes and new vulnerabilities as well as a Google Chrome zero-day. Don’t forget that Patch Tuesday is next week where we have our Patch Tuesday analysis webinar!

Intel is victim to yet another speculative execution vulnerability. According to The Register, this architectural flaw, labeled “SPOILER”, allows a local attacker to read data from the memory buffer. This data can include any information, such as passwords, keys, or other critical data. This vulnerability is not related to the Spectre or Meltdown vulnerabilities and is not addressed by any current mitigations. In fact, the research paper states that a complete software mitigation may not be possible, with complete architecture modifications being the only solution. This flaw is unique to Intel processors; those systems with AMD or arm processors are not affected.

Security Releases

Google released a fix for a zero-day vulnerability present in its Chrome browser last Friday that is being actively exploited in the wild. Google Chrome 72.0.3626.121 remediates CVE-2019-5786, a use-after-free vulnerability in the FileReader component of the software where an attacker can escape Chrome’s sandbox and run commands on the underlying OS. Given how ubiquitous this browser is on endpoints and the severity of the vulnerability, updating your endpoints should be done far sooner than later.

Retpoline

When Spectre and Meltdown were first disclosed, performance issues were one of the main concerns around current fixes, with impacts of almost 20% depending on workload. During this time, Google had been working on a fix called “Retpoline” that remediates these vulnerabilities while preserving performance. In response to this fix, Microsoft announced that the newest release of Windows 10 would include Retpoline, reducing the performance impact to a negligible level.

Fortunately, Windows 10 19H1 will not be the only recipient of these fixes as Microsoft has released the first Windows 10 patch, back porting Retpoline to 1809 and Server 2019. KB4482887 contains this new remediation with further details on Microsoft’s related blog post where additional configuration will be needed initially to enable this feature.

Third-Party Updates

While Chrome was the only major third-party vulnerability for the week, other vendors released updates for their respective software. See the titles below as these might contain valuable stability features as well as undisclosed vulnerability fixes.

Software Title

Ivanti ID

Ivanti KB

Blue Jeans 2.11.249.0

JEANS-014

QBJN2112490

CCleaner 5.54.7088

CCLEAN-076

QCCLEAN5547088

FileZilla Client 3.41.0

FILEZ-085

QFILEZ3410X64

FileZilla Client 3.41.1

FILEZ-086

QFILEZ3411X64

GoodSync 10.9.26

GOODSYNC-112

QGS109263

GoToMeeting 8.39.4

GOTOM-058

QGTM8394

LibreOffice 6.2.1

LIBRE-108

QLIBRE6212

Node.JS 10.15.3 (LTS Upper)

NOJSLU-007

QNODEJSLU10153

Node.JS 11.11.0 (Current)

NOJSC-011

QNODEJSC11110

Notepad++ 7.6.4

NPPP-089

QNPPP764

Opera 58.0.3135.90

OPERA-203

QOP580313590

Thunderbird 60.5.3

TB19-6053

QTB6053

TortoiseGit 2.8.0

TGIT-007

QTGIT280

XnView 2.48

XNVW-008

QXNVW248