Patching in Review – Week 10 of 2019
Speculative execution is back in the spotlight with old fixes and new vulnerabilities as well as a Google Chrome zero-day. Don’t forget that Patch Tuesday is next week where we have our Patch Tuesday analysis webinar!
Intel is victim to yet another speculative execution vulnerability. According to The Register, this architectural flaw, labeled “SPOILER”, allows a local attacker to read data from the memory buffer. This data can include any information, such as passwords, keys, or other critical data. This vulnerability is not related to the Spectre or Meltdown vulnerabilities and is not addressed by any current mitigations. In fact, the research paper states that a complete software mitigation may not be possible, with complete architecture modifications being the only solution. This flaw is unique to Intel processors; those systems with AMD or arm processors are not affected.
Security Releases
Google released a fix for a zero-day vulnerability present in its Chrome browser last Friday that is being actively exploited in the wild. Google Chrome 72.0.3626.121 remediates CVE-2019-5786, a use-after-free vulnerability in the FileReader component of the software where an attacker can escape Chrome’s sandbox and run commands on the underlying OS. Given how ubiquitous this browser is on endpoints and the severity of the vulnerability, updating your endpoints should be done far sooner than later.
Retpoline
When Spectre and Meltdown were first disclosed, performance issues were one of the main concerns around current fixes, with impacts of almost 20% depending on workload. During this time, Google had been working on a fix called “Retpoline” that remediates these vulnerabilities while preserving performance. In response to this fix, Microsoft announced that the newest release of Windows 10 would include Retpoline, reducing the performance impact to a negligible level.
Fortunately, Windows 10 19H1 will not be the only recipient of these fixes as Microsoft has released the first Windows 10 patch, back porting Retpoline to 1809 and Server 2019. KB4482887 contains this new remediation with further details on Microsoft’s related blog post where additional configuration will be needed initially to enable this feature.
Third-Party Updates
While Chrome was the only major third-party vulnerability for the week, other vendors released updates for their respective software. See the titles below as these might contain valuable stability features as well as undisclosed vulnerability fixes.
Software Title |
Ivanti ID |
Ivanti KB |
Blue Jeans 2.11.249.0 |
JEANS-014 |
QBJN2112490 |
CCleaner 5.54.7088 |
CCLEAN-076 |
QCCLEAN5547088 |
FileZilla Client 3.41.0 |
FILEZ-085 |
QFILEZ3410X64 |
FileZilla Client 3.41.1 |
FILEZ-086 |
QFILEZ3411X64 |
GoodSync 10.9.26 |
GOODSYNC-112 |
QGS109263 |
GoToMeeting 8.39.4 |
GOTOM-058 |
QGTM8394 |
LibreOffice 6.2.1 |
LIBRE-108 |
QLIBRE6212 |
Node.JS 10.15.3 (LTS Upper) |
NOJSLU-007 |
QNODEJSLU10153 |
Node.JS 11.11.0 (Current) |
NOJSC-011 |
QNODEJSC11110 |
Notepad++ 7.6.4 |
NPPP-089 |
QNPPP764 |
Opera 58.0.3135.90 |
OPERA-203 |
QOP580313590 |
Thunderbird 60.5.3 |
TB19-6053 |
QTB6053 |
TortoiseGit 2.8.0 |
TGIT-007 |
QTGIT280 |
XnView 2.48 |
XNVW-008 |
QXNVW248 |