While another Patch Tuesday has come and gone, third-party vendors continue to drop security updates this week with our favorite SSH client releasing a substantial list of security fixes.

Microsoft released a new patch for Windows 7 this week containing notifications suggesting users upgrade to Windows 10. KB4493132 installs the support notification binaries, which will become active on April 18th with a pop-up including links to Windows 10 upgrade support. BleepingComputer covers this patch in a fantastic article with details on how these binaries work and how their behavior can be configured further. This patch will not be included in the WSUS catalog, but any endpoint using Windows Update will receive the notifications if the KB has not been blocked.

Security Releases

For the first time in 20 months, the popular SSH client PuTTY receives a pile of security fixes. Version 0.71 contains a total of eight vulnerability fixes, currently categorized under five CVEs. One of the most notable vulnerabilities is CVE-2019-9894, which describes an integer overflow that can occur during RSA key enforcement. An attacker can perform a man-in-the-middle attack, providing a key short enough to force the overflow and incorrectly set up a trusted connection. Given the ubiquity of PuTTY, this particular vulnerability is also present in FileZilla and WinSCP, so make sure to roll out these patches as soon as possible.

Mozilla released Firefox 66 this week with features to reduce the common annoyances of websites. One of the most notable and appreciated features is the blocking of autoplaying content by default! Aside from these features, a total of 21 CVEs are remediated in this release, five of them Critical. A subset of these vulnerabilities is also remediated in Firefox ESR 60.6, with four of the Critical CVEs shared between the branches.

Third-Party Updates

Of course, other vendors have been releasing updates for their respective software. While these updates might not have identified vulnerabilities, they still have helpful stability fixes as well as potential undisclosed security fixes:

| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Apache Tomcat 8.5.39 | TOMCAT-130 | QTOMCAT8539 |
| Apache Tomcat 9.0.17 | TOMCAT-129 | QTOMCAT9017 |
| Blue Jeans 2.11.593.0 | JEANS-015 | QBJN2115930 |
| Citrix Receiver 4.9.6000, LTSR Cumulative Update 6 | CTXR-017 | QCTXR496000 |
| GOM Player 2.3.39.5301 | GOM-024 | QGOM23395301 |
| Google Chrome 73.0.3683.86 | CHROME-248 | QGC730368386 |
| GoToMeeting 8.40.1 | GOTOM-060 | QGTM8401 |
| Microsoft Power BI Desktop 2.67.5404.801 | PBID-052 | QBI2675404801 |
| Node.JS 11.12.0 (Current) | NOJSC-012 | QNODEJSC11120 |
| Opera 58.0.3135.117 | OPERA-205 | QOP5803135117 |
| Plex Media Server 1.15.2.793 | PLXS-032 | QPLXS1152793 |
| Splunk Universal Forwarder 7.2.5 | SPLUNKF-035 | QSPLUNKF725 |
| TeamViewer 14.2.2558 | TVIEW-045 | QTVIEW1422558 |
| Thunderbird 60.6.0 | TB19-6060 | QTB6060 |
