Patching in Review – Week 12 of 2019
While another Patch Tuesday has come and gone, third-party vendors continue to drop security updates this week with our favorite SSH client releasing a substantial list of security fixes.
Microsoft released a new patch for Windows 7 this week containing notifications suggesting users upgrade to Windows 10. KB4493132 installs the support notification binaries, which will become active on April 18th with a pop-up including links to Windows 10 upgrade support. BleepingComputer covers this patch in a fantastic article with details on how these binaries work and how their behavior can be configured further. This patch will not be included in the WSUS catalog, but any endpoint using Windows Update will receive the notifications if the KB has not been blocked.
Security Releases
For the first time in 20 months, the popular SSH client PuTTY receives a pile of security fixes. Version 0.71 contains a total of eight vulnerability fixes, currently categorized under five CVEs. One of the most notable is CVE-2019-9894, which describes an integer overflow that can occur during RSA key enforcement. A man-in-the-middle attacker can supply a key short enough to trigger the overflow, causing a connection to be incorrectly treated as trusted. Because PuTTY code is widely embedded in other tools, this particular vulnerability is also present in FileZilla and WinSCP, so make sure to roll out these patches as soon as possible.
Mozilla released Firefox 66 this week with features to reduce the common annoyances of websites. One of the most notable and appreciated is that auto-playing content is now blocked by default! Aside from these features, a total of 21 CVEs are remediated in this release, five of them rated Critical. A subset of these vulnerabilities is also remediated in Firefox ESR 60.6, with four of the Critical CVEs shared between the branches.
Third-Party Updates
Of course, other vendors have been releasing updates for their respective software. While these updates might not have identified vulnerabilities, they still have helpful stability fixes as well as potential undisclosed security fixes:
Software Title | Ivanti ID | Ivanti KB
--- | --- | ---
Apache Tomcat 8.5.39 | TOMCAT-130 | QTOMCAT8539
Apache Tomcat 9.0.17 | TOMCAT-129 | QTOMCAT9017
Blue Jeans 2.11.593.0 | JEANS-015 | QBJN2115930
Citrix Receiver 4.9.6000, LTSR Cumulative Update 6 | CTXR-017 | QCTXR496000
GOM Player 2.3.39.5301 | GOM-024 | QGOM23395301
Google Chrome 73.0.3683.86 | CHROME-248 | QGC730368386
GoToMeeting 8.40.1 | GOTOM-060 | QGTM8401
Microsoft Power BI Desktop 2.67.5404.801 | PBID-052 | QBI2675404801
Node.JS 11.12.0 (Current) | NOJSC-012 | QNODEJSC11120
Opera 58.0.3135.117 | OPERA-205 | QOP5803135117
Plex Media Server 1.15.2.793 | PLXS-032 | QPLXS1152793
Splunk Universal Forwarder 7.2.5 | SPLUNKF-035 | QSPLUNKF725
TeamViewer 14.2.2558 | TVIEW-045 | QTVIEW1422558
Thunderbird 60.6.0 | TB19-6060 | QTB6060