As we find ourselves in between Patch Tuesdays, our third-party vendors have kept this week interesting, with both Mozilla and Apple releasing critical security updates to their respective software.

The highlight in security news this week is a supply-chain attack on ASUS’s updater software. Dubbed Operation ShadowHammer, a currently unidentified group of hackers exploited the “ASUS Live Update” software and distributed their malicious code through ASUS’s content delivery network. The malicious installers avoided detection for so long because they were digitally signed using legitimate ASUS certificates. Shortly after the public announcement, ASUS confirmed that the malicious binary has been replaced with version 3.6.8, which includes additional security mechanisms to prevent further exploits.

Security Releases

Firefox released updates for Firefox, Firefox ESR, and Thunderbird for the second time within a week, with an additional two Critical CVEs. Each CVE was discovered during day two of Pwn2Own 2019, where researchers were able to execute code at the SYSTEM level through a specially crafted website. A proof of concept has already been published for CVE-2019-9810, so the patching urgency around these releases is much higher than for a more routine release.

Apple had its own “Patch Tuesday” this week with a series of high-profile security fixes for macOS and iOS. Alongside these updates, iCloud 7.11 and iTunes 12.9.4 were released, remediating a total of 21 unique CVEs between the two products. Most of these vulnerabilities are in Apple’s WebKit browser engine, where an attacker could execute arbitrary code, circumvent the software’s sandbox, or read sensitive system data.

Third-Party Updates

In addition to the security updates for the week, numerous non-security updates were also released from our other supported vendors. Be sure to review the list below to include these updates in your next patching cycle:

| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Adobe Shockwave 12.3.5.205 | SW12-35205 | QSW1235205 |
| Apple Mobile Device Support 12.2.0.15 | AMDS-024 | QAMDS122015 |
| Bandicut 3.1.5.508 | BANDICUT-011 | QBCUT315508 |
| Bandicut 3.1.5.509 | BANDICUT-012 | QBCUT315509 |
| CDBurnerXP 4.5.8.7042 | CDBXP-048 | QCDBXP4587042 |
| CoreFTP LE 2.2.1931 | COREFTP-036 | QCFTP221931 |
| DropBox 69.4.102 | DROPBOX-105 | QDROPBOX694102 |
| GoodSync 10.9.28 | GOODSYNC-113 | QGS109288 |
| Google Earth Pro 7.3.2.5776 | GEP19-001 | QGEP7325776 |
| LibreOffice 6.2.2 | LIBRE-109 | QLIBRE6222 |
| LogMeIn 4.1.12382 | LMI-016 | QLMI4112382 |
| Nitro Pro 12.11.0.509 | NITRO-023 | QNITRO12110509 |
| Nitro Pro Enterprise 12.11.0.509 | NITROE-004 | QNITROE12110509 |
| Opera 58.0.3135.118 | OPERA-206 | QOP5803135118 |
| Plex Media Player 2.30.0 | PLXP-032 | QPLXP2300965 |
| Plex Media Player 2.30.1 | PLXP-033 | QPLXP2301966 |
| RealVNC Connect 6.4.1 | RVNC-028 | QRVNC641 |
| Skype 8.42.0.60 | SKYPE-155 | QSKY842060 |
| WinSCP 5.15.0 | WINSCP-026 | QWINSCP5150 |