It’s hard to believe it has only been one week since Patch Tuesday, in the wake of the numerous conflicts found with specific antivirus titles that we detailed in last week’s post.

Right after Patch Tuesday, a new vulnerability was disclosed that lets an attacker gain file read permissions and exfiltrate data from a system. According to TechRadar, security researcher John Page published the details on April 10th after the vulnerability wasn’t remediated in this month’s release. Microsoft has already responded to this public disclosure, saying that a fix will be considered in the near future.

It looks like the time has come for the next release of Windows 10, which is now available on MSDN. According to ZDNet, this version has been released to the developer network ahead of VLSC, this time to expand testing and prevent the myriad issues that were found in the 1809 release. WindowsCentral has a great summary of all the new features within this release, including the new Windows Sandbox for securely opening suspicious applications within an isolated environment.

Security Releases

Oracle released its April Critical Patch Update Advisory this week that covers a total of 297 vulnerabilities!

  • Once again, Java’s list of CVEs is relatively short, with only five vulnerabilities remediated, but the severity is much higher, with a maximum CVSS score of 9.0. CVE-2019-2699 details a vulnerability related to the Windows DLL component where an attacker can use Java Web applications to exploit an endpoint. This is the first Java SE release that adheres to the new License Agreement for commercial use, so be sure to verify your compliance.
  • VirtualBox 6.0.6 remediates 12 CVEs this quarter, with seven of the vulnerabilities receiving a CVSS score of 8.8. The two exploits discovered during day 1 of Pwn2Own 2019, where the Fluoroacetate team successfully escaped the virtual client to control the host, were assigned CVE-2019-2722 and CVE-2019-2723.

Apache Tomcat also released updates for its three supported branches to remediate a vulnerability discovered through EU-FOSSA. Tomcat 9.0.18, 8.5.40, and 7.0.93 remediate CVE-2019-0232, where an attacker may execute unexpected commands directly on the operating system through the product’s required Java Runtime.

Third-Party Updates

While this week is filled with a new Windows 10 release and numerous security releases, other vendors were also supplying non-security patches for their products. Make note of the list below as you continue to roll out patches cautiously from last week:

| Software Title | Ivanti ID | Ivanti KB |
|---|---|---|
| Adobe Acrobat DC 15.006.30495 | ARDC19-003 | QADC1500630495 |
| Adobe Acrobat DC 17.011.30140 | ARDC19-002 | QADC1701130140 |
| Adobe Acrobat DC Continuous 19.010.20100 | ARDC19-001 | QADC1901020100 |
| Azure Information Protection Client 1.48.204.0 | AIPC-008 | QAIP1482040 |
| GOM Player 2.3.40.5302 | GOM-025 | QGOM23405302 |
| Google Drive File Stream 30.1.36.2348 | GDFS-012 | QGS301362348 |
| GoToMeeting 8.42.0 | GOTOM-062 | QGTM8420 |
| Mouse and Keyboard Center 11.1 | MMKC-004 | QMKC1110 |
| Node.JS 11.14.0 (Current) | NOJSC-014 | QNODEJSC11140 |
| Node.JS 8.16.0 (LTS Lower) | NOJSLL-005 | QNODEJSLL8160 |
| Opera 60.0.3255.56 | OPERA-209 | QOP600325556 |
| PeaZip 6.7.2 | PZIP-014 | QPZIP672 |
| Plex Media Player 2.32.0 | PLXP-035 | QPLXP2320973 |
| Skype 8.43.0.56 | SKYPE-156 | QSKY843056 |
| Splunk Universal Forwarder 7.2.6 | SPLUNKF-037 | QSPLUNKF7260 |
| TeamViewer 14.2.8352 | TVIEW-046 | QTVIEW14283520 |
| TortoiseHG 4.9.1 | TOHG-021 | QTOHG491 |
| Visual Studio Code 1.33.1 | MSNS19-0412-CODE | QVSCODE1331 |
| Zoom Client 4.4.52570 | ZOOM-021 | QZOOM44525700415 |
| Zoom Outlook Plugin 4.7.52180.0404 | ZOOMOUT-008 | QZOOMO4752180 |
