Patching in Review – Week 18 of 2019
For those who attended Interchange 2019 in Nashville this year, it was a pleasure talking with all of you about the wonderful world of patching! The constant flow of new vulnerabilities and updates, however, did not cease during the conference, so here we go again!
This week a team of security researchers released a report in which they attempted to forge email signatures across various email clients on common desktop and mobile platforms. BleepingComputer summarizes the report well: the researchers attempted 14 attack variants, ranging from spoofing the signature to generating UI elements that mimic the email client’s validation dialogues. Of the 22 email clients, 14 were vulnerable to a partial or perfect forgery in which the end user would be misled about the authenticity of the sent email. While this report did not implement any level of social engineering, these vulnerabilities could be leveraged in a successful phishing attack, so be sure to keep an eye out in future updates for the 11 CVEs detailed in the report.
Security Releases
For the second time between Patch Tuesdays, Google released an update to its browser with additional security fixes. Chrome 74.0.3729.131 remediates 4 additional vulnerabilities, 3 of which earned a High severity rating. The most notable, CVE-2019-5825, is a vulnerability in the V8 engine that had been fixed in one of the engine’s releases but had yet to be integrated into the latest Chrome release. Consequently, the security researcher associated with this vulnerability disclosed a proof of concept before April’s Patch Tuesday, which we covered in the corresponding blog post. This example is a great reminder that a vulnerability in a software’s libraries can be shared by the parent program, depending on its implementation.
Third-Party Updates
Alongside Chrome, many of our other products released non-security updates for the week. These releases might not detail any vulnerabilities, but they may still contain valuable stability fixes for your end users:
| Software Title | Ivanti ID | Ivanti KB |
| Box Edit 4.5.3.571 | BEDIT-003 | QBEDIT453571 |
| Camtasia 2019.0.0 | CAMTA-013 | QCAMTASIA1900 |
| Google Chrome 74.0.3729.131 | CHROME-251 | QGC7403729131 |
| Evernote 6.17.7.8474 | ENOT-017 | QENOT61778474 |
| GoToMeeting 8.43.1 | GOTOM-063 | QGTM8431 |
| KeePass Pro 2.42 | KEEP-031 | QKPP242 |
| Node.JS 11.15.0 (Current) | NOJSC-015 | QNODEJSC11150 |
| Opera 60.0.3255.70 | OPERA-211 | QOP600325570 |
| Plex Media Player 2.33.0 | PLXP-036 | QPLXP2331979 |
| R for Windows 3.6.0 | R-004 | QR360 |
| RealTimes RealPlayer 18.1.16.216 | RP18-017 | QRP18116216 |
| Skype 8.44.0.40 | SKYPE-157 | QSKY844040 |
| Tableau Prep 2018.3.3 | TABPREP2018-001 | QTABPREP201833 |
| Tableau Prep Builder 2019.1.4 | TABPREPB19-001 | QTABPREPB1914 |
| WinRAR 5.71 | WRAR-018 | QWRAR571 |