For those who attended Interchange 2019 in Nashville this year, it was a pleasure talking with all of you about the wonderful world of patching! The constant flow of new vulnerabilities and updates, however, did not cease during the conference, so here we go again!

This week a team of security researchers released a report in which they attempted to forge email signatures in various email clients on common desktop and mobile platforms. BleepingComputer summarizes the report well: the researchers attempted 14 attack variants, ranging from spoofing the signature to generating UI elements that mimic the email client’s validation dialogues. Of the 22 email clients, 14 were vulnerable to a partial or perfect forgery where the end user would be misled about the authenticity of the sent email. While this report did not implement any level of social engineering, these vulnerabilities could be leveraged in a successful phishing attack, so be sure to keep an eye out for the 11 CVEs detailed in the report in future updates.

Security Releases

For the second time between Patch Tuesdays, Google released an update to their browser with additional security fixes. Chrome 74.0.3729.131 remediates 4 additional vulnerabilities, with 3 of them rated High severity. The most notable, CVE-2019-5825, is a vulnerability in the V8 engine which had been fixed in one of the engine’s releases but had yet to be integrated into the latest Chrome release. Consequently, the security researcher associated with this vulnerability disclosed a proof of concept before April’s Patch Tuesday, which we covered in that respective blog. This example is a great reminder that vulnerabilities within a software’s libraries can be shared by the parent program depending on its implementation.

Third-Party Updates

Alongside Chrome, many of our other products released non-security updates for the week. These releases might not detail any vulnerabilities, but they may still contain valuable stability fixes for your end users:

| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Box Edit 4.5.3.571 | BEDIT-003 | QBEDIT453571 |
| Camtasia 2019.0.0 | CAMTA-013 | QCAMTASIA1900 |
| Google Chrome 74.0.3729.131 | CHROME-251 | QGC7403729131 |
| Evernote 6.17.7.8474 | ENOT-017 | QENOT61778474 |
| GoToMeeting 8.43.1 | GOTOM-063 | QGTM8431 |
| KeePass Pro 2.42 | KEEP-031 | QKPP242 |
| Node.JS 11.15.0 (Current) | NOJSC-015 | QNODEJSC11150 |
| Opera 60.0.3255.70 | OPERA-211 | QOP600325570 |
| Plex Media Player 2.33.0 | PLXP-036 | QPLXP2331979 |
| R for Windows 3.6.0 | R-004 | QR360 |
| RealTimes RealPlayer 18.1.16.216 | RP18-017 | QRP18116216 |
| Skype 8.44.0.40 | SKYPE-157 | QSKY844040 |
| Tableau Prep 2018.3.3 | TABPREP2018-001 | QTABPREP201833 |
| Tableau Prep Builder 2019.1.4 | TABPREPB19-001 | QTABPREPB1914 |
| WinRAR 5.71 | WRAR-018 | QWRAR571 |