Patching in Review – Week 20 of 2019
With the variety of stability issues present in April’s Patch Tuesday, we were hoping for a slow month, but that couldn’t be further from the truth! If you didn’t have the opportunity to see our Patch Tuesday webinar, please watch our recording to get all the important details.
As always, here are the quick links to stay up to date on any developing known issues:
- Windows 10 / Server 2019 / Server 2016
- Windows 8.1 / Server 2012 R2
- Server 2012
- Windows 7 / Server 2008 R2
- Server 2008
Patch Tuesday Follow-Up
While this has been one of the more substantial Patch Tuesdays in the variety of disclosures, the list of known issues has not expanded like the month before.
While the Remote Desktop Services vulnerability (CVE-2019-0708) is one of the most urgent cases since WannaCry, Microsoft and Intel also released a disclosure on another set of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS). The four vulnerabilities detailed in the advisory (ADV190013) cover different attack vectors for reading information from the processor’s level 1 data cache, where application and operating system data can be leaked to external parties. Security researchers have created a dedicated site, bringing together all of the discovered attacks with links to additional research papers and sites.
As with Spectre and Meltdown, complete remediation is not achieved by a single patch; multiple steps are necessary.
- Operating System Update – Microsoft has provided updates for all supported operating systems, as detailed in its advisory. This vulnerability also affects the Mac and Linux platforms, and most vendors have already released updates.
- Firmware/Microcode Update – As with Spectre and Meltdown, additional BIOS/Firmware updates will be required for full remediation. Microsoft and Intel have worked to release updates through the update catalog, but currently these are only available for Windows 10 and exclude version 1803 and higher. Other hardware vendors will be rolling out updates on their support pages, so make sure to track your hardware models.
- Configuration Changes – When the two-step process isn’t available, disabling Hyper-Threading is recommended to eliminate these attack vectors on your hardware, at the cost of potential performance degradation.
- Verification – Once some or all of the steps have been taken above, Microsoft has provided a helpful PowerShell cmdlet called SpeculationControl that will return a status on all of the known vulnerabilities and their various aspects.
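The verification step can be scripted per endpoint. The following is an added example, not code from the original post or from Microsoft: it reads the MDS fields returned by the SpeculationControl module's Get-SpeculationControlSettings cmdlet and compares core counts to see whether Hyper-Threading is still on. The status wording and the output object shape are this example's own assumptions.

```powershell
# Added example. Requires the SpeculationControl module from the PowerShell Gallery:
#   Install-Module SpeculationControl -Scope CurrentUser
Import-Module SpeculationControl -ErrorAction Stop

# The cmdlet prints a readable report and also returns a settings object.
$settings = Get-SpeculationControlSettings

# MDS fields. Older module versions do not return them, so they may be $null.
$mdsVulnerable = $settings.MDSHardwareVulnerable
$mdsOsPresent  = $settings.MDSWindowsSupportPresent
$mdsOsEnabled  = $settings.MDSWindowsSupportEnabled

# Hyper-Threading is on when logical processors outnumber physical cores.
$cpu     = Get-CimInstance -ClassName Win32_Processor
$cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$htOn    = $logical -gt $cores

# Map the raw flags onto the remediation steps listed above (labels are illustrative).
$status =
    if     ($null -eq $mdsVulnerable) { 'Unknown: update the SpeculationControl module' }
    elseif (-not $mdsVulnerable)      { 'Hardware not reported as vulnerable to MDS' }
    elseif (-not $mdsOsPresent)       { 'Operating system update missing' }
    elseif (-not $mdsOsEnabled)       { 'OS update present, mitigation not enabled: check firmware/microcode' }
    elseif ($htOn)                    { 'Mitigation enabled, Hyper-Threading still on' }
    else                              { 'Mitigation enabled, Hyper-Threading off' }

# One row per machine, suitable for Export-Csv when collected across a fleet.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    MDSHardwareVulnerable = $mdsVulnerable
    MDSOsSupportPresent   = $mdsOsPresent
    MDSOsSupportEnabled   = $mdsOsEnabled
    PhysicalCores         = $cores
    LogicalProcessors     = $logical
    HyperThreadingOn      = $htOn
    Status                = $status
}
```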
Security Updates
In addition to the numerous vulnerabilities covered in our Patch Tuesday webinar, Citrix released a security patch Monday for its Workspace and Receiver applications. Citrix’s Security Bulletin details CVE-2019-11634, where an attacker could gain access to a client’s local drives to plant and execute code on the endpoint. This has been resolved in Receiver for Windows LTSR 4.9 CU7, so make sure to include it in this urgent patching cycle.
Third-Party Updates
While Patch Tuesday has been in the spotlight, other vendors have also released potentially valuable non-security updates this week. See the list below and be sure to add these to your patching cycle.
| Bulletin title | Bulletin ID | KB |
| --- | --- | --- |
| Apache Tomcat 8.5.41 | TOMCAT-134 | QTOMCAT8541 |
| Apache Tomcat 9.0.20 | TOMCAT-135 | QTOMCAT9020 |
| Audacity 2.3.2 | AUDACITY-232 | QAUD232 |
| CCleaner 5.57.7182 | CCLEAN-079 | QCCLEAN5577182 |
| GoodSync 10.9.33 | GOODSYNC-118 | QGS109333 |
| Google Drive File Stream 31.0.13.0 | GDFS-013 | QFS310130 |
| IrfanView 4.5.3 | IVIEW-008 | QIVIEW453 |
| LogMeIn 4.1.12624 | LMI-018 | QLMI4112624 |
| Opera 60.0.3255.95 | OPERA-214 | QOP600325595 |
| Skype 8.45.0.41 | SKYPE-158 | QSKY845041 |
| VirtualBox 5.2.30 | OVB-023 | QOVB5230 |
| VirtualBox 6.0.8 | OVB-022 | QOVB608 |
| Visual Studio Code 1.34.0 | MSNS19-0517-CODE | QVSCODE1340 |