With the variety of stability issues present in April’s Patch Tuesday, we were hoping for a slow month, but that couldn’t be further from the truth! If you didn’t have the opportunity to see our Patch Tuesday webinar, please watch our recording to get all the important details.

As always, here are the quick links to stay up to date on any developing known issues:

Patch Tuesday Follow-Up

While this has been one of the more substantial Patch Tuesdays in terms of the variety of disclosures, the list of known issues has not expanded as it did the month before.

While the Remote Desktop Services vulnerability (CVE-2019-0708) is one of the most urgent cases since WannaCry, Microsoft and Intel also released a disclosure on another set of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS). The four vulnerabilities detailed in the advisory (ADV190013) cover different attack vectors for reading information from the processor’s level 1 data cache, where application and operating system data can be leaked to external parties. Security researchers have created a dedicated site that brings together all of the discovered attacks, with links to additional research papers and sites.

As with Spectre and Meltdown, complete remediation is not achieved by a single patch; multiple steps are necessary.

  1. Operating System Update – Microsoft has provided updates for all supported operating systems that are detailed under their advisory. This vulnerability also affects the Mac and Linux platforms with updates released by most vendors already.
  2. Firmware/Microcode Update – As with Spectre and Meltdown, additional BIOS/Firmware updates will be required for full remediation. Microsoft and Intel have worked to release updates through the update catalog, but currently these are only available for Windows 10 and exclude version 1803 and higher. Other hardware vendors will be rolling out updates on their support pages, so make sure to track your hardware models.
  3. Configuration Changes – When the two-step process isn’t available, disabling Hyper-Threading is recommended; it will eliminate these attack vectors on your hardware at the cost of potential performance degradation.
  4. Verification – Once some or all of the steps have been taken above, Microsoft has provided a helpful PowerShell cmdlet called SpeculationControl that will return a status on all of the known vulnerabilities and their various aspects.
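
One way to turn the verification step into a per-host status, as an added example that is not Microsoft's or this post's own code. It assumes the SpeculationControl module from the PowerShell Gallery is installed and that its `Get-SpeculationControlSettings` output carries the `MDS*` properties; `Test-MdsRemediation` is a hypothetical helper name and the sample object is constructed.

```powershell
# Added example. Test-MdsRemediation is a hypothetical helper, not part of the SpeculationControl module.
function Test-MdsRemediation {
    param(
        [Parameter(Mandatory)] $Settings,               # object returned by Get-SpeculationControlSettings
        [Parameter(Mandatory)] [int] $Cores,
        [Parameter(Mandatory)] [int] $LogicalProcessors
    )
    # More logical processors than physical cores means Hyper-Threading is on (step 3).
    $smtOn = $LogicalProcessors -gt $Cores

    $status = if (-not $Settings.PSObject.Properties['MDSHardwareVulnerable']) {
        'ModuleTooOld'           # module version predates the MDS checks; update it and rerun
    } elseif (-not $Settings.MDSHardwareVulnerable) {
        'NotVulnerable'
    } elseif (-not $Settings.MDSWindowsSupportPresent) {
        'OsUpdateMissing'        # step 1 (operating system update) not applied
    } elseif (-not $Settings.MDSWindowsSupportEnabled) {
        'MitigationDisabled'     # OS update present but mitigation inactive: check step 2 (firmware/microcode)
    } else {
        'MitigationEnabled'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        MdsStatus      = $status
        HyperThreading = $smtOn
    }
}

# Constructed sample: patched OS on vulnerable hardware without the microcode update, 4 cores / 8 threads.
$sample = [pscustomobject]@{
    MDSHardwareVulnerable    = $true
    MDSWindowsSupportPresent = $true
    MDSWindowsSupportEnabled = $false
}
Test-MdsRemediation -Settings $sample -Cores 4 -LogicalProcessors 8

# Live check, run only when the module is available (Install-Module SpeculationControl).
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $cpu = Get-CimInstance -ClassName Win32_Processor   # one instance per socket
    Test-MdsRemediation -Settings (Get-SpeculationControlSettings) `
        -Cores ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum `
        -LogicalProcessors ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
}
```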

Security Updates

In addition to the numerous vulnerabilities covered in our Patch Tuesday webinar, Citrix released a security patch Monday for its Workspace and Receiver applications. Citrix’s Security Bulletin details CVE-2019-11634, where an attacker could gain access to a client’s local drives to plant and execute code on the endpoint. This has been resolved under Receiver for Windows LTSR 4.9 CU7, so make sure to include it in this urgent patching cycle.

Third-Party Updates

While Patch Tuesday has been in the spotlight, other vendors have also released potentially valuable non-security updates this week. See the list below and be sure to add these to your patching cycle.

| Bulletin title | Bulletin ID | KB |
| --- | --- | --- |
| Apache Tomcat 8.5.41 | TOMCAT-134 | QTOMCAT8541 |
| Apache Tomcat 9.0.20 | TOMCAT-135 | QTOMCAT9020 |
| Audacity 2.3.2 | AUDACITY-232 | QAUD232 |
| CCleaner 5.57.7182 | CCLEAN-079 | QCCLEAN5577182 |
| GoodSync 10.9.33 | GOODSYNC-118 | QGS109333 |
| Google Drive File Stream 31.0.13.0 | GDFS-013 | QFS310130 |
| IrfanView 4.5.3 | IVIEW-008 | QIVIEW453 |
| LogMeIn 4.1.12624 | LMI-018 | QLMI4112624 |
| Opera 60.0.3255.95 | OPERA-214 | QOP600325595 |
| Skype 8.45.0.41 | SKYPE-158 | QSKY845041 |
| VirtualBox 5.2.30 | OVB-023 | QOVB5230 |
| VirtualBox 6.0.8 | OVB-022 | QOVB608 |
| Visual Studio Code 1.34.0 | MSNS19-0517-CODE | QVSCODE1340 |
