Patching in Review – Week 26
This week lands right between June's and July's Patch Tuesdays, but that doesn't mean the updates stop coming. Although Microsoft was free of any notable CVEs, other vendors remediated critical vulnerabilities.
Security also goes beyond patching alone and needs to be considered in every facet of your infrastructure. This week, more information surfaced about the Satori IoT botnet, which refuses to fade away and is now infecting D-Link DSL modems.
Mozilla comes in as the headliner this week with a Firefox release for all three branches, carrying a total of six critical CVEs. CVE-2018-5186, CVE-2018-5187, and CVE-2018-5188 are all memory corruption bugs that could be exploited to run arbitrary code, whereas the other three (CVE-2018-12359, CVE-2018-12360, CVE-2018-12361) are assorted vulnerabilities leading to a potentially exploitable crash.
Here's a breakdown of CVEs by product, color-coded by severity:
Further details are available on Mozilla’s security advisory pages:
Next in line is Tomcat with CVE-2018-8014. This CVE was publicly disclosed on May 16, 2018 and has a CVSS v3 score of 9.8. Apache states that only users of the CORS filter are vulnerable, so your mileage may vary on exposure here. Currently only Tomcat 9 and Tomcat 8.5 have a fixed release for this, so stay tuned for Tomcat 8 and Tomcat 7 releases soon.
Finally, Opera 54 released this week with its Chromium engine updated to 67.0.3396.87, which contains the fix for CVE-2018-6149 from June Patch Tuesday. Be sure to patch this as soon as possible.
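Since exposure to CVE-2018-8014 depends on whether, and how, the Tomcat CORS filter is configured, a quick inventory of your web.xml files is the practical first step. The script below is an added example for this post, not code from Apache or from the post's author. It assumes what Apache's advisory for CVE-2018-8014 describes: the filter's pre-fix defaults allowed every origin (`*`) while also sending credentials, and a filter left at those defaults is the weak case. The sample web.xml is constructed for the example.

```python
"""Audit Tomcat web.xml files for weak CORS filter settings (CVE-2018-8014).

Added example, not Apache's code. Assumption (from the CVE-2018-8014
advisory): the pre-fix CorsFilter defaults are cors.allowed.origins=* with
cors.support.credentials=true, which is the insecure combination.
"""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Constructed sample: one filter explicitly wide open, one relying on the
# version's defaults, one scoped to a named origin, one unrelated filter.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilterWide</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter>
    <filter-name>CorsFilterDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CorsFilterScoped</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter>
    <filter-name>Other</filter-name>
    <filter-class>org.example.OtherFilter</filter-class>
  </filter>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_cors_filters(web_xml_text):
    """Return [(filter-name, verdict)] for every CorsFilter in the web.xml.

    verdict is one of:
      'insecure'        - explicit allow-all origins plus credentials
      'version-default' - credentials left unset with allow-all origins;
                          insecure on Tomcat builds with the pre-fix default
      'ok'              - origins are scoped, or credentials are disabled
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for filt in root.iter():
        if _local(filt.tag) != "filter":
            continue
        if _child_text(filt, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for init_param in filt:
            if _local(init_param.tag) == "init-param":
                key = _child_text(init_param, "param-name")
                if key:
                    params[key] = _child_text(init_param, "param-value") or ""
        # The allowed-origins default is '*' in every version (assumption).
        origins = params.get("cors.allowed.origins", "*").strip()
        creds = params.get("cors.support.credentials")
        allow_all = origins == "*"
        if creds is None:
            verdict = "version-default" if allow_all else "ok"
        elif allow_all and creds.strip().lower() == "true":
            verdict = "insecure"
        else:
            verdict = "ok"
        findings.append((_child_text(filt, "filter-name"), verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in audit_cors_filters(SAMPLE_WEB_XML):
        print(f"{name}: {verdict}")
```

To run it against real deployments, feed each `conf/web.xml` and every application's `WEB-INF/web.xml` to `audit_cors_filters`; a `version-default` result means the answer depends on which Tomcat build is installed, so pair it with the version check rather than treating it as clean.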
Another week, another set of third-party updates. Even though these updates do not list any CVEs, they may still have undisclosed security fixes as well as helpful stability fixes for your organization. Here are the updates we released in our content this week:
More Patch Resources: