Week 26! It’s hard to believe we’re already at the midway point of the year. For a quick review of these six months, CVEDetails has a great Top 50 Vendors chart covering the most vulnerable vendors so far. As of writing this article, Microsoft leads the pack with a whopping 363 vulnerabilities! The first half of 2019 has been far from calm, and I doubt the trailing half of the year will be any less so.

Speaking of top vendors, Microsoft Excel appeared twice this week in the security world with a new vulnerability and an attack campaign discovered:

  • Mimecast released an article this week revealing a method to exploit a feature called Power Query. Within this attack, malicious data could be included in a separate source, then executed when loaded onto the spreadsheet. Surprisingly enough, when Mimecast reached out to Microsoft, it declined to fix the feature directly, but released a Security Advisory with workaround recommendations.
  • Microsoft warned users via Twitter about a discovered malware campaign that’s able to compromise fully patched Windows PCs. Within this campaign, a malicious .xls file is attached to an email that will download and run the FlawedAmmyy remote access trojan on an endpoint. Since this malware runs within memory, it has a chance to avoid detection from common antivirus solutions.

Security Releases

Although not as high profile as Firefox and Firefox ESR from last week , Thunderbird 60.7.2 released with the same zero-day CVEs under MFSA2019-20. In this advisory, both CVE-2019-11707 and CVE-2018-11708 are remediated, which were used in combination to compromise cryptocurrency firms. The chances of exploitation on Mozilla’s email client is much slimmer than Firefox, but make sure to close this security vulnerability as soon as possible.

Third-Party Updates

Here are the other updates we released in our content this week. These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes:

Software Title

Ivanti ID

Ivanti KB

Box Edit 4.5.6.593

BEDIT-004

QBEDIT456593

Camtasia 2019.0.3

CAMTA-017

QCAMTASIA1903

CCleaner 5.59.7230

CCLEAN-081

QCCLEAN55907230

Citrix Receiver 4.9.7000, LTSR Cumulative Update 7

CTXR-019

QCTXR497000

DropBox 75.4.141

DROPBOX-111

QDROPBOX754141

Evernote 6.19.2.8555

ENOT-019

QENOT61928555

FileZilla Client 3.43.0

FILEZ-090

QFILEZ3430X64

GoodSync 10.9.35.5

GOODSYNC-121

QGS109355

Nitro Pro 12.16.3.574

NITRO-025

QNITRO12163574

Nitro Pro Enterprise 12.16.3.574

NITROE-006

QNITROE12163574

Node.JS 12.5.0 (Current)

NOJSC-016

QNODEJSC1250

Opera 62.0.3331.18

OPERA-218

QOP620333118

Plex Media Player 2.36.0

PLXP-039

QPLXP2360988

Skype 8.48.0.51

SKYPE-161

QSKY848051

Tableau Desktop 2018.1.14

TABDESK2018-015

QTABDESK2018114

Tableau Desktop 2018.2.11

TABDESK2018-014

QTABDESK2018211

Tableau Desktop 2018.3.8

TABDESK2018-013

QTABDESK201838

Tableau Desktop 2019.1.5

TABDESK2019-006

QTABDESK201915

Tableau Desktop 2019.2.1

TABDESK2019-007

QTABDESK201921

Tableau Prep Builder 2019.2.2

TABPREPB19-003

QTABPREPB201922

Tableau Reader 2019.2.1

TABREAD2019-005

QTABREAD201921

VMWare Horizon Client 5.0.0

VMWH-009

QVMWH5000

Protect yourself from the next wannacry