Patching in Review – Week 27
Only a few days before the monthly holiday! What holiday you ask? Why, Patch Tuesday of course! That’s everyone’s favorite holiday, right? No? Is it just me?
Before I get into the patches, our security team has been consistently providing us with a new article or interesting content we could share. Troy Hunt is a security expert who creates Pluralsight content and is the creator of “Have I Been Pwned?” which is a great website where you can find if your personal data has been compromised in a breach. Troy has put together some helpful tutorials recently around how to get HTTPS running as the default protocol for your sites.
Although most of the high-profile patches are due next week, here are some additional updates that you may want to consider throwing into your next patch cycle:
Mozilla Thunderbird released version 52.9 this week with a total of 12 CVEs resolved.
The first notable fixes are CVE-2018-12372 and CVE-2018-12373 which resolve S/MIME and PGP decryption leaking plaintext if a man in the middle attack was crafted. This is related to the EFAIL vulnerability detailed May 14th 2018 and while many email clients are still vulnerable to these attacks, Thunderbird was one of the mail clients vulnerable to the more severe direct exfiltration attacks described by the researchers.
All three critical CVEs are shared with Firefox’s release last week. CVE-2018-5188 is a memory corruption bug that could be exploited to run arbitrary code where the other two (CVE-2018-12359, CVE-2018-12360) consist of assorted vulnerabilities leading to a potentially exploited crash.
Here’s a list of the CVEs and their color-coded severity:
Further details are available on Mozilla’s security advisory page.
In the calm before the storm of Patch Tuesday comes the monthly release of Microsoft Office non-securities. The Office team released 16 new KBs for the month ranging from Office 2016 to Office 2010. These non-security patches are usually independent of the releases next week, so be sure to review some of the fixes here if you’re waiting for a stability fix.
Further details are available on Microsoft’s Office Sustained Engineering Team blog.
These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes. These are the updates we released in our content for the week:
More Patch Resources: