Is it just me, or does it feel like Patch Tuesday rolled into this week? With the quarterly release from Oracle and new security patches from Microsoft over the past 7 days, 2019 has kept the world of patching busy to say the least.

A zero-day proof-of-concept has been released for an unpatched Windows vulnerability related to vCard files. According to ZDNet, this vulnerability was expected to be addressed in January’s Patch Tuesday, but ultimately did not make it into this month’s set of patches. After the vulnerability remained unpatched, the security researcher published it through Trend Micro’s Zero Day Initiative as ZDI-CAN-6920. According to the advisory, an attacker can craft a vCard file that executes malicious code when a user clicks it. It’s currently unknown whether this zero-day will be remediated before February’s Patch Tuesday, but given the public disclosure, a fix might come sooner rather than later.

Security Releases

Oracle released their Critical Patch Update Advisory for this quarter, addressing a total of 284 vulnerabilities. Surprisingly enough, the release for Java was relatively uneventful, with only 4 CVEs listed for Java SE and a maximum CVSS base score of only 5.3. VirtualBox saw a much larger update, with a total of 27 CVEs remediated in this quarterly release. Two of these vulnerabilities (CVE-2018-11784 and CVE-2018-0734) can be exploited remotely without authentication, so be sure to get these patched quickly.

Microsoft returned this week with patches for Team Foundation Server and Skype for Business 2015 Server. The 2 CVEs for TFS (CVE-2019-0646 and CVE-2019-0647) have both been publicly disclosed and affect versions 2017 and 2018. With any publicly disclosed vulnerability, the chance that an attacker develops a working exploit increases dramatically, so be sure to begin scheduling a patching window for this software.

Third-Party Updates

While we did have our security releases this week, many vendors also released non-security updates. The updates below contain valuable stability improvements and may also quietly fix vulnerabilities the vendor has not disclosed.

| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Beyond Compare 4.2.9.23626 | BEYOND-008 | QBC42923626 |
| CCleaner 5.52.6967 | CCLEAN-074 | QCCLEAN5526967 |
| GOM Player 2.3.37.5298 | GOM-021 | QGOM23375298 |
| Inkscape 0.92.4 | INKS-006 | QINKS0924 |
| Microsoft Power BI Desktop 2.65.5313.1381 | PBID-048 | QBI26553131381 |
| Node.JS 11.7.0 (Current) | NOJSC-006 | QNODEJSC1170 |
| RealVNC Connect 6.4.0 | RVNC-027 | QRVNC640 |
| Royal TS 4.3.61314 | RTS4-018 | QRTS40361314 |
| Royal TS 5.00.61315.0 | RTS5-002 | QRTS500613150 |
| Skype 8.37.0.98 | SKYPE-149 | QSKY837098 |
| Slack Machine-Wide Installer 3.3.7 | SMWI-029 | QSMWI337 |
| TortoiseSVN 1.11.1 | TORT-031 | QTORT1111 |
| XnView 2.47 | XNVW-007 | QXNVW247 |