Patching in Review – Week 3 of 2019
Is it just me, or does it feel like Patch Tuesday rolled into this week? With the quarterly release from Oracle and new security patches from Microsoft over the past 7 days, 2019 has kept the world of patching busy to say the least.
A zero-day proof-of-concept has been released for an unpatched Windows vulnerability related to vCard files. According to ZDNet, this vulnerability was expected to be addressed in January’s Patch Tuesday, but ultimately did not make it into this month’s set of patches. After the vulnerability remained unpatched, the security researcher published it through Trend Micro’s Zero Day Initiative as ZDI-CAN-6920. According to the advisory, an attacker can craft a vCard file that executes malicious code when a user clicks it. It’s currently unknown whether this zero-day will be remediated before February’s Patch Tuesday, but given the public disclosure, a fix might come sooner rather than later.
Security Releases
Oracle released its Critical Patch Update Advisory for this quarter, addressing a total of 284 vulnerabilities. Surprisingly, the release for Java was relatively uneventful, with only 4 CVEs listed for Java SE and a maximum CVSS base score of only 5.3. VirtualBox saw a much larger update, with a total of 27 CVEs remediated in this quarterly release. Two of these vulnerabilities (CVE-2018-11784 and CVE-2018-0734) can be exploited remotely without authentication, so be sure to get these patched quickly.
Microsoft returned this week with patches for Team Foundation Server and Skype for Business 2015 Server. The 2 CVEs for TFS (CVE-2019-0646 and CVE-2019-0647) have both been publicly disclosed and affect versions 2017 and 2018. With any publicly disclosed vulnerability, the chances that an attacker could develop an exploit increase dramatically, so be sure to begin scheduling a patching window for this software.
Third-Party Updates
While we did have security releases this week, many vendors also released non-security updates. The updates below contain valuable stability improvements and may also fix undisclosed vulnerabilities.
| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Beyond Compare 4.2.9.23626 | BEYOND-008 | QBC42923626 |
| CCleaner 5.52.6967 | CCLEAN-074 | QCCLEAN5526967 |
| GOM Player 2.3.37.5298 | GOM-021 | QGOM23375298 |
| Inkscape 0.92.4 | INKS-006 | QINKS0924 |
| Microsoft Power BI Desktop 2.65.5313.1381 | PBID-048 | QBI26553131381 |
| Node.JS 11.7.0 (Current) | NOJSC-006 | QNODEJSC1170 |
| RealVNC Connect 6.4.0 | RVNC-027 | QRVNC640 |
| Royal TS 4.3.61314 | RTS4-018 | QRTS40361314 |
| Royal TS 5.00.61315.0 | RTS5-002 | QRTS500613150 |
| Skype 8.37.0.98 | SKYPE-149 | QSKY837098 |
| Slack Machine-Wide Installer 3.3.7 | SMWI-029 | QSMWI337 |
| TortoiseSVN 1.11.1 | TORT-031 | QTORT1111 |
| XnView 2.47 | XNVW-007 | QXNVW247 |