Patching in Review – Week 3 of 2020
Brian Secrist
What ever happened to the boring first Patch Tuesday of the year? Between the notorious CryptoAPI spoofing vulnerability and Oracle’s quarterly release, there is almost too much to cover! Without further ado, let’s get into this very dense week.
As always, here are the quick links to stay up to date on any developing known issues:
- Windows 10 / Server 2019 / Server 2016
- Windows 8.1 / Server 2012 R2
- Server 2012
- Windows 7 / Server 2008 R2
- Server 2008
To play a bit of catch up, I’m coming in with the whole month of January. Please see the other articles below to get prepared for February’s patch week!
Patch Tuesday Follow-up
As mentioned earlier, January is usually a very mundane Patch Tuesday. With a traditionally small patch count and short vulnerability list, no one was expecting the NSA disclosure to come out the day before.
Microsoft has since released patches for this alarming vulnerability, but security researchers have continued diving into the vulnerability with new developments. BleepingComputer has 2 great articles covering the CryptoAPI vulnerability for the week.
- Proof of concepts have already come out 2 days after the respective patches were released where the researcher spoofed the github certificate on a compromised system.
- As a refresher, an additional article was written explaining the chain of trust that is compromised in this attack.
Finally, we were all surprised this week to see an addition to the Windows 7 Monthly Rollup, which now will show unwanted upgrade alerts. Fortunately, there is a simple registry key to disable the nuisance.
Security Releases
Outside of Microsoft, there are more 3rd party security patches than it’s even possible to talk about. Let’s cover this with h a quick rapid-fire summary:
- The January 2020 CPU (Critical Patch Update) released on the same day as Patch Tuesday. For our patching content, this includes security fixes for Java 8 and 11, VirtualBox 5 and 6, as well as the related OpenJDK solutions such as Amazon Corretto.
- VMware Tools 11.0.5 released with CVE-2020-3941 under VMSA-2020-0002.
- Google Chrome released version 79.0.3945.130 with a rare critical vulnerability under CVE-2020-6378.
- Foxit released version 9.7.1 for Reader and PhantomPDF with numerous CVEs.
It’s safe to say this will be a very substantial patching cycle for everyone! Make sure to include the patches above in your weekend push.
Third-Party Updates
Aside from the dizzying amount of security updates, there was an equally large amount of non-securities for the week. See the list below to include in this 3rd-party-heavy patch week.
|
Software Title |
Ivanti ID |
Ivanti KB |
|
Adobe Flash Player 32.0.0.314 |
AFP32-200114 |
QAF3200314 |
|
AIMP 4.60.2170 |
AIMP-200114 |
QAIMP4602170 |
|
Falcon sensor for Windows 5.23.10504 |
CSFS-200115 |
QFS52310504 |
|
Firefox 72.0.2 |
FF-200120 |
QFF7202 |
|
Firefox ESR 68.4.2 |
FFE-200120 |
QFFE6842 |
|
GIT for windows 2.25.0 |
GIT-200114 |
QGIT2250 |
|
GOM Player 2.3.49.5311 |
GOM-200114 |
QGOM23495311 |
|
GoodSync 10.10.19.5 |
GOODSYNC-200113 |
QGS1010195 |
|
GoToMeeting 10.6.1 |
GOTOM-200120 |
QGTM1061 |
|
KeePass Classic 1.38.0 |
KEEPC-200113 |
QKPC138 |
|
KeePass Pro 2.44 |
KEEP-200120 |
QKPP244 |
|
Notepad++ 7.8.3 |
NPPP-200116 |
QNPPP783 |
|
Opera 66.0.3515.36 |
OPERA-200116 |
QOP660351536 |
|
RealVNC Server 6.7.0 |
RVNC-200116 |
QRVNC670 |
|
RealVNC Viewer 6.20.113 |
VNCV-200116 |
QVNCV620113 |
|
Tableau Prep Builder 2020.1.1 |
TABPREPB20-200115 |
QTABPREPB202011 |
|
TeamViewer 11.3.27434 |
TVIEW11-200113 |
QTVIEW11327434 |
|
TeamViewer 12.3.27435 |
TVIEW12-200115 |
QTVIEW12327435 |
|
TeamViewer 13.2.36217 |
TVIEW13-200115 |
QTVIEW13236217 |
|
TeamViewer 14.7.13736 |
TVIEW14-200115 |
QTVIEW14713736 |
|
TeamViewer 15.1.3937 |
TVIEW15-200115 |
QTVIEW1513937 |
|
Wireshark 2.6.14 |
WIRES26-200116 |
QWIRES2614 |
|
Zoom Outlook Plugin 4.8.17303.0117 |
ZOOMOUT-200120 |
QZOOMO4817303 |
