Patching in Review – Week 30 of 2019
As we wind down from the Patch Tuesday grind, less common vendors are surprising us with security releases for their software titles such as PuTTY and WinSCP.
BlueKeep is back in the news this week with multiple articles referencing the notorious vulnerability.
- ZDNet covers the first public example of an effective, productized version of the exploit. Immunity Inc.’s pen-testing tool, Canvas 7.23, now includes the exploit, which leads to full remote execution capabilities. This release is the first time that an exploit for CVE-2019-0708 is so readily available, for a price.
- In addition, The Hacker News released an article detailing a variant of the Linux cryptocurrency malware known as WatchBog. This variant’s notable detail is an additional process that scans networks for machines still vulnerable to BlueKeep. While the intentions behind this data collection are unknown, the data will be valuable to those with a working exploit.
While we all have been anxiously anticipating the first spread of this vulnerability, it is not too late to ensure our environments are properly secured against the inevitable first wave of this wormable flaw. For a review of previous developments around BlueKeep, see our dedicated blog post.
Security Releases
PuTTY 0.72 was released this week with fixes for a total of 3 vulnerabilities discovered through the 2019 EU-funded HackerOne bug bounty. The 2 most notable vulnerabilities relate to the SSH-1 protocol, where successful exploitation could lead to a man-in-the-middle attack resulting in a trusted connection with the wrong server. WinSCP 5.15.3 was also released alongside PuTTY, containing the same 3 security fixes.
A higher-severity SnagIt vulnerability was patched on all supported versions by the vendor. CVE-2019-13382 was discovered by Capital Group’s Security Testing Team and is detailed further on enigma0x3.net. The vulnerability is a flaw within TechSmith’s Uploader Service where a malicious file can lead to an elevation of privilege. Given the severity of this CVE, the vendor released 2019.1.3, 2018.2.4, and 13.1.7, so be sure to roll these out as soon as possible.
Third-Party Updates
Here are the other updates we released in our content this week. These updates might not have identified CVEs, but they still have helpful stability fixes as well as potential undisclosed security fixes:
| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Blue Jeans 2.14.456.0 | JEANS-021 | QBJN2144560 |
| Box Edit 4.5.7.609 | BEDIT-005 | QBEDIT457609 |
| Firefox 68.0.1 | FF19-017 | QFF6801 |
| GOM Player 2.3.43.5305 | GOM-028 | QGOM23435305 |
| GoToMeeting 8.45.4 | GOTOM-067 | QGTM8454 |
| Microsoft Power BI Desktop 2.71.5523.941 | PBID-062 | QBI2715523941 |
| Node.JS 12.7.0 (Current) | NOJSC-018 | QNODEJSC1270 |
| Opera 62.0.3331.99 | OPERA-222 | QOP620333199 |
| Plex Media Player 2.38.0 | PLXP-042 | QPLXP2380 |
| Plex Media Server 1.16.3.1402 | PLXS-040 | QPLXS11631402 |
| Skype 8.50.0.38 | SKYPE-163 | QSKY850038 |
| Tableau Desktop 2018.1.15 | TABDESK2018-016 | QTABDESK201815 |
| Tableau Desktop 2018.2.12 | TABDESK2018-017 | QTABDESK2018212 |
| Tableau Desktop 2018.3.9 | TABDESK2018-018 | QTABDESK201839 |
| Tableau Desktop 2019.1.6 | TABDESK2019-008 | QTABDESK201916 |
| Tableau Desktop 2019.2.2 | TABDESK2019-009 | QTABDESK201922 |
| Tableau Reader 2019.2.2 | TABREAD2019-006 | QTABREAD201922 |
| TortoiseHG 5.0.2 | TOHG-022 | QTOHG502 |