As we wind down from the Patch Tuesday grind, less common vendors are surprising us with security releases for their software titles such as PuTTY and WinSCP.

BlueKeep is back in the news this week with multiple articles referencing the notorious vulnerability.

  • ZDNet covers the first public example of an effective, productized version of the exploit. Immunity Inc.’s pen-testing tool, Canvas 7.23 now includes the exploit leading to full remote execution capabilities. This release is the first time that CVE-2019-0708 is so readily available, for a price.
  • In addition, The Hacker News released and article detailing a variant of the Linux cryptocurrency malware known as WatchBog. This variant’s notable detail lies in an additional process that scans networks for machines still vulnerable to BlueKeep. While the intentions behind this data is unknown, this data will be valuable to those with a working exploit.

While we all have been anxiously anticipating the first spread of this vulnerability, it is not too late to ensure our environments are properly secured against the inevitable first wave of this wormable flaw. For a review of previous developments around BlueKeep, see our dedicated blog post.

Security Releases

PuTTY 0.72 released this week with a total of 3 vulnerabilities discovered through the 2019 EU-funded HackerOne bug bounty. The most notable 2 vulnerabilities relate to the SSH-1 protocol where successful exploitation could lead to a man-in-the-middle attack leading to a trusted connection with the wrong server. WinSCP 5.15.3 also released alongside PuTTY containing the same 3 security fixes.

A higher severity SnagIt vulnerability was patched on all supported versions by the vendor. CVE-2019-13382 was discovered by Capital Group’s Security Testing Team and is detailed further on enigma0x3.net. The vulnerability details a flaw within TechSmith’s Uploader Service where a malicious file can lead to an elevation of privilege. Given the severity of this CVE, the vendor released 2019.1.3, 2018.2.4, and 13.1.7 so be sure to roll these out as soon as possible.

Third-Party Updates

Here are the other updates we released in our content this week. These updates might not have identified CVEs, but they still have helpful stability fixes as well as potential undisclosed security fixes:

Software Title

Ivanti ID

Ivanti KB

Blue Jeans 2.14.456.0

JEANS-021

QBJN2144560

Box Edit 4.5.7.609

BEDIT-005

QBEDIT457609

Firefox 68.0.1

FF19-017

QFF6801

GOM Player 2.3.43.5305

GOM-028

QGOM23435305

GoToMeeting 8.45.4

GOTOM-067

QGTM8454

Microsoft Power BI Desktop 2.71.5523.941

PBID-062

QBI2715523941

Node.JS 12.7.0 (Current)

NOJSC-018

QNODEJSC1270

Opera 62.0.3331.99

OPERA-222

QOP620333199

Plex Media Player 2.38.0

PLXP-042

QPLXP2380

Plex Media Server 1.16.3.1402

PLXS-040

QPLXS11631402

Skype 8.50.0.38

SKYPE-163

QSKY850038

Tableau Desktop 2018.1.15

TABDESK2018-016

QTABDESK201815

Tableau Desktop 2018.2.12

TABDESK2018-017

QTABDESK2018212

Tableau Desktop 2018.3.9

TABDESK2018-018

QTABDESK201839

Tableau Desktop 2019.1.6

TABDESK2019-008

QTABDESK201916

Tableau Desktop 2019.2.2

TABDESK2019-009

QTABDESK201922

Tableau Reader 2019.2.2

TABREAD2019-006

QTABREAD201922

TortoiseHG 5.0.2

TOHG-022

QTOHG502