While it has been a relatively quiet week for third-party vendors, Microsoft has kept us very busy in the wake of Patch Tuesday. With two re-releases and a net new patch, your patching cycle isn’t over yet!

Before we cover the notable updates, The Hacker News details a critical vulnerability in the Apache Struts framework where an attacker can execute arbitrary code remotely on the affected server. This framework may exist as a foundation to many web applications and needs to be updated at a library level. Don’t forget that under a year ago, Apache Struts was central to the Equifax breach where the data of 147 million consumers was exposed.

Visual Studio 2015

On Patch Tuesday, Microsoft detailed a vulnerability for Visual Studio 2015, but did not offer any patch for remediation. Earlier this week, KB4456688 released with affected products including Visual Studio 2015 Update 3 as well as the isolated shell component. The isolated shell component can be included with a variety of Microsoft software such as SQL Server and Visual Studio Tools for Applications, leaving your environment exposed in many configurations.

Microsoft SQL Security Re-Releases

Following the trend from last month, Microsoft re-released two of the six SQL patches this week. Both patches address critical stability issues that were present in the Patch Tuesday release. For quick reference, here is a table of the new updates, the replaced KBs, and the affected products.

New KB

Replaced KB

Affected SQL Version

KB4458621

KB4298307

2016 SP2 CU

KB4458842

KB4293801

2016 SP1 GDR

KB4458621 fixes a major bug where certain debug flags were enabled, causing unintended tracing to be exposed. Though there is no official statement on the effects of this tracing, Microsoft recommends applying this fix as soon as possible, especially if KB4293807 has already been applied. This patch affects the SQL 2012 SP2 branch when a CU has been applied previously.

KB4458842 released next with a stability fix for those that are enrolled in the Customer Experience Improvement Program (CEIP). The Patch Tuesday update, KB4293801, has a bug where sqlceip.exe experiences an unhandled exception. This patch affects SQL 2012 SP1 on the GDR branch where no CU has been applied previously.

Here are Microsoft’s blog posts for each release:

Microsoft Intel Microcode Patches

The first Intel Microcode updates were released this month to cover the new speculative execution vulnerability known as Foreshadow, or L1 Terminal fault (L1TF). Full remediation of this vulnerability requires the OS patches released on Patch Tuesday as well as a firmware update.

Due to the additional steps, Intel has partnered with Microsoft to supply the necessary firmware updates in an easy-to-deploy package. To those that are using SCCM or WSUS, these patches will not download by default, but can be imported through the Microsoft catalog.

These microcode updates apply to all supported versions of Windows 10 as well as Server 2016. For earlier operating systems, a firmware update is still necessary and can be acquired from each respective vendor.

Here is Microsoft’s summary of Intel microcode updates.

Third-Party Updates

As always, numerous third parties have been released this week. These updates may not have any CVEs, but they may still have undisclosed security fixes as well as helpful stability fixes for your organization. Here are the updates we released in our content this week:

Software Title

Ivanti ID

Ivanti KB

Apache Tomcat 8.5.33

TOMCAT-117

QTOMCAT8533

Apache Tomcat 9.0.11

TOMCAT-116

QTOMCAT9011

GIMP 2.10.6

GIMP-015

QGIMP2106

GoToMeeting 8.33.0

GOTOM-048

QGTM833

LogMeIn 4.1.11548

LMI-011

QLMI4111548

Microsoft Power BI Desktop 2.61.5192.601

PBID-037

QBI2615192601

Nitro Pro 12.2.0.228

NITRO-014

QNITRO1220228

Opera 55.0.2994.44

OPERA-180

QOP550299444

Plex Media Player 2.17.0

PLXP-018

QPLXP2170

Plex Media Server 1.13.6.5339

PLXS-025

QPLXS11365339

TortoiseGit 2.7.0

TGIT-006

QTGIT270

Zoom Client 4.1.30528

ZOOM-010

QZOOM4130528

More Patch Resources: