Patching in Review – Week 34 of 2019
Microsoft and other third-party vendors have not slowed their cadence in the week after Patch Tuesday. With a high-profile stability fix for Windows and multiple software titles getting new security releases, there's plenty to cover.
Security Releases
VLC released version 3.0.8 this week, covering 13 new CVEs. According to VLC's security bulletin, the assorted vulnerabilities could be exploited through a malicious file or website. The two highest-profile vulnerabilities are CVE-2019-13602 and CVE-2019-13962, and their severity is contested: NIST rates these CVEs at High (8.8) and Critical (9.8) severity, while VLC disputes the claim, saying that the metrics point to a more benign base score of 4.3. Regardless of perceived impact, be sure to get this software update out in your next patching cycle.
Node.JS also released a series of security updates for their supported versions, covering 8 CVEs that were discovered by Netflix. All of the CVEs describe flaws in the implementation of HTTP/2 that let an attacker cause a denial of service against the target. In line with Netflix's security bulletin, Microsoft has already remediated these vulnerabilities, but keep an eye out for other vendors covering these CVEs in the future.
Microsoft Non-Securities
On an earlier-than-normal cadence, Microsoft released non-security updates for all supported platforms as early as last Saturday. These emergency updates resolve the widespread Visual Basic errors caused by August's Patch Tuesday release. The issue appears to be broad enough that Microsoft also released a one-off standalone fix for those who deploy the security-only bundle rather than the rollup. If you have been holding off for this release, it gives you the opportunity to patch the high-profile wormable vulnerabilities announced last week. See the table below to reference the needed patches for your environment:
| | Standalone | Rollup/Cumulative |
|---|---|---|
| Server 2008 | | |
| Windows 7/Server 2008 R2 | | |
| Server 2012 | | |
| Windows 8.1/Server 2012 R2 | | |
| Windows 10 LTSB 2015 | | |
| Windows 10 LTSB 2016/Server 2016 | | |
| Windows 10 1703 | | |
| Windows 10 1709 | | |
| Windows 10 1803 | | |
| Windows 10 1809/Server 2019 | | |
Third-Party Updates
As always, our other supported third-party vendors have been releasing non-security updates for their respective products. While these updates might not have CVEs, they may also contain valuable stability updates for your end users:
| Software Title | Ivanti ID | Ivanti KB |
|---|---|---|
| AIMP 4.60.0.2144 | AIMP-015 | QAIMP4602144 |
| Apache Tomcat 8.5.45 | TOMCAT-142 | QTOMCAT8545 |
| Apache Tomcat 9.0.24 | TOMCAT-141 | QTOMCAT9024 |
| BlueJeans 2.15.279.0 | JEANS-023 | QBJN2152790 |
| CCleaner 5.61.7392 | CCLEAN-083 | QCCLEAN5617392 |
| CoreFTP LE 2.2.1935 | COREFTP-038 | QCFTP221935 |
| GoodSync 10.10.6.6 | GOODSYNC-128 | QGS101066 |
| GoTo Opener 1.0.527 | GOTOO-003 | QGTO10527 |
| Microsoft Power BI Desktop 2.72.5556.801 | PBID-063 | QBI2725556801 |
| Node.JS 12.9.0 (Current) | NOJSC-021 | QNODEJSC1290 |
| Opera 63.0.3368.35 | OPERA-224 | QOP630336835 |
| Opera 63.0.3368.43 | OPERA-225 | QOP630336843 |
| PeaZip 6.9.0 | PZIP-017 | QPZIP690 |
| Plex Media Player 2.40.0 | PLXP-044 | QPLXP2400 |
| Plex Media Server 1.16.5.1488 | PLXS-042 | QPLXS11651488 |
| Skype 8.51.0.86 | SKYPE-165 | QSKY851086 |
| Slack Machine-Wide Installer 4.0.2 | SMWI-034 | QSLACK402 |
| TeamViewer 14.5.1691 | TVIEW-051 | QTVIEW1451691 |
| Visual Studio Code 1.37.1 | MSNS19-0815-CODE | QVSCODE1371 |
| Zoom Outlook Plugin 4.8.2721.0811 | ZOOMOUT-011 | QZOOMO482721 |