Once again, we find ourselves in the shadow of another Patch Tuesday. While we prepare ourselves for the upcoming patch cycle, be sure to review the updates released throughout the month, detailed in our previous articles linked at the bottom of the page.

In the news, Microsoft’s zero-day disclosed last week appears to have been successfully exploited in the wild for almost a week now. A ZDNet article describes how an ESET researcher has been tracking a hacking group under the codename “PowerPool”. The group has brought the Windows ALPC zero-day into their exploit toolset, sending out emails containing a first-stage exploit payload where the zero-day is downloaded and then executed. While there has been no official confirmation from Microsoft, we expect this vulnerability to be addressed next week.

While we eagerly anticipate the deluge of patches next week, our favorite web browsers have been busy gifting us with new major releases.

Security Releases

Mozilla released updates for Firefox and Firefox ESR this week. Both updates are classified as Critical due to CVE-2018-12376, which details multiple memory safety bugs within Firefox 61 and Firefox ESR 60.0.1 where arbitrary code could be run if successfully exploited.

Here’s a list of the CVEs and their color-coded severity for each branch:

| Firefox 62.0 | Firefox ESR 60.2.0 |
|---|---|
| CVE-2018-12376 | CVE-2018-12376 |
| CVE-2018-12377 | CVE-2018-12377 |
| CVE-2018-12378 | CVE-2018-12378 |
| CVE-2018-12375 | |
| CVE-2017-16541 | CVE-2017-16541 |
| CVE-2018-12379 | CVE-2018-12379 |
| CVE-2018-12381 | CVE-2018-12381 |
| CVE-2018-12382 | |
| CVE-2018-12383 | |
| Total: 9 | Total: 6 |

Google joined the party as well with a major version release containing numerous security fixes. According to Google’s release notes, a total of 40 security fixes were addressed in 69.0.3497.81, with 24 CVEs. Seven of the CVEs are classified as High severity by Google; these primarily consist of assorted out-of-bounds reads/writes where unauthorized code or commands could be executed.

Further CVE breakdown by classification can be found below:

| Critical | High | Medium | Low |
|---|---|---|---|
| | CVE-2018-16065 | CVE-2018-16072 | CVE-2018-16084 |
| | CVE-2018-16066 | CVE-2018-16073 | CVE-2018-16085 |
| | CVE-2018-16067 | CVE-2018-16074 | CVE-2018-16086 |
| | CVE-2018-16068 | CVE-2018-16075 | CVE-2018-16087 |
| | CVE-2018-16069 | CVE-2018-16076 | CVE-2018-16088 |
| | CVE-2018-16070 | CVE-2018-16077 | |
| | CVE-2018-16071 | CVE-2018-16078 | |
| | | CVE-2018-16079 | |
| | | CVE-2018-16080 | |
| | | CVE-2018-16081 | |
| | | CVE-2018-16082 | |
| | | CVE-2018-16083 | |
| Total: 0 | Total: 7 | Total: 12 | Total: 5 |

Third-Party Updates

Of course, other vendors have been releasing updates for their respective software. While these updates might not have identified vulnerabilities, they still have helpful stability fixes as well as potential undisclosed security fixes:

| Software Title | Ivanti ID | Ivanti KB |
|---|---|---|
| GoodSync 10.9.7 | GOODSYNC-093 | QGS1097 |
| KeePass Classic 1.36 | KEEP-027 | QKPC136 |
| Nitro Pro 12.3.0.240 | NITRO-015 | QNITRO1230240 |
| Opera 55.0.2994.56 | OPERA-181 | QOP550299456 |
| Paint.net 4.1 | PDN-006 | QPDN4100 |
| Plex Media Player 2.18.0 | PLXP-019 | QPLXP2180 |
| Slack Machine-Wide Installer 3.3.1 | SMWI-027 | QSMWI331 |
| SQL Server Management Studio 17.9 | SSMS17-009 | QSSMS17285 |
| TreeSize Free 4.2.2.474 | TSF-014 | QTSF422474 |
| Visual Studio Code 1.27.1 | MSNS18-0906-CODE | QVSCODE1271 |
| VLC Media Player 3.0.4 | VLC-304 | QVLC304 |
| VMWare Horizon Client 4.9.0 | VMWH-007 | QVMWH490 |
| XnView 2.46 | XNVW-006 | QXNVW246 |

More Patch Resources: