Patching in Review – Week 40
Brian Secrist
For this week of the month, you usually find me talking about the “calm before the storm.” This is not one of those months. Between new security releases from Adobe and Mozilla as well as a quiet re-release from Microsoft, it has been far from calm.
Before we get onto the highlights of the week, Bloomberg released a shocking article detailing an intentionally placed hardware vulnerability in common datacenter hardware. I wish I could do justice to the scope of this article, but it’s really an incredible study. The year 2018 was already set to go down as the year of hardware vulnerabilities thanks to Spectre, Meltdown, and Foreshadow, but this cements it in the record books.
Security Releases
Patch week came early for Adobe alongside a release for its Acrobat products. APSB18-30 remediates an impressive 86 vulnerabilities. Of these vulnerabilities, 48 are classified as Critical, with CVE-2018-15966 standing out from the pack. This vulnerability could allow an attacker to gain privileges on the system to potentially leverage further system exploits.
Adobe’s Security Bulletin covers all three supported branches of both Acrobat and Acrobat Reader, so be sure to include this common software in this upcoming patching cycle.
Mozilla also joined the party with releases for Firefox, Firefox ESR, and Thunderbird:
- Thunderbird 60.2.1 remediates seven vulnerabilities previously remediated through past Firefox releases. These CVEs are only relevant through the browser-level features of Thunderbird, most of which are disabled by default.
- Firefox 62.0.3 and Firefox ESR 60.2.2 share two critical vulnerabilities, CVE-2018-12386 and CVE-2018-12387. Each vulnerability has a user-targeted component to compromise the web browser.
Microsoft Security Re-Release
Earlier this week, Microsoft released KB4463110 for Visual Studio 2015 to replace KB4456688, which was released for August Patch Tuesday remediating CVE-2018-0952. It appears that the vulnerability might not have been remediated completely, as no stability issues were mentioned in the new KB.
Third-Party Updates
These assorted updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes. These are the miscellaneous updates we released in our content for the week:
|
Bulletin title |
Bulletin ID |
KB |
|
Audacity 2.3.0 |
AUDACITY-230 |
QAUD230 |
|
Evernote 6.15.4.7934 |
ENOT-012 |
QENOT61547934 |
|
FileZilla Client 3.37.3 |
FILEZ-079 |
QFILEZ3373 |
|
FileZilla Client 3.37.4 |
FILEZ-080 |
QFILEZ3374 |
|
GoodSync 10.9.10 |
GOODSYNC-096 |
QGS10910 |
|
Nitro Pro 12.5.0.268 |
NITRO-017 |
QNITRO1250268 |
|
Opera 56.0.3051.36 |
OPERA-185 |
QOP560305136 |
|
PDF-Xchange PRO 7.0.327.0 |
PDFX-025 |
QPDFX703270 |
|
Plex Media Player 2.20.0 |
PLXP-022 |
QPLXP2200 |
|
Slack Machine-Wide Installer 3.3.3 |
SMWI-028 |
QSMWI333 |
|
Splunk Universal Forwarder 7.2.0 |
SPLUNKF-030 |
QSPLUNKF720 |
|
TeamViewer 11.2.2150 |
TVIEW-038 |
QTVIEW1122150 |
|
TeamViewer 13.2.26558 |
TVIEW-039 |
QTVIEW132265580 |
|
Visual Studio 2017 version 15.8.6 |
MSNS18-1002-VS2017 |
QVS20171586 |
|
VMware Tools 10.0.12 |
VMWT-026 |
QVMT10012 |
|
WinRAR 5.61 |
WRAR-016 |
QWRAR561 |
More Patch Resources:
- Patching in Review – Week 39
- Patching in Review – Week 38
- Patching in Review – Week 36
- Patching in Review – Week 35
- Patching in Review – Week 34
- Patching in Review – Week 32
- Patching in Review – Week 31
- Patching in Review – Week 30
- Patching in Review – Week 29
- Patching in Review – Week 27
- Patching in Review – Week 26
- Patching in Review – Week 25
- Patch Tuesday Blogs
- Patch Tuesday Resource Page
- Ivanti Security Products
