Patching in Review – Week 40 of 2019
Brian Secrist
Happy Cybersecurity Awareness Month, everyone! With yet another unexpected IE release this week, I can’t think of a better way to usher in the month! As we prepare for the upcoming Patch Tuesday, make sure you’re registered for our webinar to get our analysis on high profile vulnerabilities and known issues.
Internet Explorer Out-of-Band
Following up from the zero-day release last week, Microsoft released an additional Internet Explorer update right before Patch Tuesday with vague origins. In review, on 9/23 Microsoft released a surprise zero-day patch for IE (KB4522007) and Windows 10 to remediate actively exploited CVE-2019-1367. The next day, a series of Quality Preview patches and again, Windows 10 cumulatives were released for all supported OSes that included the CVE (Windows 10 1903 was a few days later).
Third time’s the charm, right? On October 3, Microsoft surprised us all with yet another re-release of the Internet Explorer patches (KB4521435), a final set of Windows 10 cumulatives, and a surprising Monthly Rollup for all legacy OSes. There’s little evidence around the changes here, but it’s suspected that this new set of patches contains further bug fixes that the initial release contained.
Here’s a list of the final KBs in case you’d like to get these out before the Patch Tuesday cycle:
|
IE |
Cumulative/Rollup |
|
|
Server 2008 |
||
|
Windows 7 / Server 2008 R2 |
||
|
Server 2012 |
||
|
Windows 8.1 / Server 2012 R2 |
||
|
Windows 10 1507 |
||
|
Windows 10 1607 / Server 2016 |
||
|
Windows 10 1703 |
||
|
Windows 10 1709 |
||
|
Windows 10 1803 |
||
|
Windows 10 1809 / Server 2019 |
||
|
Windows 10 1903 |
Security Releases
Foxit released version 9.7 this week with 10 CVEs with the most severe CVEs acquiring a CVSS score of 8.7. Most of the vulnerabilities detail Remote Code Execution vulnerabilities that are dependent on opening a specially crafted malicious file that’s most commonly distributed in phishing attacks. Make sure to get this rolled out in your next patching cycle.
Third-Party Updates
While the Microsoft update have defined the week, other vendors have been releasing updates for their respective products. See the list below as these updates can still contain valuable security fixes.
|
Bulletin title |
Bulletin ID |
KB |
|
BlueJeans 2.16.324.0 |
JEANS-024 |
QBJN2163240 |
|
DropBox 82.4.155 |
DROPBOX-121 |
QDROPBOX824155 |
|
FileZilla Client 3.45.1 |
FILEZ-093 |
QFILEZ3451X64 |
|
Firefox 69.0.2 |
FF19-021 |
QFF6902 |
|
GoodSync 10.10.9.5 |
GOODSYNC-131 |
QGS101095 |
|
Google Backup and Sync 3.46.7175.2662 |
GSYNC-023 |
QGBS34671752662 |
|
Nitro Pro 13.2.6.26 |
NITRO-027 |
QNITRO132326 |
|
Nitro Pro Enterprise 13.2.3.26 |
NITROE-008 |
QNITROE132326 |
|
Node.JS 12.11.1 (Current) |
NOJSC-025 |
QNODEJSC12111 |
|
Plex Media Server 1.17.0.1841 |
PLXS-046 |
QPLXS11701841 |
|
PuTTY 0.73 |
PUTTY-006 |
QPUTTY073 |
|
Slack Machine-Wide Installer 4.1.0 |
SMWI-035 |
QSLACK410 |
|
Splunk Universal Forwarder 7.3.2 |
SPLUNKF-041 |
QSPLUNKF732 |
|
Sublime Text 3 Build 3211 |
SUBL-006 |
QSUBL3211 |
|
Zoom Client 4.5.5422 |
ZOOM-029 |
QZOOM455422 |
|
Zoom Outlook Plugin 4.8.5336.0928 |
ZOOMOUT-012 |
QZOOMO485336 |
