Patching in Review – Week 43
Brian Secrist
With Halloween on the horizon, this week would not be complete without a good spooky story, and fortunately the internet delivered! 
Nearly two months ago we covered a security researcher named SandboxEscaper that released exploit code around the Windows ALPC vulnerability. On Tuesday, the same researcher delivered with another exploit including a proof of concept. According to The Hacker News this vulnerability affects all versions of Windows 10 where an attacker can delete critical files. In SandboxEscaper’s example, pci.sys is removed, bricking the target operating system. Microsoft released an update for the ALPC vulnerability on the following Patch Tuesday, so we might have to wait 2 more weeks until proper remediation is released.
Security Releases
Mozilla released updates for both Firefox and Firefox ESR this week with a total of 15 unique CVEs. The two critical CVEs (CVE-2018-12388, CVE-2018-12390) are both user targetable vulnerabilities where an end user could allow an attacker to execute arbitrary code on the system.
Further CVE details for each release with color coded vulnerabilities are listed below:
Further details are available on Mozilla’s security advisory pages:
Third-Party Updates
Here are the other updates we released in our content this week. These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes:
|
Software Title |
Ivanti ID |
Ivanti KB |
|
Adobe Acrobat and Reader DC Continuous 19.008.20080 |
ARDC18-006 |
QADC1900820080 |
|
Beyond Compare 4.2.7.23425 |
BEYOND-006 |
QBC42723425 |
|
CCleaner 5.48.6834 |
CCLEAN-070 |
QCCLEAN5486834 |
|
CDBurnerXP 4.5.8.7041 |
CDBXP-047 |
QCDBXP4587041 |
|
DropBox 60.4.107 |
DROPBOX-095 |
QDROPBOX604107 |
|
FileZilla Client 3.38.0 |
FILEZ-081 |
QFILEZ3380X86 |
|
Google Chrome 70.0.3538.77 |
CHROME-237 |
QGC700353877 |
|
Microsoft Power BI Desktop 2.63.3272.40461 |
PBID-041 |
QBI263327240461 |
|
PDF-Xchange PRO 7.0.327.1 |
PDFX-026 |
QPDFX703271 |
|
RealVNC Connect 6.3.2 |
RVNC-026 |
QRVNC632 |
|
Royal TS 4.3.61022 |
RTS4-017 |
QRTS40361022 |
|
Skype 8.33.0.41 |
SKYPE-146 |
QSKY833041 |
|
Snagit 2019.0.0 |
SNAG-020 |
QSNAG1900 |
|
Visual Studio 2017 version 15.8.8 |
MSNS18-1024-VS2017 |
QVS20171588 |
|
Webex Productivity Tools 33.0.5.1 |
WPT-024 |
QWPT33051 |
|
WinZip 23.0.13300 |
WZ23-001 |
QWZ23013300 |
More Patch Resources:
- Patching in Review – Week 42
- Patching in Review – Week 40
- Patching in Review – Week 39
- Patching in Review – Week 38
- Patching in Review – Week 36
- Patching in Review – Week 35
- Patching in Review – Week 25
- Patch Tuesday Blogs
- Patch Tuesday Resource Page
- Ivanti Security Products
