Patching in Review – Week 51
Nothing is better than a proper gift for the holidays, and what could be a better gift than an out-of-band release from Microsoft? Spread the holiday cheer in your networks this week with the critical patches listed below!
Before we get to the patches, our favorite security researcher SandboxEscaper strikes again with her third disclosed zero-day of the year. BleepingComputer details the proof of concept where the vulnerability in ReadFile.exe allows an attacker to copy any files on the endpoint with SYSTEM privileges. The first two disclosed vulnerabilities, CVE-2018-8440 and CVE-2018-8584, were remediated on the next Patch Tuesday, so expect this to receive a patch in January.
Security Releases
Microsoft released an emergency patch Wednesday for a zero-day vulnerability in Internet Explorer’s scripting engine. The JScript vulnerability (CVE-2018-8653) allows an attacker to exploit the scripting engine within IE when a user simply views a malicious website. Once successful, the attacker can gain control of the system with the user’s rights.
A total of seven distinct KBs were released for supported IE versions as well as actively supported versions of Windows 10. It is worth noting that the delta patches that are released on Patch Tuesday for 1607, 1703, 1709, and 1803 were not included, so the full cumulative update will need to be deployed for remediation. For reference, the table below summarizes the KBs and their affected products:
| Affected products | KB |
| --- | --- |
| IE9 (Server 2008), IE10 (Server 2012), IE11 (Windows 7, 8.1 / Server 2008 R2, 2012 R2) | |
| Windows 10 LTSB 2015 | |
| Windows 10 Version 1607 / Server 2016 | |
| Windows 10 Version 1703 | |
| Windows 10 Version 1709 | |
| Windows 10 Version 1803 | |
| Windows 10 Version 1809 / Server 2019 | |
Third-Party Updates
Outside of the critical release above, this week has not been boring, with a considerable number of non-security releases. It is worth remembering that these updates may contain undisclosed security remediations as well as helpful stability fixes.
| Bulletin title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Apache Tomcat 8.5.37 | TOMCAT-125 | QTOMCAT8537 |
| Citrix Receiver 4.9.5000, LTSR Cumulative Update 5 | CTXR-016 | QCTXR495000 |
| GOM Player 2.3.36.5297 | GOM-020 | QGOM23365297 |
| GoodSync 10.9.20 | GOODSYNC-105 | QGS10920 |
| LibreOffice 6.1.4.2 | LIBRE-105 | QLIBRE614 |
| Microsoft Power BI Desktop 2.65.5313.701 | PBID-046 | QBI2655313701 |
| Node.JS 11.5.0 (Current) | NOJSC-004 | QNODEJSC1150 |
| Node.JS 8.14.1 (LTS Lower) | NOJSLL-002 | QNODEJSLL8141 |
| Opera 57.0.098.106 | OPERA-195 | QOP5703098106 |
| PDF-Xchange PRO 7.0.328.1 | PDFX-028 | QPDFX703281 |
| Plex Media Server 1.14.1.5488 | PLXS-029 | QPLXS11415488 |
| R for Windows 3.5.2 | R-002 | QR352 |
| Splunk Universal Forwarder 7.2.2 | SPLUNKF-032 | QSPLUNKF722 |
| SQL Server Management Studio 17.9.1 | SSMS17-010 | QSSMS17289 |
| VirtualBox 6.0.0 | OVB-017 | QOVB6000 |
| Visual Studio Code 1.30.1 | MSNS18-1219-CODE | QVSCODE1301 |
| Zoom Client 4.1.35374 | ZOOM-014 | QZOOM4135374 |