Only a few days before our favorite time of the month, everyone! With Patch Tuesday around the corner, don’t forget to register for our Patch Tuesday Webinar for in-depth coverage and analysis!

A remote code execution vulnerability has been disclosed for OpenOffice and LibreOffice, in which an attacker can run arbitrary code through a malicious document. BleepingComputer details the vulnerability, which was initially reported to the software vendors in October of 2018 and was publicly disclosed earlier this month. LibreOffice has had this vulnerability covered since 6.0.7/6.1.3 was released on November 11, 2018, while Apache OpenOffice is still vulnerable to this attack. This is a great reminder to deploy “non-security” updates in a timely manner, since these releases can remediate vulnerabilities that have not yet been disclosed.

Exchange Security Advisory

Although there were no major third-party releases for the week, Microsoft released a Security Advisory for all supported versions (2010 – 2019) of its on-premises Exchange server. The vulnerability, disclosed by Dirk-jan Mollema with a proof of concept, has been dubbed “PrivExchange”; it allows an attacker to effectively gain Domain Administrator access through an unsecured Exchange instance. While there is no patch that completely remediates this vulnerability, the advisory above covers actions that can be taken to mitigate the attack. Microsoft did state that it is working on an update to patch this attack, but it is unknown when it will be available.

Third-Party Updates

Although there were no notable security releases this week, vendors did release “non-security” updates for their products. As with the LibreOffice case above, these updates may very well remediate security vulnerabilities even if those fixes are not detailed in the release notes.

| Software Title | Ivanti ID | Ivanti KB |
|---|---|---|
| Apache Tomcat 9.0.16 | TOMCAT-126 | QTOMCAT9016 |
| DropBox 66.4.84 | DROPBOX-102 | QDROPBOX66484 |
| Google Chrome 72.0.3626.96 | CHROME-243 | QGC720362696 |
| Google Drive File Stream 29.1.81.1921 | GDFS-010 | QFS291811921 |
| LibreOffice 6.1.5.2 | LIBRE-107 | QLIBRE6152 |
| LibreOffice 6.2.0.3 | LIBRE-106 | QLIBRE6203 |
| LogMeIn 4.1.12112 | LMI-015 | QLMI4112112 |
| Plex Media Player 2.27.0 | PLXP-029 | QPLXP2270 |
| Skype 8.38.0.161 | SKYPE-151 | QSKY8380161 |
| Splunk Universal Forwarder 7.2.4 | SPLUNKF-034 | QSPLUNKF724 |
| Visual Studio Code 1.31.0 | MSNS19-0206-CODE | QVSCODE1310 |