Patching in Review – Week 6 of 2019
Only a few days before our favorite time of the month, everyone! With Patch Tuesday around the corner, don’t forget to register for our Patch Tuesday Webinar for in-depth coverage and analysis!
A remote code execution vulnerability has been disclosed for OpenOffice and LibreOffice, in which an attacker can run arbitrary code through a malicious document. BleepingComputer details the vulnerability, which was initially reported to the software vendors in October of 2018 and finally publicly disclosed earlier this month. LibreOffice has had this vulnerability covered since 6.0.7/6.1.3 was released on November 11, 2018, while Apache OpenOffice is still vulnerable to this attack. This is a great reminder to deploy “non-security” updates in a timely manner, since these releases may remediate vulnerabilities that have not yet been disclosed.
Exchange Security Advisory
Although there were no major third-party releases for the week, Microsoft released a Security Advisory for all supported versions (2010 – 2019) of its on-premises Exchange server. The vulnerability, disclosed by Dirk-jan Mollema with a proof of concept, has been dubbed “PrivExchange”; with it, an attacker can effectively gain Domain Administrator access through an unsecured Exchange instance. While there is no patch that completely remediates this vulnerability, the advisory above covers actions that can be performed to mitigate the attack. Microsoft did state that it is working to release an update to patch this attack in the future, but it is unknown when it will be available.
Third-Party Updates
Although there were no notable security releases this week, vendors did release “non-security” updates for their products. As with the LibreOffice article above, these updates may very well remediate security vulnerabilities even if they are not detailed.
| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Apache Tomcat 9.0.16 | TOMCAT-126 | QTOMCAT9016 |
| DropBox 66.4.84 | DROPBOX-102 | QDROPBOX66484 |
| Google Chrome 72.0.3626.96 | CHROME-243 | QGC720362696 |
| Google Drive File Stream 29.1.81.1921 | GDFS-010 | QFS291811921 |
| LibreOffice 6.1.5.2 | LIBRE-107 | QLIBRE6152 |
| LibreOffice 6.2.0.3 | LIBRE-106 | QLIBRE6203 |
| LogMeIn 4.1.12112 | LMI-015 | QLMI4112112 |
| Plex Media Player 2.27.0 | PLXP-029 | QPLXP2270 |
| Skype 8.38.0.161 | SKYPE-151 | QSKY8380161 |
| Splunk Universal Forwarder 7.2.4 | SPLUNKF-034 | QSPLUNKF724 |
| Visual Studio Code 1.31.0 | MSNS19-0206-CODE | QVSCODE1310 |