Patching in Review – Week 8 of 2019
It’s Patch Tuesday redux this week with a re-release from Adobe and an additional vulnerability addressed by Microsoft.
Before we get to this week's security releases, WinRAR made the headlines with the disclosure of a 19-year-old vulnerability. TheHackerNews details the flaw in unacev2.dll, the library WinRAR uses to extract ACE archives. An attacker crafts a malicious .ACE file and renames it to .RAR to increase the chances of user interaction; the rename works because WinRAR identifies the format from the file's contents rather than its extension, so the disguised file is still handed to unacev2.dll. On extraction, the specially crafted archive can lead to arbitrary code execution and full control of the targeted system. The vulnerability is fixed in version 5.70 beta 1, but that fix has yet to ship in a production release, so for now the only mitigations are to avoid extracting untrusted archives or to remove unacev2.dll from the WinRAR installation.
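Because the disguise relies on the extension lying about the format, the check a defender wants is one that reads the file header instead. The PowerShell below is an added example (not code from the original post or from WinRAR) that flags any file whose contents are an ACE archive but whose name is not *.ace. It assumes two format facts: an ACE main header carries the ASCII marker `**ACE**` at byte offset 7, and a RAR archive begins with `Rar!` followed by the bytes 0x1A 0x07. The function names and the scan path in the usage line are hypothetical.

```powershell
# Added example, not code from the original post or from WinRAR/RARLAB.
# Flags files whose extension claims RAR (or anything else) but whose
# header says ACE, i.e. the rename trick described above.
# Assumed format facts: an ACE main header carries the ASCII marker "**ACE**"
# at byte offset 7; a RAR archive begins with "Rar!" followed by 0x1A 0x07.
function Get-ArchiveKind {
    param([Parameter(Mandatory)][string]$Path)

    # Only the first 14 bytes are needed to tell the two formats apart.
    $head   = New-Object byte[] 14
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $read = $stream.Read($head, 0, $head.Length) }
    finally { $stream.Dispose() }
    if ($read -lt $head.Length) { return 'unknown' }

    $ascii = [System.Text.Encoding]::ASCII
    if ($ascii.GetString($head, 0, 4) -eq 'Rar!' -and
        $head[4] -eq 0x1A -and $head[5] -eq 0x07) {
        return 'rar'
    }
    if ($ascii.GetString($head, 7, 7) -eq '**ACE**') {
        return 'ace'
    }
    return 'unknown'
}

function Find-DisguisedAce {
    # Walk $Root and report every ACE-by-content file that is not named *.ace.
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ne '.ace' } |
        ForEach-Object {
            if ((Get-ArchiveKind -Path $_.FullName) -eq 'ace') {
                [pscustomobject]@{
                    Path             = $_.FullName
                    ClaimedExtension = $_.Extension
                }
            }
        }
}

# Usage (hypothetical path): scan a download folder for disguised ACE files.
Find-DisguisedAce -Root 'C:\Users\alice\Downloads'
```

The scan is deliberately extension-agnostic: the post describes the .RAR rename, but any extension that WinRAR is registered to open would work just as well for the attacker, so the filter only excludes files that honestly call themselves .ace.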
Security Releases
Adobe comes in as the headliner this week with an out-of-band Acrobat release to remediate a critical CVE it had already addressed on Patch Tuesday. APSB19-13 details the release for all currently supported versions of Acrobat and Acrobat Reader and fixes a bypass of the original patch for CVE-2019-7089. After APSB19-07 was released, Alex Infuhr of Cure53 noted that the information disclosure vulnerability had not been fully remediated and that he would report his bypass to Adobe. Make sure APSB19-13 is added to a patching cycle soon so this critical CVE is fully remediated; having deployed APSB19-07 is not sufficient.
Microsoft has spilled into this week with a new security advisory for a denial-of-service vulnerability in IIS. ADV190005 describes how a malicious HTTP/2 request can drive the CPU of an affected server to 100%; it affects Windows Server 2016 as well as Windows 10 1607 through 1803. Rather than a straightforward code fix, the mitigation Microsoft provides, described in KB4491420, is the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. Note that installing the update only adds the capability; an administrator still has to set the thresholds for them to take effect. Interestingly enough, this feature shipped in the non-security Windows updates released this week rather than in a Patch Tuesday update. For reference, the table below lists the affected platforms and their associated updates:
| Affected Platform | KB |
| --- | --- |
| Windows 10 Version 1607 and Windows Server 2016 | |
| Windows 10 Version 1703 | |
| Windows 10 Version 1709 and Windows Server (1709) | |
| Windows 10 Version 1803 and Windows Server (1803) | |
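Since the ADV190005 mitigation is opt-in, the practical follow-up to installing the update is setting the thresholds. The PowerShell below is an added example (not code from the advisory, the KB, or the original post) that writes the two threshold values on a server that already has the update from the table installed and then reads them back. The key path and value names are the ones documented in KB4491420; the threshold numbers are assumptions for illustration, and the KB gives the allowed range for each, so check it before lowering them. The function names are hypothetical. Run it elevated, and restart afterwards as the KB calls for, since HTTP.sys picks the values up at startup.

```powershell
# Added example, not code from ADV190005, KB4491420 or the original post.
# Sets the HTTP/2 SETTINGS thresholds that the February update makes
# available, then reads them back for verification.
# Key path and value names are the ones KB4491420 documents; the numbers
# below are assumptions for illustration (the KB lists the allowed ranges).
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Set-Http2SettingsThresholds {
    param(
        [int]$MaxSettingsPerFrame  = 20,   # assumed value, not from the KB
        [int]$MaxSettingsPerMinute = 100   # assumed value, not from the KB
    )

    # The Parameters key normally exists; create it only if it is missing.
    if (-not (Test-Path -Path $HttpParams)) {
        New-Item -Path $HttpParams -Force | Out-Null
    }

    # Both values are DWORDs; -Force overwrites an existing value.
    New-ItemProperty -Path $HttpParams -Name 'Http2MaxSettingsPerFrame' `
        -PropertyType DWord -Value $MaxSettingsPerFrame -Force | Out-Null
    New-ItemProperty -Path $HttpParams -Name 'Http2MaxSettingsPerMinute' `
        -PropertyType DWord -Value $MaxSettingsPerMinute -Force | Out-Null
}

function Get-Http2SettingsThresholds {
    # Returns $null for a value that has never been set, which is the
    # state you will see on a server that has the update but no mitigation.
    $p = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Http2MaxSettingsPerFrame  = $p.Http2MaxSettingsPerFrame
        Http2MaxSettingsPerMinute = $p.Http2MaxSettingsPerMinute
    }
}

# Usage: apply the assumed thresholds, then confirm what is in the registry.
Set-Http2SettingsThresholds -MaxSettingsPerFrame 20 -MaxSettingsPerMinute 100
Get-Http2SettingsThresholds
```

`Get-Http2SettingsThresholds` doubles as an audit check: run it across your IIS fleet and any server that reports empty values has the update but is still unmitigated. Setting the values on a machine that has not yet received the update in the table does no harm, but it does nothing until the updated HTTP.sys is installed.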
Third-Party Updates
Other third-party vendors have been busy this week with numerous non-security releases. While these releases are not associated with a CVE, they can include valuable stability fixes as well as undisclosed security fixes, so they are still worth scheduling:
| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| 7-Zip 19.00 | 7ZIP-013 | Q7ZIP1900 |
| CCleaner 5.53.7034 | CCLEAN-075 | QCCLEAN5537034 |
| Google Chrome 72.0.3626.119 | CHROME-245 | QGC7203626119 |
| DropBox 67.4.83 | DROPBOX-103 | QDROPBOX67483 |
| Firefox ESR 60.5.2 | FFE19-6052 | QFFE6052 |
| Foxit Reader 9.4.1.16828 | FI19-941 | QFI941 |
| Foxit Reader Consumer 9.4.1.16828 | FIC-004 | QNFOXITC941 |
| Foxit PhantomPDF 9.4.1.16828 | FIP-019 | QFIP941 |
| GoodSync 10.9.4 | GOODSYNC-110 | QGS109244 |
| GoToMeeting 8.39.3 | GOTOM-057 | QGTM8393 |
| Node.js 11.10.0 (Current) | NOJSC-009 | QNODEJSC11100 |
| Opera 58.0.3135.68 | OPERA-201 | QOP580313568 |
| Plex Media Player 2.28.0 | PLXP-030 | QPLXP2280 |
| PSPad 5.0.1 | PSPAD-006 | QPSP501 |
| Snagit 2019.1.1 | SNAG-023 | QSNAG1911 |
| Apache Tomcat 7.0.93 | TOMCAT-128 | QTOMCAT7093 |
| TreeSize Free 4.3.1.493 | TSF-017 | QTSF431493 |
| Zoom Outlook Plugin 4.5.46881.0214 | ZOOMOUT-006 | QZOOMO4546881 |