It’s Patch Tuesday redux this week with a re-release from Adobe and an additional vulnerability addressed by Microsoft.

Before we get to the security releases this week, WinRAR made the headlines this week with the discovery of a 19-year-old vulnerability. TheHackerNews details the vulnerability in unacev2.dll where an attacker can create an .ACE file, then rename it to a .RAR file to increase the chances of user interaction. On extraction, a special-crafted file can take full control over the targeted system through arbitrary code execution. This vulnerability is currently resolved in version 5.70 beta 1, but it has yet to be included in a production release.

Security Releases

Adobe comes in as the headliner this week with an out-of-band Acrobat release to remediate a previously addressed critical CVE on Patch Tuesday. APSB19-13 details the release for all currently supported versions of Acrobat and Acrobat Reader where a bypass for CVE-2019-7089 is addressed. After the release of APSB19-07, Alex Infuhr of Cure53 commented that the information disclosure vulnerability had not been fully remediated and his discovered bypass would be reported to Adobe. Make sure to get APSB19-13 added to a patching cycle soon so this critical CVE can be fully remediated.

Microsoft has spilled into this week with a new security advisory detailing a vulnerability where IIS servers can be compromised through a DoS attack. ADV190005 details the vulnerability that affects Server 2016 as well as Windows 10 1607 through 1803. To remediate this vulnerability, Microsoft has provided a feature to define thresholds on the number of HTTP/2 SETTINGS included in a request as defined in KB4491420. Interestingly enough, this feature has been included in the latest Windows non-securities released this week. For reference, see the table below with the affected platforms and associated patches:

Affected Platform

KB

Windows 10 Version 1607 and Windows Server 2016

KB4487006

Windows 10 Version 1703

KB4487011

Windows 10 Version 1709 and Server (1709)

KB4487021

Windows 10 Version 1803 and Server (1803)

KB4487029

Third-Party Updates

Other third-party vendors have been busy this week with numerous non-security releases. While these releases are not associated with a CVE, they can include valuable stability fixes as well as undisclosed security fixes:

Software Title

Ivanti ID

Ivanti KB

7-Zip 19.00

7ZIP-013

Q7ZIP1900

CCleaner 5.53.7034

CCLEAN-075

QCCLEAN5537034

Google Chrome 72.0.3626.119

CHROME-245

QGC7203626119

DropBox 67.4.83

DROPBOX-103

QDROPBOX67483

Firefox ESR 60.5.2

FFE19-6052

QFFE6052

Foxit Reader 9.4.1.16828

FI19-941

QFI941

Foxit Reader Consumer 9.4.1.16828

FIC-004

QNFOXITC941

Foxit PhantomPDF 9.4.1.16828

FIP-019

QFIP941

GoodSync 10.9.4

GOODSYNC-110

QGS109244

GoToMeeting 8.39.3

GOTOM-057

QGTM8393

Node.JS 11.10.0. (Current)

NOJSC-009

QNODEJSC11100

Opera 58.0.3135.68

OPERA-201

QOP580313568

Plex Media Player 2.28.0

PLXP-030

QPLXP2280

PSPad 5.0.1

PSPAD-006

QPSP501

Snagit 2019.1.1

SNAG-023

QSNAG1911

Apache Tomcat 7.0.93

TOMCAT-128

QTOMCAT7093

TreeSize Free 4.3.1.493

TSF-017

QTSF431493

Zoom Outlook Plugin 4.5.46881.0214

ZOOMOUT-006

QZOOMO4546881