Patching in Review – Week 49
Here we are at the week before the last Patch Tuesday of the year and it has been far from dull. With security releases from Adobe, Apple, and Google, you might want to consider a patching cycle this weekend. Don’t forget to register for our December Patch Tuesday webinar next week to get the latest information on Microsoft’s monthly release.
In the news, The Hacker News covered a fascinating story this week around a new ransomware spreading rapidly in China. While this ransomware does not appear to be spreading outside of China, the source of this vulnerability is alarming. The attackers added malicious code into programming software titled “EasyLanguage” that allowed the ransomware to spread rapidly. Since the application developers delivering the payload under their respective signatures, the malware has flown easily under the radar of most antivirus programs. Although the ransomware was easily bypassed and the culprit was arrested this week, it’s a great example of how supply-chain attacks can be so effective.
Security Releases
For the second time this month, Adobe released another zero-day flash update. This bulletin, titled APSB18-42, remediated two CVEs with CVE-2018-15982 as the Critical CVE. This vulnerability was discovered last week by researchers within Microsoft Word documents, where a crafted Word document contained an embedded Flash control that executes malicious code when rendered. Microsoft also released its version of Flash under KB4471311 that applies to all Windows versions after Windows 7.
Following a recent pattern before the week of Patch Tuesday, Google released a large security update for its web browser. Chrome 71.0.3578.80 was released with a total of 43 security fixes and 27 unique CVEs. This major release also contains an anticipated feature that will help users avoid abusive sites containing malicious forms to steal users’ data and money.
Lastly, Apple joins the pack with updates for iTunes and iCloud for Windows alongside releases for macOS, tvOS, and iOS. iTunes 12.9.2 and iCloud 7.9 remediate seven CVEs shared with Safari and WebKit.
Third-Party Updates
Of course, other vendors have been releasing updates for their respective software in this short week. While these updates might not have identified vulnerabilities, they still have helpful stability fixes as well as potential undisclosed security fixes:
Software Title |
Ivanti ID |
Ivanti KB |
AIMP 4.51.0.2084 |
AIMP-014 |
QAIMP4512084 |
Bandicut 3.1.4.480 |
BANDICUT-010 |
QBCUT314480 |
GoodSync 10.9.19 |
GOODSYNC-104 |
QGS109195 |
Node.JS 10.14.1 (LTS Upper) |
NOJSLU-002 |
QNODEJSLU10141 |
Node.JS 6.15.1 (Maintain) |
NOJSM-001 |
QNODEJSM6151 |
Opera 57.0.3098.91 |
OPERA-193 |
QOP570309891 |
Plex Media Player 2.23.0 |
PLXP-025 |
QPLXP2230 |
Thunderbird 60.3.3 |
TB18-6033 |
QTB6033 |
Cisco WebEx Meeting Center 32.15.32.8 |
WMC-013 |
QWMC3215328 |