Patching in Review – Week 13 of 2019

As we find ourselves in between Patch Tuesdays, our third-party vendors have kept this week interesting with both Mozilla and Apple releasing critical security updates to respective software.

The highlight in security news this week surrounds a supply-chain attack in ASUS’s updater software. Dubbed Operation ShadowHammer, a currently unidentified group of hackers exploited the “ASUS Live Update” software and distributed their malicious code through ASUS’ content delivery network. This software avoided detection for as long as the installers were digitally signed using legitimate ASUS certificates. Shortly after the public announcement, ASUS confirmed that the malicious binary has been replaced with version 3.6.8 that includes additional security mechanisms to prevent further exploits.

Security Releases

Firefox released updates for Firefox, Firefox ESR, and Thunderbird for the second time within a week, with an additional two Critical CVEs. Each CVE was discovered during day two of Pwn2Own 2019 where researchers were able to execute code at the SYSTEM level through a specially crafted website. The proof of concept has already been published for CVE-2019-9810, so the patching urgency around these releases is much higher than a more routine release.

Apple had its own “Patch Tuesday” this week with a series of high-profile security fixes for MacOS and iOS. Alongside these updates, iCloud 7.11 and iTunes 12.9.4 were released, remediating a total of 21 unique CVEs between the two products. Most of these vulnerabilities are present within Apple’s WebKit browser engine where an attacker could execute arbitrary code, circumvent the software’s sandbox, or read sensitive system data.

Third-Party Updates

In addition to the security updates for the week, numerous non-security updates were also released from our other supported vendors. Be sure to review the list below to include these updates in your next patching cycle: