Patching in Review – Week 25 of 2019
While the week after Patch Tuesday tends to be uneventful, Mozilla made sure that was not the case this time, shipping fixes for two zero-days back to back.
In the news, Danny Palmer of ZDNet wrote a good piece on the new trends among threat actors. While ransomware appears to be on the decline in volume, the cumulative damage from these attacks is increasing. What sets the new attacks apart is how specific and targeted they have become. Attackers are no longer spraying out malware to infect users' workstations the way WannaCry did. Instead, they tend to go after systems that remain out of date for longer periods. In the ZDNet article, Palmer quotes Chet Wisniewski, principal research scientist at Sophos:
"Servers don't have nearly the same protections in place that desktops do. The same company that tells me they do 'Patch Tuesday' within 10 days for desktops will tell me it's 90 days for server. Those servers are glaring weak-spots in our strategy currently and the criminals are going straight for it."
These critical infrastructure points are also far more exposed to a successful ransomware attack, since the ransom demanded is often far less than the cost of the disruption to the organization.
Security Releases
Firefox received not one but two updates this week to remediate vulnerabilities being actively exploited against cryptocurrency firms such as Coinbase. First, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 under MFSA2019-18 to remediate CVE-2019-11707, a zero-day vulnerability in the JavaScript engine. Within the same week, Mozilla released Firefox 67.0.4 and Firefox ESR 60.7.2 under MFSA2019-19 to remediate CVE-2018-11708, a sandbox escape vulnerability that, chained with the first, let the attacker run arbitrary code on the endpoint.
These two vulnerabilities were used together to steal cryptocurrency-related information via phishing attacks. According to DigitalSecurity, the attackers sent an email inviting the recipient to participate in the "Adams Prize", with a link to enroll. Once the user navigated to the URL, a payload was downloaded and executed on the endpoint to open a backdoor into the system. Alarmingly, the attack was not limited to Windows: the malicious website would drop a malicious "Finder.app" on macOS systems to complete the exploit.
Third-Party Updates
While Mozilla was the highest-profile third-party application this week, other vendors also released updates carrying valuable stability fixes, as well as possible undocumented security fixes:
Software Title | Ivanti ID | Ivanti KB
Blue Jeans 2.13.533.0 | JEANS-018 | QBJN2135330
GOM Player 2.3.42.5304 | GOM-027 | QGOM23425304
GoodSync 10.9.34.5 | GOODSYNC-120 | QGS109345
Microsoft Power BI Desktop 2.70.5494.761 | PBID-060 | QBI2705494761
Notepad++ 7.7.1 | NPPP-093 | QNPPP771
Plex Media Server 1.16.0.1226 | PLXS-038 | QPLXS11601226
Slack Machine-Wide Installer 3.4.3 | SMWI-031 | QSLACK343
Zoom Client 4.4.53901 | ZOOM-024 | QZOOM4453901