Patching in Review – Week 36
Once again, we find ourselves in the shadow of another Patch Tuesday. While we prepare ourselves for the upcoming patch cycle, be sure to review the updates released throughout the month, detailed in our previous articles linked at the bottom of the page.
In the news, the Microsoft zero-day disclosed last week appears to have been successfully exploited in the wild for almost a week now. A ZDNet article details the work of an ESET researcher who has been tracking a hacking group under the codename “PowerPool”. The group has brought the Windows ALPC zero-day into its exploit toolset, sending out emails containing a first-stage exploit payload where the zero-day is downloaded and then executed. While there has been no official confirmation from Microsoft, we expect this vulnerability to be addressed next week.
While we eagerly anticipate the deluge of patches next week, our favorite web browsers have been busy gifting us with new major releases.
Security Releases
Mozilla released updates for Firefox and Firefox ESR this week. Both updates are classified as Critical due to CVE-2018-12376, which covers multiple memory safety bugs in Firefox 61 and Firefox ESR 60.0.1 that could allow arbitrary code to run if successfully exploited.
Here’s a list of the CVEs and their color-coded severity for each branch:
| | Firefox 62.0 | Firefox ESR 60.2.0 |
|---|---|---|
| | CVE-2018-12376 | CVE-2018-12376 |
| | CVE-2018-12377 | CVE-2018-12377 |
| | CVE-2018-12378 | CVE-2018-12378 |
| | CVE-2018-12375 | |
| | CVE-2017-16541 | CVE-2017-16541 |
| | CVE-2018-12379 | CVE-2018-12379 |
| | CVE-2018-12381 | CVE-2018-12381 |
| | CVE-2018-12382 | |
| | CVE-2018-12383 | |
| Total | 9 | 6 |
Google joined the party as well with a major version release containing numerous security fixes. According to Google’s release notes, a total of 40 security fixes were addressed in 69.0.3497.81, with 24 CVEs. Seven of the CVEs are classified as High severity by Google; these primarily consist of assorted out-of-bounds reads/writes where unauthorized code or commands could be executed.
Further CVE breakdown by classification can be found below:
| | Critical | High | Medium | Low |
|---|---|---|---|---|
| | | CVE-2018-16065 | CVE-2018-16072 | CVE-2018-16084 |
| | | CVE-2018-16066 | CVE-2018-16073 | CVE-2018-16085 |
| | | CVE-2018-16067 | CVE-2018-16074 | CVE-2018-16086 |
| | | CVE-2018-16068 | CVE-2018-16075 | CVE-2018-16087 |
| | | CVE-2018-16069 | CVE-2018-16076 | CVE-2018-16088 |
| | | CVE-2018-16070 | CVE-2018-16077 | |
| | | CVE-2018-16071 | CVE-2018-16078 | |
| | | | CVE-2018-16079 | |
| | | | CVE-2018-16080 | |
| | | | CVE-2018-16081 | |
| | | | CVE-2018-16082 | |
| | | | CVE-2018-16083 | |
| Totals | 0 | 7 | 12 | 5 |
Third-Party Updates
Of course, other vendors have been releasing updates for their respective software. While these updates might not have identified vulnerabilities, they still have helpful stability fixes as well as potential undisclosed security fixes:
| Software Title | Ivanti ID | Ivanti KB |
|---|---|---|
| GoodSync 10.9.7 | GOODSYNC-093 | QGS1097 |
| KeePass Classic 1.36 | KEEP-027 | QKPC136 |
| Nitro Pro 12.3.0.240 | NITRO-015 | QNITRO1230240 |
| Opera 55.0.2994.56 | OPERA-181 | QOP550299456 |
| Paint.net 4.1 | PDN-006 | QPDN4100 |
| Plex Media Player 2.18.0 | PLXP-019 | QPLXP2180 |
| Slack Machine-Wide Installer 3.3.1 | SMWI-027 | QSMWI331 |
| SQL Server Management Studio 17.9 | SSMS17-009 | QSSMS17285 |
| TreeSize Free 4.2.2.474 | TSF-014 | QTSF422474 |
| Visual Studio Code 1.27.1 | MSNS18-0906-CODE | QVSCODE1271 |
| VLC Media Player 3.0.4 | VLC-304 | QVLC304 |
| VMWare Horizon Client 4.9.0 | VMWH-007 | QVMWH490 |
| XnView 2.46 | XNVW-006 | QXNVW246 |
More Patch Resources:
- Patching in Review – Week 35
- Patching in Review – Week 34
- Patching in Review – Week 32
- Patching in Review – Week 31
- Patching in Review – Week 30
- Patching in Review – Week 29
- Patching in Review – Week 27
- Patching in Review – Week 26
- Patching in Review – Week 25
- Patch Tuesday Blogs
- Patch Tuesday Resource Page
- Ivanti Security Products