With security releases from Oracle, Google, and Wireshark totaling 45 CVEs, this week after Patch Tuesday is not to be ignored.

In the news, a vulnerability was found today in a common media streaming library that is used by popular media players such as VLC and MPlayer. The Hacker News details CVE-2018-4013, found by Cisco Talos Intelligence Group. VLC media player is one of those applications that can be unexpectedly common throughout your environment, leaving your network vulnerable to user-targeted attacks through media files. Keep an eye out for a VLC update in the near future.

Security Releases

As expected, Oracle released its quarterly Critical Patch Update Advisory detailing numerous product updates and vulnerabilities. Within this list, we will cover the commonly patched products of Java SE and VirtualBox.

Java 8 and 11 both see updates, with a total of 12 vulnerabilities remediated between the two. Java 8 has two updates, Java8u191 and Java8u192, covering 10 of the vulnerabilities. Update 191 includes all the security fixes detailed in the table below, whereas update 192 includes additional non-security fixes that may help with stability problems. Java 11 gets bumped up to 11.0.1, which also covers 10 vulnerabilities. Eleven of these vulnerabilities do not require authentication and six require some form of user interaction. Further details around the CVEs can be found in the table below:

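| CVE | Java8u191 | Java SE 11.0.1 | CVSSv3 Base Score |
|---|---|---|---|
| CVE-2018-3183 | x | x | 9.0 |
| CVE-2018-3209 | x | | 8.3 |
| CVE-2018-3169 | x | x | 8.3 |
| CVE-2018-3149 | x | x | 8.3 |
| CVE-2018-3211 | x | x | 6.6 |
| CVE-2018-3180 | x | x | 5.6 |
| CVE-2018-3214 | x | | 5.3 |
| CVE-2018-3157 | | x | 3.7 |
| CVE-2018-3150 | | x | 3.7 |
| CVE-2018-13785 | x | x | 3.7 |
| CVE-2018-3136 | x | x | 3.4 |
| CVE-2018-3139 | x | x | 3.1 |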

VirtualBox received an update to 5.2.20, with a total of 14 vulnerabilities this quarter. CVE-2018-3294 is at the top of the stack with a CVSSv3 score of 9.0 and is one of the few that can be exploited remotely. Although VirtualBox is not as common as Java on a network, it can be one of those tools left behind in a testing environment, leaving potential attack vectors open on your endpoints.

Google Chrome joins the pack with a major release incremented to 70. Twenty-three security fixes are included in 70.0.3538.67, with a total of 18 CVEs. Aside from the security fixes, Chrome 70 includes numerous improvements for developers.

Third-Party Updates

Here are the other updates we released in our content this week. These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes:

| Software Title | Ivanti ID | Ivanti KB |
|---|---|---|
| MozyPro 2.38.2.674 | MOZYP-036 | QMOZYP2382674 |
| MozyHome 2.38.2.674 | MOZYH-039 | QMOZYH2382674 |
| Zoom Outlook Plugin 4.4.33279.0918 | ZOOMOUT-002 | QZOOMO4433279 |
| GoToMeeting 8.35.2 | GOTOM-052 | QGTM8352 |
| GoodSync 10.9.12 | GOODSYNC-098 | QGS10912 |
| Visual Studio Code 1.28.2 | MSNS18-1018-CODE | QVSCODE1282 |
| Opera 56.0.3051.52 | OPERA-187 | QOP560305152 |
| Google Drive File Stream 27.1.49.1806 | GDFS-004 | QFS271491806 |
| GOM Player 2.3.34.5295 | GOM-018 | QGOM23345295 |
| Cumulative Update 14 for SQL Server 2014 SP2 | SQL2014SP2-CU14 | Q4459860 |
| TortoiseHG 4.7.2 | TOHG-020 | QTOHG472 |
| Notepad++ 7.5.9 | NPPP-084 | QNPPP759 |
| Google Backup and Sync 3.43.1584.4446 | GSYNC-015 | QGBS34315844446 |
