Patching in Review – Week 5 of 2019

This week’s theme encompasses all web browsers, with major security releases for Chrome and Firefox as well as upcoming support changes for Internet Explorer.

Microsoft announced the end to Internet Explorer 10 this week, with an upcoming upgrade path for Server 2012 and Windows Embedded 8 systems. Detailed on its blog post, Internet Explorer 11 will be available for these platforms this spring, with support for Internet Explorer 10 ending in 2020. For 2019, it looks like separate updates for each major version will be supported to assist with this transition.

Security Releases

For the first time this year, Google Chrome saw a major update this week with version 72. According to Google’s release blog, this release includes 58 security fixes with 29 having CVE assignments. A rare critical vulnerability, CVE-2019-5754, is disclosed in this release where an attacker could execute code on an endpoint by simply visiting a malicious website. On Week 52 last year, I covered a Google Chrome exploit where a website can force a system’s resources to max out at 100%. This issue (917493, currently behind a login now) is not listed within the fixes list, so make sure to avoid these malicious pages until a proper fix is released.

Following the trend, Mozilla released security updates for Firefox, Firefox ESR, and Thunderbird. A total of eight CVEs are included in these releases, with two critical CVEs shared between all releases. With Firefox 65, Mozilla has also released MSI installers for the first time for enterprise users. A list of CVEs with affected products as well as color-coded severity is below:

Third-Party Updates

Alongside these browser updates, other vendors released non-security updates for the week. These patches may contain undisclosed security fixes as well as valuable stability fixes.