Patching in Review – Week 9 of 2019
We are still over a week away from Patch Tuesday, yet third parties are filling the gap with numerous security releases, with a high-profile vulnerability dropping this week.
In the news, IBM Security released a report on cyberattack trends that details an interesting shift away from ransomware. ZDNet covers the report, in which the previously profitable practice of ransomware is being traded for “cryptojacking,” where an attacker instead leverages the endpoint’s computing power to mine cryptocurrencies. Make sure to monitor endpoint resources, as this load on endpoints can be hard to detect.
Security Releases
WinRAR leads this week with a fix for the recently discovered 19-year-old ACE vulnerability, where a specially crafted .ACE file renamed to .RAR could execute malicious code on the endpoint. Version 5.70 is detailed in WinRAR’s release notes with numerous fixes, including four CVEs. The urgency around this patch has also increased, with BleepingComputer covering the first active malspam campaign, which banks on the fact that so many endpoints contain this unpatched product. New language versions are being released daily, so make sure to deploy this patch when your affected language is available.
All four Node.js branches were updated this week to fix a Denial of Service vulnerability shared by all branches. While these vulnerabilities are not too severe, this product can be present in critical production environments, so make sure to add these updates to your next cycle. A summary of the releases and applicable CVEs can be found below:
| Version and Branch | Vulnerabilities |
| --- | --- |
| 11.10.1 (Current) | CVE-2019-5737 |
| 10.15.2 (LTS "Dubnium") | CVE-2019-5737 |
| 8.15.1 (LTS "Carbon") | CVE-2019-1559, CVE-2019-5737 |
| 6.17.0 (LTS "Boron") | CVE-2019-1559, CVE-2019-5737, CVE-2019-5739 |
Third-Party Updates
Although WinRAR tops the stack of third parties, other vendors released non-security updates for the week. The titles below may contain valuable stability fixes as well as other undisclosed vulnerability fixes:
| Software Title | Ivanti ID | Ivanti KB |
| --- | --- | --- |
| Google Drive File Stream 29.1.85.2056 | GDFS-011 | QFS291852056 |
| GOM Player 2.3.38.5300 | GOM-023 | QGOM23385300 |
| GoodSync 10.9.25 | GOODSYNC-111 | QGS109255 |
| Nitro Pro 12.10.1.487 | NITRO-022 | QNITRO12101487 |
| Nitro Pro Enterprise 12.10.1.487 | NITROE-003 | QNITROE12101487 |
| NVivo 12.3.0.599 | NVIVO-003 | QNVIVO1230599 |
| Opera 58.0.3135.79 | OPERA-202 | QOP580313579 |
| Microsoft Power BI Desktop 2.66.5376.2521 | PBID-050 | QBI26653762521 |
| Royal TS 5.00.61429.0 | RTS5-006 | QRTS500614290 |
| Skype 8.40.0.70 | SKYPE-153 | QSKY840070 |
| Thunderbird 60.5.2 | TB19-6052 | QTB6052 |
| TeamViewer 14.1.18533.0 | TVIEW-044 | QTVIEW141185330 |
| WinSCP 5.13.8 | WINSCP-024 | QWINSCP5138 |
| Zoom Client 4.3.46499 | ZOOM-019 | QZOOM4346499 |