Patching in Review – Week 31
Good news, everyone! The world of patching has been quiet this week with no high-profile security releases!
Take this opportunity to deploy both the Microsoft OS and .NET non-security updates released over the past two weeks. This will clean up some of the stability issues left over from earlier in the month. In the wake of July’s quality concerns, patching veteran Susan Bradley wrote an open letter to Microsoft, posted at ComputerWorld.
NetSpectre
2018 will be remembered as the year of Spectre/Meltdown, with new variants still being discovered throughout the year. Late last week, researchers from the Graz University of Technology in Austria released a research paper titled “NetSpectre: Read Arbitrary Memory over Network” describing how an attacker can exfiltrate data by targeting the computer’s network ports.
This exploit uses the Spectre variant 1 vulnerability (CVE-2017-5753) that was initially announced in January, but the complexity of remediation should not be underestimated. Even if your operating systems are up to date, you may still be vulnerable. Full remediation requires a two-step process of OS patching and firmware updates.
First, the OS must be updated. For Windows, there is a dizzying number of patches that can be applied to remediate this vulnerability. With the cumulative patch model for Windows 10, any patch released on January Patch Tuesday or later will mitigate CVE-2017-5753. For Windows 8.1/2012 R2 and earlier, a Security-Only bundle released in January or February, or a Monthly Rollup released in January or later, will cover this vulnerability. But remember, to stay ahead of this game, you should always deploy the latest updates to get the latest security fixes.
Second, the computer’s firmware needs to be patched. This is usually in the form of a BIOS update. While there is no centralized location for these patches, here are links to a few common vendors:
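The two-step check described above can be run against a patch inventory. The following is an added example, not code from the original post or from Ivanti; the host records, the OS family labels, the update kind labels and the firmware_updated flag are all assumptions made for illustration.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

JAN_PT = patch_tuesday(2018, 1)  # cutoff for Windows 10 cumulative updates

def os_step_done(os_family, updates):
    """updates: (kind, release_date) pairs; kind is cumulative, rollup or security-only."""
    for kind, released in updates:
        if os_family == "win10":
            # Cumulative model: any update from January Patch Tuesday onward.
            if kind == "cumulative" and released >= JAN_PT:
                return True
        elif os_family == "win8.1-or-earlier":
            # Monthly Rollups are cumulative; Security-Only bundles are not,
            # so only the January or February bundle counts.
            if kind == "rollup" and released >= date(2018, 1, 1):
                return True
            if kind == "security-only" and date(2018, 1, 1) <= released < date(2018, 3, 1):
                return True
    return False

def assess(host):
    """Report which of the two remediation steps a host still needs."""
    os_ok = os_step_done(host["os"], host["updates"])
    fw_ok = host["firmware_updated"]  # assumption: recorded when the BIOS update was applied
    if os_ok and fw_ok:
        return "remediated"
    if os_ok:
        return "needs firmware update"
    return "needs OS patch" if fw_ok else "needs OS patch and firmware update"

# Constructed inventory for illustration, not real hosts.
INVENTORY = [
    {"name": "WS-01", "os": "win10", "firmware_updated": True,
     "updates": [("cumulative", date(2018, 7, 10))]},
    {"name": "WS-02", "os": "win10", "firmware_updated": True,
     "updates": [("cumulative", date(2017, 12, 12))]},
    {"name": "SRV-01", "os": "win8.1-or-earlier", "firmware_updated": False,
     "updates": [("security-only", date(2018, 3, 13))]},
    {"name": "SRV-02", "os": "win8.1-or-earlier", "firmware_updated": False,
     "updates": [("rollup", date(2018, 7, 10))]},
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host["name"], "->", assess(host))
```

SRV-01 shows the case that is easy to miss: a March Security-Only bundle on its own does not satisfy the OS step, because only the January or February bundle carries the fix.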
Third-Party Updates
Here are the other updates we released in our content this week. These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes:
Ivanti ID | Ivanti KB | Bulletin Title
ALLSYNC-006 | QALLSYNC18711 | Allway Sync 18.7.11
CHROME-231 | QGC680344084 | Google Chrome 68.0.3440.84
DROPBOX-089 | QDROPBOX54490 | DropBox 54.4.90
GOODSYNC-091 | QGS1095 | GoodSync 10.9.5
GOTOM-047 | QGTM832 | GoToMeeting 8.32.0
LIBRE-099 | QLIBRE606 | LibreOffice 6.0.6
MSNS18-08-VS2017 | QVS20171576 | Visual Studio 2017 version 15.7.6
PLXS-024 | QPLXS11355291 | Plex Media Server 1.13.5.5291
RTS4-013 | QRTS40360729 | Royal TS 4.3.60729
SM18-2494 | QSM2494 | SeaMonkey 2.49.4
TSF-012 | QTSF421470 | TreeSize Free 4.2.1.470
More Patch Resources: