Patching in Review – Week 42
Brian Secrist
With security releases from Oracle, Google, and Wireshark, with a total of 45 CVEs, this week after Patch Tuesday is not to be ignored.
In the news, a vulnerability was found today in a common media streaming library that’s consumed by popular media players such as VLC and Mplayer. TheHackerNews details CVE-2018-4013 found by Cisco Talos Intelligence Group. VLC media player is one of those applications that can be unexpectedly common throughout your environment, leaving your network vulnerable to user-targeted attacks through media files. Keep an eye out for a VLC update in the near future.
Security Releases
As expected, Oracle released its quarterly Critical Patch Update Advisory detailing numerous product updates and vulnerabilities. Within this list, we will cover the commonly patched products of Java SE and VirtualBox.
Java 8 and 11 both see updates, with a total of 12 vulnerabilities remediated between the two. Java 8 has two updates with Java8u191 and Java8u192 covering 10 of the vulnerabilities. The update 191 will include all the security fixes detailed in the table below, where update 192 will include additional non-security fixes that may help with stability problems. Java 11 gets bumped up to 11.0.1 with 10 vulnerabilities as well. Eleven of these vulnerabilities do not require authentication and six require some form of user interaction. Further details around the CVEs can be found in the table below:
|
Java8u191 |
Java SE 11.0.1 |
CVSSv3 Base Score |
|
|
CVE-2018-3183 |
x |
x |
9.0 |
|
CVE-2018-3209 |
x |
8.3 |
|
|
CVE-2018-3169 |
x |
x |
8.3 |
|
CVE-2018-3149 |
x |
x |
8.3 |
|
CVE-2018-3211 |
x |
x |
6.6 |
|
CVE-2018-3180 |
x |
x |
5.6 |
|
CVE-2018-3214 |
x |
5.3 |
|
|
CVE-2018-3157 |
x |
3.7 |
|
|
CVE-2018-3150 |
x |
3.7 |
|
|
CVE-2018-13785 |
x |
x |
3.7 |
|
CVE-2018-3136 |
x |
x |
3.4 |
|
CVE-2018-3139 |
x |
x |
3.1 |
VirtualBox received an update to 5.2.20, with a total of 14 vulnerabilities this quarter. CVE-2018-3294 is at the top of the stack with a CVSSv3 score of 9.0 and is one of the few that can be exploited remotely. Although VirtualBox is not as common as Java on a network, it can be one of those tools left behind in a testing environment, leaving potential attack vectors open on your endpoints.
Google Chrome joins the pack with a major release incremented to 70. Twenty-three security fixes are included in 70.0.3538.67, with a total of 18 CVEs. Aside from the security fixes, Chrome 70 includes numerous improvements for developers.
Third-Party Updates
Here are the other updates we released in our content this week. These updates might not have CVEs, but they may still have helpful stability fixes as well as undisclosed security fixes:
|
Software Title |
Ivanti ID |
Ivanti KB |
|
MozyPro 2.38.2.674 |
MOZYP-036 |
QMOZYP2382674 |
|
MozyHome 2.38.2.674 |
MOZYH-039 |
QMOZYH2382674 |
|
Zoom Outlook Plugin 4.4.33279.0918 |
ZOOMOUT-002 |
QZOOMO4433279 |
|
GoToMeeting 8.35.2 |
GOTOM-052 |
QGTM8352 |
|
GoodSync 10.9.12 |
GOODSYNC-098 |
QGS10912 |
|
Visual Studio Code 1.28.2 |
MSNS18-1018-CODE |
QVSCODE1282 |
|
Opera 56.0.3051.52 |
OPERA-187 |
QOP560305152 |
|
Google Drive File Stream 27.1.49.1806 |
GDFS-004 |
QFS271491806 |
|
GOM Player 2.3.34.5295 |
GOM-018 |
QGOM23345295 |
|
Cumulative Update 14 for SQL Server 2014 SP2 |
SQL2014SP2-CU14 |
Q4459860 |
|
TortoiseHG 4.7.2 |
TOHG-020 |
QTOHG472 |
|
Notepad++ 7.5.9 |
NPPP-084 |
QNPPP759 |
|
Google Backup and Sync 3.43.1584.4446 |
GSYNC-015 |
QGBS34315844446 |
More Patch Resources:
