Welcome to the last Patch Roundup of 2019, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases.
A relatively light month from Microsoft, with just 37 vulnerabilities patched in this release. 7 of these are considered Critical, with one already known to be under attack.
That bug, CVE-2019-1458, is a memory handling flaw which enables privilege elevation, and various sources are speculating it may be being paired with other known bugs to ultimately create a sandbox escaper. This ultimately allows an attacker to break out of your browser’s built-in sandboxing protection to run code remotely on the victim’s machine.
The remaining notable bugs affect Visual Studio, a font parsing vulnerability (which could potentially be used in a malicious website to enable CVE-2019-1458 above), and a batch of Office flaws which enable the use of booby-trapped documents to carry out a variety of malicious acts.
After a couple of quiet months, Acrobat & Reader get a batch of updates from Adobe in December, with 21 bugs being fixed. Given the prevalence of Acrobat & Reader across enterprises, having a patching mechanism for third party apps such as these is critical. If an end user misses a couple of updates, they can easily find themselves with several hundred vulnerabilities which could be utilised just from loading malicious PDFs.
This situation tends to be more common on servers, as it’s much rarer for basic tools like this to be updated in the backoffice estate. An admin loads Acrobat Reader onto the server to read a manual, and it then doesn’t get used again for potentially years before another PDF is needed for an admin task, and so isn’t updated.
The risk is often viewed as lower, as the app is used less frequently and typically with documents from a trusted source, but the presence of an old Adobe Reader can wildly skew vulnerability scan results. And if the worst happens and an admin opens a malicious document on that server, the chances are high that it will be able to run code with admin privileges. When building out your patching & vuln scanning regimes, it’s worth making sure that the server estate is covered, either by including Adobe updates or ensuring that 3rd party minor apps aren’t loaded onto servers in the first place.
Get In Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.