Tim Lovegrove
Security Analyst
Welcome once again to the Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases.
Microsoft
74 vulnerabilities get patched by Microsoft this month, with 14 of those being considered Critical. Of these, a Remote Code Execution bug in Internet Explorer is already being used in the wild, making it a true zero-day and making it all the more urgent to get these patches out to desktops pronto.
The bug also affects Office and is exploited via specially crafted documents, however the bigger news for Office is a flaw in the Mac version, something of a rarity. This vulnerability involves a rarely-used variation on XML Macros, which don’t respect the usual “do not auto-run macros” controls in place in all versions of the product. This control typically prevents document macro attacks from happening just by opening the document, however this variant sneaks past the control and can execute arbitrary code without warning.
Also notable are a batch of Hyper-V bugs. As with any virtualisation tool, the worst-case scenario is hypervisor escape (or guest escape), whereby code run on the guest virtual machine allows the attacker to gain access to the underlying hypervisor. This is a bad situation, especially for cloud providers or other multi-tenant environments, as it could allow the attacker to gain access to other guest machines running on the hardware. In this case, all 4 bugs - CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, CVE-2019-1398 – provide the ability for an attacker to run malicious code on the underlying host.
Adobe
We’re hesitant to say the days of Flash are finally over, but with the functionality it provided being overtaken by HTML5 and other web technologies, and with the plugin’s legacy support being natively brought into the browser (and sandboxed in many cases), it seems Adobe is winding down support for it to a near-standstill. It’s been several months since any kind of security update for Flash, and November continues that trend. We get some updates for a few products, the less-widely deployed Illustrator, Animate CC, Adobe Media Encoder and Bridge CC, but nothing for Flash, Reader or Acrobat landed as part of Patch Tuesday.
VMware
ESXi gets minor patches most months, but the more substantial semi-annual Update X releases roll these up and add further features and bug fixes. There are a few things which stand out in the recent 6.7 Update 3, aside from some extra drivers and the new Hardware Version 15.
The ESXCLI command line functionality has been extended and now includes a standalone installer for Linux. The ESXCLI interface allows admins, scripts and other tasks to run ESXi command line activities remotely, allowing for a wide range of system functionality to be called or scheduled offboard. It makes things like taking snapshots, migrating VMs or standing up new guests much easier to manage and automate.
The Meltdown and Spectre side channel attack vulnerabilities were (and still are) a considerable headache in the world of virtualisation. On a regular server they’re potent enough, but for cloud providers and other multi-tenant environments they provide the potential for attackers to hop from one customer to another if they are hosted on the same tin. The mitigations for the vulnerabilities can also affect server performance to varying degrees, which has caused some reluctance to deploy them. Update 3 provides a Side Channel Aware Scheduler, which attempts to restore some of the performance hit of these mitigations.
Get in Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.