June Third-Party Patch Updates

It’s been an interesting month for Microsoft updates, considering the June 2020 Patch Tuesday released patches for 129 CVEs covering Windows, Microsoft browsers, and other apps. But what about the other updates?

When it comes to Windows vulnerabilities, Microsoft’s updates only account for roughly 20%; the remaining 80% includes any other vendor, such as Adobe, Google, Mozilla, and Oracle. We’re going to highlight all of the updates released since the beginning of the month.

June 2020 Adobe Updates

Adobe has been widely recognized as releasing many critical security fixes for its software suite in every month. Surprisingly, this month only included a few updates (10 CVEs) for Adobe Flash, Experience Manager, and Framemaker. The critical flash update resolves a use-after-free bug that could allow remote code execution. For Framemaker, the update is also rated as Critical and corrects a single memory corruption as well as two Out-of-Bounds write bugs. The update for Experience Manager is instead rated as Important and addresses six various bugs. Most of these are related to cross-site scripting while a few are Server-side request forgery (SSRF) flaws.

It should be noted that none of the bugs Adobe has patched are listed as publicly known or currently being weaponized.

Google Chrome Patches

The Google Chrome browser is widely-used across the globe for consumers and businesses alike and should next be recognized because of its high-severity update at the very beginning of June, as well as latest release on June 15. The desktop client release at the beginning of the month (v.83.0.4103.97) included 5 security fixes pertaining to use-after-free exploits in WebAuthentication, incorrect security UI in payments, insufficient policy enforcement in developer tools, and use-after-free in payments. It also included medium-severity fixes for Chrome in iOS.

The latest release (v.83.0.4103.106) includes more high-severity fixes for use-after-free in speech, insufficient policy enforcement in WebView, and out-of-bounds write in V8. This desktop version also applies to all desktop versions (Windows, Mac, and Linux) and Google stated will “roll out over the coming days/weeks.”

Latest Firefox Updates

Mozilla Firefox, also a very popular web browser for enthusiasts, sported a number of security fixes across multiple releases in the beginning of June. On June 2, Firefox 77 and Firefox ESR 68.9 were released that included 6 high-severity fixes with 1 moderate- and 2 low-severity. These include resolution for timing attacks on DSA signatures in NSS library, use-after-free exploit in SharedWorkerService, JavaScript type confusion with NativeTypes, and memory safety bugs in v.77 and v.68.9. The lower bugs address WebRender leaking GPU memory when using border-image CSS directive as well as fixes for URL spoofing when using IP addresses or Unicode characters.

The next day after releasing Firefox 77, Mozilla released v.77.0.1 to “disable automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way,” Mozilla stated on their site. Mozilla also released a new update for its mail client, Thunderbird, in v.68.9.0. This version includes fixes for when custom headers are added for searching or filtering and cannot be removed, when the Calendar: Today Pane updates prior to loading all data, as well as stability improvements and various security fixes. There are 5 high-severity fixes including some mentioned in Firefox v.77 as well as a fix for a security downgrade with IMAP STARTTLS leading to information leakage.

Syxsense provides all of the updates previously mentioned same-day (including many more) and allows for an exceptionally smooth process with a Patch Deploy task. Simply target all devices for the newest update and the pre-packaged detection will determine if devices do/do not require the update. If they require it, the update will be automatically applied and the vulnerability remediated.

Zoom Continues to Release Updates

Zoom, which has received an exceptional influx of users, both consumers and businesses alike, has been receiving updates frequently due to mixed security concerns. Zoom v.5.0.5 (26213.0602) was released earlier this month and included a fix for supporting GIPHY again in Zoom chat as well as resolving minor bugs and adding new chat features (improved transparency of channel privacy controls and enabling public channel admins and members to add external users).

The latest release in Zoom v.5.1.0 (27830.0612) now allows meeting hosts to now unmute all for meetings of 200 participants or fewer. It also includes some minor bug fixes (not referenced in their release notes) and new/enhanced features (webinar option to delete questions and phone features including personal locations for nomadic emergency services, reconnect options, enhancements to hiding outbound caller ID, and display names for phone numbers). This update also includes enhancements and fixes for Mac, Linux, Android, iOS, and Web users.

Other June Third-Party Updates

Skype v.8.61.0.87 was released mid-June. Although Microsoft hasn’t updated FAQ (at this time) with the latest release notes, there are some changes such as one Microsoft moderator pointing out that the only “visible” change is that Moderated groups are now explicitly labelled as “Moderated Group” and TechSpot highlighting an improved chat experience with “more spacing between contacts and chats, as well as message previews for unread chats, making it even easier to follow conversations.”

Notepad++ is still extremely popular for enthusiasts as a better alternative than the standard Notepad included with Windows. The latest version (v.7.8.7) includes a number of enhancements and bug-fixes such as improving Document Map precision, fixing Find/Replace history lost issues, fixing a file reading failure (network problem) not detected issue, and assigning CTRL-M as default shortcut for invoking mark dialog.

Last, but not least, Cisco Webex released v.40.6.2 and included a few enhancements. These enhancements include the ability to see the participant’ view of what you’re sharing and now guest users can edit their name or email address from the Preview window. Cisco stated “there’s no more second-guessing whether you’re sharing, and you’ll be confident that attendees are seeing the right content,” as well as for guests able to edit their name or email not “having to go back to the pre-meeting window of the Webex Meetings desktop app[;] just hover over your name and click to change the information.” No security fixes were specified by Cisco at this time.

Managing Third-Party Updates

Even though third-party products open-up more vulnerabilities than OS updates typically do, it doesn’t have to be a difficult process to deploy them out. Leveraging a simple and powerful solution with an up-to-date library of third-party products could easily alleviate the issue across organizations.

Syxsense provides all of the updates previously mentioned same-day (including many more) and allows for an exceptionally smooth process with a Patch Deploy task. Simply target all devices for the newest update and the pre-packaged detection will determine if devices do/do not require the update. If they require it, the update will be automatically applied and the vulnerability remediated.