Skip to main content
Tag

third party patch management

||

Google Reveals Severe Zero-Day Vulnerabilities in Chrome

By Patch ManagementNo Comments

Google Reveals Severe Zero-Day Vulnerabilities in Chrome

Google has released a software update to the Chrome browser that patches two severe zero-day vulnerabilities that could allow the browser to be hijacked.
[vc_empty_space]
[vc_single_image image=”35547″ img_size=”full”]

Zero-Day Vulnerabilities Found in Google Chrome

Google has released a software update to the Chrome browser that patches two zero-day vulnerabilities that could potentially allow the browser to be hijacked by attackers.

One flaw affects the browser’s audio component (CVE-2019-13720) while the other vulnerability affects the PDFium library (CVE-2019-13721).

Google is urging users to update to the latest version as soon as possible. This includes Windows, Mac, and Linux devices as the version rolls out over the next few days.

“This version addresses vulnerabilities that an attacker could exploit to take control of an affected system, “ stated the Cybersecurity and Infrastructure Security Agency alert. “One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.”

Prevent Arbitrary Code Execution

The main bug (CVE-2019-13720) is a user-after-free flaw – a memory corruption flaw where an attempt is made to access memory after it has been freed. This typically causes a slew of malicious impacts from causing programs to become instable as well as potentially leading to execution of arbitrary code; sometimes even enabling full remote code execution capabilities.

The second bug (CVE-2019-13721) was discovered in the PDFium library, which was developed by Foxit and Google and provides developers with capabilities to leverage an open-source software library for viewing and searching PDF documents. This vulnerability is also considered use-after-free but has received no reports of it being exploited in the wild. It was disclosed by a researcher under the alias “bananapenguin” who received a $7500 bounty through Google’s vulnerability disclosure program.

These are considered the second round of Chrome zero-days detected this year, since back in March, Google patched another Chrome zero-day (CVE-2019-5786) which was being used together with a Windows 7 zero-day (CVE-2019-0859).

Google has stated that the update to the browser will be rolling out to users automatically over the coming days; however, all Chrome users should opt for a manual update as soon as possible.

How to Manage Chrome Vulnerabilities

Leveraging a systems management solution with an up-to-date library of third-party products could easily alleviate the issue across organizations. Syxsense provides Chrome updates same-day and allows for an exceptionally smooth process with a Patch Deploy task.

Simply target all devices for the newest Chrome 78 update and the pre-packaged detection will determine if devices do/do not require the update; if they require it, the update will be automatically applied and the vulnerability remediated.

[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Experience the Power of Syxsense

Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.

[vc_btn title=”Start a Free Trial” style=”gradient-custom” gradient_custom_color_1=”#da4453″ gradient_custom_color_2=”#8a2387″ shape=”round” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial|||” css=”.vc_custom_1573147510616{margin-top: 15px !important;}”]
|||

Adobe Patches Critical Flaw Twice in One Week

By News, Patch ManagementNo Comments

Adobe Patches Critical Flaw Twice in One Week

In a matter of days, Adobe has patched a critical information disclosure flaw in Reader twice.
[vc_empty_space]
[vc_single_image image=”27274″ img_size=”full”]

Adobe has been tripping over its own patches this week.

After its original fix failed, Adobe has issued yet another patch for a critical zero-day vulnerability in its Acrobat Reader. The previous vulnerability (CVE-2019-7089) was resolved last week in Adobe’s February 12 patch release. It was described as a sensitive data leak issue which can lead to information disclosure when exploited.

Cure53 researcher, Alex Inführ, originally reported the zero-day vulnerability in Adobe Reader. The exploit could permit attackers to steal victims’ hashed password values, known as “NTLM hashes.”

Despite an embarrassing few days, Adobe has issued a second patch (CVE-2019-7815) that will hopefully resolve the issue. This should serve as a reminder for the importance of third-party patching—ensure you never miss an update with Syxsense.

[vc_single_image image=”26424″ img_size=”full” alignment=”center” css=”.vc_custom_1550015169179{margin-top: -20px !important;}”]
[vc_separator]

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.
[vc_btn title=”Get Started with Syxsense” color=”warning” size=”lg” align=”center” link=”url:%2Fsyxsense-trial|||”]

January Third-Party Security Updates

By News, Patch Management, UncategorizedNo Comments
[vc_single_image image=”26909″ img_size=”full” alignment=”center”]

Latest Third-Party Updates

This month there are several notable updates with CVSS ratings. Apple has released critical fixes for two of their OS platforms. Adobe and Foxit both have patches with high ratings. Prioritize these updates when securing your environment.

Still using WSUS?

If so, how are you deploying third-party security updates?
It’s time to switch to an IT management solution that can deploy any security updates required. Don’t rely on an incomplete tool that can only deploy windows updates. Syxsense can deploy a wide-range of updates, including Windows, Mac, and Linux software.

[dt_default_button link=”url:%2Fsyxsense-trial%2F|||” size=”big”]Start A Free Trial[/dt_default_button]
[vc_separator]

Third-Party Updates

Vendor Category Patch Version and Release Notes: CVSS Score and Rating
Adobe Multi-purpose software Flash Player, ActiveX, and AIR: v32.0.0.114Acrobat and Reader DC: v19.010.20069 N/A7.8 and High
Apple Operating Systems macOS: v10.14.3macOS High Sierra: v10.13.6

iTunes: v12.9.3.3

9 and Critical9 and Critical

N/A

Don Ho Text and Source Code Editor Notepad: v7.6.3 N/A
Evernote Organization App Evernote: v6.17.6.8292 N/A
FileZilla FTP application FileZilla: v3.40.0 N/A
Foxit Corporation PDF software FoxitReader: v9.4.0 6.3 and High
Google Browser Google Earth Pro: v7.3.2.5495 N/A
KeePass Open-source password manager KeePass: v2.41 N/A
Mozilla Browser and Email Application Firefox: v64.0.2 N/A
Opera Web Browser Opera: v58.0.3135.47 N/A
Oracle Computer Programing Language Java: v8u202 N/A
Peter Pawlowski Audio Player Foobar2000: v1.4.2 N/A
RealVNC Remote Access Software RealVNC Viewer: v6.19.1 N/A
WinSCP Web Client WinSCP: v5.13.7 N/A
Wireshark Open-source packet analyzer Wireshark: v2.6.6 N/A
|||

December Third-Party Security Updates

By News, Patch ManagementNo Comments
[vc_single_image image=”25879″ img_size=”full” alignment=”center”]

Business Evolves with Technology

Recently, Forbes outlined 5 ways retail is attempting to redefine itself. Overall, businesses are experimenting with new technologies, utilizing IoT devices to craft a more engaging shopping experience. But are they exposing themselves to security risks?

“Smart IoT devices such as beacons and smart shelves offer retail companies the efficiency to ensure their staff are effectively utilized, but physical IoT technology that is not secured properly can leave networks accessible to threats,” notes Rob Brown, director of services at Syxsense.

“Although smart in name, smart IoT uses open wireless networks and Bluetooth in order to communicate, creating more vulnerable endpoints in brick-and-mortar establishments,” he continues. “Tracking these IoT devices in retail companies is essential, because without knowing which ones you have, you cannot identify which ones are less secure or have known vulnerabilities which can be exploited.”

So, how can massive businesses with thousands of stores be expected to track a complex network of IoT devices? They can implement an IT management solution that leverages live, accurate, actionable, and secure data.

What Is Realtime Security?

  • Live:  Realtime Security pulls live data from thousands of devices, direct to a web console, in seconds. By eliminating stale data, IT management and security decisions are based on what is happening right now, not in the past.

 

  • Accurate: If device scans are run at night when devices are offline, hidden behind a firewall or roaming, security and IT teams have an incomplete view of their environment. Realtime Security eliminates blind spots enabling teams to manage their environment with 100% visibility.
[vc_single_image image=”25331″ img_size=”large” alignment=”center”]
  • Actionable: With no steep learning curve, Realtime Security’s simple to learn web interface leverages AI, and empowers teams with the information and skill to act instantly.

 

  • Secure:  Why juggle multiple consoles for device and security management? In a single place, security and IT operations can understand their exposed security risk, patch, deploy software, stop security breaches, satisfy compliance agencies and more.

Whether organizations are looking for endpoint security or IT management capabilities, including patch management, software distribution and remote control, Realtime Security is the only cloud-based approach to security and systems management which enables 10-second endpoint visibility and control thousands of devices.

[dt_default_button link=”url:%20https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]
[vc_separator]

Third-Party Updates

[vc_single_image image=”25887″ img_size=”large” alignment=”center”]

 

Vendor Category Patch Version and Release Notes:
Apache Open-source Office Suite  

OpenOffice: v4.1.5 – https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.6+Release+Notes

 

 

Don Ho

 

Text and Source Code Editor  

Notepad: v7.6 – https://notepad-plus-plus.org/news/notepad-7.6-released.html

 

Evernote Organization App  

Evernote: v6.16.4.8094 – https://evernote.com/security/updates

 

GNOME Foundation  

Open-source Graphics Editor

 

 

GIMP: v2.10.8 – https://www.gimp.org/release-notes/gimp-2.10.html

 

Google Browser  

Chrome: v70.0.3538.110 – https://chromereleases.googleblog.com/2018/11/stable-channel-update-for-desktop_19.html

 

Mozilla Browser and Email Application  

Firefox: v63.0.3 – https://www.mozilla.org/en-US/firefox/63.0.3/releasenotes/

 

Thunderbird: v60.3.1 – https://www.thunderbird.net/en-US/thunderbird/60.3.1/releasenotes/

 

Peter Pawlowski Audio Player  

Foobar200: v1.4.1 – https://www.foobar2000.org/changelog

 

The Document Foundation Open-source Office Suite  

LibreOffice: v6.1.3 – https://www.libreoffice.org/download/release-notes/

 

Uvnc bvba Remote Desktop Access  

UltraVNC: v1.2.2.3 – http://forum.ultravnc.info/viewtopic.php?f=72&t=34183&sid=8cbefbea99d4d185644be65c43f30c70

 

WinSCP Web Client  

WinSCP: v5.13.6 – https://winscp.net/eng/docs/history

 

||

November Third-Party Security Updates

By News, Patch ManagementNo Comments
[vc_single_image image=”25539″ img_size=”full” alignment=”center”]

Critical Updates for Apple and More

On the same day that Apple announced their new set of products, they released a massive group of updates. These patches address critical vulnerabilities throughout their operating systems and software offerings. The OS vulnerabilities, both iOS and macOS, could allow arbitrary code execution.

While Apple won’t reveal much about how potential exploitation of these bugs might work, they are rated as critical. It’s important to assess how many Apple devices are lurking within your network. Then implement a strategic rollout of the needed updates.

One-Third of Oracle Updates are Critical

The latest release of Java contains fixes for multiple critical vulnerabilities. Surprisingly, this number is down from the same time last year. Could Java be trending in the right direction? Only time will tell, but for now, this is positive news.

Legacy Java still needs to be monitored, as well. Java 8 ends public support in January 2019, but many companies still use Java 8, 9, 10, and 11. It’s important to track what versions of Java are running in an environment. Legacy software still gets regularly targeted for exploitation.

How does Syxsense help?

Syxsense displays graphs and icons that illustrate, at a glance, the vulnerability of your devices.

By clicking on a gadget, you’ll jump right into a patch deployment process, prepopulated to deploy all related updates to all devices that need them. You can easily modify this task to be more specific or start the task as-is, to save time.

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]
[vc_separator]

Third-Party Updates

Vendor Category Patch Version and Release Notes:
Adobe Media Software Flash and Air: v31.0.0.122

Acrobat and Reader DC:

v15.006.30456 (Classic Track 2015)

v17.011.30105 (Classic Track 2017)

v19.008.20080 (Continuous Track)

Apple Media Software iTunes: v12.9.1

Safari: v12.0.1

Don Ho

 

Text and Source Code Editor Notepad: v7.5.9
Evernote Organization App Evernote: v6.15.4.7934
FileZilla FTP Solution FileZilla: v3.38.1
Google Browser Chrome: v70.0.3538.77
Mozilla Browser and Email Application Firefox: v63.0.1

Thunderbird: v60.3.0

Oracle Java JDK and JRE: v8u192
VSRevo Group Revo Uninstaller Pro: v4.0.1
WireShark Wireshark: v2.6.4
|||||

Major Third-Party Security Updates

By News, Patch ManagementNo Comments
[vc_single_image image=”25141″ img_size=”full” alignment=”center”]

Google Polishes Chrome

With an apparent rise in malicious extensions, Google has announced five changes that aim to secure their product. These should be incorporated into their next release in the later half of this month, Chrome 70.

1. Expanded controls for determining Chrome extension permissions

According to an article by Chrome developers, “users [will] have the ability to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.”

2. Code obfuscation banned

Google argues this was the main way in which malicious Chrome extensions made it onto the Chrome Web Store.

3. Two-factor authentication required for developers

Phishing attacks over the last year have targeted browser extensions as a means of mass infection. This new requirement should reduce the change of hackers getting direct access to the code of extensions.

4. New review process

Google is watching! Implementing a deeper review process and monitoring with remotely hosted code, Google hopes to quickly spot if malicious changes are taking place.

5. Updated manifest for stronger security

In 2019, Manifest version 3 will be released. The goal is to create “stronger security, privacy and performance guarantees.”

Google has taken notice of the attacks aimed at manipulating their extension functions. When Chrome 70 releases, be prepared to update it across all your systems.

[vc_separator]

Adobe Alert

Additionally, Adobe has released it’s regularly-scheduled October security updates. More than half of the 85 vulnerabilities are critical flaws, and the rest are rated as important. This is the latest update since Adobe’s critical out-of-band update from September.

The critical vulnerabilities allow arbitrary code execution. That includes 22 out-of-bounds write flaws, seven critical heap overflow glitches, seven use-after-free bugs, three type confusion bugs, three buffer error bugs, three untrusted pointer dereference flaws and a double free vulnerability.

A competing PDF software, Foxit, has also had a spike in discovered vulnerabilities. This is both good and bad news.

[vc_single_image image=”25154″ img_size=”medium” alignment=”center”]

The bad is that malicious actors are getting more aggressive by the day. The good news is that companies are taking their software flaws seriously and proactively looking for issues.

All of these vulnerabilities highlight one key lesson: keeping your systems up to date is the vital step for secure environments.

Patch Everything

Syxsense facilitates easy update deployments. A rapid patch scan can identify which devices need which updates. Then, from the Patch Manager, it’s simple to target a specific update and deploy it to any devices that require it.

Whether its deploying one update or hundreds, Syxsense will handle the task with ease.

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]