November, 2019: Patch Monday: Chrome 0-Day Exploited in the Wild

Welcome to this November Patch Monday Bulletin. This month we have patches from Adobe, Apple, and Google. The biggest news this month is CVE-2019-13720, which affects Google Chrome and was being exploited in the wild. This vulnerability may allow an attacker to execute arbitrary code, so make sure that Chrome is updated as soon as possible. There were no known attacks against the vulnerabilities patched in the remaining products. Adobe has updates for 4 products, but all of them are priority 3; review and update those products as needed. iTunes and iCloud for Windows remediated arbitrary code execution vulnerabilities this month. These products may not be typical in most production environments but could be present, especially in environments where users have local administrative privileges.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

Patch data provided by:

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| Multiple CVEs | Adobe Bridge CC | 9.1 and earlier versions | 11/12/2019 | Information Disclosure | Important Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe Media Encoder | 13.1 and earlier versions | 11/12/2019 | Information Disclosure, Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVEs | Adobe Illustrator | 23.1 and earlier versions | 11/12/2019 | Arbitrary Code Execution, Privilege Escalation | Critical Priority 3: Update at admin’s discretion |
| CVE-2019-7960 | Adobe Animate CC | 19.2.1 and earlier versions | 11/12/2019 | Privilege Escalation | Important Priority 3: Update at admin’s discretion |
| Multiple CVEs | iTunes for Windows | Before 12.10.2 | 10/30/2019 | Arbitrary Code Execution, Cross Site Scripting | Update after testing |
| Multiple CVEs | iCloud for Windows | Before Windows 10.8/7.15 | 10/30/2019 | Arbitrary Code Execution, Cross Site Scripting | Update after testing |
| Multiple CVEs | Google Chrome | Before 78.0.3904.108 | 11/18/2019 | Arbitrary Code Execution, Information Disclosure, Use After Free | Update as soon as possible |