November, 2018: Patch Tuesday: One CVE Attacked in the Wild and BitLocker Guidance

Welcome to this November Patch Monday Bulletin. This month we have patches for Photoshop, Acrobat/Reader, iCloud/iTunes, Chrome, Firefox, and Thunderbird. The top priority this month is patching CVE-2018-15979 that affects Adobe Acrobat and Reader. This vulnerability has proof of concept code available and could cause a user to send their NTLM password hash to malicious external resources. An attacker would have to convince a user to open a maliciously crafted PDF to exploit this vulnerability. Follow up with Adobe Flash since it is a Critical Priority 1 update but keep in mind there are no known attacks leveraging any of the remediated vulnerabilities in this product. Next, review and update 3rd party browsers Chrome and Firefox since these browsers are widely deployed and are affected by multiple vulnerabilities. The remaining products may be present but are not widely deployed in the enterprise. Review your environment for the existence of the following products and test updates for iCloud for Windows, iTunes for Windows, Thunderbird, and Photoshop.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches that affect Windows platforms in the past month.

Patch data provided by:

Identifier

Vendor/Product

Product Version Affected

Date Released by Vendor

Vulnerability Info

Vendor
Severity / Our Recommendation

CVE-2018-15981

Adobe Flash

31.0.0.148 and earlier

11/20/2018

Arbitrary Code Execution, Information Disclosure

Critical Priority 1: Update within 72 hours

CVE-2018-15980

Adobe Photoshop CC

19.1.6 and earlier

11/13/2018

Information Disclosure

Important Priority 3: Update at admin’s discretion

CVE-2018-15979

Adobe Acrobat and Reader

Continuous 2019.008.20080 and earlier

Classic 2017 2017.011.30105 and earlier

Classic 2015 2015.006.30456 and earlier

11/13/2018

Information Disclosure

Important Priority 1: Update within 72 hours

Multiple CVE’s

iCloud for Windows

Before 7.8

10/30/2018

Arbitrary Code Execution, Denial of Service, Cross Site Scripting

Update after testing

Multiple CVE’s

iTunes for Windows

Before 12.9.1

10/30/2018

Arbitrary Code Execution, Denial of Service, Cross Site Scripting

Update after testing

Multiple CVE’s

Google Chrome

Before 70.0.3538.110

11/19/2018

Denial of Service, Information Disclosure

Update after testing

Multiple CVE’s

Mozilla Firefox

Before 63/ESR 60.3

10/23/2018

Denial of Service, Privilege Escalation, Security Bypass, Information Disclosure

Update after testing

Multiple CVE’s

Mozilla Thunderbird

Before ESR 60.3

10/31/2018

Security Bypass, Denial of Service

Update after testing


Send me this chart next Patch Tuesday.
Email:

We will not share your address. Unsubscribe anytime. By clicking "Submit",
you're agreeing to our Privacy Policy and consenting to be contacted by us.