July, 2020: Patch Monday: July Oracle Critical Patch Update

Welcome to this July Patch Monday Bulletin. This month there are patches from Adobe, Google, Mozilla, and Oracle. There were no reported attacks against vulnerabilities fixed this month. July was one of Oracle's Critical Patch Update months, so its suite of products needs to be updated. The update for Java SE fixes 11 bugs, the most severe with a CVSS score of 8.3. Adobe updated numerous products, including an out-of-band update for Prelude and Photoshop. None of the updates has been categorized as Priority 1, the rating that means the product is an attractive target for adversaries. All but one of the updates listed for Adobe are rated critical with arbitrary code execution vulnerabilities. Google released an update for Chrome, but based on the reported bounty payments there was nothing egregious. Mozilla released updates for Thunderbird and Firefox. Make sure that Firefox is updated if it is in use within the organization.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| Multiple CVE’s | Adobe Prelude | 9.0 and earlier | 7/21/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Photoshop | CC 2019 20.0.9 and earlier; 2020 21.2 and earlier | 7/21/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Bridge | 10.0.3 and earlier | 7/14/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| CVE-2020-9688 | Adobe Download Manager | 2.0.0.518 | 7/14/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Genuine Service | 6.6 and earlier | 7/14/2020 | Privilege Escalation | Important Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Media Encoder | 14.2 and earlier | 7/14/2020 | Information Disclosure, Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Creative Cloud Desktop | 5.1 and earlier | 7/14/2020 | Privilege Escalation, Arbitrary File System Write | Critical Priority 2: Update within 30 days |
| Multiple CVE’s | Google Chrome | Before 84.0.4147.89 | 7/14/2020 | Information disclosure, Use After Free, Security Bypass | Update after testing |
| Multiple CVE’s | Mozilla Firefox | Before 78.0.2/ESR 68.10 | 7/8/2020 | Security Bypass, Denial of Service, Information Disclosure | Update after testing |
| Multiple CVE’s | Mozilla Thunderbird | Before 78 | 7/16/2020 | Information Disclosure, Denial of Service, Arbitrary Code Execution, Security Bypass | Update after testing |
| Multiple CVE’s | Oracle Java | Before Java SE 7U261, 8u251, 11.0.7, 14.0.1 | 7/14/2020 | Information Disclosure, Denial of Service | As soon as possible |