June, 2020: Patch Monday: Netgear Zero-Day

Welcome to this June Patch Monday Bulletin. This month there are patches from Adobe, Apple, Google, and Mozilla. There were no Priority 1 updates from Adobe so it is recommended that organizations start with updating 3rd party browsers Google Chrome and Mozilla Firefox. Google Chrome identifies several High severity vulnerabilities with decent bug bounty pay outs at $15k and $20k. None of the vulnerabilities were said to be actively attacked at this time. Adobe updated 10 products but prioritize the three “Priority 2” updates for Flash, Experience Manager, and Magento. This is the last year for Adobe flash so it may be time to think about uninstalling it. Support for Magento is ending this month as well so there will be no more security updates provided by Adobe. Apple updated iCloud for Windows and iTunes for Windows as well so review the environment for these applications. We typically do not cover updates to consumer hardware but a recent zero-day affecting many Netgear models was released this month. The surge in users that are working from home could result in consumer security and enterprise security merging. It may be worthwhile to review this bulletin that outlines the 79 affected models. Exploit code exists that would allow an attacker to obtain unauthenticated access to the router.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non MS patches this month.

Patch data provided by:

Identifier

Vendor/Product

Product Version Affected

Date Released by Vendor

Vulnerability Info

Vendor
Severity / Our Recommendation

Multiple CVE’s

Magento

Commerce 1 1.14.4.5 and earlier

Open Source 1 1.9.4.5 and earlier

6/22/2020

Arbitrary Code Execution, Sensitive Information Disclosure

Critical Priority 2: Update within 30 days

Multiple CVE’s

Adobe Audition

13.0.6 and earlier

6/16/2020

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Premiere Rush

1.5.12 and earlier

6/16/2020

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe Premiere Pro

14.2 and earlier

6/16/2020

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe Illustrator

24.1.2 and earlier

6/16/2020

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe After Effects

17.1 and earlier

6/16/2020

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

CVE-2020-9666

Adobe Campaign Classic

20.1 and earlier

6/16/2020

Information Disclosure

Important Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe Framemaker

2019.0.5

6/9/2020

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe Experience Manager

6.5 and earlier

6/9/2020

Sensitive Information Disclosure, Arbitrary Browser Script Execution

Important Priority 2: Update within 30 days

CVE-2020-9633

Adobe Flash Player

Desktop and Chrome 32.0.0.371 and earlier

Edge and IE 11 32.0.0.330

6/9/2020

Arbitrary Code Execution

Critical Priority 2: Update within 30 days

Multiple CVE’s

iTunes for Windows

Before 12.10.7

5/26/2020

Arbitrary Code Execution, Information Disclosure, Cross Site Scripting

Update after testing

Multiple CVE’s

iCloud for Windows

Win 7 before 7.19

Win 10 before 11.2

5/26/2020

Arbitrary Code Execution, Information Disclosure, Cross Site Scripting

Update after testing

Multiple CVE’s

Google Chrome

Before 83.0.4103.116

6/22/2020

Use After Free, Security Bypass

Update after testing

Multiple CVE’s

Mozilla Firefox

Before 77/ESR 68.9

6/2/2020

Information Disclosure, Denial of Service, Arbitrary Code Execution, Spoofing

Update after testing

Multiple CVE’s

Mozilla Thunderbird

Before 68.9.0

6/2/2020

Information Disclosure, Arbitrary Code Execution, Security Bypass

Update after testing