Microsoft MDS updates, Google Chrome 75 release and more: Patch Tuesday - Week 1, June 2019

Apple

Apple has released security updates to its now-discontinued AirPort series of products. The updates address multiple vulnerabilities that impact AirPort Extreme and AirPort Time Capsule base stations. Flaws include out-of-bounds read (CVE-2019-8581), use-after-free issues(CVE-2019-8578), null pointer dereference issues (CVE-2019-8588, CVE-2019-8572) and denial-of-service flaws(CVE-2018-6918, CVE-2019-7291). These flaws could be exploited by attackers to either execute arbitrary code or cause DoS in these devices.

Users are advised to apply these new firmware updates. The security advisory regarding the update can be found here.

Cisco

For this week, Cisco has released new updates to fix security flaws present in two software products. The products are Cisco IOS XR and Cisco NX-OS. While Cisco IOS XR housed a DoS vulnerability (CVE-2019-1849), two components of NX-OS: CLI (CVE-2019-1769) and Python scripting (CVE-2019-1727) had arbitrary command execution vulnerabilities. Among these three flaws, the IOS XR flaw is designated as high-impact with the other two rated medium. Users are advised to update to the latest version indicated in the advisories.

Google

Google announces the latest version of Chrome. This version, dubbed Chrome 75, comes with new features and has 42 security fixes out of which two flaws are rated as ‘High’ severity. Flaws mainly included use-after-free (CVE-2019-5828, CVE-2019-5829), out-of-bounds read (CVE-2019-5835), URL spoofing flaw(CVE-2019-5834) along with other issues. The flaws were discovered by external security researchers as well as with the help of Google’s projects such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Chrome users can update to this version by going to Settings > Help > About Google Chrome which starts an automatic update.

Microsoft

Microsoft has released standalone updates to resolve MDS flaws in older versions of Windows 10. These updates contain Intel microcode for Windows 10 version 1607 and Windows Server 2016, Windows 10 version 1709, Windows 10 version 1703 and Windows 10 RTM. The updates are mentioned below:

• KB4494175: Windows 10 version 1607 and Windows Server 2016
• KB4494452: Windows 10 version 1709
• KB4494453: Windows 10 version 1703
• KB4494454: Windows 10 RTM

Nvidia

Nvidia has released a security update for its GeForce Experience Center software that addresses several vulnerabilities including information disclosure, escalation of privileges, denial of service, or code execution. All versions prior to 3.19 are affected by the following two vulnerabilities:

• CVE‑2019‑5678: The Web Helper component contains a vulnerability, whereby attackers can perform code execution, denial of service, or information disclosure using malicious inputs. The CVSS v3 score for this flaw is 7.8.
• CVE‑2019‑5676: This flaw arises due to the loading of Windows system DLLs without proper path or signature validation, thereby allowing attackers with local access to execute DLL preloading attacks. The CVSS v3 score for it is 7.2.

Ubuntu

Ubuntu received six updates to address Linux Kernel vulnerabilities and 11 other updates to fix flaws in Berkeley DB, Qt, Doxygen, libseccomp, Corosync, GnuTLS, Evolution Data Server, sudo, and GNU Screen.

Below are all the advisories released in the last week.

• Linux kernel (HWE) vulnerabilities - USN-4007-2, USN-4006-2, USN-4008-1, USN-4007-1, USN-4005-1, USN-4006-1
• Berkeley DB vulnerability - USN-4004-2, USN-4004-1,
• Qt vulnerability - USN-4003-1
• Doxygen vulnerability - USN-4002-1
• libseccomp vulnerability - USN-4001-2, USN-4001-2
• Corosync vulnerability - USN-4000-1
• GnuTLS vulnerabilities - USN-3999-1
• Evolution Data Server vulnerability - USN-3998-1
• Sudo vulnerability - USN-3968-2
• GNU Screen vulnerability - USN-3996-1