Microsoft released details on August 6 regarding another variant of the Spectre Variant 1 speculative execution side channel vulnerability (CVE-2019-1125). The vulnerability was actually patched in the July 9 update for all currently supported Microsoft Windows operating systems, so if you are caught up on your OS security updates you are already covered. Unlike many of the Spectre and Meltdown vulnerabilities, this one did not require microcode updates from the device OEM.
Also, the mitigation went into effect with the update on all platforms, which was a little different from previous mitigations. Previous mitigations were enabled on workstation OSs but had to be enabled as a separate step on server operating systems.
Since July's Patch Tuesday, a number of security updates have been released by a variety of vendors. Depending on which updates you have already addressed, you may have paid down some of this accumulation. However, there has been a steady stream, so it is likely there are some non-Microsoft updates that you will need to address in your next maintenance window.
- PuTTY: Released v0.72, which did not have identified CVE IDs but did have a security warning that it resolved multiple vulnerabilities
- VirtualBox: 14 CVEs resolved
- Java 8: 10 CVEs resolved
- A huge list of other Oracle products, such as Oracle Middleware, MySQL and Oracle DB, was also updated as part of the Oracle CPU on July 16
- Snagit: 1 CVE resolved
- Apple iTunes: 23 CVEs resolved
- Apple iCloud: 23 CVEs resolved
- Google Chrome: 15 CVEs resolved
- Wireshark: 1 CVE resolved
Every month you can expect Microsoft to release updates for the Windows Operating System, IE & Edge, and Microsoft Office. SQL Server, Exchange, and .NET Framework updates are often mixed in sporadically from month to month. July was the largest Patch Tuesday release from Microsoft in 2019 and included updates for all of the above. Keep your fingers crossed that we will see a light Patch Tuesday from Microsoft this month. Expect the normal lineup of OS, IE and Office for sure.
Adobe surprised us in July by not having a security update for Flash Player. This is the first time in a long time we did not see a Flash security update. Likely we will not see a repeat of that, so expect a Flash update for August. Acrobat has not had a security update since May so there is a strong chance that we may see an update there as well.
Mozilla had their most recent update (Firefox 68) on July Patch Tuesday. There are currently no scheduled updates for August. The next expected release will be Firefox 69 which has an expected release date of September 3rd.
August 2019 Patch Tuesday forecast:
- We are hoping for a light month from Microsoft (OS, IE, Office)
- Expect Flash and possibly Adobe Acrobat and Reader
- Expect a light third party set this month outside of Adobe
- Make sure to account for the many non-Microsoft updates that have been released since July Patch Tuesday