Cyber Defense Magazine – August 2019


Mozilla released updates for Firefox and Firefox ESR resolving 21 and 10 vulnerabilities respectively.
Both updates are rated Critical and include vulnerabilities that could lead to information disclosure,
sandbox escapes and remote code execution.


Adobe released multiple updates today for Dreamweaver, Experience Manager, Bridge CC and Flash
Player. Dreamweaver and Bridge each resolve a single CVE rated Important. Experience Manager
resolves three vulnerabilities, one Moderate and two Important. The Flash Player update does not
appear to include any CVEs.


Oracle is releasing its Critical Patch Update next Tuesday, so expect updates for all your favorite
middleware and for Java.


This is a good time to bring up development tools. As the industry continues the shift toward DevOps and
applications are built on development binaries like Java, there are new considerations you need to
account for when managing the vulnerabilities in your environment. Java 11 changed the paradigm. Oracle
no longer ships a separate JRE; there is only the JDK. With Java 8, a developer built the application
using the JDK, and the system it was deployed to needed a JRE installed to run it. Each quarter when
Oracle released an update, the application itself did not change, but you had to update the JRE instance
on the host to remove the vulnerabilities. With Java 11, the runtime components ship with the application
itself (for example as a runtime image produced with jlink, or a JDK bundled alongside the application).
So as Oracle releases Java 11 updates resolving security vulnerabilities, the developer needs to update
their JDK, rebuild the application so it picks up the patched runtime components, and redistribute it.
From a vulnerability management standpoint, the fix is no longer a host-level JRE update you can push
out; it is an application release you have to track down and verify.


Microsoft released updates for several development tools this month, including .NET Core and ASP.NET
Core, that similarly require updating the SDK component, rebuilding the application and redistributing
it to resolve the vulnerabilities. Other examples of development binaries include Apache Struts,
ChakraCore, ASP.NET Core, Open Enclave SDK and many others.
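The practical problem raised by the Java 11 and .NET Core paragraphs above is inventory: a host-level patch scan that checks the installed JRE or shared .NET runtime will not see a runtime that was built into an application. The script below is an added illustration (not code from this column, Ivanti, Oracle or Microsoft) of how to find those bundled copies. It relies on two on-disk markers that the toolchains really produce: a JDK or jlink runtime image carries a `release` file with a `JAVA_VERSION="..."` line, and a .NET Core application carries an `<app>.runtimeconfig.json` whose `runtimeOptions.framework` (or `includedFrameworks` for self-contained apps) records the runtime it was built against. The baseline versions in `MINIMUMS`, the sample application names and the temporary directory tree are assumptions constructed for the demo; substitute the versions from the vendor's current advisory and point `scan()` at your real deployment roots.

```python
#!/usr/bin/env python3
"""Inventory runtimes bundled inside deployed applications.

Added illustration, not the column's or any vendor's tooling. Real markers used:
  * JDK / jlink runtime image:  <image>/release  containing  JAVA_VERSION="11.0.4"
  * .NET Core application:      <app>.runtimeconfig.json with runtimeOptions.framework
The baselines in MINIMUMS are placeholders (assumption), not vendor-published values.
"""
import json
import re
import tempfile
from pathlib import Path

# Placeholder baselines for the demo; replace with the versions in the current advisory.
MINIMUMS = {
    "java": "11.0.4",
    "Microsoft.NETCore.App": "2.2.6",
}


def parse_version(text):
    """'11.0.4', '1.8.0_221' or '11.0.4+11' -> tuple of ints; build suffix after '+' ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("+")[0]))


def java_version_from_release(release_file):
    """Read the JAVA_VERSION value from a runtime image's `release` file, or None."""
    for line in Path(release_file).read_text().splitlines():
        m = re.match(r'JAVA_VERSION="([^"]+)"', line.strip())
        if m:
            return m.group(1)
    return None


def dotnet_versions_from_runtimeconfig(config_file):
    """Return [(framework_name, version)] recorded in a .runtimeconfig.json.

    Framework-dependent apps record one entry under runtimeOptions.framework;
    self-contained apps (.NET Core 3.0+) list theirs under includedFrameworks.
    """
    opts = json.loads(Path(config_file).read_text()).get("runtimeOptions", {})
    entries = []
    if "framework" in opts:
        entries.append(opts["framework"])
    entries.extend(opts.get("includedFrameworks", []))
    return [(e["name"], e["version"]) for e in entries if "name" in e and "version" in e]


def scan(root, minimums=MINIMUMS):
    """Walk `root`; return one finding per bundled runtime, flagged when below the baseline."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name == "release":
            ver = java_version_from_release(path)
            if ver:
                findings.append({"kind": "java", "path": str(path), "version": ver,
                                 "outdated": parse_version(ver) < parse_version(minimums["java"])})
        elif path.name.endswith(".runtimeconfig.json"):
            for name, ver in dotnet_versions_from_runtimeconfig(path):
                base = minimums.get(name)
                findings.append({"kind": name, "path": str(path), "version": ver,
                                 "outdated": base is not None
                                 and parse_version(ver) < parse_version(base)})
    return findings


def outdated_paths(root, minimums=MINIMUMS):
    """Only the artifacts that need a rebuild with a newer JDK/SDK and a redeploy."""
    return [f["path"] for f in scan(root, minimums) if f["outdated"]]


def build_demo_tree():
    """Constructed sample deployment tree (not real hosts): two jlink images, one .NET app."""
    root = Path(tempfile.mkdtemp(prefix="bundled-runtimes-"))
    (root / "orders-svc" / "runtime").mkdir(parents=True)
    (root / "orders-svc" / "runtime" / "release").write_text(
        'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="11.0.2"\nMODULES="java.base"\n')
    (root / "billing-svc" / "runtime").mkdir(parents=True)
    (root / "billing-svc" / "runtime" / "release").write_text('JAVA_VERSION="11.0.4"\n')
    (root / "portal").mkdir()
    (root / "portal" / "portal.runtimeconfig.json").write_text(json.dumps({
        "runtimeOptions": {"tfm": "netcoreapp2.2",
                           "framework": {"name": "Microsoft.NETCore.App", "version": "2.2.0"}}}))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in scan(demo):
        print(f"{'REBUILD' if f['outdated'] else 'ok':8} {f['kind']:22} {f['version']:10} {f['path']}")
```

Two caveats when reading the output. A framework-dependent .NET Core app rolls forward to the shared runtime installed on the host, so for those the `runtimeconfig.json` version tells you what the SDK targeted at build time, and the host's shared runtime patch level is what actually matters; a self-contained deployment carries its runtime in the application folder and has to be rebuilt. On the Java side, a full JDK unpacked under an application directory also has a `release` file, so the same scan picks up loose JDK copies that were never registered with the host's package manager.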


About the Author


Chris Goettl is director of product management, security, at Ivanti. Chris is a strong
industry voice with more than 10 years of experience in supporting,
implementing, and training IT admins on how to implement strong patching
processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability
and related software security topics, and is often quoted as a security
expert in the media.
Chris can be reached on Twitter @ChrisGoettl and at Ivanti's website:
http://www.ivanti.com.