
Welcome to my July 2024 Patch Monday newsletter! It was a very slow month for third-party patching, at least for our regular vendors/providers. Adobe only had updates for three products this month, and Apple did not release any relevant security updates in the past 30 days.

From what has been published on the patches below, we don't have any zero-days to be concerned about either. I'll start with Citrix this month. They have two CVEs rated High that are being patched. CVE-2024-5491 has a CVSS score of 7.1, and CVE-2024-6286 has a CVSS score of 8.5, which is pretty high. These affect Citrix NetScaler ADC and Gateway and also the Citrix Workspace app for Windows. So please check the chart below to see if you are running any of the affected versions. I recommend you test the patches and update as soon as possible.

Chrome had two updates over the past 30 days that patched 15 different vulnerabilities. Twelve of these fifteen are rated "High" by Google. So, make sure all your Chromium-based browsers get updated and restarted.

Zoom also had a handful of updates this past month. The way they format their update information is a bit unconventional, so you will see a change in the chart below for their information: the links to the CVEs are in the "Vulnerability Info" column for Zoom. Of the updates published, the Improper Input Validation issue in Zoom Apps for Windows is rated "High". You will want to get that updated as soon as possible.

The big release this month is from Oracle. On July 16th Oracle released their quarterly "Critical Patch Update Advisory", their third for the year. I only included Java in the chart below but there are 386 patches across a long list of products and versions. You can see them all here.


I do want to bring attention to a webinar I have this week. The title is "Linux Privilege Elevation: Breaking out of SUDO with GTFOBins". If you want to learn about thoroughly implementing least privilege on Linux then you will want to register here.

So that's about it for the month. Be sure to browse the chart below and happy patching!


So, without further ado, here's the chart of non-Microsoft third-party patches that affect Windows platforms in the past month.

Patch data provided by:

| Identifier | Vendor/Product | Affected Versions | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| CVE-2024-34123 | Adobe Premiere Pro | 24.4.1 and earlier; 23.6.5 and earlier | 7/9/2024 | Arbitrary Code Execution | Critical, Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe InDesign | ID19.3 and earlier; ID18.5.2 and earlier | 7/9/2024 | Application Denial of Service, Arbitrary Code Execution | Critical, Priority 3: Update at admin's discretion |
| Multiple CVEs | Adobe Bridge | 13.0.7 and earlier; 14.1 and earlier | 7/9/2024 | Arbitrary Code Execution, Memory Leak | Critical, Priority 3: Update at admin's discretion |
| Multiple CVEs | Citrix NetScaler | ADC and Gateway 14.1 before 25.53; ADC and Gateway 13.1 before 53.17; ADC and Gateway 13.0 before 92.31; ADC 13.1-FIPS before 37.183; ADC 12.1-FIPS and NDcPP before 55.304 | 7/9/2024 | Denial of Service, Open Redirect | Update after testing |
| CVE-2024-6150 | Citrix Provisioning | CR before 2402; LTSR before 2203 CU5; LTSR before 1912 CU9 | 7/9/2024 | Improper Access Control | Update after testing |
| CVE-2024-6286 | Citrix Workspace App | CR before 2403.1; LTSR before 2402; LTSR before 2203.1 CU6 Hotfix 2 | 7/9/2024 | Improper Privilege Management | Test and Update As Soon As Possible |
| Multiple CVEs | Citrix Workspace App for HTML5 | Before 2404.1 | 7/9/2024 | Incorrect Default Permissions, URL Redirect | Update after testing |
| Multiple CVEs | Google Chrome | Before 126.0.6478.182/183 for Windows/Mac; Before 126.0.6478.182 for Linux | 7/16/2024 | Inappropriate Implementation, Out of Bounds, Race Condition, Type Confusion, Use After Free | Update after testing |
| Multiple CVEs | Mozilla Thunderbird; Firefox ESR | Before 115.13 | 7/9/2024 (FF ESR); 7/15/2024 (Thunderbird) | Memory Corruption, Race Condition | Update after testing |
| Multiple CVEs | Mozilla Firefox | Before 128 | 7/9/2024 | Arbitrary Code Execution, Cross-site Navigation, CSP Violation, Memory Corruption, Out-of-Bounds Read, Race Condition, Security Feature Bypass, Tapjacking, Unintended Permissions | Update after testing |
| Multiple CVEs | Oracle Java | GraalVM for JDK 17.0.11, 21.0.3, 22.0.1; SE 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; GraalVM Enterprise Edition 20.3.14, 21.3.10 | 7/16/2024 | Denial of Service, Race Condition, Unauthorized Access | Update after testing |
| Multiple CVEs (see vulnerability info) | Zoom Apps | Workplace Desktop App for Windows/macOS/Linux before 6.0.0; Workplace Desktop App for Windows/macOS before 6.0.10; Workplace VDI Plug-in for Windows before 5.17.13; Workplace VDI App for Windows before 5.17.13; Rooms App for Windows/Mac/iPad before 6.0.0; Rooms App for Windows before 5.17.13, 6.0.10; Workplace App for iOS/Android before 6.0.0; Meeting SDK for Windows/iOS/Android/macOS/Linux before 6.0.0; Meeting SDK for Windows before 6.0.10 | 7/9/2024 | Improper Input Validation, Race Condition, Path Traversal, Uncontrolled Search Path, Improper Privilege Management | Update after testing |

Thanks as always for reading and best wishes on security,

Randy Franklin Smith


Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.

9450 SW Gemini Drive #53822, Beaverton, OR 97008

Note: We do our best to provide quality information and expert commentary but use all information at your own risk.