While most of the IT world is waiting for more news about the Sony data breach (we know very little for sure; see Kim Zetter's piece in Wired for a good and level-headed overview), things continue to move in the information security realm. More specifically, Patch Tuesday for December is coming, with seven bulletins from Microsoft and probably two updates from Adobe.
We are getting a small Patch Tuesday this month, a real breather for IT administrators. Microsoft will release only four bulletins next Tuesday, and only one of them is rated critical. Bulletin #1 is for Internet Explorer and affects all currently supported versions, IE 6 through 11. It allows remote code execution (RCE) through a malicious web page and should be the highest priority for you, whether you are an enterprise or a consumer.
The remaining bulletins, #2 to #4, are rated "important" and address Denial of Service (DoS) problems in .NET and Lync Server and a local elevation of privilege (EoP) in Windows. These bulletins are not urgent and can be covered by your normal patching process.
We do not have information from Adobe yet on whether they have any patches, but they have published an update for Adobe Flash every month of 2014, so it is safe to assume that we will get one here as well. Oracle's next update is scheduled for next month, in their Critical Patch Update for October 2014.
Black Hat USA 2014 is one of the most widely attended security conferences of the year, and this year there were a number of interesting briefings on a variety of topics such as automotive attack surfaces, POS malware, cloudbots and more. Qualys presented two pieces of research, one on TSA-related vulnerabilities and one on hacking physical devices such as keyless cars and home alarm systems.
Update: Microsoft has modified bulletin MS14-045 for Windows and removed the patch for the font-handling vulnerability CVE-2014-1819. The patch can cause the system to lock up (BSOD) and cause problems with fonts that are not installed in the default location. Microsoft recommends uninstalling KB2982791 at this time; for more information take a look at the KB article itself. We are interested to know how widespread these problems are. Were you affected? Do you install important-level patches immediately, or do you wait for a cool-off period? These questions matter especially when you consider the availability of 1-day exploits, where attackers reverse engineer patches to find new attack vectors:
This example is taken from the capability description of a commercial exploit tool (Gamma's FinFly), but it illustrates the capabilities that a good attack team has.
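If you want to answer the "were you affected?" question for your own fleet, the check is simple: look for the withdrawn package by KB number and remove it where it is present. The script below is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session, that WMI/DCOM is reachable on the remote hosts you name, and that you schedule the reboot that the uninstall requires.

```powershell
# Added example (not from the original post): find hosts that still carry the
# withdrawn font-handling update KB2982791 and uninstall it locally.
# Assumes an elevated PowerShell session; hostnames below are placeholders.

$KbId = 'KB2982791'   # the update Microsoft asked customers to uninstall

function Get-ComputersWithHotFix {
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # Get-HotFix queries Win32_QuickFixEngineering on each host. Hosts that cannot
    # be reached raise a non-terminating error and are simply skipped here;
    # treat "not listed" as "unknown", not as "clean", until you check them.
    Get-HotFix -Id $Id -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty CSName -Unique
}

function Test-HotFixInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Local check; SilentlyContinue avoids an error when the KB is absent.
    $hotfix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Remove-HotFix {
    param([Parameter(Mandatory)][string]$Id)
    # wusa.exe removes an installed Windows Update package by KB number.
    # /quiet suppresses the UI; /norestart lets you plan the reboot yourself.
    $kbNumber = $Id -replace '^KB', ''
    $wusaArgs = @('/uninstall', "/kb:$kbNumber", '/quiet', '/norestart')
    Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList $wusaArgs -Wait -NoNewWindow
}

# 1. Fleet view: which of these (placeholder) hosts still have the package?
$fleet = @('ws-001', 'ws-002', 'srv-file01')
$affected = Get-ComputersWithHotFix -Id $KbId -ComputerName $fleet
Write-Host ("Hosts with {0}: {1}" -f $KbId, ($affected -join ', '))

# 2. Local remediation on the machine running the script.
if (Test-HotFixInstalled -Id $KbId) {
    Write-Host "$KbId is installed locally; uninstalling (reboot required)."
    Remove-HotFix -Id $KbId
} else {
    Write-Host "$KbId is not installed locally; nothing to do."
}
```

Run the fleet query first and keep its output as your record of exposure; the uninstall step is per machine, so roll it out through whatever mechanism you normally use for scripts that need a reboot, and re-run the query afterwards to confirm the package is gone.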
Original: It is August Patch Tuesday, the week after Black Hat and DEF CON, and we are getting nine bulletins from Microsoft addressing a total of 41 vulnerabilities, plus a new version of Adobe Flash. In addition, Microsoft is introducing new capabilities for automatic ActiveX blocking and has announced the phase-out of old browsers. All in all, a pretty busy Patch Tuesday, with two patches that address 0-day vulnerabilities under attack in the wild, in Internet Explorer and Adobe Flash.
While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published their Advance Notice for the month of August. That document gives us an idea of the size of next week's Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software, including Internet Explorer, Windows, Office, SQL Server and SharePoint. Two of the bulletins are rated "critical", as they allow for Remote Code Execution (RCE), and a third one, for Microsoft Office OneNote, also provides RCE capabilities.
In 2004 and 2009 we published research on the lifespan of vulnerabilities. One of the metrics was the half-life, i.e. how long it takes for the number of occurrences of a vulnerability to drop by half. The data is extracted in anonymized form from the roughly 400 million vulnerability scans that run on the Qualys platform per year.
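To make the half-life metric concrete: if you have a series of scan results giving the number of hosts that still show a detection at several points after the patch was released, you can fit an exponential decay to that series and read the half-life off the decay rate. The function below is an added example, not the analysis code behind the research above; it assumes exponential decay (a straight line in ln(count) versus time) and uses constructed sample counts rather than real scan data.

```powershell
# Added example (not Qualys' analysis code): estimate a vulnerability's
# half-life from a series of detection counts, assuming exponential decay.
# The sample series below is constructed for illustration.

function Get-HalfLife {
    param(
        # Objects with Day (days since patch release) and Count (hosts still vulnerable)
        [Parameter(Mandatory)][object[]]$Series
    )
    if ($Series.Count -lt 2) { throw 'Need at least two data points.' }

    # Least-squares fit of ln(Count) = a + b*Day. With exponential decay
    # Count(t) = C0 * exp(-k t), the slope b equals -k.
    $x = @($Series | ForEach-Object { [double]$_.Day })
    $y = @($Series | ForEach-Object {
        if ($_.Count -le 0) { throw 'Counts must be positive to take a logarithm.' }
        [Math]::Log([double]$_.Count)
    })
    $meanX = ($x | Measure-Object -Average).Average
    $meanY = ($y | Measure-Object -Average).Average

    $sxy = 0.0; $sxx = 0.0
    for ($i = 0; $i -lt $x.Count; $i++) {
        $sxy += ($x[$i] - $meanX) * ($y[$i] - $meanY)
        $sxx += ($x[$i] - $meanX) * ($x[$i] - $meanX)
    }
    $slope = $sxy / $sxx
    if ($slope -ge 0) { throw 'Counts are not decreasing; no half-life can be derived.' }

    # Half-life: the time t at which exp(-k t) = 1/2, i.e. t = ln(2) / k.
    return [Math]::Log(2) / (-$slope)
}

# Constructed sample: hosts still showing the detection, 0..60 days after release.
$sample = @(
    [pscustomobject]@{ Day = 0;  Count = 1000 },
    [pscustomobject]@{ Day = 15; Count = 520 },
    [pscustomobject]@{ Day = 30; Count = 260 },
    [pscustomobject]@{ Day = 45; Count = 140 },
    [pscustomobject]@{ Day = 60; Count = 70 }
)
$halfLife = Get-HalfLife -Series $sample
'Estimated half-life: {0:N1} days' -f $halfLife
```

The fit is only as good as the exponential assumption; in practice the decay often slows down as the long tail of unmanaged or forgotten hosts remains, so it is worth plotting ln(count) against time and checking that the points actually lie near a straight line before quoting a single half-life number.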
Microsoft has released six bulletins today, addressing a total of 29 vulnerabilities, plus three security advisories. Two of the bulletins are critical and can be used to achieve Remote Code Execution (RCE). Overall a pretty normal Patch Tuesday, even adding in the update for Flash that Adobe is releasing. But July also brings the Oracle Critical Patch Update, which will give IT administrators an additional 100+ updates to look at and to decide how to apply to their infrastructure, taking the exploitability and reachability of their devices into account.
July's Advance Notice from Microsoft has just arrived. This month Microsoft is publishing six bulletins, affecting all versions of Internet Explorer and Windows plus one server component. Two bulletins are rated "critical", as they allow for Remote Code Execution (RCE); three are rated "important", as they allow for elevation of privilege on Windows.
The most critical patch to consider is Bulletin 1, which covers all versions of Internet Explorer (IE), from Internet Explorer 6 (now supported only on Windows Server 2003, since XP has been retired) to the newest IE 11 on Windows 8.1 and RT. This patch should be at the top of your list, since most attacks involve your web browser in some way. Take a look at the most recent numbers in Microsoft's SIR report v16, which illustrate clearly that web-based attacks, including those through Java and Adobe Flash, are the most common.
Bulletin 2 is a critical update for Windows; all desktop versions (Vista, Windows 7, 8 and RT) are affected. On the server side, all but the oldest, Windows Server 2003, are affected. The update will require a reboot, which is something to include in your planning, especially on the server side.
Bulletins 3, 4 and 5 are all elevation of privilege vulnerabilities in Windows and affect all versions of Windows. They are local vulnerabilities, i.e. they cannot be used to achieve code execution remotely through the network, but require that the attacker already has a presence on the targeted machine as a normal or standard user. Exploits for these types of vulnerabilities are part of any attacker's toolkit, as they are extremely useful once the attacker gets an account on the machine, say through stolen credentials. In any practical scenario the attacker then wants to ensure continued control of the machine and will need to become administrator to install their controlling malware. This is where these vulnerabilities come in, and we consider them extremely important to fix in order to frustrate or slow down attackers once they are on the target machine.
Lastly, Bulletin 6 is a Denial of Service vulnerability in the Service Bus for Windows. The Service Bus is a newer Windows component, used in the Windows Azure environment for the development of loosely coupled applications. In our estimate few companies will have installed that component, and on Azure itself Microsoft will take care of the patching for you.
Also this month, Oracle is publishing their Critical Patch Update (CPU) for July 2014. It is expected on July 15 and typically contains fixes for hundreds of vulnerabilities. How applicable the patches are to your organization depends on your software inventory, but at least the update for Java will be important for most organizations.
Please stay tuned to this blog for next week’s release and further updates from Oracle.
Update: we have released QID 38602, a remote check for the OpenSSL issues. For a full list of QIDs (remote and authenticated) see QIDs for OpenSSL Security Advisory [05 Jun 2014]
Original: It's the Thursday before June's Patch Tuesday, and Microsoft's Advance Notice has just gone live. In addition, there was an advisory about new fixes for OpenSSL, which comes quite soon after the Heartbleed vulnerability and the numerous exploits it enabled.