This month’s Microsoft Patch Tuesday addresses 50 vulnerabilities with only 8 of them labeled as Critical. Of the 8 Critical vulns, one is for browser and scripting engines, 3 are for .NET Framework and one for ASP.NET. In addition, Microsoft has patched 3 critical RCEs in Remote Desktop Gateway and Remote Desktop Client. Adobe issued patches today for Illustrator CC and Experience Manager.
This month’s Microsoft Patch Tuesday addresses 74 vulnerabilities with 13 of them labeled as Critical. Of the 13 Critical vulns, 5 are for browsers and scripting engines. Out of the 8 remaining Critical vulns, 4 are potential hypervisor escapes in Hyper-V, as well as vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundations, and OpenType. Adobe’s Patch Tuesday was on time this month, and covers 11 vulns spread across Animate, Illustrator, Media Encoder, and Bridge.
UPDATE
There are reports that the CVE-2019-1402 patches are causing issues with all supported versions of Microsoft Access. Microsoft has posted a document on the issue with upcoming fix dates and workarounds.
A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.
Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.
Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.
On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.
Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.
For zero-day vulnerabilities in Operating Systems, you can use your existing asset inventory information from Qualys AssetView, and search for any OS to determine how many vulnerable assets are deployed. This can be done without additional scanning if the data is relatively fresh.
Google’s threat analysis group has observed active attacks for Windows kernel win32k.sys vulnerability and has therefore disclosed this previously unknown vulnerability. It’s a local privilege escalation issue which implies that an attacker would need valid local credentials to trigger the issue. If exploited an attacker with low privilege could obtain higher privilege like that of an administrator. The only technical details known at this point is that the issue can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
There is currently no patch or acknowledgement from Microsoft about the issue. Please stay tuned for updates. For reference, see the Google disclosure blog post.
It is Windows 10 first Patch Tuesday and 40% of the August bulletins for generic Windows apply to the newest version of the operating system: Windows 10. In addition there is an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer that addresses three critical vulnerabilities. Windows 10 fares a bit better than WIndows 8, which had 60% in its first two months, where three out of five bulletins were applicable. From a security perspective Windows 10 brings much improvement and we are curious to see how the acceptance of Windows 10 will play out, especially comparing the enterprise side and consumer side. On the Enterprise level we think the Virtual Secure Mode that takes credential hashes out of the Windows kernel the biggest advance, while for the consumer it is the new patching schedule, which basically keeps Windows always updated with the latest updates.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) is responsible for IT security within the German Federal government. In addition they work on IT security standards for Germany and are moving into a national incident tracking function as well. In December 2014 they published their yearly report summarizing the IT security state in Germany as "critical", with attacks rising, German companies leaking data and exposing their infrastructure to even physical damage. Much of it is due to a 'Digitale Sorglosigkeit', a digital carelessness where the IT industry does not pay attention to avoidable threats.
Summary: This is a minor change to add flexibility in expanded platform support. There will be no downtime with this update, but you will need to make changes to policies and possibly some controls being used against Windows 2012 R2 or Windows 8.1.
While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published their Advance Notice for the month of August. That document gives us an idea of the size of next week’s Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software including Internet Explorer, Windows, Office, SQL Server and Sharepoint. Two of the bulletins are rated “critical,” as they allow for Remote Code Execution (RCE) and a third one for Microsoft Office OneNote also provides RCE capabilities.
