March saw a sizable release from Microsoft after a missed Patch Tuesday. Any way you look at it, April will be a lighter month than March. Windows 10 1703 has officially been released to MSDN. Windows 10 1507 reaches end of service in May, so for those on the original release branch, now is the time: start upgrading the systems still on 1507 now so they are not left with unpatched security exposures.
Last month Microsoft was kind enough to break Internet Explorer updates out of the security-only bundles on pre-Windows 10 systems. This was well received by many companies I have spoken to, since it lets them push the IE update or the OS update on its own and hold the other back if there is an issue. It doesn’t bring us back to the bulletin-level control we had before the rollup model was implemented, but it’s something.
Some recent news regarding a vulnerability in IIS 6.0 is worth mentioning. The vulnerability in WebDAV could allow an attacker to execute malicious code on a Windows Server running IIS 6.0 with the privileges of the user running the application. IIS 6.0 extended support ended in July 2015 along with Windows Server 2003, but IIS 6.0 is still reportedly serving millions of public web sites, and many companies still host internal websites on Windows Server 2003 and IIS 6.0.
The vulnerability appears to have been known to attackers since at least July or August of 2016, but the proof-of-concept code made available on GitHub has publicized it widely, and many more attackers will now be working on exploits to take advantage of such low-hanging fruit. Mitigation options include disabling the WebDAV extension on these systems, but ultimately these systems should be removed from service and the sites migrated to newer web servers that can still be updated. This brings me to the tip of the month: end-of-life software.
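As an added example that is not part of the original post, here is a small Python check a defender can run against their own IIS hosts to confirm that the WebDAV mitigation actually took effect: it sends an HTTP OPTIONS request and reports whether the reply still advertises WebDAV (a DAV or MS-Author-Via header, or WebDAV methods in the Allow/Public lists). The indicator list, the helper names and the sample replies are my own assumptions and constructions, not values from the post.

```python
import sys
import http.client
from urllib.parse import urlparse

# HTTP methods that only exist when a WebDAV extension is handling requests.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def webdav_exposed(headers):
    """Inspect the headers of an OPTIONS reply (dict; header names in any case)
    and return the set of WebDAV indicators found. An empty set means the
    server no longer advertises WebDAV on that path."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = set()
    for name in ("dav", "ms-author-via"):  # headers a WebDAV server emits
        if name in lower:
            found.add(f"{name.upper()}: {lower[name].strip()}")
    for name in ("allow", "public"):  # method lists in the reply
        methods = {m.strip().upper() for m in lower.get(name, "").split(",")}
        found.update(methods & WEBDAV_METHODS)
    return found


def check_server(url, timeout=5):
    """Send OPTIONS for the path in url and return webdav_exposed() of the reply."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("OPTIONS", u.path or "/")
        resp = conn.getresponse()
        return webdav_exposed(dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample replies (not captured from a real server), shaped like an
# IIS 6.0 host with the WebDAV extension allowed versus prohibited.
SAMPLE_WEBDAV_ON = {
    "Server": "Microsoft-IIS/6.0",
    "DAV": "1, 2",
    "MS-Author-Via": "DAV",
    "Allow": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
             "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
    "Public": "OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, "
              "DELETE, COPY, MOVE, LOCK, UNLOCK, SEARCH",
}
SAMPLE_WEBDAV_OFF = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
    "Public": "OPTIONS, TRACE, GET, HEAD, POST",
}

if __name__ == "__main__":
    for target in sys.argv[1:]:  # e.g. http://intranet-host/  (hosts you administer)
        hits = check_server(target)
        verdict = "WebDAV ADVERTISED: " + ", ".join(sorted(hits)) if hits else "no WebDAV indicators"
        print(target, verdict)
```

Run it against your own servers after prohibiting the WebDAV extension; a host that still reports indicators has not actually had the mitigation applied on that site.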
There is no greater threat of exposure than software that is no longer being updated. Software is like milk: it has an expiration date, and past that date it will go bad. As software ages, the underlying technology it is built on, the components it integrates with and the protocols it uses will all be exposed over time.
Steps to Better Security Hygiene
Leaving EoLed software in your environment is like leaving all of the apples within reach on the tree and climbing a ladder to pick only the ones higher up. Now all that low-hanging fruit is waiting for the threat actor to come by and pick away. EoLed software should be eliminated as quickly as possible. If you plan to keep it around, you had better have a number of mitigation strategies in place to ensure it is not exposed, including the following:
- Purchase extended support from the vendor (Java 7, Win XP and Server 2003 are good examples where the vendor offers additional support for a price)
- Remove it from public accessibility (like public web servers)
- Segregate it from the network — move it into a VDI environment accessible only to essential personnel who are not running as full admins
- Add additional layers of defense like device control and application control
- Require identity-based access control to reach the environment.
But the best option is still to migrate critical apps or retire them.
Your Patch Tuesday Forecast
I would wager that we are going to see a much lighter set of updates from Microsoft this month, which is an easy guess after March.
From Microsoft we are likely looking at around 3-6 installable packages:
- With IE broken out of the security bundle, you will see separate OS and IE updates for pre-Windows 10/Server 2016 systems.
- We have been seeing more Silverlight and other component updates lately. I am expecting 2 or 3 other components for things like .NET, Silverlight, etc.
- Office is likely, since it received updates pretty much every month in 2016. Expect at least a couple here, one of which will hopefully be a resolution to the Zero Day in Microsoft Word.
From Adobe you can expect 1-3 updates:
- Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all of 2016, so expect that update.
- Adobe Reader and Acrobat are due for updates.
From Oracle you can expect Java! No, not coffee… a critical update.
As always, you can expect to catch our Patch Tuesday analysis shortly after Microsoft releases on Patch Tuesday, and join our monthly Ivanti Patch Tuesday webinar on Wednesday, April 12th.