<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/todd-schell/rss" /><link>https://www.ivanti.com/blog/authors/todd-schell</link><item><guid isPermaLink="false">331fe042-9a9f-4fc2-9264-3a7113fcdc48</guid><link>https://www.ivanti.com/blog/how-implementing-risk-based-patch-management-prioritizes-active-exploits</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>How Risk-Based Patch Management Prioritizes Active Exploits</title><description>&lt;p&gt;Resistance to change is always present, especially if you think the processes you have in place are efficient and effective. Many organizations feel this way about their software management procedures until they have a security breach or incident and are left wondering where they went wrong.&lt;/p&gt;

&lt;p&gt;The reality is that most patch management programs are built on assumptions and recommendations, rather than facts about actively exploited vulnerabilities.&amp;nbsp;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Risk-based patch management&lt;/a&gt;&amp;nbsp;is the answer to this issue.&lt;/p&gt;

&lt;p&gt;In this article, find:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="#one"&gt;What’s wrong with keeping typical prioritizations.&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#two"&gt;What risk-based patch management is.&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#three"&gt;Why it’s the perfect time to adopt risk-based patch management.&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;h2 id="one"&gt;The problems with typical patch prioritization&lt;/h2&gt;

&lt;p&gt;Software feature updates, security fixes, bug fixes, performance enhancements and many other types of software releases have existed since the software industry started. Vendors often assign a severity rating or other score to each of these to let customers know what they think is most important.&lt;/p&gt;

&lt;p&gt;Unfortunately, there’s no industry standard associated with these ratings, so we are left to compare and prioritize releases for deployment on our systems based on recommendations. On top of that, such ratings are rarely updated to account for active threat context even as vulnerabilities change.&lt;/p&gt;

&lt;h3&gt;Overlooking an actively exploited vulnerability&lt;/h3&gt;

&lt;p&gt;While better than nothing at all, vendor severity ratings often come up short.&amp;nbsp;Consider the Follina vulnerability (&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190" rel="noopener" target="_blank"&gt;CVE-2022-30190&lt;/a&gt;),&amp;nbsp;published in May of 2022. This vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows for remote code execution.&lt;/p&gt;

&lt;p&gt;Follina was under attack for several months before Microsoft finally responded with several updates. Alarmingly, Microsoft only assigned this vulnerability a Common Vulnerability Scoring System (CVSS) v3 rating of 7.8 and severity of Important. If you’re only patching based on Critical severity,&amp;nbsp;you'd&amp;nbsp;have missed this one, leaving a significant gap in your attack surface.&lt;/p&gt;

&lt;p&gt;Worse yet, Follina’s CVSS score remained at 7.8 even after it was revealed the vulnerability was being&amp;nbsp;&lt;a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker" rel="noopener" target="_blank"&gt;actively exploited to distribute Bisamware ransomware&lt;/a&gt;, exposing organizations that had overlooked the vulnerability to even more risk.&amp;nbsp;&lt;/p&gt;

&lt;figure&gt;&lt;img alt="Ivanti Neurons for Vuln KB" src="https://static.ivanti.com/sites/marketing/media/images/blog/2023/05/bisamware-ransomware-intel.png"&gt;
&lt;figcaption&gt;Intelligence on the ransomware threat associated with CVE-2022-30190 displayed in Ivanti Neurons for VULN KB&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h3&gt;CVSS shortcomings&lt;/h3&gt;

&lt;p&gt;Severity ratings are ‘augmented’ with CVSS scores from&amp;nbsp;&lt;a href="https://www.first.org/cvss/" rel="noopener" target="_blank"&gt;FIRST&lt;/a&gt;. Each CVE is assigned a CVSS number, such as the 7.8 given to CVE-2022-30190 in the example above.&lt;/p&gt;

&lt;p&gt;One of the major objectives behind&amp;nbsp;calculating&amp;nbsp;the actual CVSS number is to ensure standardization so all CVEs are scored consistently and can be accurately compared. The higher the CVSS score for a vulnerability and the associated patch, the more critical it is to deploy in most environments.&lt;/p&gt;

&lt;p&gt;For software updates that address multiple CVEs, the highest CVSS value is usually considered for prioritization. But is this value even accurate?&lt;/p&gt;

&lt;p&gt;The results of an analysis of CVSS scores in a&amp;nbsp;&lt;a href="https://www.darkreading.com/application-security/discrepancies-discovered-in-vulnerability-severity-ratings" rel="noopener" target="_blank"&gt;recent article&lt;/a&gt; showed&amp;nbsp;there's&amp;nbsp;a discrepancy for nearly 20% of CVSS scores (25,000). This analysis was based on a comparison of the scores reported in the NIST National Vulnerability Database (NVD) and those reported directly by the vendors themselves.&lt;/p&gt;

&lt;h3&gt;Vendor severity inconsistencies&lt;/h3&gt;

&lt;p&gt;One important point to keep in mind is vendors have historically assigned their own terminology to severity (e.g., critical, important).&amp;nbsp;Using&amp;nbsp;vendor severity scoring as a priority mechanism may work well when comparing all patches by a given&amp;nbsp;vendor,&amp;nbsp;but&amp;nbsp;doesn't&amp;nbsp;always provide an accurate comparison of patches between vendors. In fact, many use different terminology entirely.&lt;/p&gt;

&lt;p&gt;Likewise, vendor severity&amp;nbsp;isn't&amp;nbsp;always a positive indicator. Many zero-day vulnerabilities are only rated Important by Microsoft but have high CVSS numbers. Prioritizing patches by severity and CVSS means relying on assumptions and recommendations, and it can result in a vulnerable environment.&lt;/p&gt;

&lt;h3&gt;Why prioritize active exploits over any other prioritization method?&lt;/h3&gt;

&lt;p&gt;According to the US&amp;nbsp;Cybersecurity and Infrastructure Security Agency (CISA), an&amp;nbsp;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;actively exploited vulnerability&lt;/a&gt;&amp;nbsp;is “one for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner.” In layman’s terms, a vulnerability under active exploitation is one&amp;nbsp;that's been used by a threat actor to launch a cyberattack.&lt;/p&gt;

&lt;p&gt;Thus, to minimize the risk of an attack on your organization, you must prioritize actively exploited vulnerabilities above all others. This is good news as most vulnerabilities aren't being actively exploited and thus pose little to no risk to your organization. You can identify those that have been exploited through risk-based patch management.&lt;/p&gt;

&lt;h2 id="two"&gt;What is&amp;nbsp;risk-based patch management?&lt;/h2&gt;

&lt;p&gt;Risk-based patch management is an extension of risk-based vulnerability management, which goes beyond vendor severity and basic CVSS scores to identify and qualify the specific vulnerabilities that pose the most significant risk to an organization. This brings real-world risk context into the patch management process so that IT teams can focus their efforts on updates with known exploited vulnerabilities that matter most to an organization’s security posture.&lt;/p&gt;

&lt;h3&gt;How can my organization adopt risk-based patch management?&lt;/h3&gt;

&lt;p&gt;For organizations ready to adopt a risk-based approach to patch management, a good place to start is the CISA&amp;nbsp;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;Known Exploited Vulnerabilities&lt;/a&gt; (KEV)&amp;nbsp;catalog. CISA took a major step forward to help prioritize vulnerabilities when it introduced&amp;nbsp;&lt;a href="https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities" rel="noopener" target="_blank"&gt;Binding Operational Directive 22–01&lt;/a&gt;&amp;nbsp;along with its KEV&amp;nbsp;catalog.&amp;nbsp;When originally released, the catalog contained some 200 actively exploited vulnerabilities. It has since grown to almost 900.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;CISA builds the list with the knowledge the vulnerabilities it contains are being exploited in the wild by active threats.&amp;nbsp;However, the list does have its shortcomings, as it currently excludes&amp;nbsp;&lt;a href="https://www.securin.io/ransomware/" rel="noopener" target="_blank"&gt;131 vulnerabilities associated with ransomware&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Is the CISA KEV catalog the only resource available for risk-based patch management?&lt;/h3&gt;

&lt;p&gt;Organizations with more mature risk-based patch management practices leverage advanced risk scoring methodologies in place of or in addition to CVSS. These methodologies assign scores to every vulnerability identified in an organization’s environment, allowing those organizations to expand their risk-based approach beyond the CISA KEV.&lt;/p&gt;

&lt;p&gt;Many vendors in the risk-based vulnerability management space have developed proprietary scoring methodologies that represent the true risk posed by a vulnerability. They do so by delivering dynamic risk ratings that give extra weight to actively exploited vulnerabilities.&lt;/p&gt;

&lt;p&gt;For example, Ivanti’s&amp;nbsp;&lt;a href="/resources/v/doc/ivi/2683/cbe60d387c0b" target="_blank"&gt;Vulnerability Risk Rating&lt;/a&gt; (VRR)&amp;nbsp;has assigned Follina a score of 10, a score that more accurately represents the risk posed by that vulnerability than its CVSS score of 7.8.&lt;/p&gt;

&lt;figure&gt;&lt;img alt="Ivanti's VRR rating of Follina." src="https://static.ivanti.com/sites/marketing/media/images/blog/2023/05/follina-cvss-vs-vrr.png"&gt;
&lt;figcaption&gt;The difference between the VRR and CVSS v3 scores and severity levels for CVE-2022-30190 as shown in Ivanti Neurons for VULN KB&amp;nbsp;&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2 id="three"&gt;Why it’s the perfect time to adopt risk-based patch management&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;If you feel you’ve fallen behind on system updates or are overwhelmed by new systems and applications in your company, now is the perfect time to adopt risk-based patch management.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Even if you feel you have a solid program in place based on severity ratings and CVSS scores, it’s time to remove the resistance to change and start a new process before your business is devastated by a data breach stemming from an exploited vulnerability.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Start by using the CISA KEV to prioritize your updates and&amp;nbsp;earmark&amp;nbsp;a budget&amp;nbsp;for a risk-based vulnerability and patch management solution. With the proper tools in&amp;nbsp;place,&amp;nbsp;you can quickly identify the highest risk systems to patch first and work down the list to ensure your systems are secure.&lt;/p&gt;

&lt;p&gt;Looking to take the first step? Dive into this eBook for&amp;nbsp;a one-stop guide for&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/v/doc/ivi/2705/11190ce11e80"&gt;implementing a modern risk-based patch management program&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

</description><pubDate>Fri, 03 Jan 2025 18:10:36 Z</pubDate></item><item><guid isPermaLink="false">089b75d6-4633-4427-8e04-c0fbdd6e5542</guid><link>https://www.ivanti.com/blog/effective-modern-patch-management-processes-and-best-practices-for-patch-operations</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Management</category><title>Effective Modern Patch Management Processes and Best Practices for Patch Operations</title><description>&lt;p&gt;Running a &lt;a href="https://www.ivanti.com/products/risk-based-vulnerability-management"&gt;risk-based vulnerability management program&lt;/a&gt; is essential to maintaining a secure business computing environment. In a previous blog, “&lt;a href="https://www.ivanti.com/blog/how-implementing-risk-based-patch-management-prioritizes-active-exploits"&gt;How Implementing Risk-Based Patch Management Prioritizes Active Exploits&lt;/a&gt;,” I provided perspective on how to prioritize vulnerabilities. Honing the operational aspect of securing your systems is essential to that process.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Conducting patch operations in your organization can be a complicated process. Even with some perspective on vulnerability priority, you still need to consider:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;The release cadence of patches.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Supporting policies to make this process effective.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Campaigns to deploy the updates.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Service-level agreements (SLA) and compliance measurement.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This may seem like a lot to balance – but a flexible system that manages planned events and can account for the unplanned will put you in total control.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Do you have control?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;There are some facets of patch releases you can plan for and others you can’t.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Take for example the cadence of security patch releases. On Patch Tuesday, the second Tuesday of each month, Microsoft attempts to release all its latest updates. These include updates for operating systems, Office and other user applications, development tools like Visual Studio and cloud components in Azure to name a few.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patch Tuesday, which celebrated its 20th anniversary in October 2023, is the foundation for many patch programs – providing a point in time to distribute all the latest Microsoft and available third-party updates. No other vendor has had such a profound impact on driving organizational patch programs – and to this day the monthly patch cycle, anchored on Patch Tuesday, remains a standard in the industry.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Other vendors have attempted to follow suit and release their updates on a schedule:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Oracle releases its &lt;a href="https://www.oracle.com/security-alerts/" rel="noopener" target="_blank"&gt;Critical Patch Update&lt;/a&gt; once a quarter.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Adobe typically releases its updates once a month, often in sync with Patch Tuesday.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Google recently began releasing a single update each week.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;However, most vendors release security updates as soon and as often as they can to make sure they are addressing vulnerabilities as quickly as possible. This results in a random and never-ending stream of updates that need to be constantly prioritized and distributed across an organization.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Patch management process for policies and campaigns&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Bringing the chaos of patch releases under control requires a clearly defined set of rules and an infrastructure to enforce them. In the patch realm these translate to policies and campaigns.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patch policy requires a wide range of considerations beyond prioritizing vulnerabilities, including the impact of updates on business operations, applicability to different types of systems, degree of control over the updates and other factors.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patch policies offer a study in contrast, depending on your business. For a server hosting critical business applications, its policy involves a clearly defined set of updates under strict configuration control, occurs only during a defined maintenance window, and always enforces a reboot upon completion to ensure the system is fully updated. The patch policy for a marketing user’s laptop identifies a series of applications with approved updates that may or may not be present and lets the user delay updates and reboot when convenient.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Campaigns take these policies into account but also bring control to the myriad patches constantly being released.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Modern patch management best practices require more frequent patching than just once a month. Google Chrome patches are being released weekly, and zero-day patches can be released at any time. A monthly campaign will leave many systems vulnerable for extended periods of time.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Establish three types of campaigns&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;A best practice is to establish three types of campaigns: regular maintenance, priority updates and critical deployments.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Regular maintenance campaign&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Regular maintenance campaigns enforce the standard monthly ringed rollout of patches most organizations use today. This campaign includes:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Initial testing in a controlled environment to ensure patches install as planned.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Rollout to a larger pilot group of early adopters who are on the lookout to report issues.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Rollout to the pre-defined groups of production systems to complete the overall distribution.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The patches in a maintenance campaign include security updates that are released less frequently, like Microsoft Patch Tuesday releases, as well as performance or application upgrades. The targeted systems in this campaign may also be those that have limited maintenance windows and cannot be interrupted without major business impact. Most patches will most likely fall into the priority updates campaign.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Priority updates campaign&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The priority updates campaign is designed to quickly address those systems that have ongoing exposure to new vulnerabilities but can be updated more frequently. User systems running productivity applications and browsers fall under this campaign and are often at the highest risk with exposure to phishing, malware and ransomware.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The patches associated with this campaign are often the highest priority due to vulnerabilities with known exploitation but may also be of relatively low business impact, requiring a browser or application restart. As a result, the policies may have a shorter test cycle before release and may be more quickly distributed to larger groups of systems that are not business critical. For example, servers may not have a browser installed, but sales laptops do.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Zero-day response campaign&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The zero-day response campaign is reserved for the “hair on fire” company- or industry-mandated emergency patch deployment that must be in place within a short period of time. This campaign takes precedence over all others.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The policy for this campaign could shorten the time or lower the standards between gated rollout – or it could ignore them altogether depending upon the SLA which must be met. Most importantly with zero-day response campaigns: This is still a controlled distribution of patches, and all activity is still reported to accurately track campaign events to completion.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Exposure time determines compliance&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;If compliance is measured in terms of fully patched machines, then under this metric most systems are only compliant for a limited number of hours each month. While technically accurate, this is a poor indicator to show the security of the system over time under a risk-based program. Showing the “exposure time” to a given vulnerability or group of vulnerabilities provides a better indicator of risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Here’s an example: &lt;a href="https://www.ivanti.com/blog/may-2024-patch-tuesday"&gt;CVE-2024-4761&lt;/a&gt; was reported fixed in a Google Chrome update released May 14, which happened to be May Patch Tuesday.&amp;nbsp; The next day, this Chrome patch was added to a priority update campaign that included a two-week distribution period across 500 systems in Group 1 and 1,000 systems in Group 2. Assuming most systems were successfully updated within that two-week window, a report would show when each system was updated, but more importantly how long each of these 1,500 systems remained unpatched – exposed to the vulnerability and at risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is a simple one-vulnerability, one-patch example. But if there were multiple patches in the campaign with several vulnerabilities, the information could be aggregated to provide a more comprehensive campaign view. If multiple campaigns were run over the same period, the result could be overlaid or combined to provide an even more accurate risk assessment.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Armed with this data, you can show an auditor the true security state of your systems. Perhaps more importantly, you can start to assess the results and improve the effectiveness of your modern patch management operation. At that point, you are running the operation – it’s not running you.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Thu, 01 Aug 2024 06:01:00 Z</pubDate></item><item><guid isPermaLink="false">94256912-65bc-444d-9985-a3d0e4d5eaf0</guid><link>https://www.ivanti.com/blog/june-patch-tuesday-2022</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>June Patch Tuesday 2022</title><description>&lt;p&gt;June Patch Tuesday is here, and we’ve now reached the midway point of 2022. It’s been an up-and-down six months so far with a wide swing in the number of vulnerabilities Microsoft has been addressing each month. We started off with 85 CVEs addressed in Windows 10 in January, dropped to a low of 21 CVEs in February, and are back up to 97 CVEs addressed in May. This month, we saw 33 vulnerabilities fixed in Windows 10 and its associated servers. The hot discussion topic this past month was CVE-2022-30190, also known as the Follina vulnerability, which was fixed today with updates from Windows 7 through Windows 11. The second phase of the DCOM server security update was also implemented this month. Don’t forget to upgrade Windows 10 1909 and others that reached end-of-life last month and have a plan in place if you still need Internet Explorer 11 for any of your applications. Despite a standard set of updates from Microsoft, there is plenty of additional work to keep us busy this month.&lt;/p&gt;

&lt;h2&gt;Microsoft Patch Tuesday update&lt;/h2&gt;

&lt;p&gt;Microsoft has released their updates resolving 61 unique vulnerabilities, 5 of which are re-issued vulnerabilities from April and May. Only 3 of the new CVEs are rated as Critical. CVE-2022-30190, surprisingly rated as Important, is the only one reported as known exploited and publicly disclosed this month. Updates this month affect the Windows Operating System, O365 applications, Exchange Server, .Net, Visual Studio, RDP, Hyper-V and a rare security update to SQL Server as well.&lt;/p&gt;

&lt;p&gt;The most important of the 3 new Critical updates is for CVE-2022-30136, a network file system remote code execution vulnerability impacting Windows Server 2012, Server 2016, and Server 2019. It has a CVSS score of 9.8 due to its Network attack vector and Low complexity to exploit. In addition to updates which were released, Microsoft has provided detailed mitigation options in the CVE KB. The other two Critical CVEs, CVE-2022-30139 and CVE-30163, are also remote code execution vulnerabilities, in Lightweight Directory Access Protocol (LDAP) and Hyper-V respectively; these are more difficult to exploit and have lower CVSS scores. All three should be given priority depending upon the level of risk they impart on your systems.&lt;/p&gt;

&lt;p&gt;Microsoft has also re-issued an update from June 2021 to CVE-2021-26414 DCOM Server Security Feature Bypass. This is phase 2 of 3 in the process of improving overall server security. With this month’s release, the registry key RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers is now enabled by default. Administrators can still manually disable it if needed for their environment. The final phase will occur with the March 2023 Patch Tuesday update where it will be permanently enabled. Complete details surrounding DCOM can be found in &lt;a href="https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c" target="_blank" rel="noopener"&gt;KB 5004442&lt;/a&gt;—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).&lt;/p&gt;

&lt;p&gt;Take note that Microsoft also released &lt;a href="https://msrc.microsoft.com/update-guide/vulnerability/ADV220002" target="_blank" rel="noopener"&gt;Advisory 220002&lt;/a&gt; Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities which describes several CVEs addressed this month as part of a set of Intel updates.&lt;/p&gt;

&lt;h2&gt;The Follina vulnerability&lt;/h2&gt;

&lt;p&gt;The hot topic this month has been around &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190" target="_blank" rel="noopener"&gt;CVE-2022-30190&lt;/a&gt;, also known as the Follina vulnerability. This vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows for remote code execution. This diagnostic tool sends troubleshooting information back to Microsoft when you have a problem on your local machine. The vulnerability is exploited via malicious code included in a Word document, and what makes it particularly troublesome is the user doesn’t even have to open the document directly. Any Office program that provides a preview mode will trigger the exploit. This vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month, because although it shows up in the Vulnerabilities list of the Security Guide, it was not shown in the breakdown of CVEs for each patch.&lt;/p&gt;

&lt;h2&gt;EOL and EOS&lt;/h2&gt;

&lt;p&gt;Internet Explorer is &lt;a href="https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge" target="_blank" rel="noopener"&gt;officially&lt;/a&gt; (almost) coming to an end tomorrow - June 15&lt;sup&gt;th&lt;/sup&gt;. Internet Explorer 11 (IE 11) is the last of the line and will no longer be supported in Teams, Office 365, and most versions of the Windows operating system. If you still need IE 11 for critical business functionality, Microsoft recommends using IE mode in the Edge browser. This functionality is scheduled to be supported in Edge until 2029. The IE 11 desktop application will continue to get security updates in Windows 8.1, Windows 7 (ESU), and Windows Server LTSC until they reach their respective EOL dates. This &lt;a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549" target="_blank" rel="noopener"&gt;Microsoft FAQ&lt;/a&gt; provides the best details on the end of this longtime favorite application.&lt;/p&gt;

&lt;p&gt;Remember, you won’t see any updates for Windows 10 1909 Enterprise and Education, 20H2 Professional, or Windows Server 20H2 this month. May contained the last Patch Tuesday updates for those operating systems, so you should be moving to an updated and supported version as soon as possible to minimize your exposure. Under the Microsoft SaaS model, the next Windows 10 EOLs come in December so you have a little breathing room until the next round.&lt;/p&gt;</description><pubDate>Tue, 14 Jun 2022 22:55:13 Z</pubDate></item><item><guid isPermaLink="false">341dc4a0-8898-4b4c-96a8-5de247fb97a5</guid><link>https://www.ivanti.com/blog/patch-security-in-2019</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><title>Are We Doing Better? Patch and Security in 2019 So Far</title><description>&lt;p&gt;The year 2019 has been an interesting one for security so far. A record number of vulnerabilities have been reported with Microsoft, Adobe, Mozilla, Google, and others cranking out regular security updates. We’ve also seen some easily exploited vulnerabilities hit the public domain, with lots of media hype and the potential for catastrophic exploitation … but the number of associated and reported attacks has been relatively low. Are we finally getting ahead of the attackers and closing the gaping holes in our systems?&lt;/p&gt;

&lt;h3&gt;Plenty of Potential Risk but No WannaCry Scale Attacks&lt;/h3&gt;

&lt;p&gt;Let’s begin by reviewing the updates released by Microsoft this year up through August Patch Tuesday.&lt;/p&gt;

&lt;p&gt;During this time period, there have been 10 zero-day and 18 publicly disclosed vulnerabilities reported. As expected, Windows 10 and its associated server versions continue to get the most attention having the most vulnerabilities addressed. The average number of CVEs fixed each month is 55, with a high of 78 in August and a low of 32 in January.&lt;/p&gt;

&lt;p&gt;The legacy operating systems also get their fair share of attention. For example, Windows 7/Server 2008 R2 averages 32 CVEs fixed each month, as does Windows 8/Server 2012 R2. Like Windows 10, the low number of CVEs addressed occurred in January, with 15 and 18 respectively for those two groups. The high numbers occurred in June for Windows 7/Server 2008 R2 at 49 and in August for Windows 8/Server 2012 R2 at 43. The general trend has been a slow growth in the number of CVEs addressed each month, so we will see if that continues to the end of the year.&lt;/p&gt;

&lt;h3&gt;Microsoft Gets the Most Attention, But All Vendors Are Responding&lt;/h3&gt;

&lt;p&gt;Microsoft gets the bulk of the attention because of Patch Tuesday, but all vendors have been responding to the growing number of reported vulnerabilities. Oracle Java 8 and 11 updates have addressed 4, 5, and 10 vulnerabilities in the first three Critical Product Update releases this year.&lt;/p&gt;

&lt;p&gt;Browser software is always in the spotlight because it’s so heavily used. The major security updates for Google Chrome and Mozilla Firefox have addressed an average of 19 and 21 CVEs, respectively. These vendors also have to respond to zero-days from time to time, such as this &lt;a href="https://www.zdnet.com/article/google-chrome-zero-day-was-used-together-with-a-windows-7-zero-day/" target="_blank" rel="noopener"&gt;Chrome issue&lt;/a&gt; back in March. Apple has been busy with regular bi-monthly releases for iTunes and iCloud, averaging 19 CVE fixes. These are just a few of the vendors Ivanti supports, but they provide a good example of the pace and volume of security updates that must be managed.&lt;/p&gt;

&lt;p&gt;Microsoft is aggressively improving the overall security and stability of their upgrade process. They began a six-month campaign in March of this year to switch the digital signature on all operating-system and product updates from using Secure Hash Algorithm 1 (SHA-1) to SHA-2. This required installing the current SHA-2 algorithms in all the operating systems so they could read and deploy the newly signed patches.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Microsoft took a phased approach using both dual-signed patches in conjunction with the SHA-2 operating system upgrades where needed. The campaign came to completion on September Patch Tuesday, with operating system releases for Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 signed only with SHA-2. SHA-1 was an excellent algorithm when originally released but the latest advances in high-speed computing have put its security at risk, so Microsoft rightfully moved to the latest security standard in SHA-2.&lt;/p&gt;

&lt;p&gt;Microsoft released regular &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001" target="_blank" rel="noopener"&gt;Service Stack Updates&lt;/a&gt; (SSUs) to improve their update process. The SSUs essentially update the Windows Update components on the endpoint. These updates have been released for both Windows 10 and the legacy operating systems. Some are required in order to perform the next update, and ALL are strongly recommended by Microsoft. Major updates for almost all versions of Windows 10 were released in February and May. The “software as a service model” will continue to evolve as Microsoft provides regular adjustments to the process.&lt;/p&gt;

&lt;h3&gt;Remote Desktop Services Vulnerabilities – “BlueKeep”&lt;/h3&gt;

&lt;p&gt;The remote desktop services vulnerabilities, also known as “BlueKeep”, were first reported and addressed in the May Patch Tuesday release. The most publicized vulnerability was &lt;a href="https://msrc.microsoft.com/blog/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/" target="_blank" rel="noopener"&gt;CVE-2019-0708&lt;/a&gt;, which is “wormable”. This means it could be exploited without authorization and without user interaction. An attack could propagate silently from computer to computer, supporting an Internet worm attack.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The vulnerability was found and fixed in Windows 7 and Server 2008 R2. Because of the high potential risk of exploitation, updates were also released for the out-of-support XP and Server 2003, which also contain the vulnerability. June Patch Tuesday continued to raise awareness around the BlueKeep vulnerability.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The first &lt;a href="https://news.sophos.com/en-us/2019/07/01/bluekeep-poc-demonstrates-risk-of-remote-desktop-exploit/" target="_blank" rel="noopener"&gt;demos&lt;/a&gt; of exploitation by Sophos and others appeared in July, and not long thereafter an active exploit was found in a crypto-mining package. The media hype and threat of another WannaCry-type event spurred the industry to apply the latest updates—and few known attacks were reported. Interestingly, a second round of remote-desktop vulnerabilities surfaced in August, so we’ll be monitoring them closely.&lt;/p&gt;

&lt;h3&gt;Spectre and Meltdown Vulnerabilities&lt;/h3&gt;

&lt;p&gt;Our “friends” from 2018—the Spectre and Meltdown vulnerabilities—were also in the news this year. Just as a reminder, Spectre is named after “Speculative Execution”, which is a vulnerability in the firmware of the CPU that allows an attacker to run tasks in advance of others. Updates from Microsoft help to mitigate some of the issues, but microcode updates from Intel are required to fix the actual vulnerability.&lt;/p&gt;

&lt;p&gt;In the first part of 2019, we’ve seen updates for both Variant 2 in April and Variant 1 in August. In May, we saw the arrival of &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013" target="_blank" rel="noopener"&gt;Microarchitectural Data Sampling (MDS) vulnerabilities&lt;/a&gt;. While similar, these are considered more &lt;a href="https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/" target="_blank" rel="noopener"&gt;dangerous&lt;/a&gt; than Spectre because the vulnerability allows information to be read directly from the CPU buffers. Unlike the BlueKeep vulnerabilities, those associated with Spectre and MDS are much more difficult to exploit, requiring highly specialized code to both access and process the data retrieved. While also getting some publicity, it’s not surprising there have been no known successful attacks exploiting these vulnerabilities.&lt;/p&gt;

&lt;p&gt;We saw end-of-support on October 8 for the Windows 10 Enterprise and Education editions of Version 1703. The Home, Professional, and Professional for Workstations editions will do the same for Version 1803 on November 12. Microsoft is now only four months away from the end-of-life for Windows 7 and Server 2008/2008 R2. If you aren’t actively in migration to a newer workstation or server operating system, you should be budgeting for extended support. Microsoft has both cloud and on-premise options to consider. And on a final Windows 10 note, we are looking forward to Version 1909 and the changes it will bring.&lt;/p&gt;

&lt;p&gt;In summary, I would characterize vulnerability remediation and patch operations so far in 2019 as extremely busy, but not frantic. Vulnerabilities are being addressed in a timely manner, the patches are being released and distributed, and IT administrators are deploying them in the next patch cycle. The fact that a high-risk vulnerability like BlueKeep did not result in another WannaCry event supports this view.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For now, I’m going to continue wearing my “rose-colored” glasses and congratulate everyone on a job well done! Let’s continue the good work for the remainder of 2019 but be vigilant as always.&lt;/p&gt;</description><pubDate>Mon, 07 Oct 2019 17:35:26 Z</pubDate></item><item><guid isPermaLink="false">450e7b93-74d6-4103-a27e-c8c70b933c56</guid><link>https://www.ivanti.com/blog/september-patch-tuesday-2019</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>September Patch Tuesday 2019</title><description>&lt;p&gt;September marks the second month in a row with a relatively light set of updates, but that doesn’t mean the threat of attack has gone down. In fact, there have been an escalating number of recent ransomware attacks in the public sector. With the slowdown in patch activity and ransomware back in the news, it’s a good time to take a look at the rest of your IT operations program, especially your cyber-attack and disaster recovery plan. Before we dig into those topics, let’s review this month’s Patch Tuesday updates.&lt;/p&gt;

&lt;p&gt;Microsoft resolved a total of 79 unique CVEs this month. Among the vulnerabilities were three publicly disclosed CVEs. Publicly Disclosed is an indicator of risk that can be used to better prioritize remediation of vulnerabilities. In this case, details of the three vulnerabilities have been made public, giving threat actors a head start on engineering an exploit.&lt;/p&gt;

&lt;p&gt;Microsoft continues to adjust their software update process, releasing service stack updates for all operating systems this month. Usually these release for one or a couple of Windows editions, so for all Windows OSs to be impacted by this one is a bit out of the ordinary. A couple of things to note about servicing stack updates. They are rated as Critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied. The shortest we have seen from availability to enforcement is two months. Our guidance is to begin testing as soon as possible and plan to have these in place before November to be on the safe side. Before October would be best case on the off-chance Microsoft enforces these changes sooner.&lt;/p&gt;

&lt;p&gt;For September, Microsoft provided the usual set of operating system and application security updates. In the pre-Windows 10 operating systems we see as many as 37 CVEs addressed, and 57 CVEs for the latest Windows 10 updates. A critical update addressing seven CVEs was released for all versions of SharePoint Server, so pay close attention to that one. There are important updates for Office and Exchange Server. In keeping with their usual bi-monthly release cadence, Microsoft also issued updates for .NET. However, these updates were for 2012 and newer versions of operating systems.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In wrapping up this month we want to draw attention to some continuing ransomware trends.&lt;/p&gt;

&lt;p&gt;Hardly a month has gone by this year without a report of ransomware attacks against state and local government systems. Ivanti CISO, Phil Richards, wrote a &lt;a href="https://www.ivanti.com/blog/ransomware-in-the-public-sector" target="_blank"&gt;blog&lt;/a&gt; that provides an overview of many of these attacks, and shared his insight on some dangerous trends. According to Phil, “Criminals are demanding higher ransoms of these government entities. They are targeting victims specifically, striking with greater precision and timing, and demanding large sums as ransom.” Of particular interest was an &lt;a href="https://statescoop.com/louisiana-declares-emergency-over-cyberattacks-targeting-schools/" target="_blank" rel="noopener"&gt;attack&lt;/a&gt; against several public school systems in the State of Louisiana. For the first time, a cyber-attack is being treated more like a natural disaster with cybersecurity experts pulled in from multiple state agencies plus Louisiana State University.&lt;/p&gt;

&lt;p&gt;What is the state of your disaster preparedness plan (no pun intended)? Every month I talk about the importance of patching and remediating vulnerabilities, but the harsh reality is that sometimes these actions are not enough or not in time. Are you ready to respond to a cyber-attack? Do you have detection, isolation, and containment resources identified? Once you have the attack under control do you have the recovery process identified, including system restore/reimage and secure data backups to bring everything back online? And finally, make sure you include steps to handle legal and public relations issues. It is very important that everyone involved knows how information is to be shared both inside and outside your organization.&lt;/p&gt;

</description><pubDate>Wed, 11 Sep 2019 01:30:57 Z</pubDate></item><item><guid isPermaLink="false">0034d298-5288-4528-9cdb-830dfa45dab1</guid><link>https://www.ivanti.com/blog/august-patch-tuesday-2019</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>August Patch Tuesday 2019</title><description>&lt;p&gt;August Patch Tuesday was a pleasant relief after the massive release of updates in July. But don’t sit in your lawn chair and open that cold beverage just yet; you still have some things to do before you rest comfortably.&lt;/p&gt;

&lt;p&gt;Microsoft provided a light set of operating system and application security updates. On the operating system side, we see 35 CVEs addressed for Server 2008 up through 78 CVEs for the latest Windows 10 updates. There are the updates for Office and SharePoint, but that’s about it. Microsoft has no Adobe Flash Player update this month either!&lt;/p&gt;

&lt;p&gt;Microsoft resolved a total of 93 unique CVEs this month, but surprisingly there are NO zero days OR publicly disclosed vulnerabilities! It has been a long time since I remember that happening. Glancing through the list, I do see a lot of RDP vulnerabilities this month, so make sure you apply these updates soon. Microsoft calls out two CVEs in particular, CVE-2019-1181 and -1182, in their &lt;a href="https://msrc.microsoft.com/blog/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/" target="_blank" rel="noopener"&gt;Response Center&lt;/a&gt; this month, which could be exploited via a worm attack. All of the operating system updates are rated priority 1 due to critical vulnerability ratings and the possibility of remote code execution.&lt;/p&gt;

&lt;p&gt;One vulnerability of interest is &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506" target="_blank" rel="noopener"&gt;CVE-2019-9506&lt;/a&gt;, titled Encryption Key Negotiation of Bluetooth Vulnerability. CERT/CC has issued CVE-2019-9506 and VU#918987 for this tampering vulnerability, which has a CVSS score of 9.3. It requires specialized hardware to exploit but can allow wireless access and disruption within Bluetooth range of the device being attacked. Microsoft provided an update to address the issue, but the new functionality is disabled by default. You must enable the functionality by setting a flag in the registry. Check out the KB for more details.&lt;/p&gt;

&lt;p&gt;Microsoft may have had a slow day, but Adobe released 8 &lt;a href="https://helpx.adobe.com/security.html" target="_blank" rel="noopener"&gt;updates&lt;/a&gt;. If you are a Creative Cloud or Experience Manager user be sure to review the bulletins because several are rated Critical. Adobe also released updates for Acrobat and the more common Acrobat Reader with details under &lt;a href="https://helpx.adobe.com/security/products/acrobat/apsb19-41.html" target="_blank" rel="noopener"&gt;APSB19-41&lt;/a&gt;.&amp;nbsp;This update for both Windows and macOS fixes 76 vulnerabilities which are all rated as Important.&amp;nbsp; There are updates for the Continuous, Classic 2015, and Classic 2017 versions of the products. There was also a non-security update for Flash, but it was not included with the release from Microsoft.&lt;/p&gt;

&lt;p&gt;With a light patch load this month, it may be a good time to revisit the asset inventory of systems you are patching. We often set up our patch groups of systems and go through the motions each month of applying the latest patches, but we may be missing the bigger picture. IT organizations are often dispersed and the systems they support are constantly changing.&amp;nbsp; Without ongoing communication across the organization or dynamic settings in your patch products, you may be missing many machines that need updates. The good news is the patch tools we use each month have extensive discovery features and can help identify the latest systems on the network.&amp;nbsp; Likewise, there are a whole host of network and system tools you can use. Don’t forget to coordinate with your security operations team. The vulnerability scanners they use have built-in discovery as well.&lt;/p&gt;

&lt;p&gt;Armed with a consolidated list of systems on your network from all these sources, you can confirm your patch groups are up-to-date and investigate any suspicious devices you may have discovered. Finally, with an updated asset inventory and your patches all applied, you can now relax, enjoy the sun, and open that cold beverage!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="Free Whitepaper: What to do BEFORE all hell breaks loose" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/07/hell.breaks.loose.1.png"&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Tue, 13 Aug 2019 22:19:45 Z</pubDate></item><item><guid isPermaLink="false">bae8a93c-3939-4bd4-bfba-9a651614c5ad</guid><link>https://www.ivanti.com/blog/device-control-an-often-overlooked-technology</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><title>Device Control – An Often-Overlooked Technology</title><description>&lt;p&gt;When it comes to IT security, Ivanti strongly supports the defense-in-depth strategy by providing products that underpin the Center for Internet Security (CIS) basic controls. The first and second CIS basic controls are 1) Inventory and Control of Hardware Assets, and 2) Inventory and Control of Software Assets. Device control provides direct enforcement of these controls yet is often overshadowed by patch and application control technologies.&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="Free Whitepaper: What to do BEFORE all hell breaks loose" src="https://static.ivanti.com/sites/marketing/media/images/blog/2018/10/hell.breaks.loose.400267.jpg"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;A Quick Look at This Often-Overlooked Technology&lt;/h2&gt;

&lt;p&gt;Basic device control typically provides management of physical components that can be connected to a workstation, server, or mobile system such as a laptop. An agent is usually installed on the system that can then detect and inventory the currently installed hardware and monitor when other devices are attached.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Of prime concern are USB drives on which sensitive data can be copied and removed from a facility, often without a trace. Device control can be configured to block the attachment of these devices completely or can allow control over these devices by tracking at the vendor, model, or even serial number level. For example, you could allow SanDisk Model xy12 USB devices in your organization but disable use of all others. This would prevent the user from inserting an unknown USB device that may come with pre-installed malware.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;We’ve seen cases where companies are blocking many types of devices that come with added risks—smart keyboards with data storage capability, Bluetooth transmitters, additional network cards, and so forth. The flexibility of device control to meet your needs in this capacity is almost endless for this mature technology.&lt;/p&gt;

&lt;h2&gt;Beyond Physical Device Management&lt;/h2&gt;

&lt;p&gt;There are additional aspects of device control to consider as the term ‘device control’ is often simply construed as management of physical devices only. Ivanti device control includes not only physical control, but encryption of data and monitoring/control of data from a perspective of data loss prevention (DLP).&lt;/p&gt;

&lt;p&gt;The base operating system can be enabled to provide encryption of system disks, which provides laptops with an added level of security in case of theft. However, this encryption does not often extend to removable drives. Device control can provide this added protection, encrypting removable drives so they can be used on other machines with password authentication, or even locking them down further where they can only be used on machines with the device control agent.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Device control can also monitor the volume of data traffic to devices as well as the type of data. In the former case, limits can be set on the amount of data a machine or person can copy to removable media. Likewise, the device control agent can monitor and log the names and types of the files being used. File shadowing is an extension of this option, where copies of the entire file are sent to secondary storage for review. Key word searches can also be performed by device control agents looking within the files themselves as they are copied and then taking appropriate action based on the pre-established policy. As you can see, Ivanti device control is much more than just blocking USB devices.&lt;/p&gt;

&lt;h2&gt;Device Control Implementation&lt;/h2&gt;

&lt;p&gt;Device control implementation is a straightforward, logical process. The device control agents are installed across the desired set of endpoints and are first set to capture device usage. This information is collected as log activity and sent back to a central console for analysis. The administrator reviews the devices that are in use and constructs a policy based on company needs.&lt;/p&gt;

&lt;p&gt;As covered throughout this blog, this policy can address the physical, encryption, and DLP aspects of security, and can be as simple or as complex as needed. Once the policy is established, it can be pushed out to the endpoints and they are placed in audit mode. Best practices dictate a subset of systems should be chosen as the sample test group. Audit mode will show how the policy performs identifying what is blocked and what is allowed. This is very similar in concept to how application control is typically rolled out. At this point, the policy can be updated or ‘fine-tuned’ and placed into enforcement mode. After a period of time and with sufficient positive feedback, the policy can be deployed to a larger group of systems. Again, you can implement at your own pace and ensure your security objectives are being met.&lt;/p&gt;

&lt;p&gt;Device control provides a detailed hardware inventory, a strong degree of control over the use of these devices, and also control over the copying and storage of data on these devices. While not directly controlling your software assets, it does provide insight into what software assets are in use. Device control is not difficult to implement and can provide protection in a frequently overlooked area when all the attention is on network-based attacks.&lt;/p&gt;

&lt;p&gt;Consider device control as you build out your security program; it provides a valuable technology and added layer in the defense-in-depth strategy. Take a few minutes to learn more about &lt;a href="https://www.ivanti.com/products/device-control" target="_blank"&gt;proven device control technology&lt;/a&gt; from Ivanti.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Product manager for Ivanti’s patch-related products, including Patch for Windows, Patch for SCCM, and our OEM patch engines, Todd Schell has also worked in computer security as an officer in the United States Air Force.&lt;/em&gt;&lt;/p&gt;
</description><pubDate>Tue, 23 Oct 2018 23:00:12 Z</pubDate></item><item><guid isPermaLink="false">a783d982-f46a-42e8-8526-ec8c282c3dde</guid><link>https://www.ivanti.com/blog/october-patch-tuesday-2018</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><category>Security</category><title>October Patch Tuesday 2018</title><description>&lt;p&gt;Microsoft has given us a ‘Fall Break’ this October with a very light set of updates. We have one zero-day vulnerability and one publicly disclosed vulnerability and NO security updates for Adobe Flash this month... a break indeed!&lt;/p&gt;

&lt;p&gt;The zero-day vulnerability is &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453" rel="noopener" target="_blank"&gt;CVE-2018-8453&lt;/a&gt;. This vulnerability exists in the Win32 component of the operating system, which fails to properly handle objects in memory.&amp;nbsp;An attacker first needs to log into the operating system, but then can exploit this vulnerability to run code in the kernel and gain administrator privileges.&amp;nbsp;This vulnerability has a Base CVSS score of 7 and is present in all operating systems with updates this month from Server 2008 through Windows 10.&lt;/p&gt;

&lt;p&gt;The publicly disclosed vulnerability is &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8423" rel="noopener" target="_blank"&gt;CVE-2018-8423&lt;/a&gt;, the Microsoft JET Database Engine Remote Code Execution Vulnerability.&amp;nbsp;An attacker who successfully exploited this vulnerability could take control of an affected system; however, this vulnerability does not allow for elevation of privilege directly.&amp;nbsp;A local user exploiting this vulnerability will have limited rights compared to an administrator. This vulnerability requires a specially crafted file to take advantage of the JET database engine.&amp;nbsp;It also is addressed in all operating systems.&amp;nbsp;The Base CVSS score for this vulnerability is 7.8.&lt;/p&gt;

&lt;p&gt;There was a total of 49 CVEs addressed across the portfolio.&amp;nbsp;As expected, the majority, 33, were fixed in Windows 10, Edge, and the associated Server versions. Also, please note that there was an update for Server 2019, which was made generally available last week.&amp;nbsp;Microsoft continued the trend from last month where they introduced both a monthly rollup and a security-only release for Server 2008.&amp;nbsp;Prior to that there was only a single security update.&amp;nbsp;Updates were released for all supported versions of Exchange Server and SharePoint Server this month as well.&lt;/p&gt;

&lt;h2&gt;Updates for Office&lt;/h2&gt;

&lt;p&gt;Office received updates for Excel, Outlook, PowerPoint, and Word and of course the Office Suite bundle. Office for Mac version 16.17 from last Patch Tuesday, and all future 16.17+ releases, are now officially “Office 2019”. “Office 2016” will continue to receive updates “as needed” until October 2020, and thankfully they now have a &lt;a href="https://support.microsoft.com/en-us/office/end-of-support-for-office-2016-for-mac-e944a907-bbc8-4be5-918d-a514068d0056" rel="noopener" target="_blank"&gt;separate release notes&lt;/a&gt; page for this. Office 2016 will continue to support macOS all the way back to Yosemite (10.10), while Office 2019 requires Sierra (10.12) or later. Office 365 will work fine with either the Office 2016 or Office 2019 patches, though Office 365 is technically now on the Office 2019 branch.&lt;/p&gt;

&lt;h2&gt;Wait on Windows 10 Update&lt;/h2&gt;

&lt;p&gt;If you are looking for Windows 10, version 1809, also known as the Windows 10 October 2018 Update, you can’t download it right now.&amp;nbsp;Microsoft has paused the rollout while they fix some significant issues.&amp;nbsp;The biggest problem reported by many users, our content team included, is that the update deletes all your files in the C:/Users/[username]/Documents/ folder. To add further concern, rolling back to the previous version does not restore the files.&amp;nbsp;There were other problems reported, including a compatibility problem with Intel Display Audio device drivers and Task Manager not displaying proper CPU usage information.&amp;nbsp;Like me, you are probably asking how this can happen. We’re not alone, with&amp;nbsp;several &lt;a href="https://www.theverge.com/2018/10/8/17951298/microsoft-windows-10-bugs-issues-report" rel="noopener" target="_blank"&gt;articles&lt;/a&gt; questioning the Microsoft quality control process and the Insider program, which is supposed to expose all these bugs prior to release.&lt;/p&gt;

&lt;h2&gt;But Wait, There's More&lt;/h2&gt;

&lt;p&gt;I mentioned in my introduction we did not have a Flash update from Microsoft, but Adobe did release a non-security update under &lt;a href="https://helpx.adobe.com/security/products/flash-player/apsb18-35.html" rel="noopener" target="_blank"&gt;APSB18-35&lt;/a&gt;.&amp;nbsp;Apple released a security update for iCloud for Windows 7.7 that addresses 19 vulnerabilities, so definitely look into that if you use Apple products.&lt;/p&gt;

&lt;p&gt;In closing, don’t forget Oracle has their Critical Patch Update (CPU) on October 16 so in addition to their application updates you can get the latest Java patches.&amp;nbsp;Enjoy your fall break!&lt;/p&gt;

&lt;p&gt;Stay informed by visiting&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank"&gt;Ivanti’s Patch Tuesday landing page&lt;/a&gt;&amp;nbsp;for updated analysis and sign up for our&amp;nbsp;monthly &lt;a href="https://www.ivanti.com/webinars" target="_blank"&gt;Patch Tuesday webinar&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Ivanti is the home of award-winning Patch Tuesday coverage. Check it out: &lt;a href="https://www.ivanti.com/company/press-releases/2021/ivanti-wins-two-globee-awards-for-helping-customers-achieve-faster-vulnerability-remediation" target="_blank"&gt;Ivanti wins GOLD from PR World Awards for its Patch Tuesday Campaign!&lt;/a&gt;&lt;/p&gt;

</description><pubDate>Tue, 09 Oct 2018 23:08:54 Z</pubDate></item><item><guid isPermaLink="false">d4a64400-bb8e-4674-9ddf-92c6948e2b3c</guid><link>https://www.ivanti.com/blog/want-to-increase-your-security-start-thinking-like-a-hacker</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><title>Want to Increase Your Security? Start Thinking Like a Hacker</title><description>&lt;p&gt;Do you ever feel overwhelmed when it comes to updating your software? Not sure where to start and what to do first? Or maybe you’re not sure if the &lt;a href="https://www.ivanti.com/blog/9-types-of-phishing-and-ransomware-attacks-and-how-to-identify-them" target="_blank"&gt;malware protection&lt;/a&gt; and other tools and processes you’ve used in the past are still providing the proper security? If so, it may be time to look at your enterprise from the outside and think like a hacker!&lt;/p&gt;

&lt;h2&gt;What’s of Most Value to an Outsider?&lt;/h2&gt;

&lt;p&gt;Securing your systems is all about using common sense and applying some simple risk-management principles. So let’s start by talking about value and targets.&lt;/p&gt;

&lt;p&gt;You should ask yourself, what is the most valuable business information an outsider would want from my systems? What other valuable information do I have on my systems an attacker would want? It may be easy to identify the key business systems because those are critical to your day-to-day operations—and you should be monitoring them closely already. We automatically assume the hackers will be associated with organized crime, a competitor, or a state entity, so we have prioritized protection around these critical operational systems.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;But what about other systems we often overlook? For example, your human resources (HR) systems contain critical personal data of all your employees. A random hacker gaining access to your intranet may not be able to penetrate your critical systems, but they still may be able to gather social security, date of birth, and other information from a less protected HR system. Keep this in mind as you identify and prioritize data assets in your organization.&lt;/p&gt;

&lt;h2&gt;How Would a Hacker Try to Gain Access?&lt;/h2&gt;

&lt;p&gt;Once our potential targets with their valuable data have been prioritized, we need to look at how a hacker would attempt to gain access. Looking at the Verizon 2018 Data Breach Investigations Report (DBIR), we see that our employees continue to be the weakest security links. “Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).”&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The good news, according to the DBIR, is that more people are aware of the danger of opening attachments or clicking on suspicious website links, and a larger number than ever don’t fall prey to this attack. The bad news of course is that it only takes one employee to click and open the door.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;So, thinking like a hacker, you would want to create a very realistic website or email attachment that may be appealing for your employees to open. To counter this, in addition to continuing your employee security awareness training, you’ll want to make sure these avenues of attack are restricted. Keep the web browsers and internet-facing components such as Flash updated to their latest version, ensuring the reported vulnerabilities are closed. And to cover that email threat, make sure you have a good spam-blocking and malware-detection capability in place.&lt;/p&gt;

&lt;p&gt;But we know that hackers will get some malware onto your intranet. It could enter through that curious employee, or maybe via a direct network attack that found a hole in your firewall.&lt;/p&gt;

&lt;p&gt;Now what do you do?&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Again, turning to the Verizon 2018 DBIR, the most common file types of ‘first-stage’ malware, i.e., used to initially compromise a system, are: JavaScript (.js), 37.2%; Visual Basic Script (.vbs), 20.8%; MS Office, 14.8%; and PDF, 3.3%. Second-stage malware is typically a full executable of some type, but can be anything based on capabilities of the initial malware. It may be less clear what to do at this point.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Thinking like a hacker, my malware may attempt to grab a password file, open the firewall, search for keywords in files, encrypt files for ransom, delete log files, and so forth. As the administrator charged with combating all these vectors of attack, you’ll need to take a ‘multi-pronged’ approach as well.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;First, as you did with the browsers, make sure your applications and software add-ons, like Java, are up-to-date. Some of this malware is successful because it exploits a known vulnerability. Second, enforce least privilege in your organization. Most malware break-ins assume the privilege level of the user who let them in the door. The malware will be limited in what it can do if it’s not running with administrator privileges.&amp;nbsp; And finally, consider running security software that can detect and prevent unknown or unauthorized applications from running. This is often a big step up for most companies, but the addition of application control will stop many malware attacks before they ever get started.&lt;/p&gt;

&lt;h2&gt;Leverage the Hacker’s Perspective&lt;/h2&gt;

&lt;p&gt;Thinking like a hacker, you can gain a different perspective on your current security implementation and practices. You’ll probably see much more than the few basic ideas I’ve presented here. It may validate your security program or may propel you in a different direction. Don’t be afraid to challenge the status quo with your new perspective and combat the ‘that’s the way we’ve always done it’ mentality. Oh, and by the way, don’t forget that defense in depth still has its place, which I think we demonstrated in this discussion.&lt;/p&gt;

&lt;p&gt;Carve out some time to consider what Ivanti’s &lt;a href="https://www.ivanti.com/network-security" target="_blank"&gt;Endpoint Security&lt;/a&gt; solutions could offer your organization. You can also &lt;a href="https://www.ivanti.com/lp/security/demos/endpoint-security-solutions"&gt;request a free demo&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Product manager for Ivanti’s patch-related products, including Patch for Windows, Patch for SCCM, and our OEM patch engines, Todd Schell has also worked in computer security as an officer in the United States Air Force.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="National Cybersecurity Month: How to be Prepared" src="https://static.ivanti.com/sites/marketing/media/images/blog/2018/10/sm-copy-of-cybersec-month_ppc-bnr-1200x628.jpg"&gt;&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
</description><pubDate>Mon, 01 Oct 2018 20:08:29 Z</pubDate></item><item><guid isPermaLink="false">ecd0a026-e99d-4bc8-8522-c28dfe122afe</guid><link>https://www.ivanti.com/blog/shore-up-your-security-visit-ivanti-at-microsoft-ignite</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><title>Shore Up Your Security: Visit Ivanti at Microsoft Ignite</title><description>&lt;p&gt;Do you ever have those days when you just dread going in to work?&amp;nbsp;You know it’s coming and you avoid it like the plague.&amp;nbsp;It happens at the same time each quarter and is just a struggle to deal with – tedious, time-consuming . . . &lt;em&gt;sigh.&amp;nbsp;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Yes, of course I’m talking about dealing with the latest vulnerability scan report from your security auditors!&lt;/p&gt;

&lt;h2&gt;Ivanti at Microsoft Ignite&lt;/h2&gt;

&lt;p&gt;But wait, are you coming to the &lt;a href="https://www.ivanti.com/blog/ivanti-at-microsoft-ignite-2018" target="_blank"&gt;Microsoft Ignite conference&lt;/a&gt; in Orlando this year?&amp;nbsp;Are you using it as an excuse to push off the inevitable?&amp;nbsp;What if I told you we have an easy solution for handling that vulnerability scan issue and you will be excited to get back to work after the conference?&amp;nbsp;If so, you need to stop by Ivanti booth #1600 at the show!&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Ivanti at Ignite: Sept. 24–28 in Orlando, Florida: Booth #1600&lt;/strong&gt;&lt;/p&gt;

&lt;h4&gt;&lt;a href="https://www.ivanti.com/" target="_blank"&gt;Schedule a demo now&lt;/a&gt;&lt;/h4&gt;
&lt;/blockquote&gt;

&lt;p&gt;The October release of &lt;a href="https://www.ivanti.com/products/patch-for-configuration-manager" target="_blank"&gt;Ivanti Patch for SCCM&lt;/a&gt; includes a new feature for managing the Common Vulnerabilities and Exposures (CVEs) found by a vulnerability scanner.&amp;nbsp;This feature allows you to import the most common vulnerability scan results, display the patches that address the CVEs, filter and identify the ones you want to manage, and then publish them to your update point.&amp;nbsp;From there, Configuration Manager will take over and deploy the third-party patches to your endpoints according to your Automatic Deployment Rules.&amp;nbsp;Easy peasy!&lt;/p&gt;

&lt;p&gt;So don’t dread dealing with vulnerability scans! Come by our booth at Ignite. The first 40 people to pre-register for a demo will receive a $20 Amazon gift card!&amp;nbsp;You can also register at the show for a free set of airline tickets to a location of your choice in the United States.&amp;nbsp;You can’t miss us!&amp;nbsp;We will all be wearing the red and yellow aloha shirts.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/" target="_blank"&gt;&lt;img alt="Beaches. Better than Breaches. Enjoy stress-free life w stronger security graphic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2018/08/ignite.blog.png"&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Tue, 11 Sep 2018 17:23:25 Z</pubDate></item><item><guid isPermaLink="false">941b06b3-ec38-4194-8edd-7f8ba261d44b</guid><link>https://www.ivanti.com/blog/august-patch-tuesday-2018</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><title>August Patch Tuesday 2018</title><description>&lt;p&gt;The updates continued to flow today despite this being the time for summer vacations.&amp;nbsp; Microsoft has released 17 updates today resolving 60 distinct vulnerabilities, and Adobe released security updates for several of their products.&amp;nbsp; After two Patch Tuesdays with no zero-day vulnerabilities reported, we get two this month.&amp;nbsp; Spectre and Meltdown continue to haunt us as well.&amp;nbsp; So let’s dig into these recent releases.&lt;/p&gt;

&lt;p&gt;The two zero-day vulnerabilities are CVE-2018-8373 and CVE-2018-8414.&amp;nbsp; Both are publicly disclosed and exploited.&amp;nbsp; CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer.&amp;nbsp; Exploitation could result in remote code execution and grants the same privileges as the logged-in user including administrative rights.&amp;nbsp; Because this vulnerability exists in IE 9, 10, and 11, it affects all Windows operating systems from Server 2008 to Windows 10.&amp;nbsp; The second zero-day vulnerability, CVE-2018-8414, is a code execution vulnerability that exists when the Windows Shell does not properly validate file paths. &amp;nbsp;Exploitation can also result in remote code execution with the privileges of the logged-in user.&amp;nbsp; This vulnerability is not as widespread, existing on only Windows 10 1703 and newer, Server 1709 and Server 1803.&amp;nbsp; Now that the fixes are available, and given there are known exploits, you should give these fixes top priority this month.&lt;/p&gt;

&lt;p&gt;Microsoft also issued &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018" target="_blank" rel="noopener"&gt;Advisory 180018&lt;/a&gt; regarding a new Meltdown and Spectre variant. &amp;nbsp;This advisory, Microsoft Guidance to mitigate L1TF variant, addresses three vulnerabilities – CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646. &amp;nbsp;According to Microsoft, “Speculative execution side-channel vulnerabilities such as L1 Terminal Fault (L1TF) can be used to read the content of memory across a trusted boundary and if exploited, can lead to information disclosure.” &amp;nbsp;Correcting these vulnerabilities requires both a software and firmware (microcode) update.&amp;nbsp; As a temporary mitigation, Microsoft does recommend disabling Hyper-threading which can have a major performance impact.&amp;nbsp; Like the previous guidance around these vulnerability variants, management and remediation is time-consuming and tedious.&amp;nbsp; Read the Advisory carefully before you take action and test your non-production systems before proceeding.&amp;nbsp; Incidentally, this variant is also known by the code name Foreshadow.&amp;nbsp; If you are looking for more information, check out this Usenix &lt;a href="https://foreshadowattack.eu/" target="_blank" rel="noopener"&gt;page&lt;/a&gt; for a detailed explanation.&lt;/p&gt;

&lt;p&gt;Microsoft released updates for many of their products this month.&amp;nbsp; Of special note, there are new updates for .NET which interestingly only fix one vulnerability.&amp;nbsp; The release of .NET caused a number of stability problems last month, so we suspect a number of fixes besides the base security vulnerability are included.&amp;nbsp; Test carefully before applying on production machines. Microsoft continues the variety with a critical vulnerability in SQL 2016 and 2017. Exchange was also patched with updates to Exchange 2010, 2013, and 2016 covering 2 CVEs. Visual Studio 2015 and 2017 round out the group with a single CVE.&lt;/p&gt;

&lt;p&gt;In our July blog, we mentioned that Oracle was releasing their quarterly Critical Patch Update (CPU) on July 17&lt;sup&gt;th&lt;/sup&gt;.&amp;nbsp; Make sure you take a look at their &lt;a href="https://www.oracle.com/security-alerts/cpujul2018.html" target="_blank" rel="noopener"&gt;Advisory&lt;/a&gt; providing the latest updates including those for Java.&amp;nbsp; Oracle also provided a rare out-of-band &lt;a href="https://www.oracle.com/security-alerts/alert-cve-2018-3110.html" target="_blank" rel="noopener"&gt;Advisory&lt;/a&gt; on August 10&lt;sup&gt;th&lt;/sup&gt; to address CVE-2018-3110. &amp;nbsp;With a CVSS v3 base score of 9.9, this vulnerability is easy to exploit and can provide direct shell access to your database.&amp;nbsp; If you are using Oracle database versions 11.2.0.4 or 12.2.0.1 on Windows, we strongly recommend you apply this latest patch soon.&amp;nbsp; Note that updates for any version on Linux and Windows 12.1.0.2 were provided in the July CPU.&amp;nbsp; This new advisory is for previous versions of the database.&lt;/p&gt;

&lt;p&gt;After the large volume of non-Microsoft security releases in late July and earlier this month, we should have expected more Adobe updates. &amp;nbsp;Flash Player, as usual, was updated to fix five vulnerabilities. &amp;nbsp;However, after 104 vulnerabilities were addressed in a scheduled update last month, we didn’t expect another Reader and Acrobat update fixing two new critical vulnerabilities.&amp;nbsp; There were updates for Creative Cloud and other Adobe products, so please revisit your Adobe patch routine this month.&lt;/p&gt;

&lt;p&gt;This busy patch cycle continues.&amp;nbsp; Take a close look at all the third party and Microsoft security updates that were recently released and plan accordingly.&amp;nbsp; There is lots of work ahead.&lt;/p&gt;
</description><pubDate>Tue, 14 Aug 2018 22:57:15 Z</pubDate></item><item><guid isPermaLink="false">19b74615-16f4-4470-9c51-e0d9a97d2d16</guid><link>https://www.ivanti.com/blog/patching-week-in-review-week-25</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><category>Patch Tuesday</category><title>Patching in Review – Week 25</title><description>&lt;p&gt;Happy summer solstice, everyone! Thursday, June 21, marked the longest day of the year, and while the remaining days of the year will slowly lead us into an arctic wasteland in Minnesota, the patches keep flowing.&amp;nbsp;We always have a slide ‘Between the &lt;a href="https://www.ivanti.com/blog/june-patch-tuesday-2018" target="_blank"&gt;Patch Tuesdays&lt;/a&gt;’ on our &lt;a href="https://www.ivanti.com/webinars/2018/june-patch-tuesday" target="_blank"&gt;Patch Tuesday webinar&lt;/a&gt;, so we’ve decided to expand our blog and get the information to you as it occurs.&amp;nbsp;Stay tuned for regular updates.&lt;/p&gt;

&lt;h2&gt;Security Releases&lt;/h2&gt;

&lt;p&gt;Microsoft released its quarterly cumulative updates for Exchange 2010, 2013, and 2016 on Wednesday, June 19, which cover 3 CVEs (CVE-2018-2768, CVE-2018-2806, CVE-2018-2801). Microsoft Exchange uses a custom implementation of the Oracle Outside In libraries, and these vulnerabilities could allow disruption of service through user interaction. See &lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/ADV180010" target="_blank" rel="noopener"&gt;Microsoft’s advisory&lt;/a&gt; for further details.&lt;/p&gt;

&lt;p&gt;These quarterly updates also have some new prerequisites of .NET 4.7.1 and VC++ 2013 runtime library, so be sure to apply those prerequisites before you patch your Exchange servers! See the &lt;a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/bg-p/Exchange" target="_blank" rel="noopener"&gt;Microsoft Exchange team’s blog post&lt;/a&gt; for further details.&lt;/p&gt;

&lt;h2&gt;OS Non-Securities&lt;/h2&gt;

&lt;p&gt;Last week&amp;nbsp;Microsoft released their quality preview rollups for the month. Interestingly, all supported operating systems were updated except Windows 10 1803, so we might expect that to release before next Patch Tuesday.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Windows 10 1607/Server 2016 still has the May servicing stack (KB4132216) as a prerequisite, so be sure to apply that first&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These patches contain a preview of the numerous bug fixes that will be included in the Patch Tuesday security monthly rollup. This provides a great opportunity to roll out the update to a test group before the next patching cycle.&lt;/p&gt;

&lt;h2&gt;Third-Party Updates&lt;/h2&gt;

&lt;p&gt;As always, a series of third parties updated this week. Even though these updates do not have any CVEs, they may still have undisclosed security fixes as well as helpful stability fixes for your organization. Here are the updates we released in our content two weeks ago:&lt;/p&gt;

&lt;table border="1" cellpadding="0" cellspacing="0"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;&lt;strong&gt;Software Title&lt;/strong&gt;&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;&lt;strong&gt;Ivanti ID&lt;/strong&gt;&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;&lt;strong&gt;Ivanti KB&lt;/strong&gt;&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Beyond Compare 4.2.5.23088&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;BEYOND-004&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QBC42523088&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Citrix Receiver 4.9.3000, LTSR Cumulative Update 3&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;CTXR-014&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QCTXR493000&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Dropbox 52.4.58&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;DROPBOX-085&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QDROPBOX52458&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;FileZilla Client 3.34.0&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;FILEZ-073&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QFILEZ3340&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;GoodSync 10.9.2&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;GOODSYNC-088&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QGS1092&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;GoToMeeting 8.29.1&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;GOTOM-045&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QGTM829&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;HipChat 4.30.6.7676&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;HCHAT-023&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QHCHAT43061676&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;LibreOffice 6.0.5&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;LIBRE-098&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QLIBRE605&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;LogMeIn 4.1.11340&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;LMI-010&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QLMI4111340&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Visual Studio 2017 version 15.7.4&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;MSNS18-0618-VS2017&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QVS20171574&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Opera 53.0.2907.106&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;OPERA-170&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QOP5302907106&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;RealVNC Connect 6.3.0&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;RVNC-024&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QRVNC630&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Skype 8.24.0.2&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;SKYPE-137&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QSKY82402&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Snagit 2018.2.0&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;SNAG-016&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QSNAG1820&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Cumulative Update 12 for SQL Server 2014 SP2&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;SQL2014SP2-CU12&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Q4130489&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Cumulative Update 8 for SQL Server 2017&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;SQL2017RTM-CU08&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;Q4338363&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;TortoiseHG 4.6.1&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;TOHG-016&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QTOHG461&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;WinSCP 5.13.3&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;WINSCP-019&lt;/p&gt;
			&lt;/td&gt;
			&lt;td nowrap="nowrap"&gt;
			&lt;p&gt;QWINSCP5133&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;&lt;strong&gt;More Patch&amp;nbsp;Resources:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.ivanti.com/blog/topics/patch-tuesday" target="_blank"&gt;Patch Tuesday Blogs&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank"&gt;Patch Tuesday Resource Page&lt;/a&gt;: Infographics, presentations, webinars, etc.&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.ivanti.com/network-security" target="_blank"&gt;Ivanti Security Products&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Mon, 25 Jun 2018 20:49:52 Z</pubDate></item><item><guid isPermaLink="false">745e01e8-2b6f-4ac1-91c9-1d311c0c2a8a</guid><link>https://www.ivanti.com/blog/october-patch-tuesday-2017</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><title>October Patch Tuesday 2017</title><description>&lt;p class="p1"&gt;&lt;span class="s1"&gt;Halloween might be just around the corner, but this &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank" rel="noopener"&gt;Patch Tuesday&lt;/a&gt; wasn’t scary and we didn’t see Microsoft play any tricks.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;In fact, w&lt;/span&gt;e were given a special treat!&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;Microsoft resolved a total of 62 unique vulnerabilities, down nearly 20% from the 76 unique vulnerabilities resolved last month.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;There were 10 bulletins, nine of which were rated Critical and one rated Important.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;h2&gt;&lt;em&gt;&lt;strong&gt;Be sure to check out all of Ivanti’s patch products:&lt;/strong&gt;&lt;/em&gt;&lt;/h2&gt;
&lt;h2&gt;&lt;a href="https://www.ivanti.com/products/patch-for-configuration-manager" target="_blank" rel="noopener"&gt;Patch for SCCM&lt;/a&gt;&lt;/h2&gt;
&lt;h2&gt;&lt;a href="https://www.ivanti.com/products/security-controls" target="_blank" rel="noopener"&gt;Patch for Windows&lt;/a&gt;&lt;/h2&gt;
&lt;h2&gt;&lt;a href="https://www.ivanti.com/solutions/needs/manage-patches-for-linux-unix-and-mac-devices" target="_blank" rel="noopener"&gt;Patch for Linux, UNIX, Mac&lt;/a&gt;&lt;/h2&gt;
&lt;h2&gt;&lt;a href="https://www.ivanti.com/products/patch-for-endpoint-manager" target="_blank" rel="noopener"&gt;Patch for Endpoint Manager&lt;/a&gt;&lt;/h2&gt;
&lt;/blockquote&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;The resolved vulnerabilities included two public disclosures and one vulnerability that has been both exploited in the wild and publicly disclosed.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;h2 class="p1"&gt;&lt;span class="s1"&gt;Affected Microsoft Products: &lt;/span&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li class="p2"&gt;&lt;span class="s1"&gt;Internet Explorer&lt;/span&gt;&lt;/li&gt;
&lt;li class="p2"&gt;&lt;span class="s1"&gt;Microsoft Edge&lt;/span&gt;&lt;/li&gt;
&lt;li class="p2"&gt;&lt;span class="s1"&gt;Microsoft Windows&lt;/span&gt;&lt;/li&gt;
&lt;li class="p2"&gt;&lt;span class="s1"&gt;Microsoft Office and Microsoft Office Services and Web Apps&lt;/span&gt;&lt;/li&gt;
&lt;li class="p2"&gt;&lt;span class="s1"&gt;Skype for Business and Lync&lt;/span&gt;&lt;/li&gt;
&lt;li class="p1"&gt;&lt;span class="s1"&gt;Microsoft SharePoint Server&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;We’ve been asked quite often if the Linux support that Microsoft is adding into their operating system is going to introduce additional vulnerabilities.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;The simple answer is yes, since any time new functionality is added, there is always opportunity for new vulnerabilities to be introduced.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;We’ve seen them pop up from time to time, and this month we have one that is publicly disclosed.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="s1"&gt;&lt;strong&gt;• CVE-2017-8703 | Windows Subsystem for Linux Denial of Service Vulnerability (Publicly Disclosed)&lt;/strong&gt; –&amp;nbsp;An attacker can execute a specially crafted application to affect an object in memory allowing them to cause the system to become unresponsive.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;It’s interesting Microsoft chose to rate the severity of their Office updates this month as Important when there was both a publicly disclosed and exploited vulnerability resolved.&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;• CVE-2017-11777 | Microsoft Office SharePoint XSS Vulnerability (Publicly Disclosed)&lt;/strong&gt; – An attacker can send a specially crafted request to an affected SharePoint server.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;The attacker would have the same security context as the current user allowing them to read data they should not have access to, use the victim’s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content in the browser of the user. &lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;• CVE-2017-11826 | Microsoft Office Memory Corruption Vulnerability (Publicly Disclosed\Exploited)&lt;/strong&gt; – An attacker could exploit this vulnerability by sending a specially crafted file to the user and convincing them to open it.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;An attacker could also host a website containing specially crafted files designed to exploit the vulnerability. If exploited, the attacker would have the same context as the user.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;In this case, fewer privileges would mitigate the impact of an exploited system.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;This is the last month that Microsoft will release security updates for Windows 10 1511.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;It is time to move to the 1607 Anniversary Update or all the way to 1703 Creators update if you want to have the latest version.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;If you have any questions, consult their &lt;a href="https://support.microsoft.com/en-us/windows/serviced-versions-of-windows-10-frequently-asked-questions-0543e712-b23e-b6c0-034a-45d7b559ae88" target="_blank" rel="noopener"&gt;&lt;span class="s2"&gt;help documentation&lt;/span&gt;&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="s1"&gt;Oracle will release its quarterly CPU next week on Tuesday, October 17, so expect critical updates for Java JRE and JDK as well as other Oracle products.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;Special Treat&lt;/h2&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;I mentioned we were given a special treat this month.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;For the first time in ages, Adobe Flash does &lt;em&gt;not&lt;/em&gt; include any security fixes.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;That’s right!&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;A priority three, feature bug fix-only release for Adobe Flash, and no required update from Microsoft!&lt;/span&gt;&lt;/p&gt;
&lt;h2 class="p1"&gt;&lt;span class="s1"&gt;In the News&lt;/span&gt;&lt;/h2&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;The Equifax security breach and associated congressional hearing dominated the security news for most of September.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;The company testimony showed a breakdown in both the personnel and technology aspects of their patch program.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;Although the vulnerability was known for some time, the patch process was delayed due to employee initiative.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;And to add insult to injury, the tools they were using showed the systems as patched when they weren’t.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;As I mentioned in my &lt;a href="https://www.ivanti.com/blog/patch-tuesday-forecast-october" target="_blank" rel="noopener"&gt;&lt;span class="s2"&gt;forecast blog&lt;/span&gt;&lt;/a&gt;, it may be time we all do a quick review of our patch policy and implemented processes to make sure we are minimizing our exposure and risk.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;The complexity of attacks continues to rise, and the EternalBlue SMBv1 vulnerability continues to be an entry point. Recent announcements include the introduction of a &lt;a href="https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/" target="_blank" rel="noopener"&gt;&lt;span class="s2"&gt;banking system&lt;/span&gt;&lt;/a&gt; Trojan in Europe and Japan, and a complex &lt;a href="https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/" target="_blank" rel="noopener"&gt;&lt;span class="s2"&gt;hotel reservation system&lt;/span&gt;&lt;/a&gt; attack in Europe and the Middle East.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;&lt;/span&gt;Both attacks used a complex set of tools to gain access to the target systems and attempted to grab user credentials.&lt;span class="Apple-converted-space"&gt;&amp;nbsp;This is j&lt;/span&gt;ust another example of why we need to remain vigilant and make sure we are keeping up with the latest patches to close these avenues of vulnerability.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;For deeper analysis on the October Patch Tuesday release, join us live for the &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank" rel="noopener"&gt;&lt;span class="s2"&gt;October Ivanti Patch Tuesday Webinar&lt;/span&gt;&lt;/a&gt;!&amp;nbsp;&lt;/span&gt;&lt;/p&gt;</description><pubDate>Tue, 10 Oct 2017 20:39:43 Z</pubDate></item><item><guid isPermaLink="false">b73f01ed-0c8a-464e-859a-a18e31caff73</guid><link>https://www.ivanti.com/blog/patch-tuesday-forecast-october</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><category>Patch Tuesday</category><title>Patch Tuesday Forecast for October 2017</title><description>&lt;p class="p1"&gt;&lt;span class="s1"&gt;Hurricanes hammered the United States last month and cyberattacks continue to rain down throughout the world.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;The EternalBlue v1SMB vulnerability continues to be a focus of attacks.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Recent announcements include the introduction of a banking system Trojan in Europe and Japan, and a complex hotel reservation system attack in Europe and the Middle East.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;In both situations, the objective of the attack was to collect a user’s login and password credentials.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;Here in the US, the recent Equifax security breach is dominating the security news.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Details are continuing to emerge, but there was a clear breakdown of security process that affected 145 million people.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;The exploited vulnerability was in the Apache Struts application used on the company web portal.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;A patch for this vulnerability was released on March 6&lt;/span&gt;&lt;span class="s2"&gt;&lt;sup&gt;th&lt;/sup&gt;&lt;/span&gt;&lt;span class="s1"&gt;; the first indication Equifax had a problem was not reported internally until May.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Equifax had a quarterly patch policy in place which clearly let them down.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;My recommendation this month is to revisit your patch policy.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Considering these recent events, think about the level of risk you are willing to accept for both your critical and non-critical systems.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;If you are running a quarterly patch cycle, are you willing to run with unpatched systems for up to three months until the next patch cycle begins?&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;It may be that you have mitigating controls in place, but at least think about the implications.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;The vendors have been doing a much better job responding to reported vulnerabilities in their software; now it is up to us as security professionals to make sure we patch and protect our systems in a timely manner.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;On a closing note, we mentioned the BlueBorne vulnerability last month on our &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank" rel="noopener"&gt;&lt;span class="s3"&gt;September Patch Tuesday webinar&lt;/span&gt;&lt;/a&gt;, but it warrants some additional commentary.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;This vulnerability, originally reported by Armis security, exists in the Bluetooth protocol.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;It can be a problem because Bluetooth runs with a high privilege level to effectively connect with a wide range of devices.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Patches have been released by Microsoft and Google, but may take time to reach the end devices, so be aware of this issue.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Apple iOS 10 is not vulnerable.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;You may want to issue a warning to your users to turn off Bluetooth on their mobile devices unless it is really needed.&lt;/span&gt;&lt;/p&gt;
&lt;h4 class="p2"&gt;&lt;span class="s1"&gt;October forecast:&lt;/span&gt;&lt;/h4&gt;
&lt;ul class="ul1"&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;Expect the usual Microsoft OS updates this month.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;After the YUGE release for Office last month (51 KB articles) and the .NET release, we’re hoping for a small number of patches beyond the regular OS updates.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;Mozilla just released a new major version of Firefox in the past week, so we probably will not see a new version next week.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;History tends to repeat itself, so we should expect an update to Adobe Flash as usual.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;October is an Oracle CPU. They update quarterly and this is the month, so on Tuesday the 17th Oracle will release updates for all their software including Java.&lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;We may see an announcement on the future of Solaris and SPARC support as well. &lt;span class="Apple-converted-space"&gt;&amp;nbsp; &lt;/span&gt;Oracle had a major layoff of those software and hardware employees at the beginning of September.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;As always, tune in to &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank" rel="noopener"&gt;&lt;span class="s3"&gt;Ivanti’s Patch Tuesday landing page&lt;/span&gt;&lt;/a&gt; for updated analysis as Patch Tuesday unfolds and sign up for our &lt;a href="https://www.ivanti.com/webinars" target="_blank" rel="noopener"&gt;&lt;span class="s3"&gt;monthly Patch Tuesday webinar&lt;/span&gt;&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
</description><pubDate>Fri, 06 Oct 2017 15:40:15 Z</pubDate></item><item><guid isPermaLink="false">e93d4e95-5fd4-4218-a619-87e520327ba9</guid><link>https://www.ivanti.com/blog/delayed-start-microsofts-security-bulletin-replacement-program</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Ivanti News</category><title>A Delayed Start for Microsoft’s Security Bulletin Replacement Program</title><description>&lt;p&gt;Microsoft has delayed the release of this month’s security updates.&amp;nbsp; Just minutes before the scheduled updates release, they provided a short statement on&amp;nbsp;&lt;a href="https://msrc.microsoft.com/blog/2017/02/14/february-2017-security-update-release/" target="_blank" rel="noopener"&gt;TechNet&lt;/a&gt; announcing a delay.&amp;nbsp; No new timeline has been provided for the February updates but we will continue monitoring the situation and provide an update on the blog and in a bulletin to our customers when we learn more.&lt;/p&gt;
&lt;p&gt;As announced last month, Microsoft will revise its 12-year-old security bulletin system to the new Security Update Guide approach. &amp;nbsp;&amp;nbsp;This new tool provides a dashboard and API for users to search for needed updates for all products by unique vulnerability IDs or knowledge base article IDs.&amp;nbsp; Security bulletin IDs will no longer be used, though past bulletins will remain online for your reference and use as needed. One important item to note: the software maker says they will continue to issue out-of-band patch notifications as required, although they opted not to do that when&amp;nbsp;&lt;a href="https://www.pcworld.com/article/411929/microsoft-will-likely-fix-windows-smb-denial-of-service-flaw-on-patch-tuesday.html" target="_blank" rel="noopener"&gt;news of an SMB flaw zero-day broke&lt;/a&gt;&amp;nbsp;on February 3.&amp;nbsp;The vulnerability has yet to be patched.&lt;/p&gt;
&lt;p&gt;For more, visit the&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc/faqs-security-update-guide?rtc=1" target="_blank" rel="noopener"&gt;frequently asked questions&lt;/a&gt;&amp;nbsp;to the Security Update Guide.&lt;/p&gt;</description><pubDate>Tue, 14 Feb 2017 18:52:41 Z</pubDate></item><item><guid isPermaLink="false">7531a4cd-325f-4f8e-940b-130591936383</guid><link>https://www.ivanti.com/blog/new-year-signals-end-patch-tuesday-know</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Ivanti News</category><title>A New Year Signals the End of Patch Tuesday as We Know It</title><description>&lt;p&gt;The big news in today’s January Patch Tuesday is that this release marks the end of the 12-year Patch Tuesday update cycle as we know it. Last month, Microsoft announced impending changes to their security update process, which is set to begin in February. Before jumping into more detail on what the coming year will look like for your patch team however, we have&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletinSummaries/2017/ms17-jan" target="_blank" rel="noopener"&gt;four&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;updates to address now&lt;/a&gt;. You heard me right…only four. And none of them are reported under active exploit.&lt;/p&gt;
&lt;p&gt;Of the four security bulletins released, just two are rated critical. And your first priority this month actually comes from Adobe.&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS17-003&lt;/a&gt;&amp;nbsp;is an update for Adobe Flash Player when installed on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. You’ll find more in Adobe Security Bulletin&amp;nbsp;&lt;a href="https://helpx.adobe.com/security/products/flash-player/apsb17-02.html" target="_blank" rel="noopener"&gt;APSB17-02&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Your second priority should be&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS17-002&lt;/a&gt;,&amp;nbsp;which resolves a vulnerability in Office that could allow remote code execution if a user opens a malicious file. Microsoft Word 2016 and Enterprise SharePoint Server are impacted.&lt;/p&gt;
&lt;p&gt;If your users rely on Microsoft Edge,&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-001" target="_blank" rel="noopener"&gt;MS17-001&lt;/a&gt;&amp;nbsp;will take third priority. It’s an important, cumulative update for the browser and the vulnerability could result in elevation of privilege. Lastly,&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS17-004&lt;/a&gt;&amp;nbsp;is an update for Local Security Authority Subsystem Service (LSASS). The update addresses a denial of service vulnerability in the way the LSASS handles authentication requests in older versions of Windows. The denial of service on the target system’s LSASS service could trigger an automatic reboot of the system. If you’re running old Windows, make this update or better yet, upgrade.&lt;/p&gt;
&lt;p&gt;Next month, Microsoft will categorize needed updates by unique vulnerability IDs through the Security Update Guide which will be accessible by a dashboard and API. Security bulletin IDs will no longer be used, though past bulletins will remain online for your reference and use as needed. One important item to note: the software maker says they will continue to issue out-of-band patch notifications as required. For more, visit the&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc/faqs-security-update-guide?rtc=1" target="_blank" rel="noopener"&gt;frequently asked questions&lt;/a&gt;&amp;nbsp;to the Security Update Guide.&lt;/p&gt;</description><pubDate>Tue, 10 Jan 2017 19:07:29 Z</pubDate></item><item><guid isPermaLink="false">b1c576c8-5d82-4467-86dd-ad73f2e018c7</guid><link>https://www.ivanti.com/blog/november-patch-tuesday-election-style</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><title>November Patch Tuesday: Election Style</title><description>&lt;p&gt;November Patch Tuesday is forced to share the spotlight this month. It’s Election Day in the U.S. and likely on the minds of most people. However, Microsoft also&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;released&lt;/a&gt; 14 security updates today, 6 of which are rated critical. Thankfully, there is just one active exploit on an older version of Windows this month, so once you’ve cast your vote, make sure to apply these updates.&lt;/p&gt;

&lt;p&gt;First on your list of priorities this month should be your browser updates.&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-129" target="_blank" rel="noopener"&gt;MS16-129&lt;/a&gt;&amp;nbsp;is a critical, cumulative update for Edge. It addresses 17 unique CVEs, the most troublesome being the possibility of a remote code execution if a user views a malicious webpage while using Edge. Internet Explorer users also have a critical, cumulative update in&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-142" target="_blank" rel="noopener"&gt;MS16-142&lt;/a&gt;&amp;nbsp;which could also result in a remote code execution when successfully exploited.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-141" target="_blank" rel="noopener"&gt;MS16-141&lt;/a&gt;&amp;nbsp;is a critical update for Adobe Flash Player when installed on Windows 8.1, Server 2012, RT, Windows 10 and Server 2016. The update addresses 9 separate CVEs by updating the affected Flash libraries contained within IE 10 and 11 and Edge; the CVEs are described in detail in&amp;nbsp;&lt;a href="https://helpx.adobe.com/security/products/flash-player/apsb16-37.html" target="_blank" rel="noopener"&gt;APSB16-37&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Not rated critical but under active exploit on older versions of Windows is&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-135" target="_blank" rel="noopener"&gt;MS16-135&lt;/a&gt;, an update for Kernel-Mode Driver. The vulnerability could allow elevation of privilege, so you may want to give this some attention.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-130" target="_blank" rel="noopener"&gt;MS16-130&lt;/a&gt;&amp;nbsp;is a critical update for almost all versions of Windows, both desktop and server applications. Information seems light on this one; however, we do know exploitation could result in remote code execution. Another update,&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-132" target="_blank" rel="noopener"&gt;MS16-132&lt;/a&gt;&amp;nbsp;for Graphics Components, also impacts all current versions of Windows. It addresses one information disclosure vulnerability that exists when the Windows font library incorrectly handles fonts.&lt;br&gt;
Rounding out the critical updates this month is&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-131" target="_blank" rel="noopener"&gt;MS16-131&lt;/a&gt;, a critical update for Video Control; however, a user must open either a file or program from a webpage or email message for this exploit to be successful.&lt;/p&gt;

&lt;p&gt;The bulk of the important-class bulletins impact a wide range of applications which allow elevation of privilege and definitely deserve your attention this month as well.&lt;/p&gt;</description><pubDate>Tue, 08 Nov 2016 23:17:09 Z</pubDate></item><item><guid isPermaLink="false">18f98a1f-c603-4c51-a54d-bd3d07ff19e1</guid><link>https://www.ivanti.com/blog/10-bulletins-address-5-active-exploits-october-patch-tuesday</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><title>10 Bulletins Address Exploits on Oct Patch Tuesday</title><description>&lt;p&gt;Cyber criminals have plenty of opportunity this month with 5 vulnerabilities now under active exploit, 2 of which are shared. Microsoft&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletinSummaries/2016/ms16-oct" target="_blank" rel="noopener"&gt;has released 10 bulletins&lt;/a&gt;&amp;nbsp;this October Patch Tuesday to address those and other vulnerabilities found in both current and old code. Quick response will be of particular importance this month.&lt;/p&gt;
&lt;p&gt;As is often the case, we will start with the browsers. First on your list of priorities should be&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-119" target="_blank" rel="noopener"&gt;MS16-119&lt;/a&gt;, a critical update for Edge. Addressing 13 CVEs, this bulletin includes an active exploit against CVE-2016-7189 allowing remote code execution which could result in deep compromise of your system.&amp;nbsp; Next up is&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-118" target="_blank" rel="noopener"&gt;MS16-118&lt;/a&gt;&amp;nbsp;a cumulative, critical update for IE but with many shared Edge vulnerabilities. &amp;nbsp;CVE-2016-3298 is under active exploit for both the latest and older IE releases. This is another large bulletin with 11 CVEs addressed.&lt;/p&gt;
&lt;p&gt;Next on your list of priorities for October should be&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS16-120&lt;/a&gt;&amp;nbsp;which is for vulnerabilities found in older versions of Microsoft Graphics Component. This is a critical update for vulnerabilities found in Windows, .NET, Office, Skype for Business, Silverlight and Lync. Of the seven total CVEs addressed in this bulletin, one is under active exploit, CVE-2016-3393.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS16-122&lt;/a&gt;&amp;nbsp;is the last of the Microsoft critical bulletins; however, user interaction is required for an attacker to be successful. It resolves a vulnerability in Windows which could allow remote code execution if Video Control fails to handle objects in memory correctly.&lt;/p&gt;
&lt;p&gt;We also have another update for Adobe Flash Player,&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS16-127&lt;/a&gt;. This critical bulletin resolves vulnerabilities described in&amp;nbsp;&lt;a href="https://helpx.adobe.com/security/products/flash-player/apsb16-32.html" target="_blank" rel="noopener"&gt;APSB16-32&lt;/a&gt;&amp;nbsp;and found in Flash Player when installed on Windows 8.1, Server 2012, RT 8.1 and Windows 10.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;MS16-121&lt;/a&gt;&amp;nbsp;is a bulletin rated important for most versions of Office that patches a RTF remote code execution vulnerability. While the bulletin is only rated important, CVE-2016-7193 is being exploited now.&amp;nbsp;&lt;a href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-126" target="_blank" rel="noopener"&gt;MS16-126&lt;/a&gt;, though rated only as moderate, is also under active exploit. This security update addresses an information disclosure issue in Internet Messaging API that could allow an attacker to test for the presence of files on disk.&lt;/p&gt;
&lt;p&gt;Lastly, Microsoft announced more details around its new cumulative patch update model which were first disclosed last month on&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog" target="_blank" rel="noopener"&gt;Technet&lt;/a&gt;. The new patch strategy is a single monthly rollup designed to streamline patches and provide you with easier, more consistent patching. HEAT Software products support this new model and the first set of security and cumulative updates now appear in the various patch feeds. Pay special attention to the names of the new patches and be sure to read up on the topic from their latest&amp;nbsp;&lt;a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog" target="_blank" rel="noopener"&gt;blog post&lt;/a&gt;.&lt;/p&gt;</description><pubDate>Wed, 12 Oct 2016 04:13:42 Z</pubDate></item><item><guid isPermaLink="false">c99575e9-cdb9-44e6-939f-7d477bf8e18f</guid><link>https://www.ivanti.com/blog/14-bulletins-september-patch-tuesday</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Patch Tuesday</category><title>14 Bulletins for September Patch Tuesday</title><description>&lt;p&gt;The lazy days of summer are definitely over as Microsoft&amp;nbsp;&lt;a href="https://www.microsoft.com/en-us/msrc?rtc=1" target="_blank" rel="noopener"&gt;released 14 bulletins&lt;/a&gt;&amp;nbsp;in today’s September Patch Tuesday. There are 7 updates rated critical so it is time to get to work. The bulletins also include an update for Adobe Flash Player that’s important for most Windows users to address so all in all, it’s a big month.&lt;/p&gt;
&lt;p&gt;You will likely want to start with the update that addresses vulnerabilities under active exploit in all current versions of Internet Explorer. If your users still rely on the popular browser, apply cumulative update MS16-104 right away. You never know when one of your users may hit a malicious webpage resulting in unwanted code execution. While you’re at it, you might as well address MS16-116 too; it is a critical update in the OLE Automation for VBScript that also requires the patch provided by MS16-104. For those of you that use Microsoft Edge, that browser also has a cumulative update this month with MS16-105 and it too is rated critical.&lt;/p&gt;
&lt;p&gt;Next on your list should be MS16-107, a critical update for most versions of Microsoft Office, including Office for Mac. A remote code execution could result if a user opens a malicious Office file using the widely used programs Excel, Outlook or PowerPoint.&lt;/p&gt;
&lt;p&gt;Third in priority is MS16-117 which is a critical security update for Adobe Flash Player described in APSB16-29. The 29 unique vulnerabilities impact Flash when installed on recent versions of Windows including 8.1, Server 2012, RT 8.1 and 10.&lt;/p&gt;
&lt;p&gt;There are 2 additional bulletins with the rating of critical this month. MS16-106 is a security update for Microsoft Graphics Component on all systems and MS16-108 resolves vulnerabilities found in Exchange Server.&lt;/p&gt;
&lt;p&gt;The remainder of the bulletins are rated important and should be addressed as time permits.&amp;nbsp; Lots of potential work for IT this month as our summer draws to an end.&lt;/p&gt;</description><pubDate>Wed, 14 Sep 2016 16:54:24 Z</pubDate></item></channel></rss>