March 2017 Patch Tuesday Forecast

By the end of March will anyone remember that Microsoft missed a Patch Tuesday?  I am going to go with vague memories, but overcast by so much more excitement happening this month!

Have you heard about Vault 7? If you have not, here is a 10 minute video on Philip DeFranco’s YouTube TV channel that I think does a great job of breaking this thing down. This is the latest installment from Wikileaks and it is chalked full of nasty goodness. In their press release, Wikileaks described the first installment as “Year Zero”.

The first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.  

There have been a few interesting events like this over the years, but this is definitely the biggest exposure of Zero Days I can recall.  Back in 2015 there was the Hacking Team breach that resulted in the leaking of several Zero Days including a few from Adobe.  Drop in the bucket compared to this.  Among the thousands of documents are descriptions of ways to exploit all manner of IoT devices, Android, iOS, and a slew of applications.  Some truly scary stuff.  As this is our Patch Tuesday Forecast we are going to “Zero” in on the DLL Hijacking list that was published and talk about the significance of this find.  On a page referred to as the “Fine Dinning Tool Module List” which has a list of execution vectors.  Each of these is a way to exploit a piece of software to allow the attacker to execute a malicious payload. There are some pretty common names on this list. Google Chrome, Mozilla Firefox, VLC Media Player, 7zip, and more.  Interestingly I see FoxIt Reader instead of Adobe Reader and Libre Office instead of Microsoft Office.  Takeaways from this list specifically:

  • How complete is this list or are there more DLL Hijacking vulnerabilities to come?
  • Definitely reinforces the need for more than just Microsoft patching solutions. (Yes there are still some of those out there who believe auto updaters are enough, but most of those require a user to accept updating of the app… Yeah, like that’s gonna happen!! I am crying a little laughing about that one… wooo.)
  • No vendor is “safe”. I hear a lot of people moving to PDF and Office alternatives (among others) to avoid the high security risks of their more market penetrated competitors, but as you can see by this list, alternatives are “safer” only in the fact that they are less targeted than the market leaders.  I say this about Mac vs Win, iPhone vs Android, Linux vs Win, do not get a false sense of security just because the device, OS, app is less targeted.  That just means more of the industry has let their guard down when it comes to those devices.
  • Expect a lot of vendors to respond to these updates and quickly.  In fact at least one vendor has already released an update. Props the to team over at Notepad++, who as far as I can tell are the first ones to release a fix for the vulnerability that was exposed by this leak.  Expect more vendors to be releasing and that March will be dragging on with additional security updates throughout the month.  In fact, I would call this the best opportunity ever to convince any naysayers that a more than once a month cadence for end user machines and especially laptops is not only recommended, but a really freaking good idea.

On to other news… heading into March here is what else to look out for.

Considering we have two months worth of updates you can expect a lot of vulnerabilities are going to be resolved this month.  Good news is the total number of updates to be applied won’t be double.  As many of the bulletins each month were OS related under the Cumulative Rollup and Security Bundle model they are mostly in one large package.  Products like Office, Exchange, SQL, and Sharepoint are still updates on their own, but I would wager we are going to have maybe 4-6 total updates to install.  OS rollup, IE (should break out into a separate update this month), Flash for IE, and we are likely going to get a mix of some office and other updates.

We have a lingering Zero Day (yes, not related to Vault 7).  Microsoft still owes their customers an update on the SMB exploit that was exposed on February 1st by researcher Larent Gaffie.  Gaffie wasn’t pleased with Microsoft’s plan to postpone releasing a fix until February when they were planning multiple fixes for SMB services and deliberately disclosed the vulnerability a week before Patch Tuesday February.  Little did he know that Patch Tuesday would receive a full month delay, so his intended week long punishment turned into 5 weeks of exposure for all of us.

Internet Explorer is supposed to finally be breaking out of the Security Bundles for Win 7 and 8.1 this month.  The details are not fully clear yet, but in an article by Peter Bright from Arstechnica he specifically calls out that the Security Only package will be splitting out IE.  The Cumulative Rollup would still bundle in the IE updates by the sound of things.

The bulletin change should be happening this month.  According to Microsoft they were going to move away from the bulletin system.  Since moving to the rollups tracking by bulletins has caused bit of a compliance headache.  You deploy one package that spans across multiple bulletins, but correlating that information is rather difficult unless you know exactly what bulletins are included in the rollup.  We have to see how they relate all the information under the new method, but will we get to a point where you can more accurately because of this change?  The Flash update for IE that released on February 21st was still using the old bulletin model and released under MS17-005, so we still have not seen an example of an update released under the “non-bulletin” model.

As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, March 15th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

Chris Goettl

Chris Goettl has over 15 years of experience in IT Management. He spent several years working in IT before joining Shavlik in 2004. Chris started in the Shavlik support team, supported OEM partners integrating Shavlik SDK's, worked in Sales as a Systems Engineer, and is now the Product Manager for the Shavlik Protect product line.