Hurricanes hammered the United States last month and cyberattacks continue to rain down throughout the world.  The EternalBlue SMBv1 vulnerability continues to be a focus of attacks.  Recent announcements include the introduction of a banking system Trojan in Europe and Japan, and a complex hotel reservation system attack in Europe and the Middle East.  In both situations, the objective of the attack was to collect a user’s login and password credentials.

Here in the US, the recent Equifax security breach is dominating the security news.  Details are continuing to emerge, but there was a clear breakdown of security process that affected 145 million people.  The exploited vulnerability was in the Apache Struts application used on the company web portal.  A patch for this vulnerability was released on March 6th; the first indication Equifax had a problem was not reported internally until May.  Equifax had a quarterly patch policy in place which clearly let them down.

My recommendation this month is to revisit your patch policy.  Considering these recent events, think about the level of risk you are willing to accept for both your critical and non-critical systems.  If you are running a quarterly patch cycle, are you willing to run with unpatched systems for up to three months until the next patch cycle begins?  It may be that you have mitigating controls in place, but at least think about the implications.  The vendors have been doing a much better job responding to reported vulnerabilities in their software; now it is up to us as security professionals to make sure we patch and protect our systems in a timely manner.

On a closing note, we mentioned the BlueBorne vulnerability last month in our September Patch Tuesday webinar, but it warrants some additional commentary.  This vulnerability, originally reported by Armis Security, exists in the Bluetooth protocol.  It can be a problem because Bluetooth runs with a high privilege level to effectively connect with a wide range of devices.  Patches have been released by Microsoft and Google, but they may take time to reach the end devices, so be aware of this issue.  Apple iOS 10 is not vulnerable.  You may want to issue a warning to your users to turn off Bluetooth on their mobile devices unless it is really needed.

October forecast:

  • Expect the usual Microsoft OS updates this month.  After the YUGE release for Office last month (51 KB articles) and the .NET release, we’re hoping for a small number of patches beyond the regular OS updates.
  • Mozilla just released a new major version of Firefox in the past week, so we probably will not see a new version next week.
  • History tends to repeat itself, so we should expect an update to Adobe Flash as usual.
  • October is an Oracle CPU (Critical Patch Update) month.  They update quarterly and this is the month, so on Tuesday the 17th Oracle will release updates for all their software including Java.  We may see an announcement on the future of Solaris and SPARC support as well.  Oracle had a major layoff of those software and hardware employees at the beginning of September.

As always, tune in to Ivanti’s Patch Tuesday landing page for updated analysis as Patch Tuesday unfolds, and sign up for our monthly Patch Tuesday webinar.