September Patch Tuesday 2019
September marks the second month in a row with a relatively light set of updates, but that doesn’t mean the threat of attack has gone down. In fact, there have been an escalating number of recent ransomware attacks in the public sector. With the slowdown in patch activity and ransomware back in the news, it’s a good time to take a look at the rest of your IT operations program, especially your cyber-attack and disaster recovery plan. Before we dig into those topics, let’s review this month’s Patch Tuesday updates.
Microsoft resolved a total of 79 unique CVEs this month. Among the vulnerabilities were three publicly disclosed CVEs. Public Disclosed is an indicator of risk that can be used to better prioritize remediation of vulnerabilities. In this case details of the three vulnerabilities have been made public giving threat actors a head start on engineering an exploit.
Microsoft continues to adjust their software update process, releasing service stack updates for all operating systems this month. Usually these release for one or a couple of Windows editions, so for all Windows OSs to be impacted by this one is a bit out of the ordinary. A couple of things to note about servicing stack updates. They are rated as Critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied. The shortest we have seen from availability to enforcement is two months. Our guidance is to begin testing as soon as possible and plan to have these in place before November to be on the safe side. Before October would be best case on the off-chance Microsoft enforces these changes sooner.
For September Microsoft provided the usual set of operating system and application security updates. In the pre-Windows 10 operating systems we see as many at 37 CVEs addressed, and 57 CVEs for the latest Windows 10 updates. A critical update addressing seven CVEs was released for all versions of Sharepoint server, so pay close attention to that one. There are important updates for Office and Exchange server. In keeping with their usual bi-monthly release cadence, Microsoft also issued updates for .NET. However, these updates were for 2012 and newer versions of operating systems.
In wrapping up this month we want to draw attention to some continuing ransomware trends.
Hardly a month has gone by this year without a report of ransomware attacks against state and local government systems. Ivanti CISO, Phil Richards, wrote a blog that provides an overview of many of these attacks, and shared his insight on some dangerous trends. According to Phil, “Criminals are demanding higher ransoms of these government entities. They are targeting victims specifically, striking with greater precision and timing, and demanding large sums as ransom.” Of particular interest was an attack against several public school systems in the State of Louisiana. For the first time, a cyber-attack is being treated more like a natural disaster with cybersecurity experts pulled in from multiple state agencies plus Louisiana State University.
What is the state of your disaster preparedness plan (no pun intended)? Every month I talk about the importance of patching and remediating vulnerabilities, but the harsh reality is that sometimes these actions are not enough or not in time. Are you ready to respond to a cyber-attack? Do you have detection, isolation, and containment resources identified? Once you have the attack under control do you have the recovery process identified, including system restore/reimage and secure data backups to bring everything back online? And finally, make sure you include steps to handle legal and public relations issues. It is very important that everyone involved knows how information is to be shared both inside and outside your organization.