Ivanti Blog: Posts by

November 2023 Patch Tuesday

Tue, 14 Nov 2023 22:18:09 Z

November 2023 Patch Tuesday has arrived and has a lower overall CVE count than previous months, but includes some urgent fixes that organizations will want to take note of. This month is also the first patch cycle for Server 2012 and 2012 R2 extended support (ESU). On the third-party side, Adobe has released updates and an update from Google Chrome Stable Channel has been updated.

Microsoft updates

Microsoft has resolved 58 new unique CVEs this month, three of which are critical. Three CVEs have confirmed exploits in the wild. There are also some publicly disclosed vulnerabilities that could be considered at higher risk of being exploited. Products affected include Windows OS, Office 365, .Net, ASP.NET, Azure DevOps Server, Visual Studio, Exchange Server and SQL Server.

Microsoft Server 2012 and 2012 R2 officially reached their end-of-life in October. Today, there are updates available for these server editions if an organization has subscribed to Microsoft ESU.

Microsoft zero-day ulnerabilities

Microsoft has resolved an Elevation of Privilege vulnerability is Windows DWN Core Library (CVE-2023-36033). The CVE is rated as Important by Microsoft and has a CVSS score of 7.8, but exploits have been detected in the wild.

There is proof-of-concept code samples publicly available, making it easy for additional attackers to utilize. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-level privileges. The vulnerability affects all Windows 10, 11 and Server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Cloud Files Mini Filter Driver (CVE-2023-36036). The vulnerability is rated as Important and has a CVSS score of 7.8, but exploits have been detected in the wild. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-levelprivileges. The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions.

Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.

Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-36025). The vulnerability is rated as Important and has a CVSS score of 8.8, but exploits have been detected in the wild. An attacker can convince a user to click on a specially crafted URL and bypass Windows Defender SmartScreen checks.

The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions. Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions.

Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.

Microsoft publicly disclosed vulnerabilities

Microsoft has resolved a Denial of Server vulnerability in ASP.NET (CVE-2023-36038). The vulnerability is rated as Important and has a CVSS score of 8.2. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. Under the right conditions, an attacker who successfully exploits this vulnerability could cause a total loss of availability.

Microsoft has resolved a Security Feature Bypass in Microsoft Office that allows an attacker to bypass the Office Protected View and open in editing mode rather than protected mode (CVE-2023-36413). The vulnerability is rated as Important and has a CVSS score of 6.5. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. The vulnerability affects Microsoft Office and 365 Apps editions.

Microsoft has updated a previously published CVEs (CVE-2023-38039 and CVE-2023-38545) affecting HTTP headers and SOCKS5 heap buffer overflow to include an updated version of curl 8.4.0, which addresses the vulnerabilities. Organizations that implemented the mitigations provided on October 19th, 2023 should follow the guidance provided in the following documentation: Remove Windows Defender Application Control (WDAC) policies.

Microsoft Exchange vulnerabilities of note

Some of these exchange vulnerabilities caught some recent headlines in early November because of timing of the disclosures from the researcher not lining up with Microsoft’s release criteria. Some researchers have very hard timeframes, from informing the vendor to releasing details publicly. If the vulnerabilities didn't meet criteria for out-of-band release, then they would fall into the next release cycle. A few of these Exchange CVEs appear to fall into such a case. No exploits or disclosures were reported against the five Exchanges CVEs.

CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability (information only change)

Third-party updates

Adobe has released updates for 14 products including Adobe Acrobat and Acrobat Reader. Adobe resolved 76 CVEs across the product updates, including 40 Critical CVEs. No exploits or public disclosures have been reported.

Based on Adobe's priorities, these would all fall into their Priority 3 as most of the products are less likely to be targeted (like ColdFusion, InCopy, etc.) Adobe Acrobat and Acrobat Reader is the most likely to be targeted as it is more widely available on systems. Recommendation would be to prioritize APSB23-54 : Security update available for Adobe Acrobat and Reader for remediation to be safe.

Google Chrome has moved to a weekly release cadence for security updates. Chrome's stable channel has been updated to 119.0.6045.159 for Mac and Linux and 119.0.6045.159/.160 for Windows and includes 4 CVEs. Expect Chromium-based browsers to update shortly.

October 2023 Patch Tuesday

Tue, 10 Oct 2023 22:03:02 Z

There's been a long string of zero-day events through September and into the October Patch Tuesday lineup. Apple had five zero-day vulnerabilities across most of their products culminating in their updates that were released on September 26th (which also included the EoL of Big Sur).

Google and Mozilla continued to be busy with several zero-day vulnerabilities in the open-source library, Libwebp. This also impacted chromium-based browsers like Microsoft Edge, Opera and others. For more details on the lineup of CVEs leading up to October Patch Tuesday, check out our Patch Tuesday Forecast on HelpNetSecurity.

Microsoft has resolved 104 new CVEs this month, three of which are flagged as exploited. The lineup from Microsoft includes Windows, Office 365, SQL Server, Exchange Server and multiple Azure components. Along with the large lineup of fixes, October also marks the end-of-life for Windows Server 2012 and 2012 R2.

Microsoft zero-day vulnerabilities

Microsoft has resolved an Elevation of Privilege vulnerability in Skype (CVE-2023-41763) which allows an attacker to send a specially crafted network call to a target Skype for Business server. The network call could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker. The CVE is rated as important and has a CVSSv3.1 of 5.3, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.
Microsoft has resolved an information disclosure vulnerability in WordPad (CVE-2023-36563) which allows the disclosure of NTLM hashes. The CVE is rated as Important and has a CVSSv3.1 of 6.5, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.
Microsoft has resolved a Denial of Service vulnerability in the HTTP/2 protocol (CVE-2023-44487) which allows request cancellation that can reset many streams quickly. The vulnerability has been exploited in the wild since August. The vulnerability has been resolved in the Windows OS and in Visual Studio, .Net and ASP.Net. The CVE doesn't have a CVSS calculated, and Microsoft’s severity is only rated as Important, but due to active exploitation this CVE should be treated as a higher severity.

Windows Server 2012\2012 R2 and Windows 11 21H2 end-of-life

This patch Tuesday will include the latest updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. The later go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week.

End-of-life software poses a risk to an organization. No public updates will be available for these OS versions going forward. For Windows 11 users, this means upgrading to a new Windows 11 branch. For Server 2012\2012 R2 it'shighly recommended to subscribe to ESU or migrate to a newer server edition.

Linux zero-day vulnerabilities

CVE-2023-42115 has a whopping 9.8 CVSS and affects the Exim software solution, a message transfer agent (fancy way of saying email server) that’s very popular on Linux (including web hosters), which wasvulnerable to remote code execution. This vulnerability had been reported for over a year to the original developers but never addressed properly and is now public. There's exploit code available in the wild. It particularly affects servers configured with centralized identity management, including in mixed Windows/Linux environments with Active Directory.
Exim announced on October 2nd that a security update for exim-4.96.1 and 4.97 has been created to mitigate this CVE and two other zero-days (with three other zero-days remaining unpatched). Exim is an important MTA software because it’s bundled with “control panel” web hosters, including in docker images.
CVE-2023-4863 is a 9.1 CVSS heap-based buffer overflow that affects libwebp, which is a library used by countless applications (for example Google Chrome, Firefox or Brave) to render images on screen. It's beenfound to be vulnerable to an exploit, which is already in the wild, and all the applications using it'll be affected — which are essentially any applications that show or process images in the "webp" format (or its derivatives). This is remotely exploitable and requires no interaction to trigger – simply viewing a malicious image is enough to trigger it.

Linux vulnerabilities can have a long tail, from the publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

September 2023 Patch Tuesday

Tue, 12 Sep 2023 21:17:26 Z

September 2023 Patch Tuesday has a lot of activity. The theme this month: "Everyone has a zero-day release!"

Microsoft has resolved 63 total vulnerabilities including two exploited zero-days (CVE-2023-36761 and CVE-2023-36802). Google Chrome resolved one zero-day vulnerability (CVE-2023-4863) on September 11, which is also included in the Microsoft Edge Chromium release. Adobe resolved a zero-day vulnerability in Acrobat and Reader (APSB23-34 CVE-2023-26369) on September 12. Apple resolved two zero-days on September 7 (CVE-2023-41064 and CVE-2023-41061). There aren’t any recent zero-day vulnerabilities on the Linux side, but there are three recent vulnerabilities that are affecting some core capabilities in the Linux Kernel that warrant some attention.

Microsoft updates

Microsoft has resolved a total of 63 vulnerabilities this month, including two exploited vulnerabilities. The zero-day vulnerabilities are in Word (CVE-2023-36761) and the Windows OS (CVE-2023-36802). Microsoft Edge (Chromium) should be releasing shortly and will include a fix for the Chrome zero-day CVE-2023-4863.

Microsoft has resolved an Information Disclosure vulnerability in Word (CVE-2023-36761) that has been exploited in the wild. The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 6.2, but the confirmed exploitation should raise this on your priority list. The Preview Pane can also be used as an attack vector, making it easier to target users to exploit the vulnerability. If exploited, the attacker could gain access to NTLM hashes.
Microsoft has resolved an Elevation of Privilege vulnerability in the Microsoft Streaming Service Proxy (CVE-2023-36802). The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 7.8, but the confirmed exploitation should raise this on your priority list. If exploited the attacker could gain SYSTEM privileges on the target system.

Third-party update

Google has resolved a Critical heap buffer overflow vulnerability in the Chrome browser (CVE-2023-4863). Google is aware that an exploit for CVE-2023-4863 exists in the wild. Windows instances should update to 116.0.5845.187/.188 and for MacOS and Linux 116.0.5845.187.
Adobe Acrobat and Reader released APSB23-34, resolving one critical vulnerability (CVE-2023-26369) that is confirmed to be exploited in the wild. The vulnerability is an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code.
Mozilla has released updates for Firefox and Firefox ESR. No zero-days, just a decent lineup of CVEs resolved.

Linux update

There are three CVEs of note on the Linux platforms:

CVE-2023-3111 is a use after free vulnerability in btrfs in the Linux Kernel affecting all versions of Linux. A use after free vulnerability could allow an attacker to leak data from memory, overwrite critical information, execute arbitrary code and bypass Address Space Layout Randomization (ASLR).
CVE-2023-3390 is a vulnerability in the Linux Kernel’s nftables API in the netfilter subsystem that could allow privilege escalation. The vulnerability affects Debian and Ubuntu.
CVE-2023-35001 is an out of bounds read\write vulnerability in nftables. These types of vulnerabilities can cause a crash, data corruption, code execution, or allow attackers to read sensitive information from other memory locations.

The changes affect two commonly used components in the Linux Kernel. These components are also used by a variety of solutions from Firewalls to SANs and could affect foundational capabilities.

Btrfs is the filesystem utilized by most Enterprise Linux distributions (Ubuntu, Debian, Redhat, etc.).
Nftables is used by any modern firewall solution. Regardless of distribution, it will either be built in through the system itself or third-party applications it will use. The component provides high-performance packet inspection and routing.

None of the vulnerabilities are currently exploited so there is time, but you should take advantage to ensure you are testing the changes across your environment adequately.

Linux vulnerabilities can have a long tail from publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

Apple update

Apple released updates resolving two exploited vulnerabilities on September 7. The updates affect iOS, iPadOS and macOS. The two CVEs have confirmed exploits in the wild and CISA has updated the KEV list adding these two vulnerabilities.

CVE-2023-41061 is a vulnerability in Apple Wallet affecting iPhone and iPad. The vulnerability allows an attacker to create a specially crafted attachment which could allow them to execute arbitrary code.
CVE-2023-41064 is a vulnerability in Apple ImageIO affecting iPhone, iPad and macOS. The vulnerability could be used to craft a malicious image which would allow an attacker to execute arbitrary code when processed.

Update priorities for September

Windows OS, macOS, iPhone, iPad, all browsers and Adobe Acrobat and Reader. Which pretty much feels like everything.

August 2023 Patch Tuesday

Tue, 08 Aug 2023 22:58:39 Z

2023 Year to Date: How Vulnerable Are We?

We are past the mid-way point of 2023. The average ransomware payment is up, but the percentage of victims paying the ransom are down. The shift toward a risk-based approach to vulnerability management is moving along, but slowly. Threat actors are fast to move on zero-day and recently resolved vulnerabilities, but just as likely to target vulnerabilities that have been exposed for years.

The shift to data exfiltration only ransoms

The Ransomware market is constantly shifting and rapidly innovating and trying new things. The latest shift in tactics to skip the encryption and focus on Data Exfiltration only has made a huge impact on the average ransoms being paid this year, but the drop in victims willing to pay is driving the overall percentage of ransoms paid to an all time low.

Coveware’s July 2023 Quarterly Report is tracking the Average Ransom Payment at $740k (+126% from Q1 2023) and attributes this spike to the massive MOVEit campaign executed by CloP impacting over 1000 companies. While the average ransom paid has spiked due to this massive DXF-Only campaign, it has also driven the overall percentage of victims willing to pay to an all time low of 34%.

The shift to risk-based vulnerability management continues

In Ivanti’s May Patch Tuesday Blog, I mentioned the CISA KEV (Known Exploited Vulnerabilities) list had reached 925 CVEs and predicted they would reach 1k CVEs by late August. CISA KEV has reached 982 prior to August Patch Tuesday and appears to be slowing down their additions to the list vs previous years. While my prediction is close, I may have been off by a month or so. We shall see as the month of August progresses.

For those who read Todd Schell’s Patch Tuesday Forecast on Help-Net Security last week or caught some of the recent news regarding the CVSS 4.0 public preview. CVSS 4.0 is the next step towards providing a better risk-based approach to assessing vulnerabilities and prioritizing remediation. The question is, will it be enough of a step forward?

A lot of news focuses on Zero-day vulnerabilities, but CISA KEV is still adding more older CVEs than new ones. Coming into August Patch Tuesday 2023 there have been 114 CVEs added to CISA KEV so far this year. 55 (48.2%) were CVEs first identified in 2023. The additional 59 CVEs (51.8%) were CVEs from 2022 or earlier dating as far back as 2004 (CVE-2004-1464). 76 of the CVEs added in 2023 were CVEs reported in 2022 or 2023 (66%), but one third of the additions were older than 2022. This is a pretty large gap in remediation of exploited vulnerabilities.

Risk-based vulnerability management vs ransomware

A risk-based vulnerability management solution can provide the visibility to shift vulnerability remediation to focus on the vulnerabilities actively being used by threat actors, especially ransomware threat actors. Comparing Ivanti Risk-Based Vulnerability Management data vs CISA KEV you can see that progress is being made, but there is still a gap.

CISA KEV is tracking 982 CVEs currently vs Ivanti RBVM is tracking almost 39k weaponized vulnerabilities.
Ivanti RBVM tracks vulnerabilities tied to Ransomware campaigns and is currently tracking 367 vulnerabilities. CISA KEV contains 132 (~40%) of those CVEs.
26 of the 367 CVEs tied to Ransomware campaigns were from 2022 or 2023. The majority (341 or ~93%) were older than 2022.
In the past 30 days there have been 104 CVEs that are trending amongst threat actors (Ransomware, Malware and other sources of exploitation). 18 of the 104 CVEs are from 2023. CISA currently is tracking only 40 of the 104 CVEs.

This is not a product pitch (although it is a good one) but calling out that we are still falling behind in the vulnerability remediation race. CVSS 4.0 is a step in the right direction, but not nearly good enough to keep up with the challenges we face. CISA KEV is a good start but has many gaps in visibility especially for the vulnerabilities that are trending and that are tied to ransomware campaigns.

August 2023 patch tuesday

Microsoft has released updates resolving 74 new CVEs this month, one of which is confirmed exploited and six are rated by Microsoft as Critical. Microsoft also updated CVE-2023-36884 released in July to split the Office products out into a separate Defense in Depth Advisory (ADV230003). Besides the OS and Office updates, Microsoft has updates for Exchange Server, .NET, Azure, SQL Server, and Teams making for a significant lineup this August.

Additional updates from Google Chrome released on August 3rd and Microsoft Edge (Chromium) updated on August 7th and a lineup of updates from Adobe should also be included in your update activities this month.

Ivanti EPMM vulnerability remediation update

Ivanti continues to collaborate with threat researchers after the joint release of Cybersecurity Advisories on CVE-2023-35078 and CVE-2023-35081 on August 1, 2023, and urged organizations to apply the patches released by the organization. Ivanti is continuing to work actively with customers to upgrade their appliances and helping them apply the fix.

An additional advisory (CVE-2023-35082 - Remote Unauthenticated API Access Vulnerability) was released on August 2nd and updated on August 7th. An update and additional script is required to remediate the vulnerability. Guidance on how to remediate can be found on the Ivanti Community. The update to resolve the previous two CVEs with the additional RPM script will remediate all three vulnerabilities.

While not confirmed to be used in active exploits in the wild, CVE-2023-35082 has been publicly disclosed by the researchers who discovered it. Ivanti is recommending customers update to the latest version and apply the script as soon as possible to respond to confirmed exploits of CVE-2023-35078 and CVE-2023-35081 and to stay ahead of any attempt to utilize CVE-2023-35082.

Microsoft updates

Microsoft updated the affected products listed in CVE-2023-36884 removing the Office products originally listed in the CVE. The Office products listed in ADV230003 are not directly vulnerable, but can be used in an attack chain to exploited CVE-2023-36884. Microsoft has clarified the changes in the Office updates were a Defense in Depth measure. Microsoft recommends applying the Office updates discussed in the advisory in addition to the August Windows OS updates.

Microsoft has resolved a Denial of Service vulnerability in .NET and Visual Studio (CVE-2023-38180). According to the CVE details code maturity has reached proof-of-concept and it is confirmed to be exploited in the wild. The CVE is only rated as Important and the CVSS v3.1 score is 7.5, but taking a risk-based approach this should be treated as a higher priority this month.

Third Party Updates for August 2023 Patch Tuesday

Google Chrome released Chrome 115.0.5790.171 on August 3 resolving 11 CVEs.
Microsoft Edge (Chromium 115.0.5790.171) released on August 7 resolving 11 CVEs.
Adobe released Acrobat and Reader (APSB23-30) resolving 30 CVEs.
Adobe released Commerce (APSB23-42) resolving 3 CVEs.
Adobe released Dimension (APSB23-44) resolving 3 CVEs.
Adobe released XMP Toolkit SDK (APSB23-45) resolving 1 CVE.

July 2023 Patch Tuesday

Tue, 11 Jul 2023 22:31:12 Z

This month is going to be a painful one, with:

Multiple zero-day exploits being resolved by Microsoft,
Some operational changes for Kerberos and Netlogon vulnerability resolutions, and
A large lineup of third-party updates releasing on and after July’s Patch Tuesday – including Oracle's quarterly CPU and Java updates.

Kerberos and Netlogon Vulnerability Changes

July is going to be a big month from an operational perspective.

A number of changes are going into effect regarding two previously resolved CVEs:

An Elevation of Privilege vulnerability resolution in Kerberos (CVE-2022-37967), and
An Elevation of Privilege vulnerability in Netlogon RPC (CVE-2022-38023).

Both CVEs were resolved in 2022, but the code change alone did not resolve the vulnerabilities.

What to expect in July 2023’s updates for Kerberos and Netlogon vulnerabilities

Microsoft outlined a phased rollout of enforcement for both vulnerabilities, due to the fact that they are changing some core behaviors in two commonly used authentication mechanisms.

KB5020805 outlines the timing of changes for the Kerberos vulnerability (CVE-2022-37967). For July, Microsoft is stepping up to initial enforcement. The earlier changes have been to add the capabilities to address the security bypass and audit logging to show if organizations had systems that needed attention to prepare for the change.
- This July 2023 OS update will default the behavior to Enforcement mode, but still allow an Administrator to override and set Audit mode explicitly.
- The future October 10, 2023, update will remove the Admin override and default to full enforcement.
KB5021130 outlines the timing of changes for the Netlogon vulnerability (CVE-2022-38023). For July, Microsoft is stepping up to full enforcement. The earlier changes have been to add the capabilities to address the security bypass and audit logging to show if organizations had systems that needed attention to prepare for the change.
- This July 2023 update will remove the ability to override enforcement and allow compatibility mode for RPC Sealing.
- After deploying the July update, Netlogon will fully enforce RPC Sealing.

Multiple Zero Days and Public Disclosures from Microsoft for July 2023

Microsoft has resolved 130 net new vulnerabilities this month, and there are updates to 9 previously released CVEs. Six CVEs and one Advisory have confirmed exploits.

One of the six exploited vulnerabilities released originally in May, and has been updated this month to address all versions of Microsoft Windows.

This month, I'd specifically like to highlight:

CVE-2023-24932 (Security Feature Bypass - Secure Boot): Critical Confirmed Exploits
CVE-2023-36871 (Security Feature Bypass - AD): Functional Code Maturity
CVE-2023-35311 (Security Feature Bypass - Outlook): Critical Confirmed Exploits
CVE-2023-36884 (Remote Code Execution - Office and Windows HTML): Critical Confirmed Exploits
CVE-2023-36874 (Privilege Escalation - Windows Error Reporting): Reported Exploits
CVE-2023-32049 (Security Feature Bypass - SmartScreen): Critical Confirmed Exploits
CVE-2023-32046 (Privilege Escalation - MSHTML): Important Confirmed Exploits
Microsoft Advisory ADV23001 - Malicious Signed Drivers

Microsoft CVE-2023-24932 (Security Feature Bypass - Secure Boot): Critical Confirmed Exploits

Microsoft has updated CVE-2023-24932, which is a Security Feature Bypass in Secure Boot.

The CVE was originally resolved in May 2023, but Microsoft has expanded the affected OS versions, and is recommending customers update to the July update on all affected Windows OS version this month. The vulnerability has confirmed exploits in the wild.

The CVSS v3.1 base score is 6.7 and it is rated as Important by Microsoft. However, with confirmed exploits and publicly disclosed functional code, this vulnerability should be treated as Critical.

Microsoft CVE-2023-36871 (Security Feature Bypass - AD): Functional Code Maturity

Microsoft has resolved a Security Feature Bypass in Azure Active Directory (CVE-2023-36871). The CVE is rated as Important and has a CVSS v3.1 base score of 6.5, but the temporal metrics list code maturity as functional.

An attacker would require a low privileged session on the user’s device to obtain a JSON web token. The token could thenbe used to create a long-lived assertion using the Windows Hello for Business Key from the victim’s device.

In this case, the fix is to:

Update to the July update on all AD FS servers.
Then, enable the setting required to turn on the EnforceNonceInJWT setting.
- The PowerShell command to enable this setting is provided in the CVE article.

Microsoft CVE-2023-35311 (Security Feature Bypass - Outlook): Critical Confirmed Exploits

Microsoft has resolved a Security Feature Bypass in Microsoft Outlook (CVE-2023-35311). This vulnerability has confirmed exploitation.

The attacker could send a user a specially crafted URL to bypass the Microsoft Outlook Security Notice prompt. The Preview Pane is an attack vector for this vulnerability, but user interaction is required.

Given the fact that phishing a user is a statistical challenge, the priority for getting this fix rolled out is Critical, even though Microsoft’s severity rating is only Important.

Microsoft CVE-2023-36884 (Remote Code Execution - Office and Windows HTML): Critical Confirmed Exploits

Microsoft has resolved a Remote Code Execution vulnerability in Office and Windows HTML (CVE-2023-36884). The CVE is rated as Important, but has confirmed reports of exploitation in the wild and functional code has been publicly disclosed for this vulnerability.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.

Microsoft has not yet released an update to fix this issue, but has provided a configuration level mitigation to block Office applications from creating child processes. Running as least privileged could also help to mitigate the attack and require the attacker to execute additional exploits to elevate their privilege level.

Microsoft has released a blog entry describing steps that can be taken to protect systems until a fix becomes available.

Microsoft CVE-2023-36874 (Privilege Escalation - Windows Error Reporting): Reported Exploits

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Error Reporting (CVE-2023-36874). The CVE is rated as important but has reported cases of exploitation. An attacker – with local access to the target machine with permission to create folders and performance traces on the machine – could gain administrator privileges.

Microsoft CVE-2023-32049 (Security Feature Bypass - SmartScreen): Critical Confirmed Exploits

Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-32049). The CVE is rated as Important, but Microsoft has confirmed reports of exploitation for this vulnerability increasing the urgency to Critical.

The attacker can send a user a specially crafted URL that could allow the "Open File – Security Warning" prompt to be bypassed, opening additional opportunities to further compromise the target system.

Microsoft CVE-2023-32046 (Privilege Escalation - MSHTML): Important Confirmed Exploits

Microsoft has resolved an Elevation of Privilege vulnerability in Windows MSHTML (CVE-2023-32046). Microsoft has rated the CVE as Important and has reports of exploitation in the wild.

An attacker could target a user in a variety of ways, including email- and web-based attack scenarios. If exploited, the attacker would gain the rights of the user that is running the affected application. So, running least privilege would help to mitigate the impact of this vulnerability, forcing the attacker to take additional steps to take full control of the target system.

While IE 11 has been retired, you will see a reference to IE Cumulative updates listed for Windows Server 2008, 2008 R2, 2012 and 2012 R2 due to the MSHTML, EdgeHTML and scripting platforms still being supported.

If you are installing the Security Only updates on these platforms, Microsoft is recommending running the IE Cumulative update as well to fully resolve the CVE.

Microsoft Advisory ADV23001 - Malicious Signed Drivers

Microsoft has released an Advisory (ADV23001) providing guidance on Microsoft Signed Drivers being used maliciously.

Several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.

Microsoft has released Window Security updates (see their "Security Updates" table) that untrust drivers and driver signing certificates for the impacted files, and has suspended the partners' seller accounts. All the developer accounts involved in this incident were immediately suspended.

Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.391.3822.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.

For more information about how the Windows Code Integrity feature protects Microsoft customers from revoked certificates, see Microsoft Support's "Notice of additions to the Windows Driver.STL revocation list".

Third-Party Updates for July 2023 – Including Java Updates from Oracle

Mozilla has released updates for Firefox and Firefox ESR.
Adobe Acrobat and Reader has an update that appears to be non-security related, but has released updates for Adobe InDesign and ColdFusion.
Google Chrome is likely to update on July 11^th or shortly after.
Oracle’s quarterly CPU (Critical Patch Update) is due to release on July 18, with updates for the lineup of Oracle products – including Java.

As you begin your maintenance this cycle, keep in mind that – after the Oracle Java release – there is a stream of additional updates that will occur, including:

RedHat OpenJDK,
Amazon Corretto,
Azul Zulu,
Eclipse Adoptium,
Adopt OpenJDK, and
Other Java frameworks.

June 2023 Patch Tuesday

Tue, 13 Jun 2023 23:59:38 Z

We are at the half-way point for Patch Tuesday releases in 2023. Microsoft has resolved 78 new CVEs and has made updates to seven previously released CVEs for 85 CVEs in this month’s update. This month’s update will have a lot more operational focus for organizations as Microsoft has advanced changes in Kerberos and Netlogon to address vulnerabilities originally discovered in 2022.

Microsoft updates

Microsoft made updates to two previously resolved CVEs that were confirmed to be exploited in the wild.

CVE-2023-24880 is a Security Feature Bypass in Windows SmartScreen and was first resolved in March 2023. Microsoft updated the CVSS score of this vulnerability (CVSSv3.1 4.4/4.1). Most organizations have likely patched this already, but the fact that it is confirmed exploited supersedes the CVSS and Microsoft severity of Moderate and should be considered in your prioritization.

CVE-2021-34527 is a vulnerability in Windows Print Spooler that could allow Remote Code Execution. Yes, this is a blast from the past known as PrintNightmare! The change is documentation-specific. Microsoft “added all supported editions of Windows 10 version 21H2, Windows 11 version 21H2, Windows 11 version 22H2 and Windows Server 2022 as they are affected by this vulnerability.”

Drilling into the KB articles and looking at the downloads, if you have done any updates since November 8th, 2022 or later, you should be covered from an update perspective, so this should be an information only change for most organizations.

Microsoft has implemented the third phase of Windows security updates to address an Elevation of Privilege vulnerability in Windows Kerberos (CVE-2022-37967). The first phase was implemented in November 2022 and added PAC signatures to the Kerberos PAC buffer and added security measures to address the security bypass vulnerability.

Phase two was implemented with the December 2022 update and put all devices into Audit mode by default, but still allowed the authentication.

With this month’s release, Microsoft is removing the ability to disable PAC signature addition. Next month (July 11th, 2023), Microsoft will start the initial enforcement by default, but still allows some override. In October 2023, Microsoft will transition to full enforcement, meaning any service tickets without the new PAC signature will be denied. For more details, see the following.

Microsoft has implemented the second phase of Windows security updates to address an Elevation of Privilege vulnerability in Netlogon (CVE-2022-38023). The first phase was implemented in November 2022 and implemented a default compatibility mode that removed the ability to disable RPC sealing. This enforced RPC sealing for Domain Controllers and use of Trusted accounts.

In the June update, Microsoft has moved to Enforced mode by default unless an administrator is explicitly configured to be in compatibility mode. In next month’s release, Microsoft will implement Phase three of the Netlogon changes to remove the ability to run in compatibility mode. For more details, see the following.

Chrome and Adobe updates

Google Chrome has released a security update resolving five CVEs including one Critical and three High severity CVEs. The most concerning of these five is a use after free in Autofill payments (CVE-2023-3214).

Adobe has released four Priority 3 updates, three of which include one or more Critical CVEs. The updates affect Adobe Experience Manager, Commerce, Animate and Substance 3D Designer. Adobe’s priority definitions identify a priority 3 as an update that “resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”

May 2023 Patch Tuesday

Tue, 09 May 2023 20:22:47 Z

It’s Patch Tuesday once again. The CISA KEV database is now up to 925 CVEs and at the rate it’s increasing, it's likely we'll see it turn over the 1,000 mark around late August this year. Apple has released a new capability called Rapid Security Responses for iOS, iPad and MacOS. For systems running the latest version of each, they'll start receiving faster responses to security vulnerabilities, security improvements and mitigations. In general, the world is moving quickly toward a risk-based approach to security with the goal of taking faster action to reduce the most possible risk to your environment.

That's one of the key goals of Ivanti’s Patch Tuesday efforts. To provide quick analysis on what's released from Microsoft and other vendors, identify priorities from a risk perspective and give as much of a heads up as possible regarding changes and known issues that may impact your environment as you roll out the updates each month.

Microsoft updates

For May 9th, 2023, Microsoft has resolved 51 vulnerabilities, 13 of which were previously released and recently updated. There are three known exploited vulnerabilities resolved this month, one of which was previously released and recently updated. There's one additional publicly disclosed vulnerability that's reached proof-of-concept code maturity, meaning the risk of exploit is high. Six CVEs are rated as Critical, five affecting the Windows OS and one affecting Sharepoint.

The good news this month is all three known exploits and the public disclosure along with five of the six Critical CVEs will be resolved by pushing the Microsoft OS updates this month. That's going to be your highest priority on the Microsoft side.

Microsoft has resolved a Secure Feature Bypass vulnerability in Secure Boot (CVE-2023-24932). The vulnerability was reported by SentinelOne and ESET and has been confirmed to be exploited in the wild. The CVE is rated as Important by Microsoft’s assessment algorithms, but with the confirmed exploits you can ignore that severity rating and respond to the real-world risk indicators.

The vulnerability does require the attacker to have either physical access or administrative permissions on the target system, with which they can install an affected boot policy that'llbe able to bypass Secure Boot to further compromise the system. The vulnerability affects all currently supported versions of the Windows OS.

Microsoft has resolved a Win32k Elevation of Privilege vulnerability (CVE-2023-29336). The vulnerability was reported by analysts from Avast and has been detected in exploits in the wild. The CVE is rated as Important by Microsoft’s assessment algorithms, but with the confirmed exploits you can ignore that severity rating and respond to the real-world risk indicators. The exploit doesn't require user interaction and if exploited would give the attacker system-level privileges. The vulnerability affects Windows 10 and Server 2008 up to 2016.

Microsoft has resolved a Remote Code Execution vulnerability in Windows OLE (CVE-2023-29325). The vulnerability was reported by an analyst from Vul Labs. The CVE is rated as Critical and while it hasn't been detected in active exploits in the wild, it does have proof-of-concept level code samples and has been publicly disclosed, meaning the risk of exploit is high. The vulnerability can be exploited over the network and doesn'trequire user interaction, but can easily target a user to be exploited.

The vulnerability is in the Windows OS, but the Preview Pane in Outlook can be used as an attack vector. Microsoft has even recommended users read email messages in plain text format to mitigate the risk until you can get the update in place. There are other steps and a race condition to win for the attack to be successful, which gives the complexity to exploit as High and may reduce the possibility of this vulnerability being utilised in an attack.

Microsoft updated 13 CVEs this month. Most of the updates were only changes to CVSS or URL data in the CVE bulletins. The CVEs that were updated with more than an informational change are:

CVE-2013-3900 – WinVerifyTrust Signature Validation vulnerability which has a long history and was updated in April 2023 as well. This vulnerability is known to be exploited. The update this month states that supporting code to resolve this vulnerability has been incorporated into all current Windows OS editions already (as of April 2023 Patch Tuesday release), but a registry key must be set to turn on enforcement.
CVE-2022-26928 – Elevation of Privilege vulnerability in Windows OS. Originally released in September 2022. Microsoft expanded the affected products to include all currently supported versions of Windows OS. This will be taken care of as part of your OS updates this month.

Third party security updates

Mozilla has released security updates for Firefox and Firefox ESR, resolving 13 CVEs.

Firefox 113 released resolving 13 CVEs, five of which were rated as high.
Firefox ESR 102.11 released resolving eight CVEs, four of which are rated as high.

For more details from our graphic summary of this month's releases, read our blog post or register for the Ivanti Patch Tuesday webinar (live or on-demand) to get up to date analysis on priorities, known issues and other security news. Visit our Patch Tuesday page for more information.

April 2023 Patch Tuesday

Tue, 11 Apr 2023 21:20:41 Z

Microsoft released updates resolving 97 new CVEs and five older CVEs in the April Patch Tuesday release. Seven CVEs are rated as critical this month. The updates affect the Windows OS, Microsoft Office and 365 Apps, .Net Core, Visual Studio, Azure Machine Learning and Service Connector and updates for SQL Server and Microsoft ODBC and OLE DB.

There’s a new confirmed exploited vulnerability (CVE-2023-28252) resolved in the Windows OS update this month and Microsoft has updated the affected products list for CVE-2013-3900, a previously resolved vulnerability that has been confirmed to be exploited.

Microsoft updated the affected products list for a WinVerifyTrust Signature Validation vulnerability (CVE-2013-3900). The vulnerability has been publicly disclosed and has confirmed exploits in the wild. No changes have been made to the guidance from Microsoft. The April update just adds Server Core editions to the affected products list.

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (CVE-2023-28252) that if successfully exploited could allow the attacker to gain SYSTEM privileges. The vulnerability has been confirmed to be exploited in the wild. The vulnerability is rated as Important and affects all currently supported versions of the Windows OS.

Microsoft has resolved a vulnerability in SQL Server which could allow Remote Code Execution (CVE-2023-23384). The vulnerability is rated as Important and has a CVSS v3.1 score of 7.3. The crash required to exploit the vulnerability would not be easily achieved, but the attack could be attempted over the network as an unauthenticated user.

Azure vulnerabilities

Microsoft has resolved two Azure vulnerabilities this month. Depending on your configuration you may need to take manual steps to resolve these vulnerabilities.

The first is a Security Feature Bypass in Azure Service Connector (CVE-2023-28300). In order to gain unauthorized access to the target environment the attacker must have RBAC Reader role access or above and would need to chain additional vulnerabilities. The Azure Service Connector updates when Azure Command-Line Interface is updated to the latest version. If you have automatic updates enabled (not enabled by default), no action is needed. If you prefer to manually update Microsoft has an update article for the CLI.

The second is an Information Disclose vulnerability in Azure Machine Learning (CVE-2023-28312). The vulnerability could allow an attacker to disclose system logs but would not allow ability to modify data or make the service unavailable. To update the Azure Machine Learning Compute Instance you will need to reference Microsoft’s guidance. If a compute instance currently exists it will be overwritten by applying the update command.

Microsoft has resolved a Remote Code Execution vulnerability in Raw Image Extension Code (CVE-2023-28291), a Microsoft Store app. The store app should automatically update, but if you are running a disconnected environment the app would not be automatically updated.

Third-party updates

Apple released updates resolving two exploited Zero day vulnerabilities (CVE-2023-28205 and CVE-2023-28206). The vulnerabilities affect macOS, iOS and iPad OS. Apple started releasing updates on April 7, 2023. More details can be found on the following release pages: MacOS 13.3.1, iOS 16.4.1 and iPad OS 16.4.1, macOS 12.6.5 and 11.7.6, iOS/iPad 15.7.5 and Safari 16.4.1. A CISA advisory on April 7 warned of the active exploits of the two Apple CVEs and three additional 2021 CVEs for Veritas Backup Exec.
Mozilla Firefox 112 and Firefox ESR 102.10 were released resolving 22 unique vulnerabilities, including eight high severity vulnerabilities.
Adobe released an update for Acrobat and Reader (APSB23-24). The update is a priority 3 resolving 16 CVEs, 14 of which are rated as Critical.
Oracle CPU will be releasing on April 18. This will include many Oracle solutions including Java. After the Oracle Java release there is a stream of additional updates that will occur. RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and other Java frameworks will all begin updating once the Oracle Java release is out. Keep that in mind as you begin your maintenance this cycle.

Prioritization guidance

The Windows OS update should be the top priority this month for Microsoft updates to respond to the Zero day exploit (CVE-2023-28252).
Apple updates for macOS, iPad OS, iOS and Safari should also be on top of your priority list to respond to the pair of Zero day exploits (CVE-2023-28205 and CVE-2023-28206)
Updates for Microsoft Office, Mozilla Firefox and Adobe Acrobat and Reader should be secondary priorities. No active exploits or public disclosures have been reported at this time, but these are more commonly targeted applications and typically have a low risk of impacting users when updated.

March 2023 Patch Tuesday

Tue, 14 Mar 2023 21:17:06 Z

Microsoft has resolved 80 new CVEs this month and expanded four previously released CVEs to include additional Windows versions. This brings the total number of CVEs addressed this month to 84. There are two confirmed zero-day exploits resolved in this month’s updates that impact Microsoft Office and Windows Smart Screen.

Both exploits are user targeted. There is a total of nine CVEs rated as Critical this month. Eight of the nine Critical CVEs are in the Windows OS update this month. Mozilla has released updates for Firefox and Firefox ESR resolving 13 unique CVEs.

Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-24880). The vulnerability has been detected in exploits in the wild. According to Microsoft’s FAQ:

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”

This CVE affects all currently supported versions of the Windows OS. The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations and on its own this CVE may not be all that threatening, but it was likely used in an attack chain with additional exploits. Prioritizing this month’s OS update would reduce the risk to your organization.

Microsoft has resolved an Elevation of Privilege vulnerability in Microsoft 365 Apps and Microsoft Office (CVE-2023-23397). The vulnerability has been detected in exploits in the wild. The vulnerability has a CVSSv3.1 of 9.8 and is rated as Critical by Microsoft. According to Microsoft’s FAQ:

“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the email server. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

There are additional mitigations included in the CVE page to mitigate some of the risk for this vulnerability. There is also additional documentation for mitigating Pass-the-Hash attacks that is recommended by Microsoft to work along with the security update to provide a more effective defense. Microsoft Office and Microsoft 365 Apps should be a priority this month to reduce risk to your organization.

Microsoft updated four CVEs this month to expand the impacted software / applications. CVE-2022-43552, CVE-2022-23257, CVE-2022-23825 and CVE-2022-23816 all have added additional versions of Windows OS to the affected products list.

Remediation priorities this month:

Microsoft Office and Microsoft 365 Apps are the top priority. CVE-2023-23397 is able to be exploited before the message is even viewable in the preview pane. Also, look into the additional mitigations recommended in the CVE documentation.
Microsoft Windows should be updated soon if possible. CVE-2023-24880 has been exploited and could be used against your organization.
Ensure all of your browsers are up to date. Mozilla just released updates. Google Chrome and Microsoft Edge (Chromium) have had updates since February. Make sure all of your browsers are up to date.

February 2023 Patch Tuesday

Tue, 14 Feb 2023 21:12:53 Z

Microsoft updates

February 2023 Patch Tuesday includes fixes for 76 CVEs from Microsoft affecting Microsoft Windows, .NET Framework, Microsoft Office, SQL Server, Exchange Server, several Azure services, HoloLens and more. Nine CVEs are rated as Critical, 67 as Important and three CVEs have known exploits in the wild. The three zero-day vulnerabilities are all rated as Important and have CVSS ratings of 7.8 or less. Organizations are urged to expand their prioritization beyond just vendor severity and CVSS score alone, as many exploited vulnerabilities will be less than Critical or CVSS 8.0, which emphasizes the urgent need to utilize risk-based prioritization methods in your vulnerability management program.

Microsoft resolved a Remote Code Execution vulnerability in Windows Graphics Component (CVE-2023-21823), which has been exploited in the wild. The CVE was rated as Important and affects Windows 10 and Server 2008 and later Windows editions. The vulnerability also affects Microsoft Office for iOS, Android and Universal. If exploited, the vulnerability in the Windows OS could allow the attacker to gain SYSTSEM privileges. For the apps, the exploit could lead to Remote Code Execution. Windows customers are urged to update to the latest OS version. For the app updates, Microsoft included additional notes regarding how to update through the Microsoft Store or Play Store.

Microsoft resolved a Security Feature Bypass in Microsoft Publisher (CVE-2023-21715). The CVE was rated as Important and affects Microsoft 365 Apps for Enterprise and has been exploited in the wild. Microsoft noted that, “The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.” The exploit can bypass Office macro policies used to block untrusted or malicious files.

Microsoft resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which has been exploited in the wild. The CVE was rated as Important and affects Windows 10 and Server 2008 and later Windows editions. If exploited, the attacker could gain SYSTEM privileges. A privilege escalation vulnerability like this would be used in combination with other vulnerabilities in an attack chain.

The Microsoft SQL Server update resolves six CVEs, one of which is rated Critical. This is the most security fixes released in a single update for SQL Server in many years.

The Microsoft Exchange Server update resolves four CVEs, all of which are rated as Important. No public disclosures or known exploits have been included in this update yet, but Exchange has been targeted by sophisticated threat actors in the past couple of years. All four of these are Remote Code Execution vulnerabilities. They shouldn't be left too long.

Third-party update round-up

Mozilla has released updates for Firefox and Firefox ESR, resolving 19 and 14 CVEs, respectively.

Google Chrome released updates for Windows and MacOS editions on February 7th resolving 10 CVEs.

Microsoft Edge (Chromium) released an update on February 9th resolving 11 CVEs.

Apple released updates for MacOS BigSur (8 CVEs), Monterey (18 CVEs), and Safari (3 CVEs) in late January.

Oracle’s quarterly CPU released on January 17th and included an update for Java (4 CVEs). This event triggers the release of many Java frameworks in quick succession. There have been updates for Corretto, Azul Zulu, Node.JS and other Java frameworks since the CPU release.

January 2023 Patch Tuesday

Tue, 10 Jan 2023 21:58:12 Z

Microsoft has released updates resolving 101 total vulnerabilities (CVEs), 98 new and 3 revisions to CVEs from November and December of 2022. 11 CVEs are rated as Critical this month. The most urgent of these are one known exploited vulnerability (CVE-2023-21674), one publicly disclosed vulnerability (CVE-2023-21549) and an update to an advisory from December 2022 (ADV220005).

Advisory 220005 (ADV220005) provides “Guidance on Microsoft Signed Drivers Being Used Maliciously”. Microsoft has included a block list in the January 10, 2023, OS updates which blocks the signing certificates that were compromised. Microsoft recommends all customers update to the January 10, 2023 update to ensure they have the most up-to-date block list.

Microsoft has resolved a known exploited vulnerability (CVE-2023-21674) in Windows Advanced Local Procedure Call (ALPC) which could allow an Elevation of Privileges. The vulnerability is rated as Important and affects all Windows OS versions. The vulnerability could allow a browser sandbox escape and the attacker could gain SYSTEM privileges.

Microsoft has resolved a publicly disclosed vulnerability (CVE-2023-21549) in Windows SMB Witness Service which could allow an Elevation of Privileges. To exploit the vulnerability an attacker could execute a specially crated malicious script which executes an RPC call to an RPC host.

This could result in elevation of privilege on the server. The vulnerability is rated as Important and can be exploited over the network without need for user interaction. Public disclosure means enough information regarding this vulnerability has been disclosed publicly giving attackers a head start on reverse engineering the vulnerability to attempt to exploit it.

For January 10, 2023, Patch Tuesday the majority of the risk is in the Windows OS update across all current versions. It is recommended to prioritize the Windows OS updates as a high priority this month.

Adobe released updates for Adobe Acrobat and Reader (APSB23-01) that resolve a total of 15 CVEs, 8 of which are rated as Critical. The udpate is a Priority 3, which according to Adobe’s rating system means “This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”

Oracle’s quarterly CPU will be releasing on Tuesday, January 17. Be prepared for updates for all your favorite Oracle products, but more importantly expect updates for Java and additional updates for Java alternatives like Corretto, AdoptOpenJDK, RedHat OpenJDK, Azul Zulu JDK and others. Oracle’s quarterly CPU starts a domino update effect across the Java solutions.

Windows lifecycle update

January 2023 Patch Tuesday is the final extended support update (ESU) for Windows 7, Server 2008 and 2008 R2. Microsoft will be continuing one additional year of ESU support for Server 2008 and Server 2008 R2, but only if it is running in Azure.

January 2023 Patch Tuesday is also the last security update for Windows 8.1.

Windows Server 2012 and 2012 R2 will reach its end date on October 10, 2023. Microsoft will offer ESU support for three years starting from October 11, 2023. More details, including migration guidance and a lifecycle FAQ, can be found on the Server 2012 R2 lifecycle page.

Guidance for Exchange customers about ProxyNotShell and OWASSRF exploits with the recent Play Ransomware attack against Rackspace customers

Microsoft responded to the initial ProxyNotShell exploit with two recommendations. A “URL Rewrite rule” and “Disable Remote Powershell for non-admins”. Microsoft is still recommending the latter disabling of powershell for non-admins as general guidance. The URL Rewrite rule was modified many times between initial release and November 7th. On November 8th, 2022 when the update for Exchange Server was released, Microsoft’s guidance was updated:

Update 11/8/2022

We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are no longer recommended.

Rackspace stated the Nov 8th patch had caused performance issues for their hosted Exchange services, so they decided to continue to run with the mitigation. There is a lot of gray area for interpretation of what was the best or right answer, but this event brings up two critical points that I think all organizations should keep in mind.

Mitigations are not permanent fixes. In any case where there is a mitigation option it is meant as a short-term solution but will come with some tradeoffs. Log4J’s mitigation could still be protecting you today if you implemented the guidance specific to solutions in your environment. This would come at the cost of some logging features not being available, but the mitigation would still be effective.

PrintNightmare was a different story. You needed to turn off the print spooler and have no printing ability until the patch was released. In the case of ProxyNotShell and OWASSRF the original mitigation was intended to stop the initial steps used in the ProxyNotShell attack.

It did not account for other exploit methods that could bypass the URL Rewrite Rule mitigations created to mitigate ProxyNotShell, so it was very narrow in scope to prevent the original attack specifically.

In the case of the Play Ransomware attack the mitigations were never intended to stop OWASSRF’s attack method. Be careful how much long-term trust you put into mitigations as they were never intended to be permanent fixes.

Products and technologies have a shelf life. At some point a vendor does need to move beyond a solution as the cost of completely revamping said solution to meet more modern use cases and needs becomes very difficult. Exchange Server is a good example of the dangers of holding onto a technology too long.

Security researchers have stressed some fundamental risks with running Exchange Server. The complexities and difficulties of running an Exchange Server implementation with the level of security that Microsoft can deliver through O365 is really the key tradeoff.

OWASSRF and ProxyNotShell are the most recent, but the 2021 ProxyShell and HAFNIUM exploits were additional examples of high risk of continuing to invest in Exchange Server.

Can an organization run a secure Exchange server instance? Arguably yes, but a sophisticated threat actor with more intimate knowledge of Exchange Server than your organization will continue to find a way to circumvent how effectively you can secure your email services.

To properly assess this risk, you must assume you are competing with the concerted efforts of very knowledgeable adversaries. If you have not accounted for this in your risk assessment, chances are your organization is continuing to run Exchange Server under false assumptions.

Patch Management is Integral for Mature Risk-based Prioritization

Thu, 15 Apr 2021 22:46:34 Z

The term ‘patch’ triggers many familiar images – affixing a rubber patch to a blown bike tire, the ubiquitous duct tape repairs of myriad objects, and so on. While these temporary fixes won’t heal the underlying cause, they are a quick and easy solution.

Our applications and software frequently need patches as well, to fix bugs, security flaws and add feature enhancements. However, in this case, patching is not a temporary band-aid, but rather a proactive planned strategy.

Patch management is more than just repairing and updating IT software. It remediates vulnerabilities and manages risk. Patching is a subset of risk-based prioritization, and software life-cycle management. Once you identify a critical vulnerability in the operating system or applications, you must seek a resolution. It may require changing a configuration, removing an old certificate, or updating software with a patch.

Successfully reducing security risk requires extensive research and data analyses. Microsoft’s Patch Tuesday is a critical starting point and a great source for the latest information on security updates. Ivanti has put great effort and resources into providing in-depth analysis, commentary, bulletins, and tools on Patch Tuesday’s security relevance and operational impact. We cull Patch Tuesday information, along with third-party update data, and present it in a way that organizations can easily consume. Additionally, we identify the things they should be prioritizing. This enables your teams to better understand how to deal with the constant barrage of vulnerabilities and threats.

Accelerating risk prioritization requires knowing your top vulnerabilities

Effective risk management requires proper research and the assessment of extensive data. This is critical for helping organizations respond to ongoing vulnerabilities and apply risk-based prioritization. Defined policies, rationalized prioritization processes, and well-organized and analyzed data directly impact the reliability and effectiveness of how vulnerabilities are addressed.

A mature risk-based prioritization practice addresses known vulnerabilities that are rated by importance. On the day Microsoft releases updates, they include documentation that shows vulnerabilities known to be exploited in the wild. They also release other updates that are not known to be actively exploited, and those have lower priority. However, it’s important to understand how risk priorities can shift, so we can better prioritize our activities to best respond to all critical risks.

A mature risk-based prioritization approach leverages many data sources, including vulnerability trends by threat actors. It includes an automated process that feeds data sources in, analyzes and prioritizes risks, and lists activities in priority order to quickly mitigate risk.

Challenges with managing risk priority by vendor

Managing risk priority by focusing on vendor-defined severities can fall short of the mark. Risk-based prioritization takes a broad focus on risk metrics, rather than relying on a single vendor’s severity. The key is identifying, prioritizing and mitigating all critical vulnerabilities, including additional data points to classify the most critical risks to your environment. A single vendor severity simply isn’t enough.

There are many cases where the vendor’s prioritization does not reflect real world risk. Due to the nature of how vendors classify severity, a vulnerability could be classified as important, but known to be actively exploited on the day an update was released. Additional risk metrics like exploited and publicly disclosed vulnerabilities must be considered. Even telemetry on what is trending among threat actors will focus priorities to ensure the most dangerous threats are quickly resolved.

An evolutionary process

Mature risk-based prioritization encompasses an ecosystem with multiple solutions and vendors working cohesively together. An effective intelligence gathering and integration process must bridge the gap between security vulnerability assessments, threat intelligence solutions, and patch management.

Ivanti is helping to bridge this gap. We take the vulnerability assessment and other patch data, feed it into process management, prioritize vulnerabilities, and drive appropriate actions into the patch management system for rapid remediation. Ivanti Neurons for Patch Intelligence helps users easily research, prioritize, and receive better insights for best practice patch management, within one central location. We continue to expand these capabilities to create robust solutions around this evolving practice.

However, there is no panacea or silver bullet that fully automates processes and integrates everything - end-to-end. Like digital transformation, the alignment of patch management and risk-based prioritization is a layered process and an evolutionary journey.

Mature risk-based prioritization requires continuous vulnerability management. There are many challenges in overcoming the gaps between security vulnerability assessments, threat intelligence solutions, and patch management. The handoff process must take additional risk metrics into account, or crucial vulnerabilities will be overlooked.

Evolving Your Security Strategy Toward Self-Securing With Ivanti Neurons

Tue, 28 Jul 2020 15:46:41 Z

Threat actors move fast. They are agile and will shift tactics as opportunities present themselves. As the COVID-19 pandemic changed how we had to work and manage our users and environments, threat actors also made changes. They adapted to a new opportunity and they did so very quickly. ZScaler released a report in April showing the increase in COVID themed attacks increasing 30,000% between January and March this year. In just a few months, threat actors made a wholesale shift in tactics to take advantage of a large opportunity. Now that is business agility that many of us can only envy.

According to a research study from RAND, threat actor can exploit a vulnerability in a median 22 days and most exploits will have a shelf life of 7 years. An annual report from Recorded Futures that shows the most commonly exploited vulnerabilities from 2019 confirms this. Most exploits are compromising vulnerabilities that have been around for some time.

How do we counter this level of agility and adaptability from threat actors? By adapting ourselves. We need to shift toward a self-securing strategy. Yes, threat actors are gaining in sophistication, but at the root of that sophistication is the same tactical execution that they have been doing for years. Reconnaissance, exploit vulnerabilities, gain persistence, move laterally, exfiltrate/encrypt data. They are performing the same activities, just with more automated and augmented capabilities.

What do we mean by self-securing? Through analyzing attackers' methods and the use of automation and machine learning we can react more quickly to real threats. This adaptive security approach is made up of three parts: Sensing, Prioritization, and Remediation.

Sensing

Discover what is in your environment. Detect running software and configuration and analyze for vulnerabilities. Continuously monitor for changes; new devices being introduced and changes in state of devices in the environment.

Prioritization

Risk-based prioritization to identify what is actively being exploited and respond to highest risks quickly. Predictive algorithms to anticipate changes and threats and give prescriptive guidance on what to do next.

Noise reduction: There is always way to much data and way to many threats to manage everything, but that noise can be reduced to the critical activities that will mitigate the most risk quickly.

Remediation

Acting is the most critical part of the process. Identifying thousands or tens of thousands of threats does no good if action is not taken to eliminate those threats.

Proactive: As we discussed earlier, threat actors move quickly. We need to be proactive in our responses. The prioritized risks can quickly bubble up to be responded to first. Knowing what is being actively exploited helps optimize remediation efforts.
Adaptive: Our remediation capabilities (as well as assessment) need to be able to adapt to the environments and circumstances. The COVID pandemic is a good example of why this is necessary. As we rapidly shifted to a remote workforce, it is essential that our security capabilities can follow. Public or private clouds, on premises or off premises user systems, corporate devices or BYOD, we need to ensure we can manage and respond to threats to our environment. Finally, we come to Automation.
Automation: Threat actors are automating more and more of the attack. This means it can happen fast and at scale. We need to automate the response. Automating the steps, reducing time between steps, and removing human elements wherever possible increases response times and eliminates errors.

The biggest thing to keep in mind is that self-securing does not mean the human is eliminated from the equation. It is a focus on automating activities that can be automated, generating the analytical data needed to make decisions quickly and prioritizing actions for analysts to quickly approve and respond to urgent threats in a timely fashion, which again would be automated.

Learn more about Ivanti Neurons here.