Tag: Windows Updates

Third Party Patch Updates: When the Wild Things Attack

Categories: Patch Management

Are You Lost in the IT Wild?

If you aren’t patching your third-party vulnerabilities, your business, your assets and your sales are just that: vulnerable. Adobe’s Flash has had a tough month. In October we’ve seen two different critical patches released to shore up security holes that let attackers take control of your devices.

“We are aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.”

These critical zero-day flaws aren’t patched by Windows: you have to know about them, find them, download the content, and then install them.


Third-Party Updates

10/26/2016 – Updated debugger and standalone versions of Flash Player. These versions contain fixes for critical vulnerabilities identified in Security Bulletin APSB16-36. The latest versions are 23.0.0.205 (Win & Mac) and 11.2.202.643 (Linux). All users are encouraged to update to these latest versions.

10/3/2016 – Earlier this week Adobe released Security Bulletin APSB16-25 to resolve issues with Flash Player on Windows, OS X and Linux that allow attackers to execute arbitrary code via unspecified vectors.

Exploited – Critical Patch Releases
Patch Details
Product: Flash Player
FlashPlayer_Plugin_PPAPI_v23.0.0.205
FlashPlayer_ActiveX_v23.0.0.205
FlashPlayer_Plugin_NPAPI_v23.0.0.205

  • These updates resolve memory corruption vulnerabilities that could lead to code execution
  • These updates resolve a memory leak vulnerability
  • These updates resolve type confusion vulnerabilities that could lead to code execution
  • These updates resolve use-after-free vulnerabilities that could lead to code execution
  • These updates resolve a security bypass vulnerability that could lead to information disclosure

Don’t miss the latest upgrades

Every month we see a bevy of new third party updates, and are always enhancing our library of supported vendors. Special requests and additions are welcomed. This month’s releases include: 

Patches with Content Updates, Bug fixes and Feature enhancements

Product | Category | Patch
Chrome | Web Browser | Chrome_v53.0.2785.143
Skype | Online calls | Skype_v7.28.101, Skype_v7.29.0.102
iTunes | Music Player | iTunes_v12.5.1
Shockwave | Media Player | Shockwaveplayer_v12.2.5.195
Firefox | Web Browser | Firefox_v49.0.2
Notepad++ | Source code editor | Notepadpp_v7.1
CitrixReceiver | File access | CitrixReceiver_v4.5.0.14155
WinSCP | File browser | WinSCP_v5.9.2
Wireshark | Network protocol analyzer | Wireshark_v2.2.1
Foobar | Audio player | Foobar2000_1.3.12
Evernote | Multi device Note pad | Evernote_v6.3.3.3502
Glary Utilities | PC cleanup | Glary_v5.60, Glary_v5.61
MediaMonkey | Media Manager | MediaMonkey_v4.1.14.1813
Adobe Air | | AdobeAIR_v23.0.0.257
AIMP | Audio Player | AIMP_v4.11.1841, AIMP_v4.11.1839
Filezilla | FTP Client | FileZilla_v3.22.1

Specific details available on 3rd Party Patch releases
Patch Details
Product: Adobe Air

AdobeAIR_v23.0.0.257

  • Adobe has released a security update for Adobe AIR SDK and Compiler. This update adds support for secure transmission of runtime analytics for AIR applications on Android. Developers are encouraged to recompile captive runtime bundles after applying this update.
Product: AIMP Player

AIMP_v4.11.1841

AIMP_v4.11.1839

  • Fixed: Playlist – the “add entire folder if one file is sent” option does not work correctly in some cases (regression)
  • Fixed: Playlist – no ability to select a few collapsed groups via keyboard
  • Fixed: Music Library – table – album thumbnails view – playback invoked via mouse double-click always started from the first track in the group
  • Fixed: Music Library – small bugs were fixed
  • Fixed: Plugins – API – an error occurs when calculating the hash code for certain images (regression)
Product: Filezilla FTP Client

FileZilla_v3.22.1

  • Bugfixes and minor changes:
  • OS X: Work around a nasty bug in XCode where programs explicitly compiled for older versions of OS X were silently pulling in features exclusive to the new version, resulting in crashes at runtime
  • Fixed a potential crash when using SFTP
Firefox_v49.0.2
iTunes_v12.5.1
  • Apple has released iTunes v12.5.1 for OS X and Windows. The update brings an all-new Apple Music design that adds clarity and simplicity to every aspect of the experience.
Notepadpp_v7.1
  • Fix x64 crash on macro recording
  • Fix x64 crash on new language dialog of UDL
  • Check plugin architecture (32-bit or 64-bit) before loading
  • Enhance Smart Highlighting feature: 1. match case 2. whole word only 3. use find dialog settings for both
  • Fix poor performance of hex XML entities
  • Reshow CallTip text on separator character
  • Skip Auto-Complete self-closing HTML tags (<br>, <base>, <track>… etc)
  • Fix 2 UI issues for RTL layout
  • Fix Folder as Workspace toolbar button inconsistent behavior
  • Add option to skip word completion on numbers (default: ON)
  • Fix bug with bookmarks being toggled off
  • Sort plugin menu by plugin name
  • Installer: Add 64-bit/32-bit old install detection, and old installation removal ability
  • Installer: Ask user for keeping user data during uninstallation
  • Installer: Fix uninstaller bug to not remove themes files from APPDATA
Opera_v40.0.2308.81
  • Fixes for Opera Stable running on Sierra. We have also fixed the backspace which stubbornly navigated back in history even when the address field was focused. And, now it is again possible to seamlessly import Firefox bookmarks
RevoUnistallerFree_v2.0.1

RevoUnistallerPro_v3.1.7

  • Fixed Minor bugs
  • Improved scanning for leftovers
Thunderbird_v45.4.0
  • Display name was truncated if no separating space before email address.
  • Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
  • Additional spaces were inserted when drafts were edited.
  • Mail saved as template copied In-Reply-To and References from original email.
  • Threading broken when editing message draft, due to loss of Message-ID
  • “Apply columns to…” did not honor special folders
WinSCP_v5.9.2
  • Translations completed: Brazilian Portuguese, Finnish, Kabyle and Ukrainian
  • Lots of usability improvements and bug fixes

December Patch Tuesday: Patching Through The Snow

Categories: Patch Management, Patch Tuesday, Uncategorized

Add Some Layers… To Your Security

Grab your hot chocolate and bundle up: it’s time to stay inside and catch up on the latest Microsoft updates. On this day of December, Microsoft sent to us … 12 bulletins. The holiday month has come around again, and like last year Microsoft have delivered 12 more bulletins to keep us safe.

Of the 12 bulletins, 6 are rated Critical and 6 are rated Important. Last week Microsoft also released 31 KB updates covering Office version 2013 and 2016. Full details of that release can be found here.

What do you know about Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)? Microsoft have announced that on 31st July 2018 it will no longer be supported. Why is EMET important? Because it is a freeware security toolkit for Windows.

It provides a unified interface to enable and fine-tune Windows security features. It can be used as an extra layer of defense against malware attacks, after the firewall and before antivirus software.


Robert Brown, Director of Services for Verismic says, “Microsoft have suggested Windows 10 has all the protection it needs and therefore no longer has a need for another layer of security.

Without EMET, customers will have a need greater than ever before to implement a patching policy. Does Windows 10 offer the same level of security? See for yourself here.”


Microsoft Updates

To help your IT Security Officer, we have chosen a few updates from this month’s Microsoft Patch Tuesday to prioritize. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and, most importantly, the independent CVSS score for the vulnerability.

MS16-144 – This update addresses the vulnerabilities by correcting how Microsoft browsers and affected components handle objects in memory, how Microsoft browsers check the Same Origin Policy for scripts running inside Web Workers, and how scripting engines handle objects in memory. As it is publicly disclosed and the affected software is used by a great number of our customers, we recommend this be a priority this month.

MS16-145 – An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. As it is publicly disclosed and the affected software is used by a great number of our customers, we recommend this be a priority this month.

MS16-146 – This security update addresses the vulnerabilities by correcting how the Windows GDI component handles objects in memory.

MS16-154 – The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are rated High, those in the range 4.0-6.9 Medium, and those in the range 0-3.9 Low.

1. MS16-144 – Cumulative Security Update for Internet Explorer (3204059)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: Yes | Exploited: No | Severity: Critical | CVSS Score: 9.3

2. MS16-145 – Cumulative Security Update for Microsoft Edge (3204062)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: Yes | Exploited: No | Severity: Critical | CVSS Score: 9.3

3. MS16-146 – Security Update for Microsoft Graphics Component (3204066)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Critical | CVSS Score: 9.3

4. MS16-147 – Security Update for Microsoft Uniscribe (3204063)
This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Critical | CVSS Score: 9.3

5. MS16-148 – Security Update for Microsoft Office (3204068)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution | Restart Requirement: Maybe | Publicly Disclosed: No | Exploited: No | Severity: Critical | CVSS Score: 9.3

6. MS16-149 – Security Update for Microsoft Windows (3205655)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 6.8

7. MS16-150 – Security Update for Secure Kernel Mode (3205642)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 6.8

8. MS16-151 – Security Update for Windows Kernel-Mode Drivers (3205651)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 7.2

9. MS16-152 – Security Update for Windows Kernel (3199709)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.
Impact: Information Disclosure | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 1.7

10. MS16-153 – Security Update for Common Log File System Driver (3207328)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.
Impact: Information Disclosure | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 7.2

11. MS16-154 – Security Update for Adobe Flash Player (3209498)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: NA | Exploited: NA | Severity: Critical | CVSS Score: NA

12. MS16-155 – Security Update for .NET Framework (3205640)
This security update resolves a vulnerability in Microsoft .NET Framework 4.6.2’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.
Impact: Information Disclosure | Restart Requirement: Yes | Publicly Disclosed: Yes | Exploited: No | Severity: Important | CVSS Score: 2.1

Get Started

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.


November Patch Tuesday: From Science Fiction to Fact

Categories: Patch Management, Patch Tuesday, Uncategorized

Old School Macros Finally Get Blocked

Today Microsoft have released 14 bulletins in total of which 6 are rated Critical and 8 are rated Important. Last week Microsoft also released 25 KB updates covering Office version 2010, 2013 and 2016.

Full details of that release can be found here. A couple of months back we observed a trend where new-age hackers were using old-school techniques to find a vulnerability in a system and then use it to launch malicious attacks. One of the newest features of Microsoft Office 2016 allows enterprise administrators to block users from running macros inside Office documents that originated from the Internet.

It does appear that Microsoft have also witnessed this trend and have made changes to protect their customers. We have also just learned that they will shortly be backporting that functionality to Office 2013, enabling the same security to work the way it does in Office 2016. Robert Brown, Director of Services for Verismic says, “It’s great Microsoft are listening to their customers and their concerns.”

Office 2013 still has a massive market share, with customers either unwilling or unable to upgrade quickly; offering this safety feature to Office 2013 will enable those customers to plan their upgrades properly and without immediate urgency.

Microsoft are also adding detections for the BrowserModifier:Win32/Soctuseer rootkit in this month’s security release, helping to lessen interference with your browsing experience. No matter how it attempts to hide, most Soctuseer installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool (MSRT). We recommend our customers include this security update within their monthly patching process, especially since it has been reported this month that one in three cyberattacks results in a security breach.

Twitter and Spotify “Dynied”

Shopping and social media sites were hit with a massive DDoS attack last week, which took three of the big names offline. The well-known social media site Twitter and music sharing site Spotify are among the big names affected, with many more suffering service disruptions. The focus of this attack was a company called Dyn, which provides DNS service to company websites. Security analysts believe the attack used “internet of things” devices as its way in.

For those not familiar, the internet of things, or IoT, is a term used to describe any user device that connects to the internet. Today’s IoT can include washing machines, heating controllers, IP CCTV, cars and even wireless baby monitors. Dyn provide a DNS service to large companies and was attacked using millions of devices, commonly known as “bots” (unbeknown to the end user), on a “botnet”, all of which were infected with the “Mirai” malware.

The majority of these attacks originate in Asia, and this DDoS was one of the largest out of China this year. Mirai is a nasty little bug that trawls the web for IoT devices with little or no protection and pre-set factory default access credentials. Once discovered, Mirai enlists the devices into its own botnet and proceeds to bombard targets with an overwhelming number of requests and messages designed to overload the system and bring the website down. Cyber security expert Brian Krebs knows this kind of attack all too well: a DDoS attack was launched on his site back in September, with data overloads reaching 620 gigabits per second at its peak.


James Rowney, Verismic Services Manager, commented “Attacks like these have been written into science fiction horror for decades, this is no longer science fiction, this is science fact. Be extra vigilant with your IT security.

“Set all network connected devices to use secure UserID and passwords, this is the first step to protecting yourself from being exploited in this manner. If possible try to disconnect or power off devices that are not in use, might save you some electricity too!”


Microsoft Updates

To help your IT Security Officers, we have chosen a few updates from this month’s Microsoft Patch Tuesday to prioritize. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and, most importantly, the independent CVSS score for the vulnerability.

MS16-129 – The update addresses the vulnerabilities by modifying how Microsoft browsers handle objects in memory, changing how the XSS filter in Microsoft browsers handles RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory and correcting how Microsoft Edge parses HTTP responses. This vulnerability has been publicly disclosed.

MS16-130 – The security update addresses the vulnerabilities by correcting how the Windows Input Method Editor (IME) loads DLLs and by requiring that hardened UNC paths be used in scheduled tasks.

MS16-132 – This update is actively being exploited, which is why we recommend it be deployed as a priority this month. The security update addresses the vulnerabilities by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.

MS16-135 – Although this update is only marked as Important, the CVSS score tells us otherwise. It is also publicly disclosed and has active exploits. We believe this should also be your priority this month.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are rated High, those in the range 4.0-6.9 Medium, and those in the range 0-3.9 Low.

MS16-129 – Cumulative Security Update for Microsoft Edge (3199057)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: Yes | Exploited: No | Severity: Critical | CVSS Score: 9.3

MS16-130 – Security Update for Microsoft Windows (3199172)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a locally authenticated attacker runs a specially crafted application.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Critical | CVSS Score: 9.3

MS16-131 – Security Update for Microsoft Video Control (3199151)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Critical | CVSS Score: 9.3

MS16-132 – Security Update for Microsoft Graphics Component (3199120)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution when the Windows Animation Manager improperly handles objects in memory, if a user visits a malicious webpage. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: Yes | Severity: Critical | CVSS Score: 9.3

MS16-133 – Security Update for Microsoft Office (3199168)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution | Restart Requirement: Maybe | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 9.3

MS16-134 – Security Update for Common Log File System Driver (3193706)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit these vulnerabilities by running a specially crafted application to take complete control over the affected system. An attacker who successfully exploits this vulnerability could run processes in an elevated context.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 7.2

MS16-135 – Security Update for Windows Kernel-Mode Drivers (3199135)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: Yes | Exploited: Yes | Severity: Important | CVSS Score: 7.2

MS16-136 – Security Update for SQL Server (3199641)
This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow an attacker to gain elevated privileges that could be used to view, change, or delete data; or create new accounts. The security update addresses these most severe vulnerabilities by correcting how SQL Server handles pointer casting.
Impact: Elevation of Privilege | Restart Requirement: Maybe | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 9.0

MS16-137 – Security Update for Windows Authentication Methods (3199173)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first need to authenticate to the target, domain-joined system using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from an unprivileged user account to administrator. The attacker could then install programs; view, change or delete data; or create new accounts. The attacker could subsequently attempt to elevate by locally executing a specially crafted application designed to manipulate NTLM password change requests.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 7.2

MS16-138 – Security Update to Microsoft Virtual Hard Disk Driver (3199647)
This security update resolves vulnerabilities in Microsoft Windows. The Windows Virtual Hard Disk Driver improperly handles user access to certain files. An attacker could manipulate files in locations not intended to be available to the user by exploiting this vulnerability.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: NA

MS16-139 – Security Update for Windows Kernel (3199720)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application to access sensitive information. A locally authenticated attacker could attempt to exploit this vulnerability by running a specially crafted application. An attacker can gain access to information not intended to be available to the user by using this method.
Impact: Elevation of Privilege | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 7.2

MS16-140 – Security Update for Boot Manager (3193479)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy.
Impact: Security Feature Bypass | Restart Requirement: Yes | Publicly Disclosed: No | Exploited: No | Severity: Important | CVSS Score: 1.7

MS16-141 – Security Update for Adobe Flash Player (3202790)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: NA | Exploited: NA | Severity: Critical | CVSS Score: NA

MS16-142 – Cumulative Security Update for Internet Explorer (3198467)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution | Restart Requirement: Yes | Publicly Disclosed: Yes | Exploited: No | Severity: Critical | CVSS Score: 9.3
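The prioritization rule that both the December and the November posts describe (actively exploited first, then publicly disclosed, then the independent CVSS score, with the 7.0-10.0 High, 4.0-6.9 Medium and 0-3.9 Low bands) is easy to get wrong by hand once a month has a dozen bulletins and some cells read NA. The following Python script is an added example, not Syxsense or Verismic code and not something from the posts themselves. It parses a pipe-separated copy of a few rows from the November table (the pipe-separated layout is a constructed input format assumed here, the kind of export a patch console might give you), applies the posts' bands, ranks the bulletins by that rule, treats NA as unknown rather than as No, and flags bulletins whose vendor severity understates the CVSS band, which is exactly the point the post makes about MS16-135.

```python
"""Patch Tuesday triage helper.

Added example, not Syxsense/Verismic code. It applies the CVSS banding the
posts state (7.0-10.0 High, 4.0-6.9 Medium, 0-3.9 Low) and orders bulletins
by the signals the posts use to pick monthly priorities: actively exploited
first, then publicly disclosed, then CVSS base score. It also flags bulletins
whose vendor severity understates the CVSS band (the MS16-135 case).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rows copied from the November table above. The
# pipe-separated layout is an assumption of this example (e.g. a CSV-style
# export from a patch console), not the format of the post itself.
SAMPLE_TABLE = """
MS16-129 | Cumulative Security Update for Microsoft Edge (3199057) | Remote Code Execution | Yes | Yes | No | Critical | 9.3
MS16-132 | Security Update for Microsoft Graphics Component (3199120) | Remote Code Execution | Yes | No | Yes | Critical | 9.3
MS16-134 | Security Update for Common Log File System Driver (3193706) | Elevation of Privilege | Yes | No | No | Important | 7.2
MS16-135 | Security Update for Windows Kernel-Mode Drivers (3199135) | Elevation of Privilege | Yes | Yes | Yes | Important | 7.2
MS16-136 | Security Update for SQL Server (3199641) | Elevation of Privilege | Maybe | No | No | Important | 9.0
MS16-140 | Security Update for Boot Manager (3193479) | Security Feature Bypass | Yes | No | No | Important | 1.7
MS16-141 | Security Update for Adobe Flash Player (3202790) | Remote Code Execution | Yes | NA | NA | Critical | NA
"""


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    title: str
    impact: str
    restart: str                 # Yes / No / Maybe, as printed in the table
    disclosed: Optional[bool]    # None when the table says NA
    exploited: Optional[bool]    # None when the table says NA
    severity: str                # vendor rating: Critical / Important / ...
    cvss: Optional[float]        # None when the table says NA


def cvss_band(score: Optional[float]) -> str:
    """Map a CVSS base score onto the posts' High/Medium/Low bands."""
    if score is None:
        return "Unscored"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def _flag(cell: str) -> Optional[bool]:
    """Parse a Yes/No/NA cell; NA becomes None so it is not mistaken for No."""
    v = cell.strip().lower()
    if v == "yes":
        return True
    if v == "no":
        return False
    if v in ("na", "n/a", ""):
        return None
    raise ValueError(f"unrecognised flag cell: {cell!r}")


def parse_row(line: str) -> Bulletin:
    """Parse one pipe-separated row into a Bulletin."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
    bid, title, impact, restart, disclosed, exploited, severity, cvss = fields
    score = None if cvss.upper() == "NA" else float(cvss)
    return Bulletin(bid, title, impact, restart, _flag(disclosed),
                    _flag(exploited), severity, score)


def parse_table(text: str) -> List[Bulletin]:
    return [parse_row(line) for line in text.strip().splitlines() if line.strip()]


def _rank(flag: Optional[bool]) -> int:
    # Known Yes outranks unknown (NA), which outranks known No, so a
    # bulletin whose vendor did not publish the field is never buried below a No.
    return {True: 2, None: 1, False: 0}[flag]


def priority_key(b: Bulletin) -> Tuple[int, int, float]:
    """Sort key: exploited, then disclosed, then CVSS (unscored sorts last)."""
    return (_rank(b.exploited), _rank(b.disclosed), -1.0 if b.cvss is None else b.cvss)


def severity_understated(b: Bulletin) -> bool:
    """True when the vendor says Important but CVSS puts it in the High band."""
    return b.severity.lower() == "important" and cvss_band(b.cvss) == "High"


def triage(bulletins: List[Bulletin]) -> List[Tuple[str, str, str]]:
    """Return (bulletin id, CVSS band, reason) in deployment priority order."""
    out = []
    for b in sorted(bulletins, key=priority_key, reverse=True):
        reasons = []
        if b.exploited:
            reasons.append("exploited in the wild")
        if b.disclosed:
            reasons.append("publicly disclosed")
        if b.exploited is None or b.disclosed is None:
            reasons.append("vendor did not state exploit status")
        if severity_understated(b):
            reasons.append(f"rated {b.severity} but CVSS {b.cvss} is High")
        out.append((b.bulletin_id, cvss_band(b.cvss), "; ".join(reasons) or "no extra signal"))
    return out


if __name__ == "__main__":
    for bid, band, reason in triage(parse_table(SAMPLE_TABLE)):
        print(f"{bid}  {band:<8} {reason}")
```

Run it directly to print the ranked list. With the sample rows it puts MS16-135 ahead of MS16-132, because both are exploited but only MS16-135 is also publicly disclosed, and it surfaces MS16-141 (Flash, NA/NA) third rather than at the bottom, since an unknown exploit status is not evidence of safety. Ranking "publicly disclosed" above the raw CVSS score is one reading of the posts' wording; if your policy weights the score higher, reorder the tuple in priority_key.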

Get Started

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.


October Patch Tuesday: Welcome to the Patchocalypse

Categories: Patch Management, Patch Tuesday, Uncategorized

Major Changes Ahead for Patch Tuesday

Today Microsoft have released 10 bulletins in total, of which 5 are rated Critical, 4 are rated Important and one is rated Moderate. Our clients need to be aware of a change in release strategy announced by Microsoft today, which many Microsoft users have branded the ‘patchocalypse’. Their aim is to combine all updates into a single deployment package instead of issuing individual patches to remediate individual vulnerabilities; however, it is not envisaged that all parts of the anticipated “rollup” will be completed until early 2017.

However, we do not expect this to be a major disadvantage. It offers a major improvement in efficiency, as it means less content to scan and fewer individual patch binaries to deploy throughout your environment, which in turn makes securing your environment easier, something already being done on the Windows 10 operating system.

One of the downsides we can see is the ability to “rollback” an individual patch should an issue occur. In this new form, if any patch causes an issue on your systems then the only choice you have is to exclude the entire rollup. Robert Brown, Director of Services for Verismic says, “This is a really challenging time for an IT Security Officer. On the one hand you have to balance the safety of your network, and on the other you have to ensure any deployments do not significantly impact your helpdesk with undesired negative issues caused by that patch deployment. You may delay a while to see if any issues become public but in our experience, nothing beats a rigorous & transparent test plan.” Further details of this process can be found here.

Microsoft Office KB Updates

Last week Microsoft released 17 KB updates covering Office versions 2013 & 2016. This is one of the smallest releases we have seen for a while, possibly because of the amount of work Microsoft have been putting into preparing for the patch rollup process above. Full details of that release can be found here.


Urgent Adobe Flash Update Needed

Earlier this week Adobe released a patch, APSB16-25, to resolve issues with Flash Player on Windows, OS X and Linux that allow attackers to execute arbitrary code via unspecified vectors. This vulnerability has been rated CVSS 10; if you have not already made preparations to deploy this update, please start them immediately. This particular vulnerability is a nasty one, as it can be exploited over a network and does not require any authentication – meaning any user at any time.

MS16-118: Cumulative Security Update for Internet Explorer (3192887)
Impact: Remote Code Execution | Restart required: Yes | Publicly disclosed: No | Exploited: Yes | Severity: Critical | CVSS score: 9.3

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-119: Cumulative Security Update for Microsoft Edge (3192890)
Impact: Remote Code Execution | Restart required: Yes | Publicly disclosed: No | Exploited: Yes | Severity: Critical | CVSS score: 9.3

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-120: Security Update for Microsoft Graphics Component (3192884)
Impact: Remote Code Execution | Restart required: Yes | Publicly disclosed: No | Exploited: Yes | Severity: Critical | CVSS score: 9.3

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-121: Security Update for Microsoft Office (3194063)
Impact: Remote Code Execution | Restart required: Maybe | Publicly disclosed: No | Exploited: Yes | Severity: Critical | CVSS score: 9.3

This security update resolves a vulnerability in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

MS16-122: Security Update for Microsoft Video Control (3195360)
Impact: Remote Code Execution | Restart required: Yes | Publicly disclosed: No | Exploited: No | Severity: Critical | CVSS score: 9.3

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

MS16-123: Security Update for Windows Kernel-Mode Drivers (3192892)
Impact: Elevation of Privilege | Restart required: Yes | Publicly disclosed: No | Exploited: No | Severity: Critical | CVSS score: 7.2

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS16-124: Security Update for Windows Registry (3193227)
Impact: Elevation of Privilege | Restart required: Yes | Publicly disclosed: No | Exploited: No | Severity: Important | CVSS score: 1.7

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.

MS16-125: Security Update for Diagnostics Hub (3193229)
Impact: Elevation of Privilege | Restart required: Yes | Publicly disclosed: No | Exploited: No | Severity: Important | CVSS score: 7.2

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-126: Security Update for Microsoft Internet Messaging API (3196067)
Impact: Information Disclosure | Restart required: Yes | Publicly disclosed: No | Exploited: Yes | Severity: Moderate | CVSS score: 4.3

This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk.

MS16-127: Security Update for Adobe Flash Player (3194343)
Impact: Remote Code Execution | Restart required: Yes | Publicly disclosed: NA | Exploited: NA | Severity: Critical | CVSS score: NA

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

HTTP.sys vulnerability fixed in April’s Patch Tuesday


In this month’s patch updates from Microsoft there’s a total of 11 bulletins – four Critical and seven Important – covering 26 separate vulnerabilities. “We’re going to look at each of the four Critical updates in turn”, says Robert Brown, Director of Services at Verismic.

The first of the Critical updates from Microsoft, MS15-032, covers 10 separate vulnerabilities in Internet Explorer – nine of which are the most severe and can allow remote code execution. However, there are two other Critical updates that you should be paying attention to – MS15-033 and MS15-034.

MS15-033 addresses five separate vulnerabilities in Microsoft Office, all of which could allow remote code execution. If that doesn’t encourage you to apply this patch, perhaps you should consider that one of the vulnerabilities within the update is currently being exploited in the wild. This is the only vulnerability in this month’s update that is known to be actively exploited.

The third Critical vulnerability has a CVSS of 10.0 from US-CERT, which is the highest rating possible. This patch should be your first priority above all others. Although the likelihood of this vulnerability being exploited is low it is a credible threat to your business and the potential damage it could cause is massive. The vulnerability can be exploited if an attacker sends a specially crafted HTTP request to an affected Windows system. Unlike the other Critical patches this month, MS15-034 requires no user interaction whatsoever, which makes it so dangerous.

The final Critical bulletin for April, like the first two this month, has a CVSS of 9.3. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.

The remaining Important bulletins address vulnerabilities that could allow elevation of privilege, bypassing security features, information disclosures, and denial of service vulnerabilities.

Once you’ve prioritised your patches, I would always advise that you stage your roll out by testing and piloting the updates before deploying widely. This will help identify any compatibility issues. This should be done as standard each month, which is something we’ll always do for customers and MSPs through Syxsense.

| Update no. | CVSS score | Microsoft rating | Affected software | Details |
|---|---|---|---|---|
| MS15-034 | 10.0 | Critical | Microsoft Windows | Vulnerability in HTTP.sys could allow remote code execution |
| MS15-032 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer |
| MS15-033 | 9.3 | Critical | Microsoft Office | Vulnerabilities in Microsoft Office could allow remote code execution |
| MS15-035 | 9.3 | Critical | Microsoft Windows | Vulnerability in Microsoft Graphics Component could allow remote code execution |
| MS15-038 | 7.2 | Important | Microsoft Windows | Vulnerabilities in Microsoft Windows could allow elevation of privilege |
| MS15-037 | 6.9 | Important | Microsoft Windows | Vulnerability in Windows Task Scheduler could allow elevation of privilege |
| MS15-036 | 4.3 | Important | Microsoft Server Software, Productivity Software | Vulnerability in Microsoft SharePoint Server could allow elevation of privilege |
| MS15-039 | 4.3 | Important | Microsoft Windows | Vulnerability in XML Core Services could allow security feature bypass |
| MS15-042 | 2.7 | Important | Microsoft Windows | Vulnerability in Hyper-V could allow denial of service |
| MS15-041 | 2.6 | Important | Microsoft Windows, Microsoft .NET Framework | Vulnerability in .NET Framework could allow information disclosure |
| MS15-040 | 1.9 | Important | Microsoft Windows | Vulnerability in Active Directory Federation Services could allow information disclosure |

Microsoft Patch Tuesday insight: FREAK, Stuxnet and more


Each month I’ll be offering insight into Microsoft’s Patch Tuesday updates, giving advice on which are the most serious vulnerabilities and how to prioritize them. Microsoft rates its own vulnerabilities internally, so whilst the ratings can give a good idea of severity, the scoring system isn’t infallible.

We generally compare two sources of information to try and understand the full impact of the patch update – Microsoft’s own rating as well as ratings from US-CERT [United States-Computer Emergency Readiness Team], which uses the Common Vulnerability Scoring System (CVSS).

By taking US-CERT’s independent ratings alongside Microsoft’s, you get a much clearer picture of which vulnerabilities are going to pose the biggest risk to your customers.

This month’s Microsoft Patch Tuesday is a relatively hefty one, with a total of 14 separate updates, five rated Critical and the rest Important, according to Microsoft. One update that surprises me is MS15-031, which resolves a major, well-known issue with Windows called FREAK. This vulnerability was serious enough that it was almost released as an out-of-band patch just last week, yet it has only been rated Important and not raised to Critical. Very odd!

The eagle-eyed will also notice that this month’s update includes MS15-020, which fixes the vulnerability used by Stuxnet, a worm believed to have been developed by the US and Israel and used specifically to attack nuclear reprocessing plants in Iran. With a CVSS of 9.3 this should definitely be a priority for all businesses, whether or not you happen to work at an Iranian nuclear plant.

Outlined below are the patches that you should actually consider rolling out first.

Critical patches
MS15-018 – CVSS: 9.3
This security update fixes a total of 13 separate vulnerabilities in Internet Explorer. The most serious flaw could allow remote code execution if a user were to view a specially crafted webpage. An attacker would be able to gain the same access rights as the current user, so if you’re logged in as an administrator, that attacker can essentially have full control of the system.

The update addresses the vulnerabilities by modifying the way Internet Explorer handles objects in memory, helping to ensure that policies are properly enforced, and adding additional permission validations.

MS15-019 – CVSS: 9.3
This security update resolves a vulnerability in VBScript (a scripting language designed for interpretation by web browsers). Again, if a user visits a specially crafted webpage it could allow remote code execution. The update is rated Critical for the VBScript scripting engine in Microsoft Windows, but only Moderate for affected versions of VBScript on Windows Servers.

MS15-020 – CVSS: 9.3
This patch addresses the Stuxnet vulnerability, and while there were previous patches, they didn’t completely fix all of the vulnerable code paths. Even if you aren’t working at an Iranian nuclear reprocessing plant, it’s still worth patching, as the flaw can allow remote code execution if a user browses a specially crafted web page, opens a specially crafted file, or browses a working directory that contains a specially crafted DLL file. Let’s stop Stuxnet once and for all!

MS15-021 – CVSS: 9.3
This update resolves eight privately reported vulnerabilities within Adobe Font Driver. The most serious of the eight could allow an attacker to take complete control of an affected system if a user views a specially crafted file or website.

MS15-022 – CVSS: 9.3
The final Critical update from Microsoft addresses vulnerabilities in Microsoft Office 2007, 2010 and 2013. This update patches five privately reported vulnerabilities, three of which could allow remote code execution.

Important updates
A further nine updates came from Microsoft this month that were all rated as Important. There is some discrepancy over the severity of the Important updates this month compared to US-CERT’s rating, so I’d recommend patching MS15-025 and MS15-030 once you’ve dealt with the Critical updates, and then take the rest from there.

Three of the Important updates [MS15-023, MS15-025, MS15-026] could allow an elevation of privilege. That is to say, an attacker that successfully gains access to your system can elevate their privilege to an administrator. From there, they could install programs; view, change or delete data; or create new accounts with full user rights.

Two updates (MS15-028, MS15-031) could allow security feature bypass, so an attacker with limited privileges could use the vulnerabilities to execute files that they do not have permission to run. MS15-031 resolves the FREAK vulnerability, an industry-wide issue that’s not specific just to the Windows operating system.

The final three updates resolve issues in Microsoft Windows and NETLOGON that prevent spoofing, information disclosure, and a denial of service attack.

Next steps
There’s rarely a Patch Tuesday that goes by where there isn’t an issue with one of the patches that can cause problems such as the dreaded blue screen of death. I’d advise that before you roll out patches to your customers, look at the binary code for each update and move to testing and piloting the updates before deployment. This is what we do for both our customers and MSPs and then work through the roll out of the patches through Verismic Syxsense.

| Update no. | CVSS score | Microsoft rating | Affected software | Details |
|---|---|---|---|---|
| MS15-018 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer |
| MS15-019 | 9.3 | Critical | Microsoft Windows | Vulnerability in VBScript scripting engine could allow remote code execution |
| MS15-020 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Microsoft Windows could allow remote code execution |
| MS15-021 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Adobe Font Driver could allow remote code execution |
| MS15-022 | 9.3 | Critical | Microsoft Office, Microsoft Server Software | Vulnerabilities in Microsoft Office could allow remote code execution |
| MS15-030 | 7.8 | Important | Microsoft Windows | Vulnerability in Remote Desktop Protocol could allow denial of service |
| MS15-025 | 7.2 | Important | Microsoft Windows | Vulnerabilities in Windows Kernel could allow elevation of privilege |
| MS15-023 | 5.6 | Important | Microsoft Windows | Vulnerabilities in Kernel-Mode Driver could allow elevation of privilege |
| MS15-024 | 4.3 | Important | Microsoft Windows | Vulnerability in PNG Processing could allow information disclosure |
| MS15-026 | 4.3 | Important | Microsoft Exchange | Vulnerabilities in Microsoft Exchange Server could allow elevation of privilege |
| MS15-027 | 4.3 | Important | Microsoft Windows | Vulnerability in NETLOGON could allow spoofing |
| MS15-029 | 4.3 | Important | Microsoft Windows | Vulnerability in Windows Photo Decoder Component could allow information disclosure |
| MS15-028 | 2.1 | Important | Microsoft Windows | Vulnerability in Windows Task Scheduler could allow security feature bypass |
| MS15-031 | 5.0 | Important | Microsoft Windows | Vulnerability in Schannel could allow security feature bypass |

Our monthly blog post appears here.


Patch Tuesday: February 2015


This month’s Patch Tuesday is a bit of an interesting one…

MS15-011 affects all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. Essentially, any domain-joined Windows clients and servers may be at risk.

The flaw, dubbed JASBUG, was discovered by JAS Global Advisors back in January 2014. The company, however, adhered to good disclosure practices, and the vulnerability wasn’t made public until Microsoft had prepared a fix. The fact that it has taken Microsoft over a year to develop a fix should indicate just how wide-ranging and complex the vulnerability is.

According to JAS Global Advisors: “The fix required Microsoft to re-engineer core components of the operating system and to add several new features.”

Outlined below are the critical updates you need to be focusing on. As usual, we have cross-checked Microsoft’s own rating with US-CERT’s independent assessment of the patches so you are in the best position to choose the most important updates for your business.

MS15-011

This security update, which I mentioned above, addresses a remote code execution vulnerability in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploits this vulnerability could take complete control of an affected system, letting them install programs; change, view, or delete data; or even create new accounts with full user rights.

MS15-010

The most severe of the six privately reported vulnerabilities could, again, allow remote code execution if an attacker is able to convince a user to open a specially crafted document, or to visit an untrusted website that contains embedded TrueType fonts.

MS15-009

This security update resolves one publicly disclosed and 40 privately reported vulnerabilities in Internet Explorer, with the most severe of these allowing remote code execution. If a user views a specially crafted web page it could allow an attacker to gain the same user rights as the current user.

Microsoft rates the remaining six patches in February’s update as Important. A full breakdown of these ratings compared to the US-CERT ratings can be found in the table below. I’d always advise using US-CERT’s rating in conjunction with Microsoft’s, which gives you a much clearer picture of which patches you should be prioritising.

| Update no. | CVSS score | Microsoft rating | Affected software | Details |
|---|---|---|---|---|
| MS15-012 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328) |
| MS15-011 | 8.3 | Critical | Microsoft Windows | Vulnerability in Group Policy Could Allow Remote Code Execution (3000483) |
| MS15-010 | 7.2 | Critical | Microsoft Windows | Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) |
| MS15-009 | 6.8 | Critical | Microsoft Windows, Internet Explorer | Security update for Internet Explorer (3034682) |
| MS15-017 | 6.8 | Important | Microsoft Server Software | Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898) |
| MS15-015 | 6.0 | Important | Microsoft Windows | Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432) |
| MS15-013 | 4.3 | Important | Microsoft Office | Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857) |
| MS15-016 | 4.3 | Important | Microsoft Windows | Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944) |
| MS15-014 | 3.3 | Important | Microsoft Windows | Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361) |

Patch Tuesday; January 2015


As we enter another year and another Patch Tuesday, we see that Microsoft has made patch notifications that little bit harder for the average customer by stopping the Advance Notification Service (ANS). Alongside the regular Patch Tuesday updates, Microsoft published an advance notification on the first Friday of each month to give security teams a good idea of what to expect on Patch Tuesday.

They haven’t scrapped it altogether, though: ANS is still offered to paying users. The reason, according to Microsoft, is that customers no longer use ANS, with many simply waiting until Patch Tuesday. However, it could be argued that for smaller businesses that can’t afford a service like this, the change could have an impact on how they deploy patches.

Fear not however, all of Verismic’s customers will still have all patches fully tested and rolled out as per agreed schedules via Verismic Syxsense.

A light patch update

We’ve all enjoyed our Christmas break and so, it would seem, have security researchers. This month’s Patch Tuesday is fairly light with only eight patch updates, with only one rated Critical. I’m in a good position to say that there appears to be nothing special or particularly significant about January’s updates – it’s especially rare to be in a position to say that as there are usually at least one or two updates that deserve special attention due to the seriousness or uniqueness of the vulnerability.

As ever, we have broken down the patch updates for you to give you a better understanding of what systems could be affected and have included the independently assessed Common Vulnerability Scoring System (CVSS) score from US-CERT.

Critical updates

MS15-002

The only Critical patch update this month, MS15-002, has a CVSS score of 9.3 [out of a possible 10]; this is a relatively serious patch and definitely the one that needs to be your top priority. It’s a buffer overflow vulnerability that could allow remote code execution, caused by the Microsoft Telnet service improperly validating a memory location. Attackers can exploit this vulnerability by sending specially crafted Telnet packets to a Windows server, which could then enable them to run arbitrary code on the target server.

Important updates

Amazingly, the other seven updates are all rated Important by Microsoft’s standard, but if we take a look at the table below, US-CERT thinks that only three are actually quite serious (MS15-001, MS15-003, MS15-004), whereas the other four updates are rated 5.0 and below. Whilst these are vulnerabilities that need to be patched, US-CERT has judged that the chances of the vulnerability being exploited are probably quite low and, having assessed the potential impact (again likely to be low), has given the vulnerabilities a low risk score.

It’s such a light Patch Tuesday this month that working out which patches to prioritise is fairly straightforward. Get the Critical update done first, and then work through the list. If, like Verismic, you want to take into account the CVSS scores, then the table below is listed in order of most serious to least – use this to prioritise your patch roll outs as we will for our customers.

| Update no. | CVSS score | Microsoft rating | Affected software | Details |
|---|---|---|---|---|
| MS15-002 | 9.3 | Critical | Microsoft Windows | Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393) |
| MS15-004 | 7.6 | Important | Microsoft Windows | Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421) |
| MS15-001 | 7.2 | Important | Microsoft Windows | Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) |
| MS15-003 | 7.2 | Important | Microsoft Windows | Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674) |
| MS15-007 | 5.0 | Important | Microsoft Windows | Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029) |
| MS15-005 | 2.9 | Important | Microsoft Windows | Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777) |
| MS15-008 | 2.1 | Important | Microsoft Windows | Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) |
| MS15-006 | 1.7 | Important | Microsoft Windows | Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365) |

Prioritising patches properly – don’t always listen to Microsoft


It seems that it was only yesterday that patch/update Tuesday came and went, yet the next one is looming already.

As an IT guy I actually look forward to seeing the types of vulnerabilities that have been discovered in Microsoft’s products. Some are obviously more interesting than others, such as the vulnerability in Schannel, but what they all have in common is that they actually do pose a threat to your business.

We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.

Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.

Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!

Keep in mind that Microsoft self-certifies vulnerabilities, and has a fairly easy-to-follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.

If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches, five of them rated Critical, fixing almost 40 vulnerabilities, as well as an out-of-band patch a week later. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?

When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.

If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.

At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.

To create this baseline we use three different measurements: vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we get a much better understanding of the risk a vulnerability really poses.

My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.
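As an added example (not Verismic or Syxsense code), the following Python script applies the three-measurement baseline described above to the February 2015 bulletins listed on this page, and also flags the Microsoft-rating-versus-CVSS disparities that the Patch Tuesday posts compare. The vendor-rating weights, the 500-host estate size and the per-bulletin exposed-system counts are assumptions made for the example.

```python
"""Rank Patch Tuesday bulletins by a composite risk baseline.

Added example, not Verismic/Syxsense code. Vendor rating, US-CERT CVSS
score and exposed-system count are combined as the post describes;
bulletin data is from the February 2015 table on this page.
"""
from dataclasses import dataclass

# Ordinal weight for Microsoft's self-certified rating levels.
# These weights are an assumption for the example, not Microsoft's.
VENDOR_WEIGHT = {"Critical": 1.0, "Important": 0.75, "Moderate": 0.5, "Low": 0.25}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    vendor_rating: str       # Microsoft's rating: Critical/Important/Moderate/Low
    cvss: float              # US-CERT CVSS base score, 0.0 to 10.0
    exposed_systems: int     # unpatched hosts in the estate running affected software
    exploited: bool = False  # True when the bulletin reports exploitation in the wild


def cvss_band(score):
    """NVD CVSS v2 severity bands: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def rating_disparities(bulletins):
    """(bulletin_id, note) for bulletins where Microsoft's rating and the CVSS
    score point different ways: non-Critical with CVSS >= 9.0, or Critical
    with a CVSS below the High band (the MS15-012 / MS15-009 cases above)."""
    findings = []
    for b in bulletins:
        if b.vendor_rating != "Critical" and b.cvss >= 9.0:
            findings.append((b.bulletin_id, f"rated {b.vendor_rating} but CVSS {b.cvss}"))
        elif b.vendor_rating == "Critical" and cvss_band(b.cvss) != "High":
            findings.append((b.bulletin_id, f"rated Critical but CVSS {b.cvss}"))
    return findings


def risk_score(b, total_systems):
    """Composite baseline: CVSS scaled by vendor rating and by the share of the
    estate actually exposed, so a bulletin hitting four hosts scores far below
    one of similar CVSS that affects every domain-joined machine."""
    if total_systems <= 0:
        raise ValueError("total_systems must be positive")
    coverage = min(b.exposed_systems, total_systems) / total_systems
    return b.cvss * VENDOR_WEIGHT[b.vendor_rating] * coverage


def prioritise(bulletins, total_systems):
    """Deployment order: anything exploited in the wild first, then by
    descending composite risk. Returns [(bulletin_id, risk), ...]."""
    ranked = sorted(bulletins, reverse=True,
                    key=lambda b: (b.exploited, risk_score(b, total_systems)))
    return [(b.bulletin_id, round(risk_score(b, total_systems), 3)) for b in ranked]


def rank_by_cvss(bulletins):
    """CVSS-only order, to compare against the composite baseline."""
    return [b.bulletin_id for b in sorted(bulletins, key=lambda b: b.cvss, reverse=True)]


# February 2015 bulletins from the table on this page. Exposed-system counts
# are constructed for a hypothetical 500-host estate: Office on 320 hosts,
# Virtual Machine Manager on 4, everything else on every domain-joined host.
TOTAL_SYSTEMS = 500
FEB_2015 = [
    Bulletin("MS15-012", "Important", 9.3, 320),  # Office remote code execution
    Bulletin("MS15-011", "Critical", 8.3, 500),   # Group Policy (JASBUG)
    Bulletin("MS15-010", "Critical", 7.2, 500),   # Kernel-mode driver
    Bulletin("MS15-009", "Critical", 6.8, 480),   # Internet Explorer
    Bulletin("MS15-017", "Important", 6.8, 4),    # Virtual Machine Manager
    Bulletin("MS15-015", "Important", 6.0, 500),
    Bulletin("MS15-013", "Important", 4.3, 320),  # Office security feature bypass
    Bulletin("MS15-016", "Important", 4.3, 500),
    Bulletin("MS15-014", "Important", 3.3, 500),  # Group Policy security feature bypass
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(FEB_2015))
    print("Composite order:", prioritise(FEB_2015, TOTAL_SYSTEMS))
    for bulletin_id, note in rating_disparities(FEB_2015):
        print("disparity:", bulletin_id, note)
```

Note that a CVSS-only ordering puts MS15-012 first, while the coverage-weighted baseline moves the domain-wide MS15-011 and MS15-010 ahead of it and drops the four-host MS15-017 to the bottom.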

Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.

Robert Brown is Director of Services at Verismic

Originally published on IT Security Guru

Patch Tuesday: Largest of 2014


With 14 bulletins covering almost 40 individual Common Vulnerabilities and Exposures [CVEs], November’s Patch Tuesday is fairly significant in size, with one particular update considered fairly urgent: MS14-066, which fixes a vulnerability in Schannel, the component of Windows that implements SSL/TLS. Those of you with eagle eyes will have spotted that two bulletins are missing from the update (MS14-069 and MS14-075) – no release date has been confirmed by Microsoft as yet.

Microsoft’s advice is to apply all of the updates, which shouldn’t be an issue for home users, but for businesses that are geographically spread out, where there may be a slow internet connection, you’ll need to be very considered in the choice of patches you deploy first.


The Common Vulnerability Scoring System (CVSS) score, included in the table below, is provided independently by US-CERT and looks at the impact that certain vulnerabilities can have. Microsoft’s ‘Critical’ vulnerabilities are rated as such because there is a known active exploit, but using the CVSS score can give you a much better understanding of how easily your systems can be exploited and the potential impact each could have. Looking at the table below we can see some disparities between Microsoft’s rating and the independently scored CVSS.

Critical updates

MS14-064

The first update of November’s Patch Tuesday resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). With a CVSS of 9.3, this is one of five updates that you need to patch sooner rather than later. The more severe of the two vulnerabilities could allow remote code execution, enabling an attacker to run arbitrary code in the context of the current user. If that user has admin rights then the attacker could install programs; view, change, or delete data; or create new user accounts.

MS14-065

I’d argue that this is by far the most important update for you to pay attention to, as it affects the entire Microsoft estate from the operating system to Internet Explorer. The update resolves seventeen privately reported vulnerabilities in Internet Explorer. An attacker who exploits these vulnerabilities could gain the same user rights as the current user. The most severe of these vulnerabilities would allow remote code execution if a user views a specially crafted web page using Internet Explorer. Once again, this update has a CVSS of 9.3.

MS14-066

This update has been the focus of most blogs and articles this month, with most suggesting that it is in fact the single most important update to implement – rather than MS14-065. It’s a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. However, Schannel is not so easy to crack, and the extent of the damage that could be caused is not as severe as for the other Critical updates. With a CVSS score of 6.8, I’d argue that there are other updates you should be prioritising over this one.

MS14-067

This security update (CVSS of 9.3) resolves a vulnerability in Windows that could allow remote code execution if a logged-on user visits a specially crafted website designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. However, to exploit this vulnerability an attacker would first need to convince a user to visit such a website, typically through social engineering.

Other notable updates

There are, in fact, two other updates you should be paying close attention to: MS14-069 and MS14-072. Microsoft has rated both of these updates as ‘Important’, but each has been given an independent CVSS score of 9.3, so US-CERT is saying that these two updates are just as severe as those noted above.

  • MS14-069 is a security update resolving three vulnerabilities in Microsoft Office that could allow remote code execution, giving an attacker the same user rights as the current user. It is exploited through a specially crafted file opened in an affected edition of Microsoft Office 2007.
  • MS14-072 resolves a vulnerability in the .NET Framework that could allow elevation of privilege. According to Microsoft, it is exploited by an attacker sending specially crafted data to an affected workstation that uses .NET Remoting. However, only custom applications specifically designed to use .NET Remoting would expose a system to this vulnerability.

Next steps

Below is the full breakdown of this month’s patch updates. We recommend patching MS14-064, MS14-065, MS14-067, MS14-069, and MS14-072 in the first instance, before working through the rest of the updates. For our customers, we will be analysing the binary code for each update and will be rolling out the patches to all of our customers through the agreed deployment process using Verismic Syxsense.
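As a quick way to check where a host stands against the prioritised list, here is an added example (not from the original post, and not Syxsense tooling) that reports which of those bulletins are not visible on the local machine, highest CVSS first. It relies on Get-HotFix, which reads Win32_QuickFixEngineering, so two caveats apply: it only sees updates applied through the Windows servicing stack, so the Office bulletin MS14-069 (an MSI patch) is deliberately left out; and the KB quoted in a bulletin title is the bulletin’s article number, which is not always the KB of the installed package. The KB lists in the script are placeholders seeded with the bulletin article numbers from the table (an assumption) and should be replaced with the package KBs from each bulletin’s “Affected Software” table before the result is trusted.

```powershell
# Added example, not from the original post and not Syxsense tooling: report which
# of the prioritised November 2014 bulletins are not visible on the local host.
#
# Caveats (Get-HotFix reads Win32_QuickFixEngineering):
#  * Only updates applied through the Windows servicing stack are listed. Office
#    patches (MS14-069) are MSI updates and never appear here, so they are omitted.
#  * A bulletin's article KB is not always the installed package KB; some bulletins
#    ship as several per-component packages with their own KBs. The KB lists below
#    are placeholders seeded with the bulletin article number (an assumption).
$Bulletins = @(
    [pscustomobject]@{ Id = 'MS14-064'; Cvss = 9.3; Severity = 'Critical';  KBs = @('KB3011443') }
    [pscustomobject]@{ Id = 'MS14-065'; Cvss = 9.3; Severity = 'Critical';  KBs = @('KB3003057') }
    [pscustomobject]@{ Id = 'MS14-067'; Cvss = 9.3; Severity = 'Critical';  KBs = @('KB2993958') }
    [pscustomobject]@{ Id = 'MS14-072'; Cvss = 9.3; Severity = 'Important'; KBs = @('KB3005210') }
    [pscustomobject]@{ Id = 'MS14-066'; Cvss = 6.8; Severity = 'Critical';  KBs = @('KB2992611') }
)

function Get-BulletinStatus {
    param(
        [Parameter(Mandatory)][object[]]$Bulletins,
        # Pass -Installed explicitly to evaluate a hotfix inventory exported from another host.
        [string[]]$Installed = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    foreach ($b in ($Bulletins | Sort-Object Cvss -Descending)) {
        $found   = @($b.KBs | Where-Object { $Installed -contains $_ })
        $missing = @($b.KBs | Where-Object { $Installed -notcontains $_ })

        # 'Partial' means some component packages are present and others are not.
        $status = 'Partial'
        if ($missing.Count -eq 0) { $status = 'Installed' } elseif ($found.Count -eq 0) { $status = 'Missing' }

        [pscustomobject]@{
            Bulletin  = $b.Id
            Cvss      = $b.Cvss
            Severity  = $b.Severity
            Status    = $status
            MissingKB = ($missing -join ', ')
        }
    }
}

# Show only what still needs attention, ordered by CVSS rather than by Microsoft's rating.
Get-BulletinStatus -Bulletins $Bulletins |
    Where-Object Status -ne 'Installed' |
    Format-Table -AutoSize
```

Sorting by the CVSS column rather than by Microsoft’s rating is what puts the ‘Important’ MS14-072 above the ‘Critical’ MS14-066 in the output, which is the point the table below makes.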

| Update no. | CVSS score | Microsoft rating | Affected software | Details (KB article number) |
|------------|------------|------------------|-------------------|-----------------------------|
| MS14-064 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Windows OLE could allow remote code execution (3011443) |
| MS14-065 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer (3003057) |
| MS14-067 | 9.3 | Critical | Microsoft Windows | Vulnerability in XML Core Services could allow remote code execution (2993958) |
| MS14-069 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Office could allow remote code execution (3009710) |
| MS14-072 | 9.3 | Important | Microsoft Windows, Microsoft .NET Framework | Vulnerability in .NET Framework could allow elevation of privilege (3005210) |
| MS14-073 | 8.5 | Important | Microsoft Server Software | Vulnerability in Microsoft SharePoint Foundation could allow elevation of privilege (3000431) |
| MS14-078 | 8.5 | Moderate | Microsoft Windows, Microsoft Office | Vulnerability in IME (Japanese) could allow elevation of privilege (2992719) |
| MS14-070 | 7.2 | Important | Microsoft Windows | Vulnerability in TCP/IP could allow elevation of privilege (2989935) |
| MS14-079 | 7.1 | Moderate | Microsoft Windows | Vulnerability in kernel-mode driver could allow denial of service (3002885) |
| MS14-066 | 6.8 | Critical | Microsoft Windows | Vulnerability in Schannel could allow remote code execution (2992611) |
| MS14-071 | 4.3 | Important | Microsoft Windows | Vulnerability in Windows Audio Service could allow elevation of privilege (3005607) |
| MS14-074 | 4.3 | Important | Microsoft Windows | Vulnerability in Remote Desktop Protocol could allow security feature bypass (3003743) |
| MS14-077 | 4.3 | Important | Microsoft Windows | Vulnerability in Active Directory Federation Services could allow information disclosure (3003381) |
| MS14-076 | 2.6 | Important | Microsoft Windows | Vulnerability in Internet Information Services (IIS) could allow security feature bypass (2982998) |