Java Out of Band! This vulnerability fits the profile…

Oracle has announced an out-of-band Java update to resolve a publicly disclosed vulnerability that can be exploited over the network without authentication. The vulnerability fits the profile of one that is more likely to be exploited within 30 days.

The Oracle Security Advisory for CVE-2016-0636 provides the CVSS details for the vulnerability. It has a CVSS base score of 9.3: the access vector is network, access complexity is medium and authentication is none, and the confidentiality, integrity and availability impacts are all complete. If you have looked at Verizon’s 2015 Data Breach Investigations Report, that combination is the pattern indicating a high risk of the vulnerability being exploited in a short time frame.

In the report, there is a section dedicated to indicators of risk, specifically how they help profile CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit framework is the most obvious indicator, since a threat actor can simply reuse the module to exploit it. Beyond that, based on the CVE information and an analysis of over 67,000 CVEs, the Verizon team uncovered a pattern among vulnerabilities that have been exploited, including those exploited in less than 30 days.

The majority of vulnerabilities that have been exploited have an access vector of network, authentication of none, and access complexity of medium or low. If confidentiality, integrity and availability are all complete and the CVSS score is 9 or 10, the vulnerability falls into the more critical time frame where it is likely to be exploited very quickly. (See the figure from the Verizon Breach Report.)

[Figure: Verizon 2015 DBIR, CVE exploitation indicators]

As a precaution, put some urgency on getting this update deployed as quickly as possible. Aside from matching the pattern described above, this vulnerability has been publicly disclosed, so attackers do not need to find it themselves. The Shavlik Content Team is already working on releasing content for this update.

Apple Mac OS X Updates for March 2016

With Macs continuing to expand in the enterprise, and our increased focus on Mac patching, we are overdue to provide analysis of OS X updates as we do for Microsoft and third-party vendors on Patch Tuesday. Apple released a number of updates on March 21 that affect Mac OS X, including El Capitan 10.11.4, Security Update 2016-002 for Mavericks 10.9.5 and Yosemite 10.10.5, Safari 9.1, Xcode 7.3, and OS X Server 5.1. In total,

Before diving into the analysis, it is clear that Apple is much less transparent about security than Microsoft and other vendors. While Apple lists Common Vulnerabilities and Exposures (CVE) IDs for its vulnerabilities, it reveals little about the proprietary components involved, which makes risk assessment difficult. Still, the impact descriptions for each fix give a sense of the risk.

OS X 10.11.4 and Security Update 2016-002

The last OS X security update was in mid-January, and the latest brings fixes for 59 vulnerabilities. Interestingly, 36 of them were fixed only in El Capitan. Looking through the fixes that apply to Mavericks and Yosemite, they include vulnerabilities that allow malicious PNG and XML files to run arbitrary code; such vulnerabilities are prime candidates for phishing attacks. Among the El Capitan-only fixes was one in the FontParser for a vulnerability that could allow a malicious PDF to run arbitrary code, which again is a prime candidate for phishing and other social engineering techniques. It is not clear whether this vulnerability, and the others fixed only on El Capitan 10.11, also exist in older versions of OS X, but the clear gap in fix applicability suggests that organizations should always update to the latest version of Mac OS X, not just the latest security update. Many other types of vulnerabilities were fixed across numerous OS X components with lower risk exposure, but the bottom line is that Macs should be updated to close all of them.

Safari 9.1

Safari 9.1 is available for Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11 to 10.11.3 (it is included in 10.11.4). There were 12 vulnerabilities fixed, including three where arbitrary code could be executed through malicious XML or web content. These alone are reason to upgrade. Other vulnerabilities compromise privacy, create denial of service, enable UI spoofing, or provide access to restricted ports. Safari 9.1 includes numerous new features that are the motivation for users to update, and the security fixes come along with them.

Xcode 7.3

For developers, Xcode version 7.3 fixes three vulnerabilities across two components: otool and subversion. The subversion vulnerabilities are the most significant, since connecting to a malicious server could allow arbitrary code execution. There are many new features in Xcode 7.3, such as support for iOS 9.3, watchOS 2.2 and tvOS 9.2, along with other improvements. Most developers will update for those features alone, but the security fixes are reason enough on their own.

OS X Server 5.1

For those not familiar, OS X Server is an application that can be downloaded from the App Store (for $19.99 in the US) to enable server capabilities like website hosting, wikis, backups, file sharing, and many other features.

Four vulnerabilities were fixed in OS X Server, addressing attacks against the RC4 cipher, remote access to sensitive information, and backups being stored on a volume without permissions enabled.

Summary

Apple is one of the best companies around for getting people to adopt new components by driving new features, interesting users and wrapping security in with the release. Most Apple users have grown accustomed to updating their devices when prompted. That said, it is still important to assess compliance and update systems in your organization to ensure there are no lingering risks.

How much could your world change in two weeks? From a Security perspective, everything could.


It has been just two weeks since RSA. What has changed in this time frame? Well, we had a Patch Tuesday, for one. Barely two days later Adobe released a Flash update including fixes for known critical vulnerabilities, one of which was observed in targeted attacks.

According to Verizon’s 2014 breach report, within two to four weeks, 50% of the vulnerabilities that will ever be exploited have already been exploited. Verizon’s 2015 DBIR goes a step further and talks about ways to profile a vulnerability in order to identify those likely to be exploited in that first 30 days. They said a CVE being added to Metasploit is pretty much the single biggest indicator that it has been or will be exploited in the wild. Another interesting pattern emerged when they looked across the 67k CVEs and found the 792 that were exploited. When you get down to the 24 that were exploited in the first month, a pattern emerges: the majority of the exploited CVEs were Access Vector: Network and Authentication: None, and the CVEs exploited in the first 30 days were predominantly CVSS 9 or 10 with Confidentiality, Integrity, and Availability all Complete.

So roughly 1 out of every 100 CVEs will be exploited, and 50% of those will be exploited within 30 days of publication. If you saw my 2015: Top 5 Vulnerable Vendors post in mid-December, you may recall the huge increase in the number of vulnerabilities identified last year. Based on those numbers, the top 5 vendors accounted for 2,624 vulnerabilities identified and addressed in 2015. So about 26 of those were exploited and, by the 24-of-792 ratio above, about one of them should have fallen in the 30-day window. Adobe Flash alone accounted for more than five zero days last year.
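The Java out-of-band post earlier on this page and the DBIR discussion just above describe the same screening pattern. The following Python is an added example, not code from either post: it parses CVSS v2 base vectors, scores them with the v2 formula, flags the ones matching the pattern (network, no authentication, medium or low complexity, C/I/A complete, score 9 or 10), ranks them for patching, and works the base-rate arithmetic with the figures quoted here. Only the metrics for CVE-2016-0636 come from the page (reconstructed into the vector `AV:N/AC:M/Au:N/C:C/I:C/A:C`); the `CVE-0000-000x` entries are constructed placeholders, not real vulnerabilities.

```python
"""Profile CVSS v2 base vectors against the Verizon 2015 DBIR pattern for CVEs
that tend to be exploited within 30 days, and work the base-rate arithmetic.

Added example, not from the original posts. The CVE-2016-0636 vector is
reconstructed from the metrics the post quotes; CVE-0000-000x are placeholders.
"""
import re

ACCESS_VECTOR = {"L": "local", "A": "adjacent", "N": "network"}
ACCESS_COMPLEXITY = {"H": "high", "M": "medium", "L": "low"}
AUTHENTICATION = {"M": "multiple", "S": "single", "N": "none"}
IMPACT = {"N": "none", "P": "partial", "C": "complete"}

_VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_cvss2(vector):
    """Split a CVSS v2 base vector such as 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into its metrics."""
    m = _VECTOR_RE.match(vector.strip())
    if m is None:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = m.groups()
    return {
        "access_vector": ACCESS_VECTOR[av],
        "access_complexity": ACCESS_COMPLEXITY[ac],
        "authentication": AUTHENTICATION[au],
        "confidentiality": IMPACT[c],
        "integrity": IMPACT[i],
        "availability": IMPACT[a],
    }


def cvss2_base_score(vector):
    """Base score from the CVSS v2 specification formula (weights as published by FIRST)."""
    av_w = {"L": 0.395, "A": 0.646, "N": 1.0}
    ac_w = {"H": 0.35, "M": 0.61, "L": 0.71}
    au_w = {"M": 0.45, "S": 0.56, "N": 0.704}
    imp_w = {"N": 0.0, "P": 0.275, "C": 0.660}
    parse_cvss2(vector)  # validates the vector or raises
    av, ac, au, c, i, a = _VECTOR_RE.match(vector.strip()).groups()
    impact = 10.41 * (1 - (1 - imp_w[c]) * (1 - imp_w[i]) * (1 - imp_w[a]))
    exploitability = 20 * av_w[av] * ac_w[ac] * au_w[au]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def fast_exploit_profile(vector):
    """Return (matches, reasons): network, no auth, AC medium/low, C/I/A complete, score >= 9."""
    m = parse_cvss2(vector)
    score = cvss2_base_score(vector)
    reasons = []
    if m["access_vector"] != "network":
        reasons.append("access vector is %s, not network" % m["access_vector"])
    if m["authentication"] != "none":
        reasons.append("authentication required (%s)" % m["authentication"])
    if m["access_complexity"] == "high":
        reasons.append("access complexity is high")
    if any(m[k] != "complete" for k in ("confidentiality", "integrity", "availability")):
        reasons.append("C/I/A impact not all complete")
    if score < 9.0:
        reasons.append("base score %.1f is below 9" % score)
    return (not reasons, reasons)


def triage(entries):
    """Rank patch work: a profile match plus a public disclosure or Metasploit module goes first."""
    rank = {"urgent": 0, "high": 1, "normal": 2}
    out = []
    for e in entries:
        matches, reasons = fast_exploit_profile(e["vector"])
        if matches and (e.get("public_disclosure") or e.get("metasploit_module")):
            priority = "urgent"
        elif matches:
            priority = "high"
        else:
            priority = "normal"
        out.append({"cve": e["cve"], "priority": priority, "reasons": reasons,
                    "score": cvss2_base_score(e["vector"])})
    return sorted(out, key=lambda r: (rank[r["priority"]], -r["score"]))


def expected_exploited(n_cves, exploited_rate, fast_fraction):
    """Expected (exploited, exploited within 30 days) counts for a yearly CVE total."""
    exploited = n_cves * exploited_rate
    return exploited, exploited * fast_fraction


# Constructed sample inventory: only CVE-2016-0636 is a real ID (from the post).
SAMPLE = [
    {"cve": "CVE-2016-0636", "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "public_disclosure": True},
    {"cve": "CVE-0000-0001", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"cve": "CVE-0000-0002", "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
    {"cve": "CVE-0000-0003", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["priority"], row["cve"], row["score"], "; ".join(row["reasons"]))
    # Post's 2015 figures: 2,624 CVEs for the top five vendors, about 1 in 100
    # exploited, and 24 of the 792 exploited CVEs hit within the first 30 days.
    print(expected_exploited(2624, 0.01, 24 / 792))
```

The profile is a screen, not a verdict: a 9.3 that is also publicly disclosed sorts ahead of a clean 10.0 with no known exploit, which is the ordering the Java post argues for.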

Since RSA, LANDESK has acquired AppSense! Among other things, AppSense provides application whitelisting and privilege management. The Australian Signals Directorate (ASD), SANS, and many other security bodies outline preventative strategies that should be at the heart of any security program. Application whitelisting (AppSense), patching applications (Shavlik), patching the operating system (Shavlik), and restricting administrator privileges based on user role (AppSense) can eliminate “at least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to”.

I read a few different perspectives on RSA this year after the show was over.  Having been there this year and experiencing it first hand, I found this blog post by Gartner’s Anton Chuvakin to be very close to the mark. It is a good read, but here are a couple of excerpts that I found interesting: 

“A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream.”

I saw a lot of this at the show as well.  Having an IT background and working on a product line that focuses on the Operations side of the house I can attest to the fact that there is still a gap between Operations and Security. Much of the focus and many of the “cool” solutions cater to the security 1%-ers.  Preventative measures are often overshadowed because they have been around for a long time and lack the glamour of the new security solutions, but they have a tried and true track record and can reduce risk to your environment significantly.

“Does this shit work and is it cost effective?!!”

This one actually cracked me up. Even more so because we are partnering with the team over at Bufferzone and I had a chance to listen to them position their offering.  Israel Levy delivered it in one simple statement, “You have heard of Bromium. Well this is Bromium, but it works.” I laughed when I first heard him and his team using this delivery, but after talking with them more I can absolutely understand and agree with it.  Bromium apparently has extremely high resource costs to run.  4GB RAM, i3 or better CPU, and Windows 7 or later.  Bufferzone will run lighter and across a broader set of hardware.

So, looking out two weeks, we will have a webinar with the Bufferzone team talking about how Shavlik and Bufferzone together give you a stronger layered security approach.  Check out our webinar: Don’t Let Hackers in Through the Front Door!

Shavlik Patch 2.2 available in early access!


The Shavlik Team is proud to announce the availability of Shavlik Patch 2.2 in an early access delivery.  Check out what’s new!

  • Edit packages (watch the video) – Change the command line switches, return codes expected, etc for a given package.
  • IAVA Support – For our Federal customers we have extended our IAVA coverage into our Shavlik Patch offering making it much easier to automatically cross-reference DOD IAVAs.
  • Republishing and re-signing of packages – The manual steps for doing this are long and painful, and going down that rabbit hole is not recommended. It is also no longer necessary: we do all the heavy lifting on this one.
  • Manage vendor and product categories (watch the video) – We have a new interface that lets you monitor and manage the categories in use so, again, you do not have to go down a significantly long, manual process to reclaim a category that is no longer in use.

We have a webinar scheduled for April 6th, 2016 to walk through the Shavlik Patch 2.2 features and show you what’s new! You can also download Shavlik Patch 2.2 here.

March Patch Tuesday Round-Up

Things were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here, and with it Microsoft has released MS16-036, the security update for the Flash Player plug-in in Internet Explorer and Edge. Also, expect ANOTHER Google Chrome update to carry the latest Flash plug-in version there as well.

Ok, so APSB16-008: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but let’s focus in on CVE-2016-1010. Adobe reports this vulnerability as being used in limited, targeted attacks. ZERO DAY!

Next lets talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagement.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.

 

March Patch Tuesday 2016


March Patch Tuesday has a great deal of updates, but no public disclosures or exploited vulnerabilities as of yet. Let’s start with what we know for sure: Microsoft has released 13 bulletins, five of which are critical and eight rated important. With these bulletins, Microsoft is resolving 39 vulnerabilities this month. On the non-Microsoft front, Adobe is releasing two bulletins, rated Priority 2 and 3, that resolve four vulnerabilities. Additionally, Mozilla Firefox 45 has been released and is rated critical, as it resolves 22 vulnerabilities.

First, taking a closer look at Microsoft, we have critical updates for Internet Explorer (MS16-023) and Edge (MS16-024), as expected. These updates resolve 13 and 11 vulnerabilities, respectively. Microsoft’s claim that Edge is more secure appears to be valid, although this month’s activity does not make that big of a difference. So far in 2016, IE has had 27 vulnerabilities, compared to Edge’s 19. As you would expect, the vulnerabilities resolved in both browsers involve exploiting a user through specially crafted web content. An attacker who convinces a user to open that content gains the same rights as the user. If that user is a full admin, the attacker gains complete control of the system, allowing them to create accounts, install or remove apps, and delete data, among other things.

Ten of the Microsoft updates affect Windows, including the other three critical updates. MS16-026 resolves vulnerabilities in graphic fonts, MS16-027 in Windows Media, and MS16-028 in the Windows PDF Library. In all three cases, the attacker exploits the vulnerability by convincing a user to open specially crafted files or media content, gaining the same privileges as the current user; so least-privilege rules reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 further mitigates one of the vulnerabilities because the font-parsing code runs inside a sandbox, which limits the privileges an attack can obtain.

Microsoft Office and Sharepoint are both affected by MS16-029, which is rated as important and resolves three vulnerabilities. For all of you ops guys out there, I know there is some uneasiness around patching Sharepoint because the updates cannot be rolled back easily if something goes wrong. If you are on a virtual machine, you can take a snapshot prior to the update. That way, if anything goes wrong, you can quickly revert back. If you are not yet virtualized, consider making the switch – doing so will make life a lot easier.

There are six more important updates affecting Windows components, including Kernel-Mode Drivers, USB Mass Storage Class Driver, Secondary Logon, and OLE. Last on the list is an update for .Net Framework. .Net is always interesting because you can have various versions on a machine. As a result, it can also take a bit longer to install updates for .Net. So, if your servers take a while to install updates, know that it’s due to multiple .Net versions requiring updates.

Now, switching to the non-Microsoft updates:

Mozilla has released Firefox 45, which resolves 22 vulnerabilities, eight of which are critical. The vulnerabilities range from buffer overflows to font-handling flaws, and the sheer number of fixes makes this update a priority for the month.

Adobe has released two bulletins so far. The first is APSB16-006, a Priority 3 update for Digital Editions that resolves a critical vulnerability. Although there is only one, it is critical and could lead to code execution; which makes me wonder about the priority. The second Adobe bulletin is for Adobe Acrobat and Reader. APSB16-009 resolves three vulnerabilities, including yet another critical that could lead to code execution. This bulletin is rated as a Priority 2.

While we haven’t seen it yet, there is evidence a Flash update could be on its way. If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it. This could signal the change in distribution that Adobe has warned us about for a few months now. Either way, if Flash Player drops, expect a bulletin from Microsoft for Flash for Internet Explorer, as well as an update from Google Chrome to support the latest plug-in and updates for Flash Player at the OS and FireFox plug-in levels.

Join us tomorrow for the March Patch Tuesday webinar where we will discuss the bulletins in more detail.

Year of breaches takes toll on IT professionals

The last 12 months was undoubtedly a year full of high-profile incidents for the security industry, from hacks to botched product updates. Shavlik, a pioneer in agentless patching technology, conducted its annual research report to identify the key security challenges that IT professionals are facing in their roles. This year, the results identified a strong shift in the risk this community associates with the security of assets and devices.

Security Concerns

It’s been revealed that over half (58%) of IT professionals are more concerned about system security than they were 12 months ago. And this makes sense after going through the list of repeated security breaches and data losses that 2015 brought with it. Organisations are now very aware of the sophistication and tenacity of modern hackers – either through their own experiences or in seeing the impact on others.

Windows Updates

The research also found that when it came to operating system patching security, 86% of the respondents agreed that Microsoft operating systems were seen to pose the strongest and most consistent challenge to their respective organisations and workforce.

It is interesting to note that, compared to the 2014 research study, this issue has seen a 33% spike in associated risk. Some have linked this spike with the poor quality of Windows 10 updates for business, driving a general feeling among IT professionals that they lack control.

As we know, Microsoft offers automatic patching updates for Office users, however many organisations may not want to have every user and every computer individually downloading the large updates that frequently come with new updates. This perceived lack of control is mainly concerning the potential for system downtime and data vulnerability – which is understandably an issue for IT professionals.

Device Management

Last year, the focus of the enterprise market was on BYOD/CYOD working structures and the promise of a truly flexible, remote workplace. The previous year’s study showed that 91% of respondents felt they were unable to cope with patching mobile devices once users took them out of the office. Last year nearly two-thirds (64%) of respondents also admitted they did not understand how vulnerable mobile users were to current risks. Fast forward to 2016 and you see a significant fall in concern in these areas, as IT professionals now have a better grasp of mobile device patching and security management.

This decreased concern for mobile devices indicates how much the industry has moved along as IT professionals have now stopped siloing mobile devices and systems within their organisation. Instead organisations are now moving toward strategies that cover all types of devices.

Truly good security management solutions enable mobile devices to be considered alongside laptops and other corporate systems, which is what we are seeing many companies readily embracing for 2016.

This coming year is most definitely the year of cybersecurity and increased IT support, considering the variety of existing threats to the whole organisation – irrespective of selected devices. The sophistication of recent hacks has highlighted that companies need to consider organisation wide security approaches to vulnerabilities to better protect their assets. All the while making the process of patching easier to manage.

Take a look at our Infographic for all the key findings from the survey.

Leap Day: A Good Time to Leap Into Better IT Security

It’s February 29. Leap Day. The only day of the year that happens only once every four years.

Leap Day and the entire leap year are opportunities to adjust our timekeeping methods and tools to realign them with those used by the rest of the Solar System.

Leap years have also seen some significant historical events—some good, some tragic.

1752: Benjamin Franklin is believed to have flown a kite in a storm to prove his theory that lightning is in fact electricity. (Thomas-François Dalibard of France did in fact perform the same experiment the same year, based on Franklin’s writings).

1848: gold is discovered in California.

1876: George Armstrong Custer and his troops fight the Battle of the Little Bighorn.

1912: RMS Titanic, the largest ship afloat at the time, strikes an iceberg and sinks.

Leap Day just might also be a great time to improve IT security at your organization. After all, it is an “extra” day, and what security team couldn’t take advantage of an extra day?

One suggestion: review your patch management processes. Look for ways to shorten the vulnerability gap—the time between when a vulnerability surfaces and when your organization deploys the patch delivered for it. Kenna Security research found in 2015 that 90 percent of vulnerabilities are exploited within 40 to 60 days, but enterprises can take 120 days or more to deploy patches. Whatever you can do to reduce this gap improves security at your organization, and is definitely worth doing.
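Measuring the gap is the first step to shortening it. The following Python is an added example, not code from the original post: it computes per-host exposure (days from the vulnerability surfacing to the patch landing on that host, or to today if the patch is still missing) and compares it to the 60-day exploitation window and 120-day enterprise lag the post quotes from Kenna Security. `INVENTORY` is constructed for illustration; the bulletin IDs are ones named elsewhere on this page, but the hosts and dates are made up.

```python
"""Measure the vulnerability gap per host and flag hosts that have outlived the
exploitation window. Added example, not from the original post; INVENTORY rows
are constructed: (host, patch, date the vulnerability surfaced, date the patch
was deployed on that host, or None if it is still missing).
"""
from datetime import date
from statistics import median

INVENTORY = [
    ("web-01", "MS16-023", date(2016, 3, 8), date(2016, 3, 15)),
    ("web-02", "MS16-023", date(2016, 3, 8), date(2016, 4, 30)),
    ("db-01", "MS16-023", date(2016, 3, 8), None),
    ("app-01", "MS16-026", date(2016, 3, 8), date(2016, 3, 9)),
    ("app-02", "MS16-026", date(2016, 3, 8), date(2016, 7, 18)),
]

EXPLOIT_WINDOW_DAYS = 60   # Kenna: 90 percent of exploited vulnerabilities hit within 40 to 60 days
ENTERPRISE_LAG_DAYS = 120  # Kenna: enterprises can take 120 days or more to deploy


def gap_days(published, deployed, today):
    """Exposure in days; a host without the patch is still exposed up to `today`."""
    if deployed is not None and deployed < published:
        raise ValueError("patch deployed before the vulnerability surfaced")
    end = deployed if deployed is not None else today
    return (end - published).days


def patch_gap_report(inventory, today):
    """Summarise exposure across hosts and list unpatched hosts past the exploit window."""
    rows = [
        {"host": h, "patch": p, "gap": gap_days(pub, dep, today), "patched": dep is not None}
        for h, p, pub, dep in inventory
    ]
    gaps = [r["gap"] for r in rows]
    worst_by_patch = {}
    for r in rows:
        worst_by_patch[r["patch"]] = max(worst_by_patch.get(r["patch"], 0), r["gap"])
    return {
        "hosts": len(rows),
        "median_gap_days": median(gaps),
        "share_within_window": sum(g <= EXPLOIT_WINDOW_DAYS for g in gaps) / len(gaps),
        "share_over_lag": sum(g > ENTERPRISE_LAG_DAYS for g in gaps) / len(gaps),
        "worst_gap_by_patch": worst_by_patch,
        "still_exposed": sorted(
            r["host"] for r in rows if not r["patched"] and r["gap"] > EXPLOIT_WINDOW_DAYS
        ),
    }


if __name__ == "__main__":
    report = patch_gap_report(INVENTORY, date(2016, 8, 1))
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

Hosts still missing a patch are counted as exposed up to the reporting date rather than dropped, because an unpatched host is exactly the case the metric exists to surface.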

For some additional suggestions, check out “New Year, No Fear: Lessons Learned from 2015 and Resolutions for 2016.” Then, make your own “great leap forward” toward better security at your organization.