Federal agencies, cybersecurity, and an order from the White House to step up their game


Dateline 2015:

Scary stuff, right? Unfortunately, this should all sound very familiar as there has been a steady stream of headlines around the rising concerns of securing U.S. federal agencies from cyber attack.

I recently had a conversation with Ben Tacheny, the U.S. Federal Territory Sales Representative here at Shavlik. Needless to say, Ben has been very busy as of late. He had a lot of really good insights and guidance that I wanted to share.

Q: Ben, what kinds of security problems are federal government agencies facing today?

A: IT security has never been a more prevalent, everyday conversation than right now, and the battle is being fought on multiple fronts – authentication, cyber security policies and practices, privileged user management, mobile device management and, at the top of that list, patch management.

Just look at the recent hacking of OPM and the U.S. Army website, as well as the recent White House call to “tighten cyber defenses immediately” by specifically “patching critical-level software holes without delay.”

And then you have Terry Halvorsen, U.S. Department of Defense CIO, who just spoke publicly at the AFCEA Defensive Cyber Operations Symposium in Baltimore on June 16, whose first major point in his presentation was stressing the need for all federal agencies to do a better job with patching. He said that the industry needs to help the DOD do just that – be more efficient and help ensure that the patches themselves have a high degree of trust.

Q: And Shavlik can assist with this?

A: It’s exactly what we do! As you know, many DOD branches now have an enterprise license of Microsoft SCCM for their patch management needs. But SCCM only patches Microsoft applications, not the hundreds of “third-party” applications like Adobe, Java, etc., which are the most actively targeted applications, according to vulnerability experts. These patches are currently being built manually within the DOD, and DOD admins are struggling to keep up with the number of patches released and the deadlines set to be patch compliant.

Shavlik Patch (a third-party patch data plug-in for SCCM) will help increase both federal end-users' patch management efficiency and accuracy, while at the same time drastically reducing the man-hours needed to complete a successful patch management process for over a thousand third-party applications/versions. We also guarantee that the patches we test will be the same patches our clients download direct from the vendor.

Shavlik Patch will enable federal end-users to further enhance their investment in SCCM and those admins to patch their entire networks within the SCCM framework with no additional infrastructure needed (no consoles, agents, training required) and also will work within the DOD IAVA framework (helping DOD admins search and patch by IAVA bulletin numbers).

Q: What if the federal agency or organization doesn’t have SCCM?

A: We have another purpose-built patch management tool for those clients as well. Shavlik Protect is our own on-premise console with agentless capabilities that allow you to scan and remediate all the physical and virtual machines in your environment, including online or offline VMs, VM templates, and hypervisors, all with full scheduling automation and reporting capabilities, as well as our built-in IAVA cross-reference reporter.

Q: I hear that, depending on what part of the federal government companies are with, certain processes and approvals are required to be able to even purchase a product. What are these roadblocks and how do we help companies out there?

A: Each federal organization is unique and although that can be somewhat discouraging for some vendors, that’s where Carahsoft, Shavlik’s exclusive Federal Distributor, has been able to help us so much. Whether our prospects are required to get multiple competitive open market quotes or purchase on GSA, SEWP, etc., we make it as easy as possible to allow our federal clients to purchase our Shavlik patch management offerings however they need to.

Q: Federal agencies need to ensure that the security products they use adhere to certain standards. What are we doing at Shavlik to ensure our customers can be confident in our solutions?

A: We have one of the best product management teams out there and they are constantly at work updating our current federal product certifications as our development team releases updated versions of our software. They also pursue new certifications as they’re adopted and required by our current and prospective clients. Currently, Shavlik is Common Criteria Certified and has additional certifications with all individual DOD organizations (current US Army CoN, US Navy DADMS approved, multiple individual AF ATOs in place).

Both Ben and the team at Carahsoft are ready to answer any questions you may have. The Carahsoft team has provided some excellent guidance on 8 easy ways to lock down your agency’s cybersecurity systems. You can also view the OPM.Gov Cybersecurity Action Report which shows what steps the OPM is taking to prevent future incidents.

For more details on how Shavlik can help you can take a look at our solutions on our federal government landing page.

June Patch Tuesday Round-Up

We are at Patch Tuesday + 8 days and many of you are probably well into your third round of patching machines or farther along. Here is a recap of Patch Tuesday highlights and some things to watch out for:

  • Two Critical updates – MS15-056 and MS15-057
  • Two public disclosures – MS15-056 (CVE-2015-1765) and MS15-060 (CVE-2015-1756).  Public disclosure increases the risk of exploit significantly so MS15-060 should be a higher priority along with the two critical updates from this month.
  • Exploit detected – MS15-061 has been seen used in a targeted attack.  Even though this is rated as important it should be a higher priority to roll-out.  This update plugs a vulnerability used by Duqu 2.0 as discussed by Kaspersky.
  • MS15-061 in combination with certain software can cause Copy\Paste to stop working – Reports on Reddit and PatchManagement.org indicate this occurs on systems where Spector 360 is installed.  Still recommended to roll-out as a priority.
  • Adobe Flash update resolves 13 vulnerabilities – Priority 1 update, should be pushed ASAP along with Chrome release.
  • Google Chrome – Released update with support for Adobe Flash update.  This update inherits the Priority 1 from Adobe Flash and should also be pushed ASAP.
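The round-up above applies an ordering that is easy to state but easy to get wrong under deadline: an update seen exploited in the wild outranks one that is only publicly disclosed, a disclosed update outranks an unexploited Critical, and a release that merely ships another vendor's fix (Chrome bundling the Flash update) inherits that fix's priority. The script below is an added example, not Shavlik's code or the round-up's own tooling; the weights, the `Release` fields and the sample bulletin list are constructed to mirror this month's items.

```python
"""Risk-based ranking of a month's patch releases (added example).

Encodes the prioritisation rules used in the round-up above.  The weights
are an assumption chosen so that each factor dominates the one below it:
exploited > publicly disclosed > Critical/Priority 1 > Important/Priority 2.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed weights: larger means "push sooner".
WEIGHT_EXPLOITED = 100      # seen used in a targeted attack
WEIGHT_DISCLOSED = 10       # details were public before the fix shipped
WEIGHT_SEVERITY = {"Critical": 5, "Important": 1, "Priority 1": 5, "Priority 2": 1}


@dataclass
class Release:
    id: str
    vendor: str
    severity: str
    disclosed: bool = False
    exploited: bool = False
    inherits_from: Optional[str] = None   # e.g. Chrome inherits Flash's priority
    notes: str = ""


def base_score(r: Release) -> int:
    """Score a single release from its own attributes."""
    score = WEIGHT_SEVERITY.get(r.severity, 0)
    if r.disclosed:
        score += WEIGHT_DISCLOSED
    if r.exploited:
        score += WEIGHT_EXPLOITED
    return score


def rank(releases: List[Release]) -> List[Tuple[str, int]]:
    """Return (id, score) pairs, highest priority first.

    A release that bundles another vendor's fix takes the higher of its own
    score and the bundled release's score.  The sort is stable, so items
    with equal scores keep the order in which they were listed.
    """
    by_id: Dict[str, Release] = {r.id: r for r in releases}
    scored: Dict[str, int] = {}
    for r in releases:
        score = base_score(r)
        if r.inherits_from and r.inherits_from in by_id:
            score = max(score, base_score(by_id[r.inherits_from]))
        scored[r.id] = score
    return sorted(scored.items(), key=lambda kv: -kv[1])


# Constructed sample mirroring the June 2015 items discussed above.
JUNE_2015 = [
    Release("MS15-056", "Microsoft", "Critical", disclosed=True),
    Release("MS15-057", "Microsoft", "Critical"),
    Release("MS15-060", "Microsoft", "Important", disclosed=True),
    Release("MS15-061", "Microsoft", "Important", exploited=True,
            notes="may break copy/paste where Spector 360 is installed; still roll out"),
    Release("Adobe Flash", "Adobe", "Priority 1"),
    Release("Google Chrome", "Google", "Priority 2", inherits_from="Adobe Flash"),
]

if __name__ == "__main__":
    for rid, score in rank(JUNE_2015):
        print(f"{score:4d}  {rid}")
```

Run as-is it prints MS15-061 first (exploited), then MS15-056 (disclosed and Critical), MS15-060 (disclosed), and only then the unexploited Critical MS15-057; Chrome lands level with Flash because it inherits the Priority 1 rather than keeping its own Priority 2.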

Check out our webinars page to sign up for upcoming webinars including our next three Patch Tuesday webinars.

Some interesting stats regarding vulnerabilities in 2014

2014 was a big year.  We saw a large number of data breaches and a variety of vulnerabilities come to light from Heartbleed to Poodlebleed to BlackPOS.  Looking back on many of the major occurrences you can sometimes miss trends and interesting facts.  Here is a look at some of the highlights of 2014 for all your favorite vendors.

Microsoft released 85 security updates this year, 29 of which were Critical Updates.  Here is the breakdown by Severity:

[Chart: Microsoft 2014 security updates by severity]

Taking into account non-security updates and looking only at Critical updates, here is a breakdown by Windows Operating System.  Keep in mind XP was only under support for a short time this year (there are a lot of unpatched vulnerabilities and unreleased bug fixes for XP from this year alone).  Probably not surprising, but Windows 8.1 had a lot of Critical fixes this year.  This is likely due to the young age of the Operating System and the need to flush out many user experience issues and fix critical bugs found as usage increased.  Of the 290 critical updates, only 15 were Security Bulletins.

[Chart: Critical patch count by Windows operating system, 2014]


Let’s talk browsers. This is always a fun topic. Which is your favorite browser? Everyone loves to hate on IE, and then you have the Chrome and FireFox fanboys. Not sure how many Safari fanboys I have met. Most of those I would characterize as Mac fanboys who didn’t care to find an alternate browser to use, so they continued to use the default that came with the OS (not unlike most IE users).

If you look at the trend, it typically is Chrome, FireFox, IE, Safari as far as CVEs resolved in a year. This year Microsoft had a trend starting back in June with a peak of 60+ CVEs resolved in a single update and remaining in the double digits for the remainder of the year. Safari, on the other hand, is a lot higher than their average, but in their case keep two things in mind. Most of the hacker shows like Pwn2Own and many of the Zero Day teams target combinations of products like Java or Flash and the top three browsers in their exploits. Apple also has a security by obscurity mentality where they do not disclose everything that is wrong. Likely their counts are that much lower because they are not giving out bounties (to my knowledge), are not targeted by the white hats or professional teams searching out vulnerabilities, and also possibly fix things ninja style and don’t open a CVE.

[Chart: Browser vulnerability counts, 2014]


If you look at vulnerabilities by CVSS over all time, Internet Explorer has the most vulnerabilities rated 9 or higher, followed by FireFox, Safari, then Chrome. For those of you unfamiliar with CVSS, it is a scoring system for determining how severe a vulnerability is, with 10 being the highest rating a vulnerability can receive.

[Chart: Lifetime vulnerabilities rated CVSS 9+ by browser]

Fun fact time!

  • Adobe Flash released on Patch Tuesday every month this year except February, when they released the week before and the week after Patch Tuesday.
  • Adobe Flash had 15 updates released in 2014 resolving 76 vulnerabilities.
  • 13 of those 15 were Priority 1 updates, meaning they resolved critical security vulnerabilities.
  • 11 of the vulnerabilities resolved by Flash updates in 2014 were publicly disclosed.  2 have been added to commercially available frameworks, and 2 were discovered in the wild in the form of Virus or Malware attacks.
  • When you update Flash, that only covers the application install.  You must also update Chrome to the latest version and deploy a Security Advisory from Microsoft for IE.  That’s a three’fer!  Three vulnerable points to update for the price of one!

Last, but not least, let’s look at what products had the most vulnerabilities in 2014. Based on CVEDetails.com, the top 10 products by Distinct Vulnerabilities for 2014 are as follows. A lot of browsers in this list along with Java and Flash Player. A lot of Apple on the list as well.

[Chart: Top 10 products by distinct vulnerabilities, 2014 (CVEDetails.com)]

Different vendor perspectives on security and vulnerabilities. Which is right? You decide.


We rely on a lot of software in this highly connected world. We have things such as The Internet of Things, BYOD, Shadow IT. All of these trendy phrases mean we have a lot more riding on the software vendors that provide our connected world, but what are their views on security? By taking a look at some recent press you can start to paint a picture on some of the different perspectives that vendors have on security.

First, let’s take a look at Microsoft. Microsoft has a large following around Patch Tuesday and there is a lot of press and awareness about their security updates. They provide strong recommendations that updates should be applied on a regular basis. Microsoft also has a series of advisories they put out regarding issues for which no update has yet been released. This proactive approach, and open disclosure about the risks to their customers, has been applauded by many, but also brings Microsoft under the gun when things go sour. This year, there have been a few patches that were either pulled or postponed due to quality issues.

For example, a recent Secure Channel (Schannel) update resolved a critical issue that experts say would be an enticing target for hackers. The update, however, has some known issues and has caused problems when applied to some systems. Despite these problems, Microsoft urged the update be applied as soon as possible. This article discusses the update and the impact of the known issues. What is the key take-away from this? That Microsoft prefers full disclosure when it comes to security issues.

Apple, on the other hand, has typically had a very closed-mouth take on security. Updates are typically released without much fanfare. When asked directly about security-related issues, they tend to deny an issue, or play it down, until a fix is available. They tend to lean more towards security by obscurity, or play down issues to be less than they are. While saying less, and preventing as many facts from being released as possible, may prevent some hackers from finding leads to where and what they can exploit, it has brought some scrutiny on Apple.

In this article, Apple addresses the ‘Masque Attack’ and plays it down, saying customers are safe. While Apple’s statement about the risk of exploit coming from third party sources may be true, the majority of exploits on any platform have some form of social engineering involved. The user is the weakest link in many exploits that occur. The team at FireEye definitely stresses a lot more concern than Apple regarding this form of exploit.

A third perspective is the vendor who is providing an application that is used by millions and is quite popular. Many other vendors fall into this category as well. The social media apps that are such an addiction for today’s culture often overlook security. The promises made by these vendors are taken at face value, but are they being met?

Snapchat recently had some issues that were in the news. ‘The Snappening’ was an attack dubbed by 4chan users, which ended up with over 100,000 pictures being captured and shared across the web. This included many questionable photos of a lot of minors. Snapchat has been criticized for misleading users about personal information privacy. The way Snapchat is designed has allowed third party developers to enhance the Snapchat experience, but the design also allowed account information and photos to be stolen. Snapchat’s response? Ban any accounts that utilize a third party app.

So what is the hypothetical result? An account is created by a hacker, the hacker gets x amount of hours exploiting the weaknesses in the Snapchat API, gets some amount of data (account/personal info, pictures), then is banned. The hacker then starts the process over again. They create software to replicate the process of creating an account and going through the process over and over. How well do we think this will play out? Kids, nothing ever really goes away. Conduct yourself in all things on the Internet as if you were standing in front of a crowd. You never know where it may end up.

So we have three perspectives on software security. You can argue the benefits and deficits to each (and there are continuing arguments). Which do you feel is right? Which do you feel is effective? Let us know.


Integrating with 3rd Party Components: Why Java is still not being updated in your environment.

With the Oracle CPU fresh in our minds, I thought this would be a good time to discuss a well-known issue for IT Admins around the world: updating Java only to find it breaks something in your users’ environment. More importantly, updating Java only to find that a mission critical app is broken. Java is running everywhere. It is one of the most popular development languages and responsible for a significant chunk of cool web development that has occurred over the past decade. The Java Runtime Environment (JRE), which renders all of the awesomeness that is Java, quickly turned into the bane of many an IT Department.

According to Cisco’s 2014 Annual Security Report, Java was involved in 91% of web exploits, and the majority of those exploits were for versions of Java that were outdated and vulnerabilities that the vendor had already plugged. That is a pretty staggering number and makes one wonder why you would choose to utilize a product that relies on Java. So where does the fault lie? Are Oracle, and Sun before them, to blame for the vulnerability of their development toolkit? To a point, yes, you can say they are responsible, but they also resolve MOST of the known vulnerabilities that are identified in a timely manner (and have improved significantly over time). There is still a bit more blame to go around, however.

You can google ‘java upgrade issues,’ and you will find ample evidence as to why an IT Admin would be a little gun shy around a Java update.  FireFox, Netscaler, printing issues, and especially Minecraft (heaven forbid!) can all be found in the first page of recent Java upgrade issues.  Some others that typically occur are those back office applications that make the business run.  ERP solutions or other critical apps that help you ship product, process orders, etc., could all rely on Java.  Break those and you may be talking about an RGE (Resume Generating Event).   So, no one party really is to blame here.  We have Oracle trying to resolve vulnerabilities in a timely manner and improving on that front.   How about the vendors and the companies who are running Java?  You may need to evaluate a little closer to home and see why you are not upgrading.

Ask your vendors:

  • Does the latest version of their product support the most recent Java updates?
  • Do they support updating Java as new versions are released?
  • How do they communicate whether the latest Java update will be compatible with the version you are running?

Ask yourself:

  • Are we running the latest version of the vendor’s software?
  • What are the limitations to upgrading?  Customization that would not be supported if you upgrade, cost of upgrading, etc.
  • What is your exposure by not upgrading?

The IT world is full of exceptions to the rule.  For every exception there is some risk.  Have you evaluated that risk and have you mitigated your exposure?

Things you can evaluate if you know you have a dependency on an outdated version of Java:

  • Are only required users able to access the outdated versions of Java?
  • Can the privilege level of the users who need to run on the at-risk machine be reduced to mitigate exposure if certain vulnerabilities are exploited?
  • Are the machines running Java able to be virtualized and segmented from parts of the network that have direct Internet access?
  • Can you lock down the machine in question to only allow access to the one application Java is needed for, and lock down all other web browsing, email, etc.?
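The checklists above come down to two questions per machine: is its JRE below the level you have decided is acceptable, and if so, is one of the compensating controls listed (restricted users, reduced privilege, segmentation, locked-down application) actually in place? The script below is an added example, not Shavlik's code or anything from Oracle; it parses the version strings that `java -version` prints (both the legacy `1.7.0_51` form and the `11.0.2` form used from Java 9 onward), compares each host with a per-major-version baseline, and separates outdated hosts that have a recorded control from those that have none. The baseline update numbers, host names and control descriptions are constructed placeholders, not real CPU levels or a real inventory.

```python
"""Flag hosts running a JRE below a required baseline (added example).

Handles both Java version string formats and distinguishes "outdated but
mitigated" from "outdated and exposed", which is the list you take to the
application owner.
"""
import re
from typing import Dict, List, NamedTuple


class JavaVersion(NamedTuple):
    major: int
    minor: int
    update: int          # "update" number for 1.x, security number for 9+


_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")     # 1.7.0_51
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")    # 9.0.4, 11.0.2, 17


def parse_java_version(text: str) -> JavaVersion:
    """Accept a bare version or the full first line of `java -version`."""
    m = re.search(r'version "([^"]+)"', text)
    raw = m.group(1) if m else text.strip()
    raw = re.split(r"[-+]", raw)[0]      # drop build suffixes such as "-b13" or "+9"
    legacy = _LEGACY.match(raw)
    if legacy:
        return JavaVersion(int(legacy.group(1)), int(legacy.group(2)),
                           int(legacy.group(3) or 0))
    modern = _MODERN.match(raw)
    if modern:
        return JavaVersion(int(modern.group(1)), int(modern.group(2) or 0),
                           int(modern.group(3) or 0))
    raise ValueError(f"unrecognised Java version: {text!r}")


class Host(NamedTuple):
    name: str
    version_line: str
    control: str = ""    # compensating control from the checklist, if any


def is_outdated(v: JavaVersion, baseline: Dict[int, JavaVersion]) -> bool:
    """Below the baseline for its major version, or a major with no baseline at all."""
    required = baseline.get(v.major)
    if required is None:
        return True      # e.g. a Java 6 that no longer receives public updates
    return v < required


def audit(hosts: List[Host], baseline: Dict[int, JavaVersion]) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {
        "current": [], "outdated_mitigated": [], "outdated_unmitigated": []}
    for h in hosts:
        v = parse_java_version(h.version_line)
        if not is_outdated(v, baseline):
            report["current"].append(h.name)
        elif h.control:
            report["outdated_mitigated"].append(h.name)
        else:
            report["outdated_unmitigated"].append(h.name)
    return report


# Constructed baseline: placeholder "minimum acceptable" level per major version.
BASELINE = {
    7: JavaVersion(7, 0, 72),
    8: JavaVersion(8, 0, 25),
    11: JavaVersion(11, 0, 2),
}

# Constructed inventory, as collected from `java -version` on each host.
SAMPLE_HOSTS = [
    Host("erp-app-01", 'java version "1.7.0_51"',
         control="segmented VLAN, no direct Internet, restricted user group"),
    Host("ws-finance-07", 'java version "1.7.0_45"'),
    Host("ws-dev-12", 'java version "1.8.0_25"'),
    Host("build-03", 'openjdk version "11.0.2" 2019-01-15'),
    Host("legacy-kiosk", 'java version "1.6.0_45"'),
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_HOSTS, BASELINE).items():
        print(f"{bucket:22s} {', '.join(names) or '-'}")
```

The "outdated_unmitigated" bucket is the exposure the last question in the checklist asks about; a host that needs the old JRE for one application but has none of the listed controls recorded should not be accepted as an exception on the strength of the business need alone.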


Security of Point-of-sale devices

Along with the rise in successful attacks on retailers, there has also been a rise in concern about the vulnerability of point-of-sale (POS) devices. Target, Subway, and Neiman Marcus are all good examples of why a hacker would choose the POS device as their target. The rewards are both far reaching and highly lucrative.

Particularly with POS devices, it’s impossible to emphasize enough the difference between compliance and security. These cannot be equated and sometimes are not even in the same ballpark. Taking the Subway breach as an example, you can be PCI and PA-DSS compliant and still be exploited if you leave other security measures untended.

Ensuring you are following the guidance in the NACS/PCATS 8-point plan is a good way to stay on top of those other security measures that can improve not only compliance, but also security. It provides guidance on a layered security approach to protect the POS devices beyond the local device. One of the most important elements is keeping the PA-DSS compliant software up to date and compliant, but it is also imperative to keep any other applications residing on these systems patched and updated. Segmenting the POS devices, and eliminating internet access directly from the POS device, further protects them. CERT’s Alert (TA14-002A), released in January 2014, emphasizes many of the same points for protection of the POS devices.

As we approach the Windows XP End of Life (EOL) in April, concerns have been raised regarding the broad reliance of ATMs on Windows XP Embedded. While XP Embedded is still supported until 2016, many of the systems supporting the ATMs will remain dependent on Windows XP and will go unpatched after April. This raises the concerns around letting platforms that will increase the risk of exploitation come in contact with POS devices.

Many banks have already been in negotiations with Microsoft to extend support for these dependent XP systems. Extending the support for these systems will allow banks to deploy private-release critical security patches to them, but this may require additional effort on the part of the IT teams to package the private patches for delivery to the EOL systems. For companies choosing to extend XP support beyond the April EOL date, you should contact your vendor regarding custom patch support. Shavlik has done this in the past with the EOL of Windows NT and 2000 systems. We are already discussing this type of service for customers who know they will have a prolonged dependency on Windows XP.

Many of the banks will be moving to Windows 7 Embedded, but are holding off for a few years to wait for the chip and pin rollouts before performing the migration to Windows 7 Embedded. That will occur over the next few years. By the time most have made the switch, it will be time to start looking at the next migration, as they will have about three years until Windows 7 Embedded reaches its own EOL and the problem repeats.

Last week our content team released support for Windows 8.1 Embedded. For the Shavlik customers who have already been requesting support for this platform, it is available for you now. For those customers upgrading to Windows 7 Embedded, that is already supported as well.  For more information, please visit http://www.shavlik.com/solutions/patch-management/ 


Protecting my Mom – New Generation of Attacks Threaten us All

Most days I sit comfortably at my desk behind multiple layers of defenses keeping myself and my machine from harm. I sip my coffee and don’t even think about defending myself from threats; instead most of my energy is focused on how we push forward in our industry against those armies of darkness that seek to compromise our privacy and security and exploit information for their own cause. This week was different. In three different cases, I found myself at the center of the attack. It was humbling, and at the same time reminded me of how much work we have to get done.

What scares me the most is the unsuspecting prey that countless hackers stalk. I’m knowledgeable about what and how hackers try to exploit victims. But I worry about my friends and family members that don’t have that same savvy knowledge. I think about my Mom, using the internet for her banking and the occasional check of Facebook… little does she know she’s in the epicenter of the attacks.

So this blog post is the first of a series of three chronicling my last week. I want to share with you three attacks that happened to me in the hopes that it gives you a flavor for where attacks are coming from nowadays. No longer is it the rogue link to install software or the email bomb that just annoys you. It’s a whole new world where callers, innocent internet checks, and group emails all lead towards exposure.

MONDAY:  Attack 1 – “Windows Service Center”

Last Thursday, I ended up getting home a bit early from a week of travel. It was about 4:00 p.m. and the house phone rang. It was just me and my kids at home. My kids range in age from seven to eleven and in most cases, it would have been them to answer the phone, but I happened to be there. I grabbed the phone, looked at the number and saw it was originating from New York. With family on the East coast, I didn’t think twice about grabbing the phone. After five seconds with no one speaking, I should have just hung up, but I stuck this one out. Then it happened… the attempted hack started.

The caller identified himself and began, “Hello this is XXXXXX from the Windows Service Center.” Intrigued, I decided to let him continue. “We have detected you have a computer virus on your machine and we’re here to help fix it.” At this point, my hack-o-meter instantly was pegged and I knew this was a scam, but for fun, I decided to let this play out. I asked, “how do you know I have a virus?” He responded, “because we have systems that detect these sort of things.” I asked, “how do you know it is my machine?” He retorted, “because we in America spy on our citizens.” I had to laugh at this one; to use that approach was fascinating, and more curiously, based on background noise, I firmly believe this call was not originating in the United States. Again, I pushed a little bit harder, “I have two machines in my house, which one is it?” He then responded, “I’m sure it is all of them, so we’ll fix them both.”

If memory serves me right, I was cutting the tops off of strawberries at this point in the kitchen and he asked me to go over to my computer. I told him I was in front of my computer at this point even though I was still cutting up strawberries. He started off by asking me to go to my control panel in Windows and told me that my Windows Firewall wasn’t active. WOW! I thought to myself, this is an impressive scam! Sure enough he successfully told me what to click (if I actually was in front of the computer) to navigate to my Windows Firewall and then told me the instruction to disable it because “bad software had taken it over.” Pretending I did, we continued. I asked him, “Are we done now?” To which he responded that he’d need access to my machine to make sure. I told him that I didn’t know how to do that and he asked me to go to some website by an IP address. Of course, at this point he began to see through my ruse. I told him I couldn’t get there but asked him what was there and he told me it was something “like a WebEx or online meeting” where he could control my machine.

He pushed really hard to get me there, but after a few more questions from me he started to get VERY mad. Not to mention I had moved onto rinsing some peppers and the water running was likely giving me away too. He told me, “You could be arrested if you don’t eradicate this virus” and even played off the emotional heart-strings, “you are exposing your family to harm.”  Then he crossed a line that I’ve never seen before, “I’m not asking you to go here, I’m telling you that you must” as his voice took on a threatening tone.

At this point, I told him that I needed to speak with a supervisor to validate this was the right thing to do. A man got on the line, didn’t identify himself and when I asked where they were and what company they worked for, you could tell I now was the one trying to go after them.  After I told them how shallow it was to attack innocent people like this, he blurted out a few expletives and mumbled some other inappropriate comments before hanging up.

If I had played his game, I have no doubt that the website I would have gone to likely would have been a way for them to remote control into my computer and more than likely it would have been used to download some Malware onto my machine. Things like key-loggers to capture my every password, my access, and even troll around my machine for some good documents that I might have. No doubt, my machine would have gone from a well-protected one to one that was riddled with Malware with a firewall turned off. All scary realizations for me.

…But could this have turned out differently?

What’s more scary though is I still play this story out with the “what-if” scenarios. What if my son had answered the phone? What if my wife had answered the call? Would they have played along or have gotten off the phone before damage was done? If they had played along, would the call have ended so innocently that they’d not have shared what happened with me? Could they have used my home machines (which don’t have valuable data) as a conduit to my work one, which definitely is more sensitive? The caller had the skills to make themselves sound believable, and the pressure-cooker capabilities of a time-share salesperson. They were well skilled to have seen this be a success.

On the heels of this event, I did everything I could to trace this attack back. It turns out the NY phone number was masked and it was originating from an exchange in India. The IP address website I was asked to access was from China. The call-back information was obviously invalid and I didn’t take the charade far enough to get more data to track them down. Hindsight being 20/20, I wish I had spun up one of my Malware Virtual Machines to access their website and see what else they did, or at least trace the traffic from that event back to a more authoritative location so I could snoop back at them. More than likely they were using the computer of their previous victim, so that likely would have led nowhere, but nonetheless, I came up short on sleuthing this one.

Beyond the attack on me, I went online and began to search for the keywords from this conversation, “Windows Service Center” and a few others. It turns out there were more than a few dozen of these attacks reported, each recounted a story like mine, and in many cases, the victims acknowledged they were successfully exploited as part of this attack.

The Moral of Part One

What’s the moral of this story?  There is no safe phone call and there is no innocent phone call. Unfortunately, it won’t take you long to go online and search and find other scams like this. Just this week we heard of the IRS phone scam defrauding millions from people impersonating the IRS. Some tips for all of us (and my mom) on this one:

  1. If someone calls, unfortunately, don’t trust them and make sure you validate their identity.
  2. Watch for key signs that the call is illegitimate. Ask yourself, does the caller ID number make sense? If it is “Unknown” really question it. If it is from outside of your home country, question it as well.
  3. If they are legitimate, they should be fine with you calling them back. Ask for their number and extension and ring them to validate you have a good number for them. At the same time however, if they give you an out of country number, DON’T CALL IT. This is a different type of scam…
  4. Never put yourself at risk doing something you know is wrong. Your firewall is there for a reason. We write patch-management software for a reason, never let someone ask you to take it down.
  5. If someone asks you to do something suspicious like go to an unverified website… don’t do it.
  6. Never… EVER… let them pressure you with commands or threats to do something you don’t want to.
  7. Call the authorities and email us. This activity is illegal and is a cybercrime. By you reporting it, people like me find out about it and then we go after these criminals.
  8. When in doubt, call/email me before you do anything… and I’m not just talking about emails from my mom… I’ll take emails from anyone on subjects like this.

I wish there was a switch on the wall that I could flip for us all to turn off the darkness.  Unfortunately, there isn’t. In the interim though, we’re here to make it safe for us all as best as we can. Be safe everyone.

December Patch Tuesday Advanced Notification

Microsoft has announced this month’s Patch Tuesday release.  There are 11 total patches – 5 Critical and 6 Important – expected to be released on Tuesday, December 10. Here is the breakdown for this month:

Security Bulletins:

  • Five bulletins are rated as Critical.
  • Six bulletins are rated as Important.

Vulnerability Impact:

  • Six bulletins address vulnerabilities that could allow Remote Code Execution.
  • One bulletin addresses a vulnerability that could lead to Information Disclosure.
  • Three bulletins address vulnerabilities that could allow Elevation of Privileges.
  • One bulletin addresses a vulnerability which could lead to a Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All versions of Office
  • Office Web Apps 2013
  • Lync 2010 and 2013
  • SharePoint Server 2010 and 2013
  • Exchange Server 2007, 2010, and 2013
  • ASP.NET SignalR
  • Visual Studio Team Foundation Server

If all expected bulletins are released on Tuesday, Microsoft will close 2013 having released 23 more patch day bulletins than in 2012 and six more than in 2011.

Join us as we review the Microsoft and third-party releases for December Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, December 11 at 11 a.m. CST.  We will also discuss other product and patch releases since the November Patch Tuesday.

You can register for the Patch Tuesday webinar here.


Microsoft released details and means to mitigate a Zero-Day exploit through Word documents

Microsoft released Security Advisory 2896666 yesterday, which describes a vulnerability in the Microsoft graphics component that is being actively exploited in targeted attacks using crafted Word documents sent by email. The attacks are limited as the exploit does need some user interaction to succeed. The end result, however, is that the attacker is able to execute code on the target system. The attacks that have been identified were located mostly in the Middle East and South Asia.

Office 2003 and 2007 are affected by this vulnerability. Office 2010 is affected only when installed on Windows XP or Server 2003. Office 2013 is not affected. Microsoft Lync 2010 and 2013 are also affected. The Security Advisory includes a “Fix It” to mitigate the risk of being exploited by turning off the TIFF codec, which would effectively block the attack, but would also affect any TIFF files that a user would attempt to open. The “Fix It” also comes with a second tool to back out the change once Microsoft has provided a patch to resolve the vulnerability.

A blog post on TechNet does provide other layers of defense that can reduce the potential risk as well. The suggested use of EMET, Protected View, and blocking of ActiveX controls in Office documents will help reduce your potential risk.

October Patch Tuesday Advanced Notifications

Patch Tuesday October is nearly upon us! The theme this month… Remote Code Execution! 4 Critical, 4 Important, and 7 of 8 are Remote Code Execution exploits. There is an IE patch that covers every OS and version of IE, but no word yet if it covers the Zero Day exploit that is currently being exploited in the wild. Here is the breakdown:

Security Bulletin Breakdown:

  • Four bulletins are rated as Critical.
  • Four bulletins are rated as Important.

Vulnerability Impact:

  • Seven bulletins address vulnerabilities that could lead to Remote Code Execution.
  • One bulletin addresses a vulnerability that could lead to Information Disclosure.

Affected Products:

  • All Internet Explorer versions
  • All supported Windows operating systems
  • All versions of Office
  • SharePoint Server 2007 SP3 (32- and 64-bit), 2010 SP1 & SP2, 2013
  • Office Web apps 2010 SP1 and SP2
  • Microsoft Silverlight 5

I will review the Microsoft releases for the October Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, October 9th at 11 a.m. CDT. I will also discuss other non-Microsoft releases that have occurred since the September Patch Tuesday. You can register for the Patch Tuesday webcast here.

Chris Goettl