Oracle has announced an out-of-band Java update to resolve a publicly disclosed vulnerability that can be exploited over the network without authentication. The vulnerability fits the profile of one that is more likely to be exploited in 30 days or less.
The Oracle Security Advisory for CVE-2016-0636 provides the CVSS details for the vulnerability. It has a CVSS score of 9.3; the access vector is network, access complexity is medium, and authentication is none. Confidentiality, integrity and availability impact are all complete. If you have read Verizon’s 2015 Data Breach Investigations Report, this pattern indicates a high risk of the vulnerability being exploited within a short time frame.
In the report, there is a section dedicated to indicators of risk, specifically focused on how they help to profile CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit framework is the most obvious indicator, since it would easily be replicated by a Threat Actor to exploit the vulnerability. However, based on the CVE information and analysis of over 67,000 CVEs, the Verizon team was able to uncover a pattern for vulnerabilities that have been exploited, including those exploited in less than 30 days.
The majority of vulnerabilities that have been exploited have an access vector of network, authentication of none, and access complexity of medium or low. If confidentiality, integrity and availability impact are all complete and the CVSS score is nine or 10, the vulnerability falls into a more critical time frame in which it is likely to be exploited very quickly. (See the figure from the Verizon Breach Report.)
As a precaution, put some urgency on getting this updated as quickly as possible. Aside from meeting the pattern described above, this vulnerability has been publicly disclosed. The Shavlik Content Team is already working on releasing content for this update.
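The prioritization pattern above can be applied mechanically to CVSS v2 base vectors. The following Python is an added example for this post, not code from Shavlik or Verizon: it parses a CVSS v2 vector string, applies the three checks the post lists (network access vector, no authentication, low or medium complexity) and then the complete-impact plus score-of-nine-or-more rule for the most critical tier. The sample entries are constructed; only the first one reflects metrics the advisory actually states for CVE-2016-0636, and its vector string is my rendering of those metrics.

```python
# Constructed sample entries: CVE id -> (CVSS v2 base vector, base score).
# CVE-2016-0636 uses the metrics stated in the advisory (AV network, AC medium,
# Au none, C/I/A complete, score 9.3); the EXAMPLE-* entries are made up.
SAMPLES = {
    "CVE-2016-0636": ("AV:N/AC:M/Au:N/C:C/I:C/A:C", 9.3),
    "EXAMPLE-LOCAL": ("AV:L/AC:L/Au:N/C:C/I:C/A:C", 7.2),
    "EXAMPLE-AUTH": ("AV:N/AC:L/Au:S/C:P/I:P/A:P", 6.5),
    "EXAMPLE-DOS": ("AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8),
}

# Allowed values per CVSS v2 base metric, used to reject malformed vectors.
VALID_VALUES = {
    "AV": {"L", "A", "N"},   # local, adjacent network, network
    "AC": {"H", "M", "L"},   # high, medium, low
    "Au": {"M", "S", "N"},   # multiple, single, none
    "C": {"N", "P", "C"},    # none, partial, complete
    "I": {"N", "P", "C"},
    "A": {"N", "P", "C"},
}

RANK = {"critical": 0, "elevated": 1, "baseline": 2}


def parse_cvss2_vector(vector):
    """Parse 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into a dict; raise ValueError if malformed."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in VALID_VALUES or value not in VALID_VALUES[name]:
            raise ValueError(f"malformed or unknown metric: {part!r}")
        metrics[name] = value
    missing = set(VALID_VALUES) - set(metrics)
    if missing:
        raise ValueError(f"vector missing metrics: {sorted(missing)}")
    return metrics


def exploit_risk_profile(vector, base_score):
    """Classify a vulnerability with the pattern the post takes from the DBIR.

    'baseline'  - does not match the network / no-auth / low-or-medium pattern
    'elevated'  - matches the pattern
    'critical'  - matches the pattern, full C/I/A impact, and score >= 9.0
    """
    m = parse_cvss2_vector(vector)
    matches_pattern = m["AV"] == "N" and m["Au"] == "N" and m["AC"] in ("L", "M")
    if not matches_pattern:
        return "baseline"
    full_impact = m["C"] == "C" and m["I"] == "C" and m["A"] == "C"
    if full_impact and base_score >= 9.0:
        return "critical"
    return "elevated"


def triage(entries):
    """Return [(cve_id, profile)] ordered most urgent first, then by id."""
    scored = [(cve, exploit_risk_profile(vec, score)) for cve, (vec, score) in entries.items()]
    return sorted(scored, key=lambda item: (RANK[item[1]], item[0]))


if __name__ == "__main__":
    for cve, profile in triage(SAMPLES):
        print(f"{profile:9s} {cve}")
```

The classifier is only a triage aid: a vulnerability that comes out as "baseline" still needs patching, it just lacks the markers the post says correlate with exploitation inside 30 days.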
Shavlik is happy to announce that we have added a new product, Secure Mobile Email by LetMobile, to our product line. LetMobile is a secure email solution that brings the same effectiveness and ease of management that you have come to expect from Shavlik to the challenge of protecting corporate information on mobile devices.
Today, I sat down with product manager Eran Livne to learn more about Secure Mobile Email by LetMobile. Eran has led this product from its inception and has spent years studying the mobile device management space.
Anne: Why LetMobile? What problem does it solve for our friends in IT?
Eran: There’s a new challenge with all of these smart devices. Users buy devices and want to use them for work; however, they don’t want IT to control them and have less concern about security. IT is used to managing and controlling, owns security, and is held responsible if a data breach occurs. There is a huge gap between the interests of these two sides.
Anne: How do we bridge this gap?
Eran: LetMobile was built to find this balance and to bridge this gap. We provide the best of both worlds; IT gets security compliance management and data protection, and users get a native email experience on the device of their choosing. They don’t have to use subpar email clients to consume corporate emails or separate the process of reading work email from reading personal email.
With LetMobile, security policies apply only to corporate data, so the solution has no knowledge of or control over personal data or apps. This means users are free to use their devices how they wish, do not need to fear corporate “big brother,” and don’t have to comply with annoying policies like being forced to lock their devices or granting the company access to wipe their devices.
Anne: Wow, that sounds almost too good to be true. How does LetMobile work?
Eran: LetMobile is a gateway solution. We offer on-premise and SaaS offerings that act as an intermediary between Exchange (or your email service) and user devices. The LetMobile gateway streams email to the device, so email and email attachments are never stored on the device. Additionally, corporate credentials are never stored on the mobile device, so if the device is lost, the user’s corporate creds cannot be compromised.
Anne: Beyond basic email security what are some of the other cool capabilities of LetMobile?
Eran: LetMobile includes data loss prevention (DLP) capabilities that look into the “body” of emails and attachments and can take action based on the presence of keywords or regular expressions. This coupled with LetMobile’s geo-fencing capabilities means say a financial institution could enforce a policy where customer account numbers are masked in emails unless the device is in a trusted location. LetMobile can keep confidential information from leaving the four walls of your corporate headquarters and even your country’s borders.
Anne: If readers want to learn more about LetMobile or see a demo, what should they do?
Eran: We have a wealth of information out there on our website. Check out…
Two months ago, Shavlik released a security advisory alerting our customer community to the availability of off-the-shelf exploit kits that enable less sophisticated hackers to mimic a Target-like attack.
In that advisory, Rob Juncker, Vice President of R&D for Shavlik, accurately predicted the availability of these exploit kits would lead to the following.
More companies will be coming forward to report breaches.
The scope of these breaches will go beyond retailers to impact all types of business that have valuable and private information.
Earlier this month, the game changed again, but this time the threat doesn’t come from hackers alone; it’s coming from the court room, the halls of government, and maybe even from your own employees. For the first time we are seeing companies being held legally and financially responsible for security breaches that occurred due to insufficient and/or negligent security practices.
Today, Shavlik is issuing another security advisory to draw your attention to three landmark cases that made headlines earlier this month.
Anchorage Community Health Services was fined $150,000 by the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) for “failure to apply software patches [that] contributed to a 2012 malware-related breach affecting more than 2,700 individuals,” according to GovInfoSecurity.
This incident is the first where a company has been held liable by OCR for failing to patch software, and now a precedent has been set, making disciplined patch management a critical part of HIPAA compliance.
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities,” OCR Director Jocelyn Samuels said to GovInfoSecurity.
U.S. District Court in Minnesota denied Target Corporation’s motion to have litigation dismissed that has been filed by financial institutions who suffered losses as a result of Target’s 2013 data breach.
According to Reuters, Judge Paul Magnuson found “…banks were foreseeable victims of Target’s allegedly negligent conduct.” The report went on to say, “Importantly, Judge Magnuson said that imposing a duty of care on Target ‘will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.’”
This case may set a precedent for companies to be financially liable to both consumers and financial institutions for breaches that compromise customer data.
Two employees filed a class action lawsuit against Sony for allegedly not taking adequate precautions to secure employee data.
According to an article posted on TechCrunch, “The complaint references a tech blog reporting to note that Sony was aware of the insecurity on its network and took the risk.”
It has been confirmed that employee emails, website viewing activities, credit card website credentials, and social security numbers were among the data made public as a result of the Sony breach, and now after having already lost an estimated $100 million, Sony could be in for more expense at the hands of its own employees.
Shavlik is happy to announce the release of Shavlik Patch for Microsoft System Center. This follow-on to Shavlik SCUPdates provides third-party patching within Microsoft System Center Configuration Manager (SCCM) and does it in such a manner that third-party patching has never been easier.
What’s cool in Shavlik Patch?
If you are using SCCM 2012 (or later versions)…
Ability to patch more than 100 popular applications completely within Configuration Manager
An integrated add-in for the Configuration Manager console that no longer requires the use of System Center Updates Publisher (SCUP)
Automatically check for and download patch data from Shavlik
Publish new patches through SCCM manually or automatically
Smart handling of difficult to install patches like Java
If you are using SCCM 2007…
Continue to enjoy the goodness of SCUPdates just with a new name
Want to see it in action?
Join Shavlik Chief Marketing Officer Steve Morton, Systems Engineer John Rush, and me as we discuss the details of the new release and show you how Shavlik Patch will revolutionize the way you perform third-party patching within Configuration Manager.
Introducing the New Shavlik Patch for Microsoft System Center
Wednesday, February 12, 2014 10:00 a.m. CST Register Now
We have been developing a tool to ease the burden of moving a Shavlik Protect Console from one system to another. It could be done with some manual effort (moving certificates, swapping out the name of the system so agents would start talking to the new one once everything had been moved), but it was a pain. With the performance benefits of 64 bit and the EOL of Windows XP (Apr 2014) and Server 2003
The holidays are nearly over and many of us are starting to think of resolutions as we start a new year. You may be contemplating diets, kicking a habit, getting a gym membership or exercise equipment at home, but at the office, think about ways to improve your security in 2014. Here are some suggestions to contemplate. These are probably problems or projects you have already been thinking about, and maybe you have already solved them or planned to solve them this coming year. If you haven’t, keep in mind that all of these are possible with Shavlik Protect.
Increase patching frequency for your end user machines:
Microsoft may only release patches once a month, but the 3rd party apps on your systems are updated throughout the rest of the month. Products from vendors like Adobe, Java, Google, Apple, Mozilla, and others are a prime target for hackers as many companies neglect to update them. Our Content Team releases new data multiple times each week which includes security updates for these products.
Talk to vendors who are holding you on a vulnerable version of software because their application depends on it. A good example of this is the Java Runtime. If you have software dependent on an older version of Java, this is a risk to your environment. I can’t tell you how many companies I talk to that are stuck on a version of Java 6 because a software vendor depends on that specific version. There are known exploits and off-the-shelf software to take advantage of them, making this an easy target for hackers.
Check for End of Life software on your systems. Shavlik shows software titles that have reached EOL with their vendor. Any titles that are no longer supported become a risk to your environment and should be updated or removed if possible.
Secure your virtual infrastructure:
Securing the guest OS is all well and good, but if you do not patch the infrastructure it is running on, you are still putting even the most secure VM at risk. With Protect you can patch Citrix, Hyper-V, and VMware ESXi (Protect 9.0+) infrastructures.
Update VMware Tools. VMware Tools are required for a lot of functionality on VMware VMs, and they are also a security risk, so ensure you are updating the Tools version on your VMs. Keep in mind that if you do not update the Tools version on the hypervisor, the VMware Tools “up to date” status is not accurate, so ensure the latest Tools updates are applied to your hypervisors. After you update the Tools version on your hypervisor there can be a delay, and possibly a VM reboot, before the Tools version shows as out of date. Protect will detect and push the latest version of Tools to systems, which may be newer than the version your hypervisor is evaluating against.
Extend your coverage outside your environment:
Laptops that move in and out of your network regularly can be a risk to your environment. It is important to ensure these systems are updated more frequently. They move beyond your corporate perimeter security measures and often reside on public networks exposing them to greater risk. With Protect 9.0 you can now enroll your console in the ProtectCloud. This enables agents on your laptops to keep up to date even outside your network. Policy updates and results are exchanged through the ProtectCloud so you are still able to see machines being updated and ensure they take policy changes you apply.
We recently caught up with Randy Bowman to learn more about how Shavlik helps him in his role as network engineer for the Presbyterian Church of the USA in Louisville, Kentucky.
The System: The Presbyterian Church of USA licenses Shavlik for 50 servers with 450 endpoints dispersed in Louisville and Stone Point, New York.
The Team: Consists of a two member networking team that takes care of the servers and server patching on a monthly basis as well as a team member that administers desktop support. The desktop team member also takes care of patching the individual computers, which frees up network staff.
Q: Shavlik: What motivated you to look for a security solution?
A: Randy Bowman: About 8 years ago I came on board after some significant staffing changes. For practical reasons we did not have very much available in the way of documentation. We had to make up for lost time in our patching and we ended up getting a virus. The result was that we were down for three days.
Q: Shavlik: How did you come to use Shavlik?
A: Randy Bowman: One thing I took on as legacy software was UpdateEXPERT (Shavlik acquired UpdateEXPERT in 2007). From there it was an easy transition to Shavlik Protect. We find it makes things a lot simpler for us. It allows us to patch several servers at one time and patch them in the evening when they are free of traffic. We have the flexibility to reboot the servers or do them manually. If the server is open we can throw on the patching right then and there and have it reboot.
Q: Shavlik: What made Shavlik so appealing?
A: Randy Bowman: Time savings. Being able to quickly implement the patches and download them when they come on Patch Tuesday is a huge benefit. We usually wait until Friday or wait for a notification from Shavlik saying it’s okay for the patches to be installed. Here we’ve got 50 plus servers. I can patch half one night and half the next night, and that would be the first patch. Even if it takes two passes to go through and get a server completely patched, it still saves us time. We are patched in less than a week, where before we would have to do some even manually. Patching is a piece of cake really. In comparison to what we’ve had before, it saves us so much time. Another thing is, if there’s an agent that needs to be on the server like if you brought a new server out, even if it’s just a test server, you can open Shavlik and tell it to push the new agent and BOOM it’s done.
Q: Shavlik: Once you chose to use Shavlik, how long did it take you to get up and running?
A: Randy Bowman: In 2 days we had it going. It actually would have taken 1 day but we were having some separate technical issues with the servers that caused delays.
Q: Shavlik: For this installation, did you have people helping you or was it just plug-and-play?
A: Randy Bowman: It was plug-and-play, more or less. A fellow network engineer did the last upgrade to 9.0. He was on the phone with support and got it done in an hour.
Q: Shavlik: What is your favorite Shavlik feature?
A: Randy Bowman: I like how you can go through and scan the machines in a machine group and it will tell you how many patches are missing. You can run the report and in 5 minutes you’ve got results emailed to you about what patches are missing. When it comes to critical security patches, we sat down years ago and decided this is what we need. It’s easy for Shavlik to go through and look for these and let us know what’s patched and what’s not, and if it’s critical or not.
Microsoft has announced this month’s Patch Tuesday release. There are 11 total patches – 5 Critical and 6 Important – expected to be released on Tuesday, December 10. Here is the breakdown for this month:
Five bulletins are rated as Critical.
Six bulletins are rated as Important.
Six bulletins address vulnerabilities that could allow Remote Code Execution.
One bulletin addresses a vulnerability that could lead to Information Disclosure.
Three bulletins address vulnerabilities that could allow Elevation of Privilege.
One bulletin addresses a vulnerability which could lead to a Security Feature Bypass.
All supported Windows operating systems
All versions of Office
Office Web Apps 2013
Lync 2010 and 2013
SharePoint Server 2010 and 2013
Exchange Server 2007, 2010, and 2013
Visual Studio Team Foundation Server
If all expected bulletins are released on Tuesday, Microsoft will close 2013 having released 23 more patch day bulletins than in 2012 and six more than in 2011.
Join us as we review the Microsoft and third-party releases for December Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, December 11 at 11 a.m. CST. We will also discuss other product and patch releases since the November Patch Tuesday.
You can register for the Patch Tuesday webinar here.
Thank you, Shavlik users, for making Shavlik Protect the Information Security™ Magazine and SearchSecurity.com 2013 Readers’ Choice Award winner. Shavlik Protect received gold in the vulnerability management category and was among the highest scorers this year in any category.
“Shavlik is honored to receive Gold in the 2013 Readers’ Choice Awards,” said Steve Morton, Chief Marketing Officer for Shavlik. “This award not only validates the hard work of our employees but also reinforces and shows the high level of trust our clients place in us and their positive experience with Shavlik Protect.”
From all of us, thank you for this honor and more importantly, your continued confidence in and support of the Shavlik family of products.
If you have not read up on the ZDNet and other posts regarding this exploit, here is a link to an article discussing it in more depth. If you are still on Java 6 you are vulnerable to this Java vulnerability; Java 7 update 21 and earlier are also exposed. There is an exploit kit available to hackers for $450, so they can purchase a way to exploit this vulnerability off the shelf. This means it is past time to upgrade your Java runtime.
So, Shavlik Protect users, here are some easy steps to create a scan template that lets you deploy Java 7 update 25 to your machines and ensure they are up to date.
For users on Protect 9.0 the steps are as follows:
Create a new Patch Group by clicking on the +New > Patch Group…
Name the Patch Group “Java 7 Software Distribution”
Click add and sort by QNumber column. Select QJAVA7U25N and QJAVA7U25X64N and save the patch group.
Click +New > Patch Scan Template… and name it Java 7 Software Distribution
On the Filtering tab, uncheck Patch Type > Security Patches, set the Patch filter to “Scan Selected”, click the “…” button, and select the “Java 7 Software Distribution” patch group.
Click on the “Software Distribution” tab and check the box to enable Software Distribution. Save the scan template.
Scan and Deploy the Java 7 update 25.
The best way to protect against this zero-day is to eliminate the presence of Java 6, and this should be an easy way to do so.