May Patch Tuesday Round-Up

SecurityImage

There were a lot of updates released this month.  A lot of the updates from Microsoft overlap each other.  There is even a case of one patch replacing another within the 13 patches released this month.  Here are some things to know as you continue through your patch process:

Several patches may apply multiple times to the same system.  MS15-044 applies to multiple products including the OS, .Net, Office, Lync, and Silverlight.  MS15-047 for Microsoft Silverlight is another update that overlaps what files are being updated.  MS15-048 for .Net is also overlaps many of the other updates and could show missing multiple times on the same system.

MS15-052 is replaced by MS15-055.  On Windows 8 and Server 2012 you need to install 052 before 055.  With Shavlik Protect you would just see MS15-055 in this case as it replaces MS15-052.

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which increases the risk that they will be exploited significantly.

MS15-050 is vulnerable on Windows 2003, but there is not updated offered for this OS as the changes required would require significant re-architecture.  As 2003 reaches its End-of-Life the number of unpatched vulnerabilities will increase.

MS15-055 resolves vulnerabilities in Schannel, but also includes additional security-related changes to TLS including increasing the minimum allowable DHE key length to 1024 bits.

 

May Patch Tuesday 2015

SecurityImage

Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and the following Microsoft products affect Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereference, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on Javascript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. An out-of-bounds read\write during JS validation, which could result in allow for information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolve, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday.  Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this months Patch Tuesday lineup.

Critical Update for Shavlik Patch for Microsoft System Center

110931386-300x199You’ve probably heard by now that Shavlik is requiring all customers to install Update 1 for Shavlik Patch for Microsoft System Center 2.0 and 2.1, but did you know that the whole process takes less than two minutes? That’s right – less than two minutes.

Check out this video from John Rush where he demonstrates the process for applying Update 1 to Shavlik Patch. Did we mention it only takes two minutes?

Now, it’s your turn. Please install Update 1 today so you will not experience an interruption in receiving third-party patch data.

If you are a Shavlik Patch 2.1 user, complete the following actions:

  1. Download the updated version from www.shavlik.com/support/patch/downloads, and copy the executable file to your Configuration Manager console machine.
  2. Close System Center Configuration Manager.
  3. Run the Shavlik Patch executable (sccmpatchsetup_2_1_810.exe) and follow the on-screen instructions. For further details about this step, see the Shavlik Patch User’s Guide.
  4. Open System Center Configuration Manager and commence business as usual.

If you are running Shavlik 2.0, we encourage you to upgrade to 2.1 (see instructions above). In the same amount of time it takes to apply the patch to Version 2.0, you can complete your upgrade to Version 2.1 and enjoy all of the latest features in Shavlik Patch. If you are unable to update from 2.0 to 2.1 at this time, please contact Shavlik Support to obtain the 2.0 update.

This update does not affect customers using the catalog file version (1.0) of Shavlik Patch or Shavlik Protect.

If you have any questions or concerns about applying this patch, please contact Shavlik Support.

 

February Patch Day Round-Up

SecurityImage

February did not have a lot of issues from patches released on Patch Tuesday, but there are a couple of things that occurred that you may want to know about.

First is the update that was pulled from circulation after reports of systems hanging.  An update for Visual Studio 2010 Tools for Office Runtime (KB3001652) reportedly started causing issue on Patch Tuesday.  It was pulled later the same day.

Second, and probably the wider impacting issue this month, was update MS15-009 breaking Cisco AnyConnect VPN clients.  Microsoft has stated they will release a fix in March that should resolve the issue, but until then you have three work around options:

1. Windows 8 compatibility mode for the app

2.Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:

Control Panel / Programs / Programs and Features, click “View installed updates” on the left and locate and uninstall the update labeled with KB3023607.  This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.

3. Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607
https://support.microsoft.com/kb/3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

You can the On Demand February Patch Tuesday webinar or download the presentation for this last months Patch Tuesday release.  Also, sign up for the March Patch Tuesday webinar to discuss the updates released on Patch Tuesday, recommendations, and things to watch out for.

The Communicator’s Corner: Secret Agent, Man

(Title inspired by a favorite song by Johnny Rivers that was a hit just a few years ago.)

Secret Agent

Did you know that Shavlik Protect provides all of this functionality using both agentless and agent-based technologies?

In my last few blog posts, I have talked about three prominent features in Shavlik Protect that go beyond the core patch management capabilities. The threat management, power management, and ITScripts features in Shavlik Protect make it much more than a utility used once a month at patch time. Rather, it is a multi-use, unified IT management platform that provides incredible value to your organization every single day.

Now that that secret is out of the bag, I thought I’d let you in on another. Did you know that Shavlik Protect provides all of this functionality using both agentless and agent-based technologies? It’s true! Most everyone is familiar with Shavlik Protect’s agentless capabilities – it is, after all, part of what helps you get up and running with the product in 30 minutes or less. But agents? That seems to be an untold story.

Here’s the scoop: Although performing actions on your target machines from a central console has many advantages, certain types of users or systems can pose problems for agentless solutions. For example, machines that must reside in a de-militarized zone (DMZ), roaming users, and disconnected or inactive machines can all prove problematic. In these cases an agent-based solution is often the best answer.

Implementing agents in Shavlik Protect is a relatively easy, two-step process. You first configure one or more agent policies on the console. Then, you install the agents on your target machines either by pushing them from the Shavlik Protect console or by manually installing them on individual machines. Once they are up and running, the agents will report all activity to the console so you can track their actions.

Depending on how they are configured when installed on a machine, an agent can:

  • Scan for and deploy missing patches
  • Scan for asset information
  • Provide real-time monitoring and protection against known and unknown threats
  • Scan for and remediate existing threats such as spyware, viruses, Trojans, and rootkits
  • Shut down or restart the agent machine on specific days and times
  • Listen to the console or the cloud for policy updates
  • Report the results to the local console

Not bad, huh? Here are a few options if you are interested in learning more.

 

Patch Tuesday February 2015

SecurityImageIt is February and already we have seen some excitement so far this year. Between Microsoft dissolving the ANS (Advanced Notification Service), to Google’s Project Zero team rigidly adhering to their 90-day disclosure policy (disclosing a Windows vulnerability days before the January Bulletin released, not to mention the disclosure of three high severity Apple vulnerabilities in late January), and a series of Flash Zero Day’s that were discovered in the wild and quickly turned around by Adobe. My take on each of these:

  • Microsoft ANS – I’m not a fan of dissolving this program. Not all companies may have used this to their full advantage, but customers of ours relied on the ANS to give them a couple of day jumpstart on prepping for their monthly maintenance. If Microsoft introduces patches to a product that has never been updated prior to the patch cycle, admins will need time to prep test machines. Now they will be condensing that time along with change control processes into a tighter window.
  • Google Project Zero disclosures – Anyone who has read my blogs or commentary before knows that I am a proponent for vendors being responsible about disclosures, but after a resolution is in place. Yes the time to resolution is important, and for vendors who are negligent I fully agree with the Google stance. By Chris Betz’s comments in a blog post just after Google’s disclosure of the Windows OS vulnerability, they had communicated to Google, prior to the 90-day date, that the update was coming just a couple of days later. What purpose did this disclosure serve other than to stir up a lively debate?
  • Flash Zero Day’s – I do not envy the Adobe Security Team so far this year. Browsers, browser plug-ins and media players are prime targets for hackers. They are on practically every device we use, so naturally they will become a target. I do think that the turnaround from discovery to resolution on these three instances was very fast and applaud the Adobe team for ensuring the resolutions were delivered quickly.

For February Patch Tuesday the non-Microsoft updates are going to be light this month. With three Zero Day’s in a row, Flash Player has had a number of updates pushed recently. Companies that have not pushed the most recent Flash Player updates should do so immediately. Since January there have been three Flash Player updates to cover a series of Zero Day’s discovered in the wild. The most recent update on Feb. 5 also included 17 other vulnerability fixes. The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January.

With the series of Flash Player updates, you will also need to push the latest IE Advisory 3021953 to update the Flash Plug-in, otherwise you have not fully plugged the three Zero Day’s and additional vulnerabilities from the Flash releases.

Google Chrome also released prior to patch Tuesday to accommodate the urgent Flash Player updates. The latest Chrome update resolves the Feb. 5 Flash Player plug-in update along with 11 security fixes. This should be another high priority update for you this month. Google has announced a Beta Channel Update for Chrome, which usually indicates a release is not far off. I would expect it to be a feature release since Google updated so many security fixes on Feb. 5.

Mozilla Firefox released an update last week including 10 security vulnerabilities. Four of these are Critical. This should be among your top priorities this month to get updated.

On the Microsoft front we will see a fairly average-sized Patch Tuesday. Three Critical and six Important updates have been released. The impact this month includes the operating system, Internet Explorer, Office, SharePoint and System Center Virtual Machine Manager.

Internet Explorer is a critical update this month. Having not pushed an update in January, it is not surprise that there are 41 vulnerabilities being resolved in this Security Rollup. Definitely a Priority 1 this month. One of these has been publicly disclosed.

There are two Critical updates for the Windows Operating System updates this month. The first is a Critical Kernel Mode Driver update this month, so test diligently lest you blow up the brains of the machine. Then we have a Critical update group policy that could allow remote code execution. The VMM update applies to both server and client installs. If you have the admin console installed on the VMM server you should update the VMM server patch first, then the administrator console patch.

There are no Critical updates for Office this month, but there are multiple Important updates including a SharePoint update. The thing about SharePoint updates is the lack of rollback. Test adequately, especially if you have a lot of SharePoint plug-ins. If you have not already done so, you should look into virtualizing your SharePoint servers. The ability to snapshot the VM prior to updating will allow you to rollback even if the patch does not support it. If you are running VMware vSphere and Shavlik Protect, you can take advantage of our snapshot feature to do a pre-deploy snapshot automatically during the patch process.

Here is a bulletin-by-bulletin summary of the updates you should be planning for this February (first three released prior to Patch Tuesday):

APSB15-04: Security updates available for Adobe Flash Player
Vendor Severity: Priority 1
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 18 (+2 more if you have not pushed APSB15-03 yet)
Impact: 1 Zero Day currently being exploited in the wild (+2 more if you did not push -03), use-after-free, memory corruption, type confusion, heap buffer overflow, buffer overflow, and null pointer vulnerabilities.

Chrome 40.0.2214.111 : Stable Channel Update
Vendor Severity: High
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 11 (Also includes support for latest Flash plug-in)
Impact: 3 Highs resolving use-after-free, cross-origin-bypass, and privilege escalation

Firefox: 34 and 35 updates
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 10
Impact: 4 critical updates resolving sandbox escape, read-after-free, memory safety, and update to the OpenH254 plug-in.  Also includes uninitialized memory use, origin header, memory use, wrapper bypass and other vulnerability fixes.

MS15-009: Security Update for Internet Explorer (3034682)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 41 (1 is publicly disclosed)
Impact: Remote Code Execution, Security Feature Bypass

MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 6 (1 is publicly disclosed)
Impact: Elevation of privilege, Security feature bypass,

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 1
Impact: Remote code execution

MS15-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 3
Impact: Remote Code Execution

MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1 (publicly disclosed)
Impact: Security Feature Bypass

MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Security Feature Bypass

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

MS15-016: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Information Disclosure

MS15-017: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

Join us tomorrow on our monthly Patch Tuesday webinar as we discuss the priorities and pitfalls you will want to watch out for.

2015: The Year of the Healthcare Breach

HealthcareBreachOur own Rob Juncker, V.P. of research and development for Shavlik, has predicted that Healthcare breaches will rapidly increase in 2015. Now that hackers are getting smarter about attacking endpoints to glean credit card data from retailers, they are looking for more creative ways to make money. In the hacker’s community, credit card data is worth about $1 per card, whereas protected health information (PHI) is currently worth about $10 per record and rising.

Why the discrepancy in price? Because hackers can do more nefarious activities by submitting fraudulent healthcare claims or by buying and selling drugs and medical equipment for financial gain. Credit card companies are just plain better than insurance companies at detecting and shutting down fraudulent activity. Credit card companies also have the option to change your credit card number, whereas your patient data cannot change. Medical fraud could last for years before it is detected and corrected.

Now that Mr. Juncker has made the prediction, 2015 brings us our first major health record breach with Anthem, whose brands include Anthem Blue Cross/Blue Shield and others. The potential theft could be as big as 80 million records and include names, social security numbers, birth dates, policy numbers, diagnosis codes and billing information. The overall security problem is exacerbated by outdated equipment, demands from doctors to use mobile devices, and the loss or theft of devices used by multiple health workers.

So what can healthcare and IT organizations do? The first step is to simply keep up with the latest updates and patches. Once a software vendor such as Adobe releases a patch, hackers now know there is a security hole. Shavlik is seeing an increase of vulnerabilities coming from third-party applications outside of the OS. Patching both the OS and third-party applications is critical to keeping them secure and the data safe.

Vulnerabilities exist on the end-point because they are often unpatched and neglected. IT has enough on its plate to try and keep all the software on every system up-to-date. But in the wave of the latest breaches, it becomes imperative to do so.

As we see healthcare staff requesting more mobile devices such as tablets, we will see more loss and theft of devices that will contain PHI data. Having methods to encrypt the critical data such as email and attachments will greatly decrease the risk.

As a healthcare provider, what does it mean to you? As in retail, security is more and more of an issue that needs to be addressed. Healthcare organizations are now under scrutiny to comply with HIPAA regulations. Anchorage Community Mental Health Services (ACMHS) was fined $150,000 after 2,700 health records were stolen in an attack. They were attacked simply because they were not patching software!

Beware healthcare. 2014 was the year of retail breaches. 2015 is the year of healthcare breaches!

 

 

 

Some interesting stats regarding vulnerabilities in 2014

2014 was a big year.  We saw a large number of data breaches and a variety of vulnerabilities come to light from Heartbleed to Poodlebleed to BlackPOS.  Looking back on many of the major occurrences you can sometimes miss trends and interesting facts.  Here is a look at some of the highlights of 2014 for all your favorite vendors.

Microsoft released 85 security updates this year, 29 of which were Critical Updates.  Here is the breakdown by Severity:

MSSeverityBreakdown

Taking into account non-security updates and looking only at Critical updates, here is a breakdown by Windows Operating System.  Keep in mind XP was only under support for a short time this year (there are a lot of unpatched vulnerabilities and unreleased bug fixes for XP from this year alone).  Probably not surprising, but Windows 8.1 had a lot of Critical fixes this year.  This is likely due to the young age of the Operating System and the need to flush out many user experience issues and fix critical bugs found as usage increased.  Of the 290 critical updates, only 15 were Security Bulletins.

OSCriticalPatchCount

 

Let’s talk browsers.  This is always a fun topic.  Which is your favorite browser?  Everyone loves to hate on IE, and then you have the Chrome and FireFox fanboys.  Not sure how many Safari fanboys I have met.  Most of those would characterize as a Mac fanboy who didn’t care to find an alternate browser to use so continued to use the default that came with the OS (not unlike most IE users).  If you look at the trend it typically is Chrome, FireFox, IE, Safari as far as CVEs resolved in a year.  This year Microsoft had a trend starting back in June with a peak of 60+ CVEs resolved in a single update and remaining in the double digits for the remainder of the year.  Safari on the other hand, is a lot higher than their average, but in their case keep two things in mind.  Most of the hacker shows like Pwn2Own and many of the Zero Day teams target combinations of products like Java or Flash and the top three browsers in their exploits.  Apple also has a security by obscurity mentality where they do not disclose everything that is wrong.  Likely their counts are that much lower because they are not giving out bounties (to my knowledge), not targeted by the white hats or professional teams searching out vulnerabilities, and also possibly fix things ninja style and don’t open a CVE.

BrowserVulnCount

 

If you look at vulnerabilities by CVSS over all time Internet Explorer has the most vulnerabilities over 9+, followed by FireFox, Safari, then Chrome.  For those of you unfamiliar with CVSS, it is a scoring system for determining how severe a vulnerability is with a 10 being the highest rating a vulnerability can receive.

LifetimeVulnCVSS9

Fun fact time!

  • Adobe Flash released on Patch Tuesday every month, but February this year, but in February they released the week before and the week after Patch Tuesday.
  • Adobe Flash had 15 updates released in 2014 resolving 76 vulnerabilities.
  • 13 of those 15 were Priority 1 updates, meaning they resolved critical security vulnerabilities.
  • 11 of the vulnerabilities resolved by Flash updates in 2014 were publicly disclosed.  2 have been added to commercially available frameworks, and 2 were discovered in the wild in the form of Virus or Malware attacks.
  • When you update Flash, that only covers the application install.  You must also update Chrome to the latest version and deploy a Security Advisory from Microsoft for IE.  That’s a three’fer!  Three vulnerable points to update for the price of one!

Last, but not least, lets look at what products had the most vulnerabilities in 2014.  Based on CVEDetails.com the top 10 products by Distinct Vulnerabilities for 2014 are as follows.  A lot of browsers in this list along with Java and Flash Player.  A lot of Apple on the list as well.

Top10VulnProd2014

Shavlik Security Advisory: Insufficient Patch Management Could Lead to Attacks From More Than Just Hackers

Two months ago, Shavlik released a security advisory alerting our customer community to the availability of off-the-shelf, exploit kits that enable less sophisticated hackers to mimic a Target-like attack.

In that advisory, Rob Juncker, Vice President of R&D for Shavlik, accurately predicted the availability of these exploit kits would lead to the following.

  • More companies will be coming forward to report breaches.
  • The scope of these breaches will go beyond retailers to impact all types of business that have valuable and private information.

Earlier this month, the game changed again, but this time the threat doesn’t come from hackers alone; it’s coming from the court room, the halls of government, and maybe even from your own employees. For the first time we are seeing companies being held legally and financially responsible for security breaches that occurred due to insufficient and/or negligent security practices.

Today, Shavlik is issuing another security advisory to draw your attention to three landmark cases that made headlines earlier this month.

 

$150K HIPAA Fine for Unpatched Software  

Anchorage Community Health Services was fined $150,000 by the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) for “failure to apply software patches [that] contributed to a 2012 malware-related breach affecting more than 2,700 individuals,” according to GovInfoSecurity.

This incident is the first where a company has been held liable by OCR for failing to patch software, and now a precedent has been set, making disciplined patch management a critical part of HIPAA compliance.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities,” OCR Director Jocelyn Samuels said to GovInfoSecurity.

 

Target Ruling Raises Stakes for Cybersecurity Vigilance 

U.S. District Court in Minnesota denied Target Corporation’s motion to have litigation dismissed that has been filed by financial institutions who suffered losses as a result of Target’s 2013 data breach.

According to Reuters, Judge Paul Magnuson found “…banks were foreseeable victims of Target’s allegedly negligent conduct.”The report went on to say, “Importantly, Judge Magnuson said that imposing a duty of care on Target ‘will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.’”

This case may set a precedent for companies to be financially liable to both consumers and financial institutions for breaches that compromise customer data.

 

Employee Data Breach the Worst Part of Sony Hack

Two employees filed a class action lawsuit against Sony for allegedly not taking adequate precautions to secure employee data.

According to an article posted on TechCrunch, “The complaint references a tech blog reporting to note that Sony was aware of the insecurity on its network and took the risk.”

It has been confirmed that employee emails, website viewing activities, credit card website credentials, and social security numbers were among the data made public as a result of the Sony breach, and now after having already lost an estimated $100 million, Sony could be in for more expense at the hands of its own employees.

 

In a month where the security stakes have never been higher for corporations, CIO Magazine reported that Most Companies Fail at Keeping Track of Patches, Sensitive Data. According to its report,

  • 12% of companies have no patch management process at all
  • 58% of companies have a patch management process that is not fully mature (e.g. may patch the OS but not third-party applications)
  • 19% of companies have no control or tracking of sensitive data at all

If you see your organization in any of these statistics, now is the time to act. Your response will not only help keep your company out of the headlines but also out of the court room.

December Patch Day Round-Up

ShavlikSecurityAlthough it was not as large as the November Patch Tuesday, December’s Patch Tuesday still had some important updates to close out the year.  Microsoft released seven bulletins, three of which were critical.  The three critical updates affect Internet Explorer, Microsoft Office, and VBScript engine.  Also, the Exchange update (MS14-075), which was deferred from the November Patch Tuesday, did release this month.

The Microsoft side of Patch Tuesday does not seem all that daunting of a challenge aside from the Exchange update.  Adobe, on the other hand, has added a number of critical updates to the December Patch Tuesday, which effectively doubles the priority 1 list for the month.  Adobe pre-announced an update for Acrobat and Reader, but on Patch Tuesday they released updates for Flash, Shockwave, and ColdFusion.  Shockwave and ColdFusion were lower priority updates, but the Flash update is resolving a vulnerability which was already being exploited in the wild.  We also have a couple of things to for you to watch out for in today’s Patch Tuesday Round-Up.

Known issues to look out for:

  • KB3004394: An update Windows Root Certificate Program in Windows, has caused some issues for companies.  The update, when applied to Windows 7 or Server 2008 systems, has caused a few issues such as MMC functions requiring Administrator authentication even when logged on as an Administrator, Windows Defender Service failing to start, and Windows Update Service being unable to apply additional updates.  KB3024777 has been released to fix the issue by removing KB3004394.
  • An issue occurred on Windows 10 Technical Preview where some users had to remove Office before they could apply the December update.  Recommendation is to try applying the updates before going through the more tedious workaround of removing office, installing updates, then re-installing office.  Most users will not see the issue.
  • Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • Two of the November Bulletins had re-releases for specific affected products.  You will likely see some of those updates being reapplied this month.  Recommendation is to do so as the original fixes were not complete.  MS14-066 (Schannel) update on Vista and 2008 and MS14-065 (IE Cumulative) update on IE 8 for Windows 7 or 2008 R2 or IE10.  In the case of IE, applying the December IE Cumulative will also resolve the issues in the re-release.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

Normally I would start with Microsoft, but your highest priority this month should be Adobe Flash, the Advisory for updating the IE Flash Plug-In and the Google Chrome update to update Flash.

  •  APSB14-27 : Security updates available for Adobe Flash Player – This update resolves six vulnerabilities, one of which (CVE-2014-9163) was discovered being exploited in the wild.  The CVSSv2 base score for this vulnerability is a 10.0, which is the highest that can be assigned and it is Network Exploitable meaning an attacker does not need local network access or local access to exploit the vulnerability.  Admins should ensure they update Flash this month.  Not only for this update, but also for the other two Flash updates that occurred since November.  To fully patch Flash you must also update the Advisory for IE and the Chrome release so you have updated the plug-in for both browsers.
  • MSAF-034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer  – Updates the Flash Plug-In for IE.  Nuff said.
  • CHROME-119: Chrome 39.0.2171.95 – Ditto on the Flash Plug-In.  Update it.  In addition Google released a Chrome update just after the November Patch Tuesday that included 42 security updates, including many High priority updates.  That is two very good reasons to update Chrome ASAP.
  • MS14-080: Cumulative Security Update for Internet Explorer (3008923) – This update is rated as Critical and resolves fourteen privately reported vulnerabilities in Internet Explorer.  Many of the vulnerabilities involve memory corruption, continuing a trend we have seen for most of 2014.
  • MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) – This update resolves two privately reported vulnerabilities in Microsoft Word and Office Web Apps, which could lead to remote code execution if exploited.  The attacker would gain rights equal to the logged on user, so running as less than a full admin could reduce the impact of this type of attack if exploited.
  • MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) –  This update resolves one privately reported vulnerability in the VBScript engine.  If exploited an attacker would gain equal rights to the logged on user.  If the user is a full admin, the attacker would gain complete control of the affected system.
  • APSB14-28 : Security Updates available for Adobe Reader and Acrobat – This update resolves 20 privately reported vulnerabilities in Adobe Acrobat and Adobe Reader.  The impacts vary, but the worst of these could lead to code execution.  Adobe rated the update as a Priority 1, the highest priority Adobe assigns.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) – This update is rated as Important and resolves four privately reported vulnerabilities in Microsoft Exchange server.  Originally slated for November, this update was held until the December release.  Also, if you wait for the cumulative updates before updating, you may want to read up on the latest here.  The Exchange 2010 CU8 ran into some issues and was pulled from circulation then re-released.  The updated RU8 package is version number 14.03.0224.002 if you need to confirm you have the updated package.
  • MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Office.  If you have not rolled this out yet please check on this article which I referenced in the known issues above.  “Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) – This update is rated as Important and resolves two privately reported vulnerabilities in Microsoft Excel.
  • MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) – This update resolves one privately reported vulnerability in Microsoft Graphics Component which could lead to information disclosure.

And that closes out December’s Round-Up.  Hopefully you all have your patching wrapped up before Christmas so you can relax, kick back, and enjoy the holidays.