“Do you know the way to San Jose?”

Another cyberattack targets the San Fran Transport Agency.


Normally the 181 Express to San Jose will cost you about $10 and take about 1 hour and 42 mins. But this weekend you could travel for free, thanks to another demonstration of cybercrime—this one reconfirming the dangers of ransomware and its potentially devastating effects when used against public service networks.

In this case, screens that would normally show train departure and arrival times displayed a message informing users they had been hacked, and that MUNI, San Francisco’s Municipal Transportation Agency, had one more day to pay the bitcoin ransom equivalent to $73K.

While it’s not yet known who’s responsible for the attack, nor exactly how they did it, numerous reports suggest the hacker used the email address previously linked to the Mamba ransomware strain first seen in September 2016.


A screen at a Muni train station shows the malware message from HDDCryptor.

Assuming this attack is linked or similar to Mamba, it’s worth looking at in a little more detail.

Mamba, named after the deadly snake, takes a different approach to encrypting files than other ransomware strains by trying to encrypt the entire drive—not just your data files. This means it’s not just your files but the whole OS, including the master file table, that could get encrypted.

Mamba uses the freeware DiskCryptor software to encrypt the drive. It’s highly likely that unaware users are clicking on links or attachments in targeted emails, which download both the scripts and the tools used to encrypt the drive.

This type of ransomware is perfect for an attack on an organization like MUNI. Why? Unlike other attacks we have seen (like in healthcare), where the encrypted data and personal files are worth big money on the black market, knocking operating systems out at a public transportation agency brings operations to a screaming halt, causing service disruption, revenue loss, and a ransomware fine well worth paying. And what commuters don’t think about while they are enjoying a free ride is that the lost revenue and ransom costs are more than likely going to be recouped through increased commuter costs.

So, in the long run, everyone but the hacker loses out in the aftermath of an attack. That’s why organizations must do more to prevent attacks rather than simply detecting them.

Wherever you are in the world, you probably have organizations, governments, and security authorities providing recommendations on how to protect your organization from threats like Mamba. The FBI, the Australian Signals Directorate, the UK’s National Technical Authority for Information Assurance (CESG), and the SANS institute are just some examples.

These experts all agree that to protect against attack you should:

  • Patch the OS
  • Patch apps (not just Microsoft ones)
  • Remove local administrative privileges from the desktop estate
  • Implement application control or whitelisting to allow only the known good

Shavlik offers a solution that addresses all four of these prevention approaches: Shavlik Patch patches the OS and third-party applications, and Application Manager for SCCM removes local administrative privileges and provides application control.

Latest Updates for macOS Sierra and more…

Early last week Apple released update 10.12.1 for macOS Sierra, Security Update 2016-002 for El Capitan, and Security Update 2016-006 for Yosemite. Updates were also released for Safari 10.0.1 and iOS 10.1.1. These updates were released just in time for an Apple-hosted, Mac-centric product event.

Since 10.12.1 is the first update to macOS Sierra since its release, it includes a number of fixes for some of the most pressing issues identified in this latest operating system. Here are some of the fixes that are available with macOS Sierra 10.12.1:

  • An automatic smart album in Photos for Depth Effect images taken on iPhone 7 Plus
  • Improved compatibility between Microsoft Office and iCloud Desktop and Documents
  • Improved security and stability in Safari
  • Improved reliability of Auto Unlock with Apple Watch
  • Fixed issue where mail was prevented from updating when using a Microsoft Exchange account
  • Fixed issue where text was sometimes pasted incorrectly when using Universal Clipboard

macOS Sierra/El Capitan/Yosemite

macOS Sierra 10.12.1 includes fixes for 14 vulnerabilities, Security Update 2016-002 for El Capitan includes fixes for 8, and Security Update 2016-006 for Yosemite includes fixes for 5.

Many of the vulnerabilities relate to escalation of privilege, arbitrary code execution, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4661: An application may be able to cause a denial of service.
  • CVE-2016-4675: A libxpc component vulnerability where a local application may be able to execute arbitrary code with root privileges.
  • CVE-2016-4669: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel.

These examples are noteworthy because local vulnerabilities of this kind are often the starting point for exploiting a system through social engineering. Once the attacker has a foothold, the other vulnerabilities may be useful to gain additional access or information.

Safari 10.0.1

This update includes fixes for 4 vulnerabilities, all of which address the issue where processing malicious web content may lead to arbitrary code execution. Since these vulnerabilities are triggered by users visiting bad websites or web ads, which may result in running malware, this update should be applied on all systems.

iOS 10.1.1

This update includes fixes for 17 vulnerabilities, one of which was just added today. These vulnerabilities span issues from arbitrary code execution to the leaking of sensitive user information.

Summary

It is highly likely that additional fixes will be added to the iOS update in the upcoming days. You can also expect to see a macOS Sierra 10.12.2 update released to the general user base soon, since the macOS Sierra 10.12.2 update is already in beta.

Windows 7 and 8.1 servicing changes!?!?

I have had this question come at me from a dozen directions today, so I thought I would provide my thoughts on these changes in a more consumable and easily shared format.

First off, let’s summarize the changes. Microsoft has announced that it is changing the servicing model for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. There will be a monthly roll-up similar to Windows 10, where all security and non-security updates are bundled in a single cumulative update. This means that starting in October the OS and IE updates will consolidate from several individual updates into a single cumulative bundle. Come November, the next cumulative will include the October updates as well, and so on.

Microsoft is also going to provide a security-only bundle for each month, which is a little different. The security-only bundle will allow enterprises to download only the security updates, but it will still be a single package with all of that month’s security updates bundled together.

.Net Framework will have a separate monthly roll-up and security-only option that updates only the versions of .Net already installed on the system. This update will not upgrade .Net to a newer version.

FAQ:

We will start with my favorite one.  Q: Did this change surprise you?

Chris: No, I actually made a prediction internally and had a bet with one of our content team members.  The prediction occurred when Microsoft first released the Convenience Roll-up.  I predicted that Microsoft would make this change before the year was out.  It just seemed like a logical next step.  Tylere owes me a six pack of good craft beer now.

Q: Why did Microsoft make this change?

Chris: They state similar reasons in their blog post that I linked to above. I will state one other reason that I expect had a little something to do with it. This was one of the final barriers to many companies making the switch to Windows 10. Being able to pick and choose which updates to deliver to systems, especially when something breaks, had many companies holding back from moving to Windows 10. Moving to the bundled approach removes this convenience, although they are providing the security-only bundle for each month. One thing to note: in the write-up Microsoft did not state whether this security-only bundle is cumulative, so we will have to wait and see.

Q: Why is the cumulative bundled approach a deterrent for enterprises?

Chris: The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle, which may include many security fixes, and a business-critical application, if the two conflict. On pre-Windows 10 systems a single conflicting patch would mean making an exception for one patch instead of the entire month’s patch bundle.

If you recall the Windows 10 cumulative for January that broke the Citrix VDA client, Microsoft and Citrix had to coordinate a window of opportunity for Citrix to release an update to resolve the issue. In this case it was a pretty quick turnaround, and customers with the VDA client installed on Windows 10 were able to apply the VDA update a week later and then apply the Windows 10 January cumulative.

It did not seem too bad with just one week of lag time, but what if the cumulative breaks an application that is home grown or one that is from a vendor who may no longer be in business? If a fix is either not forthcoming or comes months later, this means that you cannot apply the next month’s cumulative, or the month after, etc., until the issue is fixed. I have talked to many companies about concerns regarding the cumulative bundled service model for this reason.

Q: What does this mean for the Shavlik or LANDESK products I use to patch my environment?

Chris: Like Windows 10, for us it is business as usual. We will continue to support these updates as they are released. It really is just a change from 6-10 OS patches each month down to 1 patch that needs to be applied for the OS and IE. So expect a cumulative roll-up or security-only bundle for the OS, a .Net roll-up, and other Microsoft apps like Office, SQL, and SharePoint mixed in depending on the month.

As always, we will be keeping an eye on any changes that develop and providing guidance and recommendations.  Sign up for our Patch Tuesday webinars to keep up to date on the latest from Microsoft and 3rd Party Vendors like Adobe, Google, Mozilla, Apple, Oracle and more.  From our Patch Tuesday page you can find future webinar registrations, previous Patch Tuesday infographics, presentations, and on-demand webinar playback from previous months.

July Patch Tuesday 2016


Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, which is a Priority 1 update resolving 30 vulnerabilities. As a reminder, the last Acrobat\Reader update was in May, which was also a priority two with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th.  Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management, meaning, if a user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system.

MS16-086 is a cumulative update for JScript and VBScript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022, released in April 2010. The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.” The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016. It seems a cumulative JScript/VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow for Remote Code Execution and Elevation of Privilege attacks if the attacker is able to perform a man-in-the-middle attack on either a workstation or print server, or by setting up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper Privilege Management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted office document. An attack could come in the form of an email attachment or through hosted web content. On SharePoint, the vulnerabilities appear to only allow for Information Disclosure by documentation, provided by Microsoft, and the rating drops to important for SharePoint and Web Apps components. Thus, the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday Bulletins.  For more detail join us tomorrow for our regular Patch Tuesday webinar.


How much could your world change in two weeks? From a Security perspective, everything could.


It has been just two weeks since RSA.  What has changed in this time frame?  Well, we had a Patch Tuesday, for one.  Barely two days later Adobe Flash released an update including fixes for known critical vulnerabilities including one that was observed in targeted attacks.

According to Verizon’s 2014 breach report, within two to four weeks, 50% of the vulnerabilities that will ever be exploited have already been exploited. Verizon’s 2015 DBIR goes a step further and talks about ways to profile a vulnerability to start to identify those likely to be exploited in that first 30 days. They said a CVE being added to Metasploit is pretty much the single biggest indicator that it has been or will be exploited in the wild. Another interesting pattern was identified when they looked across the 67k CVEs and found the 792 that were exploited. When you get down to the 24 that were exploited in the first month, a pattern emerges. The majority of the CVEs that were exploited were Access Vector: Network and Authentication: None. The CVEs exploited in the first 30 days were predominantly CVSS 9 or 10, with Confidentiality, Integrity, and Availability impact all rated Complete.

So 1 out of every 100 CVEs will be exploited, and 50% of those will be exploited in 30 days or less from the date of publication. If you saw my 2015: Top 5 Vulnerable Vendors post in mid December, you may recall the huge increase in the number of vulnerabilities identified last year. Based on those numbers, the top 5 vendors last year accounted for 2624 vulnerabilities identified and addressed in 2015. So 26 of those were exploited, and one should have been in the 30-day window. Adobe Flash accounted for more than 5 Zero Days alone last year.

Since RSA, LANDESK acquired AppSense! Among other things, AppSense provides Application Whitelisting and Privilege Management. The Australian Signals Directorate, SANS, and many other security agencies outline certain preventative strategies that should be at the heart of any security strategy. Application Whitelisting (AppSense), Patching Applications (Shavlik), Patching the Operating System (Shavlik), and Restricting Administrator Privileges based on user role (AppSense) can eliminate “At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to”.

I read a few different perspectives on RSA this year after the show was over.  Having been there this year and experiencing it first hand, I found this blog post by Gartner’s Anton Chuvakin to be very close to the mark. It is a good read, but here are a couple of excerpts that I found interesting: 

“A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream.”

I saw a lot of this at the show as well.  Having an IT background and working on a product line that focuses on the Operations side of the house I can attest to the fact that there is still a gap between Operations and Security. Much of the focus and many of the “cool” solutions cater to the security 1%-ers.  Preventative measures are often overshadowed because they have been around for a long time and lack the glamour of the new security solutions, but they have a tried and true track record and can reduce risk to your environment significantly.

“Does this shit work and is it cost effective?!!”

This one actually cracked me up. Even more so because we are partnering with the team over at Bufferzone and I had a chance to listen to them position their offering.  Israel Levy delivered it in one simple statement, “You have heard of Bromium. Well this is Bromium, but it works.” I laughed when I first heard him and his team using this delivery, but after talking with them more I can absolutely understand and agree with it.  Bromium apparently has extremely high resource costs to run.  4GB RAM, i3 or better CPU, and Windows 7 or later.  Bufferzone will run lighter and across a broader set of hardware.

So, looking out two weeks, we will have a webinar with the Bufferzone team talking about how Shavlik and Bufferzone together give you a stronger layered security approach.  Check out our webinar: Don’t Let Hackers in Through the Front Door!

Year of breaches takes toll on IT professionals

The last 12 months was undoubtedly a year full of high profile incidents for the security industry, from hacks to botched product updates. Shavlik, a pioneer in agentless patching technology, conducted its annual research report to identify the key security challenges that IT professionals are facing in their roles. This year, the results identified a strong shift in the risk this community associates with the security of assets and devices.

Security Concerns

It’s been revealed that over half (58%) of IT professionals are more concerned about system security than they were 12 months ago. And this makes sense after going through the list of repeated security breaches and data losses that 2015 brought with it. Organisations are now very aware of the sophistication and tenacity of modern hackers – either through their own experiences or in seeing the impact on others.

Windows Updates

The research also found that when it came to operating system patching security, 86% of the respondents agreed that Microsoft operating systems were seen to pose the strongest and most consistent challenge to their respective organisations and workforce.

It is interesting to note here that when compared to the 2014 research study, this issue has seen a 33% spike in associated risk. Some have linked this spike with the poor level of Windows 10 updates for business driving a general feeling of lack of control among IT professionals in the industry.

As we know, Microsoft offers automatic patching updates for Office users; however, many organisations may not want to have every user and every computer individually downloading the large updates that frequently come with new releases. This perceived lack of control mainly concerns the potential for system downtime and data vulnerability, which is understandably an issue for IT professionals.

Device Management

Last year, the focus of the enterprise market was on BYOD/CYOD working structures and the promise of a truly flexible/remote workplace. The trend in the previous year’s study showed that 91% of respondents felt that they were unable to cope with patching mobile devices once users take them out of the office. Last year more than two-thirds (64%) of respondents also admitted they did not understand how vulnerable mobile users were to current or existing risks. Now fast forward to 2016 and you see a significant fall in concern in these areas, as IT professionals now have a better grasp of mobile device patching and security management.

This decreased concern for mobile devices indicates how much the industry has moved along as IT professionals have now stopped siloing mobile devices and systems within their organisation. Instead organisations are now moving toward strategies that cover all types of devices.

Truly good security management solutions enable mobile devices to be considered alongside laptops and other corporate systems, which is what we are seeing many companies readily embracing for 2016.

This coming year is most definitely the year of cybersecurity and increased IT support, considering the variety of existing threats to the whole organisation – irrespective of selected devices. The sophistication of recent hacks has highlighted that companies need to consider organisation wide security approaches to vulnerabilities to better protect their assets. All the while making the process of patching easier to manage.

Take a look at our Infographic for all the key findings from the survey.

Leap Day: A Good Time to Leap Into Better IT Security

It’s February 29. Leap Day. The only day of the year that only happens every four years.

Leap Day and the entire leap year are opportunities to adjust our timekeeping methods and tools to realign them with those used by the rest of the Solar System.

Leap years have also seen some significant historical events—some good, some tragic.

1752: Benjamin Franklin is believed to have flown a kite in a storm to prove his theory that lightning is in fact electricity. (Thomas-François Dalibard of France did in fact perform the same experiment the same year, based on Franklin’s writings).

1848: gold is discovered in California.

1876: George Armstrong Custer and his troops fight the Battle of the Little Bighorn.

1912: RMS Titanic, the largest ship afloat at the time, strikes an iceberg and sinks.

Leap Day just might also be a great time to improve IT security at your organization. After all, it is an “extra” day, and what security team couldn’t take advantage of an extra day?

One suggestion: review your patch management processes. Look for ways to shorten the vulnerability gap—the time between when a vulnerability surfaces and when your organization deploys the patch delivered for it. Kenna Security research found in 2015 that 90 percent of vulnerabilities are exploited within 40 to 60 days, but enterprises can take 120 days or more to deploy patches. Whatever you can do to reduce this gap improves security at your organization, and is definitely worth doing.

For some additional suggestions, check out “New Year, No Fear: Lessons Learned from 2015 and Resolutions for 2016.” Then, make your own “great leap forward” toward better security at your organization.

Cybersecurity in 2016: Predictions from Elsewhere

One of the best things about this time of year is the spate of predictions that accompany the season. Herewith, a look at some of the more interesting security-related predictions from various IT and security industry observers.

Forrester Research “is one of the most influential research and advisory firms in the world”—according to the company’s website. Hard to argue. On Nov. 30, 2015, Health Data Management published “5 Cyber Security Predictions for 2016,” a summary of predictions from Forrester. Here’s what Forrester predicts, according to that article.

  • We’ll see ransomware for a medical device or wearable
  • The U.S. Government will experience another significant breach
  • Security and risk pros will increase spending on prevention by five to 10 Percent
  • Defense contractors will fail to woo private industry with “military grade” security
  • HR departments will offer identity and credit protection as an employee benefit

On Dec. 15, 2015, Network World published “A Few Cybersecurity Predictions for 2016,” an article by Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG). ESG is a firm with “a 360° perspective” and “remarkably detailed, nuanced views of technologies, industries, and markets”—according to the company’s website. Herewith, a summary of Mr. Oltsik’s predictions from that article.

  • Greater focus on cyber supply chain security
  • The consumerization of authentication
  • Cyber insurance continues to boom
  • A rise in ransomware

A wide range of predictions can be found in “The 2016 Websense Cybersecurity Predictions Report.” The report is produced by Raytheon|Websense Security Labs, part of a joint venture that combines Websense with Raytheon Cyber Products. The venture “brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats,” its website says. The predictions from its report appear below.

  • The U.S. elections cycle will drive significant themed attacks
  • Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
  • The addition of the gTLD [generic top-level domains] system will provide new opportunities for attackers
  • Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
  • DTP [data theft protection] adoption will dramatically increase in more mainstream companies
  • Forgotten ongoing maintenance will become a major problem for defenders [of IT security] as maintenance costs rise, manageability falls and manpower is limited
  • The Internet Of Things will help (and hurt) us all
  • Societal views of privacy will evolve, with great impact to defenders

Perhaps some of the most interesting predictions for 2016 and beyond can be found in “McAfee Labs Report 2016 Threats Predictions.” McAfee Labs, now part of Intel Security, “is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership,” according to the report’s introduction. The report begins with a five-year look into the future, created by 21 of Intel Security’s thought leaders. Here’s a summary of what they predict for the next five years.

  • The cyberattack surface will continue to grow, thanks to continuing explosive growth in users, devices, connections, data and network traffic
  • Attacks and defenses will continue and increase a shift in focus, away from systems and applications and toward firmware and chips themselves
  • Attacks will continue to become more and more difficult to detect
  • Virtualization will present more and different cybersecurity threats and opportunities, especially as network function virtualization (NFV) grows in popularity
  • New device types, including wearables and those connected to the Internet of Things (IoT), will challenge security efforts, and cyber threats will continue to evolve
  • IoT security standards will evolve and improve
  • The growing value of personal data will lead to more sophisticated thieves and markets, and more security and privacy legislation.
  • The security industry will fight back, with new and evolving tools including behavioral analytics, shared threat intelligence, cloud-integrated security and more automated detection and correction.

The range of these predictions and the common elements that link many of them provide valuable guidance and validation to any of you who are seeking to improve security at your enterprise. And of course, we at Shavlik have our own predictions to add to the mix, as well as a review of how well we did with our end-of-2014 predictions. You can download these here. We hope you’ll find all of these predictions, from Shavlik and elsewhere, helpful and inspirational. Here’s to a happy, productive, profitable and secure 2016 for you and your enterprise.

A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently, discussing the number of bulletins and vulnerabilities released/resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released and a total of 571 vulnerabilities resolved. This is the highest bulletin count ever, over the previous high of 106 bulletins shared by 2010 and 2013. It also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins, and is more than double the number of vulnerabilities resolved in 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:

[Figure: summary of the top 5 vulnerable vendors of 2015]

As you can see there is a trend here and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012 and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and there are more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product market in today’s dark web hacking services markets and the number of products and increase in features they provide coincide with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. From the time a vendor releases the update that resolves a vulnerability, barring a Zero Day, you have about two weeks before the exploits start to hit. According to the Verizon 2015 Data Breach Investigations Report, 50 percent of the vulnerabilities that will be exploited are exploited within two to four weeks of the vendor's update. Kenna Security, one of the contributors to the Verizon report, released an additional report that goes further out and shows that 90 percent of the vulnerabilities that will be exploited are exploited within 40 to 60 days of the update being made available. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of the vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve them. In the case of web exploits that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend in exploits and a shrinking window between a vendor's update and exploit code being made available to take advantage of the resolved CVEs. The events of the three previous years set the stage for vendors in 2015. Let's take a look at our top 5 vendors and talk about how this trend may have affected each.

Apple has a combination of OS, browser and media player products, all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X-related malware. "There's been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined." With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market and has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time, and there is no question that the trends we are seeing have directly affected it. The thing I will add here is that Windows 10 and Edge were likely much less significant contributors. OS bulletins released since Windows 10 shipped have affected earlier versions of Windows similarly, and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVEs affecting Windows 10, you will see in the description a list of many of the other currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of those CVEs affected other components of the OS and the IE browser as well. Similar to Apple, the increase in CVEs is in part due to Microsoft focusing on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as Apple's, Microsoft's or Adobe's. Cisco's proprietary OS for its devices has a CVE count on par with many individual Windows OS versions and Linux distributions. It has other products, such as Cisco AnyConnect VPN, that could be ideal targets for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, the other significant contributing factor is its huge product list: over a thousand products, each with a small contribution, are what get it into the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013 and was the only vendor of the top five that didn't set a new CVE record this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java; if you updated Java, you broke the application. This resulted in an easily exploitable scenario that threat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days it had been since the last Java Zero Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. Java reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since that Zero Day, and Java's CVE count for the year (80) is trending down from its 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With more than three times the increase in CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Flash Player has gained the same broad use and popularity that caused Java to become a target, and it has quite possibly topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering streak of eight Zero-Days. Early in the year three Zero-Days were reported in a two-week span, the Hacking Team breach uncovered a few more mid-year, and it did not stop there. Security experts have called for the death of Flash Player, from Brian Krebs' life-without-Flash-Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of Adobe's 440 CVEs for 2015, which on its own more than doubled Flash Player's 2014 count of 138. Adobe is trying to move away from Flash, and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, the OS and commonly used media products are significant contributors to the counts for our top 5 vendors. Browsers are another significant contributor. Apple Safari contributed 135 CVEs and Microsoft Internet Explorer 231 to their vendors' total counts this year (Edge, a late-year entry, added a further 27). Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 of Google's total of 321, putting Google in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 of Mozilla's 187, placing Mozilla at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall, if you are running a computer with an operating system, a variety of media player products and a browser, you can rest assured that you are about as exposed as it gets. The window between a vendor's update and working exploit code has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver the updates for the vulnerabilities most likely to be exploited first. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinar series, where we discuss the updates released on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly, and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their need to reboot and finalize installs of updates effectively. The Protect Cloud-enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end-user system. We host this service for you and provide it as part of the base feature set of our product, so you can reach those systems and report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options, from deferring the reboot for up to seven days, to rebooting at logoff or at the next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products on my network? We have a plug-in for Microsoft System Center Configuration Manager called Shavlik Patch. It provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM without changing your infrastructure or the processes you have in place.
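To make the exploit-gap numbers and the "deliver the most likely to be exploited updates first" advice concrete, here is a small prioritizer in Python. It is an added example and is not Shavlik code or the logic of any Shavlik product; the MissingUpdate record, the 7- and 14-day tier thresholds and the sample backlog are assumptions constructed for the illustration and name no real bulletin or CVE.

```python
"""Rank missing updates by exploit-gap age and exploit indicators.

Added example, not Shavlik code. Thresholds follow the figures quoted in the
article (exploits typically appear about two weeks after a fix ships); the
backlog at the bottom is constructed for the demo and names no real bulletin or CVE.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class MissingUpdate:
    name: str               # hypothetical label for the demo
    category: str           # "os", "browser", "media player", "runtime", ...
    released: date          # day the vendor shipped the fix
    severity: str           # "critical" | "important" | "moderate" | "low"
    exploit_public: bool    # exploit code or an exploit-kit module is circulating
    zero_day: bool = False  # was being exploited before the fix shipped


SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}
EXPLOIT_GAP_DAYS = 14       # ~2 weeks from fix to working exploit, per the article
NEXT_CYCLE_DAYS = 7         # assumption: anything a week old goes in the next cycle


def age_days(u: MissingUpdate, today: date) -> int:
    """Days the fix has been available: the window attackers are working in."""
    return (today - u.released).days


def tier(u: MissingUpdate, today: date) -> int:
    """Deployment tier, lowest first.

    0: exploit already public or a zero-day -> out of band, deploy now
    1: past the exploit gap, or critical    -> this week, not the monthly window
    2: about a week old                     -> next scheduled cycle
    3: fresh                                -> can wait for the monthly window (test it meanwhile)
    """
    age = age_days(u, today)
    if u.zero_day or u.exploit_public:
        return 0
    if age >= EXPLOIT_GAP_DAYS or u.severity == "critical":
        return 1
    if age >= NEXT_CYCLE_DAYS:
        return 2
    return 3


def prioritise(updates: Iterable[MissingUpdate], today: date) -> List[MissingUpdate]:
    """Order by tier, then severity (high first), then age (oldest first)."""
    return sorted(
        updates,
        key=lambda u: (tier(u, today), -SEVERITY_RANK[u.severity], -age_days(u, today)),
    )


def sla_breaches(updates: Iterable[MissingUpdate], today: date,
                 sla_days: int = EXPLOIT_GAP_DAYS) -> List[MissingUpdate]:
    """Fixes still missing after the SLA: the long tail the breach reports describe."""
    return [u for u in updates if age_days(u, today) > sla_days]


def tier_counts(updates: Iterable[MissingUpdate], today: date) -> Dict[int, int]:
    """How much of the backlog sits in each tier (useful as a weekly KPI)."""
    counts: Dict[int, int] = {}
    for u in updates:
        t = tier(u, today)
        counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample backlog as of a made-up scan date; not real vulnerability data.
SAMPLE_TODAY = date(2016, 1, 15)
SAMPLE_CATALOGUE = [
    MissingUpdate("media-plugin-fix-A", "media player", date(2015, 12, 8), "critical", exploit_public=True),
    MissingUpdate("os-fix-B", "os", date(2016, 1, 12), "important", exploit_public=False),
    MissingUpdate("office-fix-C", "productivity suite", date(2016, 1, 5), "critical", exploit_public=False),
    MissingUpdate("media-player-fix-D", "media player", date(2015, 11, 10), "moderate", exploit_public=False),
    MissingUpdate("runtime-fix-E", "runtime", date(2016, 1, 6), "important", exploit_public=False),
    MissingUpdate("browser-fix-F", "browser", date(2015, 7, 7), "important", exploit_public=True, zero_day=True),
]

if __name__ == "__main__":
    for u in prioritise(SAMPLE_CATALOGUE, SAMPLE_TODAY):
        print(f"tier {tier(u, SAMPLE_TODAY)}  {age_days(u, SAMPLE_TODAY):4d}d  {u.severity:9s} {u.name}")
    print("past SLA:", [u.name for u in sla_breaches(SAMPLE_CATALOGUE, SAMPLE_TODAY)])
    print("backlog by tier:", tier_counts(SAMPLE_CATALOGUE, SAMPLE_TODAY))
```

In practice the exploit_public and zero_day flags come from your threat-indicator feed (exploit-kit trackers, vendor advisories, the Patch Tuesday briefings mentioned above), and the tiers map straight onto cadence: tier 0 goes out of band, tier 1 within the week, and only tiers 2 and 3 ride the scheduled cycle. The sla_breaches list is the one to watch; it is exactly the year-old backlog the Verizon numbers describe.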

The Communicator’s Corner: Patching 101

In this article, I'd like to get back to the basics and describe the best process for performing your patch management tasks. If you follow the steps provided here, you will reduce the number of deployments to your machines and make your workflow more effective.

Start with the Big Stuff: Apply all Service Packs

The best approach to maintaining patch levels on a machine is to start with service packs. Service packs are large, invasive updates that change a great deal of the machine's state. Vendors typically recommend installing service packs one at a time, and Shavlik Protect enforces this recommendation programmatically by not allowing more than one service pack in a deployment. You will almost always want to perform a reboot before applying additional service packs or patches.

Detailed Course of Action

Here is your best course of action when applying service packs and patches.

  1. Start with any operating system service packs.

Be sure to adequately test the service pack before deploying it to your entire organization. After deploying the service pack, reboot the target machines and then perform a fresh scan. Rescanning gives you the new state of the machine so you can continue applying service packs.

  2. Apply major product service packs such as Office, Visio and SQL.

Order does not matter here, but we do recommend rebooting between each of these major service packs. Though not as common, these product service packs can also change the state of a machine considerably.

  3. Deploy any remaining service packs and then rescan the target machines.

The remaining service packs must be pushed in separate deployments, but you can perform those deployments without a reboot. Provide an adequate delay between each deployment. When the last service pack is applied, reboot and rescan the target machines.

  4. Deploy any missing patches and perform a reboot.

This will include patches for:

  • Microsoft operating systems
  • Microsoft products such as Office, Internet Explorer, etc.
  • Third-party patches

You may need one or more additional reboots here, depending on the state of the machine.

  5. Rescan and confirm that everything has been applied.

Notes and Tips

The steps described above may span several maintenance windows. In the case that you cannot perform all of the above in a single maintenance window, each step should be followed by a patch deployment to ensure you are not open to security vulnerabilities between maintenance windows.

Ideally, the steps above should be built into your machine build policy. This will ensure that your machines go into the field in the best shape possible. It is much easier to simply maintain your machines than it is to be in catchup mode and constantly be late applying many months’ worth of service packs and patches.
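The five steps and the maintenance-window note above, encoded as a small deployment planner so the ordering and reboot rules can be checked mechanically rather than remembered. This is an added example written for this article, not Shavlik Protect's code; the MissingItem record, the product groupings, the window-splitting rule and the sample scan result are assumptions made for the illustration and reference no real bulletin or KB number.

```python
"""Deployment planner for the Patching 101 sequence.

Added example, not Shavlik Protect code. The scan-result shape (MissingItem),
the product groupings and the sample scan are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class MissingItem:
    name: str      # hypothetical label; not a real bulletin or KB number
    kind: str      # "service_pack" or "patch"
    product: str   # e.g. "Windows", "Office", "SQL", "Exchange"


@dataclass(frozen=True)
class Deployment:
    step: str
    items: Tuple[MissingItem, ...]
    reboot: bool
    rescan: bool


OS_PRODUCTS = {"Windows"}
MAJOR_PRODUCTS = {"Office", "Visio", "SQL"}   # the examples named in step 2


def plan_deployments(scan: List[MissingItem]) -> List[Deployment]:
    """Turn one scan result into an ordered list of deployments."""
    sps = [i for i in scan if i.kind == "service_pack"]
    patches = tuple(i for i in scan if i.kind == "patch")
    plan: List[Deployment] = []

    # Step 1: OS service packs, one per deployment, reboot and rescan after each.
    for sp in (s for s in sps if s.product in OS_PRODUCTS):
        plan.append(Deployment("1-os-sp", (sp,), reboot=True, rescan=True))

    # Step 2: major product service packs, still one per deployment, reboot between.
    for sp in (s for s in sps if s.product in MAJOR_PRODUCTS):
        plan.append(Deployment("2-major-sp", (sp,), reboot=True, rescan=False))

    # Step 3: remaining service packs in separate deployments; the reboot and
    # rescan are deferred until the last one.
    rest = [s for s in sps if s.product not in OS_PRODUCTS | MAJOR_PRODUCTS]
    for idx, sp in enumerate(rest):
        last = idx == len(rest) - 1
        plan.append(Deployment("3-other-sp", (sp,), reboot=last, rescan=last))

    # Step 4: everything left (OS, product and third-party patches) goes out
    # together, followed by a reboot.
    if patches:
        plan.append(Deployment("4-patches", patches, reboot=True, rescan=False))

    # Step 5: confirm with a final rescan.
    plan.append(Deployment("5-verify", (), reboot=False, rescan=True))
    return plan


def validate(plan: List[Deployment]) -> bool:
    """Reject a deployment carrying more than one service pack (the rule the
    article says Protect enforces) and a plan that does not end in a rescan."""
    for d in plan:
        if sum(1 for i in d.items if i.kind == "service_pack") > 1:
            raise ValueError(f"{d.step}: more than one service pack in one deployment")
    if not plan or not plan[-1].rescan:
        raise ValueError("plan must end with a rescan")
    return True


def reboot_count(plan: List[Deployment]) -> int:
    return sum(1 for d in plan if d.reboot)


def split_into_windows(plan: List[Deployment], per_window: int) -> List[List[Deployment]]:
    """Spread the plan over maintenance windows of at most per_window deployments.
    Per the Notes and Tips: a window that stops before the patch step gets an
    interim patch deployment so the machine is not left exposed until the next window."""
    patch_steps = [d for d in plan if d.step == "4-patches"]
    windows = [plan[i:i + per_window] for i in range(0, len(plan), per_window)]
    for w in windows:
        if patch_steps and not any(d.step in ("4-patches", "5-verify") for d in w):
            w.append(Deployment("interim-patches", patch_steps[0].items, reboot=True, rescan=True))
    return windows


# Constructed scan result for the demo; not real data.
SAMPLE_SCAN = [
    MissingItem("Windows service pack", "service_pack", "Windows"),
    MissingItem("Office service pack", "service_pack", "Office"),
    MissingItem("SQL Server service pack", "service_pack", "SQL"),
    MissingItem("Exchange service pack", "service_pack", "Exchange"),
    MissingItem("Reader service pack", "service_pack", "Adobe Reader"),
    MissingItem("Windows security patch", "patch", "Windows"),
    MissingItem("Internet Explorer patch", "patch", "Internet Explorer"),
    MissingItem("Office patch", "patch", "Office"),
    MissingItem("Flash Player patch", "patch", "Adobe Flash Player"),
]

if __name__ == "__main__":
    plan = plan_deployments(SAMPLE_SCAN)
    validate(plan)
    for n, d in enumerate(plan, 1):
        flags = ("reboot " if d.reboot else "") + ("rescan" if d.rescan else "")
        print(f"{n}. {d.step:12s} {[i.name for i in d.items]} {flags}")
    print("reboots:", reboot_count(plan))
```

Run against the sample scan the planner yields seven deployments and five reboots: one for the Windows service pack, one each for Office and SQL, a single one after the last of the remaining service packs, and one after the combined patch deployment. Splitting it into windows of three deployments puts an interim patch push at the end of the first window, which is the "each step should be followed by a patch deployment" rule from the notes above.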

If you have more tips for patching, leave them in the comments below.