December is here and it finally snowed in Minnesota! In fact, we may get four to eight inches this weekend. So my Patch Tuesday Forecast, like winter up here in MN, was a little delayed, but better late than never! Get out your snow shovels and let’s dig in. There is already a little accumulation, with a zero day hitting in late November. If you haven’t already done so, update your Mozilla Firefox browser!
On the Horizon
In the last week of November, it became clear to many security researchers that there was a flaw in Mozilla’s browsers and in Tor Browser, which is based on Firefox. CVE-2016-9079 is a critical use-after-free vulnerability affecting the SVG Animation component in Firefox. Researchers, such as Malwarebytes, have evaluated the vulnerability and have explained that the goal of the exploit “is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is run directly from memory.”
Although the observed exploits targeted only Windows, the vulnerability exists on Linux and Mac platforms as well. The exploit code also seems very similar to another Tor exploit used by the FBI as an investigative technique to track down child pornography suspects. It is not currently known where this code originated, but it’s a good example of a user-targeted vulnerability.
The Mozilla update became available on November 30 for Firefox, Firefox ESR and Thunderbird. If you are already caught up, you will want to make sure you include Mozilla in your updates this month.
Security Tip of the Month
December is also getting well into the cold and flu season, so this month’s security tip will follow the theme of security hygiene. I just returned from the Gartner Data Center Conference in Las Vegas, where I attended a session by Neil MacDonald on security for cloud workloads. One of the things Neil mentioned was starting with a solid foundation, which he referred to as operations hygiene. I’m going to expand that out to a broader security hygiene message.
To stay well in the cold and flu season, you need to ensure you are getting rest and washing your hands, especially after coming into contact with someone who is sick or with areas frequented by many people. You need to keep up on your vitamin C and drink plenty of liquids. We need to do the same with security.
- Wash your hands – Make sure you have sanitized incoming email with junk mail and phishing filters.
- Use some sanitizer after coming into contact with highly public areas – Your users who travel in and out of the company will come into contact with public Wi-Fi. Users will browse the internet, open email with attachments and, in general, be exposed to potential attack vectors daily. Make sure their machines are getting sanitized with good signature, non-signature and behavioral threat assessments. Signature-based threat assessment alone is not enough anymore.
- Get your daily dose of vitamin C – Preventive security measures can defend against 80 percent of the threats in today’s market. Make sure you give your systems their shot of vitamin C in the form of patching the OS and software, use of least privilege rules and proper application control.
Your Patch Tuesday Forecast
Based on the trends we have seen this year, I think it’s safe to say the following:
From Microsoft, we are expecting around two to four installable packages:
- OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
- Office has been very consistent this year with updates pretty much every month. The question is whether this will be a single update or a couple for Office, SharePoint and Web Apps. I would say one for Office and a 50 percent chance of SharePoint/Web Apps.
- .NET is also likely this month. .NET updates hit five of six Patch Tuesdays in the first half of the year, and have been about every other month in the latter half.
- You can also expect an IE update for Flash Player.
From Adobe, you can expect one to three updates:
- Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all year, so expect that update.
- Adobe Reader and Acrobat both released an update back in October and have been pretty consistently having an update every two to three months this year. Those two are a possibility this month.
From Mozilla, you can expect one update this month:
- Mozilla’s update calendar is reflecting an update for Tuesday.
Total update accumulation: four to eight updates for Patch Tuesday next week.
As always, catch our Patch Tuesday blog and commentary next Tuesday, and sign up for our Patch Tuesday Webinar next Wednesday, December 14th, as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.