Re-vamp your patch policy this cyber security month

It’s October, and that means it’s cyber security month, so the perfect time to take a long, hard look at your cyber security strategy and make any necessary changes.

The last month has seen a variety of worrying incidents come to light: Equifax saw 145 million people’s PII (Personally Identifiable Information) leaked; the EternalBlue SMBv1 vulnerability continued to be a focus of attacks; and a banking system Trojan has been infiltrating businesses in Europe and Japan.

Cyber security month is as good a time as ever to think about the level of risk you are willing to accept for both your critical and non-critical systems. If you’re running a quarterly patch cycle, are you willing to run with unpatched systems for up to three months when the next patch cycle begins?


Vendors have been doing a better job responding to reported vulnerabilities in their software, but it is still up to internal security professionals to make sure we patch and protect our systems in a timely manner.

Before getting started with analysing this month’s Patch Tuesday updates, here is some advice on the BlueBorne vulnerability. This vulnerability, originally reported by Armis Security, exists in the Bluetooth protocol. It can be a problem because Bluetooth runs with a high privilege level in order to connect with a wide range of devices. Patches have been released by Microsoft and Google, but they may take time to reach end devices, so please be aware of this issue. Apple iOS 10 is not vulnerable. You may want to issue a warning to your users to turn off Bluetooth on their mobile devices unless it is really needed.

So, onto October’s Patch Tuesday update from Microsoft. This month, they resolved a total of 62 unique vulnerabilities, which is down nearly 20% from the 76 unique vulnerabilities resolved in September. There were 10 bulletins all up, with nine being rated as Critical and one as Important. The resolved vulnerabilities included two public disclosures and one vulnerability that has been both exploited in the wild and publicly disclosed.

There were a large number of Microsoft Products affected this month, namely: Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Skype for Business and Lync, and Microsoft SharePoint Server.


A question asked frequently is: is the Linux support that Microsoft is adding into their OS going to introduce additional vulnerabilities? The answer is yes – any time that new functionalities are added there is always the opportunity for new vulnerabilities to be introduced. We’ve seen them pop up from time to time and this month we have one that is publicly disclosed:

• CVE-2017-8703 | Windows Subsystem for Linux Denial of Service Vulnerability (Publicly Disclosed) – An attacker can execute a specially crafted application to affect an object in memory allowing them to cause the system to become unresponsive.

As well as this, it’s interesting that Microsoft chose to rate the severity of their Office updates this month as Important when there was both a publicly disclosed and exploited vulnerability resolved:

• CVE-2017-11777 | Microsoft Office SharePoint XSS Vulnerability (Publicly Disclosed) – An attacker can send a specially crafted request to an affected SharePoint server. The attacker would have the same security context as the current user allowing them to read data they should not have access to, use the victim’s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content into the user’s browser.


• CVE-2017-11826 | Microsoft Office Memory Corruption Vulnerability (Publicly Disclosed, Exploited) – An attacker could exploit this vulnerability by sending a specially crafted file to the user and convincing them to open it. An attacker could also host a website containing specially crafted files designed to exploit the vulnerability. If exploited, the attacker would have the same context as the user. In this case, least privilege would mitigate the impact of an exploited system.

Remember, this is the last month that Microsoft will release security updates for Windows 10 1511. It is really important that you move to the 1607 Anniversary Update – or even all the way to the 1703 Creators Update if you want to have the latest version. If you have any questions, consult Microsoft’s help documentation.
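One way to find the machines this reminder applies to is to read the Windows version values from the registry and flag anything below 1607. The script below is an added example, not part of the original article or Ivanti’s tooling; it assumes the standard Windows 10 version registry values are present, that remote registry access is available for the hosts you pass in, and the build-to-version mapping noted in the comments (1511 = build 10586, 1607 = 14393, 1703 = 15063).

```powershell
# Added example: report Windows 10 hosts still on 1511 (or older), which the article
# says receive their last security updates this month. Minimum target is 1607, as
# the article recommends; 1703 is the latest version it names.
$MinimumReleaseId = 1607

function Get-Win10VersionStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    try {
        # Assumes the Remote Registry service is reachable on remote hosts.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $sub  = $base.OpenSubKey($key)
        $productName = [string]$sub.GetValue('ProductName')
        $releaseId   = [int]$sub.GetValue('ReleaseId')    # e.g. 1511, 1607, 1703 (absent on pre-Win10)
        $build       = [int]$sub.GetValue('CurrentBuild') # e.g. 10586 for 1511, 14393 for 1607
    } catch {
        return [pscustomobject]@{ Computer = $ComputerName; Version = $null; Build = $null
                                  Status = 'Unreachable'; Detail = $_.Exception.Message }
    }

    if ($productName -notmatch 'Windows 10') {
        $status = 'NotWindows10'
    } elseif ($releaseId -lt $MinimumReleaseId) {
        # 1511 (and the original 1507) fall here: no further security updates after this month.
        $status = 'UpgradeRequired'
    } else {
        $status = 'Supported'
    }

    [pscustomobject]@{
        Computer = $ComputerName
        Version  = $releaseId
        Build    = $build
        Status   = $status
        Detail   = $productName
    }
}

# Usage: feed a list of hosts (constructed names here) and list only the ones that need action.
@($env:COMPUTERNAME, 'ws-example-01', 'ws-example-02') |
    ForEach-Object { Get-Win10VersionStatus -ComputerName $_ } |
    Where-Object { $_.Status -ne 'Supported' } |
    Format-Table -AutoSize
```

Hosts reported as UpgradeRequired are the ones to schedule for the 1607 or 1703 feature update before the next patch cycle.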


Other things to note from this month’s Patch Tuesday update:

For the first time in quite a long time, Adobe Flash does NOT include any security fixes. That’s right! A priority 3, feature bug fix-only release for Adobe Flash and no required update from Microsoft!

Oracle is not releasing today, but next week – on 17 October. The company will be releasing its quarterly CPU (Critical Patch Update), so expect critical updates for Java JRE and JDK as well as other Oracle products.

Sourced by Chris Goettl, product manager – Security, Ivanti

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.