Time to Patch


15
Aug 18

Patch Tuesday, August 2018 Edition

Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two “zero-day” flaws that attackers were already exploiting before Microsoft issued patches to fix them.

According to security firm Ivanti, the first of the two zero-day flaws (CVE-2018-8373) is a critical flaw in Internet Explorer that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day is a bug (CVE-2018-8414) in the Windows 10 shell that could allow an attacker to run code of his choice.

Microsoft also patched more variants of the Meltdown/Spectre memory vulnerabilities, collectively dubbed “Foreshadow” by a team of researchers who discovered and reported the Intel-based flaws. For more information about how Foreshadow works, check out their academic paper (PDF), and/or the video below. Microsoft’s analysis is here.

One nifty little bug fixed in this patch batch is CVE-2018-8345. It addresses a problem in the way Windows handles shortcut files; ending in the “.lnk” extension, shortcut files are Windows components that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu.

That description of a shortcut file was taken verbatim from the first widely read report on what would later be dubbed the Stuxnet worm, which also employed an exploit for a weakness in the way Windows handled shortcut (.lnk) files. According to security firm Qualys, this patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. “Simply viewing a malicious LNK file can execute code as the logged-in user,” Qualys’ Jimmy Graham wrote. Continue reading →


10
Jul 18

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.

According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.

Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.

One of the more nettlesome features of Windows 10 is the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.

Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. Continue reading →


12
Jun 18

Microsoft Patch Tuesday, June 2018 Edition

Microsoft today pushed out a bevy of software updates to fix more than four dozen security holes in Windows and related software. Almost a quarter of the vulnerabilities addressed in this month’s patch batch earned Microsoft’s “critical” rating, meaning malware or miscreants can exploit the flaws to break into vulnerable systems without any help from users.

Most of the critical fixes are in Microsoft browsers or browser components. One of the flaws, CVE-2018-8267, was publicly disclosed prior to today’s patch release, meaning attackers may have had a head start figuring out how to exploit the bug to attack Internet Explorer users.

According to Recorded Future, the most important patched vulnerability is a remote code execution vulnerability in the Windows Domain Name System (DNS), which is present in all versions of supported versions of Windows from Windows 7 to Windows 10 as well as all versions of Windows Server from 2008 to 2016.

“The vulnerability allows an attacker to send a maliciously crafted DNS packet to the victim machine from a DNS server, or even send spoofed DNS responses from attack box,” wrote Allan Liska, a threat intelligence analyst at Recorded Future. “Successful exploitation of this vulnerability could allow an attacker to take control of the target machine.”

Security vendor Qualys says mobile workstations that may connect to untrusted Wi-Fi networks are at high risk and this DNS patch should be a priority for them. Qualys also notes that Microsoft this month is shipping updates to mitigate another variant of the Spectre vulnerability in Intel machines.

And of course there are updates available to address the Adobe Flash Player vulnerability that is already being exploited in active attacks. Read more on that here. Continue reading →


7
Jun 18

Adobe Patches Zero-Day Flash Flaw

Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed — and if you’re using Google Chrome or a recent version of Microsoft Windows you do — it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.

In an advisory published today, Adobe said it is aware of a report that an exploit for the previously unknown Flash flaw — CVE-2018-5002 — exists in the wild, and “is being used in limited, targeted attacks against Windows users. These attacks leverage Microsoft Office documents with embedded malicious Flash Player content distributed via email.”

The vulnerable versions of Flash include v. 29.0.0.171 and earlier. The version of Flash released today brings the program to v. 30.0.0.113 for Windows, Mac, Linux and Chrome OS. Check out this link to detect the presence of Flash in your browser and the version number installed.

Both Internet Explorer/Edge on Windows 10 and Chrome should automatically prompt users to update Flash when newer versions are available. At the moment, however, I can’t see any signs yet that either Microsoft or Google has pushed out new updates to address the Flash flaw. I’ll update this post if that changes. (Update: June 8, 11:01 a.m. ET: Looks like the browser makers are starting to push this out. You may still need to restart your browser for the update to take effect.)

Adobe credits Chinese security firm Qihoo 360 with reporting the zero-day Flash flaw. Qihoo said in a blog post that the exploit was seen being used to target individuals and companies in Doha, Qatar, and is believed to be related to a nation-state backed cyber-espionage campaign that uses booby-trapped Office documents to deploy malware.

In February 2018, Adobe patched another zero-day Flash flaw that was tied to cyber espionage attacks launched by North Korean hackers. Continue reading →


8
May 18

Microsoft Patch Tuesday, May 2018 Edition

Microsoft today released a bundle of security updates to fix at least 67 holes in its various Windows operating systems and related software, including one dangerous flaw that Microsoft warns is actively being exploited. Meanwhile, as it usually does on Microsoft’s Patch Tuesday — the second Tuesday of each month — Adobe has a new Flash Player update that addresses a single but critical security weakness.

First, the Flash Tuesday update, which brings Flash Player to v. 29.0.0.171. Some (present company included) would argue that Flash Player is itself “a single but critical security weakness.” Nevertheless, Google Chrome and Internet Explorer/Edge ship with their own versions of Flash, which get updated automatically when new versions of these browsers are made available.

You can check if your browser has Flash installed/enabled and what version it’s at by pointing your browser at this link. Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Continue reading →


3
May 18

Twitter to All Users: Change Your Password Now!

Twitter just asked all 300+ million users to reset their passwords, citing the exposure of user passwords via a bug that stored passwords in plain text — without protecting them with any sort of encryption technology that would mask a Twitter user’s true password. The social media giant says it has fixed the bug and that so far its investigation hasn’t turned up any signs of a breach or that anyone misused the information. But if you have a Twitter account, please change your account password now.

Or if you don’t trust links in blogs like this (I get it) go to Twitter.com and change it from there. And then come back and read the rest of this. We’ll wait.

In a post to its company blog this afternoon, Twitter CTO Parag Agrawal wrote:

“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

A message posted this afternoon (and still present as a pop-up) warns all users to change their passwords.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.” Continue reading →


10
Apr 18

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft each released critical fixes for their products today, a.k.a “Patch Tuesday,” the second Tuesday of every month. Adobe updated its Flash Player program to resolve a half dozen critical security holes. Microsoft issued updates to correct at least 65 security vulnerabilities in Windows and associated software.

The Microsoft updates impact many core Windows components, including the built-in browsers Internet Explorer and Edge, as well as Office, the Microsoft Malware Protection Engine, Microsoft Visual Studio and Microsoft Azure.

The Malware Protection Engine flaw is one that was publicly disclosed earlier this month, and one for which Redmond issued an out-of-band (outside of Patch Tuesday) update one week ago.

That flaw, discovered and reported by Google’s Project Zero program, is reportedly quite easy to exploit and impacts the malware scanning capabilities for a variety of Microsoft anti-malware products, including Windows Defender, Microsoft Endpoint Protection and Microsoft Security Essentials.

Microsoft really wants users to install these updates as quickly as possible, but it might not be the worst idea to wait a few days before doing so: Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release. However, depending on which version of Windows you’re using it may be difficult to put off installing these patches.

Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. In any case, don’t put off installing these updates too long. Continue reading →


13
Mar 18

Flash, Windows Users: It’s Time to Patch

Adobe and Microsoft each pushed critical security updates to their products today. Adobe’s got a new version of Flash Player available, and Microsoft released 14 updates covering more than 75 vulnerabilities, two of which were publicly disclosed prior to today’s patch release.

The Microsoft updates affect all supported Windows operating systems, as well as all supported versions of Internet Explorer/Edge, Office, Sharepoint and Exchange Server.

All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies, according to a post from security firm Qualys.

“It is recommended that these be prioritized for workstation-type devices,” wrote Jimmy Graham, director of product management at Qualys. “Any system that accesses the Internet via a browser should be patched.”

The Microsoft vulnerabilities that were publicly disclosed prior to today involve Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940) and ASP.NET Core 2.0 (CVE-2018-0808), said Chris Goettl at Ivanti. Microsoft says it has no evidence that attackers have exploited either flaw in active attacks online.

But Goettl says public disclosure means enough information was released publicly for an attacker to get a jump start or potentially to have access to proof-of-concept code making an exploit more likely. “Both of the disclosed vulnerabilities are rated as Important, so not as severe, but the risk of exploit is higher due to the disclosure,” Goettl said. Continue reading →


13
Feb 18

Microsoft Patch Tuesday, February 2018 Edition

Microsoft today released a bevy of security updates to tackle more than 50 serious weaknesses in Windows, Internet Explorer/Edge, Microsoft Office and Adobe Flash Player, among other products. A good number of the patches issued today ship with Microsoft’s “critical” rating, meaning the problems they fix could be exploited remotely by miscreants or malware to seize complete control over vulnerable systems — with little or no help from users.

February’s Patch Tuesday batch includes fixes for at least 55 security holes. Some of the scarier bugs include vulnerabilities in Microsoft Outlook, Edge and Office that could let bad guys or bad code into your Windows system just by getting you to click on a booby trapped link, document or visit a compromised/hacked Web page.

As per usual, the SANS Internet Storm Center has a handy rundown on the individual flaws, neatly indexing them by severity rating, exploitability and whether the problems have been publicly disclosed or exploited. Continue reading →


10
Jan 18

Microsoft’s Jan. 2018 Patch Tuesday Lowdown

Microsoft on Tuesday released 14 security updates, including fixes for the Spectre and Meltdown flaws detailed last week, as well as a zero-day vulnerability in Microsoft Office that is being exploited in the wild. Separately, Adobe pushed a security update to its Flash Player software.

Last week’s story, Scary Chip Flaws Raise Spectre of Meltdown, sought to explain the gravity of these two security flaws present in most modern computers, smartphones, tablets and mobile devices. The bugs are thought to be mainly exploitable in chips made by Intel and ARM, but researchers said it was possible they also could be leveraged to steal data from computers with chips made by AMD.

By the time that story had published, Microsoft had already begun shipping an emergency update to address the flaws, but many readers complained that their PCs experienced the dreaded “blue screen of death” (BSOD) after applying the update. Microsoft warned that the BSOD problems were attributable to many antivirus programs not yet updating their software to play nice with the security updates.

On Tuesday, Microsoft said it was suspending the patches for computers running AMD chipsets.

“After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” the company said in a notice posted to its support site.

“To prevent AMD customers from getting into an unbootable state, Microsoft has temporarily paused sending the following Windows operating system updates to devices that have impacted AMD processors,” the company continued. “Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible.”

In short, if you’re running Windows on a computer powered by an AMD, you’re not going to be offered the Spectre/Meltdown fixes for now. Not sure whether your computer has an Intel or AMD chip? Most modern computers display this information (albeit very briefly) when the computer first starts up, before the Windows logo appears on the screen.

Here’s another way. From within Windows, users can find this information by pressing the Windows key on the keyboard and the “Pause” key at the same time, which should open the System Properties feature. The chip maker will be displayed next to the “Processor:” listing on that page.

Microsoft also on Tuesday provided more information about the potential performance impact on Windows computers after installing the Spectre/Meltdown updates. To summarize, Microsoft said Windows 7, 8.1 and 10 users on older chips (circa 2015 or older), as well as Windows server users on any silicon, are likely to notice a slowdown of their computer after applying this update.

Any readers who experience a BSOD after applying January’s batch of updates may be able to get help from Microsoft’s site: Here are the corresponding help pages for Windows 7, Windows 8.1 and Windows 10 users.

As evidenced by this debacle, it’s a good idea to get in the habit of backing up your system on a regular basis. I typically do this at least once a month — but especially right before installing any updates from Microsoft.  Continue reading →