Time to Patch


11
Sep 18

Patch Tuesday, September 2018 Edition

Adobe and Microsoft today each released patches to fix serious security holes in their software. Adobe pushed out a new version of its beleaguered Flash Player browser plugin. Redmond issued updates to address at least 61 distinct vulnerabilities in Microsoft Windows and related programs, including several flaws that were publicly detailed prior to today and one “zero-day” bug in Windows that is already being actively exploited by attackers.

As per usual, the bulk of the fixes from Microsoft tackle security weaknesses in the company’s Web browsers, Internet Explorer and Edge. Patches also are available for Windows, Office, Sharepoint, and the .NET Framework, among other components.

Of the 61 bugs fixed in this patch batch, 17 earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to break into Windows computers with little or no help from users.

The zero-day flaw, CVE-2018-8440, affects Microsoft operating systems from Windows 7 through Windows 10 and allows a program launched by a restricted Windows user to gain more powerful administrative access on the system. It was first publicized August 27 in a (now deleted) Twitter post that linked users to proof-of-concept code hosted on Github. Since then, security experts have spotted versions of the code being used in active attacks.

According to security firm Ivanti, prior to today bad guys got advance notice about three vulnerabilities in Windows targeted by these patches. The first, CVE-2018-8457, is a critical memory corruption issue that could be exploited through a malicious Web site or Office file. CVE-2018-8475 is a critical bug in most supported versions of Windows that can be used for nasty purposes by getting a user to view a specially crafted image file. The third previously disclosed flaw, CVE-2018-8409, is a somewhat less severe “denial-of-service” vulnerability. Continue reading →


23
Aug 18

Experts Urge Rapid Patching of ‘Struts’ Bug

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.

On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.

An alert about the Apache security update was posted Wednesday by Semmle, the San Francisco software company whose researchers discovered the bug.

“The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,” the alert warns.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.” Continue reading →


15
Aug 18

Patch Tuesday, August 2018 Edition

Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two “zero-day” flaws that attackers were already exploiting before Microsoft issued patches to fix them.

According to security firm Ivanti, the first of the two zero-day flaws (CVE-2018-8373) is a critical flaw in Internet Explorer that attackers could use to foist malware on IE users who browse to hacked or booby-trapped sites. The other zero-day is a bug (CVE-2018-8414) in the Windows 10 shell that could allow an attacker to run code of his choice.

Microsoft also patched more variants of the Meltdown/Spectre memory vulnerabilities, collectively dubbed “Foreshadow” by a team of researchers who discovered and reported the Intel-based flaws. For more information about how Foreshadow works, check out their academic paper (PDF), and/or the video below. Microsoft’s analysis is here.

One nifty little bug fixed in this patch batch is CVE-2018-8345. It addresses a problem in the way Windows handles shortcut files; ending in the “.lnk” extension, shortcut files are Windows components that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu.

That description of a shortcut file was taken verbatim from the first widely read report on what would later be dubbed the Stuxnet worm, which also employed an exploit for a weakness in the way Windows handled shortcut (.lnk) files. According to security firm Qualys, this patch should be prioritized for both workstations and servers, as the user does not need to click the file to exploit. “Simply viewing a malicious LNK file can execute code as the logged-in user,” Qualys’ Jimmy Graham wrote. Continue reading →


10
Jul 18

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.

According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.

Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.

One of the more nettlesome features of Windows 10 is the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.

Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. Continue reading →


12
Jun 18

Microsoft Patch Tuesday, June 2018 Edition

Microsoft today pushed out a bevy of software updates to fix more than four dozen security holes in Windows and related software. Almost a quarter of the vulnerabilities addressed in this month’s patch batch earned Microsoft’s “critical” rating, meaning malware or miscreants can exploit the flaws to break into vulnerable systems without any help from users.

Most of the critical fixes are in Microsoft browsers or browser components. One of the flaws, CVE-2018-8267, was publicly disclosed prior to today’s patch release, meaning attackers may have had a head start figuring out how to exploit the bug to attack Internet Explorer users.

According to Recorded Future, the most important patched vulnerability is a remote code execution vulnerability in the Windows Domain Name System (DNS), which is present in all versions of supported versions of Windows from Windows 7 to Windows 10 as well as all versions of Windows Server from 2008 to 2016.

“The vulnerability allows an attacker to send a maliciously crafted DNS packet to the victim machine from a DNS server, or even send spoofed DNS responses from attack box,” wrote Allan Liska, a threat intelligence analyst at Recorded Future. “Successful exploitation of this vulnerability could allow an attacker to take control of the target machine.”

Security vendor Qualys says mobile workstations that may connect to untrusted Wi-Fi networks are at high risk and this DNS patch should be a priority for them. Qualys also notes that Microsoft this month is shipping updates to mitigate another variant of the Spectre vulnerability in Intel machines.

And of course there are updates available to address the Adobe Flash Player vulnerability that is already being exploited in active attacks. Read more on that here. Continue reading →


7
Jun 18

Adobe Patches Zero-Day Flash Flaw

Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed — and if you’re using Google Chrome or a recent version of Microsoft Windows you do — it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.

In an advisory published today, Adobe said it is aware of a report that an exploit for the previously unknown Flash flaw — CVE-2018-5002 — exists in the wild, and “is being used in limited, targeted attacks against Windows users. These attacks leverage Microsoft Office documents with embedded malicious Flash Player content distributed via email.”

The vulnerable versions of Flash include v. 29.0.0.171 and earlier. The version of Flash released today brings the program to v. 30.0.0.113 for Windows, Mac, Linux and Chrome OS. Check out this link to detect the presence of Flash in your browser and the version number installed.

Both Internet Explorer/Edge on Windows 10 and Chrome should automatically prompt users to update Flash when newer versions are available. At the moment, however, I can’t see any signs yet that either Microsoft or Google has pushed out new updates to address the Flash flaw. I’ll update this post if that changes. (Update: June 8, 11:01 a.m. ET: Looks like the browser makers are starting to push this out. You may still need to restart your browser for the update to take effect.)

Adobe credits Chinese security firm Qihoo 360 with reporting the zero-day Flash flaw. Qihoo said in a blog post that the exploit was seen being used to target individuals and companies in Doha, Qatar, and is believed to be related to a nation-state backed cyber-espionage campaign that uses booby-trapped Office documents to deploy malware.

In February 2018, Adobe patched another zero-day Flash flaw that was tied to cyber espionage attacks launched by North Korean hackers. Continue reading →


8
May 18

Microsoft Patch Tuesday, May 2018 Edition

Microsoft today released a bundle of security updates to fix at least 67 holes in its various Windows operating systems and related software, including one dangerous flaw that Microsoft warns is actively being exploited. Meanwhile, as it usually does on Microsoft’s Patch Tuesday — the second Tuesday of each month — Adobe has a new Flash Player update that addresses a single but critical security weakness.

First, the Flash Tuesday update, which brings Flash Player to v. 29.0.0.171. Some (present company included) would argue that Flash Player is itself “a single but critical security weakness.” Nevertheless, Google Chrome and Internet Explorer/Edge ship with their own versions of Flash, which get updated automatically when new versions of these browsers are made available.

You can check if your browser has Flash installed/enabled and what version it’s at by pointing your browser at this link. Adobe is phasing out Flash entirely by 2020, but most of the major browsers already take steps to hobble Flash. And with good reason: It’s a major security liability. Continue reading →


3
May 18

Twitter to All Users: Change Your Password Now!

Twitter just asked all 300+ million users to reset their passwords, citing the exposure of user passwords via a bug that stored passwords in plain text — without protecting them with any sort of encryption technology that would mask a Twitter user’s true password. The social media giant says it has fixed the bug and that so far its investigation hasn’t turned up any signs of a breach or that anyone misused the information. But if you have a Twitter account, please change your account password now.

Or if you don’t trust links in blogs like this (I get it) go to Twitter.com and change it from there. And then come back and read the rest of this. We’ll wait.

In a post to its company blog this afternoon, Twitter CTO Parag Agrawal wrote:

“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

A message posted this afternoon (and still present as a pop-up) warns all users to change their passwords.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.” Continue reading →


10
Apr 18

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft each released critical fixes for their products today, a.k.a “Patch Tuesday,” the second Tuesday of every month. Adobe updated its Flash Player program to resolve a half dozen critical security holes. Microsoft issued updates to correct at least 65 security vulnerabilities in Windows and associated software.

The Microsoft updates impact many core Windows components, including the built-in browsers Internet Explorer and Edge, as well as Office, the Microsoft Malware Protection Engine, Microsoft Visual Studio and Microsoft Azure.

The Malware Protection Engine flaw is one that was publicly disclosed earlier this month, and one for which Redmond issued an out-of-band (outside of Patch Tuesday) update one week ago.

That flaw, discovered and reported by Google’s Project Zero program, is reportedly quite easy to exploit and impacts the malware scanning capabilities for a variety of Microsoft anti-malware products, including Windows Defender, Microsoft Endpoint Protection and Microsoft Security Essentials.

Microsoft really wants users to install these updates as quickly as possible, but it might not be the worst idea to wait a few days before doing so: Quite often, problems with patches that may cause systems to end up in an endless reboot loop are reported and resolved with subsequent updates within a few days after their release. However, depending on which version of Windows you’re using it may be difficult to put off installing these patches.

Microsoft says by default, Windows 10 receives updates automatically, “and for customers running previous versions, we recommend they turn on automatic updates as a best practice.” Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. In any case, don’t put off installing these updates too long. Continue reading →


13
Mar 18

Flash, Windows Users: It’s Time to Patch

Adobe and Microsoft each pushed critical security updates to their products today. Adobe’s got a new version of Flash Player available, and Microsoft released 14 updates covering more than 75 vulnerabilities, two of which were publicly disclosed prior to today’s patch release.

The Microsoft updates affect all supported Windows operating systems, as well as all supported versions of Internet Explorer/Edge, Office, Sharepoint and Exchange Server.

All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies, according to a post from security firm Qualys.

“It is recommended that these be prioritized for workstation-type devices,” wrote Jimmy Graham, director of product management at Qualys. “Any system that accesses the Internet via a browser should be patched.”

The Microsoft vulnerabilities that were publicly disclosed prior to today involve Microsoft Exchange Server 2010 through 2016 editions (CVE-2018-0940) and ASP.NET Core 2.0 (CVE-2018-0808), said Chris Goettl at Ivanti. Microsoft says it has no evidence that attackers have exploited either flaw in active attacks online.

But Goettl says public disclosure means enough information was released publicly for an attacker to get a jump start or potentially to have access to proof-of-concept code making an exploit more likely. “Both of the disclosed vulnerabilities are rated as Important, so not as severe, but the risk of exploit is higher due to the disclosure,” Goettl said. Continue reading →