Posts Tagged: Tenable


12
May 20

Microsoft Patch Tuesday, May 2020 Edition

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to today, but as always if you’re running Windows on any of your machines it’s time once again to prepare to get your patches on.

May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software. At least 16 of the bugs are labeled “Critical,” meaning ne’er-do-wells can exploit them to install malware or seize remote control over vulnerable systems with little or no help from users.

But focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month. Todd Schell, senior product manager at security vendor Ivanti, notes that if one looks at the “exploitability assessment” tied to each patch — i.e., how likely Microsoft considers each can and will be exploited for nefarious purposes — it makes sense to pay just as much attention to the vulnerabilities Microsoft has labeled with the lesser severity rating of “Important.”

Virtually all of the non-critical flaws in this month’s batch earned Microsoft’s “Important” rating.

“What is interesting and often overlooked is seven of the ten [fixes] at higher risk of exploit are only rated as Important,” Schell said. “It is not uncommon to look to the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are rated as Important vs Critical.”

For example, Satnam Narang from Tenable notes that two remote code execution flaws in Microsoft Color Management (CVE-2020-1117) and Windows Media Foundation (CVE-2020-1126) could be exploited by tricking a user into opening a malicious email attachment or visiting a website that contains code designed to exploit the vulnerabilities. However, Microsoft rates these vulnerabilities as “Exploitation Less Likely,” according to their Exploitability Index.

In contrast, three elevation of privilege vulnerabilities that received a rating of “Exploitation More Likely” were also patched, Narang notes. These include a pair of “Important” flaws in Win32k (CVE-2020-1054, CVE-2020-1143) and one in the Windows Graphics Component (CVE-2020-1135). Elevation of Privilege vulnerabilities are used by attackers once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. There are at least 56 of these types of fixes in the May release.

Schell says if your organization’s plan for prioritizing the deployment of this month’s patches stops at vendor severity or even CVSS scores above a certain level you may want to reassess your metrics.

“Look to other risk metrics like Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritization process,” he advised.

Continue reading →


14
Apr 20

Microsoft Patch Tuesday, April 2020 Edition

Microsoft today released updates to fix 113 security vulnerabilities in its various Windows operating systems and related software. Those include at least three flaws that are actively being exploited, as well as two others which were publicly detailed prior to today, potentially giving attackers a head start in figuring out how to exploit the bugs.

Nineteen of the weaknesses fixed on this Patch Tuesday were assigned Microsoft’s most-dire “critical” rating, meaning malware or miscreants could exploit them to gain complete, remote control over vulnerable computers without any help from users.

Near the top of the heap is CVE-2020-1020, a remotely exploitable bug in the Adobe Font Manager library that was first detailed in late March when Microsoft said it had seen the flaw being used in active attacks.

The Adobe Font Manager library is the source of yet another zero-day flaw — CVE-2020-0938 — although experts at security vendor Tenable say there is currently no confirmation that the two are related to the same set of in-the-wild attacks. Both flaws could be exploited by getting a Windows users to open a booby-trapped document or viewing one in the Windows Preview Pane.

The other zero-day flaw (CVE-2020-1027) affects Windows 7 and Windows 10 systems, and earned a slightly less dire “important” rating from Microsoft because it’s an “elevation of privilege” bug that requires the attacker to be locally authenticated.

Many security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw (CVE-2020-0968) has been revised to indicate Microsoft has not yet received reports of it being used in active attacks. However, the advisory says this IE bug is likely to be exploited soon.

Researchers at security firm Recorded Future zeroed in on CVE-2020-0796, a critical vulnerability dubbed “SMBGhost” that was rumored to exist in last month’s Patch Tuesday but for which an out-of-band patch wasn’t released until March 12. The problem resides in a file-sharing component of Windows, and could be exploited merely by sending the victim machine specially-crafted data packets. Proof-of-concept code showing how to exploit the bug was released April 1, but so far there are no indications this method has been incorporated into malware or active attacks.

Recorded Future’s Allan Liska notes that one reason these past few months have seen so many patches from Microsoft is the company recently hired “SandboxEscaper,” a nickname used by the security researcher responsible for releasing more than a half-dozen zero-day flaws against Microsoft products last year.

“SandboxEscaper has made several contributions to this month’s Patch Tuesday,” Liska said. “This is great news for Microsoft and the security community at large.” Continue reading →


9
Jan 19

Patch Tuesday, January 2019 Edition

Microsoft on Tuesday released updates to fix roughly four dozen security issues with its Windows operating systems and related software. All things considered, this first Patch Tuesday of 2019 is fairly mild, bereft as it is of any new Adobe Flash updates or zero-day exploits. But there are a few spicy bits to keep in mind. Read on for the gory details. Continue reading →


19
Dec 18

Microsoft Issues Emergency Fix for IE Zero Day

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said. Continue reading →