Tag Archives: Patch

August Patch Tuesday closes CPU bug, two zero-day exploits

Microsoft closed two zero-day vulnerabilities and released a fix for a new exploit for Intel processors on August Patch Tuesday.

Microsoft released an advisory (ADV-180018) on the latest speculative execution side channel vulnerability in Intel Core and Xeon processors called L1 Terminal Fault. Dubbed Foreshadow by security researchers, the vulnerability lets an attacker read data as it passes between a host and a virtual machine and a hypervisor.

The earlier Spectre and Meltdown variants allowed process-to-process interactions, but this latest hardware exploit allows a guest system to retrieve data from another guest system, said Brian Secrist, content manager at Ivanti, based in South Jordan, Utah.  


Full protection from Foreshadow (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646) on Windows requires a registry change, Microsoft patch and Intel firmware update to close the vulnerability.

“Once again, we have a bunch of hoops to jump through to get to full remediation,” Secrist said. “2018 is keeping us real busy.”

Microsoft addresses two zero-day exploits

Microsoft also closed a pair of zero-day remote code execution vulnerabilities. The first (CVE-2018-8373), in the Microsoft Scripting Engine, has known exploits that affect all versions of Internet Explorer and allows an attacker to run arbitrary code on unpatched machines in the context of users who visit a specially crafted website. Depending on the user’s rights, the attacker could install programs or view and delete data. The patch changes how the scripting engine handles objects in memory. This CVE is rated critical for Windows desktop systems and important for server versions.

Rated important, the second zero-day (CVE-2018-8414) uses a Windows Shell bug in Windows 10 and Windows Server SAC Server Core for remote code execution attacks. This vulnerability requires the user to run a malicious file delivered by email or from a website, after which an attacker can run code at the privilege level of the current user. The patch makes Windows Shell validate file paths properly.

August Patch Tuesday closes more than 60 vulnerabilities

More than half of the 60 vulnerabilities disclosed in August Patch Tuesday affect browsers or the scripting engine. Administrators should prioritize patching workstations and servers for a critical remote code execution vulnerability (CVE-2018-8345) that triggers when a user views a malicious shortcut file. Microsoft resolved this issue by correcting the processing of shortcut .LNK references.

“Because the user doesn’t have to click on the malicious .LNK file to actually exploit the vulnerability, compared to browser vulnerability, it’s more likely for a server admin to be browsing through files. If they see this shortcut and the system renders it, then that’s when the exploit runs,” said Jimmy Graham, director of product management at Qualys, based in Foster City, Calif.


Almost every major third-party vendor released patches and updates between the July and August Patch Tuesday, said Secrist. Adobe released four updates, including fixes for Adobe Flash and Acrobat. Google Chrome released version 68, and Firefox released updates for Thunderbird.

“We haven’t seen any increase in attacks or anything, just an example of better research and better coverage of vulnerabilities,” Secrist said.

July Patch Tuesday issues anger IT workers

After the July Patch Tuesday releases, Microsoft warned customers of potential SQL Server startup problems on Windows desktop (7 and 8.1) and server (2008 R2 and 2012 R2) versions on July 26. The company released several hotfixes and recommended uninstalling the July patches. Such rollbacks of faulty Microsoft updates have become a recurring headache for administrators.

Microsoft security updates for July also caused problems for the .NET Framework. On July 16, Microsoft posted a blog that “encouraged” Exchange customers to delay applying the July 10 updates to avoid disruptions with mail delivery. Hotfixes for affected systems — all supported versions of Windows Server — did not arrive until July 17. Up until that point, the only remedy was to uninstall the .NET Framework 4.7.2 update.

“Clearly there is a quality assurance issue of some kind,” Secrist said. “There’s another .NET release this month. Hopefully they spend more time on this one. We always strongly recommend you run [patches] through a test group and make sure they are stable before you push them out.”

Jeff Guillet, CEO of EXPTA Consulting in Pacifica, Calif., reached out to the Exchange product group for more information when the disruptions first occurred and said it was a two-fold problem of “really bad patches and bad communication.”

“Nobody even acknowledged that there was a problem and then all of a sudden they said, ‘Oh, by the way, we fixed this.’ [Administrators] had to troubleshoot it themselves because there was no communication from Microsoft saying this was a problem,” said Guillet.

While the intent of Patch Tuesday is to protect systems from vulnerabilities, the recent spate of patching issues concerns some IT administrators.

“Everybody’s kind of come to terms with [monthly patching], but the expectation was that a patch isn’t going to break stuff,” said Guillet. “So if it’s going to start breaking things, now I need to worry about testing it and I don’t have time because the next patches are coming up next Tuesday.”

Microsoft Skype for Business update fixes Mac bugs

The latest software patch for on-premises Skype for Business eliminates bugs and adds features for users that run the Microsoft platform on Mac OS, narrowing an already minimal gap between the Mac and Windows clients.

For Mac users, the Skype for Business update lets delegates — users designated to receive someone else’s calls — create and edit a meeting on behalf of a colleague. Also, users can now be made a delegate even if their account isn’t part of an organization’s enterprise voice plan.

Microsoft has enabled video-based screen sharing for Mac users, the result of a next-generation screen-sharing protocol that the vendor added to Skype for Business earlier this year. The new system is faster and more reliable than the traditional method and works better in low-bandwidth conditions.

The Skype for Business update, available for download now, also fixes several bugs on the Mac client, including a flaw that prevented users from joining a meeting hosted by someone outside their organization.

Microsoft seems to announce updates to the Mac client more quickly than it does for other changes to the Skype for Business platform, and describes Mac upgrades in more detail, said Jim Gaynor, a vice president of the consulting group Directions on Microsoft, based in Kirkland, Wash.

“There are still a few gaps between SfB Mac and Windows clients, most around some of the advanced call control features, file upload/sharing, and the ability to upload PowerPoint decks for online presentations,” Gaynor said. “But they’re fairly minimal.”

Skype for Business 2015 server nears its end of life

The improvements to the Mac client were among roughly 40 enhancements released as part of Microsoft’s biannual update to the Skype for Business 2015 server.

This summer’s Skype for Business update introduces location-based routing for Skype for Business mobile clients. The feature gives businesses more control when steering calls between VoIP and PSTN endpoints based on geography.

Microsoft is expected to stop releasing feature updates and bug fixes for the 2015 server in fall 2020, the end of the typical five-year lifespan for the product.

The vendor recently published a preview of the 2019 server, which is due out by year’s end. That server will extend support for on-premises Skype for Business for at least another five years, primarily to serve large organizations that are not ready to migrate to Skype’s cloud-based successor, Microsoft Teams.

The 2019 server will encourage businesses to host some telephony and messaging features in the cloud. Meanwhile, Microsoft Teams, a team collaboration app similar to Slack, will soon replace Skype for Business Online within the cloud-based Office 365 suite.

July Patch Tuesday brings three public disclosures

Microsoft announced three public disclosures from the 54 vulnerabilities released in the July Patch Tuesday.

An elevation-of-privilege public disclosure (CVE-2018-8313) affects all OSes except Windows 7. Attackers could impersonate processes, interfere with cross-process communication or interrupt system functionality to elevate their privilege levels. The patch addresses this issue by ensuring that the Windows kernel API enforces permissions.

“The fact that there is some level of detailed description of how to take advantage of this out in the open, it’s a good chance an attacker will look to develop some exploit code around this,” said Chris Goettl, director of product management and security at Ivanti, based in South Jordan, Utah.

A similar elevation-of-privilege vulnerability (CVE-2018-8314) this July Patch Tuesday affects all OSes except Windows Server 2016. Attackers could escape a sandbox to elevate their privileges when Windows fails a check. If this vulnerability were exploited in conjunction with another vulnerability, the attacker could run arbitrary code. The update fixes how Windows’ file picker handles paths.

A spoofing vulnerability in the Microsoft Edge browser (CVE-2018-8278) tricks users into thinking they are on a legitimate website. The attacker could then extract additional code to remotely exploit the system. The patch fixes how Microsoft Edge handles HTML content.

“That type of enticing of a user, we know works,” Goettl said. “It’s not a matter of will they get someone to do it or not; it’s a matter of statistically you only need to entice so many people before somebody will do it.”

Out-of-band updates continue


Before July Patch Tuesday, Microsoft announced a new side-channel attack called Lazy FP State Restore (CVE-2018-3665) — similar to the Spectre and Meltdown vulnerabilities — on supported versions of Windows. An attacker uses a different side-channel to pull information from other registers on Intel CPUs through speculative execution.


Microsoft also updated its Spectre and Meltdown advisory (ADV180012). It does not contain any new releases for the original three variants, but the company did update its guidance for Speculative Store Bypass, Variant 4 of the Spectre and Meltdown vulnerabilities. This completed coverage for Intel processors; Microsoft is still working with AMD on mitigations for its processors.

Microsoft released out-of-band patches between June and July Patch Tuesday for a third-party Oracle Outside In vulnerability (ADV180010) that affects all Exchange servers.

“We don’t have a lot of info on the exploitability,” said Jimmy Graham, director of product management at Qualys, based in Foster City, Calif. “It should be treated as critical for Exchange servers.”

New Windows Server 2008 R2 servicing model on its way

Alongside its June Patch Tuesday, Microsoft announced plans to switch the updating system for Windows Server 2008 SP2 to a rollup model. The new monthly model will more closely match the servicing model used for older Windows versions, enabling administrators to simplify their servicing process. This will include a security-only quality update, a security monthly quality rollup and a preview of the monthly quality rollup.

“The 2008 Server users out there now need to adopt the same strategy, where they had the luxury of being able to do one or two updates if they chose to and not the rest,” Goettl said.

The new model will preview on Aug. 21, 2018. Administrators will still receive extended support for Windows Server 2008 SP2 until January 2020. After that, only companies that pay for Premium Assurance will have an additional six years of support.

For more information about the remaining security bulletins for July Patch Tuesday, visit Microsoft’s Security Update Guide.

Security Servicing Commitment clarifies Microsoft patch policy

In an effort to be more transparent with customers, Microsoft is clarifying patch management policies that experts said have been generally understood, but never properly codified.

Alongside the June 2018 Patch Tuesday release, Microsoft published the Security Servicing Commitment, which it hopes will help customers understand whether a reported vulnerability will be addressed during the monthly patch cycle or in the next version of a product.

In order to make this determination, Microsoft has specified two key criteria for immediate security patching: whether the vulnerability is severe enough and whether it “violate[s] a promise made by a security boundary or a security feature that Microsoft has committed to defending.”

“If the answer to both questions is yes, then the vulnerability will be addressed through a security update that applies to all affected and supported offerings,” Microsoft wrote in the Security Servicing Commitment. “If the answer to either question is no, then by default the vulnerability will be considered for the next version or release of an offering but will not be addressed through a security update, though in some cases an exception may be made.”

The security boundaries described in the Security Servicing Commitment are the points of “logical separation between the code and data of security domains with different levels of trust,” including network boundaries, kernel boundary, virtual machine boundary and more. Security features include Windows Defender, BitLocker and Windows Resource Access Controls.

However, Microsoft makes a distinction between these features and boundaries and defense-in-depth features, which it claims “may provide protection against a threat without making a promise.” These features include address space layout randomization, data execution prevention, user account control and more.

Codifying understood policy

Experts said there wasn’t really anything new in Microsoft’s Security Servicing Commitment, although the clarification was welcomed.

Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, said the policy description was less of a change and more of a clarification.


“Some of this information was publicly available, but it wasn’t found in a consolidated source with full details,” Childs wrote via email. “It’s hard to say why they chose to publish this now. Perhaps there has been an increase in submissions that don’t meet their servicing bar and have caused confusion with researchers.”

Chris Goettl, director of product management for security for Ivanti, based in South Jordan, Utah, said it was good “to see some clarity regarding severity of vulnerabilities to better understand how updates are classified” with the Security Servicing Commitment.

“Public and private disclosure of vulnerabilities can be a messy ordeal. I think this commitment provides the ethical hackers of the world with rules of engagement for disclosing bugs with Microsoft,” Goettl wrote via email. “Overall, I think it provides transparency to those who are committing their time so they know it will be worth the effort and are not disappointed or surprised by a response where Microsoft is not committing to provide a fix or a bounty.”


Allan Liska, threat intelligence analyst at Recorded Future, based in Somerville, Mass., said the Security Servicing Commitment was “spot on and laid out in a smart, strategic way.”

“Given Microsoft’s breadth and depth of products and constant commitment to security, this is a good approach on their part. What stood out, especially, was that they made the distinction between a potential exploitable security vulnerability versus a defense in-depth feature,” Liska wrote via email. “While there will always be people who question security moves a company as large and impactful as Microsoft makes, overall, this is a good step in the direction of transparency, and I think it should be applauded.”

Childs said the Security Servicing Commitment constituted “a pretty comprehensive list” of policies, but it could be better.

“Due to the complexities of modern code, it’s unlikely any list such as this could ever be 100% complete and cover every scenario,” Childs wrote. “While this level of transparency is good to see, it would be great if they also committed to fixing bugs — especially severe bugs — faster or committed to improving patch quality or communications.”

Spectre v4 fix and Windows DNS patch in June Patch Tuesday

The June 2018 Patch Tuesday release addressed a total of 51 vulnerabilities, 11 of which were deemed critical, but the headline fix was a Windows DNS patch.

Experts uniformly pointed to the Windows DNS patch (CVE-2018-8225) as the most interesting fix of the month and the one that should take priority for most enterprises. Microsoft described the Windows DNS patch as addressing a remote code execution (RCE) vulnerability that affects Windows desktop versions 7 through 10 and Windows Server 2008 and newer.

Microsoft wrote in the advisory for the Windows DNS patch that if an attacker used a malicious DNS server to send corrupted DNS responses to the target, the exploit could allow for running arbitrary code in the context of the local user permissions.

Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team, said the full impact of the Windows DNS vulnerability “is not entirely clear.”

“Microsoft describes it as a problem processing DNS responses. Normally, I would expect that to mean that the attacker must be in a position to respond to DNS requests from a victim. This would mean that the victim is either making a DNS request to a server the attacker controls or that the attacker has a privileged network position allowing them to spoof responses from a legitimate server,” Young wrote via email. “In this case, however, Microsoft’s CVSS v3 score indicates that there is no user interaction required to trigger the vulnerability. It could be that Microsoft did not score the vulnerability properly, but it could also mean that there are circumstances where a vulnerable system will process unsolicited responses.”

Jimmy Graham, director of product management at Qualys Inc., based in Redwood City, Calif., added in a blog post that “mobile workstations that may connect to untrusted Wi-Fi are at high risk” and the Windows DNS patch should be a priority for those users.

Spectre v4 gets OS fixes

Beyond the Windows DNS patch, another highlight of the June Patch Tuesday was an update to Microsoft’s advisory regarding Spectre v4 — the latest Spectre attack method discovered in May 2018.

According to Microsoft’s updated advisory, Windows now supports Speculative Store Bypass Disable (SSBD) in Intel processors, but this in itself will not protect against Spectre v4 and will require microcode patches from Intel to fully remediate.

Microsoft couldn’t provide a timetable for when those microcode updates would be available, but it did warn users that “in testing Microsoft has seen some performance impact when SSBD is turned on. However, the actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running.”

Another flaw to watch

The final critical flaw for enterprises to prioritize was CVE-2018-8267, a scripting engine memory corruption vulnerability in Internet Explorer. This patch should take priority because although there have not been any attacks seen in the wild, this flaw was publicly disclosed.

According to Microsoft, this RCE vulnerability could allow an attacker to run code in the context of the current user either by luring a target to a malicious website or by embedding a malicious ActiveX control in a Microsoft Office document.

Microsoft rushes Spectre patch to disable Intel’s broken update

Following Intel’s advisory for customers to stop deploying the Meltdown and Spectre patch, Microsoft has issued an out-of-band patch to disable the broken fix.

Microsoft announced the out-of-band Spectre patch on Saturday, Jan. 27, and included more information than Intel had previously given when pulling the original patch.

“Intel has reported issues with recently released microcode meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection) — specifically Intel noted that this microcode can cause ‘higher than expected reboots and other unpredictable system behavior’ and then noted that situations like this may result in ‘data loss or corruption.’ Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft wrote in a support advisory. “While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715. In our testing this update has been found to prevent the behavior described.”

For comparison, Intel’s announcement on Jan. 22 gave no indication that the Spectre patch was at fault — it did not mention the Meltdown or Spectre branding, nor did it say which CVE patch was causing problems — and only said that the company had “identified the root cause” of the rebooting issues, which affected systems running Intel Broadwell and Haswell CPUs, and that it was working on a new fix.

Intel initially announced the “reboot issues” on Jan. 11 but again, the company didn’t specify which firmware updates were causing problems and didn’t cite either the Meltdown or Spectre vulnerabilities. In addition, it wasn’t until the chip maker’s fourth quarter 2017 earnings announcement that it acknowledged “data loss or corruption” was a possible side effect from its Spectre update.

Microsoft’s new Spectre patch will disable Intel’s fix and Microsoft is also offering an option for advanced users “to manually disable and enable the mitigation against Spectre variant 2 independently via registry setting changes.”

A source at Microsoft, who wished to stay anonymous, told SearchSecurity the Spectre patch was a difficult situation because “you can’t fix it in firmware alone or software alone.”

“The chip vendor releases a firmware capability, which the OSes use in a certain way in key situations to mitigate against potential abuse [or] attack. So, to mitigate, you need a firmware update plus an OS that leverages [that update]. It’s symbiotic [and] collaborative,” the source said. “Given that you need both, it was possible that an OS update would rollout on machines that didn’t yet have a firmware update, so the mitigation needed to be able to be ‘on’ or ‘off’ depending [on the presence of Intel’s microcode update].”


Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., told SearchSecurity that Intel “isn’t helping anyone by not publishing this information, but the lack of the data won’t change how we action the vulnerabilities,” and added that it is “exceedingly odd for a software company to disable a patch from a hardware vendor.”

Microsoft claimed in its advisory that “as of January 25, there are no known reports to indicate that this Spectre variant 2 has been used to attack customers,” but Williams said it may not be possible to fully confirm that claim.

“Detecting a Meltdown or Spectre attack is exceedingly difficult. While there is some interesting research on novel methods to detect the attacks, nobody is instrumented for these detections,” Williams said. “It is true that we haven’t seen any attacks in the wild, but I’m near 100% certain that they are happening.”

Jeff Williams, co-founder and CTO at Contrast Security, said the infosec community shouldn’t assume that “any vulnerability means negligence.”

“These attacks are truly novel and tricky to fix. We wouldn’t like it if companies engineered everything like NASA — it would take decades, cost many times more, and execute slowly,” Williams told SearchSecurity. “We are all complicit. We have all reaped the benefits of an ecosystem that prioritizes speed to market over security. So instead of throwing bombs, how about we encourage collaboration and openness around the best ways to solve this new attack.”

December Patch Tuesday closes year on a relatively calm note

Administrators were greeted with a subdued December Patch Tuesday, a quiet end to a year that had begun tumultuously in early 2017.

Of the 32 unique Common Vulnerabilities and Exposures (CVEs) that Microsoft addressed, just three patches were directly related to Windows operating systems. While not rated critical, the patch for CVE-2017-11885, which affects Windows client and server operating systems, is where administrators should focus their attention.

The patch is for a Remote Procedure Call (RPC) vulnerability for machines with the Routing and Remote Access service (RRAS) enabled. RRAS is a Windows service that allows remote workers to use a virtual private network to access internal network resources, such as files and printers.

“Anyone who has RRAS enabled is going to want to deploy the patch and check other assets to make sure RRAS is not enabled on any devices that don’t use it actively to prevent the exploitation,” said Gill Langston, director of product management at Qualys Inc., based in Redwood City, Calif.

The attacker triggers the exploit by running a specially crafted application against a Windows machine with RRAS enabled.

“Once the bad actor is on the endpoint, they can then install applications and run code,” Langston said. “They establish a foothold in the network, then see where they can spread. The more machines you have under your control, the more ability you have to move laterally within the organization.”

In addition, desktop administrators should roll out updates promptly to apply 19 critical fixes that affect the Internet Explorer and Edge browsers, Langston said.

“The big focus should be on browsers because of the scripting engine updates Microsoft seems to release every month,” he said. “These are all remote-code execution type vulnerabilities, so they’re all critical. That’s obviously a concern because that’s what people are using for browsing.”

Fix released for Windows Malware Protection Engine flaw

On Dec. 6, Microsoft sent out an update to affected Windows systems for a Windows Malware Protection Engine vulnerability (CVE-2017-11937). This emergency repair closed a security hole in Microsoft’s antimalware application, affecting systems on Windows 7, 8.1 and 10, and Windows Server 2016. Microsoft added this correction to the December Patch Tuesday updates.

“The fix happened behind the scenes … but it was recommended [for] administrators using any version of the Malware Protection Engine that it’s set to automatically update definitions and verify that they’re on version 1.1.14405.2, which is not vulnerable to the issue,” Langston said.

OSes that lack the update are susceptible to a remote code execution exploit if the Windows Malware Protection Engine scans a specially crafted file, which would give the attacker a range of access to the system. That includes the ability to view and delete data, and to create a new account with full user rights.

Other affected Microsoft products include Exchange Server 2013 and 2016, Microsoft Forefront Endpoint Protection, Microsoft Security Essentials, Windows Defender and Windows Intune Endpoint Protection.

“Microsoft uses the Forefront engine to scan incoming email on Exchange 2013 and Exchange 2016, so they were part of this issue,” Langston said.

Lessons learned from WannaCry

Microsoft in May surprised many in IT when the company released patches for unsupported Windows XP and Windows Server 2003 systems to stem the tide of WannaCry ransomware attacks. Microsoft had closed this exploit for supported Windows systems in March, but it took the unusual step of releasing updates for OSes that had reached end of life.

Many of the Windows malware threats from early 2017 spawned from exploits found in the Server Message Block (SMB) protocol, which is used to share files on the network. The fact that approximately 400,000 machines got bit by the ransomware bug showed how difficult it is for IT to keep up with patching demands.

“WannaCry woke people back up to how critical it is to focus on your patch cycles,” Langston said.

More than three months elapsed between Microsoft’s March patch for the SMB vulnerability that WannaCry exploited and the Petya ransomware outbreak — which used the same SMB exploit — that continued to compromise unpatched systems. Some administrators might be lulled into a false sense of security by the cumulative update servicing model and delay the patching process, Langston said.

“They may delay because the next rollup will cover the updates they missed, but then that’s more time those machines are unprotected,” he said.

For more information about the remaining security bulletins for December Patch Tuesday, visit Microsoft’s Security Update Guide.

Tom Walat is the site editor for SearchWindowsServer. Write to him at twalat@techtarget.com or follow him @TomWalatTT on Twitter.

Emergency Microsoft patch out for Malware Protection Engine

Just four days before the final Patch Tuesday of 2017, an emergency Microsoft patch was pushed out for a critical anti-malware flaw.

The vulnerability in the Windows Malware Protection Engine (CVE-2017-11937) was first discovered by the UK National Cyber Security Centre and can affect systems running Windows 7, 8.1, 10 and Server 2016. A similar flaw was found in June by Tavis Ormandy, security researcher for Google’s Project Zero.

According to the security advisory, the emergency Microsoft patch addresses a critical remote code execution vulnerability that can be exploited if a malicious actor can get the Malware Protection Engine to scan a specially crafted file.

Microsoft noted this could happen automatically if the malicious file is delivered to a system with real-time scanning turned on, and could allow an attacker to “execute arbitrary code in the security context of the LocalSystem account and take control of the system … then install programs; view, change, or delete data; or create new accounts with full user rights.”

However, the emergency Microsoft patch should be automatically installed “within 48 hours of release,” according to the advisory.

Michael Patterson, CEO of Plixer International Inc., a network traffic analysis company based in Kennebunk, Maine, said that “although most consumers already have the necessary patch, this is no time to become overly confident in existing security defensive measures.”

“Malware will make it into every organization connected to the internet. This means all companies need to prepare for the inevitable breach,” Patterson told SearchSecurity. “When this happens, incident response systems need to have been rehearsed and the data necessary for network traffic analytics needs to have been collected. An archive of logs and flows is a critical source of forensic data when odd traffic patterns need to be investigated.” 


Tyler Reguly, manager of the Vulnerability and Exposure Research Team at Tripwire, said it was nice to see the emergency Microsoft patch released so quickly, but that Microsoft also appears to be deprioritizing customer communication with these security releases.

“Anti-malware software is one of the most critical pieces of software on a modern desktop and also one of the most valuable targets for an attacker, especially products that have automated scanning of new files enabled. Most vendors will be plagued with issues like this from time to time and it shouldn’t scare people away from using the product but, rather, they should feel hopeful that Microsoft released the [out-of-band patch] to ensure quicker protection for their customer,” Reguly told SearchSecurity. However, Reguly added, “the update has been available for nearly 48 hours, but the security guidance page still does not have links to an advisory, bulletin, or KB article. The details have been published, but they are not available via the link that Microsoft provided in their own notification email; you need to know the format of their URLs to build it yourself.”

Apple High Sierra patch undone by macOS update

A critical patch for a vulnerability in Apple’s macOS High Sierra may not be properly applied if a user also updates the system software.

The vulnerability, which was made public on Nov. 28, could allow a malicious user to bypass authentication dialogs and even potentially acquire root system privileges. Apple released the High Sierra patch the following day, but users have reported the patch being undone depending on system updates that were applied.

According to many users on Twitter — and first reported by Wired — if the Apple system was running macOS 10.13.0 and not the newer 10.13.1 version, the High Sierra patch would be undone after the system update was applied. Additionally, re-installing the High Sierra patch after the system update would require a reboot to properly apply the fix, but users were not getting the notification that a restart was necessary.

Apple has since updated its patch notes to include these issues: “If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.”

MacLemon, a Mac sysadmin and independent security researcher, said the system update downgrading the High Sierra patch shouldn’t be surprising.


“It’s mostly expected that an older update installed over a newer system downgrades components. The failure here is that Apple doesn’t show the Security Update 2017-001 again after reinstalling 10.13.1,” MacLemon told SearchSecurity via Twitter Direct Message. “It’s part of Apple’s growing carelessness for the Mac in general. Since they changed the development process to release on time instead of when done, Mac OS X/OS X/macOS quality and stability has been in steady decline. Banana software shipped green that ripens at the customer.”

Because of the confusion surrounding the High Sierra patch and the macOS update, users may not know whether the patch was applied properly and whether they are protected against the root password flaw, as Marc Rogers, head of SecOps for DefCon and head of infosec for Cloudflare, said on Twitter.

Experts suggested checking for software updates and ensuring systems have been rebooted.

Root passwords and the High Sierra patch

When the High Sierra root flaw was first announced, an early suggestion from experts was to create a password for the root user. However, MacLemon noted this could cause security issues as well.

Additionally, Adam Nichols, principal of software security at Grimm, said creating this password would not be a full fix anyway.

Light workload awaits admins on November Patch Tuesday

Microsoft released updates to close 53 vulnerabilities on November Patch Tuesday. But, of the 14 vulnerabilities that affect Windows Server, none have a critical rating.

All the Windows Server-related vulnerabilities are listed as important, and, per Microsoft’s patching guidance, admins should address them as soon as possible.

CVE-2017-11847 is an elevation of privilege vulnerability in the Windows kernel that affects Windows Server 2008 and up. An attacker who successfully exploits it can undertake a range of actions on the server, from deleting data to creating accounts with full user rights.

This vulnerability requires the attacker to first log on to the system, but Microsoft’s Exploitability Index Assessment gives it a rating of “Exploitation More Likely,” which should spur admins to take action without delay.

“You’d need to have someone who has access to the machines, but that’s how a lot of these guys operate these days,” said Gill Langston, director of product management at Qualys Inc., based in Redwood City, Calif. “They’re in the network for a while and they work their way from machine to machine. In that case, they could get on to that server, they could elevate and then get further access to get more information off the machines.”

Several vulnerabilities involve information disclosure in the Windows kernel: CVE-2017-11842, CVE-2017-11849, CVE-2017-11851 and CVE-2017-11853. An attacker can use these vulnerabilities together to compromise a server and attempt to stay undetected for a significant length of time to steal information from an organization.

“The more systems they have access to, the more privilege they have, the more opportunity they have to get into the network and get more information about the network,” Langston said. “This definitely wouldn’t be one of those crimes of opportunity where they enter remotely and grab some data. It would be a long game.”

Semi-Annual Channel release requires adjustments

Microsoft added Windows Server to a Semi-Annual Channel this fall, beginning with Windows Server version 1709. The company plans to release a new edition of Windows Server every six months that targets the needs of businesses that churn out rapid application updates in DevOps environments.

In Windows Server version 1709, Nano Server is a container-based image. It has no servicing stack. To patch Nano Server, admins replace the runtime image with the latest build of the runtime image.

“In the Linux world with containers, you always rebuilt the image with the new packages. I’m not sure on the Windows side if that’s completely figured out,” Langston said.

As with any new technology, users and vendors will need time to develop those habits.

“It took some time on the Linux container side too,” Langston said. “To this day, we talk to people who struggle with their strategy about containerization.”

For more information about the remaining security bulletins for November Patch Tuesday, visit Microsoft’s Security Update Guide.

Dan Cagen is the associate site editor for SearchWindowsServer.com. Write to him at dcagen@techtarget.com.