Patching is Critical
This week, Microsoft released its September patch dump: 14 security bulletins covering 50 vulnerabilities in Windows, plus 26 more vulnerabilities in the Flash Player bundled with the Edge browser. The patches affect Internet Explorer, Microsoft Edge, Microsoft Office, OLE Automation, VBScript and Flash, among others.
Other Microsoft products patched include Silverlight and Exchange server.
The Exchange Server updates patch a hole in an Oracle product called Oracle Outside In Technology. Cisco found these bugs a few months ago and Oracle released patches for them in July, but Microsoft only released its incarnation of the fixes this week. The Oracle OIT bugs apparently affect a lot of vendors that have integrated that product into their own solutions.
This is just one set of patches released this week.
Another big patch dump this week came from Adobe, which patched more than 30 flaws in its products, including 26 in Flash that affect Windows, Mac and Linux. 23 of those bugs would allow an attacker to remotely execute arbitrary code on a user's computer.
At least some of the bugs will require developers to recompile their programs with the new Adobe code, so there will be trickle-down effects over the next several months, like we are seeing this month with Microsoft, which integrated patches Oracle released in July and is only now shipping them.
As business users become more adept at using shadow IT – those services that the IT department doesn’t even know about – the patching problem becomes even more complex.
Just think about the number of software products in use at a particular business. There are likely hundreds.
Some vendors don't proactively "push" their patches; you have to go looking for them.
For servers, since patches often require a reboot, you don't want them installing automatically, because that may cause an outage and, in some cases, data loss.
No platform is immune. Apple just released iOS 9.3.5 for phones and tablets, which patches a very serious vulnerability called Pegasus that has been exploited since the iPhone 4 days, years ago.
And don’t forget cloud solutions. Sometimes they have a piece that gets installed on user devices – think of Dropbox, for example. Although it is mostly a cloud application, it has pieces that have to be installed on any computer that wants to use the full functionality of Dropbox.
The moment these patches are released, hackers start taking them apart to figure out how to exploit the underlying vulnerabilities against people who haven't patched.
So the warning is this: if you don't have an active patch program, you are a prime target for hackers. And you can't get away with just patching the operating system, whether Windows, Mac or Linux. You have to identify all of your apps on all platforms (including mobile!) and install their patches too.
Unfortunately, there is no standard way for vendors to announce their patches, so you need to manage that process yourself: identify each product and how its vendor announces patches for it. Remember that because vendors acquire other companies, a vendor may announce patches for one product one way and, for a product that came from a different acquisition, a totally different way.
Some patches may require a reboot, interrupting the user or the server, while other products may not require a reboot.
Overall, it is a bit of a mess, but hackers don't particularly care that it is a problem for you. In fact, the bigger the problem for you, the better the news for the hacker.
So if you do not have a formal patch program for your business, now is a good time to create one.
Also, ALL users have to participate. If some users think patching is too big of a hassle, they are the vector for attackers to get into your network.
And as we have seen in the past couple of weeks, sometimes those hackers can wander around a network for years before being caught. In that amount of time there is no limit to the data they can steal, the back doors they can create or the time bombs they can leave behind.
In fact, just this week there have been reports of an unnamed nation state attacking our critical infrastructure for exactly that purpose: to leave time bombs inside, just in case they need them in the future.
Information on the Microsoft patches came from Network World.
Information on the Adobe patches also came from Network World: http://www.networkworld.com/article/3120346/adobe-fixes-critical-flaws-in-flash-player-and-digital-editions.html
Regarding patches incorporated into systems unknowingly…
Docker is a prime candidate for this because most tools have no visibility inside Docker containers, and there can be multiple levels of releases between the problem package and the vulnerable deployment that uses that package.
Each layer of provider in a Docker container is an additional delay in the release cycle for getting a problem fixed — if you even know the problem exists…
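The post's point about fixes that trickle down through embedded components (Oracle OIT inside Exchange, Flash inside Edge) and the comment's point about Docker image layers are the same inventory problem: a check that only looks at the top-level product version reports "patched" while a bundled component is still below its upstream fix. The script below is an added example, not tooling from the post or any vendor; the inventory, component names and version numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

@dataclass
class Component:
    name: str
    version: Version                      # version actually installed or bundled
    fixed_in: Optional[Version] = None    # version the upstream advisory says fixes the bug
    bundles: List["Component"] = field(default_factory=list)  # embedded components / image layers

def naive_check(product: Component) -> List[str]:
    """What a tool that only sees the top-level product version reports."""
    if product.fixed_in is not None and product.version < product.fixed_in:
        return [product.name]
    return []

def transitive_check(component: Component, path: Tuple[str, ...] = ()) -> List[str]:
    """Walk the bundle tree and report every component below its upstream fix.
    Each finding is a path, so you can see which vendor has to ship the fix."""
    here = path + (component.name,)
    found: List[str] = []
    if component.fixed_in is not None and component.version < component.fixed_in:
        found.append(" > ".join(here))
    for child in component.bundles:
        found.extend(transitive_check(child, here))
    return found

# Constructed inventory: names mirror the post's examples, versions are illustrative only.
INVENTORY = [
    Component("Exchange Server", (15, 1), fixed_in=(15, 1), bundles=[
        Component("Oracle Outside In", (8, 5, 2), fixed_in=(8, 5, 3))]),
    Component("Edge", (38, 0), fixed_in=(38, 0), bundles=[
        Component("Flash Player", (22, 0, 0), fixed_in=(23, 0, 0))]),
    Component("app image", (1, 4), bundles=[           # Docker-style layering (hypothetical)
        Component("base image", (9, 1), bundles=[
            Component("libfoo", (1, 0, 2), fixed_in=(1, 0, 3))])]),
]

def report() -> Dict[str, Dict[str, List[str]]]:
    """Compare both checks for every top-level product in the inventory."""
    return {p.name: {"naive": naive_check(p), "transitive": transitive_check(p)}
            for p in INVENTORY}

if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name}: naive={r['naive']} transitive={r['transitive']}")
```

The naive check comes back empty for all three products because each top-level version is "current"; only the transitive walk surfaces the embedded component that the upstream vendor has already fixed.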