What are the benefits of automated, cloud-native patch management?

Could organizations recoup their share of more than $1 billion per quarter by moving away from legacy solutions to cloud-native patch management and endpoint hardening? A new report from Sedulo Group says yes.


The 2020 TCO Study of Microsoft WSUS & SCCM report shows organizations using Microsoft endpoint management for patching and hardening spend nearly 2x as much as organizations using SaaS-based patch management platforms.

Microsoft System Center Configuration Manager (SCCM) and Microsoft Windows Server Update Services (WSUS) currently manage over 175 million endpoints and cost organizations more than $625 million per month to manage versus a cloud-native approach.

The report defines the hidden costs of legacy patching, analyzing several factors that affect TCO, such as the hardware, software, licensing, training, and personnel unique to an organization. Based on this analysis, the hardware requirements and operational costs for WSUS and SCCM can push the total organizational cost burden to over $6.6 million, or $11 per endpoint per month for typical customers.

The report found that the most significant cost savings were prevalent in “scenarios where multiple OS are in use, or workforces consist of heavily virtualized or entirely remote-based staff.”

“It’s not just operating systems that need to be regularly patched. Almost any piece of software can serve as an attacker’s entry point to a network, and each has its own patching or updating mechanism. It’s almost impossible for an administrator to learn in a timely manner when one of these apps has become vulnerable, and it’s very time-consuming to apply a patch on all instances of an app on the network,” Mitja Kolsek, co-founder of 0patch, told Help Net Security.

“I believe the optimal patching model for today’s organizations with complex, ever-changing network topology, countless software products, and attackers with 0-day and N-day vulnerabilities targeting them, comprises a cloud-based patching service for official vendor updates, combined with a cloud-based micropatching service for fixing critical 0-day vulnerabilities and N-day vulnerabilities on end-of-support systems. I envision future patching services to merge these two complementary concepts and even provide micropatches as an alternative to official vendor updates.”

The report highlights that “selecting a SaaS-based patch management solution over a legacy provider minimizes the risk of financial impact.” Cloud-native patching and endpoint hardening platforms reduce the impact of unplanned expenses and the total cost burden over time, while providing greater value than WSUS or SCCM by deploying patches rapidly and meeting the security needs of hybrid and remote workforces.

“Many organizations lack the ability to properly manage endpoints and are often paying too much for tools that simply cannot deliver enough value,” said Jay Prassl, CEO, Automox. “This study puts a spotlight on the cost burden that on-premise patching solutions create, and how making the switch to a cloud-native platform enables cost savings, increased capabilities, and the scalability today’s ever-changing businesses need to properly secure their workforces.”

Zoom zero-day flaw allows code execution on victim’s Windows machine

A zero-day vulnerability in Zoom for Windows may be exploited by an attacker to execute arbitrary code on a victim’s computer. The attack doesn’t trigger a security warning and can be pulled off by getting the victim to perform a typical action such as opening a received document file.


Acros Security, the creators of 0patch, have pushed out a micropatch that will close the security hole until Zoom Video Communications delivers a fix.

About the vulnerability

The vulnerability was discovered by an unnamed researcher and reported to Acros Security, who reported it to Zoom earlier today.

It is present in all supported versions of the Zoom client for Windows, and the 0patch team has created a micropatch for each of them, from v5.0.3 up to the latest one (v5.1.2).

The flaw is only exploitable if the client is installed on Windows 7 and older Windows systems, due to a specific system property.

“The flaw is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that; either way, our micropatch will protect you wherever you’re using the Zoom client,” Acros Security CEO Mitja Kolsek told Help Net Security.

“While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he noted.

He also said that the flaw can be exploited through several attack scenarios, but that the company will refrain from publishing more detailed information and the PoC exploit until Zoom fixes the issue or decides not to fix it.

Options available to users

Until Zoom pushes out a fix, the options for users who wish to stay safe are as follows:

  • Temporarily stop using Zoom
  • Update Windows to a newer version
  • Implement the micropatch

“We were able to quickly create a micropatch that removes the vulnerability in four different places in the [software’s] code,” Kolsek noted. The micropatches are available for free to all 0patch users until a fix is released.

“0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows and you install it on your computer, our micropatch will become obsolete,” he explained.

“In case this updated Zoom Client does not fix this vulnerability, we’ll port the micropatch and make it available for free as quickly as possible.”
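The hash-binding behaviour Kolsek describes (a micropatch is tied to one exact build of a module, stops applying when the module is replaced, and has to be ported if the replacement is still vulnerable) is easy to see in code. The following is an added illustration, not 0patch's own implementation; the module bytes, patch identifier and byte patterns are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Micropatch:
    """A small in-place binary patch bound to one exact build of a module.

    The binding is the SHA-256 of the unpatched module. If the module no longer
    hashes to target_sha256, the patch must not be applied: its offset and
    original bytes were computed for a different binary.
    """
    name: str
    target_sha256: str
    offset: int
    original: bytes
    replacement: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def applicable_patches(module: bytes, patches: List[Micropatch]) -> List[Micropatch]:
    """Return only the patches whose hash binding matches this module build."""
    digest = sha256_hex(module)
    return [p for p in patches if p.target_sha256 == digest]


def apply_micropatch(module: bytes, patch: Micropatch) -> bytes:
    """Apply one patch, refusing on any mismatch rather than corrupting code."""
    if sha256_hex(module) != patch.target_sha256:
        raise ValueError(f"{patch.name}: module hash mismatch, refusing to patch")
    if len(patch.replacement) != len(patch.original):
        raise ValueError(f"{patch.name}: in-place patch must not change code size")
    end = patch.offset + len(patch.original)
    if module[patch.offset:end] != patch.original:
        raise ValueError(f"{patch.name}: bytes at offset differ from expected original")
    return module[:patch.offset] + patch.replacement + module[end:]


def port_micropatch(new_module: bytes, patch: Micropatch) -> Optional[Micropatch]:
    """Re-bind a patch to a new build if the vulnerable code is still present.

    Returns None when the original byte pattern is absent (the vendor changed or
    fixed that code) or ambiguous (found more than once), so nothing is patched
    blindly. A real port would involve an analyst; this is the mechanical part.
    """
    if new_module.count(patch.original) != 1:
        return None
    return Micropatch(
        name=patch.name,
        target_sha256=sha256_hex(new_module),
        offset=new_module.find(patch.original),
        original=patch.original,
        replacement=patch.replacement,
    )


# Constructed toy "module" builds (hypothetical, not Zoom binaries): a 16-byte
# header followed by a code region. The vulnerable build carries the pattern
# 31 c0 c3 (xor eax,eax; ret) at offset 20; the sample patch turns it into
# b0 01 c3 (mov al,1; ret), i.e. the same size.
MODULE_V1 = b"MZ" + b"\x00" * 14 + b"\x55\x89\xe5\x90" + b"\x31\xc0\xc3" + b"\x00" * 5
# A vendor update that changes the header and shifts code, but keeps the flaw.
MODULE_V2 = b"MZ" + b"\x00" * 12 + b"\x02\x00" + b"\x55\x89\xe5\x90\x90\x90" + b"\x31\xc0\xc3" + b"\x00" * 3
# A vendor update in which the vulnerable code is gone.
MODULE_V3 = b"MZ" + b"\x00" * 12 + b"\x03\x00" + b"\x55\x89\xe5\x90" + b"\xb8\x01\x00\x00\x00\xc3" + b"\x00" * 2

PATCH = Micropatch(
    name="EXAMPLE-0001",  # placeholder identifier, not a real 0patch ID
    target_sha256=sha256_hex(MODULE_V1),
    offset=20,
    original=b"\x31\xc0\xc3",
    replacement=b"\xb0\x01\xc3",
)

if __name__ == "__main__":
    print("v1 applicable:", [p.name for p in applicable_patches(MODULE_V1, [PATCH])])
    print("v2 applicable:", [p.name for p in applicable_patches(MODULE_V2, [PATCH])])
    ported = port_micropatch(MODULE_V2, PATCH)
    print("ported to v2 at offset:", ported.offset if ported else None)
    print("port to fixed v3:", port_micropatch(MODULE_V3, PATCH))
```

When the module is updated, `applicable_patches` returns nothing for the old binding, which is the "patch becomes obsolete" case; `port_micropatch` then either re-binds the patch to the new build or reports that the target code is gone.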

Micropatches block exploitation of Windows zero-days under attack

While we wait for Microsoft to provide fixes for the two new Windows RCE zero-days that are being exploited in “limited targeted Windows 7 based attacks,” ACROS Security has released micropatches that can prevent remote attackers from exploiting the flaws.


About the micropatches for Windows zero-days

In a blog post published on Thursday, ACROS Security CEO Mitja Kolsek explained which attack vectors can be used to exploit the vulnerabilities and why Windows 10 users are at a lower risk of attack.

He also went through each of the mitigations recommended by Microsoft, explained the pros and cons of implementing each of them, and noted that their own micropatches protect only against remote attack vectors.

“Obviously we can’t patch these vulnerabilities because we don’t know what they are, but we can infer from Microsoft’s advisory that blocking Adobe Type 1 PostScript fonts from reaching the vulnerable kernel parsing code would block attacks,” he explained.

“So we decided to find the common execution point that various Windows applications such as Windows Explorer, Font Viewer, and applications using Windows-integrated font support are using to pass a font to Windows, then place a bouncer there that would keep Adobe Type 1 PostScript fonts out.”

And so they did.
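The "bouncer" idea described above is a format gate: identify Adobe Type 1 PostScript font data by its well-known headers and refuse to hand it to the parser, while letting other font formats through untouched. The following is an added illustration in Python, not ACROS Security's micropatch; the byte samples are constructed, and `toy_font_parser` stands in for the system's own font parsing code.

```python
import struct
from typing import Callable

# Public format magic values (not taken from 0patch's code).
PFB_SEGMENT_MAGIC = 0x80                      # first byte of every PFB segment header
PFA_PREFIXES = (b"%!PS-AdobeFont", b"%!FontType1")
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "truetype",
    b"true": "truetype",
    b"OTTO": "opentype-cff",
    b"ttcf": "truetype-collection",
}


class FontRejected(Exception):
    """Raised when the gate refuses to pass font data to the parser."""


def identify_font_format(data: bytes) -> str:
    """Classify font bytes by header; 'type1-*' are the formats the gate blocks."""
    # Binary Type 1 (PFB): 0x80, segment type 1 (ASCII) or 2 (binary), LE32 length.
    if len(data) >= 6 and data[0] == PFB_SEGMENT_MAGIC and data[1] in (1, 2):
        return "type1-pfb"
    # ASCII Type 1 (PFA): a PostScript font header line.
    if data.lstrip().startswith(PFA_PREFIXES):
        return "type1-pfa"
    for magic, name in SFNT_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def is_adobe_type1(data: bytes) -> bool:
    return identify_font_format(data).startswith("type1-")


def gated_font_load(data: bytes, parser: Callable[[bytes], str]) -> str:
    """The bouncer: Type 1 data never reaches `parser`; everything else does."""
    if is_adobe_type1(data):
        raise FontRejected("Adobe Type 1 PostScript font blocked before parsing")
    return parser(data)


def toy_font_parser(data: bytes) -> str:
    """Stand-in for the real parser; just reports the format it was given."""
    return "parsed:" + identify_font_format(data)


# Constructed samples (not real font files).
SAMPLE_PFB = b"\x80\x01" + struct.pack("<I", 18) + b"%!PS-AdobeFont-1.0"
SAMPLE_PFA = b"%!PS-AdobeFont-1.0: ExampleFont 001.000\n"
SAMPLE_TTF = b"\x00\x01\x00\x00" + b"\x00" * 8
SAMPLE_OTF = b"OTTO" + b"\x00" * 8
SAMPLE_JUNK = b"not a font at all"


def gate_outcome(data: bytes) -> str:
    """Run the gate and summarise the result as a string for easy checking."""
    try:
        return gated_font_load(data, toy_font_parser)
    except FontRejected:
        return "blocked:" + identify_font_format(data)


if __name__ == "__main__":
    for label, sample in [("pfb", SAMPLE_PFB), ("pfa", SAMPLE_PFA),
                          ("ttf", SAMPLE_TTF), ("otf", SAMPLE_OTF), ("junk", SAMPLE_JUNK)]:
        print(f"{label:5s} -> {gate_outcome(sample)}")
```

The gate only needs to recognise the one format it wants to keep out, so unknown data is passed through rather than blocked; that mirrors the stated goal of blocking Type 1 fonts without otherwise changing how applications load fonts.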

0patch

The micropatches are implemented through 0patch, the company’s platform for distributing, applying and removing microscopic binary patches to/from running processes. For the time being (and until Microsoft releases the fixes), users of the free subscription tier will also be able to implement them.

Also for the time being, micropatches are only available for fully updated Windows 7 64-bit and Windows Server 2008 R2 without Extended Security Updates (ESU).

“This provides protection for our users who continue using these Windows versions but were unable or unwilling to obtain ESU, and are now, somewhat ironically, the only Windows users with a patch for these vulnerabilities,” Kolsek noted.

They will continue porting the micropatches to other affected Windows versions, but not to Windows 10 and newer Windows Server versions, because the exploitation risk is lower on those.

Micropatch simulates workaround for recent zero-day IE flaw, removes negative side effects

ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674).


Remote code execution vulnerability affecting IE

Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which it knows is being exploited in “limited targeted attacks”.

Flagged by researchers from Qihoo 360 and Google’s Threat Analysis Group, the flaw has been filed under CVE-2020-0674, but no fix was released.

“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company explained, and offered information on mitigations and a temporary workaround.

Mitigation steps

Microsoft advised admins to implement the offered mitigation steps only if there is an indication that the systems they administer are under elevated risk.

“If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected,” the company pointed out.

Also, the workaround changes the ownership of the vulnerable JScript.dll, which has to be reverted again when the workaround is undone (before patching).

“This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser,” explained Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, a solution that aims to provide fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.

The micropatch

Since the February Patch Tuesday is quite a while away and since Windows 7 and Windows Server 2008 R2 users without Extended Security Updates might not get the patch at all, ACROS Security decided to provide a micropatch that simulates the offered workaround (restricts access to the vulnerable JScript.dll) without its negative side effects (reduced functionality for components or features that rely on that particular .dll).

The company has ported the micropatch to Windows 7, Windows 10, Windows Server 2008 R2 and Windows Server 2019 (both 32-bit and 64-bit).

Those who already use 0patch can implement the micropatch immediately and remove it easily when Microsoft finally provides a patch (although Microsoft’s patch will take precedence over the micropatch, so even removing it is not actually required).

A video of the micropatch accompanies the original article.