November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release, or maybe an early gift, depending upon how you look at it: a new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.
The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!
This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.
A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.
This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.
Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.
November 2020 Patch Tuesday forecast
- Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates to include ESUs are expected.
- Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
- Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
- Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
- Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.
It’s October and that means Halloween will be here at the end of the month. It won’t be much fun if we only get to ‘dress up’ and look at each other via video conference. But then, we’ve had a lot of ‘tricks’ thrown at us this last month – Zerologon, explosion of ransomware, COVID phishing attacks, and more. Will we get more tricks next week or are we in for a treat on Patch Tuesday?
The Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472, also referred to as the Zerologon vulnerability, dominated the news this past month. The US Department of Homeland Security issued Emergency Directive 20-04 on September 18, requiring all government agencies with a domain controller to update their servers within three days.
Microsoft has also issued updated guidance since the August Patch Tuesday release to clarify the steps needed to secure systems with this vulnerability. Per the outlined process in the article, the first step is to apply the August 11 updates which will begin enforcement of Secure RPC (Remote Procedure Call), but still allow non-compliant devices to connect and log the connections. Full enforcement will begin with the deployment of the February 9, 2021 updates.
All systems in your environment should be updated and monitored between now and February to verify they are configured and using the secure channels properly. Once the February updates are deployed, only vulnerable systems explicitly listed in group policy will be allowed to connect to the domain controller.
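One way to do the monitoring described above, as an added example that is not part of the original post: summarise the Netlogon secure-channel events a domain controller records once the August updates are installed, so devices still negotiating a vulnerable channel can be fixed before February 2021 enforcement. The event IDs 5827 to 5831 come from Microsoft's CVE-2020-1472 guidance and are not listed on this page; the device names in the sample are constructed.

```powershell
# Added example (not from the original post): summarise Netlogon secure-channel
# events (IDs 5827-5831, from Microsoft's CVE-2020-1472 guidance) on a domain
# controller so non-compliant devices can be found before the February 2021
# enforcement phase.
function Get-NetlogonSecureChannelSummary {
    [CmdletBinding()]
    param(
        # Domain controller to query; the local machine by default.
        [string]$ComputerName = $env:COMPUTERNAME,
        # Look-back window in hours.
        [int]$Hours = 24,
        # Pre-collected events (objects with Id, TimeCreated, Message). When supplied,
        # no live query is made; the constructed sample below uses this path.
        [object[]]$Events
    )

    # What each event ID means for the rollout; 5829 is the actionable one.
    $meaning = @{
        5827 = 'DENIED  - machine account attempted a vulnerable Netlogon secure channel'
        5828 = 'DENIED  - trust account attempted a vulnerable Netlogon secure channel'
        5829 = 'ALLOWED - vulnerable connection permitted only during the deployment phase (fix before enforcement)'
        5830 = 'ALLOWED - machine account listed in the group policy exception'
        5831 = 'ALLOWED - trust account listed in the group policy exception'
    }

    if (-not $Events) {
        # Live query of the System log on the domain controller.
        $Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5827, 5828, 5829, 5830, 5831
            StartTime    = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue
    }

    $Events |
        Group-Object -Property Id |
        ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                EventId  = $id
                Count    = $_.Count
                Meaning  = $meaning[$id]
                LastSeen = ($_.Group | Sort-Object TimeCreated -Descending |
                            Select-Object -First 1).TimeCreated
                # Devices behind 5829 will be refused once enforcement begins.
                NeedsFix = ($id -eq 5829)
            }
        } |
        Sort-Object EventId
}

# Constructed sample events (not real log data) so the function runs offline.
$sampleEvents = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = (Get-Date).AddHours(-3); Message = 'constructed: legacy-nas01 allowed (deployment phase)' }
    [pscustomobject]@{ Id = 5829; TimeCreated = (Get-Date).AddHours(-1); Message = 'constructed: legacy-nas01 allowed (deployment phase)' }
    [pscustomobject]@{ Id = 5827; TimeCreated = (Get-Date).AddHours(-2); Message = 'constructed: oldprinter02 denied' }
    [pscustomobject]@{ Id = 5830; TimeCreated = (Get-Date).AddHours(-5); Message = 'constructed: scada-gw allowed by policy' }
)

Get-NetlogonSecureChannelSummary -Events $sampleEvents | Format-Table -AutoSize

# On a real domain controller, omit -Events to query the last 24 hours of the System log:
# Get-NetlogonSecureChannelSummary -Hours 24 | Format-Table -AutoSize
```

Any rows with NeedsFix set to True are the devices to track down between now and February; a 5829 count that stays at zero across the window is the sign that the environment is ready for enforcement.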
It’s not unexpected that the education community has been hit the hardest by cyberattacks in the past several months. Students of all ages are now spending many hours online in daily remote learning sessions and are constantly exposed to a full host of attacks. The Microsoft Security Intelligence center is showing that 62% of malware encounters are affecting this industry.
As funny as it may sound, this is partially an ‘education’ issue. Most students haven’t received any form of security training and need to be aware of phishing attacks and what to look for, the importance of strong passwords, the need to keep personal or ‘sensitive’ information private, and similar practices we in the industry often take for granted.
With the sudden increase of connections from personal computers, many of which are running out-of-date software, it is more important than ever to maintain solid security practices for the infrastructure and support systems. Teachers should be running authorized software and IT must be prepared to apply the latest security updates, especially for programs like Zoom, WebEx, GoToMeeting, etc., which are critical for remote learning. We’ll weather this storm and the good news is that we’ll have a more security-aware group entering the workforce in the upcoming years.
October 2020 Patch Tuesday forecast
- Microsoft continues to address record numbers of vulnerabilities each month. Expect that to continue in October. Microsoft Exchange Server received a major update last month, so I don’t expect another one. But we will see the standard updates for operating systems and Office, and extended support updates for Windows 7 and Server 2008.
- Select servicing stack updates (SSUs) should appear as they usually do.
- The last security updates for Adobe Acrobat and Reader were in August. There are no pre-announcements on their web site, but we may see an update.
- Apple will most likely release major security updates for iTunes and iCloud later in October if they maintain their quarterly schedule.
- Google Chrome 86 was released this Tuesday with significant security updates. Don’t expect any updates around Patch Tuesday.
- Security updates were released on September 22 for Mozilla Firefox and Thunderbird. We could see some additional updates next week.
In summary, expect the standard set of Microsoft releases, maybe some updates from Adobe, and probably two from Mozilla. Based on this limited list of updates, it sounds like we should be in for a treat!
On this September 2020 Patch Tuesday:
- Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
- Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
- Intel has released four security advisories
- SAP has released 10 security notes and updates to six previously released notes
Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.
Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.
“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.
“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.
Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.
CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.
He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.
“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.
Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.
The AEM and AEM Forms updates are more important than the rest.
The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.
None of the fixed vulnerabilities are being currently exploited in the wild.
Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.
SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).
Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.
Another month has passed working from home and September Patch Tuesday is upon us. For most of us here in the US, September usually signals back to school for our children and with that comes a huge increase in traffic on our highways. But I suspect with the big push for remote learning from home, those of us in IT may be more worried about the increase in network traffic. So, should we expect a large number of updates this Patch Tuesday that will bog down our networks?
The good news is that I expect a more limited release of updates from Microsoft and third-party vendors this month. In August, we saw a HUGE set of updates for Office and also an unexpected .NET release after just having one in July.
Also looking back to last month, there were some reported issues on the Windows 10 version 1903, 1909, and 2004 updates. Applying the updates for KB 4565351 or KB 4566782 resulted in a failure for many users on automatic updates with return codes/explanations that were not very helpful. Let’s hope the updates are more stable this month without the need to re-apply, or worse, redistribute these large updates across our networks using even more bandwidth.
Last month I talked about software end-of-life (EOL) and making sure you had a plan in place to properly protect your systems in advance. Just as an early reminder we have the EOL of Windows Embedded Standard 7 coming up on October Patch Tuesday. Microsoft will offer continued Extended Security Updates (ESUs) for critical and important security updates just like they did for Windows 7 and Server 2008.
These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021 along with the announcement that Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience. These changes are all still a few months out but plan accordingly.
September 2020 Patch Tuesday forecast
- We’ll see the standard operating system updates, but as I mentioned earlier, with the large Office and individual application updates released last month, expect a smaller and more limited set this time.
- Servicing stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
- A security update for Acrobat and Reader came out last Patch Tuesday. There are no pre-announcements on their web site so we may see a small update, if any.
- Apple released security updates last month for iTunes and iCloud, so we should get a break this month if they maintain their quarterly schedule.
- Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
- We’re due for a Mozilla security update for Firefox and Thunderbird. The last security release was back on August 25.
Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.
A week after July 2020 Patch Tuesday, Adobe has released out-of-band security updates to fix thirteen vulnerabilities – twelve of which are critical – in Adobe Photoshop, Bridge, Prelude, and Reader Mobile.
The good news is that none of these vulnerabilities are currently being exploited in the wild, and that most of them are in products that have historically not been a target for attackers.
Adobe considers the update for the mobile versions of Reader for Android to be the one users and admins should implement soon, even though it fixes “just” a single information disclosure flaw.
The Adobe Photoshop updates deliver fixes for Photoshop CC 2019 and Photoshop 2020 on Windows and macOS, which resolve five critical out-of-bounds read/write issues that could lead to arbitrary code execution.
The Adobe Prelude update (for Windows and macOS) fixes four out-of-bounds read/write flaws that may allow arbitrary code execution, and the Adobe Bridge update (for Windows and macOS) fixes three.
Aside from the Mobile Reader update, the others are not that pressing – although they are important for individuals and organizations that work on photo and video production: Photoshop is widely used for editing images and producing digital art, Adobe Prelude is a logging tool for tagging media with metadata for searching, post-production workflows, and footage lifecycle management, and Adobe Bridge is a digital asset management app.
All of the out-of-bounds read/write vulnerabilities fixed in this round of security updates were flagged by Mat Powell of Trend Micro Zero Day Initiative and, according to ZDI’s Dustin Childs, they can be triggered if the target opens a specially crafted file (MOV, MP4, 3GP) or visits a malicious website.
Last week, Adobe fixed a wide variety of flaws in Adobe ColdFusion, Adobe Genuine Service, Adobe Download Manager, Adobe Media Encoder and Adobe Creative Cloud Desktop Application.
Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life (EOL) and end-of-support (EOS) on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1.
Unfortunately, there are still too many (over 100,000) active Magento 1.x installations. The company is urging their owners and admins to migrate to Magento 2.x or risk being hit once another critical and easily exploited vulnerability is unearthed and its existence made public.
Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.
Nearly four years ago (and possibly even earlier), cyber crooks started concentrating on breaching Magento-based shops and injecting them with scripts that quietly grabbed users’ personal and payment card information and sent it to a server they controlled.
Since then, the tactic has been used and continues to be used by many cyber criminal groups, which have been classified by security companies as “Magecart” attackers. As they are quick to exploit newfound vulnerabilities in the Magento core and third-party extensions, hardly a day passes without news about another online shop having been compromised.
If you decide to stick with Magento 1
“If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance,” Adobe warned.
Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorized accounts, using a web application firewall, and so on.
“General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data,” Adobe explained.
Companies risk their reputation, the trust of their customers, fines and may even lose their credit card processing ability if they fail to protect user information.
Another thing: the end of support for Magento 1 also means that some extensions merchants use will not be available anymore.
“We encourage Magento 1 merchants to download the Magento 1 extensions they plan to keep, since Magento 1 extensions will not be available in the Magento Marketplace after July 7, 2020, and will be removed from the Magento repository after August 6, 2020,” Adobe noted last week.
Magento 2 or something else?
PayPal, Visa and other payment processing companies and payment platforms have also been urging merchants to make the switch to Magento 2.
Even though Magento 2 was released five years ago, and even though the migration from Magento 1 to Magento 2 can be performed using an official Data Migration Tool, the number of Magento 2 installations is still lagging (it’s currently around 37,500 installations).
As “painful” and costly as it may be, this EOL will hopefully push many of them to finally make the switch – or make the switch to an alternative platform.
“2020 has been a tumultuous year for retailers. Merchants should not have to worry about security issues or upgrading their ecommerce platform while they are in the middle of adapting to drastically changed consumer behaviors and expectations. Amidst the list of business-critical priorities a merchant needs to focus on, worrying about what’s happening with a Magento migration or installation should not be included,” noted Jimmy Duvall, Chief Product Officer at BigCommerce.
A week after the June 2020 Patch Tuesday, Adobe has plugged more critical security holes in some of its well known graphic design and video and audio editing software. The company has also announced that it will be adding the Protected Mode feature (i.e., a sandbox) to the Windows version of Adobe Acrobat DC.
The security updates
Both the Adobe Illustrator and the Adobe After Effects updates fix five flaws that can lead to code execution. The Adobe Premiere Pro and Adobe Premiere Rush updates fix three of them, and the Adobe Audition update resolves two.
Finally, the update for Adobe Campaign, a software application for coordinating the creation of conversational marketing campaigns, fixes just one “important” vulnerability that ultimately could lead to information disclosure.
The priority rating for all of these updates is not high, because they resolve vulnerabilities in products that have historically not been a target for attackers. Also, none of the vulnerabilities are actively exploited by attackers. Nevertheless, admins should not take long to install the updates.
Protected Mode for Adobe Acrobat DC
Adobe Acrobat DC is the subscription version of Acrobat combined with Document Cloud services, and allows users to create PDFs, export them, edit them, sign them, share them, etc.
“Enabling Protected Mode in Acrobat DC provides additional layers of protection that help you better protect desktop environments from potentially malicious code. Documents and application code are isolated within a ‘Sandbox’ (i.e. a confined execution environment). This offers additional protections should users inadvertently open malicious PDFs,” the company shared.
Protected Mode is still in preview, and can be enabled through Acrobat’s security preferences or by setting a specific registry key.
The move comes nearly ten years after Adobe added the feature to Acrobat Reader DC, its widely used (free) PDF reader.
It’s been a hectic month for everyone worldwide, but we may get a small break in the action this patch Tuesday. The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management.
Threat actor activity around COVID-19 exploitation increased dramatically in April. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity. This advisory provides a detailed summary of several attacks and valuable links to actions you can take for mitigation.
The number of reported COVID-themed attacks, particularly phishing, has risen more than 475 percent according to a BitDefender Labs blog post, and that was in March. Coupled with this rising threat is the challenge of managing a now dispersed work force on previously unused remote and BYOD devices, resulting in a higher risk of a security breach.
IT departments are stretched to the limit, ‘keeping the lights on’ for many businesses and they have little time to deal with the added complexities of deploying regular security updates to these devices.
Oracle released their Critical Patch Updates (CPU) last month which happened to coincide with April Patch Tuesday (it is usually the week after). They had 399 updates across their entire product line. These included updates for Java 7, 8, 11, and 14. A total of 15 vulnerabilities were addressed with CVE-2020-2803 having the highest base CVSS 3.0 score at 8.3.
If you are running the Java JRE in your environment, please update your 7 or 8 versions. If you are developing applications with Java, get the latest 11 or 14 updates to ensure these vulnerabilities are addressed. The next Oracle CPU is scheduled for July.
One break last month came from Microsoft when they delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13, 2020 and the SharePoint 2010 Family – SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010 – to April 13, 2021. There was a sigh of relief from a few people.
Also last month, Microsoft addressed 113 CVEs in the patch Tuesday release, which included fixes to font vulnerabilities CVE-2020-1020 and CVE-2020-0938 associated with Advisory 20006. With record numbers of CVEs being fixed each month and the growing threat actor activity, it is more important than ever to keep your systems up-to-date with these latest releases.
May 2020 Patch Tuesday forecast
- Microsoft should release a .NET update this month in addition to the usual OS and application set. We’ll see if the high number of resolved CVEs continues.
- Expect new servicing stack updates (SSUs) for select operating systems this month; most have been getting periodic updates.
- The Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released on Patch Tuesday as usual. Also be aware that Microsoft released an updated licensing preparation package this week under KB 4538483.
- We should see Windows 10 2004, the May release as it is being called, either next Tuesday or soon thereafter.
- Google released a security update for Chrome 81 this week.
- Similarly, Mozilla provided security updates this week for Firefox 76, Firefox ESR 68, and Thunderbird 68.
- The last security updates for Adobe Acrobat and Reader were in March; we may see an update this month, but Adobe has been releasing major security updates quarterly, so this is more likely to occur in June.
The adage says we should soon see May flowers. With most of the third-party vendors releasing their security updates this week we should have a light patch Tuesday coming. Take some time and smell those roses. After this past month we’ve all earned it.
Adobe has pushed out security updates fixing critical flaws in Magento Commerce, Open Source Enterprise and Community editions, Adobe Illustrator 2020 for Windows, and Adobe Bridge for Windows.
Magento security update
According to the security bulletin published on Tuesday, thirteen flaws in all have been reported, all but one affecting all supported versions of Magento, the popular e-commerce platform.
Six of the Magento vulnerabilities are deemed critical: they are either command injection or security mitigation bypass flaws, and could be exploited to achieve arbitrary code execution by unauthenticated, remote attackers.
The rest are less severe and could lead to sensitive information disclosure, arbitrary code execution, unauthorized access to admin panel (only on Magento 1 versions), signature verification bypass, and potentially unauthorized product discounts.
Admins are advised to upgrade their installations to one of the fixed versions soon (within 30 days):
- Magento Commerce (2.3.4-p2 Commerce or 2.3.5 Commerce)
- Magento Open Source (2.3.4-p2 Open Source or 2.3.5 Open Source)
- Magento Enterprise Edition 18.104.22.168
- Magento Community Edition 22.214.171.124
Adobe Illustrator and Bridge vulnerabilities
The Adobe Illustrator vector graphics editor has been updated to close five critical memory corruption vulnerabilities that could be exploited for arbitrary code execution.
The security holes affect Illustrator 2020 versions 24.0.2 and earlier on Windows, and have been plugged in version 24.1.2.
Versions 10.0.1 and earlier of the digital asset management application Adobe Bridge for Windows sport seventeen vulnerabilities, fourteen of which are critical. Users are advised to upgrade to version 10.0.4.
The Magento update is considered more important than those for Illustrator and Bridge, mainly because the latter have, historically, not been a target for attackers. Magento, on the other hand, is famously and continuously targeted by Magecart attackers.
Adobe failed to release security updates on March 2020 Patch Tuesday, but has pushed them out this Tuesday, for Acrobat and Reader, Photoshop, ColdFusion, Experience Manager, Bridge, and Genuine Integrity Service.
41 vulnerabilities in all have been patched, 29 of which are considered critical and 11 important. None of them are under active exploitation.
The heftiest updates are those for Photoshop (CC 2019 and 2020) and Acrobat and Reader (DC, 2017 and 2015) for Windows and macOS.
The Photoshop updates fix 16 vulnerabilities that could be exploited for arbitrary code execution in the context of the current user and 6 that could lead to disclosure of information.
The Acrobat and Reader updates contain fixes for 8 flaws that could be exploited for code execution, 3 for information disclosure and 1 for escalating privileges on compromised systems.
Users of the ColdFusion web-application development platform should also update as soon as possible to plug two holes: one that could allow an arbitrary file read from the Coldfusion install directory and another that could lead to arbitrary code execution of files located in the webroot or its subdirectory.
ColdFusion versions 2016 and 2018 for all platforms are affected, but ColdFusion servers deployed with the recommended lockdown installer are not impacted by these flaws.
Adobe Bridge updates for Windows and macOS fix two critical flaws, the Adobe Genuine Integrity Service update for Windows fixes one insecure file permissions vulnerability that could be used for privilege escalation, and the Adobe Experience Manager updates (available for all platforms) plug a server-side request forgery (SSRF) flaw that could lead to sensitive information disclosure.
It’s March 2020 Patch Tuesday and Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The good news is that none of them are under active attack.
For the time being, Adobe seems to be skipping this Patch Tuesday and there’s no indication whether the customary security updates are just delayed or there won’t be any at all in the coming days.
Last month, Microsoft plugged 99 security holes in a variety of its products. Unexpectedly, this month the number is even higher.
The 26 critical flaws all allow remote code execution, but some are more easily exploited than others.
For example, CVE-2020-0852 affects Microsoft Word and exploitation can be achieved without the target having to open a specially crafted file that would trigger it.
“Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user,” noted Trend Micro’s Zero Day Initiative’s Dustin Childs, and pointed out that having a bug that doesn’t require tricking someone into opening a file should be enticing to malware and ransomware authors.
Also, once again, the company fixed yet another RCE (CVE-2020-0684) that can be triggered when a vulnerable target system processes a specially crafted .LNK file.
CVE-2020-0872 is an RCE affecting Microsoft Application Inspector (version v1.0.23 or earlier), the recently released source code analyzer that comes in handy for checking open source components for unwanted or risky features.
“To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component,” Microsoft explained.
“Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January,” Childs noted. “It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.”
CVE-2020-0905 is an RCE affecting the Dynamics Business Central client and could allow attackers to execute arbitrary shell commands on a target system.
“While this vulnerability is labeled as ‘Exploitation Less Likely,’ considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations,” urged Animesh Jain, Product Manager of Vulnerability Signatures at Qualys.
Childs is of the same mind. “Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly,” he added.
It must also be pointed out that, in this batch of fixes, there is one for a spoofing vulnerability in Microsoft Exchange Server, but this flaw is less serious than CVE-2020-0688, a fix for which was released in February but is still being actively exploited in the wild. Admins are advised to plug that security hole ASAP (if they haven’t already).
Mozilla updates Firefox
Adobe might not have released security updates on this March 2020 Patch Tuesday, but Mozilla released Firefox 74, with TLS 1.0 and TLS 1.1 disabled by default, stricter rules for add-ons, a tool for preventing Facebook from tracking users around the web, and several developer features.
No critical flaws have been fixed in this edition of the popular browser and Firefox ESR 68.6 (also released today).
Richard Melick, Sr. Technical Product Manager, Automox, pointed out that while none of the Firefox flaws patched this time are under active exploitation, the time to weaponization averages 7 days, so users/admins should upgrade as soon as possible.
“Impacting the iPhone, CVE-2020-6812 stood out as a vulnerability that would allow a website with camera or microphone access to gather information on the user through the connected AirPods. While not the most critical, this information could be gathered and help adversaries track a user and further gather more personally identifiable information if left unpatched. Essentially, if you’re listening in, someone else may be as well,” he added.
Did you survive the madness of February 2020 Patch Tuesday and its aftermath? We saw Windows 7 and Server 2008 finally move into extended security support and then Microsoft pulled a rare, standalone Windows 10 security patch following some unexpected results.
For some of us, these two events caused a bit of chaos until they were sorted out. Let’s take a quick look in the rearview mirror, before jumping ahead to what looks like an easy drive for March.
Microsoft did a great job providing information and testing tools in advance of the Windows 7 and Server 2008 end-of-life, but that doesn’t mean everyone was ready when it happened. The extended security updates (ESUs) are supplied as part of the update catalog, but installation on the endpoint fails without first installing and activating a subscription key. Other prerequisites include the appropriate SHA-2 code signing update and the latest servicing stack updates (SSUs), which, if you have been patching regularly, you will have already installed.
So, last Patch Tuesday, as you can imagine, getting the systems to the proper state with all three components in place (activated key, SHA-2 update, and latest SSU) and then applying the new ESU patches was disruptive for some. But now that everyone has been through the procedure, the process of applying the March updates should be much smoother.
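The three prerequisites above are easy to check before the ESU patches are pushed. The following pre-flight script is an added example, not code from the forecast or from Microsoft. It assumes the two KB identifiers are replaced with the SHA-2 code-signing update and the servicing stack update named in Microsoft’s ESU guidance (the values below are placeholders), and it assumes that `slmgr.vbs /dlv all` prints, for the activated ESU key, a `Name:` line containing “ESU” followed by a `License Status:` line.

```powershell
# Added example: ESU readiness check for a Windows 7 SP1 / Server 2008 R2 host.
# Written for Windows PowerShell 2.0, which is what those systems ship with.
param(
    [string]$Sha2UpdateKb = 'KB0000000',   # placeholder: SHA-2 code-signing update KB
    [string]$LatestSsuKb  = 'KB0000000'    # placeholder: latest servicing stack update KB
)

function Test-RequiredHotfix {
    # True when the given KB shows up in the installed hotfix list
    param([string]$KbId)
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KbId }
    return ($null -ne $hit)
}

function Get-EsuLicenseStatus {
    # Walks the slmgr /dlv output and returns the License Status of the first
    # product whose Name mentions ESU (assumption about the output layout),
    # or 'Not found' when no ESU product is listed at all.
    $output = cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /dlv all
    $inEsuBlock = $false
    foreach ($line in $output) {
        if ($line -match '^Name:\s*(.*)$') {
            $inEsuBlock = ($Matches[1] -match 'ESU')
        }
        elseif ($inEsuBlock -and $line -match '^License Status:\s*(.*)$') {
            return $Matches[1].Trim()
        }
    }
    return 'Not found'
}

# Each entry: label, pass/fail
$checks = @(
    @('SHA-2 code-signing update',      (Test-RequiredHotfix $Sha2UpdateKb)),
    @('Latest servicing stack update',  (Test-RequiredHotfix $LatestSsuKb)),
    @('ESU key activated',              ((Get-EsuLicenseStatus) -eq 'Licensed'))
)

foreach ($check in $checks) {
    $status = if ($check[1]) { 'OK' } else { 'MISSING' }
    '{0,-32} {1}' -f $check[0], $status
}

if ($checks | Where-Object { -not $_[1] }) {
    Write-Warning 'Host is not ready: ESU patches will fail to install until every item reports OK.'
}
```

Run it as an administrator on each endpoint (or through your management tool) ahead of the deployment window; anything reporting MISSING has to be fixed in the order the post gives, key activation first, before the ESU patches themselves are offered.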
The release and subsequent removal of KBs 4524244 and 4502496 created a lot of discussion and confusion. Woody Leonhard provided a detailed chronology and technical breakdown in his article. This is a complicated situation involving the Unified Extensible Firmware Interface (UEFI) boot loader.
In summary, Microsoft released this security update to fix an issue where a third-party UEFI boot manager could allow a reboot that bypasses Secure Boot entirely. Booting into a hostile operating system this way would compromise the system. Keep in mind this does require physical access to the system. Unfortunately, there were unexpected side effects to the fix, which included breaking other boot routines, most notably on HP PCs with Ryzen processors. The updates were pulled, and we are waiting to see if Microsoft re-releases a more comprehensive fix this Patch Tuesday.
I mentioned in the forecast last month that the Microsoft Security Advisory 190023 contained more detail on the upcoming security features for the Lightweight Directory Access Protocol (LDAP). This advisory was again updated on February 28, with recommendations on using the new options to harden this protocol.
The advisory specifically stated, “The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.” These features will be included in the March Patch Tuesday updates, so take advantage and enable them. Also follow best practices and experiment on your test systems before rolling out to production.
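Because the March updates leave the LDAP signing and channel binding settings alone, enabling them is the admin’s job. The script below is an added example (not part of the forecast and not Microsoft’s code) for auditing a domain controller, and optionally enforcing the hardened values, in an elevated PowerShell session. It assumes the registry value names and the Directory Service event IDs are those documented in Advisory 190023, that `-LogClients` may be used first so that event 2889 names the clients still binding without signing, and that `-Enforce` is only run after that list has been cleared on a test domain.

```powershell
# Added example: audit and optionally enforce LDAP signing / channel binding on a DC.
param(
    [switch]$LogClients,   # raise LDAP interface diagnostics so event 2889 lists offending clients
    [switch]$Enforce       # write the hardened values to the registry
)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Hardened target values per ADV190023:
#   LDAPServerIntegrity       2 = require signing on SASL (Kerberos/NTLM/Digest) binds
#   LdapEnforceChannelBinding 2 = always require a channel binding token on LDAPS binds
$targets = @{
    'LDAPServerIntegrity'       = 2
    'LdapEnforceChannelBinding' = 2
}

function Get-LdapHardeningState {
    # One object per setting; Current is $null when the value has never been set
    foreach ($name in $targets.Keys) {
        $current = (Get-ItemProperty -Path $ntdsKey -Name $name -ErrorAction SilentlyContinue).$name
        New-Object PSObject -Property @{
            Setting   = $name
            Current   = $current
            Target    = $targets[$name]
            Compliant = ($current -eq $targets[$name])
        }
    }
}

function Get-UnsignedBindSummary {
    # Signing-related events from the last 24 hours in the Directory Service log:
    #   2886 = DC does not require signing (logged daily while unhardened)
    #   2887 = daily count of unsigned / clear-text binds the DC accepted
    #   2889 = a single client that bound without signing (needs diagnostics level 2)
    $filter = @{ LogName = 'Directory Service'; Id = 2886, 2887, 2889; StartTime = (Get-Date).AddDays(-1) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

$state = Get-LdapHardeningState
$state | Format-Table Setting, Current, Target, Compliant -AutoSize
Get-UnsignedBindSummary | Format-Table -AutoSize

if ($LogClients) {
    # Level 2 makes the DC log event 2889 with the IP address of every unsigned bind
    Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    'LDAP interface diagnostics raised to 2; review event 2889 before enforcing.'
}

if ($Enforce) {
    foreach ($item in ($state | Where-Object { -not $_.Compliant })) {
        Set-ItemProperty -Path $ntdsKey -Name $item.Setting -Value $item.Target -Type DWord
        "Set $($item.Setting) to $($item.Target)"
    }
}
```

The audit output is the useful part: a non-zero 2887 count means clients are still binding unsigned, and forcing `LDAPServerIntegrity` to 2 at that point will break them. Run with `-LogClients`, fix or reconfigure the clients that appear in event 2889, and only then run with `-Enforce`, as the post advises, on test systems first.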
March 2020 Patch Tuesday forecast
- Microsoft addressed the highest number of CVEs in recent memory last month, so expect a lighter set of updates next week. The ESUs should again track the CVEs addressed with the other standard support operating systems. Office updates were light last month, so there may be a few more coming.
- Mozilla had some major updates for all products last month but expect a minor update next week. Vulnerabilities continue to pop up in browser-related products.
- Google just released their security update for Chrome this week, so I don’t expect to see anything on Patch Tuesday.
- Apple released their first major updates in January, so we may see a minor update.
- Adobe issued major updates for Reader and Acrobat last month, so we should only see a minor update this month if any. I’ll go out on a limb and say we won’t see a Flash update this month.
The forecast for updates looks light this month, so breathe a sigh of relief as we leave the February madness behind.
Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution.
About the fixed vulnerabilities
According to the newest Magento-themed security bulletin (now published as an Adobe security bulletin), three of the six fixed flaws are critical and three are important.
In the “critical” category are a deserialization of untrusted data (CVE-2020-3716) and a security bypass (CVE-2020-3718) that could lead to arbitrary code execution, and an SQL injection (CVE-2020-3719) that could be exploited to leak sensitive information.
In the “important” category are two stored cross-site scripting flaws (CVE-2020-3715, CVE-2020-3758) and a path traversal (CVE-2020-3717) vulnerability, all of which could lead to sensitive information disclosure.
All of these have been patched in:
- Magento Commerce versions 2.3.4 and 2.2.11
- Magento Open Source versions 2.3.4 and 2.2.11
- Magento Enterprise Edition (EE) version 126.96.36.199
- Magento Community Edition (CE) version 188.8.131.52
At the moment, there is no indication that any of these might be actively exploited by attackers. Nevertheless, users/admins are advised to update their installations as soon as possible.
Magento shops are a major target
Magento is one of the most popular open-source e-commerce platforms out there, but web stores running it have unfortunately become a prime – though not exclusive – target for card-skimming cybercriminals (aka Magecart attackers).
Vulnerabilities in the Magento core are just one vector through which attackers can gain access to online shops to insert card-skimming code into them. Other avenues of attack include bugs in popular extensions and plug-ins, phishing emails lobbed at site admins, and compromise of third parties that serve scripts on the target site(s).
Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home.
The most broadcast news of the year was the exposure of personal information in over 500 million Facebook accounts. This security incident was the result of servers not properly configured, allowing open public access. This was reported in April and additional accounts were exposed in September. Proper security configuration is definitely a challenge across thousands of servers, but it is THE fundamental security requirement before dealing with software vulnerabilities.
Next up in public view was the compromise of Epic Games’ servers that hosted the wildly popular Fortnite game. This security incident back in January was the result of several software vulnerabilities being exploited, resulting in another situation where personal account information was stolen. It is estimated that the security compromise impacted over 200 million gamers worldwide.
Breaches and data loss were not limited to these two social or consumer sites. Reported breaches included Capital One and First American from the financial industry, LabCorp and Quest Diagnostics from the medical field, and the Federal Emergency Management Agency (FEMA) from the government sector. From the report estimates I’ve seen, there will be an unprecedented 5+ billion records stolen this year.
Getting back to the Patch Tuesday forecast, the big news (maybe the elephant in the room, to use an old phrase) is that next month, January Patch Tuesday, we’ll see the last free update of Windows 7 and Server 2008/2008 R2. Windows 7 continues to be a popular operating system, having only been overtaken by Windows 10 in January 2019.
Despite the approaching end-of-life, Windows 7 slowly dropped from 36% to 28% in worldwide Microsoft market share throughout the year. After that final update, a lot of consumer desktops and laptops will go unpatched until they finally stop working and are replaced. Many will be compromised, resulting in stolen personal data, but even worse they will be used for additional attacks against our corporate systems.
It will be interesting to see how this possible threat plays out in 2020. In the meantime, be aware that Microsoft has released additional guidance on preparing your Windows 7 machines for extended security updates if you continue to subscribe.
This looks like a busy Patch Tuesday coming up, so I am going to trust all of you to configure and update your systems. It’s time to buy those last presents online. Now where did I put that credit card again?
December 2019 Patch Tuesday Forecast
- Microsoft will provide the usual round of updates including the monthly rollups and security-only patches for all the operating systems, along with Office, SharePoint server, and Internet Explorer. Based on their current track record, expect another round of servicing stack updates as well. We may also see a .NET update this month.
- An update is coming for Acrobat and Reader; Adobe provided a pre-notification they will release APSB19-55 next week. The most recent security Flash release was September Patch Tuesday, so we may see a final one to close out the year, but no promises.
- Chrome 79 is scheduled for release from Google.
- We may see an ‘Apple Patch Tuesday,’ although they don’t always release on Tuesday, with security updates for macOS, iTunes and/or iCloud for Windows. Keep an eye on these because I suspect Apple wants to wrap up the year with up-to-date, secure software.
- Mozilla released security updates for Firefox 71, Thunderbird 68.3 and Firefox ESR 68.3 on Monday this week. Anything released next week would be minor bugfixes, but definitely make sure you install these security fixes.
Microsoft today released updates to plug security holes in its software, including patches to fix at least 74 weaknesses in various flavors of Windows and programs that run on top of it. The November updates include patches for a zero-day flaw in Internet Explorer that is currently being exploited in the wild, as well as a sneaky bug in certain versions of Office for Mac that bypasses security protections and was detailed publicly prior to today’s patches.
More than a dozen of the flaws tackled in this month’s release are rated “critical,” meaning they involve weaknesses that could be exploited to install malware without any action on the part of the user, except for perhaps browsing to a hacked or malicious Web site or opening a booby-trapped file attachment.
Perhaps the most concerning of those critical holes is a zero-day flaw in Internet Explorer (CVE-2019-1429) that has already seen active exploitation. Today’s updates also address two other critical vulnerabilities in the same Windows component that handles various scripting languages.
Microsoft also fixed a flaw in Microsoft Office for Mac (CVE-2019-1457) that could allow attackers to bypass security protections in some versions of the program.
Macros are bits of computer code that can be embedded into Office files, and malicious macros are frequently used by malware purveyors to compromise Windows systems. Usually, this takes the form of a prompt urging the user to “enable macros” once they’ve opened a booby-trapped Office document delivered via email. Thus, Office has a feature called “disable all macros without notification.”
But Microsoft says all versions of Office still support an older type of macros that do not respect this setting, and can be used as a vector for pushing malware. Will Dormann of the CERT/CC has reported that Office 2016 and 2019 for Mac will fail to prompt the user before executing these older macro types if the “Disable all macros without notification” setting is used.
Other Windows applications or components receiving patches for critical flaws today include Microsoft Exchange and Windows Media Player. In addition, Microsoft also patched nine vulnerabilities — five of them critical — in Windows Hyper-V, an add-on to the Windows Server OS (and Windows 10 Pro) that allows users to create and run virtual machines (other “guest” operating systems) from within Windows.
Although Adobe typically issues patches for its Flash Player browser component on Patch Tuesday, this is the second month in a row that Adobe has not released any security updates for Flash. However, Adobe today did push security fixes for a variety of its creative software suites, including Animate, Illustrator, Media Encoder and Bridge. Also, I neglected to note last month that Adobe released a critical update for Acrobat/Reader that addressed at least 67 bugs, so if you’ve got either of these products installed, please be sure they’re patched and up to date.
Finally, Google recently fixed a zero-day flaw in its Chrome Web browser (CVE-2019-13720). If you use Chrome and see an upward-facing arrow to the right of the address bar, you have an update pending; fully closing and restarting the browser should install any available updates.
Now seems like a good time to remind all you Windows 7 end users that Microsoft will cease shipping security updates after January 2020 (this end-of-life also affects Windows Server 2008 and 2008 R2). While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.
Standard heads-up: Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.
Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not freaking out when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches.
As ever, if you experience glitches or problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a decent chance other readers have experienced the same and may even chime in here with some helpful tips.
Update, Nov. 13, 11:34 a.m.: An earlier version of this story misstated some of the findings from CERT/CC, and misspelled the name of the researcher. The above post has been corrected.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.
Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks.
Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital protection.
Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse.
Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.
Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information.
As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.
A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump are just the beginning for many of those whose data are included.
A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.
For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.
Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.