Aug 01 2023

A step-by-step guide for patching software vulnerabilities

Category: Security patching, Security vulnerabilities | disc7 @ 8:59 am

The Cyber Threat Index 2023 by the Coalition anticipates a 13% increase in the average rate of Common Vulnerabilities and Exposures (CVEs) compared to 2022, projecting it to surpass 1,900 per month in 2023. This surge in CVEs poses a challenge for organizations as they grapple with managing the release of thousands of patches and updates every month.

Streamline your patch management process

First a quick disclaimer. Proper patch management relies on important factors like size of an organization, complexity of an IT environment, criticality of systems, and number of resources allocated to manage it all, so plan accordingly. Also, this advice assumes you already have some sort of endpoint management solution or function in place for deploying patches. If not, that’s step one.

Assuming you have a solution in place, the next step is to evaluate and prioritize patches.

Not all vulnerabilities are created equal, which means not all patches are either. But as vulnerabilities like WannaCry demonstrated, delayed patching can have catastrophic consequences. Therefore, it’s important to prioritize updates that fix the highest-severity non-superseded vulnerabilities and/or carry the highest exposure in each environment. For example, if you have an update that impacts only a few devices out of a thousand, and another that impacts 80% of devices, and both are critical, focus on the one that could have the biggest negative impact, and then address the others.

Once the critical updates are addressed, plan to move on to the non-critical patches, which are often driver updates or new software that enhances the user experience, and prioritize those based on their importance to business operations.

Many use the Common Vulnerability Scoring System (CVSS) to help prioritize updates, which is a good starting point. Just remember that many vulnerabilities rated at a medium severity level are ignored – and found to be the source of a breach later.
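The prioritisation rule above (severity, exposure, superseded updates dropped) written out as a small ranking routine. This is an added illustration, not code from the original post; the product-of-CVSS-and-exposure scoring, the patch records and the 1000-device fleet are constructed assumptions. Note how the medium-severity patch that touches every device outranks a critical that touches five, which is the case the last paragraph warns is routinely ignored.

```python
"""Rank pending updates by severity and exposure, skipping superseded ones.

Added illustration of the prioritisation rule in the text above; not code from
the original post. Patch records, CVSS scores and device counts are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Patch:
    id: str
    cvss: float                         # base score of the worst vulnerability it fixes
    affected_devices: int               # devices in this environment that still need it
    superseded_by: Optional[str] = None  # newer patch that already includes this one


def exposure(p: Patch, fleet_size: int) -> float:
    """Fraction of the fleet that carries the unfixed vulnerability."""
    return p.affected_devices / fleet_size if fleet_size else 0.0


def risk_score(p: Patch, fleet_size: int) -> float:
    """Severity-weighted exposure (assumed scoring): CVSS (0-10) times share of fleet.

    Two criticals with different reach are separated by exposure, and a medium
    that touches every device can still outrank a critical that touches almost none.
    """
    return p.cvss * exposure(p, fleet_size)


def prioritise(patches: List[Patch], fleet_size: int) -> List[Patch]:
    """Return non-superseded patches, highest risk first.

    Superseded patches are dropped because installing the newer one covers them;
    ties on risk fall back to raw CVSS so severity still decides.
    """
    live = [p for p in patches if p.superseded_by is None]
    return sorted(live, key=lambda p: (risk_score(p, fleet_size), p.cvss), reverse=True)


# Constructed sample: a 1000-device fleet with a mix of critical and medium updates.
SAMPLE_FLEET = 1000
SAMPLE_PATCHES = [
    Patch("KB-A", cvss=9.8, affected_devices=5),      # critical, but only five devices
    Patch("KB-B", cvss=9.8, affected_devices=800),    # critical, 80% of the fleet
    Patch("KB-C", cvss=5.4, affected_devices=1000),   # medium, every device
    Patch("KB-D", cvss=9.8, affected_devices=800, superseded_by="KB-B"),  # covered by KB-B
]

if __name__ == "__main__":
    for p in prioritise(SAMPLE_PATCHES, SAMPLE_FLEET):
        print(f"{p.id}: cvss={p.cvss} exposure={exposure(p, SAMPLE_FLEET):.1%} "
              f"risk={risk_score(p, SAMPLE_FLEET):.2f}")
```

Running it lists KB-B first, then the fleet-wide medium KB-C, then KB-A; KB-D never appears because its replacement is already in the queue. Swap in your own scanner export for the constructed list and the same ordering logic applies.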

Once you’ve prioritized the types of updates, the next step is to create guidelines for testing them before they go into production.

The last thing you want to do is break the system. Start by researching the criteria of each update and identifying which components require testing. Next, install each update on at least five off-network devices to be tested against proven success criteria. Record the evidence and have another person review it. Be sure to find out if the update has an uninstaller and use it to ensure complete and safe removal of outdated programs.

If you’re like most organizations, you’ll likely have tons of updates/patches happening all the time. But the more updates you install at any given time, the greater the risk of end-user disruption (i.e., a greater volume of data to download, longer installation times, system reboots, etc.).

Therefore, the next step is to assess your system’s bandwidth and calculate the total number and size of the updates against the total number and types of devices. This can prevent system overloads. When in doubt, plan to start with five updates and then reassess bandwidth.

Additionally, if you follow any change management best practices (such as ITIL, Prince2, or ServiceNow), it’s important you adhere to those processes for proper reporting and auditability. They usually require documentation on which updates are needed, the impact on a user, evidence of testing, and go-live schedules. Capturing this data properly through the above steps is often required for official approvals as it serves as a single source of truth.

We’ve now gotten to the point of deployment. The next step is to ensure deployment happens safely. I recommend using a patch management calendar when making change requests and when scheduling or reviewing new patch updates. This is where you define the baselines for the number of updates to be deployed and in which order. This should utilize information gathered from previous steps. Once that baseline is set, you can schedule the deployment and automate where necessary.

At last, we’ve made it to the final step: measuring success. This can be handled in a variety of ways, for example by the number of registered help desk incidents, the ease with which the process can be followed or repeated, or the number of positive reports provided by your toolsets. But ultimately what matters is swift deployment, streamlined repeatable processes, a reduction in manual requirements, and in the end, an organization that is less vulnerable to exploitation.

A quick note on where patching often goes awry

Believe it or not, some organizations still allow users to have local admin rights for patching. This creates major attack surfaces, and the reality is, no IT team should rely on end-users for patching (blanket admin rights are just too risky).

Some also rely on free tools, but these often do not deliver all the security needed for patching. They also generally don’t provide the necessary reporting to ensure systems are 100% patched (i.e., validation). And finally, there is an over-reliance on auto-updates. Auto-updates can provide a false sense of security and can impact productivity if they are triggered during work hours.

Conclusion

Whether large or small, organizations continue to struggle with patching. I hope this quick step-by-step guide of key considerations for patch management helps your organization create a new framework or optimize an existing one.


Tags: Vulnerability Management Program


Jan 31 2023

Hackers Exploiting Unpatched Exchange Servers in The Wild

Category: Hacking, Security patching | DISC @ 10:38 am

Microsoft has been strongly encouraging its customers to keep updating their Exchange servers, in addition to taking steps to ensure that the environment remains secured with robust security implementations.

While doing so, users can do the following things:-

The number of attacks against unpatched Exchange servers will not diminish as long as those servers remain unpatched. An unpatched on-premises Exchange environment gives threat actors too many opportunities to exfiltrate data and commit other illegal activities.

Numerous security flaws in Exchange Server have been uncovered in the past two years, leading to widespread exploitation in some cases.

Updating Unpatched Exchange Servers

Microsoft stresses that their security measures are temporary fixes and may not defend against all attack variations, thus requiring users to update security through provided updates.

Recent years have seen Exchange Server become an advantageous target for attackers due to numerous security vulnerabilities that have been exploited as zero-day attacks to penetrate systems.

Ensure the protection of your Exchange servers from exploits targeting recognized vulnerabilities by installing the latest cumulative update and the most recent security update that is supported.

The cumulative updates are available for:-

  • CU12 for Exchange Server 2019
  • CU23 for Exchange Server 2016
  • CU23 for Exchange Server 2013

The available security update:-

  • January 2023 SU

The cumulative updates and security updates for Exchange Server are cumulative, which means that only the most recent one needs to be installed.

It’s crucial to run Health Checker post-update installation to identify any manual tasks required by the admin. Using Health Checker, you can access step-by-step guides and articles that provide you with all the information you need.

Recommendations

The recommendations offered by Microsoft are:-

  • Always pay attention to the blog post announcements that Microsoft publishes, to keep informed of known issues and any manual actions Microsoft recommends or requires.
  • Make sure that you always review the FAQ before installing an update.
  • If you are looking for ways to inventory your servers and find out which of them need to be updated, then the Exchange Server Health Checker may help you.
  • Use the Exchange Update Wizard to upgrade your environment by selecting your current and target Cumulative Updates (CU) after determining the required updates.
  • The SetupAssist script can assist you in troubleshooting any errors that may occur during the update installation process.
  • There might be certain updates that you need to install on your Exchange server(s) in order to keep them up-to-date, so you should make sure that you do so.
  • Ensure to update dependent servers, such as Active Directory, DNS, and other servers utilized by Exchange, prior to installing necessary updates.

There is never an end to the amount of security work that needs to be done in order to keep your Exchange environment secure. However, the Exchange Server update process is constantly being reviewed by Microsoft in order to find ways to simplify it and make it more reliable.


Tags: Unpatched Exchange Servers


Nov 22 2022

How to hack an unpatched Exchange server with rogue PowerShell code

Category: Hacking, Security patching | DISC @ 11:01 am

Just under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange.

As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082:

[were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.

The first vulnerability was reminiscent of the troublesome and widely-abused ProxyShell security hole from back in August 2021, because it relied on dangerous behaviour in Exchange’s Autodiscover feature, described by Microsoft as a protocol that is “used by Outlook and EAS [Exchange ActiveSync] clients to find and connect to mailboxes in Exchange”.

Fortunately, the Autodiscover misfeature that could be exploited in the ProxyShell attack by any remote user, whether logged-in or not, was patched more than a year ago.

Unfortunately, the ProxyShell patches didn’t do enough to close off the exploit to authenticated users, leading to the new CVE-2022-41040 zero-day, which was soon laconically, if misleadingly, dubbed ProxyNotShell.

Not as dangerous, but dangerous nevertheless

Tags: Exchange server, PowerShell code


Oct 11 2022

Move over Patch Tuesday – it’s Ada Lovelace Day!

Category: Security patching | DISC @ 9:30 pm

The second Tuesday of every month is Microsoft’s regular day for security updates, still known by almost everyone by its unofficial nickname of “Patch Tuesday”.

But the second Tuesday in October is also Ada Lovelace Day, celebrating Ada, Countess of Lovelace.

Ada was a true pioneer not only of computing, but also of computer science, and gave her name to the programming language Ada.

The Ada language, intriguingly, emerged from a US Department of Defense project aimed at “debabelising” the world of governmental coding, where every department seemed to favour a different language, or a different language dialect, making it more difficult, more expensive, and less reliable to get them to work together.

Ada Lovelace’s era

You might be surprised to find, given how strongly Ada’s name is associated with the beginnings of computer science, that she lived in the first half of the nineteenth century, long before anything that we currently recognise as a computer, or even a calculator, existed.

(Ada died of uterine cancer in 1852 at just 36 years old.)

But although computers in their modern sense didn’t exist in the 1800s, they very nearly did.

Here’s how it almost happened.

Charles Babbage, in the early 1800s, famously devised a mechanical calculating device called the Difference Engine that could, in theory at least, automatically solve polynomial equations of the sixth degree, e.g. by finding values for X that would satisfy:

aX^6 + bX^5 + cX^4 + dX^3 + eX^2 + fX + g = 0

The UK government was interested, because a device of this sort could be used for creating accurate mathematical tables, such as square roots, logarithms and trigonometric ratios.

And any machine good at trigonometric calculations would also be handy for computing things like gunnery tables that could revolutionise the accuracy of artillery at land and sea.

But Babbage had two problems.

Firstly, he could never quite reach the engineering precision needed to get the Difference Engine to work properly, because it involved sufficiently many interlocking gears that backlash (tiny but cumulative inaccuracies leading to “sloppiness” in the mechanism) would lock it up.

Secondly, he seems to have lost interest in the Difference Engine when he realised it was a dead end – in modern terms, you can think of it as a pocket calculator, but not as a tablet computer or a laptop.

So Babbage leapt ahead with the design of a yet more complex device that he dubbed the Analytical Engine, which could work out much more general scientific problems than one sort of polynomial equation.

Perhaps unsurprisingly, if regrettably in hindsight, the government wasn’t terribly interested in funding Babbage’s more advanced project.

Given that he hadn’t managed to build the mechanism needed for a much simpler equation solver, what chance did a giant, steam-powered, general-purpose computer have of ever delivering any useful results?

The European conference circuit

Tags: Ada Lovelace Day


Jul 28 2022

Critical Samba bug could let anyone become Domain Admin – patch now!

Category: Security patching | DISC @ 8:42 am

Tags: SAMBA


Dec 16 2021

Apple security updates are out – and not a Log4Shell mention in sight

Category: Log4j, Security patching, Security vulnerabilities | DISC @ 10:26 am

Amongst all the brouhaha about Log4Shell, it’s easy to forget all the other updates that surround us.

Not only is it Patch Tuesday (keep your eye on our sister site news.sophos.com for the latest on that score later in the day), but it’s also time to check your Apple devices, because Apple just pushed out a slew of its they-arrive-when-they’re-ready-and-don’t-expect-any-warning security patches.

The updated versions you’re looking for are:

As for iOS 14 and iOS 12, which are the official previous and pre-previous iPhone operating systems (in the same way that Big Sur and Catalina are the previous incarnations of macOS), there’s no sign of any updates for them.

Observant readers will notice that the URLs in the list above form an unbroken numeric sequence except for a gap at HT212977, so whether that’s a space left open for a delayed update for iOS 14 or not we can’t tell you, but we did notice that Apple’s main security noticeboard page, HT201222, still [2021-12-14T12:00Z] doesn’t mention the updates listed above.

In the past, we’ve noticed an apparent correlation between delayed updates for individual platforms and delayed listings on HT201222, but we have no idea whether that is coincidence rather than true correlation, or a desire on Apple’s part to hold off updating the central listing until all the new versions can be displayed in one go.

(Apple, as you know, has an official policy of saying as little as possible about updates and update cycles, so we shall have to wait and see.)

What about Log4Shell?


Tags: Apple Device Management, Apple security updates


Aug 17 2021

Fortinet FortiWeb OS Command Injection allows takeover servers remotely

Fortinet addresses a command injection vulnerability that can allow attackers to take complete control of servers running vulnerable FortiWeb WAF installs.

The vulnerability impacts Fortinet FortiWeb versions 6.3.11 and earlier; an authenticated attacker could exploit it to take complete control of servers running vulnerable versions of the FortiWeb WAF.

An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Experts pointed out that the flaw could be chained with an authentication bypass flaw (i.e. CVE-2020-29015) to allow an unauthenticated attacker to trigger the vulnerability.

The vulnerability was reported by the researcher William Vu from Rapid7.

“An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system,” reads the post published by Rapid7. “An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges.”

The flaw could allow an attacker to deploy a persistent shell, install crypto-mining software, or other malware families. If the management interface is exposed to the internet, an attacker could trigger the issue to reach into the affected network beyond the DMZ. Rapid7 researchers discovered fewer than three hundred devices exposing their management interfaces online. Remember that management interfaces for devices like FortiWeb should not be exposed online!
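The bug class Rapid7 describes, a configuration field spliced into a shell command, next to the pattern that removes it. This is a constructed illustration added here, not FortiWeb code: the `saml-config` tool, the `register_saml_server` helper and the allow-list pattern are invented stand-ins, and the safe path substitutes `echo` for the real tool so it runs offline.

```python
"""Shell-injection-prone name handling beside its hardened form.

Constructed example, not FortiWeb code. 'saml-config' is a hypothetical
configuration tool; 'echo' stands in for it so the safe path runs anywhere.
"""
import re
import subprocess
from typing import List

# A display name never needs shell metacharacters: allow-list the characters
# you expect rather than trying to deny-list backticks, $(), ; and friends.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")


def build_command_unsafe(name: str) -> str:
    """The bug pattern: user input formatted into a shell command string.

    If a string like this is handed to a shell (shell=True, os.system, system()),
    backticks or $(...) inside `name` are evaluated by the shell before the tool
    ever sees the name, with the privileges of the service that ran it.
    """
    return f"saml-config --name {name}"   # shown only to contrast; never executed here


def is_safe_name(name: str) -> bool:
    """True when the name contains only allow-listed characters."""
    return SAFE_NAME.fullmatch(name) is not None


def validate_name(name: str) -> str:
    if not is_safe_name(name):
        raise ValueError(f"rejected SAML server name: {name!r}")
    return name


def build_command_safe(name: str) -> List[str]:
    """Hardened form: validate first, then build an argv list so no shell parses it."""
    return ["saml-config", "--name", validate_name(name)]


def register_saml_server(name: str) -> str:
    """Run the (hypothetical) tool via argv, with 'echo' substituted for it.

    Passing a list with shell=False (the default) makes the name one literal
    argument even if it somehow contained metacharacters; validation has
    already rejected those anyway.
    """
    argv = build_command_safe(name)
    result = subprocess.run(["echo"] + argv[1:], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(register_saml_server("Corp IdP"))
    for candidate in ("Corp IdP", "idp`id`", "idp$(id)", "idp; id"):
        print(f"{candidate!r}: safe={is_safe_name(candidate)}")
```

Two layers, not one: the allow-list rejects anything unexpected at the edge, and the argv-list execution means that even a validation gap cannot turn a name into a second command. Either layer alone is weaker than both together.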


Tags: OS Command Injection


Apr 10 2021

April 2021 Patch Tuesday forecast: Security best practices

Category: Security patching | DISC @ 1:13 pm

Those of us in the security industry saw the need to identify and share incident and vulnerability information, but unfortunately ‘security through obscurity’ was often the approach taken – operations over protection. Fast forward to today, and whether you agree or disagree with the state of software security, we at least have the forums and infrastructure to address the issues at a working level.

The Forum of Incident Response and Security Teams (FIRST) is an international organization that provides best practices and assistance when dealing with a security incident. If an attack is underway, there is often strength in numbers for all those being exploited, and this is an avenue to share that information. If you come across a vulnerability in the software you are using on your systems, you have some options on how to handle it.

Many reported vulnerabilities are characterized under the Common Vulnerabilities and Exposures tracked in the National Vulnerability Database (NVD) maintained by MITRE. You should check here first to see if the issue is already reported. If it exists in the database, then the vendor is aware of the issue and should be working to correct it, though there is a level of confidentiality involved to prevent public disclosure and exploitation before a fix is available. While I mentioned FIRST and NVD, your company may have other reporting requirements, so check first.

In the news this week with their annual PWN2OWN 2021 competition, the Zero Day Initiative continues to discover new vulnerabilities that will need to be addressed. This is a valuable service that allows the vendors to fix the previously unknown issues, discovered by the security research experts, before they are publicly disclosed for open exploitation.

Like those experts, we have an obligation to take action on any vulnerabilities we may discover in performing our regular patch or IT activities. Take the time to see if the vulnerability has been reported and contact the vendor to see if it is a known issue. We all benefit in the long run.

April 2021 Patch Tuesday forecast: Security best practices


Feb 10 2021

Patch now to stop hackers blindly crashing your Windows computers

Category: Security patching, Windows Security | DISC @ 10:47 am

There were 56 newly-reported vulnerabilities fixed in this month’s patches from Microsoft, with four of them offering attackers the chance of finding remote code execution (RCE) exploits.

Remote code execution is where otherwise innocent-looking data that’s sent in from outside your network can trigger a bug and take over your computer.

Bugs that make it possible for booby-trapped chunks of data to trick your computer into executing untrusted code are much sought after by cybercriminals, because they typically allow crooks to break in and implant malware without popping up any “are you sure” warnings, without needing niceties like a username and a password, and sometimes without even leaving any obvious traces in your system logs.

With all of that in mind, the statistic “56 fixes including 4 RCEs” signals more than enough risk on its own to make patching promptly a priority.


Mar 09 2019

Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7

Category: Information Security, Security patching | DISC @ 11:54 am

Hot on the heels of disclosing a critical zero-day vulnerability in Chrome that was being exploited in the wild by attackers, Google has now uncovered another critical zero-day that is being used alongside it to take over Windows machines.

Source: Google Says Upgrade To Windows 10 After Critical Flaws Found In Chrome And Windows 7






Mar 01 2019

Did you hear the one about Cisco routers using strcpy insecurely for login authentication? Makes you go AAAAA-AAAAAAArrg *segfault*

Category: Hacking, Security patching | DISC @ 3:18 pm

RV110W, RV130W, RV215W need patching to close remote hijacking bug

Source: Did you hear the one about Cisco routers using strcpy insecurely for login authentication? Makes you go AAAAA-AAAAAAArrg *segfault*







Feb 18 2019

Windows 7 and Server 2008 Updates to Require SHA-2 Support Starting July

Category: Security patching | DISC @ 6:43 pm

Microsoft announced on its support website that future Windows 7 and Windows Server 2008 updates will require SHA-2 code signing support to be installed starting with July 16, 2019.

Source: Windows 7 and Server 2008 Updates to Require SHA-2 Support Starting July






Jan 22 2019

Businesses can safely delay patching most vulnerabilities

Category: Information Security, Security patching | DISC @ 8:38 am

Patching vulnerabilities is often seen as a key element of keeping systems secure. But a new report suggests businesses could be ‘smarter’ in their patching regimes and prioritize the i


Source: Businesses can safely delay patching most vulnerabilities

🔒 securing the business 🔒

DISC InfoSec