What’s New
- October is National Cyber Security Awareness Month – We should observe security best practices year round, but October is National Cyber Security Awareness Month and is a good time to take a look at what we’re doing right, what we’re doing wrong and what we can do better from an InfoSec / NetSec / OpSec standpoint. Additional information is available here.
- Windows 10 – Most of you have heard about, many have signed up for and some have installed Microsoft’s new version of Windows, Windows 10. We have been testing Windows 10 for several months in preparation for the release and can support it, but our position on new Windows releases has not changed. If you have a business or other *requirement* pushing you to upgrade, do so in a planned / controlled fashion and test, test, test before installing into a production environment. Our standard approach has always been to wait until the release of Service Pack 1, but Windows 10 changes this a bit with its rolling updates approach (feature updates arrive continuously rather than as service packs). Windows 7 will still be supported (extended support) until 14 January 2020 so, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 in production until a specific need to upgrade arises.
Updates
Executive Summary – There are critical updates for a number of Microsoft products, Adobe Flash Player and Adobe Reader this month. Perhaps the best write-up that I’ve seen on this month’s Microsoft updates is from Rapid7, which simply states that this month is dominated by remote code execution.
Microsoft – Microsoft released 6 bulletins this month (MS15-106 through MS15-111). Three of the bulletins are rated Critical by Microsoft and all three address vulnerabilities that could lead to remote code execution. A fourth bulletin, rated Important (MS15-110), affects Microsoft Office and could also lead to remote code execution. In addition to the four remote code execution issues, there’s an elevation of privilege bulletin (MS15-111) in the mix. SANS has four of the bulletins listed as critical, with exploitability ratings ranging from four down to zero. Several of the updates require a reboot to complete, so plan for that.
Microsoft releases regular updates on the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product, from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is rated Important or Critical, it’s important that the updates are installed.
Additional details are available from Microsoft here and from SANS here.
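Two quick checks that go with the Patch Tuesday cycle above: work out which day this month’s Patch Tuesday falls on, list the hotfixes installed since then, and confirm whether a reboot is still pending. This is an added example written for this post, not Microsoft’s or Cyber Tech Cafe’s own tooling; it assumes Windows 7 / Server 2008 R2 or later with PowerShell, and the two registry keys it tests are the ones Windows Update and component servicing create when a restart is outstanding.

```powershell
# Added example: Patch Tuesday date, hotfixes installed since, and pending-reboot check.
# Assumes Windows 7 / Server 2008 R2 or later with PowerShell 2.0+.

function Get-PatchTuesday {
    param([datetime]$Date = (Get-Date))
    # Start at the first of the month, advance to the first Tuesday, then add a week.
    $first  = (Get-Date -Year $Date.Year -Month $Date.Month -Day 1).Date
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

$patchTuesday = Get-PatchTuesday
Write-Host "Patch Tuesday this month: $($patchTuesday.ToShortDateString())"

# Hotfixes installed on or after Patch Tuesday. InstalledOn is blank on some
# entries, so those are filtered out rather than compared against $null.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# Reboot still required? Both keys are created by Windows Update / servicing
# when a restart is outstanding and removed once the machine has restarted.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$pending = $rebootKeys | Where-Object { Test-Path $_ }
if ($pending) {
    Write-Warning "Reboot pending: $($pending -join ', ')"
} else {
    Write-Host "No reboot pending."
}
```

Run it in an elevated PowerShell session after the updates have applied. An empty hotfix list on a machine that should have patched, or a pending reboot that nobody scheduled, is exactly the kind of gap that leaves a critical RCE fix installed but not yet effective.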
Adobe – There are two updates from Adobe this month, APSB15-24 and APSB15-25, affecting Adobe Reader and Adobe Flash Player respectively. The Reader bulletin is specific to Windows and Mac, but the Flash Player bulletin also covers Linux, Chrome OS, Android and iOS. Both updates address vulnerabilities rated Critical by Adobe. Additional details are available from Adobe here.
Like Microsoft, Adobe now releases updates to its products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in its products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe here, including links to download the update(s) and instructions for installation.
Java – Java is still sitting at Java 8 Update 60, with no updates since August. It’s also worth checking that you do not have any older (vulnerable) versions of Java installed on your computer. In Windows, you can check this by going to Add / Remove Programs (Programs and Features on Windows 7 and later) and looking for older versions.
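The Programs and Features list is fine for one machine; across a fleet it is quicker to read the same uninstall entries from the registry. The script below is an added example for this post, not Oracle’s or Cyber Tech Cafe’s own tooling. It assumes that Java installers register under the standard Uninstall keys (both the native and the Wow6432Node view on 64-bit Windows), that their DisplayVersion parses as a dotted version (Java 8 Update 60 records itself as 8.0.600.x), and that 8.0.600 is the current release, which is the value you would bump as Oracle ships new updates.

```powershell
# Added example: find every Java install in the uninstall registry keys and flag
# anything older than the current release. Assumes DisplayVersion values like
# "8.0.600.27" (8u60) or "7.0.510" (7u51); $current is the assumed current version.

$current = [version]'8.0.600'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$java = foreach ($key in $uninstallKeys) {
    Get-ItemProperty $key -ErrorAction SilentlyContinue |
        # "Java Auto Updater" carries its own 2.x version number, so skip it.
        Where-Object { $_.DisplayName -match '^Java' -and $_.DisplayName -notmatch 'Auto Updater' } |
        ForEach-Object {
            try   { $ver = [version]$_.DisplayVersion }
            catch { $ver = $null }   # unparseable version: report it, don't judge it
            New-Object PSObject -Property @{
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Outdated = ($ver -ne $null -and $ver -lt $current)
                Key      = $_.PSPath
            }
        }
}

if (-not $java) {
    Write-Host "No Java installs found."
} else {
    $java | Sort-Object Version | Format-Table Name, Version, Outdated -AutoSize
    $old = @($java | Where-Object { $_.Outdated })
    if ($old.Count -gt 0) {
        Write-Warning ("{0} outdated Java install(s) found; remove them via Programs and Features." -f $old.Count)
    }
}
```

Java updates do not always remove the previous version, so a machine can report 8u60 and still carry a vulnerable 7uXX alongside it; the Outdated column is what to act on, and if a host has no business need for Java at all, removing every entry is the simplest fix.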
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – If nothing else, the past month has been a reminder of the need for and importance of user education as a part of the InfoSec process. We’ve spent so much time and money focusing on the shiny boxes with blinky lights that are supposed to protect all of the things that we’ve overlooked the human entirely, in many cases. Two quick examples from the past 30 days, both of which should have failed but didn’t. First, the auto mechanic. I took my wife to get her car worked on and struck up a conversation with the lady at the counter about what I do (break things). She was fascinated and, when she asked about how I did it, I admitted that a majority of the time it was by tricking people into doing things that they shouldn’t do. She didn’t seem to believe me and ultimately the conversation changed course. Just before it was time for us to leave, I checked my watch and, in a bit of a panic, pulled a USB disk out of my pocket. I told her that I was going to be late for a meeting and wasn’t going to have time to print my notes and asked if she could print them. She thought about it for a moment but finally relented and reached for the disk. I didn’t give it to her (it’s benign, it just opens Notepad and writes that it could have done something horrible and that it’s a bad idea to stick unknown devices into your computer) but she immediately recalled our earlier conversation. Second, the presentation. I was asked to give a presentation for an organization on security and how important it is for everyone in an organization to be aware of security risks and the roles they could play in mitigating them. While waiting for my turn to talk, I was chatting with random folks and a lady that was sitting at, presumably, her desk. She saw me wave to her boss and then she and I started talking (She had never met me and had no idea why I was there, but saw me wave at her boss, who waved back, so I was in.).
I then told her that I was supposed to speak shortly and that I had just realized I had forgotten my notes and asked if she could print them. She quickly offered to help but, again, I didn’t give her the [benign] USB disk. In both cases, it would have been trivial for an attacker to have gotten a payload onto a workstation and then simply disappeared into the crowd or walked away, and it reinforced the point that, on the Blue Team, we’re missing the mark when it comes to educating users on their importance in the overall security of our networks. The perimeter is gone and maintaining the security (confidentiality, integrity and availability) of our infrastructure is now a responsibility that we all share (or should). I suspect that at least two networks are slightly more secure than they were 30 days ago.
Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on the website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.