What’s New
- Hacker Playdate – It’s a little early but, with the upcoming holidays, the next Hacker Playdate will be on us before you know it. We will be announcing more details in the December newsletter but the next Hacker Playdate is scheduled for 23 January 2016.
- Windows 10 – Most of you have heard about, many have signed up for and some have installed Microsoft’s new version of Windows, Windows 10. We have been testing Windows 10 for several months now in preparation for the release and can support it but our position has not changed regarding new Windows releases. If you have a business or other *requirement* pushing you to upgrade, do so in a planned / controlled fashion and test, test, test before installing into a production environment. Our standard approach has always been to wait until the release of Service Pack 1 but Windows 10 is changing this a bit with it’s rolling updates approach. Windows 7 will still be supported until 14 January 2020 so, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 until a specific need to upgrade arises for production environments.
Updates
Executive Summary – This month brings updates from Microsoft, Adobe and Java with vulnerabilities patched from Microsoft and Adobe that could lead to remote code execution. Even with the large number of critical vulnerabilities being patched and the fact that most (if not all) could lead to the remote code execution (RCE), that wasn’t the big news. The big news was a bit of slight of hand by Microsoft with KB3097877. The short story is that Microsoft released the update (KB3097877), then quietly re-released a new update with the same KB number. The original KB3097877 reportedly caused Microsoft Outlook to crash and ‘other issues with Windows’. This is an excellent example of why it’s a bad idea to install updates the second / day that they’re available (i.e., blindly enable automatic updates).
Microsoft – Microsoft released 12 bulletins this month (MS15-112 through MS15-123). Four of the bulletins are rated as critical by Microsoft and all 4 address vulnerabilities that could lead to remote code execution. The remaining 8 were rated by Microsoft as important and addressed vulnerabilities ranging from information disclosure to remote code execution. SANS has 5 of the vulnerabilities listed as critical with exploitability ratings ranging from 4 to 1 but lists MS15-112 as 1 ‘and higher’. As of the time of this post, there are no known vulnerabilities listed by SANS. Several of the updates will require a reboot to complete the update.
As I noted briefly in the executive summary, the big news this month with the Microsoft updates wasn’t the number of updates or the fact that there were 4 were critical and could lead to remote code execution (2 of which were in Internet Explorer and Edge, which presents a nice target for drive by download attacks) but the fact that Microsoft released an update (KB3097877) and, when it began having problems, fixed it (sortof) and then re-released it with the same KB. Additional details on this little gaff are available here and here. The take-away from this should be that it’s still a really bad idea to just blindly install updates (by turning on or leaving on automatic updates).
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are catagorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critial, it’s important that the updates are installed.
Additional details are available Microsoft Here and Here (SANS).
Adobe – Once again, November was a big month for Adobe, releasing patches to update 17 vulnerabilities that could lead to remote code execution. For those keeping score, we had the fallout from the Hacking Team breack in July / August (and September, sort-of), an emergency out-of-band update last month and 17 vulnerabilities this month. I suspect that Adobe is a busy place right now. Additional information on this months patches are available here.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation.
Java – Java quietly jumped Java 8 u60 to 8 u65 this month. Looking through the release notes, I didn’t see anything major but would recommend installing the update after testing. There was a good bit of activity in the Java / Oracle camp over the Apache Commons vulnerability so, if you’ve got any of the middleware noted in the article, some updates may be a good plan. Also, it’s worth checking to make certain that you do not have any older (vulnerable) versions of Java installed on your computer. In Windows, you can check this by going to Add / Remove Programs and looking for older versions.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – Experience has taught me a couple of things. First, stay away from the shiny boxes with the blinky lights during penetration tests. Second, there’s really no need to tinker with the shiny boxes with blinky lights if there are humans involved, anywhere. We generally have ‘flags’, or golden eggs, that we have to find / capture / etc. and the success of our team (or the success of the opposing Blue Team) is often gauged by our ability to gather these flags. Getting these flags can often be broken down into two simple steps. Step one, get inside the network (past the shiny boxes with blinky lights). This is rarely a privileged account (administrator, system, root, sa, etc.) and rarely has direct access to the flags (the golden egg). The second step then is to use that account to get an elevated account that does have access to the flags and one of the first things that I do to accomplish this is to do a search for the string ‘password’. Believe it or not, this is often all it takes. That network share that everyone has access to, buried deep in that share will be a passwords.txt, passwords.docx, passwords.csv, passwords.xls or something like security.txt, security.docs, security.csv or similar that contains a field ‘password’ (usually also contains a field for ‘username’, ‘name’, etc.). Sometimes this is a password-protected file, which is a 5 to 10 minute delay to either guess, brute force, social engineer or otherwise defeat that password and we’re good to go. Another favorite is the Administrative Assistant. I hadn’t really put it together until I heard it in a talk at Defcon but, often the Administrative Assistant will have a text document, spreadsheet, etc. that has not just usernames and passwords but also credit card numbers (with the CVV code, address and expiration dates), frequent flyer accounts, pet names, mother’s maiden names and more. The take away here, hopefully, will be that the reader looks for these caches of golden eggs and takes some action. That action may be encrypting the same files with something like Veracrypt or it may be rolling out something like Keepass. Ideally though, some action is taken to make it more difficult for an attacker or other threat actor than a simple search for the word ‘password’.
Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on the website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.