- Hacker Playdate – We’re still ironing out a few details but the next Hacker Playdate is scheduled for 23 January 2016. Expect additional details soon.
- Windows 10 – We are seeing a LOT of folks who are installing Windows 10 ‘accidentally’. Two very important things to note on this are that you have 30 days from the time you do the upgrade to revert back to the previous version of Windows and that Windows 7 will still be supported until 14 January 2020. That said, unless you *need* to upgrade to Windows 10 (your software / hardware vendors require it), we recommend sticking with Windows 7 until a specific need to upgrade arises for production environments.
Executive Summary – An appropriate theme for this month would be everyone is patching everything because, apparently, everything is broken. Microsoft released 71 updates this month. Adobe, not to be outdone, has released 79. Apple, apparently wanting to get in on the Patch Tuesday madness, has decided to patch ‘everything’ (according to SANS). Some particularly interesting things about the updates are that 3 of the Microsoft updates apparently address vulnerabilities that are being actively exploited in the wild and, according to some early reports, one of the Microsoft updates breaks Outlook, so I suspect a lot of folks with automagic updates enabled will have some email problems shortly (I expect more on this in the next few days).
Microsoft – Microsoft released 12 bulletins this month (MS15-124 through MS15-135). Eight of the bulletins are rated as critical by Microsoft and all 8 address vulnerabilities that could lead to remote code execution. The remaining 4 were rated by Microsoft as important and addressed vulnerabilities that ranged from privilege escalation to remote code execution. The summary from SANS has 10 of the 12 bulletins listed as critical and notes that an exploit is available for MS15-135 (CVE-2015-6175). Several of the updates will require a reboot to complete the update.
It’s noted in the SANS article but MS15-127 looks particularly nasty, since DNS is an integral part of any Active Directory deployment and, according to the information available so far, the exploit can be triggered via a remote DNS query (especially worrisome if the DNS server is exposed to the Internet).
Microsoft releases regular updates on the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Additional details are available Here (Microsoft), Here (SANS) and Here (Threatpost).
Adobe – Not to be outdone by Microsoft, Adobe has patched a total of 79 vulnerabilities with their December update. On a positive side though, Adobe noted that none of the vulnerabilities are being exploited publicly (yet).
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation.
Java – Java quietly jumped from Java 8 u65 to 8 u66 this month. Looking through the release notes, I didn’t see anything major but would recommend installing the update after testing. Also, it’s worth checking to make certain that you do not have any older (vulnerable) versions of Java installed on your computer. In Windows, you can check this by going to Add / Remove Programs and looking for older versions.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – Black Friday, Cyber Monday, the holiday shopping season is officially on. With activity at a fever pitch both online and at brick and mortar shoppes, it’s easier than ever for the bad guys to work their craft against unsuspecting targets. Many vendors are working hard this year to make certain that they aren’t in the news as the next massive data breach, but there are things that you can do to further safeguard your personal information, credit card information, etc. This is by no means an exhaustive list but will hopefully get you thinking in the right direction.
- Beware of fake shopping sites. Before you enter any information, verify that the site that you’re looking at is the site that you’re on. A quick and easy way to do this is to look in the address bar (it should start with https://) to make sure that if, for example, you’re looking at www.amazon.com the address reflects that (and not something like amazon.com.fakesite.ru or similar).
- After you’ve confirmed that the site that you’re looking at actually is the site that you’re on, confirm that the site is encrypted. In most web browsers, this means a green ‘lock’ icon in the address bar. If you click on the lock, you can confirm the name of the company that purchased the certificate.
- Beware of phishing emails tempting you to click on malicious links or open malicious attachments. As a general rule, don’t click on links in emails and don’t open attachments from emails. If you get a link or an attachment that you believe is legitimate, contact the sender (directly, not via reply) to confirm that that’s what they sent.
- Keep an eye on trusted sites like US CERT for updated information on the latest scams.
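The address bar check from the first bullet can also be done mechanically, for example when triaging links reported by users. The sketch below is an added example, not something from the original newsletter; the function names and the sample URLs are constructed for illustration, and `amazon.com` is used only because it is the example domain above.

```python
from urllib.parse import urlsplit

def check_url(url: str, expected_domain: str) -> str:
    """Classify a URL against the domain the shopper intends to visit.

    Returns "ok", "not-https", "host-mismatch" or "unparseable".
    """
    try:
        parts = urlsplit(url.strip())
        # .hostname is lowercased and excludes any user@ prefix and :port,
        # so "https://www.amazon.com@fakesite.ru/" yields "fakesite.ru".
        host = parts.hostname
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    if parts.scheme != "https":
        return "not-https"
    host = host.rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    # Compare from the right-hand side: the real domain must be the END of
    # the host name, preceded by a dot, not merely appear somewhere in it.
    if host == expected or host.endswith("." + expected):
        return "ok"
    return "host-mismatch"

# Constructed sample links (not taken from any real campaign).
SAMPLE_URLS = [
    "https://www.amazon.com/gp/cart",
    "https://amazon.com.fakesite.ru/login",
    "https://www.amazon.com@fakesite.ru/",
    "https://notamazon.com/",
    "http://www.amazon.com/",
]

def triage(urls, expected_domain):
    """Map each URL to its verdict."""
    return {u: check_url(u, expected_domain) for u in urls}

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS, "amazon.com").items():
        print(f"{verdict:14} {url}")
```
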
Piratica is an operational security company that works with client organizations to identify potential security vulnerabilities through vulnerability assessments, penetration tests and red / blue team exercises. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on the website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.