Executive Summary – Microsoft released a total of 10 bulletins, most of which are rated critical and most of those can allow an attacker full access to a vulnerable computer remotely (remote code execution, or RCE). Once again, the first two bulletins address vulnerabilities in Internet Explorer and Edge (Edge is supposed to be a completely separate product from Internet Explorer, but the two seem to share a lot of similar vulnerabilities). Adobe has patched an impressive 81 vulnerabilities in it’s product line (including Acrobat, Reader and Flash, most notably) with several of those listed as critical with successful exploitation leading to remote code execution.
Microsoft – Microsoft released 10 bulletins this month (MS16-118 through MS16-127). Six of the 10 are rated critical, one is rated moderate (information disclosure) and the remaining three are rated important (privilege escalation) by Microsoft. Once again, the first two bulletins (both critical) address remote code execution vulnerabilities in Internet Explorer and Microsoft Edge, begging the question once again of just how much code do Internet Explorer and Edge share. Like last month, many of the CVE’s patched have an exploitability rating of 1 but, unlike last month, exploits are available for vulnerabilities in MS16-118, MS16-119, MS16-120 and MS16-121.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are catagorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critial, it’s important that the updates are installed.
Additional details are available Microsoft Here, Threatpost and Here (SANS) .
Adobe – Adobe patched a whopping 81 vulnerabilities this month including 71 between Adobe Acrobat and Adobe Reader (expect a deluge of malicious PDF attachments). Vulnerabilities in Adobe Flash player were also patched. The patched vulnerabilities range from information disclosure all the way to remote code execution.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation. Additional information is available here (Threatpost).
Java – The latest version of Java is 8 update 101, with no updates released since last month. If you’ve got older versions, especially versions that start with 6 or 7, remove them. Also, we’re still seeing that the installation of newer versions of Java don’t remove the older (often vulnerable) versions so, while you’re installing the latest update, check for older versions that may still be there.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – The con season is over for us for the year and it’s time to get back to work. There’s no shortage of InfoSec in the news (500 million + accounts at Yahoo!, massive DDoS attributed mostly to the IoT and a significant breach of ePHI by a Georgia HIPAA Covered Entity Peachtree Orthopedics that’s sure to get interesting before it’s all over), but I want to make one point with this post and hope that it sinks in. The first step in any attack is intelligence gathering, finding everything you can about a target (including weaknesses and vulnerabilities but also employee names, trade partners, work schedules, etc.) to plan the attack. This may be a web site / server, email server, webmail login, web portal for a vendor or bank, VPN connection back to your office (or worse, exposed Remote Desktop Connection) or what time employees step outside for a smoke break (and who those employees are). Having the same information as a potential attacker and understanding where your organization is weak can make the difference in being notified of an attack or potential breach by a control that you have in place or on the nightly news. If you would like more information on how to identify potential vulnerabilities in your organization and how to implement controls to address them, let us know.
Piratica is a risk management firm and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals.. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter or via our free weekly email newsletter (signup available on our website here).
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.