Executive Summary – Microsoft released a total of 12 bulletins, half of which are rated critical and most of those can allow an attacker full access to a vulnerable computer remotely (remote code execution, or RCE). As has been the theme of 2016, the first two bulletins address vulnerabilities in Internet Explorer and Edge (Edge is supposed to be a completely separate product from Internet Explorer, but the two seem to share a lot of similar vulnerabilities). Adobe has patched a handful of vulnerabilities in it’s product line (including Acrobat, Reader and Flash, most notably) with several of those listed as critical with successful exploitation leading to remote code execution.
Microsoft – Microsoft released 12 bulletins this month (MS16-144 through MS16-155). Six of the 12 are rated critical and the remaining are rated important (privilege escalation) by Microsoft. Once again, the first two bulletins (both critical) address remote code execution vulnerabilities in Internet Explorer and Microsoft Edge, begging the question once again of just how much code do Internet Explorer and Edge share. Like previous months, a good portion of the CVE’s patched have an exploitability rating of 1, and this month we are also seeing a number of the vulnerabilities reporting as having existing exploits and are being used in the wild.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critcial, it’s important that the updates are installed.
Additional details are available Microsoft, Here, and Here (ThreatPost).
Adobe – Adobe patched a total of 31 vulnerabilities this month including a particularly nasty zero-day vulnerability in Adobe Flash Player that Adobe reported is actively being used in targeted attacks against Internet Explorer users. Vulnerabilities in many other Adobe products were also patched. The patched vulnerabilities range from information disclosure all the way to remote code execution.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation. Additional information is available here (Threatpost).
Java – The latest version of Java is 8 update 111, with no updates released since October 18th of this year. If you’ve got older versions, especially versions that start with 6 or 7, remove them. Also, we’re still seeing that the installation of newer versions of Java don’t remove the older (often vulnerable) versions so, while you’re installing the latest update, check for older versions that may still be there.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here, and here.
Security News, Sponsored by Piratica – As is becoming common place in our world today, there is no lack of InfoSec news to fill your daily feed. This month we learned of another breach on Yahoo, this time more than doubling the number of leaked accounts (reports are in the 1 Billion + range….yes Billion with a B, making this the largest known breach to date), the CIA and other US Intelligence agencies attributed the DNC email leak and possibly other “election related” attacks to the Russian government (though it is worth noting they are confident that the integrity of the voting system was not compromised in any way), and malware found in APK files available from third party Android app stores has led to over 1 million + Google accounts being compromised (another reason to always get your apps from the official app store of your mobile OS). As always, you can read more on these stories by following the links or visiting the Piratica blog (linked below).
Piratica is a risk management firm and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals.. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter or via our free weekly email newsletter (signup available on our website here).
Finally, Cyber Tech Cafe and Piratica want to wish everyone a safe and merry holiday season this year.
We will be CLOSED on Monday December 26th for a holiday break, for emergency issues please follow our standard emergency process and we will respond as usual.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.