Executive Summary – 2017 is starting out with a relatively low number of updates with only four bulletins from Microsoft (Edge, Office and Windows [LSA]) and two updates from Adobe (Flash, Acrobat & Reader) but all resolve issues that could allow an attacker full access (remote code execution or RCE) to vulnerable systems.
Microsoft – Microsoft released 4 bulletins this month (MS17-001 through MS17-004). The bulletins affect Microsoft Edge (oddly enough, nothing mentioned about Internet Explorer), Microsoft Office, Adobe Flash and an internal component of Windows called LSA (Local Security Authority). The bulletins for Microsoft Office and Adobe Flash Player are rated critical and allow remote code execution (RCE) and the bulletins for Microsoft Edge and LSA are rated important allowing privilege escalation and denial of service respectively. Multiple restarts will be required for these updates and it looks like, currently, the bulletins cover about 17 CVE’s with exploitability ratings between 1 (exploitation likely) and 2 (exploitation less likely).
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critcial, it’s important that the updates are installed.
Additional details are available Microsoft, Here, and Here (SANS).
Adobe – Adobe released two updates affecting Adobe Flash Player, Adobe Acrobat and Adobe Reader to get 2017 started. The Flash update addresses 13 vulnerabilities (12 of which enable RCE) and the Adobe Acrobat and Reader update addresses 29 vulnerabilities (28 of which enable RCE). Google and Microsoft last month announced that they will be accelerating the deprecation of Flash in Chrome and Edge in an attempt to push users (and developers) to less vulnerability laden HTML5 alternatives.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation. Additional information is available here (Threatpost).
Java – The latest version of Java is 8 update 111, with no updates released since October 18th of this year. If you’ve got older versions, especially versions that start with 6 or 7, remove them. Also, we’re still seeing that the installation of newer versions of Java don’t remove the older (often vulnerable) versions so, while you’re installing the latest update, check for older versions that may still be there.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here, and here.
Security News, Sponsored by Piratica – If 2016 is any indication of what’s to come, 2017 is going to be an interesting year. I’m generally not one for predictions but there are a few that I think are probably safe to make. First, ransomeware seems to be working very well (for the criminals) and will continue to evolve and plague the Internet. One recent evolution is that attackers are moving from encrypting files to encrypting databases, significantly increasing the visibility of the attack and the motivation for the victim to pay up. Second, as a result of the success of ransomware, the crimeware-as-a-service frameworks like Avalanche will continue to grow in popularity, complexity and demand. Third, I believe that 2017 will be the year that we start to see the demise of the password as the primary and / or only means of authentication in favor of technologies like the Yubikey and U2F as the technologies continue to get cheaper, easier and more secure. I could be wrong and it will be interesting to look back at this post in January 2018 but, for now, that’s my story and I’m sticking to it.
2016 was an incredible year for Piratica, taking us from the southeastern United States to Alaska and several . I want to take this opportunity to say thank you to all of the people (clients, partner companies, etc.) who made it possible and that I’m looking forward to even bigger and better things in 2017.
Piratica is a risk management firm and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals.. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter or via our free weekly email newsletter (signup available on our website here).
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.