John Pescatore – SANS Director of Emerging Security Trends
Patching Over VPNs After Microsoft’s Voluminous “Vulnerability Tuesday”
This week’s Drilldown will focus on one item (included below) from NewsBites Issue 64 and the enormous amount of patching driven by August’s Microsoft Vulnerability Tuesday--and specifically the issues involved in patching devices used by a remote/work-from-home (WFH) workforce over VPN connections.
Despite advances over the years, patching Microsoft Windows-based computers is still a tricky business. Making matters even worse, a record-breaking number of vulnerabilities being discovered in Windows has forced Microsoft to release huge numbers of patches each month.
It is hard to find meaningful statistics on what percentage of enterprise patch distribution efforts fail, but for LAN-connected, always-on PCs, it seems like between 5% and 20% of PCs that downloaded patches don’t end up actually patched--even though the IT statistics might show 100%. There are a variety of reasons for this; organizations that have more mature configuration management processes and newer computers with more disk and volatile memory see higher levels of success.
However, intermittently or marginally connected devices have even higher patch fail rates. With a high percentage of the workforce working from home, patch failures will be higher than when user devices were always connected to the LAN and always on. Most home users will be on shared home wireless networks that will have connectivity that is less reliable than at the office.
The choice of remote access approach can also increase the patch failure rate. Many remote access approaches drop the VPN connection after a time-out with no user input, which can interrupt update downloads. Some organizations allow split tunneling, some don’t. The complexities of DNS and address caching can cause patch system connections to fail in both scenarios. To help you think through them, Microsoft has published a pretty good description of these issues.
Do you know what your patch failure rate was before WFH? Do you know what it is now? Enterprises should check patch success rates over all forms of remote access to get back to the same levels of up-to-date patches whether devices are LAN connected or VPN connected.
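One way to answer the two questions above is to compare what the patch console reports against what is actually installed, broken out by how each device connects. The script below is an added example, not SANS or Microsoft code; it runs over a constructed inventory export and the KB identifiers in it are placeholders, not real August 2020 update ids.

```python
"""Patch success rate by connection type: console claim vs. verified state.

Added example (not from the SANS post). Assumes an inventory export where each
record carries the patch console's status ("downloaded"/"installed") plus the
set of updates an independent check actually found on the device.
"""
from collections import defaultdict

# Constructed sample for one patch cycle; KB ids are placeholders.
REQUIRED_KBS = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}

INVENTORY = [
    {"host": "lan-01", "link": "lan", "console": "installed",  "kbs": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}},
    {"host": "lan-02", "link": "lan", "console": "installed",  "kbs": {"KB-PLACEHOLDER-1"}},  # console says done, one KB missing
    {"host": "lan-03", "link": "lan", "console": "installed",  "kbs": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}},
    {"host": "vpn-01", "link": "vpn", "console": "installed",  "kbs": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}},
    {"host": "vpn-02", "link": "vpn", "console": "downloaded", "kbs": set()},  # VPN dropped before install ran
    {"host": "vpn-03", "link": "vpn", "console": "installed",  "kbs": {"KB-PLACEHOLDER-2"}},
    {"host": "vpn-04", "link": "vpn", "console": "installed",  "kbs": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}},
]


def verified_ok(record):
    """True only if every required update is actually present on the device."""
    return REQUIRED_KBS <= record["kbs"]


def success_rates(inventory):
    """Per connection type: the rate the console claims vs. the verified rate."""
    totals = defaultdict(lambda: {"n": 0, "console_ok": 0, "verified_ok": 0})
    for rec in inventory:
        t = totals[rec["link"]]
        t["n"] += 1
        t["console_ok"] += rec["console"] == "installed"
        t["verified_ok"] += verified_ok(rec)
    return {link: {"console_rate": t["console_ok"] / t["n"],
                   "verified_rate": t["verified_ok"] / t["n"]}
            for link, t in totals.items()}


def silent_failures(inventory):
    """Hosts the console marks installed but that still lack a required update."""
    return sorted(r["host"] for r in inventory
                  if r["console"] == "installed" and not verified_ok(r))


if __name__ == "__main__":
    for link, rates in success_rates(INVENTORY).items():
        print(f"{link}: console {rates['console_rate']:.0%}, verified {rates['verified_rate']:.0%}")
    print("silent failures:", silent_failures(INVENTORY))
```

Feeding it real console and endpoint data gives the before/after WFH comparison the post asks for, and the silent-failure list is the set of devices where the 100% dashboard figure is wrong.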
Patch Tuesday: Microsoft: Two Actively Exploited (incl. IE) and File Validation
(August 11 and 12, 2020)
On Tuesday, August 11, Microsoft released updates to address at least 120 vulnerabilities in Windows and other products and services. Two of these flaws are being actively exploited: a memory corruption vulnerability in the scripting engine in Internet Explorer and a spoofing flaw in Windows file validation that could be exploited to bypass security features.
[Pescatore] I really like The Register’s excellent headline, but I will add one thing: A lot of VPN approaches only support connectivity back to corporate data centers when the user has initiated the VPN and it hasn’t timed out. Other VPN approaches that are always on don’t handle intermittent or low-speed home internet connections very well. Patch success rates for those sporadically connected devices are always lower than LAN-connected or always-on VPN approaches on solid remote connections. Checking to make sure that remote laptops are up to date with patches is worth extra attention on this patch-filled vacation/holiday month.
[Neely] As IE is being actively exploited, it may also be time to change the default browser. Consider limiting IE through the perimeter to reduce the likelihood of interaction with malicious sites. While you're busy queueing up application of this month’s suite of patches, take a check of your backup system to make sure you’re covered in case something goes wrong.
[Murray] This is the third Patch Tuesday in a row when the number of vulnerabilities addressed exceeded 100. One does not know whether to credit Microsoft for its diligence or condemn it for the quality of its code. Suffice it to say that the next Patch Tuesday will address far more than zero vulnerabilities and most of them will be older than a month. While patching is mandatory, one cannot patch one's way to security. Use least privilege access control at all layers, internal firewalls, strong authentication, structured networks, and end-to-end application layer encryption to reduce your attack surface and hide potentially vulnerable processes. While I still do not like the expression "zero trust," it is an old idea whose time has come.
Read more in:
KrebsOnSecurity: Microsoft Patch Tuesday, August 2020 Edition
The Register: We spent way too long on this Microsoft, Intel, Adobe, SAP, Red Hat Patch Tuesday article. Just click on it, pretend to read it, apply updates
Duo: Microsoft Patches Zero Days Used in Targeted Attacks
Threatpost: Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Ars Technica: 0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
Dark Reading: Microsoft Patches 120 Vulnerabilities, Two Zero-Days
SC Magazine: Microsoft patches 2 actively exploited zero-day flaws
ZDNet: Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Bleeping Computer: Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws
MSRC: Security Update Summary