Microsoft, Adobe, WordPress Issue Critical Patches -- Enterprises Falling Behind On Installing Them

In the current environment, two important points: (1) The NewsBites item last week about Rapid7 discovering over 80% of Microsoft Exchange servers had not installed a February critical patch indicates that IT operations may not be focusing on server patching while IT staff is working from home, and (2) Employees working at home from their own PCs should be reminded to make sure auto update is on and that these mega-patch releases are being successfully installed.

John Pescatore

Microsoft moved away from SMBv1 and introduced SMBv2 to reduce some of the attack surface created by many no-longer-used legacy features. In SMBv3, Microsoft started adding features like compression but apparently didnt learn from past mistakes and ended up with now three vulnerabilities that can be devastating if combined. In the end, the old rule still applies: Never allow SMB to pass your perimeter, and closely monitor SMB traffic internally. In March, we had SMBGhost (CVE-2020-0796). SMBGhost is a remote code execution vulnerability, but it is difficult to exploit, and it took until May for a working PoC exploit to be released publicly. This month, Microsoft patched another vulnerability in the exact same feature of SMBv3. SMBleed (CVE-2020-1206) sounds less severe at first, only allowing for information disclosure. But the information disclosed is Kernel memory, and paired with SMBGhost for privilege escalation, SMBleed can lead to devastating attacks. And finally, yes, we got another RCE in SMBv1 (SMBLost, CVE-2020-1301). But SMBv1 should have been disabled a long time ago.

Johannes Ullrich

On the heels of making sure the patch for SBMGhost was applied, MS releases added SMB fixes. While SMB is contained within the traditional corporate perimeter, the current work environment may not be as well contained, so timely patching is essential. As John reminds us, our environment is further complicated by personally owned systems which also need to be kept updated. Where possible, incorporate patch checking into your VPN posture check. Be sure to let users know the enforcement timeline and expectations around attempted use of an unpatched system.

Lee Neely

For the moment and for most enterprises "patching" remains mandatory; failing to do so not only puts one at risk but puts one's neighbors at risk. At what point do we decide that the cost of patching is too high? When do we realize that the attack surface of these widely used products is so big, so homogenous, and so porous, that collectively they weaken the entire infrastructure? When do we realize that the architectures (e.g., von Neumann), languages, and development processes that we are using are fundamentally flawed? That hiding these products behind local firewalls and end-to-end application layer encryption is a more efficient strategy? When do we acknowledge that we must fundamentally reform how we build, buy, pay for, and use both hardware and software? At what point do we admit that we cannot patch our way to security?

William Hugh Murray

The fix to CVE-2020-1317 is included in this months patches from Microsoft. CyberArk characterized this vulnerability as easy to exploit once logged into the system; Microsoft claims specialized software is also needed. Either way, applying this months update solves the problem.

Lee Neely

Another one to remind work-at-home employees to patch, with an additional caveat: Adobe and McAfee continue to try to persuade Adobe software users to install McAfee software as part of the Adobe patching process. Users should be told explicitly to not just click yes on Adobe update requests. Hard to believe this Adobe/McAfee deal continuesimagine if Band Aids tried to trick users into signing up for home alarm services

John Pescatore

I still get an occasional prompt to enable Flash to view content, so I just checked: the Flash end-of-life date is still December 31, 2020, so you need to keep it updated where its still being used. Make sure that the plans to retire Flash-based content, or provide an isolated browser for using it, are still completing this year.

Lee Neely

With ransomware operators offering purloined information for sale reminiscent of an eBay auction, its a good time to revisit your decision process regarding ransom payment as well as making sure you know what information resides in which locations so you can characterize affected data and respond appropriately if necessary.

Lee Neely

Three years in, all municipalities and healthcare institutions are responsible for knowing that they are targets of extortion attacks and for having a plan for resisting and mitigating such attacks. While paying ransom may, in at least some cases, be an appropriate part of such a plan, such a plan must have been made in advance of the attack, not simply as a convenient and expensive response to it.

William Hugh Murray

Dont expose UPnP devices to the Internet. Know what UPnP devices you have and what they can access. Paul Asadoorian of Security Weekly gave me this reference on discovering UPnP devices on your network using Nmap or the miranda-upnp python package: https://charlesreid1.com/wiki/Nmap/UPnP.

Lee Neely

Over this same time frame, back in 2003 British Telecom selected Huawei for the UK national network upgrade, and the British government dedicated resources to (and required Huawei to help fund) the Huawei Cyber Security Evaluation Centre to test all software and firmware from Huawei before allowing in on production systems. The UK has mitigated the risk successfully for 17 years with that supply chain security approach.

John Pescatore