Dedicate Resources to Patching for Microsoft Vulnerability Tuesday, Especially Sysmon; After Microsoft Flaws, Patch VMware Workspace ONE Assist; If You Use ABB Flow Controls, Patch Those, Too

Lots of interesting patches this time. One not to overlook is the patch for the sysmon issue. It could be devastating to a network that has sysmon deployed throughout the network. You essentially instrumented the network with a tool to assist attackers. Patch quickly and monitor what sysmon is doing (with sysmon?)

Johannes Ullrich

Don't you wish we just had to watch the election returns this Tuesday? Fixing six zero-days is awesome, particularly as these are being actively exploited in the wild. And the most severe four (CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 and CVE-2022-41128) are in the CISA KEV catalog with remediation dates of 11/29. CVE-2022-41128 is a fix to Microsoft scripting languages, which can be leveraged to infect users who browse to a malicious site; CVE-2022-41073 is another Windows Print Spooler fix, CVE-2022-41125 addresses a privilege escalation flaw in the Windows Cryptographic API; CVE-2022-41091 addresses a security bypass to "Windows Mark of the Web" - that flag that marks the files as being from an untrusted source. The last two are Exchange flaws (CVE-2022-41040 and CVE-2022-41082) addressing remote code execution when PowerShell is accessible to the attacker. Check out the SANS ISC link below for a rundown on the rest of the story.

Lee Neely

Given the large number of critical vulnerabilities (11), several of which have been actively exploited, priority has to be given to this patch update.

Curtis Dukes

Older VMware flaws are already heavily targeted by attackers. This will provide them with yet another avenue. And remember: This isn't just a "Patch Now" issue. Because there will likely be more issues like that. This is a "Figure out how to build a moat" issue.

Johannes Ullrich

There are no workarounds here, this is a patch it to fix it scenario. An attacker can exploit the flaws if they can reach your network with Workspace One Assist without authentication to obtain administrative access. The update addresses five CVEs in total - including XSS and an authentication token exploit, seems like a good idea to just apply the update.

Lee Neely

I like the first bullet item in the Claroty executive summary on their findings: “Flow computers calculate oil and gas volume and flow rates; these measurements are critical not only to process safety, but are also used as inputs in other areas, *including billing*.” Note that many news reports picked up on the “including billing” and the connection to the Colonial Gas pipeline ransomware attack that caused gas shortages because billing apps went down. If you are using ABB controllers, use that same focus on the business/billing disruption to get patching prioritized.

John Pescatore

These are driven by an ARM v8 processor running Linux. The flaw can be leveraged to get root on those devices, read/write files - these computers calculate volume and flow rates used by alarms, safety and billing systems. An attack could impact a company's ability to bill and/or disrupt the flow altogether. If you have some of these, apply the update as well as make sure that they are properly isolated/segmented. Read the report from Claroty if you've wondered what these can do.

Lee Neely

This update fixes two specific XML parser issues. Details about these issues, with proof of concept code, were released the same day the update was released. I don't care if you wait patching this. If you don't, it may make for a neat future NewsBites story about how your organization was compromised.

Johannes Ullrich

I know, you are still finishing rolling out iOS/iPadOS 16.1, and you noticed 16.2 is only a few weeks away, so you were hoping for breathing room. The good news is users who haven't updated will get 16.1.1 when they do, and that these updates are only for iOS/iPadOS 16, as well as macOS Ventura. Exploiting the flaws allows an attacker to terminate a running application or execute arbitrary commands on the device. There are also unspecified bug fixes in these updates which help with some petty annoyances your users may be facing.

Lee Neely

Back in 1994, NIST put out FIPS 140-1, Security Requirements for Cryptographic Modules. In 1995, Netscape came out with SSL 2.0 for transport security in their Navigator browser. When the US Federal government started requiring government agencies require FIPS 140-1 compliance, it drove testing of SSL 2.0 and vulnerabilities were quickly found and fixed – and anyone (OK, back then mostly Microsoft) wanting to provide a browser for government use had to get their crypto tested and validated. SSL didn’t solve all security problems, but it did raise the bar and it is good to see the US government using its buying power to do the same thing for device security.

John Pescatore

One of the challenges is that traditional IT security follows frameworks like NIST SP 800-53, while our OT operators are following the Purdue model. Having guidance to help crosswalk the two universes is critical to success. Keep an eye on SP 800-82, SP 800-181 and SP 800-313. NIST publications often include guidance and insight which is applicable beyond the federal government, consider leveraging these to raise the bar on your IoT acquisitions.

Lee Neely

While mandated for federal agencies, every Industry sector will benefit by following the cybersecurity guidance in NIST Special Publication 800-213. Now is the time to build IoT cybersecurity requirements into your IT risk management process for the entire connected enterprise.

Curtis Dukes

A tool like the SSVC can help prioritize remediation efforts, but before you run out and grab something new, check your inventory for products which may already have this (or similar) capability and look at leveraging that first. We all have "shelfware" or narrowly implemented products, and as tempting as best-of-breed is, it's still generally easier to use all the features in existing products than trying to integrate several disparate products which are "supposed" to be able to talk to each other.

Lee Neely

In this case, I have to treat CISA like I would any vendor. The Security Content Automation Protocol (SCAP) standards first came out of the US government in 2009 – announcing more such standards really does not equate to CISA “transforming the vulnerability management landscape.” They need to focus on helping government agencies overcome the obstacles they faced trying to make automation work, which had more to do with overhyping what would and would not make sense to automate than it did with needing new ways to find out and rank vulnerability severity. I’d like to see a focus on a simple use case: reduce average time to patch servers from months to days to hours. Then start thinking about automation overall.

John Pescatore

The idea is this is private notification of flaws, and package maintainers can elect to ignore or seek more information. I know it's upsetting to have someone tell you your code is broken, you worked really hard on it, but it's better to have a direct approach than learning it's being spread over social media. Learn to embrace and respond to the feedback, the goal is to raise the bar, not denigrate the developer. make sure that your company has a security link on their web site which leads to clear flaw reporting instructions for the same reasons.

Lee Neely

Microsoft acquired GitHub a bit over 4 years ago and GitHub just announced it had passed $1B in revenue – good to see more (needed) investment by GitHub in security. If your company’s product is software, this is also a good reminder to check if you have the processes and contact points in place to rapidly learn of and deal with vulnerabilities in your product. All too often, for example, www.yourcompany.com/security is hyping up product security features vs. making it easy for someone to report a bug and get an acknowledgement.

John Pescatore

The flaws allow the secure boot database (DBX) to be reset. That resets what is allowed and denied by the secure boot process, allowing a hacker's code to be loaded at boot time. If you're not managing the firmware on your fleet of laptops, you need to start figuring that out before your attackers do. Even so, test your process, BIOS updates can brick or otherwise be disruptive to users. The timing of which is never convenient, in fact, quite the opposite. At a bare minimum, track the versions and watch for unexpected updates.

Lee Neely

Your Chrome and Chromium browsers are affected here. Odds are, by now, the user's browsers have already downloaded the update and the browser needs a relaunch. This update includes more updates to the V8 JavaScript engine (the last Chrome KEV update was also a V8 fix) speech recognition, WebWorkers and WebCodecs. These new updates are not yet in the CISA KEV catalog.

Lee Neely