SANS NewsBites

Patch All HTTP/2 Usage and Windows and Old Versions of iOS, Too; Use Google’s Move to Accelerate Passkey Use

October 13, 2023  |  Volume XXV - Issue #81

Top of the News

2023-10-11

Microsoft’s Patch Tuesday Includes Fixes for Two Actively Exploited Vulnerabilities

Microsoft’s Patch Tuesday release for October 2023 includes fixes for more than 100 vulnerabilities, including two flaws that are being actively exploited. One is a privilege elevation vulnerability in Skype for Business. The other is an information disclosure vulnerability in Microsoft WordPad. In a related story, Microsoft’s Patch Tuesday began 20 years ago.

Editor's Note

The WordPad issue is interesting. Yet another way to trick Windows to send NTLM hashes to a malicious server. Can't wait for NTLM hashes to finally disappear. On the other hand, if you have halfway sane egress filter rules, this may be less of an issue.

Johannes Ullrich

CVE-2023-41763, Skype for Business, is a server rather than client flaw; now you just need downtime to patch those servers. The CVE-2023-44487 fix addresses the HTTP/2 Rapid Reset Attack, again necessitating server downtime to patch. The Skype, HTTP/2 and WordPad flaws are in CISA's KEV list with a remediation date of 10/31.

Lee Neely

I remember being at meetings in Microsoft in the early years of Vulnerability Tuesday releases and they had engineering efforts underway to make it much less risky to patch Windows faster than monthly. Unfortunately, as the iPhone, Android-based phones and the iPad all came out and quickly began to dominate mobile markets, the business side of Microsoft made the business decision to compete with a “Windows Everywhere” strategy. That seemed to doom any chance of the Windows OS getting simpler to secure and easier to patch. Anyone remember the Windows phone?

John Pescatore

It’s hard to believe that ‘Patch Tuesday’ began 20 years ago. Microsoft changed, for the better, how companies report security updates to their products. By moving to a monthly cadence, with some out-of-band updates along the way, it gave defenders the ability to plan for downtime in order to patch. Meanwhile, given that two of this month’s vulnerabilities are actively being exploited, prioritize them for patching.

Curtis Dukes

It's been twenty years since Patch Tuesday. Some early-in-career practitioners may have only been toddlers. That would mean this would be a small set of patches since we have been doing secure computing for so long, right?

Moses Frost

2023-10-11

CISA Urges Organizations to Address HTTP/2 Rapid Reset Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to take steps to protect their systems from a denial-of-service (DoS) vulnerability in the HTTP/2 protocol. Dubbed Rapid Reset, the vulnerability has been exploited over the past three months to launch unusually large distributed denial-of-service (DDoS) attacks.

Editor's Note

To me, the key takeaway from Cloudflare's blog post was that an attacker with an "average" botnet (20,000 bots) is able to create as much traffic as 1/10 of the entire internet combined. You will not defend against these types of attacks with on-premises filtering.

Johannes Ullrich

HTTP/2 Rapid Reset Attack (flaw) was leveraged to create the largest DDoS attack to date, 201 million requests per second, with a relatively small botnet of 20,000 machines. This attack abuses a weakness in the HTTP/2 protocol which allows for repeatedly sent session cancellation requests, which overwhelm the server. You need to apply fixes to all your HTTP/2 enabled web servers. Additionally, check the components in your DDoS protection strategy, from boundary protection and load balancers to CDN and cloud service providers to see if mitigations are available and if they need to be activated. Many CDN and cloud providers have already made changes to mitigate this attack, so you may catch a break there.

Lee Neely
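The per-connection reset rate limit that patched servers and edge providers apply against the open-then-cancel pattern described above, as an added Python model that is not code from this newsletter or from any vendor: it feeds a constructed frame sequence through a guard that drops a connection once it cancels more streams per second than a legitimate client plausibly would, while an occasional cancellation passes. The threshold and window values are illustrative assumptions, not a vendor's defaults.

```python
# Per-connection stream-reset rate limiting, the mitigation pattern used
# against HTTP/2 Rapid Reset (CVE-2023-44487). Illustrative model only.
from collections import deque

HEADERS = "HEADERS"        # client frame that opens a new stream
RST_STREAM = "RST_STREAM"  # client frame that cancels a stream


class ResetGuard:
    """Counts RST_STREAM frames from one connection in a sliding window.
    Rapid Reset opens a stream and cancels it at once, at line rate, so the
    server pays for the request while the client's concurrent-stream limit
    is never reached; a burst of resets on one connection is the signal."""

    def __init__(self, max_resets: int, window_s: float):
        self.max_resets = max_resets   # illustrative threshold, not a vendor value
        self.window_s = window_s
        self.reset_times = deque()     # timestamps of recent RST_STREAM frames

    def on_frame(self, frame_type: str, now: float) -> str:
        """Feed one client frame; return "ok" or "close"."""
        if frame_type != RST_STREAM:
            return "ok"
        self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > self.window_s:
            self.reset_times.popleft()          # expire resets outside window
        return "close" if len(self.reset_times) > self.max_resets else "ok"


def evaluate(frames, max_resets: int = 10, window_s: float = 1.0):
    """Run (frame_type, stream_id, time) tuples through a fresh guard; return
    ("close", n) if the connection is dropped at frame n, else ("ok", total)."""
    guard = ResetGuard(max_resets, window_s)
    for i, (ftype, _sid, t) in enumerate(frames, start=1):
        if guard.on_frame(ftype, t) == "close":
            return ("close", i)
    return ("ok", len(frames))


# Constructed sample traffic (not captured data)
def rapid_reset_burst(n: int, gap: float = 0.001):
    """Open-then-cancel n streams, one pair every millisecond."""
    frames = []
    for k in range(n):
        sid, t = 2 * k + 1, k * gap
        frames.append((HEADERS, sid, t))
        frames.append((RST_STREAM, sid, t))
    return frames


def normal_client(n: int, gap: float = 0.2):
    """Open n streams at a human pace, cancelling every fifth one."""
    frames = []
    for k in range(n):
        sid, t = 2 * k + 1, k * gap
        frames.append((HEADERS, sid, t))
        if k % 5 == 4:
            frames.append((RST_STREAM, sid, t + 0.05))
    return frames
```

The burst is cut off at its eleventh reset (frame 22), while the slow client's ten cancellations spread over ten seconds never trip the guard.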

I am curious to see how this plays out. On the surface, not much was said, but under the hood, is this the current generation's version of Slow Loris? I wonder.

Moses Frost

2023 is turning out to be the rebirth of DDoS attacks. Check with your upstream service provider on what defenses they have in place for the rapid reset vulnerability.

Curtis Dukes

2023-10-10

Passkeys are Now Default Option for Google Accounts

Google has made passkeys the default option for Google Accounts. The company introduced support for passkeys earlier this year. Users can still manually toggle the option and use old-fashioned passwords.

Editor's Note

Since there are over 1.5 billion users of Gmail (including over half of US email users), this relatively gentle move by Google is obviously a huge step forward to making phishing attacks much harder to succeed. Also, it makes using Google credentials a safer and more appealing option than creating yet another website account password – this should spur Google’s competitors to follow suit. One caution: backup processes for authenticating when stuff happens (and stuff will happen) are needed, and will be a target of bypass attacks.

John Pescatore

Google was one of the first big players to offer and promote MFA (what they call two-step verification) and now one of the first to offer, promote and make default passkeys. Passkeys represent the gold standard in security: they make critical security behaviors simple. The simpler a behavior, the more likely people will exhibit it, something we too commonly forget when developing complex security policies and requirements. Unfortunately, passkeys are still offered on limited platforms, but that will change over time. In addition, you most likely will not need such strong authentication for every online account, just starting with the most important.

Lance Spitzner

Google supports multiple authentication options; you can add a passkey to your existing 2FA, providing a fallback. It's time to disable the SMS validation option. Apple and Microsoft are also supporting passkey options, which are based on FIDO standards; it's time to do that deep dive into adoption.

Lee Neely

Kudos to Google for making it the default option. By all accounts passkeys are far more secure than simply using [or overusing] a password. Making it the default option, forces users to manually change, and we know most users select the default configuration option. Between Google, Apple, and other third-party applications, we may, just may be seeing a fitting end to passwords.

Curtis Dukes

Apple, Google, and Microsoft are now on board. There are already more than a dozen videos on YouTube explaining and promoting Passkeys. Users will be seduced by the convenience of one-click sign-on. Hopefully they will demand that all applications and services offer Passkeys, at least as an option, thus overcoming the biggest remaining hurdle. Like all other security mechanisms, Passkeys have their limitations. We must take care not to let the perfect (once more) become the enemy of the good.

William Hugh Murray

The Rest of the Week's News

2023-10-12

Patches for curl Vulnerabilities

curl project maintainers have released patches to address a pair of vulnerabilities in the command line data transfer tool. A heap buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545) affects both curl and libcurl and could be exploited to corrupt data and possibly execute arbitrary code. A cookie injection flaw involving a cookie file named "none" (CVE-2023-38546) affects only libcurl. Users are urged to upgrade to curl version 8.4.0.

Editor's Note

This vulnerability wasn't as bad as some expected it to be. Still: Get it patched, but there is no rush to do so. curl and libcurl are ubiquitous in the Unix world, and can also be found on Windows.

Johannes Ullrich

The SOCKS5 proxy handshake flaw is triggered by hostnames over 255 characters; the conditions to exploit this are not particularly common. The cookie injection flaw is specific to calling the curl_easy_duphandle function in libcurl for handling single transfers. The problem there is that the handles are cloned but the actual cookies are not. Curl is prevalent in Linux, and is also on your Mac and Windows systems: apply the updates when they are available. Not every platform/distribution has released updates; keep an eye on your provider for updates.

Lee Neely
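Why 255 characters is the boundary mentioned above, as an added example that is not curl's code: SOCKS5 (RFC 1928) carries a domain-name address with a single-octet length field, so a conforming client must refuse a longer name before any copying into a fixed-size buffer takes place, and a proxy must check the length byte against the payload before trusting it. The encoder and parser below are illustrative; IDNA conversion is left out.

```python
# SOCKS5 CONNECT request encoding per RFC 1928, with the hostname-length
# check behind the 255-character boundary in CVE-2023-38545.
# Illustrative code, not curl's implementation; IDNA conversion omitted.
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03
MAX_DOMAIN_LEN = 255   # ATYP=0x03 carries the name length in ONE octet


class HostnameTooLong(ValueError):
    """Raised instead of truncating or copying an unrepresentable name."""


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """Build the request asking the proxy to resolve `hostname` itself.
    Because the wire format has a single length byte, a name longer than
    255 bytes cannot be sent; reject it before any buffer work is done."""
    name = hostname.encode("ascii")
    if len(name) > MAX_DOMAIN_LEN:
        raise HostnameTooLong(f"{len(name)}-byte hostname exceeds SOCKS5 limit")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_connect_request(buf: bytes):
    """Proxy-side decode; returns (hostname, port) or raises ValueError.
    The length byte is trusted only after checking it against the payload."""
    if len(buf) < 7 or buf[0] != SOCKS_VERSION or buf[1] != CMD_CONNECT \
            or buf[3] != ATYP_DOMAIN:
        raise ValueError("not a SOCKS5 domain-name CONNECT")
    n = buf[4]
    if len(buf) != 5 + n + 2:
        raise ValueError("length byte does not match payload size")
    name = buf[5:5 + n].decode("ascii")
    (port,) = struct.unpack("!H", buf[5 + n:])
    return name, port


def hostname_fits(hostname: str) -> bool:
    """True if the name can be carried by a SOCKS5 domain-name request."""
    try:
        socks5_connect_request(hostname, 443)
        return True
    except HostnameTooLong:
        return False
```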

Is this a “non-event?” The actual day came and went with very little fanfare but a lot of bluster. I think this is one of these Post-0-day events, and when someone properly weaponizes it, they will find many unpatched systems. cURL is one library that seems to be compiled widely into projects, IoT devices, embedded systems, and many other products. Your car may be running it. The only saving grace here may be the way you trigger the exploit.

Moses Frost

While the hype over these two vulnerabilities has dissipated somewhat, the heap buffer overflow can still be dangerous. Especially now as more details of the buffer overflow are reported. Prioritize downloading the latest version of the tool and update.

Curtis Dukes

2023-10-12

Apple Backports Fixes for Older Versions of iOS/iPadOS

Apple has released iOS and iPadOS 16.7.1 updates to address a pair of vulnerabilities that could be exploited to gain elevated privileges or execute arbitrary code. The privilege elevation vulnerability affects the kernel and has been actively exploited. Apple released iOS and iPadOS 17.0.3 last week to address the same vulnerabilities.

Editor's Note

The two flaws, CVE-2023-42824, privilege escalation, and CVE-2023-5217, WebKit buffer overflow, are actively being exploited. Make sure that you're pushing iOS/iPadOS 16.7.1 to your non iOS/iPadOS 17 devices. With version 17.1 just around the corner, it's getting to be time to set version 17 as your minimum. Start replacing your devices which cannot run this version now.

Lee Neely

With these updates Apple is acknowledging that there are a number of users that do not regularly update their Apple devices (hardware, software, or both). As iOS 16 was released just over a year ago, it’s prudent to provide the software update. Ditto for iPadOS.

Curtis Dukes

This is a weird story. I thought Apple addressed these issues together. It seems odd they were waiting almost a month or so to patch an earlier yet supported build?

Moses Frost

This is a rare move on Apple's part. Many versions of iPhones, iOS, and Macs are no longer supported.

William Hugh Murray

2023-10-12

SEC Investigating Progress Software’s MoveIT Vulnerability

Progress Software is facing multiple lawsuits and a US Securities and Exchange Commission (SEC) investigation related to the vulnerability in the company’s MoveIT file transfer tool. The MoveIT SQL injection vulnerability has been exploited to compromise data at more than 2,000 organizations, affecting 60 million individuals.

Editor's Note

So far, the lobbying strength of the IT industry has been an immovable obstruction to real liability being assigned to software vendors and there really are no irresistible forces on the near horizon. But, there are certainly many, many Lilliputian lawsuits and fines that add up to real expenses. Take a shot at convincing your CFO that selling insecure products and services is actually less profitable than investing in “secure by design/default” just like quality was invested in.

John Pescatore

To date 58 lawsuits have been filed against Progress Software, with another 23 notices of intent to file being received from other customers and entities. Progress Software has already spent almost $2m related to the vulnerability. Estimates are that between $75 and $100 million in ransom was earned by the attackers just from the MOVEit campaign. The question is will Progress Software survive judgements in favor of those seeking retribution? If you're still a customer, you should be looking at alternatives in case that turns out to be a no.

Lee Neely

Both lawsuits and government investigation were to be expected given the impact of the vulnerability to their customer business operations. Progress Software’s software vulnerability will make for an excellent business case on downstream costs in dealing with a cyber incident. Those costs should be put in perspective to the cost of proactive cyber defense.

Curtis Dukes

2023-10-10

Microsoft is Deprecating VBScript in Windows Client

As of this month, Microsoft is no longer developing VBScript for Windows Client. Microsoft writes, “In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.” VBScript was first released in 1996; the most recent release, version 5.8, dates to 2010. In September, Microsoft announced it was deprecating WordPad.

Editor's Note

Microsoft has been hinting about the deprecation of VBScript since around 2016. VBScript was a great tool for administration back when it was introduced. Today, PowerShell has effectively replaced the use of VBScript, so take a look around for any lingering VBScript use, migrate it, and let go. In case you missed it, the notice about deprecating WordPad came out September 1st, and while the reasons why are unclear, it's likely tied to the availability of free online (web) alternatives from Google, Dropbox, and even Microsoft.

Lee Neely

VBScript, we knew you well, and you'll still allow for vulnerabilities on older systems. By the way, Object Oriented BASIC scripting was as bad as it sounds… like Object-Oriented COBOL.

Moses Frost

2023-10-12

Simpson Manufacturing Discloses Cyberattack

Simpson Manufacturing, a California-based company that produces building and structural materials, has disclosed that its IT systems were the target of a cyberattack earlier this month. Some of the company’s systems have been taken offline while the issue is being remediated. The company expects that the incident will “continue to cause disruption to parts of [its] business operations.”

Editor's Note

Simpson Manufacturing is a leader in its industry, operating seven research labs for testing new designs and materials as well as holding over 2000 patents, hinting the attackers are after their trade secrets. The attack is causing disruption of the business, coupled with not having a predicted ETA for resumption of services, hints of a ransomware attack recovery, likely preceded by data exfiltration. A couple of things you can take to your shop here: is your BC/DR plan such that you can meet the resumption expectations, so you can communicate accurate expectations to management? Do you know what your most valuable assets are, and are they adequately protected/monitored? Lastly, are your data exfiltration detections adequate and working?

Lee Neely

Not a lot of details in the SEC filing, but most likely a ransomware event. Simpson operates in a sector that hasn’t reported much in the way of cyber incidents. It does, however, indicate that all industry sectors are potential ransomware targets, and companies should prioritize cybersecurity as a business operation imperative.

Curtis Dukes

2023-10-11

libcue Library Memory Corruption Vulnerability

GitHub has disclosed a memory corruption vulnerability in the libcue library. The library is used for parsing cue sheets, which describe optical disk track layouts. The vulnerability could be exploited to attain code execution on Linux GNOME desktop environments. The issue affects libcue versions 2.2.1 and older; the issue has been fixed in version 2.3.0.

Editor's Note

Kudos to Paul Asadoorian who explained this to me. In short, applications like tracker-miners, which use libcue to index files on your GNOME desktop for searching, respond immediately when a file is added or modified on your desktop, meaning a malicious .cue file can be dropped in your home directory, which is then read, triggering the exploit. As a bonus the exploit can be used to break out of a seccomp sandbox which is used to restrict privileges to container processes.

Lee Neely

2023-10-10

CISA Adds Five Vulnerabilities to KEV

On Tuesday, October 10, the US Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) database, including a use-after-free vulnerability in Adobe Acrobat and Reader; a patch has been available for the flaw since January 2023. The other recently-added KEV entries are an out-of-bounds write vulnerability in Cisco IOS and IOS XE; the two zero-days that Microsoft addressed in this week’s Patch Tuesday; and a rapid reset attack vulnerability in HTTP/2.

Editor's Note

Updating Adobe Acrobat and Reader and applying the Cisco and MS updates will get you most of the way done here. CVE-2023-44487, the HTTP/2 Rapid Reset Attack, applies to all your HTTP/2 enabled web servers; you'll need to apply those updates as well. Even though the due date on the KEV is 10/31, keep in mind these are being actively exploited.

Lee Neely

We are now at the point where some small and medium size organizations may be overwhelmed by the burden of patching. CISA offers welcome and useful guidance in prioritizing. Start with their recommendations and the KEVs. Be sure you know what software you are using. Demand that vendors include a digital software bill of materials in the description of their offerings.

William Hugh Murray

Internet Storm Center Tech Corner

curl SOCKS5 oversized hostname vulnerability CVE-2023-38545

https://isc.sans.edu/diary/CVE202338545+curl+SOCKS5+oversized+hostname+vulnerability+How+bad+is+it/30304

Microsoft Patch Tuesday

https://isc.sans.edu/diary/October+2023+Microsoft+Patch+Tuesday+Summary/30300

SeroXen RAT in Typosquatted NuGet Packages

https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/

Hexadecimal IP Addresses

https://asec.ahnlab.com/en/57635/

Juniper Vulnerabilities

https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending&numberOfResults=50&f:ctype=[Security%20Advisories]

Unpatched Squid Vulnerabilities

https://joshua.hu/squid-security-audit-35-0days-45-exploits

BSIDES Jacksonville

https://bsidesjax.org

CVE-2023-22515 Actively Exploited

https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

Adobe Acrobat Vulnerability Actively Exploited CVE-2023-21608

https://www.cisa.gov/news-events/alerts/2023/10/10/cisa-adds-five-known-vulnerabilities-catalog

Google Makes Passkey the Default

https://blog.google/technology/safety-security/passkeys-default-google-accounts/

VBScript Deprecated from Windows

https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features

HTTP/2 Rapid Reset

https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/