Patch Tuesday; Microsoft president Brad Smith Appears Before US Congressional Committee; GAO: US Federal Agencies Still Have Not Implemented More Than a Third of Cybersecurity Recommendations

Don't let the small number of vulnerabilities, and the fact that only one is labeled "critical", fool you. The MSMQ issue has a lot of potential. The "no click code execution" in Outlook with be discussed in depth at Defcon, and it is very much possible that an exploit will emerge around that time, if not earlier. The patch for the DNSSEC vulnerability, while only a DoS issue, was long overdue and the issue has been known since February.

Johannes Ullrich

CVE-2024-30080, MSMQ flaw, CVSS score 9.8, can be exploited remotely without any user interaction to execute arbitrary code, and is accessed over port 1801. Make sure that you're not exposing that port to the Internet. CVE-2024-50868, DNSSEC DOS/CPU exhaustion, CVSS score 7.5, aka KEYTRAP, warrants pushing the update to your servers as it impacts not just the Microsoft DNS server.

Lee Neely

By all accounts Mr. Smith handled the heightened scrutiny of MSFT with aplomb. The takeaway is that even Fortune 50 companies can fall victim to lapses in adherence to security processes. Don't expect the federal government to switch out use of MSFT products and services any time soon.

Curtis Dukes

The testimony seems to range from how Microsoft is doing business in China to the SolarWinds compromise to Recall. Read the transcript and responses to consider if those types of responses would reflect well on your company were you in his spot, then take action to put your enterprise in a stronger position where needed. For example, raising the bar on security should not be a conversation about what has been done in the last few weeks for a mature company like Microsoft.

Lee Neely

Microsoft is learning the hard way that changing corporate culture is like changing the course of a super tanker. It takes more than a command from the top. Among other things, it takes time. The CSRB Report makes it clear that the present course ends up on the rocks. Given Microsoft's market dominance, the present course imperils the Ship of State.

William Hugh Murray

My guess is that the historical average percentage of agencies implementing GAO recommendations (security or otherwise) is at best in the 66% range. What is really needed across Federal IT is a focus on improving IT operations where most vulnerabilities originate: lack of inventory, using unpatchable/unsupported software, failure to require developed or acquired software to demonstrate security needs have been met, etc. If IT operations is constantly blowing on dandelion seed puffballs, security operations plucking 66% of the dandelions that sprout is probably the best most government agencies will be able to do.

John Pescatore

A recurring theme here is legacy, unsupported, systems are operating without needed fixes. Replacing these systems, particularly key business systems such as your ERP or HCM systems, require a lot of time and resources, which often has to come out of the mission budget, so youÕre going to find a lot of mitigations and stop-gap efforts. GAO is proposing an overarching approach focusing on four cybersecurity challenges and ten critical actions to build support and focus action to reduce the threat to the nation's essential technology systems.

Lee Neely

A troubling statistic given the report goes back to 2010. It highlights the fact that US Departments and Agencies do not regularly plan (budget) for HW/SW obsolescence leading to cybersecurity risks. Perhaps a relook at the Technology Modernization Fund is in order with a renewed focus on prioritizing expenditures to close more of these GAO cybersecurity recommendations.

Curtis Dukes

That might even be okay, provided that the 65% includes the most essential and efficient measures (e.g., strong authentication, network segmentation, least privilege). My experience suggests that auditors tend to view all recommendations as being of equal importance.

William Hugh Murray

I've commented in NewsBites in the past a big issue for Microsoft has been chasing cloud revenue but not updating a Secure Development Life Cycle that was used to working at operating system version release speed - definitely NOT 'agile' cloud speed. In his written testimony to Congress, Microsoft President Brad Smith says Microsoft has added close to 2,000 security engineers but barely mentioned development with one very high level promise: 'Secure by Design: Make security the first priority when designing any product or service.

John Pescatore

A few weeks ago we were praising Satya Nadella's statement about Microsoft refocusing on security before features. Sadly, this story and the debacle over Microsoft Recall highlights this will be not be an easy change to implement as Microsoft appears to need a major cultural change in how it develops and secures its products and services. As with many things in life actions speak louder than words and thus far Satya Nadella's statement is akin to a pinkie promise.

Brian Honan

One lesson here is to pay attention to vulnerability disclosure, internal and external. Before dismission or deciding that will never happen, consider an external assessment or demonstration of exactly how difficult and impactful exploiting the flaw is. The other lesson is to keep an eye on enabling technologies used to connect to service providers, cloud or otherwise, making sure that you continue to follow best practices and all components are kept updated.

Lee Neely

Two takeaways: 1) Ransomware continues to be a scourge against the cyber underserved; and 2) we, the cybersecurity community, must find ways to ease implementation and monitoring of cybersecurity best practices for resource-constrained organizations.

Curtis Dukes

Take a look at the communications from Newburgh and Traverse City below, noting elements that would aid your communication efforts in an incident. Note that Cleveland is posting on X, which may be necessary if your primary communications paths are impacted. Whether social media or web site updates, make sure (test) these can be securely updated by staff independent of being on your corporate network. Question the model of dropping security during a (security) incident for access. Creating these processes while the chips are down is unpleasant and stressful at best; practice ahead of time.

Lee Neely

The vulnerability was reported by an outside security researcher so Symantec could very well be right. Regardless, the vulnerability was quickly fixed by MSFT and a patch made available to limit further attack.

Curtis Dukes

The threat actors were exploiting CVE-2024-26169 prior to the fix being available, taking advantage of permission inheritance in how Windows wekernel.sys creates registry keys. When the fix was released, Microsoft reported no evidence of exploitation in the wild. Given the Symantec research, have your threat hunters check for IOCs while you're making sure the fix is in.

Lee Neely

When people ask me why I am against paying criminals money resulting from extortion attacks such as ransomware, this story, and the other on PHP flaws being exploited, is one of those reasons. Paying criminals provides them with funds to research and/or purchase exploits that they can then use to victimise others.

Brian Honan

While this only impacts Windows PHP servers, you're going to want to update your other PHP platforms as well for consistency. Note that PHP 8.0, 7 and 5 are impacted, but are discontinued so no fixes will be released. Note that moving between major PHP versions needs regression testing due to changes in security models and function calls, watch for warnings of soon to be deprecated behavior as you update. Even so, it's time to get current.

Lee Neely

MFA... The acronym to solve so many issues like this. Sadly, there has been some pushback from developers in the past as GitHub started to enforce MFA for some accounts. GitHub does a great job in making technologies like Passkeys approachable and usable. Take advantage of it.

Johannes Ullrich

This is a particularly sneaky phishing attack as it uses GitHub's comment feature to trigger a phishing email attack. By leaving comments in GitHub with the victim's username, the attacker triggers an official GitHub email using an official GitHub email address but with the attacker's comments making up the body of the email. Crafted this way, it can be hard to determine that the GitHub email is actually a phishing attack. I'm seeing more phishing attacks like this using the official email mechanism of legitimate companies (PayPay, Intuit, etc). So much for hovering over links. In addition, if you can trick someone into installing a malicious OAuth app, remember this not only bypasses MFA, but gives the attacker persistent access regardless if you change your password.

Lance Spitzner

Targeted Identity and Access Management (IAM) campaigns appear to be the new normal. Recently, in addition to GitHub, there has been Snowflake. For both, the evildoer exploits different weaknesses [not vulnerabilities] in their governance processes. For GitHub it is the automated legitimate email notification, for Snowflake lack of mandatory use of multi-factor authentication. For both, the evildoer is looking to obtain legitimate credentials to easily bypass security controls.

Curtis Dukes

Getting emails from mentions in repositories, ticketing systems or other platforms is pretty commonplace, and users are inclined to click the enclosing links to take actions, particularly where the message has a triggering topic like a security event or job offer. Make sure your training includes making sure users are checking these notifications are genuine. Encourage them to take advantage of the GitHub spam reporting system as well as verifying the sessions connected to your repos are legitimate.

Lee Neely

No shortcuts here: you need to roll out updates to FortIOS, FortiProxy, FortiPAM and FortiSwitchManager as these flaws are susceptible to remote exploitation. Make sure that you're targeting FortiOS 7.2.8 or 7.4.4, while affected, the older branches are not getting all the same fixes.

Lee Neely

CVE-2024-29855, authentication bypass, CVSS score 9.0, allows attackers to login to the Veeam Recovery Orchestrator with administrator privileges. While the exploit needs the exact username and role of an account with an active JWT token, there are only five roles and the meta-data in the SSL certificate typically has enough information to determine a valid username. The icing on the cake is a POC for this exploit is publicly available, so dawdle time is essentially non-existent.

Lee Neely