What’s New
- DEF CON 24 – Huge thank you to the folks at Piratica for the invite to DEF CON in Las Vegas, NV. Definitely an eye opening experience to see things from a different perspective.
- DC770 – A quick reminder that DC770 meets the first Tuesday of each month at 7:00pm EDT in the basement at Jefferson’s.
Updates
Executive Summary – No patches for Adobe Flash Player this month. For the first time since January, the monthly Adobe patch release does not include a patch for Flash Player. In an interesting bit of irony though, there is a bulletin from Microsoft (MS16-102) that patches a vulnerability in the Microsoft PDF Library that could lead to remote code execution. Also, MS16-099 affects multiple versions of Office including Office for Mac and the Word Viewer and can lead to remote code execution.
Microsoft – Microsoft released 9 bulletins this month (MS16-095 through MS16-103). Five of the 9 are rated critical and four are rated important (by Microsoft). It should come as no surprise that updates for Internet Explorer and Edge are leading the pack (again) with patches for 9 bugs in Internet Explorer and 8 in Edge which, as Johannes B. Ullrich noted at SANS, “Kind of makes you wonder how much Edge differs from Internet Explorer“, a thought that we’ve mentioned with the last couple of updates. Similar to previous months, many of the CVE’s patched this month have an exploitability rating of 1 (Exploitation More Likely) but no known exploits are listed on SANS at this time. All users are encouraged to install this month’s Microsoft Updates at their earliest convenience.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are catagorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critial, it’s important that the updates are installed.
Additional details are available Microsoft Here and Here (SANS) .
Adobe – The only update (so far) from Adobe this month is an update to resolve a number of important issues in the Adobe Experience Manager and affects multiple platforms (Windows, Mac, Linux / Unix).
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe Here including links to download the update(s) and instructions for installation. Additional information is available here (Threatpost).
Java – The latest version of Java is 8 update 101. If you’ve got older versions, especially versions that start with 6 or 7, remove them. Also, we’re still seeing that the installation of newer versions of Java don’t remove the older (often vulnerable) versions so, while you’re installing the latest update, check for older versions that may still be there.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – Another August and another DEF CON in the books and it seemed like a huge success. The last (unofficial) count that I heard on attendees was 22,000 +/-. As with any DEF CON, there was tons to do (contests, hardware hacking village, SoHopelesslyBroken, talks, etc) but I think the coolest thing there was the DARPA Cyber Grand Challenge. There’s a ton of information including history, rules and final scores here but the short story is that several teams built machines (computers) that competed in the first ever computer only capture the flag (CTF) contest. The computers were then ‘turned lose’ to attack one another, defend themselves and craft new attacks and defenses autonomously. Congratulations to all of those who competed this year and hat’s off to those who left Vegas with a black badge. Time to reset and get ready for DerbyCon v6.0!
Piratica is a risk management firm and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals.. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT Customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are availalbe in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.