July 2016 News and Updates
What’s New
- Windows 10 – Microsoft’s aggressive push to get every Windows 7 and Windows 8 computer upgraded to Windows 10 has gone from light speed to ludicrous speed. Per Microsoft, Windows 7 is still supported until January of 2020, and we have had very good results with the Never10 utility from GRC for keeping the upgrade from installing itself. If you have Windows 8, Windows 10 may be a better option. Otherwise, it may be worth delaying the Windows 10 upgrade.
- DEF CON 24 – Piratica has invited the crew from Cyber Tech Cafe to join them at DEF CON 24 this year (4 August to 7 August) in Las Vegas. Most of us will be leaving Thursday evening, but a skeleton crew will stay behind Friday and Monday to cover things. Everyone will be back for normal business hours Tuesday.
Updates
Executive Summary – We have the expected volley of updates from Microsoft this month covering the browser (more on that in a moment), Office, .NET and components inside Windows (the kernel, print spooler and Secure Boot). All of this has become pretty standard, but one thing that I did want to note was that MS16-084 and MS16-085 for Internet Explorer and Edge seem *very* similar, with 14 and 13 CVEs respectively. Wasn’t Edge the browser that was redesigned and rebuilt from the ground up? Isn’t it odd that, for the last several months (since it was released), its patches have looked a LOT like those for IE? Just sayin’. The bigger news, though, is that we have 52 updates from Adobe to its Flash Player and 30 updates to Adobe Reader. If divesting yourself and your organization of all things Adobe is an option, I’d start considering it. If it’s not, I’d start on a roadmap, but that’s just me. Java is, again, all quiet.
Microsoft – Microsoft released 11 bulletins this month (MS16-084 through MS16-094). MS16-083 was released earlier to address a problem with Adobe Flash Player. Six of the bulletins are rated critical (by Microsoft) and all address vulnerabilities that could allow remote code execution. The remaining are rated important (by Microsoft) and range from information disclosure to remote code execution. The SANS summary basically mirrors Microsoft’s and lists the exploitability index for each of the vulnerabilities being patched. Most of the CVEs listed in the SANS report have an exploitability index of 1 (Microsoft’s “exploitation more likely” rating), but I did not note any that currently have a known exploit.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Additional details are available from Microsoft here and from SANS here.
Adobe – Adobe has released updates to its XMP Toolkit for Java (APSB16-24), Adobe Flash Player (APSB16-25) and Adobe Acrobat and Reader (APSB16-26). There’s additional information in the links below, but the short story is that, once again, Adobe Flash Player is a problem (Acrobat and Reader are as well, but Flash seems to be a more popular target at the moment). Remove it if possible; patch and pray otherwise.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Additional details are available from Adobe here, including links to download the update(s) and instructions for installation. Additional information is available here (Threatpost).
Java – The latest version of Java is 8 update 91. If you’ve got older versions, especially versions that start with 6 or 7, remove them. Also, we’re still seeing that installing a newer version of Java doesn’t remove the older (often vulnerable) versions, so, while you’re installing the latest update, check for older versions that may still be there. On Windows, the leftovers show up as separate entries under Programs and Features (and in the Uninstall registry keys), one per version and per 32/64-bit build.
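The “check for older versions” step above, as an added PowerShell example that is not part of the original newsletter and not a Cyber Tech Cafe tool: it reads the 64-bit and 32-bit (WOW6432Node) Uninstall registry keys that Programs and Features is built from, picks out Oracle/Sun Java entries, and flags any whose version is below the one named above. The function name, the name and publisher patterns, and the 8u91 threshold (which Java reports in the registry as 8.0.910) are assumptions made for this example; adjust the threshold as new updates ship.

```powershell
# Added example (not from the original page): list installed Java runtimes/JDKs
# and flag the ones older than a given version. Run in an elevated PowerShell
# on the machine being checked. Function name and patterns are assumptions.
function Get-OutdatedInstalls {
    param(
        [Parameter(Mandatory)] [string]  $NamePattern,      # regex matched against DisplayName
        [Parameter(Mandatory)] [version] $MinimumVersion,   # anything below this is "outdated"
        [string] $PublisherPattern = '.'                    # regex matched against Publisher
    )

    # Both registry views matter: a 32-bit Java on 64-bit Windows lives under WOW6432Node.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match $NamePattern -and $_.Publisher -match $PublisherPattern
        } |
        ForEach-Object {
            $parsed = $null
            $isVersion = [version]::TryParse($_.DisplayVersion, [ref]$parsed)

            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                # Entries whose version string does not parse are treated as outdated so
                # they get a human look rather than silently passing.
                Outdated        = (-not $isVersion) -or ($parsed -lt $MinimumVersion)
                UninstallString = $_.UninstallString
            }
        }
}

# Java 8 Update 91 registers as 8.0.910.x; Java 7u80 as 7.0.800, Java 6u45 as 6.0.450,
# so a straight [version] comparison orders them correctly. (Threshold is an assumption.)
$javaInstalls = Get-OutdatedInstalls -NamePattern '^Java' `
                                     -PublisherPattern 'Oracle|Sun Microsystems' `
                                     -MinimumVersion '8.0.910'

$javaInstalls | Format-Table DisplayName, DisplayVersion, Outdated -AutoSize

# Print the uninstall commands for the stale copies so the cleanup can be scripted
# (review them before running; MSI-based entries accept a /qn switch for silent removal).
$javaInstalls | Where-Object Outdated | ForEach-Object {
    Write-Warning ("Outdated: {0} {1}`n  Uninstall: {2}" -f $_.DisplayName, $_.DisplayVersion, $_.UninstallString)
}
```

The same function works for any other product that leaves stale copies behind; only the name pattern and threshold change. The `Outdated` column is what a patch-verification script should assert on, since `Programs and Features` alone will happily show three Java versions side by side without complaint.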
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.
Additional details are available from Oracle here.
Security News, Sponsored by Piratica – A couple of big things on the Piratica radar this month include the TeamViewer breach and the Symantec vulnerability. TeamViewer customers reported having their computers taken over and bank accounts drained as a result of the breach. To my knowledge, TeamViewer has still not acknowledged that there was a breach (though several affected users claim to have had strong passwords and two-factor authentication set up AND, in addition to the customers being affected, TeamViewer’s DNS was pointing to Chinese nameservers for a while). Symantec got hit with a zero day late last month that was remotely exploitable and required zero user interaction, basically a home run for an attacker. One thing these should reinforce is that *anything* on your network is a potential target for a determined attacker and, just because it’s not vulnerable now, that doesn’t mean it won’t be tomorrow. A layered defense (egress filtering on your firewall, IDS / IPS, someone *watching* the logs, etc.) is crucial, and there is no silver bullet.
Piratica is a risk management firm, and we work with client organizations to help them identify and understand the risks to their organizations from cyber criminals. We believe that the first step in any solution is to correctly and completely identify the problem. Additional information is available on our website, Facebook and Twitter.
These updates will be automatically reviewed, approved and installed for MyIT customers. If you would like more information about the Cyber Tech Cafe MyIT services for your business, please let us know. The Cyber Tech Cafe MyIT services are available in three different levels (Bronze, Silver and Gold) and can provide updates only (Bronze), updates and proactive network auditing and monitoring (Silver) or updates, proactive auditing and monitoring and up to 10 hours of priority support at a significantly discounted rate (Gold). Pricing is based on the number of physical locations, servers and workstations that you have.