September marks the second month in a row with a relatively light set of updates. But that doesn’t mean the threat of attack has gone down; in fact, there have been an escalating number of recent ransomware attacks in the public sector. With the slowdown in patch activity and ransomware back in the news, it’s a good time to take a look at the rest of your IT operations program, especially your cyberattack and disaster recovery plan. Before we dig into those topics, let’s review this month’s Patch Tuesday updates.
Microsoft resolved a total of 79 unique CVEs this month. Included in this list were two zero days and three publicly disclosed vulnerabilities, all of which affect the Windows Operating Systems this month. The two zero-days are both elevation of privilege vulnerabilities fixed in the Windows 10 workstation and server operating systems as well as the legacy operating systems. The first zero-day, CVE-2019-1215 exists in the Winsock component and the second, CVE-2019-1214 exists in the Windows Log Common File System driver.
Update: After Microsoft released the September Patch Tuesday advisories, the company changed the Exploited status on CVE-2019-1214 and CVE-2019-1215 in an informational update on 9/11/2019. Microsoft said “previous information about the CVEs being ‘under attack’ is incorrect” and that the advisories had been updated.
Microsoft continues to adjust its software update process, releasing service stack updates for all operating systems this month. Usually these release for one or a couple of Windows editions, so for all Windows OSs to be impacted by this one is a bit out of the ordinary. A couple of things to note about Servicing Stack Updates. They are rated as Critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. They are a separate update that needs to be installed outside of the normal cumulative or security-only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot update the Windows updates on the system if the Servicing Stack update is not applied. The shortest we have seen from availability to enforcement is two months. Our guidance is to begin testing as soon as possible and plan to have these in place before November to be on the safe side. Before October would be the best case on the off-chance Microsoft enforces these changes sooner.
For September Microsoft provided the usual set of operating system and application security updates. On the operating system side, we see 29 CVEs addressed for pre-Windows 10 and 57 CVEs for the latest Windows 10 updates. There are the updates for Office and SharePoint. In keeping with their usual bi-monthly release cadence, we also saw updates for .NET; however, these updates were for 2012 and newer versions of operating systems. A critical update addressing 7 CVEs was released for all versions of Sharepoint server, so pay close attention to that one.
And finally, after a two-month break, Adobe Flash Player is back with a security update including 2 CVEs. Google Chrome has not released yet but expect it to be available either today or later this week and that it will contain many resolved CVEs.
In wrapping up this month, we do want to draw attention to some continuing ransomware trends.
Hardly a month has gone by this year without a report of ransomware attacks against state and local government systems. Our Ivanti CISO, Phil Richards, provided a blog describing and listing many of these attacks including some dangerous trends. According to Phil, “Criminals are demanding higher ransoms of these government entities. They are targeting victims specifically, striking with greater precision and timing, and demanding large sums as ransom.” Of particular interest was an attack against several public school systems in the State of Louisiana. For the first time, a cyberattack is being treated more like a natural disaster with cybersecurity experts pulled in from multiple state agencies plus Louisiana State University.
What is the state of your disaster preparedness plan (no pun intended)? Every month I talk about the importance of patching and remediating vulnerabilities, but the harsh reality is that sometimes these actions are not enough or not in time. Are you ready to respond to a cyberattack? Do you have detection, isolation, and containment resources identified? Once you have the attack under control, do you have the recovery process identified including system restore/reimage and secure data backups to bring back online? And finally, make sure you include steps to handle legal and public relations issues. It is very important everyone involved knows how information is to be shared both inside and outside your organization.