SANS NewsBites

Get Busy Patching Everything Windows and Mitigating One Serious Flaw With No Patch; SonicWall and Fortinet Products Have Critical Flaws That Require Immediate Patching

July 14, 2023  |  Volume XXV - Issue #55

Top of the News


2023-07-12

Microsoft’s Patch Tuesday for July

On Tuesday, July 11, Microsoft released updates to address more than 130 security issues for its products including Windows, Office, .NET and Visual Studio, Azure Active Directory and DevOps, Dynamics, printer drivers, Microsoft DNS Server, and Remote Desktop. Of those vulnerabilities, nine are rated critical, and several are being actively exploited.

Editor's Note

Nine of the updates are rated as critical, six of which are being actively exploited in the wild. Realistically, it's long past cherry-picking which updates to apply. Focus instead on rapid deployment to commodity systems and regression testing for mission impact systems, reserving a small interval for patches which are pulled back or updated.

Lee Neely

I am somewhat alarmed by the number of patches this month and the breadth of how many products. There are a lot of RCEs in this one, and one is related to Azure AD, which is interesting. How much testing is this going to require? I’ll leave it at that; we are not writing less code. More code, more likelihood of bugs.

Moses Frost

Back in 2021, there were several months where Microsoft had to release patches for over 100 security issues. While it would be great to see a long-term trend of fewer flaws in production software, we really are not yet near hitting the knee in that curve – as evidenced by the number of times browsers update themselves, how frequently cloud services are updated, and all the vulnerabilities being found now in security products. Just like fleet owners have to forever budget and plan for maintenance, repair and down time, the same is going to be true for software for a long time to come.

John Pescatore

An above average patch Tuesday for Microsoft. If you haven’t done so already, prioritize patching of the actively exploited vulnerabilities first, followed by the remainder of the critical vulnerabilities. As always, review Microsoft advisories for additional mitigation details.

Curtis Dukes

The number of patches per unit time is a useful measure of software quality. It is also a measure of the developer's ability to find vulnerabilities. One would expect the number to go down over time. It is not. Moreover, patching is a very expensive way to achieve quality. We are doing something wrong.

William Hugh Murray

2023-07-12

Microsoft is Investigating Report of Windows and Office Zero-days (CVE-2023-36884)

Microsoft is investigating reports of unpatched remote code execution vulnerabilities in Windows and Office. To exploit the flaws, an attacker would need to convince the user to open a maliciously-crafted file. In a blog post, Microsoft Threat Intelligence says it “has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884.”


2023-07-12

Microsoft: Hackers Used Stolen Cryptographic Key to Access US Government Agency eMail Systems

Microsoft has disclosed that Storm-0558, a hacker group with ties to China, used a stolen cryptographic key to access Outlook email systems at US government agencies and other organizations. In a June 12 cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) writes that an unnamed Federal Civilian Executive Branch (FCEB) agency detected anomalous activity in its M365 cloud environment and reported the issue to Microsoft. The company has taken steps to prevent the threat actors from accessing email systems with forged authentication tokens.

Read more in

Microsoft: Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

Microsoft: Mitigation for China-Based Threat Actor Activity

CISA: Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

Wired: How a Cloud Flaw Gave Chinese Spies a Key to Microsoft’s Kingdom

SC Magazine: Microsoft blocks attack on cloud email accounts by Chinese APT group

Dark Reading: Chinese APT Cracks Microsoft Outlook Emails at 25 Government Agencies

Bleeping Computer: Microsoft: Chinese hackers breached US govt Exchange email accounts

Security Week: Chinese Cyberspies Used Forged Authentication Tokens to Hack Government Emails

Nextgov: State Department email accounts hit in China-linked cyberattack

Geekwire: Microsoft faces new scrutiny after Chinese hackers infiltrate U.S. government via Exchange Online


2023-07-13

SonicWall: Patch GMS and Analytics Products

SonicWall has released fixes for 15 security issues in its Global Management System (GMS) and Analytics products. SonicWall urges users to apply the updates; there are no workarounds or temporary mitigations.


2023-07-12

Fortinet Discloses Critical Flaw in FortiOS and FortiProxy

Fortinet has disclosed a critical stack-based buffer overflow vulnerability in its FortiOS and FortiProxy products. The flaw could be exploited to “allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.” Fortinet has made updates available to address the issue. If users are unable to update right away, Fortinet recommends “disabl[ing] HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.”
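As an added illustration, not taken from the newsletter or from Fortinet's advisory text: the temporary mitigation amounts to limiting the ALPN protocols an SSL inspection profile will negotiate to HTTP/1.1, so HTTP/2 traffic never reaches the affected proxy code path. The profile name custom-deep-inspection is an assumption; repeat the change for every profile referenced by a proxy-mode policy and confirm the exact setting against the vendor advisory for your firmware version.

```text
# FortiOS CLI (assumed setting; verify on your firmware version)
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        # only advertise HTTP/1.1 during ALPN, which disables HTTP/2
        # through this inspection profile until the fix is installed
        set supported-alpn http1-1
    next
end
```

After upgrading to a fixed release, the setting can be returned to its previous value so HTTP/2 inspection resumes.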

The Rest of the Week's News


2023-07-12

Chainalysis: Crypto-Related Crime is Down, Except for Ransomware

According to a report from Chainalysis, cryptocurrency-related crime is on a downswing, but ransomware is on the rise. Inflows from multiple forms of cryptocurrency-related crime, such as hacking and other malware, darknet markets, fraud shops, and scams, are all down from the same time last year. Only ransomware saw an increase in revenue. Cryptocurrency wallets tied to ransomware groups have seen an inflow of nearly $450 million, approximately $176 million more than the same time last year.

Editor's Note

I’m going to skew a bit old here, but I’m pretty sure tulip-related crime saw a similar downswing after the tulip bubble burst in 1637. The values of virtual currencies and the valuations of startups that were based on use of virtual currencies have plummeted and criminal use has dropped – except for ransomware! Still need to prioritize moving to 2FA to defeat phishing and continuing security awareness and education to maintain low scam click rates.

John Pescatore

No surprise here: ransomware continues to be lucrative. Even though many resources have decryption keys available for free, the ransom still gets paid, particularly when coupled with threats to sell exfiltrated data. The drop in cryptocurrency crime seems to be tied to two large scale scams: VidiLook and Chia Tai Tianqing Pharmaceutical Financial Management seemingly calling it quits. Both of these were investment scams, promising crazy returns, reminiscent of old scams involving fiat currency. Beyond just social engineering awareness, users investing in crypto need to do their homework.

Lee Neely

The success of ransomware suggests that, both collectively and individually, the cost of attack against our systems is much lower than the value of success of the attack. Fortunately for us the measures that we need to implement to raise the cost of attack, e.g., strong authentication, structured networks, are efficient. At least collectively and over time, they will reduce the cost of losses many times their cost of implementation. Get on with it.

William Hugh Murray

2023-07-13

Apple Re-Releases RSRs for Actively Exploited WebKit Vulnerability

Apple has re-released problematic Rapid Security Response (RSR) updates that it pulled earlier this week after reports of some websites not displaying properly after the updates were installed. The original RSR updates were released on Monday, July 10 to address a WebKit vulnerability that is being actively exploited. On Wednesday, July 12, Apple released macOS Ventura 13.4.1 (c), iOS 16.5.1 (c) and iPadOS 16.5.1 (c), all of which address the WebKit vulnerability (CVE-2023-37450) and fix the website display issue.


2023-07-13

Rockwell Automation Released Firmware Updates to Fix ControlLogix Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an industrial control systems (ICS) advisory warning of two vulnerabilities affecting certain Rockwell Automation ControlLogix EtherNet/IP communication modules. Both are out-of-bounds write vulnerabilities and could allow attackers to attain remote access to running memory of vulnerable modules. Rockwell has released firmware patches to address the flaws.


2023-07-13

US National Cybersecurity Strategy Implementation Plan

The White House has released the US National Cybersecurity Strategy Implementation Plan (NCSIP). The National Cybersecurity Strategy was published in March of this year. The plan is to update the guidance annually to reflect the changing threat landscape. NCSIP includes dozens of initiatives, each with its own strategic objective, timeline, and designated agency responsible for leading the initiative with other stakeholders.


2023-07-13

AIOS WordPress Plugin Update Fixes Plaintext Password-Logging Vulnerability

All-in-One Security (AIOS) has released an update to fix a vulnerability in its WordPress plugin. Several weeks ago, a user discovered that the AIOS plugin was logging plaintext passwords and storing them in a database accessible to website admins. The flaw was introduced in May of this year with version 5.1.9. AIOS released version 5.2.0 on Thursday. The plugin has more than one million installations.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/July+2023+Microsoft+Patch+Update/30018

https://blog.talosintelligence.com/old-certificate-new-signature/

Loader Activity For Formbook "QM18"

https://isc.sans.edu/diary/Loader+activity+for+Formbook+QM18/30020

DShield Honeypot Maintenance and Data Retention

https://isc.sans.edu/diary/DShield+Honeypot+Maintenance+and+Data+Retention/30024

Apple Re-Releases Rapid Security Update for iOS/MacOS

https://support.apple.com/HT201224

Apple Withdraws Rapid Security Response Update

https://support.apple.com/en-us/HT213827

Adobe Patches

https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

FortiOS/FortiProxy Stack Based Overflow

https://www.fortiguard.com/psirt/FG-IR-23-183

Citrix Secure Access Client for Ubuntu

https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492

SonicWall Updates

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a

PoC Exploit: Fake Proof of Concept with Backdoor Malware

https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware

GhostScript CVE-2023-36664 PoC Exploit

https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability