SANS NewsBites

Microsoft Patch Tuesday; CISA Frees Next-Gen Analysis System; Critical Windows Issue Affecting Rust and Others; Help Us Improve NewsBites

April 12, 2024  |  Volume XXVI - Issue #29

Top of the News


2024-04-10

Patch Tuesday: Microsoft

On Tuesday, April 9, Microsoft released its monthly security update, which addresses nearly 150 CVEs. Three of the vulnerabilities are rated critical; all three are remote code execution flaws affecting Microsoft Defender for IoT. A fourth flaw, a proxy driver spoofing vulnerability, was previously disclosed and has been actively exploited.

Editor's Note

This patch Tuesday was a bit odd. Many of the vulnerabilities are caused by a small number of components, and the only product affected by critical vulnerabilities is Defender for IoT. The already exploited vulnerability is a driver certificate that was abused and is being revoked with this update.

Johannes Ullrich

The glass half full of this record number of flaws found in Windows would be that Microsoft's recognition of lack of attention to security that was exposed last year has resulted in more investment in testing/finding/removing vulnerabilities. However, it will take several months of decreasing patch count, and faster releases of patches, to show that the glass is not still half empty. Also see the Adobe Patch item today.

John Pescatore

There are around 40 RCE patches for MS OLE driver for SQL Server and seven RCE fixes for their DNS server. As much as OLE is a fact of life, you want those updates deployed. Even though MS states you effectively need a perfect storm of events to exploit the DNS flaws, that service is critical enough to warrant deploying the patches rather than skipping or postponing until something happens.

Lee Neely

2024-04-10

CISA Releases its Malware Next-Gen Analysis System for Public Use

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a version of its Malware Next-Gen malware analysis system for public use. Until now, Malware Next-Gen was available only to federal agencies. Organizations and individuals may now submit malware samples and other suspicious artifacts for analysis after registering with a login.gov account. There is a portal for unregistered users if organizations or people want to submit samples anonymously, but they will not receive the results of the analysis.

Editor's Note

This free service has been available to .gov and .mil users since November and has been very successful. Don't miss out on the analysis results by submitting anonymously; that is the payout. Registration for a Login.gov account only takes 5-10 minutes, and if you already have one you can use it.

Lee Neely

2024-04-10

Update Available for Critical Flaw in Rust

A critical vulnerability in Rust versions prior to 1.77.2 could be exploited to execute arbitrary shell commands on Windows machines. The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. Rust is urging users/developers to upgrade to Rust 1.77.2, in which the vulnerability is mitigated.

Editor's Note

This vulnerability affects several languages, not just Rust. Rust was just the first to offer a patch. The underlying problem affects languages allowing the execution of Windows commands via cmd.exe. Command line arguments are not always escaped properly, leading to OS command injection. The vulnerability has been named "BatBadBut", and details can be found here: https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Johannes Ullrich
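The defect described above is that arguments handed to a .bat or .cmd file travel through cmd.exe, whose quoting and `%VAR%` expansion rules differ from the CreateProcess rules the Command API otherwise follows. The following added example (not code from the Rust project or from the BatBadBut write-up) shows the conservative application-level control a defender can put in front of `Command` regardless of toolchain version: detect when the program is a batch file and refuse, rather than attempt to escape, any argument that falls outside a narrow allowlist. The allowlist itself and the function names (`is_batch_file`, `is_safe_batch_arg`, `build_command`) are this example's own assumptions; it builds the `Command` without spawning it, so it runs on any platform, and it returns `InvalidInput` in the same spirit as the 1.77.2 standard library does for arguments it cannot escape.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// Allowlist for arguments handed to a .bat/.cmd script (an assumption of this
/// example, not a rule from the Rust project). Anything outside it is refused
/// instead of escaped: cmd.exe has several interacting rules (double quotes,
/// `%VAR%` expansion, `^` escapes, CR/LF handling) that are easy to get wrong.
fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg.chars().all(|c| {
            c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | ' ' | ':' | '\\' | '/')
        })
}

/// True when `program` names a batch file, i.e. something the Command API on
/// Windows runs through cmd.exe rather than via CreateProcess directly.
fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Build (but do not spawn) a Command. For batch files every argument must pass
/// the allowlist, otherwise an InvalidInput error is returned. Arguments to
/// non-batch programs are passed through unchanged, since they do not go
/// through cmd.exe.
fn build_command(program: &str, args: &[&str]) -> io::Result<Command> {
    if is_batch_file(program) {
        if let Some(bad) = args.iter().find(|a| !is_safe_batch_arg(a)) {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("refusing to pass argument {bad:?} to batch file {program}"),
            ));
        }
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample inputs for illustration only.
    let accepted = build_command("deploy.bat", &["release-1.2", "C:\\builds\\out"]);
    println!("plain arguments accepted: {}", accepted.is_ok());

    // A cmd.exe metacharacter and a %VAR% reference are both refused for a batch file ...
    for arg in ["build&other", "%PATH%"] {
        match build_command("deploy.bat", &[arg]) {
            Ok(_) => println!("{arg}: accepted"),
            Err(e) => println!("{arg}: rejected ({})", e.kind() as u8 == io::ErrorKind::InvalidInput as u8),
        }
    }

    // ... but the same argument to an .exe does not involve cmd.exe and is passed through.
    println!("exe passthrough: {}", build_command("tool.exe", &["build&other"]).is_ok());
}
```

The check is deliberately stricter than a full escaper: an allowlist stays correct even if cmd.exe's parsing has corner cases the author did not anticipate, which is exactly the class of problem the advisory describes.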

2024-04-12

Help Us Improve NewsBites

Please take 3 minutes to give us your suggestions.

The Rest of the Week's News


2024-04-09

Patch Tuesday: Adobe

Adobe has released nine updates to address 24 CVEs. The updates include fixes for a pair of critical arbitrary code execution vulnerabilities in Adobe Commerce; a dozen vulnerabilities in Adobe Experience Manager, all rated important; a critical buffer overflow vulnerability in Adobe Media Encoder; four vulnerabilities in Adobe Illustrator, including three critical arbitrary code execution flaws; and four vulnerabilities in Adobe Animate, including two critical arbitrary code execution flaws.

Editor's Note

The Adobe Commerce vulnerabilities deserve some attention and likely expedited patching. Similar issues were widely exploited in the past.

Johannes Ullrich

Users with the Creative Cloud desktop app should have updates automatically downloaded. Even so, make sure they have been applied and applications restarted.

Lee Neely

2024-04-11

CISA Publishes Alert About Sisense Supply Chain Attack

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity alert regarding a supply chain attack affecting data analytics company Sisense. The incident compromised Sisense customer information. CISA is urging Sisense customers to reset Sisense account-related secrets and credentials, and to investigate and report to CISA any related suspicious activity.

Editor's Note

Not a bad idea to add resetting/updating credentials associated with third party service providers after they suffer a breach. Note that you want to do that after they give the all clear, and likely disconnect or discontinue using their services between the notification of an incident and that point. This is another example of a joint tabletop exercise you could leverage.

Lee Neely

Not a lot of details (ok, any) on the compromise, but given the technology space where Sisense sits, could put lots of sensitive customer data into play. Rotating logon credentials is an easy first step that can help identify compromised accounts.

Curtis Dukes

2024-04-11

Wisconsin Healthcare Provider Discloses Ransomware Attack

The Group Health Cooperative of South Central Wisconsin (GHC-SCW) says that it suffered a ransomware attack in January. While the IT department managed to prevent GHC-SCW's data from becoming encrypted, the threat actors stole personal information belonging to more than 533,000 individuals. The incident has been reported to the US Department of Health and Human Services Office for Civil Rights.

Editor's Note

A good reminder that while using the term ransomware attack increases click rates, the confidentiality and integrity of data gets breached, not just the availability; it is the failure to protect the data that is important. But we never took bronchitis that seriously until it got the scary and hard-to-pronounce name Respiratory Syncytial Virus (RSV) a few years ago; use the scary terms to get management attention, but address the cause of the problem, not the hype.

John Pescatore

Even though no evidence is shown of the data being posted or used, GHC-SCW is advising users to monitor all communications from healthcare providers, including electronic messages, billing statements and other communications and report any suspicious activity to them immediately. Health data stolen during the January ransomware attack includes affected individuals' names, addresses, telephone numbers, e-mail addresses, dates of birth and/or deaths, social security numbers, member numbers, and Medicare and/or Medicaid numbers.

Lee Neely

2024-04-10

Risky Business: Google Workspace and Multi-Party Approvals

Google is implementing multi-party approvals for some sensitive actions initiated by admins in Workspace. The requirement will apply to changes made to certain settings, including 2-step verification, account recovery, advanced protection, Google session control, login challenges, and passkeys, which is currently in beta. The change will help ensure no sensitive action happens in a silo, and prevent unauthorized or accidental changes.

Editor's Note

Ah, the tried and still true two-person rule for anything related to authentication and authorization! Given the use of AI to create fake audio and video, also throw in an out of band safe word so Party 1 and Party 2 can make sure Party 3 hasn't crashed the party.

John Pescatore

Multi-party controls are a powerful tool for mitigating the risk of privilege. They have all but been abandoned in the move from paper.

William Hugh Murray

2024-04-11

CISA Emergency Directive: Protect Microsoft Accounts From Compromise

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Emergency Directive regarding Microsoft account security. In the document, CISA directs federal agencies to take steps to remediate tokens, passwords, and other authentication credentials that have been or are suspected to be compromised. Agencies have until April 30 to reset application credentials and identify affected email correspondence.

Editor's Note

These measures are urgent. Do not interpret the fact that the directive is not addressed to you as excluding you. Do not interpret the deadline as license to delay until it.

William Hugh Murray

The guidance here is simple and worth considering for any outsourced email or cloud services. In short, update any suspect credentials (user, API, or otherwise), deactivate/delete unused, look for unexpected account creation. We should all be keeping an eye on those things. Check your issued access tokens for really old ones and get those updated. If you have services to check for compromised passwords, make sure they are enabled/working. Now get strong MFA deployed. Note that a bad password, coupled with MFA, still needs resolution.

Lee Neely

It's been a horrible few months for Microsoft and the bad news continues. Unfortunately, this comes with the territory of being the largest provider of IT products to government, both federal and state. The directive does highlight the importance of actively managing authentication credentials for signs of compromise.

Curtis Dukes

2024-04-09

CISA, FBI Urge Election Offices to Adopt .gov Domains

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are urging US state, local, tribal, and territorial government election offices to move their websites to .gov domains. Adoption of the .gov domain can help mitigate impersonation and other cybersecurity risks. CISA administers the .gov top-level domain (TLD) and has waived registration fees for qualifying government organizations.

Editor's Note

There is a lot more rigor to getting a .gov domain approved to ensure they are legitimate, making impersonation and squatting far more difficult, which helps your users. Resist the temptation for an outsourced service to create a non-gov domain for your services for the same reasons.

Lee Neely

This capability has been available for a few years and frankly is a no-brainer for SLTTs to adopt. Yes, there will be some one-time transition costs, but the security protections are well worth the small investment and there are federal grants available.

Curtis Dukes

2024-04-11

Public Comment Period Open on NIST Cybersecurity Risk Management Doc

The US National Institute of Standards and Technology (NIST) is accepting public comment on a draft document, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. The publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by the NIST Cybersecurity Framework (CSF) 2.0. The comment period ends on May 20, 2024.

Editor's Note

Having a guide like this is a huge help if you're trying to implement or evaluate your incident response plans. Most importantly, NIST is striving to get companies to get common response scenarios documented, as they are needed in emergency response situations.

Lee Neely

2024-04-11

French Towns Suffer Cyberattack on Shared Servers

Governments of five municipalities in western France have been hit by a cyberattack. The local governments of the five towns (Saint-Nazaire, Montoir-de-Bretagne, Donges, La Chapelle-des-Marais, and Pornichet) share servers. Officials say it may be months before service is restored. The attack began on Tuesday, April 9.

Editor's Note

On Wednesday, employees were told not to turn on their computers or access email via their phones. Email and phone services are down, and officials do not have access to their workspaces, files or business software. This is an all hands on deck situation, with twice daily updates/meetings on progress, where everyone is pulling together to restore services. This will be a good study in cross-jurisdictional incident response worth studying for applicability.

Lee Neely

Small towns simply lack cybersecurity resources, human and financial, to build and maintain an effective cybersecurity program. They become easy pickings for cyber criminals to attack, most often for ransom.

Curtis Dukes

Internet Storm Center Tech Corner

Microsoft Patches

https://isc.sans.edu/diary/April+2024+Microsoft+Patch+Tuesday+Summary/30822

Rust Command API code execution vulnerability CVE-2024-24576

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

Adobe Updates: Magento / Adobe Commerce CVE-2024-20759, CVE-2024-20758

https://helpx.adobe.com/security/products/magento/apsb24-18.html

https://helpx.adobe.com/security.html

Fortinet FortiOS And FortiProxy Vulnerability CVE-2023-41677

https://www.fortiguard.com/psirt/FG-IR-23-493

FortiClient Linux Remote Code Execution

https://www.fortiguard.com/psirt/FG-IR-23-087

BatBadBut: You can't securely execute commands on Windows

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Apple Threat Notifications and Protecting Against Mercenary Spyware

https://support.apple.com/en-us/102174

New Technique to Trick Developers Detected in an Open Source Supply Chain Attack

https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/

Smoke and Screen Mirrors: Signed Backdoor CVE-2024-26234

https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/

D-Link NAS Backdoor

https://github.com/netsecfish/dlink

LG SmartTV Vulnerabilities

https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

Wait Just an Infosec: The Amazingly Scary XZ SSHD Backdoor (April 4, 2024)

with Johannes Ullrich and Bojan Zdrnja

https://www.youtube.com/watch?v=HTNKS3tw3xk