Microsoft Patch Tuesday Fixes Nearly 120 Vulnerabilities; Mozilla Fixes Critical Flaw in Firefox; Microsoft: Cyberthreats are Compounded at Educational Institutions

Microsoft also released patches for Office, Azure, .Net, OpenSSH for Windows, Power BI, Windows Hyper-V, Mobile Broadband and Visual Studio. In addition to Microsoft's updates, make sure to also deploy the updates to Chrome/Chromium as well as the macOS 15.0.1 update which corrected the flaw affecting security tools on that platform.

Lee Neely

CVE-2024-9680 has a CVSS score of 9.8. Your standard Firefox deployments have likely already downloaded the update and just need a restart. You'll need to push the updated ESR. Not a bad time to see if you're ready to move from ESR 115 to 128 as your users are likely getting some old/unsupported browser warnings.

Lee Neely

Use-after-free vulnerabilities often point to poor secure software development practices by developers. What's interesting though is that Firefox has been relatively vulnerability-free these past few years, which speaks to good developer practices. Bottom line: if you're a Firefox user, simply restart your browser to get the latest update.

Curtis Dukes

Historically, universities have had a security model designed to enhance seamless collaboration and data exchange, often with a security line around their "business" systems. In addition, education environments have a significant proportion of BYOD devices accessing and processing data. In short, the call is to make current security practices and awareness pervasive across the board. On a positive note, with all the attacks against them, schools are starting to implement their own SOC, often manned by students, which not only helps with the institution's security response, but also provides hands-on training for those entering the workforce.

Lee Neely

The article isn't surprising, at least not to cybersecurity professionals and the education sector. Let's cut to the chase: implement a cybersecurity program using a well-established framework like NIST CSF, ISO 27001, or CIS Critical Security Controls, and actively monitor your enterprise.

Curtis Dukes

During the Clinton administration, Dick Clarke, who was then the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the National Security Council, told an audience of 25 college and university presidents that 75 percent of attack traffic could be traced back to open systems on their network and that if they did not fix it the government would. To their credit, the leadership of EDUCAUSE, and the example set by Stan Gatewood at both USC and Georgia, colleges and universities now have closed networks. They may still be targets but at least they are no longer tools of the rogues.

William Hugh Murray

There is a lot of 'nothing was being done that can't be done on non-AI search engines,' and 'we banned the bad actor accounts' and very little on 'we built safeguards in to prevent/make this harder the next bad actor.' This is very much like the early days of signature-based antiviral and IP address blocking for web security, which always remained reactive and could never keep up with threats.

John Pescatore

AI can be used to more rapidly detect untoward behavior as well as improve the efficiencies of creating that behavior. The trick is how to incorporate the mechanisms OpenAI has developed to detect malfeasance into other AI deployments to help us stay ahead of risks, ideally also helping us provide better tools to detect crafted/targeted information.

Lee Neely

The report makes me wonder what operations by sophisticated actors went undetected. Don't get me wrong, it clearly shows that bad people are using generative AI for malicious purposes, but is that surprising to security professionals? The one positive: as the adversary continues to use genAI tools, the vendors learn and hopefully build better safeguards in their product.

Curtis Dukes

Skynet is still not self-aware, even though it's well past August 29, 1997. Point being that we're still going to be guiding and controlling our use of AI, keeping a hand on the tiller, using our judgement. We know AI accelerates and simplifies many tasks to date, such as creating code or writing a report, and we still need to review that code or writing to ensure it's what we think it is.

Lee Neely

It's the people. AI does not relieve the users, both individuals and institutions, of the responsibility for the purpose to which the computer is put and all the properties of the results.

William Hugh Murray

Since Fidelity has over 50M customers this is a good example of how reducing time to detect (along with time to mitigate) can reduce the overall cost of an incident.

John Pescatore

Two data breaches in the past six months indicates that Fidelity needs to conduct a complete review of its cybersecurity program. The focus of the review should be on security controls and data retention policies used by third party service providers.

Curtis Dukes

While this only affects around 77,000 customers, knowing that doesn't help much if you're a Fidelity customer. Although Fidelity is keeping details close, they are stating customer information was accessed, not customer accounts. Fidelity sent breach notification letters offering 24 months of credit monitoring and identity restoration service to affected customers. While this sorts itself, make sure that your individual Fidelity account has a strong password with multi-factor authentication enabled and review your account for any suspicious activity regularly. At the corporate level, make sure you are following current security best practices.

Lee Neely

Australia has a goal of becoming a leader in cybersecurity by 2030. This bill, which involved input from a wide range of industry experts, is a framework aligned with that goal. The bill includes both requirements and consequences for security, e.g., devices not meeting security standards will effectively be disqualified from sale in Australia. The trick will be to balance regulatory requirements with funding to help not only implement the needed regulatory state regulatory bodies, but also to facilitate businesses meeting the expected standards.

Lee Neely

CVE-2024-43047, CVSS score of 7.8, affects the FASTPRC driver. Due to the known exploits, this is listed in the NIST KEV with a due date of October 29th. The thing is these are embedded chipsets. Qualcomm has provided updates to OEMs, now they need to push the updates to our devices. Keep an eye out for out-of-band updates and make sure they get applied.

Lee Neely

Once again the FTC is telling a business to get their security program in order. This goes back to breaches in 2015 and 2014, including a four-year compromise of the Starwood web servers which was not detected until 2018. Marriott needs to implement mandatory training, multi-factor authentication, and monitoring, and to follow more stringent reporting of future breaches as well as data minimization practices to reduce the impact of future breaches. Not a bad idea to make sure you're not over-collecting PII, that it is well protected, and that you're only storing it for the minimum possible time.

Lee Neely

Three comments: 1) Marriott International failed in its cybersecurity responsibilities and should be held accountable as they are with this consent order. 2) It is highly likely that Marriott International already has an information security (err cybersecurity) program. As such, they would benefit from reviewing the CIS 'Guide to Defining Reasonable Cybersecurity.' And 3) Is the biennial third-party assessment really of much value? In other words, should Marriott International suffer another breach any time within the next five years, they will be held accountable regardless of the assessment results. Perhaps put that money towards tools and training of the workforce.

Curtis Dukes

Not a good day for the Internet Archive. Related or otherwise, the breach plus DDoS attack is a frustrating one-two punch. While most of us don't have 31 million user accounts, we need to make sure those accounts are all still active/needed, as well as reviewing our security settings and anti-DDoS provisions. While you're automating your checks, don't forget processes to make sure you're following current security standards as well as incorporating current and emerging threats.

Lee Neely