Eskenzi PR Eskenzi PR
  • About Us
Tuesday, 20 April, 2021
IT Security Guru
Eskenzi PR
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Patch Tuesday forecast and top tips for November

by The Gurus
June 16, 2020
in Opinions & Analysis
padlock
Share on FacebookShare on Twitter

Since October Patch Tuesday there has been a lot of activity. Oracle released their quarterly CPU including an update for Java JRE, Adobe resolved a Zero Day in Flash Player, a new form of attack call “Atombombing” was identified by a security researcher, and there is some rising discussion around the Server 2016 servicing model.
On the Horizon
Actually more of a continuation from last month. On October 17th Oracle released their quarterly CPU including an update for Java JRE resolving seven vulnerabilities. All seven are remotely executable without the need for authentication and three of these have a CVSS score of 9.6. Java was actually on the lower end of total vulnerabilities addressed in an individual Oracle product for this CPU.  Ensure to include this update in your November testing if you have not already deployed it out.
Later in the month Adobe released a Critical Update for Flash Player resolving a Zero Day vulnerability (CVE-2016-7855). On October 26th Adobe released the update for Flash Player (APSB16-36) which started the clock for all the other vendors using the Adobe Flash Plug-In. When a Flash update occurs the plug-ins for Internet Explorer, Firefox, and Chrome also need to be updated.
Firefox uses the NPAPI version of Flash which was also released on the 26th.  The update for Flash for IE (MS16-128) released on October 27th plugging the Flash vulnerability. Google Chrome has two install options for Flash, one which relies on Chrome updating.  If you are using the Pepper Plug-In it was released on October 26th.  If you are using the traditional plug-in, this requires Google Chrome to be updated which occurred on November 1st.
In October, Microsoft changed their servicing model for pre-Windows 10 systems. I covered this extensively in a previous blog post, but there is a little ambiguity with Server 2016’s servicing model options. In a blog post from Microsoft they talk about a Security Only and a Security Quality option each month. This statement specifically caused several people to ask me some questions about how exactly Microsoft is handling updates on Server 2016.
“You can then have the flexibility to choose the security only update, or the quality update to build your patch management strategy around.”
The reality right now is Server 2016 updates are exactly like Windows 10. Cumulative bundles that include all updates that came before.  It will be interesting to see if a Security Only option does make itself available in November or sometime in the near future.  I expect a number of Microsoft customers would appreciate Security Only as an option for Server 2016.
Patch Management Tip of the Month
Exceptions: You can never push all patches. There is always an update that will conflict with business critical apps which cause exceptions. Documenting these exceptions and the reason they occurred is very important, but documenting an exception is just the beginning.
With each exception you are increasing risk. Each exception is an exposure that will potentially allow malware or ransomware into your environment or allows a threat actor to gain a foothold or move closer to proprietary information or user data.  With an exception you should also identify mitigating steps to reduce the risk. This may come in many forms, but here are some examples:

  • Least Privilege Rules will often mitigate the impact if an attacker is able to exploit a vulnerability. If you take a look at our Patch Tuesday infographics on our Patch Tuesday page you will see a column labeled “Privilege Management Mitigates Impact”.  These vulnerabilities will only gain the attacker equal rights as the user who is exploited.  If they are a full Administrator the attacker gains pretty much full access to the system. If they are running reduced privileges then the attacker must use an escalation of privilege vulnerability to gain sufficient permissions to do more.
  • Application Control will allow you to control what applications can be installed or run on a system and can effectively block most malware, ransomware, and other forms of attack. Application control can take many forms like Whitelisting or Blacklisting. These would be static application controls. More dynamic forms would include Trusted Ownership or Trusted Vendor rules. These are significantly easier to implement and maintain and also allow you to more easily rollout an effective Application Control Policy. The dynamic approaches are less commonly found, but we have a solution that can help there.
  • Containerization can effectively contain the more highly vulnerable user experiences like browsing the web and accessing email. Anything that occurs during these user experiences happens in a virtual container. If you have an exception on the system that is exposed by a phishing attack or drive by download the malicious payload whether a malvertising attack, ransomware, or some other form of malware would execute in the container and be separated from the physical system. Close the container (Browser or email, etc) and the threat goes away.

There are many other strategies to reduce exceptions from exposing too much risk like moving the sensitive application into a virtual environment and locking down access to that system to only require users, but this gives you some ideas. With every exception we recommend documenting the reason why it was made and the additional steps taken to reduce risk to the system.
Your Patch Tuesday Forecast
We are less than a week away from Patch Tuesday and as you can see there is a significant buildup of issues to deal with already. I would forecast that the 3rd party front is going to be lighter than normal for Patch Tuesday and we can expect an average workload from Microsoft on the order of ten or so bulletins total being released.
As always, join us for our Monthly Patch Tuesday Webinar next Wednesday November 9th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.
By Chris Goettl, Program Product Manager/Product Owner at LANDESK Software

0 0 vote
Article Rating
FacebookTweetLinkedIn
Tags: Microsoftpatch tuesday
ShareTweetShare
Previous Post

Threat Intelligence Overload: Ponemon Report Says 70 Percent of Organisations Swamped by Cyber threat Data

Next Post

Citibank Phishing Scam on the rise

Subscribe
Notify of
guest
guest
0 Comments
Inline Feedbacks
View all comments

Recent News

AT&T Cybersecurity Launches New Managed Endpoint Security Solution with SentinelOne

AT&T Cybersecurity Launches New Managed Endpoint Security Solution with SentinelOne

April 19, 2021
Dominos pizza

Domino’s India suffers data breach

April 19, 2021
whatsapp icon

Vulnerabilities found in older version of WhatsApp

April 19, 2021
Data Breach Cyber attack code

University of Hertfordshire suffers system outage due to cyberattack 

April 15, 2021

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

More information
wpDiscuz
0
0
Would love your thoughts, please comment.x
()
x
| Reply
Privacy Settings / PENDINGGDPR Compliance

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Accept