Good security always relies upon the execution of fundamental IT principles. Vulnerability patching provides fundamental defense against exploits – especially against actively attacked zero-day vulnerabilities that seem to occur every month.
If you’re not familiar with zero-day vulnerabilities, they’re simply flaws that a vendor or developer has only just learned of. Usually, that’s because attackers are already making use of the weakness.
This, in effect, means they have “zero days” to correct it before problems arise.
This month, many vendors published updates defending against vulnerabilities, while the US Cybersecurity & Infrastructure Security Agency (CISA) recommends urgent patching for several key products.
Ah, yes; the world of cybersecurity always seems to move faster than expected.
Although patch management programs protect against most vulnerabilities, severe and active exploitation of certain flaws requires teams to double-check for rogue devices, or for vulnerabilities that fall outside the scope of standard patch processes.
Let’s take a look at some of the latest issues requiring your attention, including zero-day vulnerabilities that require it now.
This week, Microsoft Windows leads the list of vulnerabilities, with an actively attacked zero-day local privilege-escalation (LPE) vulnerability that attackers use to obtain SYSTEM privileges.
The flaw is low-complexity, has no workaround, and may be exploitable without user action, yet Microsoft declined to provide additional details. They simply recommend immediate patching.
Four other critical vulnerabilities were also patched, including a ‘wormable’ or self-propagating vulnerability, among others that allow remote code execution (RCE). In total, 63 vulnerabilities were patched for Microsoft products.
That said, keep in mind that these patches are not available for the obsolete Windows 10 versions 1909 and 2004. (No, 1909 isn’t a typo; that’s simply the version, not the year.)
CISA even issued a warning and an urgent patch advisory regarding the actively exploited Microsoft vulnerability, as well as actively exploited Apple vulnerabilities.
Make sure you update yours today!
Apple Zero-Day Vulnerabilities Exploited
Although Apple products are known for their reliability, that doesn’t mean they’re completely without problem.
Recently, CISA’s Apple advisory focused on an arbitrary code execution vulnerability within the iOS and macOS kernel.
This actively exploited flaw is the eighth zero-day vulnerability in an Apple product to be found this year. Additionally, it applies to most iOS versions, from the just-released iOS 16 to older iOS versions that do not normally receive updates.
This patched vulnerability allowed attackers to gain full control over a phone, letting them install apps or extract data from other apps.
Apple also patched a similarly threatening out-of-bounds write issue earlier this month. That flaw didn’t require user action, and could be triggered to execute malicious code by a specially constructed web page.
Although Apple devices usually update automatically, you’ll need to double-check older devices that may not be actively used. Those devices might not be equipped for automatic updates, or may have them disabled outright.
Trend Micro Patch
Multinational cybersecurity firm Trend Micro joined this month’s patch releases with an urgent warning to patch an actively exploited RCE flaw in its Apex One endpoint security platform.
This vulnerability allows attackers to push unverified downloads into defended endpoints through the security platform itself.
Fortunately, this flaw requires direct access to the Apex One server administration console.
However, Trend Micro admits that at least one customer already suffered an active attempt to exploit the vulnerability. In addition to applying the patch, you’ll want to check for signs of unauthorized or unusual activity within your Apex One systems.
Chrome CISA Warning
CISA issued a separate warning for actively exploited vulnerabilities in hardware, as well as two patched flaws in Google Chrome. Version 105 of Chrome, released September 1st, patched 24 security holes. Yet, just three days later, Google released Version 105.0.5195.102 to fix an actively exploited vulnerability.
This flaw also affects Microsoft Edge. Federal agencies only have until September 29th to update their browsers to come into CISA compliance.
While most browsers should update automatically, monitor or notify users to ensure they restart their browsers to allow the update to fully install.
Other Notable Patches
While these vulnerabilities and brand names capture headlines, you can’t overlook other released patches.
- 63 security holes patched for 7 Adobe products
- Cisco security updates
- SAP security updates
- VMware security updates, including a privilege-escalation flaw
Your IT teams and patch management contracts typically cover operating systems and major software packages. However, more unusual software may require special attention or specific requests.
Comprehensive Vulnerability Control
Of course, you can always request update reports from your IT teams or service providers to check for unpatched systems throughout your environment. However, these reports will only reflect known software packages within your organization.
To ensure comprehensive vulnerability control, perform regular vulnerability scans and software/hardware discovery so that your asset and vulnerability lists stay accurate.
To protect against actively exploited zero-day vulnerabilities, you must also check for unauthorized access or activities on vulnerable devices or software that could indicate a compromised asset.
While such forensic examinations may be beyond the capabilities of average IT personnel assigned for patching, outsourced specialists can always be deployed.
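As an added illustration of reconciling an asset list against this month’s patch facts (example code written for this page, not a tool from Ideal Integrations or Blue Bastion), the script below walks a constructed inventory and flags hosts the standard patch process will miss: Windows 10 1909 and 2004 machines that no longer receive the patches, browsers still below Chrome 105.0.5195.102, and devices with automatic updates disabled. The inventory rows and hostnames are constructed sample data.

```python
"""Flag inventory entries that fall outside a standard patch process."""
from typing import Dict, List

# Windows 10 feature releases that no longer receive this month's patches (from the page)
UNSUPPORTED_WIN10 = {"1909", "2004"}
# First Chrome build carrying the fix for the actively exploited flaw (from the page)
CHROME_FIXED = "105.0.5195.102"


def version_tuple(version: str) -> tuple:
    """Turn '105.0.5195.102' into (105, 0, 5195, 102) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def chrome_outdated(installed: str) -> bool:
    """True when the installed Chrome build predates the fixed build."""
    return version_tuple(installed) < version_tuple(CHROME_FIXED)


def audit(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {hostname: [findings]} for every host that needs attention."""
    findings: Dict[str, List[str]] = {}
    for host in inventory:
        issues = []
        if host.get("os") == "Windows 10" and host.get("os_version") in UNSUPPORTED_WIN10:
            issues.append(f"Windows 10 {host['os_version']} no longer receives patches; upgrade the feature release")
        chrome = host.get("chrome")
        if chrome and chrome_outdated(chrome):
            issues.append(f"Chrome {chrome} is below {CHROME_FIXED}; update and make sure the browser restarts")
        if host.get("auto_update") == "off":
            issues.append("automatic updates disabled; patch manually or re-enable them")
        if issues:
            findings[host["host"]] = issues
    return findings


# Constructed sample inventory; hostnames and installed versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "fin-laptop-01", "os": "Windows 10", "os_version": "21H2", "chrome": "105.0.5195.102", "auto_update": "on"},
    {"host": "kiosk-07", "os": "Windows 10", "os_version": "1909", "chrome": "105.0.5195.52", "auto_update": "on"},
    {"host": "old-ipad", "os": "iOS", "os_version": "12.5.5", "auto_update": "off"},
]

if __name__ == "__main__":
    for hostname, issues in audit(SAMPLE_INVENTORY).items():
        print(hostname)
        for issue in issues:
            print("  -", issue)
```

The same check applies to Edge, since the page notes the Chrome flaw affects it too; feed Edge builds through a second fixed-version constant once your vendor report lists one.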
To obtain short or long-term assistance developing comprehensive vulnerability controls, Ideal Integrations, in conjunction with cybersecurity division Blue Bastion, can help.
Simply contact us at 412-349-6680, or fill out the form below, and our experts will provide a no-obligation overview of options and solutions for vulnerability detection, asset discovery, and patching programs.