Last week, Microsoft released their monthly patches to plug security holes and other bugs in their systems. As always, we need to pay attention to these patches because attackers immediately begin targeting these flaws.
There are many reasons why we don’t install patches right away. Some remote users may have their machines turned off, and some organizations need to test for compatibility with legacy software systems prior to updates.
Unfortunately, there are also some who simply don’t have the capacity to keep up with patching due to a lack of manpower or simply because other projects have priority. Regardless of the reason, researchers note that 15% of systems remain unpatched after 30 days even though the industry standard is 72 hours!
For those using Ideal Integrations’ service to update their patches, we may already have your systems updated by the time you see this column. For those who need assistance catching up, don’t hesitate to call us at 412-349-6680 or fill out the form below.
Meanwhile, this week we’ll provide a brief overview of the patches from various vendors and discuss an important development: Microsoft is about to start forcing Windows 10 updates.
Windows 10, Version 1903 End of Service
Last week, Microsoft not only announced end of life for Windows 10, version 1903, but also confirmed that it will start forcing upgrades to Windows 10 1909 in December 2020. Version 1903, originally released in May 2019, will reach end of life on December 8, 2020 for all users from Home to IoT Enterprise.
This forced update will likely be followed by a forced update in May 2021 when Windows 10 1909 ends its support. Microsoft advocates the forced updates to eliminate security holes on obsolete operating systems, but for those organizations that have legacy system issues, the updates could prove problematic.
Organizations should consider upgrading users to Version 2004 or 20H2 (even if it is not fully available now) – while they can still fully control the process and the consequences.
Microsoft November Patches
November’s patches are modest in number and severity with only 17 of the 112 fixed issues rated critical. Interestingly, the most critical bug to fix, CVE-2020-17087, is only rated as “important” despite active exploitation!
CVE-2020-17087 is a privilege escalation flaw in the Windows kernel that only rates important because it cannot be executed directly. This vulnerability can only be exploited by an adversary that has already compromised the endpoint.
However, Google researchers noted that a flaw in their browser was used in conjunction with CVE-2020-17087 to quickly compromise machines, so they released an update for their Chrome browser to address this flaw and another zero-day exploit.
This month’s patches also include 22 updates for 7 different Office products, including a fix for a Remote Code Execution (RCE) bug within Microsoft SharePoint, CVE-2020-17061. Other issues addressed by this update include RCE vulnerabilities in Excel, spoofing vulnerabilities in Word, and security feature bypass vulnerabilities in both Excel and Word.
Patches from Google, Intel, and More
Google’s latest Chrome patch (see above) addressed two zero-day attacks, but there have been three other zero-day patches since October 20! Mozilla also released security updates for Firefox, Firefox ESR and Thunderbird to address a critical vulnerability, but did not reveal many details about it.
Of course, users don’t inform the IT department when they have downloaded alternative browsers. Therefore, we probably need to send out a notice or check our users’ endpoints to ensure the latest versions of these browsers have been installed.
Meanwhile, as if our IT teams were not busy enough, several other vendors released patches last week. Fortunately, some of the patches will be less urgent and are found in less common software so busy IT teams will be able to prioritize them.
Intel addressed 95 vulnerabilities affecting their Wireless Bluetooth and Active Management Technology (AMT), including two flaws that could be exploited for unauthorized privilege escalation. SAP updated 3 previous patches and released 12 new patches to address RCE vulnerabilities and missing authentication checks.
Unpatched Equals Vulnerable
Researchers analyzing enterprise vulnerabilities found that 64% of them involve unpatched vulnerabilities that are over two years old!
Of all of the vectors of attack, this is one of the few that an organization can completely control, yet many fall behind.
Ideal Integrations offers IT services that cover patch management, network design to isolate legacy systems, and security monitoring services (through Blue Bastion) to constantly scan for attackers. Call us today or fill out the form below to help address your organization’s vulnerabilities.