“Software rots over time”
Patch Tuesday? How very yesterday.
For IT teams it’s Woe Wednesday as they try to convince upstairs that systems need a reboot. (“Yes, we did that last month too. No, these are fresh vulnerabilities.”)
Among the tasks on their table today: prioritising which patches to install. As ever, there’s no shortage, including some alarming new high-priority bugs.
Microsoft has released updates for Windows, Internet Explorer, Office, .Net, and a variety of developer tools. These resolve 49 distinct CVEs.
A critical patch update from Oracle meanwhile contains a hefty 334 new security patches across over 100 different products and versions.
(Look out for holes in Oracle’s WebLogic Server, including a handful with a critical CVSS score of 9.8: e.g. CVE-2020-2551 and CVE-2020-2546. There are 30 vulnerabilities that are remotely exploitable without authentication — i.e., may be exploited over a network without requiring user credentials — in Oracle Fusion Middleware alone.)
Adobe’s January Patch Tuesday security update contains five critical patches for Illustrator CC and four non-critical vulnerabilities for Experience Manager. Intel has pushed out six security advisories including one with a high CVSS score of 8.2 in its VTune Amplifier for Windows that may allow escalation of privilege.
I actually had a director get mad at me. "We just went through a huge patching effort last month and said you were good. Now it's Tuesday and you're saying you have all these windows vulns. Why didn't you patch them last month! Why did you say the scans were clean!" https://t.co/24Z5IWen4S
— Chris Rooney (@Renegade0x6) January 14, 2020
With the patches including the last batch for the now-unsupported Windows 7 and Server 8, IT teams will also be needing to consider their next steps to keep those systems secure. As IT asset management specialist Ivanti notes: “If you are continuing to run these systems in your environment, you should make sure you are prepared for February and beyond. If you are engaging with Microsoft to continue support, [ask]:
- Do you have your ESU agreement in place?
- Have you configured all systems that are continuing support with your ESU key?
- Have you applied the latest Service Stack Update to these systems? (Microsoft just released an updated SSU for these platforms with the January release.)
- Have you applied the SHA2 Cert update?”
The company adds: “If you are not purchasing an ESU you will want to consider mitigation options:
- Get systems up to January 2020 patch levels.
- Virtualise workloads and reduce access to these systems.
- Remove direct internet access from these systems.
- Segregate these systems into a network segment, separate from other systems.
- Lock down application control policies to prevent running anything other than the critical applications that rely on the legacy OS, etc.”
Jonathan Knudsen, senior security strategist at Synopsys, notes: “Software rots over time [as] vulnerabilities that were already in the software and its component building blocks are discovered over time… People often say ‘if it ain’t broke, don’t fix it.’
“Unfortunately, this attitude is disastrous in software security, where the expression should be ‘if it ain’t broke, it will be soon… if you don’t update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems.”
He adds: “Unfortunately, updating software sometimes causes things to stop working. Many organizations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organization must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability.”
It’s a delicate balance to strike. Marco Rottigni, CTSO EMEA at Qualys, emphasises that early visibility is key to getting the balance right. He said in an emailed comment: “Getting your priorities right depends very much on the specific IT set-up you have, their dependencies and how quickly you can implement those necessary changes.
“To sustain [software hygiene] efforts, it is crucial that organisations maximise their observability about what to fix, where it is deployed and when to plan it.
“This requires deep visibility, the ability to monitor specific situations and to gain answers about difficult simple questions such as ‘Where is this service running? Where is this software component active?’ or ‘Where is this application installed?’ with a velocity that many organizations don’t currently have.”