Tag Archive for: patches

One 0-day; Win 7 and 8.1 get last-ever patches – Naked Security


As far as we can tell, there are a whopping 2874 items in this month’s Patch Tuesday update list from Microsoft, based on the CSV download we just grabbed from Redmond’s Security Update Guide web page.

(The website itself says 2283, but the CSV export contained 2875 lines, where the first line isn’t actually a data record but a list of the various field names for the rest of the lines in the file.)

Glaringly obvious at the very top of the list are the names in the Product column of the first nine entries, dealing with an elevation-of-privilege (EoP) patch denoted CVE-2013-21773 for Windows 7, Windows 8.1, and Windows RT 8.1.

Windows 7, as many people will remember, was extremely popular in its day (indeed, some still consider it the best Windows ever), finally luring even die-hard fans across from Windows XP when XP support ended.

Windows 8.1, which is remembered more as a sort-of “bug-fix” release for the unlamented and long-dropped Windows 8 than as a real Windows version in its own right, never really caught on.

And Windows RT 8.1 was everything people didn’t like in the regular version of Windows 8.1, but running on proprietary ARM-based hardware that was locked down strictly, like an iPhone or an iPad – not something that Windows users were used to, nor, to judge by the market reaction, something that many people were willing to accept.

Indeed, you’ll sometimes read that the comparative unpopularity of Windows 8 is why the next major release after 8.1 was numbered Windows 10, thus deliberately creating a sense of separation between the old version and the new one.

Other explanations include that Windows 10 was supposed to be the full name of the product, so that the 10 formed part of the brand new product name, rather than being just a number added to the name to denote a version. The subsequent appearance of Windows 11 put something of a dent in that theory – but there never was a Windows 9.

The end of two eras

Well, this month sees the very last security updates for the old-school Windows 7 and Windows 8.1 versions.

Windows 7 has now reached the end of its three-year pay-extra-to-get-ESU period (ESU is short for extended security updates), and…

Source…

How to Prioritize and Apply Patches


Every IT environment and cybersecurity strategy has vulnerabilities. To avoid damage or loss, organizations need to find and eliminate those vulnerabilities before attackers can exploit them.

Some of those vulnerabilities will be found and fixed by vendors, who will provide patches and updates for their products.

Other vulnerabilities cannot be patched and will require coordination between IT, cybersecurity, and app developers to protect those exposed vulnerabilities with additional resources that mitigate, or reduce, the risk of exploitation.

Regular and efficient execution of the following vulnerability and patch management stages can provide strong protection for organizations of all sizes:

How to Find Vulnerabilities

Some vulnerabilities are announced publicly; others must be found through testing. Either way, every IT and cybersecurity team should designate specific people and processes to focus on detecting and managing vulnerabilities.

The first priority will be to collect the publicly announced vulnerabilities. Vendors announce vulnerabilities and usually release patches or mitigations for them at the same time.

Vulnerability detection teams need to monitor news feeds and vendor websites so they can act promptly, because attackers move quickly. Mandiant’s research determined that:

  • 42% of exploits occurred after a patch was issued
  • 12% of exploits occurred within the week after the patch availability date
  • 15% of exploits occurred within the month, but after the first week the patch was available

Of course, these will not be the only vulnerabilities that exist in the IT environment. Outdated or unpatched software is just one of the top seven types of vulnerabilities noted by Crowdstrike; the others are:

Source…

The resounding negative effects of silent patches


The alert from the Zero Day Initiative (ZDI) announcing changes to its disclosure policy for ineffective patches has come at the perfect time. It brings to the surface a recent and alarming trend: silent patches, and the shrinking amount of communication that accompanies patches, have been overlooked for quite some time. As a result, enterprises are losing their ability to accurately estimate the risk in their coordinated vulnerability disclosure (CVD) systems – further harming IT protectors.

The updates to ZDI’s policy are intended to incentivize vendors to patch correctly the first time around and to communicate patches effectively, so that the public gets an accurate picture of risk. While shorter patch timelines ahead of the public disclosure of vulnerabilities have become an urgent need, not everyone truly knows the hidden harm of silent patching or where to start.

To better grasp the concerns surrounding the matter, it’s important to understand three main areas: the history behind the silent patch, the repercussions of limiting researchers in the process, and how organizations must respond quickly and efficiently to improve their patch rates and avoid long-term consequences.

What to know about the silent patch

To start, most major software vendors were once infamous for sweeping vulnerability reports under the rug, which made it challenging for researchers to report vulnerabilities. Bug reports from researchers were often housed in a quiet, unobserved space until, without notice, their proof-of-concept exploits no longer worked. No credit, no explanation, no CVE ID – this was the standard silent patching model.

While this was once the standard approach, it is very dangerous today, per the ZDI announcement. In most cases, the companies shipping these software patches were not using exotic packers, nor were they employing anti-forensics. Whatever level of encryption or obfuscation is applied to the patch data, the patch does eventually need to modify the code of the running software, exposing it to anyone armed with a debugger and a disassembler. In these instances, there was a high risk that skilled exploit developers would sweep in and take advantage of patch…

Source…

Google and Apple both release patches against zero‑day vulnerabilities – Week in security with Tony Anscombe


Zero-day vulnerabilities are highly active right now, and Google and Apple are acting to patch them, some having already been seen in the wild.

Google and Apple have both released patches for zero-day vulnerabilities that have already been exploited in the wild. ESET cybersecurity expert Tony Anscombe explains what those vulnerabilities are in simpler words, and reiterates the importance of keeping all your apps and devices up-to-date to stay cybersafe.

Watch the video to learn more.

Source…