Tag Archive for: tuesday

Patch Tuesday gets off to a busy start for January

For this week’s Patch Tuesday, the first of the year, Microsoft addressed 97 security issues, six of them rated critical. Though six vulnerabilities have been publicly reported, I do not classify them as zero-days. Microsoft has fixed a lot of security-related issues and is aware of several known issues that may have inadvertently caused significant server problems, including:

  • Hyper-V, which no longer starts and reports the message, “Virtual machine xxx could not be started because the hypervisor is not running.”
  • ReFS (Resilient File System) volumes that are no longer accessible (which is kind of ironic).
  • Windows domain controller boot loops.

There are a variety of known issues this month, and I’m not sure whether we’ll see more issues reported with the January server patches. You can find more information on the risk of deploying these latest updates with our helpful infographic.

Key testing scenarios

There are no reported high-risk changes to the Windows platform this month. However, there is one reported functional change, and an additional feature added.

  • Test local and remote printing and test printing over RDP.
  • Test site-to-site VPN, including new and existing connections.
  • Test reading or processing ETL files.
  • Check starting and stopping Hyper-V on your servers.
  • Run Transactional NTFS (TxF) and CLFS test scenarios while including tests for ReFS file I/O transfers.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I’ve referenced a few key issues that relate to the company’s latest builds, including:

January 2022 Patch Tuesday forecast: Old is new again

Welcome to 2022 and a new year of patch management excitement! I’m rapidly approaching 40 years working in this industry and I can honestly say there is rarely a dull day. If you are willing to take on the challenges presented, it is a great industry to work in and I hope you all are excited to start the new year too. Let’s look at some recent events which will be influencing this month’s patch releases.

January 2022 Patch Tuesday forecast

I closed out last month’s forecast article calling 2021 the ‘year of supply chain attacks’ and that trend is continuing. Malware in the Atera Remote Management Software is taking advantage of Microsoft’s digital signature verification vulnerabilities from as far back as 2012 to load ZLoader and steal account credentials.

Even though these vulnerabilities were fixed, the changes are not enabled by default. Microsoft Security Advisory 2915720 from 2017 provides more details on the Authenticode and WinVerifyTrust functionality, with recommendations for action. Despite the old vulnerabilities, this is a new attack, and I’m sure we will be hearing more from Microsoft, with potential changes in next week’s patches.

The zero-day vulnerability in the Apache Log4j Java-based logging library took the software industry by storm in mid-December. This library is widely used in both enterprise and cloud service software. Even though Apache released the zero-day fix for CVE-2021-44228, it takes a while for companies who use this library to update, test, and release a new version.

To complicate the situation, a total of four additional CVEs associated with the Log4Shell bug have been identified in the last month, the latest being CVE-2021-44832. Keeping the industry churning, Apache released multiple updates with this library, now up to version 2.17.1. SaaS products can be quickly updated under DevOps but updating traditional software products in the field can take much longer, leaving them vulnerable to exploitation.

Microsoft has been busy leading up to the first Patch Tuesday of 2022. It released an out-of-band update for Windows servers that “experience a black screen, slow sign in, or general slowness.” These updates were initially a limited release, but are…


Iran’s Lyceum threat group active against telcos, ISPs. Clop hits unpatched SolarWinds instances. Mercenaries. Patch Tuesday.

Attacks, Threats, and Vulnerabilities

Iranian cyber group targets Israel, Saudis, Africans – report (The Jerusalem Post) An Iranian hacker group called Lyceum has targeted Israel, Saudi Arabia, Morocco, Tunisia and others.

Exclusive: A Cyber Mercenary Is Hacking The Google And Telegram Accounts Of Presidential Candidates, Journalists And Doctors (Forbes) An unprecedented peek inside an underground hacker-for-hire operation reveals 3,500 targets, including Belarusian presidential candidates, Uzbek human rights activists and a cryptocurrency exchange.

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks (BleepingComputer) The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices.

TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access (NCC Group Research) NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime actor, recognised for extortion attacks using the Clop ransomware. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach.

Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability (SecurityWeek) The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection.

Vulnerable smart contracts and fake blockchains: What do investors need to know? (Digital Shadows) Well, here we are again. Another blog on a topic that’s often spoken about but little understood: cryptocurrency. Cryptocurrency-related decentralized finance (DeFi) is seeing unprecedented interest from retail and institutional investors alike.

FBI: Scams Involving Cryptocurrency ATMs and QR Codes on the Rise (SecurityWeek) The Federal Bureau of Investigation (FBI) this week issued an alert on fraud schemes that direct victims to use cryptocurrency ATMs and Quick Response (QR) codes to…


Patch Tuesday, October 2021 Edition – Krebs on Security

Microsoft today issued updates to plug more than 70 security holes in its Windows operating systems and other software, including one vulnerability that is already being exploited. This month’s Patch Tuesday also includes security fixes for the newly released Windows 11 operating system. Separately, Apple has released updates for iOS and iPadOS to address a flaw that is being actively attacked.

Firstly, Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability (CVE-2021-30883) that is being leveraged in active attacks targeting iPhone and iPad users. Lawrence Abrams of Bleeping Computer writes that the flaw could be used to steal data or install malware, and that soon after Apple patched the bug security researcher Saar Amar published a technical writeup and proof-of-concept exploit that was derived from reverse engineering Apple’s patch.

Abrams said the list of impacted Apple devices is quite extensive, affecting older and newer models. If you own an iPad or iPhone — or any other Apple device — please make sure it’s up to date with the latest security patches.

Three of the weaknesses Microsoft addressed today tackle vulnerabilities rated “critical,” meaning that malware or miscreants could exploit them to gain complete, remote control over vulnerable systems — with little or no help from targets.

One of the critical bugs concerns Microsoft Word, and two others are remote code execution flaws in Windows Hyper-V, the virtualization component built into Windows. CVE-2021-38672 affects Windows 11 and Windows Server 2022; CVE-2021-40461 impacts both Windows 11 and Windows 10 systems, as well as Server versions.

But as usual, some of the more concerning security weaknesses addressed this month earned Microsoft’s slightly less dire “important” designation, which applies to a vulnerability “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

The flaw that’s under active assault — CVE-2021-40449 — is an important “elevation of privilege” vulnerability, meaning it can be leveraged in combination with…
