Updates are Light, But Ransomware Attacks Escalate

By Chris Goettl, Director of Product Management, Security, Ivanti

September marks the second month in a row with a relatively light set of updates, but that doesn’t mean the threat of attack has gone down. In fact, there has been an escalating number of recent ransomware attacks in the public sector. With the slowdown in patch activity and ransomware back in the news, it’s a good time to take a look at the rest of your IT operations program, especially your cyber-attack and disaster recovery plan. Before we dig into those topics, let’s review this month’s Patch Tuesday updates.

Microsoft resolved a total of 79 unique CVEs this month. Included in this list were two zero-days and three publicly disclosed vulnerabilities, all of which affect the Windows operating systems this month. The two zero-days are both elevation-of-privilege vulnerabilities fixed in the Windows 10 workstation and server operating systems as well as the legacy operating systems. The first zero-day, CVE-2019-1215, exists in the Winsock component and the second, CVE-2019-1214, exists in the Windows Log Common File System driver.

Microsoft continues to adjust its software update process, releasing service stack updates for all operating systems this month. Usually these release for one or a couple of Windows editions, so for all Windows OSs to be impacted by this one is a bit out of the ordinary. A couple of things to note about servicing stack updates. They are rated as Critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied. The shortest we have seen from availability to enforcement is two months. Our guidance is to begin testing as soon as possible and plan to have these in place before November to be on the safe side. Before October would be the best case on the off-chance Microsoft enforces these changes sooner.

For September Microsoft provided the usual set of operating systems and application security updates. In the pre-Windows 10 operating systems we see as many at 37 CVEs addressed, and 57 CVEs for the latest Windows 10 updates. A critical update addressing seven CVEs was released for all versions of the Sharepoint server, so pay close attention to that one. There are important updates for Office and Exchange server. In keeping with their usual bi-monthly release cadence, Microsoft also issued updates for .NET.  However, these updates were for 2012 and newer versions of operating systems.

In wrapping up this month we want to draw attention to some continuing ransomware trends.

Hardly a month has gone by this year without a report of ransomware attacks against state and local government systems. Ivanti CISO, Phil Richards, wrote a blog that provides an overview of many of these attacks and shared his insight on some dangerous trends. According to Phil, “Criminals are demanding higher ransoms of these government entities. They are targeting victims specifically, striking with greater precision and timing, and demanding large sums as ransom.” Of particular interest was an attack against several public school systems in the State of Louisiana. For the first time, a cyber-attack is being treated more like a natural disaster with cybersecurity experts pulled in from multiple state agencies plus Louisiana State University.

What is the state of your disaster preparedness plan (no pun intended)? Every month I talk about the importance of patching and remediating vulnerabilities, but the harsh reality is that sometimes these actions are not enough or not in time. Are you ready to respond to a cyber-attack? Do you have detection, isolation, and containment resources identified? Once you have the attack under control do you have the recovery process identified, including system restore/reimage and secure data backups to bring everything back online? And finally, make sure you include steps to handle legal and public relations issues. It is very important that everyone involved knows how information is to be shared both inside and outside your organization.

About the Author

Chris Goettl, is director of product management, security, Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT Admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and his commentary is often quoted as a security expert in the media.

Chris can be reached on Twitter @ChrisGoettl and at Ivanti’s website: www.ivanti.com.