RSS aggregator
For August, Patch Tuesday means patch now
Microsoft pushed out 90 updates this week in its August Patch Tuesday release, including fixes for five Windows zero-days (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107) and one zero-day affecting Office (CVE-2024-38189).
Unfortunately, this means a “Patch Now” recommendation for both Windows and Microsoft Office this month. Microsoft offered several (pretty useful) mitigations and recommendations to reduce the impact of these security issues; our testing guidance reflects this, with a focus on the networking related features of Windows.
Minor updates for the Microsoft development platforms can be added to your standard patch release schedule, while Microsoft did not release any patches for Microsoft SQL Server or Exchange Server. And Adobe Reader updates are back, though we assume this will be included in your Windows desktop Patch Now release cycle.
The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates. (See our running list of recent Patch Tuesday updates here.)
Known issues
Each month, Microsoft publishes a list of known issues affecting the operating system and platforms included in the latest update cycle, including these two reported minor issues:
- After installing the Windows update released on or after July 9, 2024, Windows Servers might (intermittently) affect Remote Desktop Connectivity across an organization. This issue might occur if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. Microsoft is working on a resolution.
- There’s an issue where “players” on Arm devices are unable to download and play Roblox via the Microsoft Store on Windows. This might be a good time to “block out” (sorry, not sorry) some time to look at potential compatibility issues on ARM platforms. Don’t forget to try to change your account profile photo — oh, wait!
This Patch Tuesday saw the following major revisions to past Microsoft security and feature updates, including:
- CVE-2024-29187: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM. Microsoft released updates on Tuesday for Microsoft Visual Studio 2017 version 15.9, Microsoft Visual Studio 2019 version 16.11, and Microsoft Visual Studio 2022 to address this GitHub-related issue.
- CVE-2024-38058: BitLocker Security Feature Bypass Vulnerability. Microsoft has added a FAQ to explain that because of firmware incompatibility issues, BitLocker would go into recovery mode on some devices; the fix for CVE-2024-38058 has been disabled with the release of this month’s updates. Customers who want to be protected can apply the mitigations described in KB5025885.
Microsoft published the following vulnerability-related mitigations for this month’s release cycle:
- CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability. Microsoft recommended as part of their mitigation strategy that all corporate users no longer install the LPD utility. Given that this reported vulnerability has been publicly disclosed, the Readiness team highly recommends a scan of your environment to ensure that this service is not running (and preferably not installed).
- CVE-2024-38159 and CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability. To reduce exposure to this vulnerability, Microsoft recommends that Hyper-V be disabled on the target machine.
- CVE-2024-38140: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability. Microsoft offers solid advice here. This vulnerability is only exploitable if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled, but no programs are actively listening, this vulnerability is not exploitable.
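The three mitigations above all reduce to a posture question (is LPD installed or running, is Hyper-V enabled, is the Reliable Multicast protocol bound to an adapter?). The following read-only PowerShell check is an added example, not code from the Readiness team or from Microsoft; the service name LPDSVC, the optional-feature names Printing-LPDPrintService and Microsoft-Hyper-V-All, and the network component ID ms_rmcast are assumptions from general Windows administration and should be confirmed against your own build before the output is trusted.

```powershell
# Added example: read-only posture check for this month's published mitigations.
# Run from an elevated prompt; Get-WindowsOptionalFeature requires administrator rights.
# Feature, service and component names are assumptions; verify them on your build.

function Test-LpdService {
    # CVE-2024-38199 mitigation: the LPD service should not be running, and preferably
    # not installed. On Windows Server the role feature is named differently
    # (LPD-Print-Service via Get-WindowsFeature); this version checks the client feature.
    $svc     = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Printing-LPDPrintService' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check     = 'LPD Service (CVE-2024-38199)'
        Installed = ($null -ne $feature -and $feature.State -eq 'Enabled')
        Running   = ($null -ne $svc -and $svc.Status -eq 'Running')
        Detail    = if ($svc) { "service state: $($svc.Status)" } else { 'service not present' }
    }
}

function Test-HyperV {
    # CVE-2024-38159 / CVE-2024-38160 mitigation: Hyper-V disabled on the target machine.
    # vmms is the Hyper-V Virtual Machine Management service.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
    $vmms    = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check     = 'Hyper-V (CVE-2024-38159/38160)'
        Installed = ($null -ne $feature -and $feature.State -eq 'Enabled')
        Running   = ($null -ne $vmms -and $vmms.Status -eq 'Running')
        Detail    = if ($feature) { "feature state: $($feature.State)" } else { 'feature not present' }
    }
}

function Test-Rmcast {
    # CVE-2024-38140: only exploitable when a program is listening on a PGM port.
    # The adapter binding tells you whether the Reliable Multicast protocol is enabled
    # at all; whether anything listens on it still needs an application inventory
    # (for example, MSMQ multicast), which this check cannot answer by itself.
    $bindings = @(Get-NetAdapterBinding -ComponentID 'ms_rmcast' -ErrorAction SilentlyContinue)
    $enabled  = @($bindings | Where-Object { $_.Enabled })
    [pscustomobject]@{
        Check     = 'Reliable Multicast / PGM binding (CVE-2024-38140)'
        Installed = ($bindings.Count -gt 0)
        Running   = ($enabled.Count -gt 0)
        Detail    = if ($enabled.Count -gt 0) { 'bound on: ' + (($enabled | ForEach-Object { $_.Name }) -join ', ') } else { 'not bound to any adapter' }
    }
}

function Get-AugustMitigationPosture {
    # Returns one row per mitigation; Installed/Running both $false is the desired state.
    Test-LpdService
    Test-HyperV
    Test-Rmcast
}

Get-AugustMitigationPosture | Format-Table -AutoSize
```

For fleet-wide use, wrap Get-AugustMitigationPosture in Invoke-Command against your server list and export the rows to CSV; any row with Installed or Running set to True is a candidate for the removal or disablement Microsoft recommends.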
Each month, the team at Readiness analyses the latest updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and app installations. We have grouped the critical updates and required testing efforts into separate product and functional areas, including:
Microsoft Office
Due to the changes to Microsoft Outlook and .NET components, we recommend a full test of sending/receiving mails with HTML content.
Microsoft .NET and developer tools
Microsoft updated both Microsoft .NET (Version 8) and Visual Studio 2022 with the following testing recommendations:
- Due to the update to System.Net.Mail.SmtpClient, a test of sending mail over TLS with an HTML body will be required.
With the release of the Windows updates, Microsoft put a real focus on securing Windows networking features with updates to core system files such as AFD.SYS; these will require the following testing:
- Network packets: try using a web browser to download and upload large files from both internal and external websites. Multicast senders will require validation on packet returns.
- Network sockets: check that bind, connect and listen functions work as expected. Close socket functions will require testing this month, as well.
- Smartcards: full logon/logoff testing will be required.
- Network Bridges: This update will require testing across two or more network adapters. Try creating a bridge using IPv6 packets.
- Bluetooth: Sending files across two Bluetooth adapters will require testing.
- DNS: Recursive DNS queries will require a basic test. Have a look for any SERVFAIL returns or time-outs. We also suggest trying NETSH to configure proxy settings.
- Remote Desktop: Test remote configurations on RRAS platforms while using copy/paste functions over a VPN.
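Two of the items in the list above (socket bind/connect/listen/close, and recursive DNS with an eye on SERVFAIL and time-outs) lend themselves to a repeatable smoke test that can be run before and after the update. The script below is an added example written for this article, not the Readiness team's own test suite; the hostnames in $Names are placeholders to be replaced with your own internal and external names, and the DNS server parameter is optional.

```powershell
# Added example: post-patch network smoke test (loopback TCP socket lifecycle + recursive DNS).
# Hostnames below are placeholders; substitute internal and external names you actually use.

function Test-TcpSocketRoundTrip {
    # Exercises bind, listen, accept, connect, send/receive and close over loopback,
    # which touches the AFD.SYS code paths the update changed.
    param([int]$Port = 0)   # 0 lets the OS choose a free ephemeral port
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $Port)
    try {
        $listener.Start()                                                 # bind + listen
        $boundPort = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
        $client = [System.Net.Sockets.TcpClient]::new()
        $client.Connect([System.Net.IPAddress]::Loopback, $boundPort)     # connect
        $server = $listener.AcceptTcpClient()                             # accept
        $payload = [System.Text.Encoding]::ASCII.GetBytes('ping')
        $client.GetStream().Write($payload, 0, $payload.Length)
        $buf  = New-Object byte[] 4
        $read = $server.GetStream().Read($buf, 0, $buf.Length)
        $echo = [System.Text.Encoding]::ASCII.GetString($buf, 0, $read)
        $client.Close()                                                   # close, client side
        $server.Close()                                                   # close, server side
        [pscustomobject]@{ Check = 'TCP bind/listen/connect/close'; Port = $boundPort; Passed = ($echo -eq 'ping') }
    } finally {
        $listener.Stop()
    }
}

function Test-RecursiveDns {
    # Resolves each name through the recursive resolver (not the client cache) and
    # records the outcome and elapsed time. SERVFAIL and time-outs surface as the
    # exception text in Status; anything other than 'OK' deserves a look.
    param([string[]]$Names, [string]$Server)
    foreach ($n in $Names) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $params = @{ Name = $n; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
            if ($Server) { $params.Server = $Server }
            $r = Resolve-DnsName @params
            $status  = 'OK'
            $answers = ($r | Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
        } catch {
            $status  = $_.Exception.Message
            $answers = ''
        }
        $sw.Stop()
        [pscustomobject]@{ Name = $n; Status = $status; Answers = $answers; Ms = $sw.ElapsedMilliseconds }
    }
}

# Placeholder names (constructed); replace with your own internal and external hosts.
$Names = @('intranet.example.internal', 'www.example.com', 'does-not-exist.example.invalid')

Test-TcpSocketRoundTrip | Format-Table -AutoSize
Test-RecursiveDns -Names $Names | Format-Table -AutoSize
```

Run it once before the update to capture a baseline and once after; a resolver that answered in tens of milliseconds before and now returns a server-failure message or runs into the seconds is the signal the guidance asks you to look for.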
In addition to these networking-focused changes, Microsoft updated core features in the Windows desktop and server platforms, including:
- Windows Error logs: a complete CRUD test (create, read, update and delete) will be required for Windows log files.
- Kerberos: Logon and certificate workflows will require validation.
- Codec and camera updates will require a basic test of camera (both still and video) features.
- Hyper-V: With only minor changes to the Microsoft Hyper-V platform, a basic VM startup and shut-down test is recommended.
Microsoft made a number of significant changes to the Windows file system (NTFS) with changes to both the NtQueryEaFile and NtSetEaFile APIs. Unfortunately, a significant testing cycle is required that should include large-file CRUD tests — and remember to include a query component. The Readiness team suggests that a PowerShell test be included to assist with “pacing” rapid changes to the Windows file system.
Given recent challenges with CrowdStrike and BitLocker, Microsoft published changes that will require testing of the Microsoft BitLocker recovery environment.
Windows lifecycle update (now including enforcements)
This section contains important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.
- Enforcements: Now that we are past the July 2024 deadline for the enforcement phase, the Windows certificate “Windows Production PCA 2011” will be automatically revoked.
- Lifecycle: Both Windows 11 Enterprise, Versions 21H2 and 22H2, have an end of servicing date of Oct. 8.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange Server.
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (if you get this far).
Browsers
Microsoft released 11 updates to the Edge browser platform. These low-profile changes have been rated as either important or moderate, reflecting their lower security and deployment risks. We recommend following the stable channel release of Microsoft Edge, as there will be mid-cycle releases at the end of this month. Add these browser updates to your standard release schedule.
Windows
Microsoft has released six updates rated critical and 60 rated important, with five zero-day patches (as already noted, they are: CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, and CVE-2024-38107).
In addition to these updates, Microsoft released patches that affect the following Windows feature groups:
- Windows DNS, broadband, routing, translation and multicast networking features.
- Kernel mode and system drivers.
- Line printer services (daemon).
- Windows OLE.
- Windows Kerberos.
Given the larger (and somewhat concerning) number of exploited and publicly disclosed vulnerabilities this month, we again recommend a “Patch Now” schedule for this update.
Microsoft Office
Microsoft returns to form with one critical rated update to Copilot (CVE-2024-38206) and nine other updates to the Microsoft Office suite, all rated important. Unfortunately, one of the vulnerabilities (CVE-2024-38189) that affects the entire Office platform has been reported as exploited. Add Microsoft Office to the Patch Now release schedule.
Microsoft SQL (née Exchange) Server
Good news: no updates or patches for either SQL Server or Exchange Server.
Microsoft development platforms
Microsoft released four low-profile updates to the Microsoft .NET and Visual Studio 2022 platforms. We do not expect serious testing requirements for these lesser reported vulnerabilities. Add these updates to your standard developer release schedule.
Adobe Reader (and other third-party updates)
Adobe Reader is back in the game with an important update, APSB24-57, which has addressed 12 memory and “use after free” (my favorite) security vulnerabilities; it can be added to your Windows update cycle.
Review of Darkest Dungeon 2. A roguelite adventure on the verge of madness
Intel has more lives than a cat. Problems pile up, but it pulls through (Živě Podcast)
Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign
Netflix and others for the weekend: the legendary Lost, a Stone Age Predator, Emily in Paris. And Furiosa from Mad Max
Germany’s BSI guns for better tech security
Every business using tech (which means every business) should now hope that the days of insecure platform design are numbered, as one of the most powerful cybersecurity agencies on the planet steps into the ring to demand tougher security.
Following the financial disaster of the Microsoft/CrowdStrike debacle, the BSI — Germany’s Federal Office for Information Security — is demanding that tech firms take swift steps to secure their products and prevent a repeat meltdown.
No more designer insecurity
The BSI is summoning Big Tech companies to a conference later this year and will be pushing for kernel access to be restricted or abandoned. That’s almost certainly going to mean Microsoft will need to cease allowing kernel access in Windows, just as Apple already did years ago. What Apple understood is that the risks of providing such access are too high and the consequences too great.
While many in the industry seem to think it’s normal for a computer outage to generate billions of dollars of damage to global systems and businesses, those outside that bubble disagree. That’s why Apple doesn’t do that.
There is another way
Apple’s approach to platform security isn’t foolproof. Security is ephemeral; delivering it is an eternal dance — and sometimes errors take place. But, at least in Apple’s case, it is an ongoing investment characterized by a high degree of proactive protection. Apple’s security teams identified the risks of kernel access and got rid of it — not without opposition.
(Microsoft has claimed it can’t follow suit because of a 2009 agreement with the European Commission, but perhaps it could have argued already for the need to do so. I don’t know if it did.)
Chalk and cheese, and it goes way back
The difference between these approaches is not new. Think back to the early days of Mac OS X, when Apple introduced a virus-safe browser called Safari even when other browsers remained full of security flaws. I won’t say who made the dominant browser then, but you might be able to guess where that insecurity by design came from. Watch this 2006 ad for some insight into this continued commitment to platform insecurity.
It’s a commitment that seems to extend to the present day, given the TCO costs in terms of security and tech support when you compare Apples to Windows. (The University of Kentucky recently claimed its move to Apple devices cut IT costs by 50%.)
Perhaps it is unfair to expect Microsoft, still the world’s most widely used computing platform, to match Apple on security.
The argument is growing
Apple’s success in creating platforms developers can use while eradicating kernel access shows that it’s possible to create a secure platform without leaving the very heart of that platform exposed. The powerful cybersecurity regulator thinks so, too.
Not only does BSI want Microsoft to take urgent steps to secure its platforms (which it should have done years ago), but it also wants security firms such as CrowdStrike to redesign their tools to make such access unnecessary.
CrowdStrike, however, has argued that products like firmware analysis or device control “would not be possible” without it. The regulator doesn’t agree, telling the WSJ that it is, “positive that robust technical solutions which also respect EU regulation can be found for the problem at hand.”
Financial liability
The nature of regulation is that events take time to unfold. But it seems clear one approach that would help focus the mind of tech firms would be to make them financially responsible for outages of this kind.
We know business lost billions as a result of the CrowdStrike/Microsoft debacle; we also know the terms and conditions of the user agreements forced on those customers mean they’ll get little or none of that lost money back.
How does that lack of liability foster a security-first culture? Why bother being proactive about security if you face no consequences for your own failure?
Ensuring every tech firm delivers solutions at least as secure and reliable as Apple’s has to be the goal of any regulation. It seems to me that making tech firms financially responsible for such errors should help make that happen.
Of course, that means waiting for action. What if you can’t wait that long?
There is an alternative
For many in business making purchasing decisions today, there is another approach: deploy Apple products, just like the German government has. After all, as well as plenty of solutions to help integrate those products into existing Microsoft infrastructure, the platform has a now-decades long track record for better security, regular updates, hardware-based encryption and data protection that is second to none in the business.
More from Jonny Evans
- For IT, Jamf’s Microsoft Azure partnership means a lot
- Convenience has a cost, privacy has iPhone
- Apple, this is the time to seize the moment
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
Windows 11 will encrypt storage automatically. PCs will be safer, but slower
Navigating the future of cybersecurity
Webinar In a world where cyber threats are continually evolving, staying informed is critical for IT and security professionals.…
Debian celebrates 31 years
The first smartphone turns 30. Some of its tricks are still in use today
Epic Games Store now on Android and iOS
Russian Hacker Jailed 3+ Years for Selling Stolen Credentials on Dark Web
Review of Alien: Romulus. It mixes the best for fans, but it is not a breathtaking horror
Texas Instruments to receive a $1.6 billion subsidy to fund semiconductor manufacturing in Texas and Utah
EV battery prices have fallen an incredible 90% since 2008. Now that may stall for a while
Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware