Are We Doing Better? Patch and Security in 2019 So Far
The year 2019 has been an interesting one for security so far. A record number of vulnerabilities have been reported, with Microsoft, Adobe, Mozilla, Google, and others cranking out regular security updates. We’ve also seen some easily exploited vulnerabilities hit the public domain, with lots of media hype and the potential for catastrophic exploitation … but the number of associated, reported attacks has been relatively low. Are we finally getting ahead of the attackers and closing the gaping holes in our systems?
Plenty of Potential Risk but No WannaCry Scale Attacks
Let’s begin by reviewing the updates released by Microsoft this year up through August Patch Tuesday.
During this time period, 10 zero-day vulnerabilities (exploited in the wild before a fix was available) and 18 publicly disclosed vulnerabilities (details public before the fix shipped) have been reported. As expected, Windows 10 and its associated server versions continue to get the most attention, having the most vulnerabilities addressed. The average number of CVEs fixed each month is 55, with a high of 78 in August and a low of 32 in January.
The legacy operating systems also get their fair share of attention. For example, Windows 7/Server 2008 R2 averages 32 CVEs fixed each month, as does Windows 8.1/Server 2012 R2. As with Windows 10, the low point for both groups was January, with 15 and 18 CVEs addressed respectively. The high points were June for Windows 7/Server 2008 R2 at 49 and August for Windows 8.1/Server 2012 R2 at 43. The general trend has been slow growth in the number of CVEs addressed each month, so we will see if that continues to the end of the year.
Microsoft Gets the Most Attention, But All Vendors Are Responding
Microsoft gets the bulk of the attention because of Patch Tuesday, but all vendors have been responding to the growing number of reported vulnerabilities. Oracle’s Java 8 and 11 updates have addressed 4, 5, and 10 vulnerabilities in the first three Critical Patch Update releases this year.
Browser software is always in the spotlight because it’s so heavily used. The major security updates for Google Chrome and Mozilla Firefox have addressed an average of 19 and 21 CVEs, respectively. These vendors also have to respond to zero-days from time to time, such as the Chrome issue back in March (CVE-2019-5786, exploited in the wild before the fix shipped). Apple has been busy with regular bi-monthly releases for iTunes and iCloud, averaging 19 CVE fixes. These are just a few of the vendors Ivanti supports, but they provide a good example of the pace and volume of security updates that must be managed.
Microsoft is also aggressively improving the overall security and stability of its update process. In March of this year it began a six-month campaign to switch the digital signature on all operating-system and product updates from Secure Hash Algorithm 1 (SHA-1) to SHA-2. Older operating systems first needed updates that add SHA-2 code-signing support (and, on Windows 7 and Server 2008 R2, a current servicing stack) so that they could verify and install the newly signed patches; a system without that support cannot validate a SHA-2-only signature and will refuse the update.
Microsoft took a phased approach, shipping dual-signed (SHA-1 and SHA-2) patches alongside the SHA-2 support updates where needed. The campaign came to completion on September Patch Tuesday, with operating system releases for Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 signed only with SHA-2. SHA-1 was a sound algorithm when originally released, but it is now considered broken: practical collision attacks have been demonstrated publicly (in 2017), which means a SHA-1 signature can no longer be relied on to bind exactly one file, so Microsoft rightfully moved to SHA-2.
Microsoft also released regular Servicing Stack Updates (SSUs) to improve the update process. An SSU updates the component that installs Windows updates on the endpoint (the servicing stack) rather than Windows itself. These updates have been released for both Windows 10 and the legacy operating systems. Some are required in order to install the next cumulative update, and ALL are strongly recommended by Microsoft; in practice, deploy the SSU first and the cumulative update afterwards. Major updates for almost all versions of Windows 10 were released in February and May. The “Windows as a service” model will continue to evolve as Microsoft makes regular adjustments to the process.
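As an added example (not code from the original post or from Ivanti), the following PowerShell script ties the two points above together: it checks whether a legacy host has the prerequisites needed to verify SHA-2-only signed updates, and it verifies the Authenticode signature of a downloaded package before that package is pushed out. The KB numbers are the ones Microsoft published for Windows 7 SP1 / Server 2008 R2 SP1 (KB4474419 for SHA-2 code-signing support, KB4490628 for the March 2019 servicing stack update); the treatment of Windows 8.1 and later as needing no extra support update, and the `.msu` path, are assumptions for the example.

```powershell
# Added example: SHA-2 update readiness and package signature check.
# Assumptions: Windows PowerShell 3.0 or later; KB4474419 (SHA-2 code-signing
# support) and KB4490628 (servicing stack, March 2019) are the Windows 7 SP1 /
# Server 2008 R2 SP1 prerequisites; the .msu path below is a placeholder.

function Test-Sha2Readiness {
    param([string[]] $RequiredKb = @('KB4474419', 'KB4490628'))

    $os = [System.Environment]::OSVersion.Version
    # Assumption: Windows 8.1 / Server 2012 R2 (6.3) and Windows 10 verify SHA-2
    # Authenticode signatures natively; only 6.0/6.1 hosts needed the
    # out-of-band support updates during Microsoft's 2019 migration.
    if ($os -ge [version]'6.2') {
        return [pscustomobject]@{ Ready = $true; Missing = @(); Note = 'SHA-2 signature support is native on this OS' }
    }

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($RequiredKb | Where-Object { $installed -notcontains $_ })
    $note = if ($missing.Count -gt 0) {
        'Install the missing prerequisites (and reboot) before deploying SHA-2-only updates'
    } else {
        'Prerequisites present'
    }

    [pscustomobject]@{ Ready = ($missing.Count -eq 0); Missing = $missing; Note = $note }
}

function Test-UpdateSignature {
    param([Parameter(Mandatory = $true)] [string] $Path)

    # Get-AuthenticodeSignature calls WinVerifyTrust: Status 'Valid' means the
    # chain built to a trusted root and the file digest matches the signed digest.
    # On a host without SHA-2 support a SHA-2-only package does not come back
    # 'Valid', so this check doubles as a readiness test for that host.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        # Algorithm the CA used to sign the signer certificate (e.g. sha256RSA).
        # This is an indicator only; the file-digest algorithm itself is shown by
        # `signtool verify /v`.
        CertAlg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        Deploy  = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
    }
}

# Usage (placeholder path):
Test-Sha2Readiness | Format-List
Test-UpdateSignature -Path 'C:\Patches\example-update.msu' | Format-List
```

Run `Test-Sha2Readiness` across the Windows 7 estate before the SHA-2-only cut-over; a host that reports `Ready = $false` will silently fail to install anything signed after that date, which looks like a stalled patch cycle rather than an error.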
Remote Desktop Services Vulnerabilities – “BlueKeep”
The Remote Desktop Services vulnerabilities, also known as “BlueKeep”, were first reported and addressed in the May Patch Tuesday release. The most publicized vulnerability was CVE-2019-0708, which is “wormable”: it can be exploited remotely over RDP without authentication and without user interaction, so an attack could propagate silently from computer to computer, supporting an Internet worm attack.
Found and fixed in Windows 7 and Server 2008/2008 R2 (Windows 8 and later are not affected), updates were also released for the out-of-support Windows XP and Server 2003, which contain the same flaw, because of the high potential for exploitation. June Patch Tuesday continued to raise awareness around the BlueKeep vulnerability.
The first demos of exploitation, by Sophos and others, appeared in July, and not long thereafter an active exploit was found in a crypto-mining package. The media hype and the threat of another WannaCry-type event spurred the industry to apply the latest updates, and few known attacks were reported. Interestingly, a second round of Remote Desktop Services vulnerabilities (CVE-2019-1181 and CVE-2019-1182, also wormable) surfaced in August; unlike BlueKeep, these affect Windows 7 through Windows 10, so we’ll be monitoring them closely.
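The following per-host exposure report is an added example, not code from the original post or from Ivanti. It combines the facts above (the affected OS generations, the May 14 fix date, and the fact that exploitation is unauthenticated, so Network Level Authentication blocks it) into one assessment. The “patched” test is an assumption for the example: it treats any update installed on or after the May 2019 Patch Tuesday as evidence the host has been through a post-BlueKeep patch cycle, rather than checking for one specific KB, because monthly rollup and security-only packages carry different IDs.

```powershell
# Added example: per-host exposure report for the BlueKeep class of RDS bugs.
# Assumptions: Windows PowerShell 3.0 or later, run with local admin rights;
# the "patched" test is a date heuristic (any update installed on or after
# 14 May 2019), not a check for one specific KB.

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $os  = [System.Environment]::OSVersion.Version

    # CVE-2019-0708 affects Windows 7 / Server 2008 R2 (6.1) and older; Windows 8
    # (6.2) and later are outside its scope. The August 2019 round (CVE-2019-1181
    # and CVE-2019-1182) does affect 6.1 through 10.0, so this flag means
    # "in BlueKeep scope", not "safe from RDS bugs".
    $blueKeepEra = $os -lt [version]'6.2'

    # fDenyTSConnections = 1 means RDP is off. UserAuthentication = 1 means NLA is
    # required, so the vulnerable channel is only reachable after CredSSP auth.
    $rdpEnabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
    $port       = (Get-ItemProperty -Path $tcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber

    $fixDate   = [datetime]'2019-05-14'
    $recentFix = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $fixDate }).Count

    $risk = if (-not $rdpEnabled) {
        'Low: RDP disabled'
    } elseif (-not $blueKeepEra) {
        'Outside BlueKeep scope; still patch for the August 2019 RDS bugs'
    } elseif ($recentFix -gt 0 -and $nla) {
        'Mitigated: patched and NLA required'
    } elseif ($recentFix -gt 0) {
        'Patched; enable NLA as defence in depth'
    } elseif ($nla) {
        'Unpatched; NLA blocks unauthenticated exploitation, patch urgently'
    } else {
        'CRITICAL: unpatched, NLA off, RDP reachable on port ' + $port
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OSVersion       = $os.ToString()
        RdpEnabled      = $rdpEnabled
        RdpPort         = $port
        NlaRequired     = $nla
        BlueKeepEraOS   = $blueKeepEra
        UpdatesSinceFix = $recentFix
        Assessment      = $risk
    }
}

Get-RdpExposure | Format-List
```

Run it through `Invoke-Command` against the server list to get a fleet view; the hosts that matter are the 6.1-and-older ones with RDP on and NLA off, which is exactly the population a BlueKeep worm would have spread through.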
Spectre and Meltdown Vulnerabilities
Our “friends” from 2018, the Spectre and Meltdown vulnerabilities, were also in the news this year. Just as a reminder, Spectre takes its name from speculative execution, a performance feature in which the CPU executes instructions ahead of knowing whether they are actually needed. The flaw is in the processor design, not in firmware: an attacker can steer that speculation so it touches data the attacker is not permitted to read, then recover the data through a side channel such as cache timing. Updates from Microsoft mitigate some of the issues, but microcode updates from Intel (delivered through firmware or through Windows) are required for the hardware-level mitigations, and even then the underlying weakness remains in affected silicon.
In the first part of 2019, we’ve seen updates for Variant 2 in April and Variant 1 in August. In May, we saw the arrival of the Microarchitectural Data Sampling (MDS) vulnerabilities. While similar in spirit, these are considered more dangerous than Spectre because they allow in-flight data to be read from internal CPU buffers (store, fill and load-port buffers) regardless of which process or privilege level it belongs to. Unlike the BlueKeep vulnerabilities, those associated with Spectre and MDS are much more difficult to exploit, requiring highly specialized code both to access and to process the data retrieved. While they also received publicity, it’s not surprising that there have been no known in-the-wild attacks exploiting them.
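Because the OS update, the microcode and a registry setting all have to line up before a Spectre or MDS mitigation is actually active, the useful check is not “is the patch installed” but “is the mitigation enabled”. The script below is an added example (not from the original post or from Ivanti) that reads the mitigation state with Microsoft’s SpeculationControl module from the PowerShell Gallery and flags the half-mitigated cases. Property names are those of the module as published at the time of writing and are an assumption for the example; confirm them with `Get-Member` if your module version differs.

```powershell
# Added example: report Spectre v2, Meltdown and MDS mitigation state using
# Microsoft's SpeculationControl module (PowerShell Gallery).
# Assumptions: PowerShellGet is available (bundled with PowerShell 5; on
# Windows 7 install WMF 5.1 first); the property names below are those of the
# module version current at the time of writing.

function Get-SpeculationReport {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet

    $findings = @()

    # Spectre v2 (branch target injection). "Support present but not enabled" is
    # the common half-mitigated state: either the microcode that exposes the new
    # CPU controls is missing, or a registry override has disabled it.
    if ($s.BTIWindowsSupportPresent -and -not $s.BTIWindowsSupportEnabled) {
        if ($s.BTIHardwarePresent) {
            $findings += 'Spectre v2: OS mitigation present but disabled (check FeatureSettingsOverride policy)'
        } else {
            $findings += 'Spectre v2: CPU microcode update required before the OS mitigation can enable'
        }
    }

    # Meltdown (kernel VA shadowing). Only required on affected CPUs; required
    # but not enabled means the OS update is installed but inactive.
    if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
        $findings += 'Meltdown: KVA shadow required but not enabled'
    }

    # MDS (May 2019). Needs both the OS update and microcode; on vulnerable
    # parts the enabled flag is what matters.
    if ($s.MDSHardwareVulnerable -and -not $s.MDSWindowsSupportEnabled) {
        if ($s.MDSWindowsSupportPresent) {
            $findings += 'MDS: OS support present but not enabled (microcode or setting missing)'
        } else {
            $findings += 'MDS: OS update providing the MDS mitigation is not installed'
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Findings       = $findings
        FullyMitigated = ($findings.Count -eq 0)
        Raw            = $s
    }
}

Get-SpeculationReport | Format-List
```

The `Raw` field keeps the full module output so a finding can be traced back to the individual flag that triggered it; on servers, compare it against the hyper-threading and FeatureSettingsOverride choices you have made deliberately, since some mitigations are off by default there.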
We saw end of support on October 8 for the Windows 10 Enterprise and Education editions of version 1703. The Home, Professional, and Professional for Workstations editions will do the same for version 1803 on November 12. Microsoft is now only four months away from the end of life for Windows 7 and Server 2008/2008 R2 (January 14, 2020). If you aren’t actively migrating to a newer workstation or server operating system, you should be budgeting for Extended Security Updates. Microsoft has both cloud and on-premises options to consider. And on a final Windows 10 note, we are looking forward to version 1909 and the changes it will bring.
In summary, I would characterize vulnerability remediation and patch operations so far in 2019 as extremely busy, but not frantic. Vulnerabilities are being addressed in a timely manner, the patches are released and distributed, and IT administrators are deploying them in the next patch cycle. The fact that a high-risk vulnerability like BlueKeep did not result in another WannaCry event supports this view.
For now, I’m going to continue wearing my “rose-colored” glasses and congratulate everyone on a job well done! Let’s continue the good work for the remainder of 2019 but be vigilant as always.