March kept us all busy with the ongoing out-of-band Microsoft updates for Exchange Server and the printing BSODs, which have plagued us since last Patch Tuesday. It looks like a standard release of updates from Microsoft next week, but before we move on to fixing the vulnerabilities, I’d like to focus on the need to detect and report them.
I entered the software and security market in the mid-1980s, when the internet was growing rapidly and participation was like visiting unexplored territory. Ah yes, CompuServe, Netscape, Commodore VIC-20 – those were the days. There were few standards for interoperability, and finding the right people to even talk about them was a challenge.
Those of us in the security industry saw the need to identify and share information on incidents and vulnerabilities, but unfortunately, the “security through obscurity” approach – protecting operations – was often taken. Fast-forward to today and, whether or not you agree with the state of software security, at least we have forums and infrastructure to solve problems at the working level.
The Forum of Incident Response and Security Teams (FIRST) is an international organization that provides best practices and assistance when dealing with a security incident. If an attack is ongoing, there is often strength in numbers among all those being exploited, and this is one way to share that information. If you encounter a vulnerability in the software you use on your systems, you have some options on how to resolve it.
Many reported vulnerabilities are catalogued as Common Vulnerabilities and Exposures (CVE) entries tracked in the National Vulnerability Database (NVD) maintained by MITRE. Check there first to see whether the problem has already been reported. If it exists in the database, then the vendor is aware of the problem and should be working to correct it, although there is a certain level of confidentiality to prevent public disclosure and exploitation before the fix is available. Although I mentioned FIRST and NVD, your company may have other reporting requirements, so check first.
In the news this week with its annual Pwn2Own 2021 competition, the Zero Day Initiative continues to uncover new vulnerabilities that need to be addressed. This is a valuable service that allows vendors to fix previously unknown issues, discovered by security research experts, before they are made public for open use.
Like these experts, we have an obligation to act on any vulnerabilities we may discover while performing our regular patching or IT activities. Take the time to see if the vulnerability has been reported and contact the vendor to see if it is a known issue. In the long run we all benefit.
April 2021 Patch Tuesday forecast
- We will see cumulative updates for Windows 10, security-only and monthly rollup updates for actively supported operating systems, and, of course, Extended Security Updates (ESU) for Windows 7 and Server 2008/2008 R2. Now that Microsoft has decided on a new servicing stack update (SSU) strategy, we may see fewer updates.
- Microsoft Office should receive the usual set of updates. I would be surprised if Microsoft released another Exchange Server update.
- Adobe released security updates for many of its products last month, but Acrobat and Reader were last updated in February. We may see these updates next week.
- Apple released the latest Big Sur update on March 8, but we haven’t seen a security release for iTunes in a long time. We’re due for one soon.
- Google just released the beta version of Chrome 90 for Windows, Mac, Linux and iOS this week. We may see a small security fix for Chrome 89 next week.
- On March 23, Mozilla released some minor security updates for Firefox, Firefox ESR and Thunderbird. They seem to be trending toward smaller, once-a-month releases, so we may not see anything next week.
Remember that Oracle Critical Patch Updates (CPUs) are coming on April 20th.