I am about to head to Las Vegas for Ivanti’s Interchange 2017 at The Mirage hotel and feeling a bit in a gambling mood, so I am going to take a shot at this month’s forecast and see if luck is on my side.
This month we will also explore the dangers of phishing scams and hardware vulnerabilities. Let’s also recap the Java update which was part of the Oracle CPU the week after April Patch Tuesday for those who may not have updated it yet.
Starting with Java. The April CPU from Oracle released many updates, including Java. This quarter’s update for Java was a small one: eight total CVEs, seven of which can be exploited remotely without authentication. Two are rated at a CVSS of 8.3 and one is 7.7. All three fit the profile for vulnerabilities more likely to be exploited (based on Verizon Data Breach Investigation Report 2016 research).
Since 2015, Java exploits have been on the decline, which is good. This has been attributed to the release of Java 8 and more frequent updating by companies, efforts by Oracle to double-down on resolving vulnerabilities and removal of older Java versions from production systems. It’s great to see the decline of exploits in what used to be the number one exploited application.
Shifting gears, let’s talk about two recent incidents that are causing some concern. The first is a phishing scam going viral that involves an email offering to share a Google Doc with you. The scam is an attempt to capture your Google credentials. A couple of things to help mitigate this type of scam are user training and awareness.
A healthy level of paranoia and attention to detail when sent invites to share, attachments from unknown sources, or even known sources that seem a bit out of the ordinary help to flush out scams like this. Also, implementing two-step authentication for accounts where available is important. This is the guidance that experts are recommending on this particular scam.
The second bit of significant news circulating is the 10-year-old vulnerability in Intel processors that has raised many concerns. On systems with the AMT feature enabled, you are pretty much exposed to remote exploit with very little ability to detect or stop the attack from happening. The vulnerability is at a firmware level, so there are no simple software updates here. Firmware updates are also slow to release (the vulnerability was identified in March and Intel has just shipped updates to OEMs, which in turn will take some time to release them as well). It’s possible to mitigate the vulnerability until firmware updates become available.
Since the vulnerability is so old, there are many processors that are no longer getting firmware updates. This means that older systems may never get an update to resolve the vulnerability. Hardware updates like this are also not typically seen as security related, which causes different complications, such as having infrastructure and solutions to roll out firmware updates quickly and efficiently.
Luckily, the consumer market is less likely to be impacted by this threat since the AMT features would not typically be turned on for those systems, reducing the threat to local access rather than over the network. The Mac platform is also in the clear as it does not ship AMT software. To validate if your system is at risk, you can use this document from Intel.
Patch Tuesday forecast
Now to try my luck at the Patch Tuesday forecast! March was pretty big due to our double Patch Tuesday volume. April was still decent sized and came with a bit of confusion as Microsoft stepped away from the bulletin model.
We can expect an update for the OS, IE and Flash Player for IE, of course. Also, count on at least a Flash update from Adobe, but maybe not much else. Beyond that, I think we will see updates for Office. I am thinking Patch Tuesday will bring us at least five updates from Microsoft and at least one from Adobe. We’re going to be airing the monthly Ivanti Patch Tuesday Webinar live from The Mirage in Las Vegas this month, so there will be a mix of web and live audience, which will be a treat!