November Patch Tuesday forecast: .NET, Adobe, Firefox and more

November Patch Tuesday forecastFall is upon us and the holidays are right around the corner! But before we continue shopping, we need to cover a few security topics for this month.

KRACK vulnerability

The hot topic right now is the KRACK vulnerability which is named from the Key Reinstallation Attack. This is a vulnerability in the Wi-Fi WPA security protocol which allows a third party to eavesdrop on the information being sent. This can include passwords, credit card numbers, and any data being sent over the Wi-Fi connection.

Unlike most vulnerabilities which are device specific, this is a vulnerability in the protocol itself and therefore all devices using Wi-Fi are potentially vulnerable. So, if you are shopping in public and using your phone to pay transactions – beware!

The good news is that most vendors are providing updates to quickly address the problem, but you may not be able to rely on your local coffee shop or other public Wi-Fi to diligently update devices. So, take a look at this quick list of tips to keep secure this holiday season:

  • Make sure your devices are up to date. Laptops, phones, tablets, and home Wi-Fi devices. Pretty much anything with Wi-Fi is susceptible until the vulnerabilities are plugged. Some older devices may not receive updates.
  • Avoid connecting to public Wi-Fi if you are going to be transacting any sensitive information.
  • If you do connect to a public Wi-Fi make sure you stick to sites that are encrypted (the URL will start with HTTPS) as this will secure the sensitive transactions from prying eyes.
  • If possible it is always a good practice to use a VPN as this secure tunnel will also protect data from being exposed, so connect up to that hotel Wi-Fi, connect to your VPN and surf that secure tunnel in style!

Adobe

Other notable security considerations this month include the news that October 15th marked the end of support for Adobe Reader XI and Adobe Acrobat XI. Although the product will continue to function, Adobe strongly recommends you update to Adobe Reader DC and Adobe Acrobat DC.

Remember that end of support means there are no more features, but more importantly there are no more security updates. You should always have a plan to remove or update products that have reached this status. As new vulnerabilities are discovered and reported, these legacy products become instantly vulnerable and you are limited to migrating means to protect them as no patches are coming.

We expected October’s Patch Tuesday to be relatively calm with an average number of patches, but the floodgates opened quickly. Microsoft released several patches that caused BSODs for early adopters; they were quick to remedy the situation. For the first time in over a year Microsoft did not issue an update for Flash as part of their release. But the following Monday, Adobe provided us with a patch to address a zero-day vulnerability. You just never know how these patch cycles will unfold. I just hope November is light month so I can get out there to buy a Christmas gift for my wife.

November Patch Tuesday forecast

  • In addition to the usual Microsoft OS updates this month, we may see a new .NET release. This month will include a Flash release to cover the latest vulnerabilities.
  • Adobe will be releasing Flash, Acrobat and Reader updates.
  • Mozilla is scheduled to release an updated version of Firefox.