September Patch Tuesday forecast: Evaluate third-party updates alongside Microsoft release
There’s some good and some bad news for the Patch Tuesday forecast this month. The good news is a number of vendors have just released last week, clearing the slate for what might be a fairly Microsoft-focused Patch Tuesday.
The bad news is there are a number of third-party updates already released this week that you will want to evaluate alongside the Microsoft release, if you have not already prioritized them for deployment. There is also a Windows APLC zero day that is being exploited in the wild and there are some other vulnerabilities of interest, but let’s start with the zero day.
Activity is rising around use of this vulnerability according to ESET. A group known as PowerPool has been using this in a spam campaign as a second-stage backdoor to elevate privilege levels if they have found something of interest to exploit.
This zero day was first disclosed on August 27, 2018 when a frustrated security researcher SandboxEscaper released her findings through Twitter. CERT/CC confirmed the vulnerability was real and the proof-of-concept code worked in an advisory also released on the 27.
“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges,” the alert stated.
According to an ESET security researcher, they have been monitoring a low-volume spam campaign that is targeted at selected victims around the globe. Their attack contains malicious attachments that will infect the user and open a first-stage backdoor where the attackers will evaluate what they have gained access to. From there, if they deem something of value to be on the system, they will download a second, more powerful backdoor to further compromise the system. The ALPC zero day allows them to gain the admin rights needed to implement their backdoors.
An update to resolve this zero day is likely to be coming on Tuesday.
Another recent security concern was in Apache Struts. Security firm Semmle discovered CVE-2018-11776 in Struts core, which can be used by multiple attack vectors. The vulnerability is exploitable if alwaysSelectFullNamespace flag is set to true in the Struts configuration, which is automatically the case when the Struts Convention plugin is in use, or if a user’s Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace.
This affects all versions of Apache Struts 2.
The last security awareness piece I wanted to talk about is around a very common risk in many environments—WordPress. This widely used platform has a regular stream of security vulnerabilities that should be a concern as WordPress sites are most often public-facing and can be used as an entry point into your network. A site I often visit to keep an eye on vulnerabilities on WordPress is the WPScan Vulnerability Database. There are a few recent plugin vulnerabilities that you may want to be aware of and look to update.
Let’s move on to the forecast itself:
Chrome and Firefox just released updates last week so we won’t likely see anything from them next week. Adobe has done a few Acrobat\Reader updates in a row over the past two months, so likely only Flash Player from them. Oracle is not due for another critical patch update (CPU) until next month so no Java next week. So for non-Microsoft updates I expect Adobe Flash is really the only one we will see on Patch Tuesday.
For Microsoft we have at least one zero day so everything OS-level will be Critical. August included updates for Office, .Net, Sharepoint, Exchange, and SQL—pretty much the full gambit. I expect we will see a smaller set of updates from Microsoft for September.
Fingers crossed that we may have a relatively easy September Patch Tuesday.