March kept us all very busy with the ongoing out-of-band Microsoft updates for Exchange Server and the printing BSODs, which have plagued us since last Patch Tuesday. It looks like a standard release of updates from Microsoft next week, but before we get to patching vulnerabilities, I would like to focus on the need to discover and report on them.
I entered the software and security market back in the mid-1980s when the internet was growing rapidly and participating was like visiting uncharted territory. Ah yes, CompuServe, Netscape, Commodore VIC-20 – those were the days. There were few standards for interoperability and finding the right people to even discuss them was a challenge.
Those of us in the security industry saw the need to identify and share incident and vulnerability information, but unfortunately ‘security through obscurity’ was often the approach taken – operations over protection. Fast forward to today, and whether you agree or disagree with the state of software security, we at least have the forums and infrastructure to address the issues at a working level.
The Forum of Incident Response and Security Teams (FIRST) is an international organization that provides best practices and assistance when dealing with a security incident. If an attack is underway, there is often strength in numbers for all those being exploited, and this is an avenue to share that information. If you come across a vulnerability in the software you are using on your systems, you have some options on how to handle it.
Many reported vulnerabilities are characterized under Common Vulnerabilities and Exposures (CVE) identifiers tracked in the National Vulnerability Database (NVD) maintained by MITRE. You should check here first to see if the issue is already reported. If it exists in the database, then the vendor is aware of the issue and should be working to correct it, though there is a level of confidentiality involved to prevent public disclosure and exploitation before a fix is available. While I mentioned FIRST and NVD, your company may have other reporting requirements, so check first.
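The "check NVD first" step above can be scripted so that a suspected issue is looked up by CVE ID or keyword before anyone writes to a vendor. The following is an added example, not code from the original post; it assumes the NVD CVE API 2.0 endpoint (https://services.nvd.nist.gov/rest/json/cves/2.0) and its `cveId` / `keywordSearch` parameters, which the post does not mention, and the sample response embedded below is constructed in that schema with a placeholder CVE number so the script runs offline.

```python
"""Check whether a suspected vulnerability is already catalogued in NVD.

Added example, not from the original post. Assumes the NVD CVE API 2.0
endpoint (not mentioned on the page). SAMPLE_RESPONSE is constructed
data in the API's schema, with a placeholder CVE id, for offline use.
"""
from __future__ import annotations

import json
import re
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"  # assumed endpoint
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_query_url(query: str) -> str:
    """Exact lookup when the query is a CVE id, keyword search otherwise."""
    if CVE_ID_RE.match(query.upper()):
        params = {"cveId": query.upper()}
    else:
        params = {"keywordSearch": query}
    return f"{NVD_API}?{urllib.parse.urlencode(params)}"


def already_reported(response: dict) -> bool:
    """True when NVD returned at least one matching record."""
    return response.get("totalResults", 0) > 0


def summarize(response: dict) -> list[dict]:
    """Reduce a response to what a reporter needs: id, status, severity, text."""
    findings = []
    for entry in response.get("vulnerabilities", []):
        cve = entry["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", [])
                     if d.get("lang") == "en"), "")
        score, severity = None, None
        metrics = cve.get("metrics", {})
        # Prefer the newest CVSS version present in the record.
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                data = metrics[key][0].get("cvssData", {})
                score = data.get("baseScore")
                severity = data.get("baseSeverity") or metrics[key][0].get("baseSeverity")
                break
        findings.append({"id": cve["id"], "status": cve.get("vulnStatus"),
                         "score": score, "severity": severity, "description": desc})
    return findings


def fetch(query: str, timeout: int = 30) -> dict:
    """Live lookup over the network; not used by the offline demo below."""
    req = urllib.request.Request(build_query_url(query),
                                 headers={"User-Agent": "nvd-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response in the NVD 2.0 schema (placeholder id, not real data).
SAMPLE_RESPONSE = json.loads("""
{
  "resultsPerPage": 1, "startIndex": 0, "totalResults": 1,
  "vulnerabilities": [{"cve": {
    "id": "CVE-0000-00001",
    "vulnStatus": "Analyzed",
    "descriptions": [{"lang": "en", "value": "Constructed placeholder description."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}
  }}]
}
""")

if __name__ == "__main__":
    print(build_query_url("CVE-0000-00001"))
    print("already reported:", already_reported(SAMPLE_RESPONSE))
    for finding in summarize(SAMPLE_RESPONSE):
        print(finding)
```

When the lookup comes back empty, that is the point at which the post's advice applies: contact the vendor rather than assuming the issue is unknown, since a reserved or embargoed entry may not yet be public.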
In the news this week, the Zero Day Initiative's annual Pwn2Own 2021 competition continues to surface new vulnerabilities that will need to be addressed. This is a valuable service: it allows vendors to fix previously unknown issues, discovered by security research experts, before they are publicly disclosed for open exploitation.
Like those experts, we have an obligation to take action on any vulnerabilities we may discover in performing our regular patch or IT activities. Take the time to see if the vulnerability has been reported and contact the vendor to see if it is a known issue. We all benefit in the long run.
April 2021 Patch Tuesday forecast
- We will see the Windows 10 cumulative updates, security-only and monthly updates for the actively supported operating systems, and, of course, the Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2. Now that Microsoft has settled on its new service stack update (SSU) strategy we may see fewer updates.
- Microsoft Office should get its usual set of updates. I would be surprised if Microsoft released another Exchange Server update.
- Adobe released security updates for many of their products last month, but Acrobat and Reader were last updated in February. We may see those updates next week.
- Apple released the last Big Sur update on March 8th, but we still haven’t seen an iTunes security release for quite a while. We are due for one soon.
- Google just released their beta for Chrome 90 on Windows, Mac, Linux, and iOS this week. We may see a small security fix for Chrome 89 next week.
- Mozilla released some minor security updates for Firefox, Firefox ESR, and Thunderbird back on March 23. They seem to be on a trend of once-a-month, smaller releases so we may not see anything next week.
Don’t forget that the Oracle Critical Patch Updates (CPU) are coming on April 20th.