Weekly Infosec News Brief: 13-19 March 2017
Microsoft Releases Massive Amount of Updates, Fixing 135 Vulnerabilities in 17 Security Bulletins
After February's abortive Patch Tuesday, March's Patch Tuesday is predictably larger than usual. Nine of the bulletins are marked as critical. The Windows updates are bundled together per Microsoft's new patch distribution method, though the updates for the IE and Edge browsers are available separately. Several of the critical vulnerabilities fixed here are already publicly known, and some are already being actively exploited. These include the GDI vulnerability fixed by MS17-013 and two of the browser vulnerabilities fixed in MS17-006/007. We recommend that organizations test and deploy these updates as quickly as possible.
- https://technet.microsoft.com/en-us/library/security/MS17-MAR
- http://www.computerworld.com/article/3180996/security/largest-ever-patch-tuesday-from-microsoft.html
- http://www.csoonline.com/article/3181411/security/microsoft-fixes-record-number-of-flaws-some-publicly-known.html
Several Critical Vulnerabilities Fixed in Updated Versions of Flash and Shockwave
Last Tuesday Adobe released new versions of their Flash and Shockwave software. The Flash update, version 25.0.0.127, fixes seven vulnerabilities, six of which are critical. Given that Flash has been one of the biggest sources of serious vulnerabilities and intrusions in recent years, it is vital that organizations install this update as soon as possible. Flash updates can be complex, given that the process is different for different web browsers and different versions. While Flash can be configured to auto-update, we commonly find that organizations who think their machines are being automatically updated have many machines that are not. It is important to have some type of vulnerability management capability to verify what software and versions are installed on your systems.
- http://www.zdnet.com/article/adobe-fixes-six-remote-code-execution-bugs-in-flash/
- https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
- https://helpx.adobe.com/security/products/shockwave/apsb17-08.html
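The point above about verifying what is actually installed is easy to get wrong when version strings are compared as text. The following script is an added example, not part of the original brief or of any Adobe tooling: it assumes a software inventory exported as CSV with host, product and version columns (the rows embedded below are constructed sample data) and flags every host whose Flash Player build is older than the 25.0.0.127 release named in APSB17-07. Versions are compared numerically, field by field, because a plain string comparison would rank an ancient 9.x build above 25.0.0.127.

```python
"""Flag hosts whose installed Flash Player is below the patched build.

Added example (not from the original brief). It assumes a software
inventory exported as CSV with columns host,product,version; the rows
below are constructed sample data. The patched version 25.0.0.127 is
the one named in Adobe's APSB17-07 bulletin.
"""
import csv
import io

# Patched Flash Player build named in the brief (APSB17-07).
PATCHED_FLASH = "25.0.0.127"

# Constructed inventory export: host, product, version.
SAMPLE_INVENTORY = """host,product,version
ws-101,Adobe Flash Player,25.0.0.127
ws-102,Adobe Flash Player,24.0.0.221
ws-103,Adobe Flash Player,9.0.0.1
ws-104,Adobe Shockwave Player,12.2.7.197
ws-105,Adobe Flash Player,25.0.0.127
ws-106,Adobe Flash Player,25.0.0.99
"""


def parse_version(text):
    """Turn '25.0.0.127' into (25, 0, 0, 127) so comparison is numeric.

    Comparing the raw strings would rank '9.0.0.1' above '25.0.0.127'
    because '9' sorts after '2'; tuples of ints compare field by field.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_outdated(installed, patched=PATCHED_FLASH):
    """True when the installed build is older than the patched one."""
    return parse_version(installed) < parse_version(patched)


def outdated_hosts(inventory_csv, product="Adobe Flash Player",
                   patched=PATCHED_FLASH):
    """Return sorted (host, version) pairs that still need the update.

    Rows for other products (e.g. Shockwave) are skipped; each product
    has its own patched version and should be checked separately.
    """
    reader = csv.DictReader(io.StringIO(inventory_csv))
    stale = []
    for row in reader:
        if row["product"] != product:
            continue
        if is_outdated(row["version"], patched):
            stale.append((row["host"], row["version"]))
    return sorted(stale)


if __name__ == "__main__":
    for host, version in outdated_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Flash {version} < {PATCHED_FLASH}, needs update")
```

Because the brief notes that the update process differs per browser, a real inventory should record which Flash build (browser plug-in) each row refers to, so that a patched plug-in for one browser does not mask an unpatched one on the same host; the sample data here assumes one Flash entry per host for brevity.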
Microsoft Stops Providing Updates for Windows 7 or 8.1 on Newest PCs
Some Windows users and administrators had a rude awakening this week when trying to install Windows updates on some of their newer workstations. Starting this month, Microsoft has stopped supporting older versions of Windows (including Windows 8.1 and Windows 7, which is still the most widely deployed desktop OS in US organizations) on the latest hardware. Microsoft made this announcement in January of 2016, saying that when Intel's seventh-generation "Kaby Lake" processors came out Microsoft would only support the latest versions of Windows for systems running on those chips. The policy also applies to the 6th-generation "Skylake" processor, though Microsoft will continue to support the older operating systems on many of those machines until July of this year. After that time, new Windows updates will not install on older Windows versions running on those newer PCs (details here). This policy may cause some difficulty for organizations that are still standardized on Windows 7, and if it means they aren't able to install security updates the policy could seriously harm their security. However, Windows 10 has some significant security benefits, so to the extent this policy encourages faster adoption of that OS this is a good development. In either case, it is important for organizations buying the latest PCs to realize that doing so means moving to Windows 10, whether they are ready or not.
In other Windows desktop OS news, April marks the end of extended support for Windows Vista. Vista never saw widespread enterprise adoption, but if your organization does have any machines running Windows Vista it is vital to upgrade now; after April, no security updates will be available for Vista workstations.
W-2 Phishing Scams Growing Rapidly this Tax Season
The W-2 scam is an attack aimed at gaining personal financial information of a firm's employees. This is mostly a social-engineering scam, generally with little technical sophistication employed. The scammers email the HR or finance department posing as the CEO or other senior company official, and ask the recipient to send all the company's W-2 forms under some pretext. So far this year, it is estimated that this scam has netted W-2 forms on 120,000 or more persons working for companies where someone fell for the scam. This is a non-technical scam, and the primary solution is non-technical as well: ensure your company has a clear policy on what information is sensitive and how and to whom that information can be transmitted. Personal information of employees is definitely one type of information that should be covered in your organization's policy on sensitive information handling.
- http://www.csoonline.com/article/3180684/security/more-than-120-000-affected-by-w-2-phishing-scams-this-tax-season.html
- https://krebsonsecurity.com/2017/03/govt-cybersecurity-contractor-hit-in-w-2-phishing-scam/