windows-update

Microsoft today released its June 2020 batch of software security updates that patches a total of 129 newly discovered vulnerabilities affecting various versions of Windows operating systems and related products.

This is the third Patch Tuesday update since the beginning of the global Covid-19 outbreak, putting extra pressure on security teams that are struggling to keep up with patch management while taking care not to break anything during this lockdown season.

The 129 bugs in the June 2020 bucket for sysadmins and billions of users include 11 critical vulnerabilities—all leading to remote code execution attacks—and 118 classified as important in severity, mostly leading to privilege escalation and spoofing attacks.

According to the advisories Microsoft released today, hackers fortunately don’t appear to be exploiting any of these vulnerabilities in the wild, and none of the flaws addressed this month had been publicly disclosed before this publication.

One of the notable flaws is an information disclosure vulnerability (CVE-2020-1206) in the Server Message Block 3.1.1 (SMBv3) protocol that, according to a team of researchers, can be exploited in combination with the previously disclosed SMBGhost flaw (CVE-2020-0796) to achieve remote code execution. You can find more details on this flaw here.

Three critical bugs (CVE-2020-1213, CVE-2020-1216, and CVE-2020-1260) affect the VBScript engine and exist in the way it handles objects in memory, allowing an attacker to execute arbitrary code in the context of the current user.

Microsoft has listed these flaws as “Exploitation more likely,” explaining that it has seen attackers consistently exploiting similar flaws in the past, and that attacks can be carried out remotely via a browser, an application or a Microsoft Office document that hosts the IE rendering engine.

One of the 11 critical issues is a vulnerability (CVE-2020-1299) in the way Windows handles shortcut (.LNK) files, which allows attackers to execute arbitrary code on targeted systems remotely. Like previous LNK vulnerabilities, this type of attack could also lead to victims losing control over their computers or having their sensitive data stolen.

The GDI+ component that enables programs to use graphics and formatted text on a video display or printer in Windows has also been found vulnerable to a remote code execution flaw (CVE-2020-1248).

According to Microsoft, GDI+ RCE vulnerability can be exploited in combination with a separate critical security feature bypass vulnerability (CVE-2020-1229) affecting Microsoft Outlook software that could let attackers automatically load malicious images hosted on a remote server.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted image to the user. An attacker who successfully exploited this vulnerability could cause a system to load remote images. These images could disclose the IP address of the targeted system to the attacker,” the advisory says.

Besides these, the June 2020 update also includes a patch for a new critical remote code execution flaw (CVE-2020-9633) affecting Adobe Flash Player for Windows systems.

It’s recommended that all users apply the latest security patches as soon as possible to prevent malware or miscreants from exploiting them to gain remote control over vulnerable computers.

To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update and select Check for Windows updates.

Follow me for more information.

intel cpu side channel attack

Cybersecurity researchers have discovered two distinct attacks that could be exploited against modern Intel processors to leak sensitive information from the CPU’s trusted execution environments (TEE).

The first of the flaws, called SGAxe, is an evolution of the CacheOut attack (CVE-2020-0549) uncovered earlier this year, which allows an attacker to retrieve the contents of the CPU’s L1 cache.

“By using the extended attack against the Intel-provided and signed architectural SGX enclaves, we retrieve the secret attestation key used for cryptographically proving the genuinity of enclaves over the network, allowing us to pass fake enclaves as genuine,” a group of academics from the University of Michigan said.

The second line of attack, dubbed CrossTalk by researchers from the VU University Amsterdam, enables attacker-controlled code executing on one CPU core to target SGX enclaves running on a completely different core, and determine the enclave’s private keys.

A TEE, like Intel’s Software Guard Extensions (SGX), refers to a secure enclave, an area within a processor that ensures confidentiality and integrity of code and data. It offers safeguards against the modification of sensitive software and data by malicious actors that may have broken into the target (virtual) machine.

SGAxe Attack: Extracting Sensitive Data From SGX Enclaves

SGAxe builds on the CacheOut speculative execution attack to steal SGX data. According to the researchers, while Intel took steps to address side-channel attacks against SGX via several microcode updates and new architectures, the mitigations have proven ineffective.

The result is a transient execution attack that can recover SGX cryptographic keys from a fully updated Intel machine that is trusted by Intel’s attestation server.

Attestation is a mechanism offered as part of SGX that lets enclaves prove to third parties that they have been correctly initialized on a genuine Intel processor. The idea is to ensure that the software running inside the CPU hasn’t been tampered with and to give increased confidence that the software is running inside the enclave.

“In a nutshell, we use CacheOut to recover the sealing keys from within the address space of Intel’s production quoting enclave,” the researchers stated. “Finally, we use the recovered sealing keys in order to decrypt the long term storage of the quoting enclave, obtaining the machine’s EPID attestation keys.”


By breaking this trust, SGAxe makes it easy for an attacker to create a rogue enclave that passes Intel’s attestation mechanism, resulting in loss of security guarantees.

“With the machine’s production attestation keys compromised, any secrets provided by [the] server are immediately readable by the client’s untrusted host application, while all outputs allegedly produced by enclaves running on the client cannot be trusted for correctness,” the researchers said. “This effectively renders SGX-based DRM applications useless, as any provisioned secret can be trivially recovered.”

Although Intel issued fixes for CacheOut back in January via a microcode update to OEM vendors and subsequently via BIOS updates to end-users, mitigations for SGAxe will require patching the root cause behind CacheOut (aka L1D Eviction Sampling).

“It is important to note that SGAxe relies on CVE-2020-0549 which has been mitigated in microcode (confirmed by the researchers in their updated CacheOut paper) and distributed out to the ecosystem,” Intel said in a security advisory.

The chipmaker will also perform a Trusted Compute Base (TCB) recovery to invalidate all previously signed attestation keys.

“This process will ensure that your system is in a secure state such that your system is able to use remote attestation again,” the researchers stated.
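To make the attestation argument above concrete, here is an added example (not code from the article, from Intel or from the researchers): a simplified Python model of remote attestation in which a verifier checks a quote over an enclave measurement. An HMAC tag and a verifier-side key table stand in for Intel’s EPID group signatures and attestation service, so the class names, key identifiers, TCB version numbers and enclave code are all constructed. It walks through a genuine enclave attesting, a rogue host passing attestation once the platform’s attestation key has been extracted, that forged quote being rejected after a TCB recovery revokes the key and requires the patched TCB level, and the re-provisioned platform attesting again.

```python
# Added example, not from the article and not Intel's code: a simplified model of
# enclave remote attestation. It shows why a leaked platform attestation key lets a
# rogue enclave pass verification, and how a TCB recovery (revoking the old key and
# requiring the patched TCB level) restores the guarantee. Intel's real scheme uses
# EPID group signatures and the Intel Attestation Service; the HMAC-tagged "quote"
# and the verifier-side key table below are stand-ins, not Intel's protocol.
import hashlib
import hmac
import secrets


def measure(enclave_code: bytes) -> str:
    """Hash of the enclave's code, standing in for the SGX MRENCLAVE measurement."""
    return hashlib.sha256(enclave_code).hexdigest()


def quote_body(measurement: str, nonce: str, tcb_version: int) -> bytes:
    """Canonical bytes that the attestation key signs."""
    return f"{measurement}|{nonce}|{tcb_version}".encode()


class QuotingEnclave:
    """Holds a platform's attestation key and produces quotes over a measurement."""

    def __init__(self, key_id: str, key: bytes, tcb_version: int):
        self.key_id, self.key, self.tcb_version = key_id, key, tcb_version

    def quote(self, measurement: str, nonce: str) -> dict:
        tag = hmac.new(self.key, quote_body(measurement, nonce, self.tcb_version),
                       hashlib.sha256).hexdigest()
        return {"key_id": self.key_id, "measurement": measurement, "nonce": nonce,
                "tcb_version": self.tcb_version, "tag": tag}


class AttestationService:
    """Stand-in for the verifier: knows which attestation keys are still trusted
    and the minimum TCB version a platform must report."""

    def __init__(self, trusted_keys: dict, min_tcb_version: int):
        self.trusted_keys = dict(trusted_keys)
        self.min_tcb_version = min_tcb_version

    def tcb_recovery(self, revoke_key_id: str, new_key_id: str, new_key: bytes,
                     new_min_tcb: int) -> None:
        """Invalidate a key issued before the fix and require the patched TCB level."""
        self.trusted_keys.pop(revoke_key_id, None)
        self.trusted_keys[new_key_id] = new_key
        self.min_tcb_version = new_min_tcb

    def verify(self, q: dict, expected_measurement: str, expected_nonce: str) -> str:
        key = self.trusted_keys.get(q["key_id"])
        if key is None:
            return "REJECT: attestation key revoked or unknown"
        expected_tag = hmac.new(key, quote_body(q["measurement"], q["nonce"], q["tcb_version"]),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, q["tag"]):
            return "REJECT: bad signature"
        if q["nonce"] != expected_nonce:
            return "REJECT: replayed quote"
        if q["tcb_version"] < self.min_tcb_version:
            return "REJECT: platform TCB below required level"
        if q["measurement"] != expected_measurement:
            return "REJECT: unexpected enclave measurement"
        return "ACCEPT"


def scenario() -> list:
    """Walk through: genuine attestation, key leak, TCB recovery, re-provisioning."""
    genuine_code = b"enclave: decrypt licensed media"      # constructed enclave code
    rogue_code = b"enclave: copy licensed media out"       # constructed rogue host code
    expected = measure(genuine_code)
    key_v1 = secrets.token_bytes(32)
    platform = QuotingEnclave("platform-A/v1", key_v1, tcb_version=1)
    service = AttestationService({"platform-A/v1": key_v1}, min_tcb_version=1)
    outcomes = []

    # 1. An honest platform attests the genuine enclave.
    nonce = secrets.token_hex(8)
    outcomes.append(service.verify(platform.quote(expected, nonce), expected, nonce))

    # 2. The attestation key has been extracted from the platform (the SGAxe outcome):
    #    the untrusted host runs rogue code but quotes the genuine measurement.
    leaked = QuotingEnclave("platform-A/v1", key_v1, tcb_version=1)
    nonce = secrets.token_hex(8)
    assert measure(rogue_code) != expected   # the rogue code could never attest honestly
    outcomes.append(service.verify(leaked.quote(expected, nonce), expected, nonce))

    # 3. TCB recovery: the old key is invalidated and the patched TCB level is required.
    key_v2 = secrets.token_bytes(32)
    service.tcb_recovery("platform-A/v1", "platform-A/v2", key_v2, new_min_tcb=2)
    nonce = secrets.token_hex(8)
    outcomes.append(service.verify(leaked.quote(expected, nonce), expected, nonce))

    # 4. The patched platform is re-provisioned with a fresh key and attests again.
    patched = QuotingEnclave("platform-A/v2", key_v2, tcb_version=2)
    nonce = secrets.token_hex(8)
    outcomes.append(service.verify(patched.quote(expected, nonce), expected, nonce))
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(scenario(), 1):
        print(step, outcome)
```

The point of step 2 is that the verifier has no way to tell the forged quote from a genuine one: the signature, nonce and TCB version are all valid, so attestation stands or falls with the secrecy of the key. The verifier-side checks on nonce and TCB version are also what make step 3 work: a recovery that only bumped the minimum TCB level would still reject the leaked key’s quotes, because they report the unpatched version.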

CrossTalk Attack: Leaking Information Across CPU cores

CrossTalk (CVE-2020-0543), the second SGX exploit, is what the VU University calls an MDS (Microarchitectural Data Sampling) attack. It takes advantage of a “staging” buffer that’s readable across all CPU cores to mount transient execution attacks across the cores and extract the entire ECDSA private key of a secure enclave running on a separate CPU core.

“The staging buffer retains the results of previously executed offcore-instructions across all CPU cores,” the researchers observed. “For instance, it contains the random numbers returned by the offcore hardware DRNG, bootguard status hashes, and other sensitive data.”


Put differently, CrossTalk works by reading the staging buffer during transient execution in order to leak sensitive data accessed by previously executed victim instructions.

The fact that the buffer retains output from RDRAND and RDSEED instructions makes it possible for an unauthorized party to track the random numbers generated, and therefore compromise the cryptographic operations that underpin the SGX enclave, including the aforementioned remote attestation process.

With Intel CPUs released from 2015 to 2019, including Xeon E3 and E CPUs, susceptible to the attacks, the VU University researchers said they shared with Intel a proof-of-concept demonstrating the leakage of staging buffer content in September 2018, followed by a PoC implementing cross-core RDRAND/RDSEED leakage in July 2019.

“Mitigations against existing transient execution attacks are largely ineffective,” the team summarized. “The majority of current mitigations rely on spatial isolation on boundaries which are no longer applicable due to the cross-core nature of these attacks. New microcode updates which lock the entire memory bus for these instructions can mitigate these attacks—but only if there are no similar problems which have yet to be found.”

In response to the findings, Intel addressed the flaw in a microcode update distributed to software vendors yesterday after a prolonged 21-month disclosure period due to the difficulty in implementing a fix.

The company has recommended users of affected processors update to the latest version of the firmware provided by system manufacturers to address the issue.


security-drift

Global spending on cybersecurity products and services is predicted to exceed $1 trillion over the five-year period from 2017 to 2021, with different analysts putting the Compound Annual Growth Rate (CAGR) at anywhere from 8 to 15%.

It is not surprising to see this growth in spending, which is primarily driven by the evolving sophistication and volume of attacks as well as the mounting costs of a successful data breach.

And yet, data breaches continue.

The sad news is that about 80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper security configurations.

The specific reasons vary, but they include staffing and resource issues and a lack of the expertise needed to optimize complex, multi-vendor security systems, among others. Whatever the specific cause, the common theme is that security lagged either internal IT changes or changes in the external threat landscape.

The phenomenon is well known in technology spheres – from things like configuration drift, as applications and platforms change without reorganization, to cloud drift, as new serverless resources evolve to suit point issues but are not accounted for in overall infrastructure growth estimates.

Because of this, we’re looking at a new form of drift centered primarily on changes that impact cybersecurity – essentially a security drift.

IT & Security Teams Face a Double Whammy

On the one hand, security teams have to continuously address evolving threats and adversarial sophistication, and on the other, IT teams are continually adapting to change and making alterations to environments that can create security drift, some addressed, and some invisible.

At one end of the spectrum are high-visibility changes revolving around hot topics like Information Technology and Operational Technology (IT/OT) convergence – and these usually (though not always) get concurrent attention from cybersecurity teams.

At the other end of the security drift spectrum are day-to-day maintenance operations that may not get the attention they deserve from security teams. These include routine activities such as software updates for new features, bug fixes, and vulnerability patching, and the upgrading or replacement of commodity software that does not require major planning.

No matter if the changes are happening to new systems going into production, or existing systems in production, the drift is created as the changes are made without security oversight or with insufficient security oversight.

Unfortunately, there are many examples of security drift situations where routine software updates and IT changes introduce vulnerabilities that require discovery and patching.

A high-tech company that had a robust (or so they thought) A/V solution allowed for a three-week patch drift for 2% of its systems. This was because some systems required testing before patching (due to OS and application concerns), and others were delayed due to operational constraints. The company was hit by a worm that was propagated to almost all unpatched systems, close to 3,000 machines.

The consequence was a denial of service from within that disrupted business and hampered remediation and restoration of the company’s IT systems.

A multinational outsourcing company deployed FTP servers for the purpose of dedicated file sharing with its customers. Its procedure for onboarding a new customer was to clone an existing service, change the default credentials, exclude the new system from DNS, and test the new system within a week of deployment.

Unfortunately, in one case, the lag between deploying and testing was enough for a hacker to find a system that was inadvertently left with default credentials and penetrate the customer’s data at great cost to the outsourcing company. The security drift created by the new instance created the opening that an adversary needed to initiate and successfully complete an attack.

These examples are significant in size and impact, but it’s the small examples of security drift that are the true silent killers, the proverbial loss of a nail in a horseshoe that loses the kingdom.

Examples include a Web Application Firewall that was misconfigured and placed into learning mode (monitoring only), and a case in which IT changed the name of a server that had restricted access. The name change inadvertently made the server accessible to everyone. Luckily, this was detected before any damage was incurred, and the rule that enforces the access policy was updated.

There is one thing that links all of these incidents together. Security drift is the consequence of change, and security operations are either unaware of the change or its significance. In some cases, it will create manageable risk, and in other cases, the risk demands immediate attention; but in all cases, the drift exists and puts the organization at risk. This lack of insight makes security drift the silent killer.
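The common thread, that security operations never learned of the change, suggests the defender-side check that closes the gap: compare the inventory as it is today against the inventory the security team last reviewed. The following added example (not code from the article or from Cymulate) is a small Python drift check over two constructed inventory snapshots; the hostnames, patch dates, credential pairs and the 21-day threshold are all made up to mirror the incidents above. It flags an unreviewed clone still carrying default credentials, a WAF left in monitoring mode, a host whose patch lag exceeds policy, and an access rule orphaned by a server rename.

```python
# Added example, not from the article and not Cymulate's code: a drift check that
# compares a current asset inventory against the baseline the security team signed
# off on and flags the kinds of drift described above (patch lag, a cloned service
# left with default credentials, a WAF left in monitoring mode, and a renamed
# restricted host whose access rule no longer matches anything). The inventory
# records, hostnames, credentials and thresholds are constructed for illustration.
from datetime import date

MAX_PATCH_LAG_DAYS = 21                                      # constructed policy (three weeks)
DEFAULT_CREDENTIALS = {("admin", "admin"), ("ftp", "ftp")}   # constructed placeholder set
TODAY = date(2020, 6, 30)                                    # constructed snapshot date

# Inventory the security team last reviewed (constructed).
BASELINE = {
    "assets": {
        "fs-01": {"role": "fileshare", "patched": date(2020, 6, 9), "creds": ("svc_fs", "rotated")},
        "waf-01": {"role": "waf", "patched": date(2020, 6, 9), "mode": "blocking"},
        "hr-db": {"role": "database", "patched": date(2020, 6, 9)},
        "lab-07": {"role": "workstation", "patched": date(2020, 5, 25)},
    },
    "access_rules": {"hr-db": ["hr-team"]},  # restricted host -> groups allowed to reach it
}

# Inventory pulled today, after IT made changes without security review (constructed).
CURRENT = {
    "assets": {
        "fs-01": {"role": "fileshare", "patched": date(2020, 6, 9), "creds": ("svc_fs", "rotated")},
        "fs-02": {"role": "fileshare", "patched": date(2020, 6, 29), "creds": ("ftp", "ftp")},
        "waf-01": {"role": "waf", "patched": date(2020, 6, 9), "mode": "learning"},
        "hr-db-new": {"role": "database", "patched": date(2020, 6, 9)},
        "lab-07": {"role": "workstation", "patched": date(2020, 5, 25)},
    },
    "access_rules": {"hr-db": ["hr-team"]},  # rule still keyed on the old hostname
}


def detect_drift(baseline: dict, current: dict, today: date) -> list:
    """Return (asset, code, detail) tuples for every drift condition found."""
    findings = []
    for name, asset in current["assets"].items():
        if name not in baseline["assets"]:
            findings.append((name, "new-asset", "present in inventory but not in the reviewed baseline"))
        lag = (today - asset["patched"]).days
        if lag > MAX_PATCH_LAG_DAYS:
            findings.append((name, "patch-lag", f"last patched {lag} days ago"))
        if asset.get("creds") in DEFAULT_CREDENTIALS:
            findings.append((name, "default-creds", "default credentials still set"))
        if asset.get("role") == "waf" and asset.get("mode") != "blocking":
            findings.append((name, "waf-not-enforcing", f"mode is {asset.get('mode')}"))
    # An access rule keyed on a hostname that no longer exists (for example after a
    # rename) silently stops restricting anything.
    for host in current["access_rules"]:
        if host not in current["assets"]:
            findings.append((host, "orphaned-access-rule", "rule references a host that no longer exists"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per drift code, the figure a dashboard would track over time."""
    counts = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    findings = detect_drift(BASELINE, CURRENT, TODAY)
    for asset, code, detail in findings:
        print(f"{asset:10} {code:22} {detail}")
    print(summarize(findings))
```

Run on a schedule against a real inventory export, the value of a check like this is less the individual findings than the trend: a rising count of new-asset or patch-lag findings between reviews is the measurable form of the drift the article describes.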

Avoiding the Silent Killer

The traditional practice for identifying and dealing with security drift is a combination of IT procedures and policies, vulnerability management systems, and pen-testing. While vulnerability scanning provides near-real-time results, pen testing does not, which can leave an unacceptably lengthy window for security drift to occur.

A new paradigm of security validation is becoming widely available for the security Blue Team, one that automates security validation in production environments. Complementing periodic pen testing by filling in the void between tests, continuous security validation becomes a powerful way to reduce the impact of security drift by detecting and identifying instances of drift in near-real-time.

Continuous security validation with Breach and Attack Simulation platforms can match the rate of internal and external change with the ability of the organization to detect changes that create weaknesses and gaps to help manage security drift better. Don’t let the silent killer getya’.

For more information, visit www.cymulate.com and register for a Free Trial.


cynet

As cyber threats keep on increasing in volume and sophistication, more and more organizations acknowledge that outsourcing their security operations to a 3rd-party service provider is a practice that makes the most sense.

To address this demand, managed security services providers (MSSPs) and managed service providers (MSPs) continuously search for the right products that would empower their teams to deliver high-quality and scalable services.

Cynet 360 Autonomous Breach Protection platform offers a multitenant security solution for MSSP/MSP, providing automated, all-in-one products that include a robust SOAR layer, on top of attack prevention and detection. (Learn more about Cynet’s partner program for MSPs and MSSPs here).

Service providers typically have a skilled security team at their disposal. The challenge is how to leverage this skill to serve as many customers as possible without compromising on the quality of the service. That makes each minute of each team member’s time a precious resource.

As a result, when shortlisting security technologies, MSSPs and MSPs look for products that would enable their teams to deliver the most value with minimum operational investment.

Cynet 360’s autonomous breach protection highlights:

  • All in one – single solution that includes EPP, EDR, MDR with additional SIEM and SOAR capabilities, empowering the MSSP/MSP team to master and deliver full breach protection across users, networks, and endpoints from one interface.
  • Multitenancy – easy and scalable service to multiple customers, running a dedicated Cynet instance for each and monitoring all from a central dashboard tailor-made for MSP/MSSP needs.
  • CyOps – 24/7 MDR services delivering alert monitoring, attack investigation, proactive threat hunting, and assistance in remote IR operations.
  • Inventory visibility – monitoring and control of all assets within the environment: machines, installed software, user accounts, and all related activity.
  • Rapid deployment – zero time to value with seamless distribution across thousands of endpoints within hours.
  • Partner enablement program – easy onboarding with continuous technical support and SE onboarding, together with sales enablement collateral (decks, webinars, training materials, etc.).
  • Automated remediations – end-to-end automation of the response process, from root cause and impact analysis to active remediation of infected hosts, malicious files, C2C traffic, and compromised user accounts.

(Screenshots on the original page: Tailored Security Policies for each Customer; Granular Site-level Alert Visibility)

On top of optimizing existing MSSP/MSP operations, Cynet 360’s multitenant architecture, high automation capabilities, and 24/7 MDR can enable any VAR or IT service provider to add security services to its portfolio.

Learn more about Cynet 360 for MSSP/MSP here.

