It’s a record month for Microsoft, according to Paul Henry, security and forensic analyst at Lumension. With just five bulletins, June is the lightest month we’ve seen from Microsoft so far this year, making it an easy month for IT admins. It’s also the halfway point of the year, which is always a good time to look back and compare against last year. With 50 bulletins so far, Microsoft has issued eight more than it had at the same point last year. Interestingly, the company has issued exactly the same number of critical bulletins as it had at this point last year, 16. That means the difference is made up of important bulletins, which are the type we prefer to see.
Click through for a rundown of the Microsoft patches for June, as well as updates on the upcoming release of Windows 8.1.
This month, your top priority is the single critical bulletin, Bulletin 1, a cumulative update for all versions of IE. It accounts for the bulk of the CVEs being fixed this month: 19 of 23. Though that may look very concerning at first glance, the bulletin should not cause undue alarm. To exploit these vulnerabilities, an attacker would have to craft a malicious web page (or plant the code on a compromised legitimate site) and lure an unsuspecting user to it, typically by phishing; simply viewing the page is what compromises the system. An attacker cannot get in without some user participation. Many of the successful attacks we’ve seen lately have come through phishing, so take the time to educate your users about security and mitigation.
Your next priority should be Bulletin 5, an Office vulnerability. Though it is rated only important, it is your second priority because there have been limited attacks using this vulnerability in the wild. It is not considered publicly known, but it is being actively exploited to some extent, so be sure to patch it immediately. It is exploited through a malicious file delivered to the user, which hopefully your users know better than to open.
Your next two priorities are Bulletins 3 and 4. Bulletin 3 is an important denial-of-service issue in kernel-mode drivers, and it does affect the newest operating systems, Windows 8 and Windows RT. The vulnerability is in the TCP/IP stack’s handling of SYN cookies: to trigger it, an attacker has to flood the system with SYN packets while SYN attack protection and connection tracking are enabled, at which point the flood becomes a denial of service. Rate limiting and SYN-flood protection at the network edge should already be in place to stop the flood before it reaches the host.
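As an added illustration, not code from the original article or from Lumension, the Python below shows the kind of host-side check that goes with the network-level mitigation the bulletin calls for: it walks a packet log and reports each source’s peak number of simultaneously half-open connections (SYN sent, handshake never completed), which is what a SYN flood looks like from the receiving end. The packet records, addresses, window and threshold are all constructed for the example.

```python
from collections import defaultdict


def make_sample():
    """Constructed packet records (not a real capture): (time_s, src_ip, src_port, flags).
    flags "S" is a client SYN; "A" is the client's ACK that completes the handshake."""
    pkts = []
    for i in range(5):  # well-behaved client: every SYN is followed by its ACK within 20 ms
        t = i * 0.1
        pkts.append((t, "10.0.0.5", 40000 + i, "S"))
        pkts.append((t + 0.02, "10.0.0.5", 40000 + i, "A"))
    for i in range(60):  # flooder: 60 SYNs in under half a second, no handshake ever completes
        pkts.append((0.1 + i * 0.008, "198.51.100.7", 50000 + i, "S"))
    return sorted(pkts)


def half_open_peaks(packets, window_s=1.0, per_source=True):
    """Peak number of simultaneously half-open connections per source.

    With per_source=False everything is bucketed under "*", which is the view you
    need when the flooder spoofs source addresses and no single source looks busy."""
    pending = defaultdict(dict)  # bucket -> {(src, sport): syn_time}
    peaks = defaultdict(int)
    for t, src, sport, flags in sorted(packets):
        bucket = src if per_source else "*"
        conns = pending[bucket]
        if flags == "A":
            conns.pop((src, sport), None)  # handshake completed, no longer half-open
            continue
        if flags == "S":
            conns[(src, sport)] = t
        stale = [k for k, ts in conns.items() if t - ts > window_s]
        for k in stale:  # SYNs older than the window have timed out on the host
            del conns[k]
        peaks[bucket] = max(peaks[bucket], len(conns))
    return dict(peaks)


def flag_sources(packets, window_s=1.0, threshold=20):
    """Sources whose half-open count exceeded the threshold inside the window."""
    return sorted(s for s, n in half_open_peaks(packets, window_s).items() if n > threshold)


if __name__ == "__main__":
    sample = make_sample()
    print(half_open_peaks(sample))
    print("flagged:", flag_sources(sample))
    print("aggregate peak:", half_open_peaks(sample, per_source=False)["*"])
```

The per-source view catches a single noisy host; the aggregate view is the one to alert on when sources are spoofed, since the individual counts then stay small while the total half-open backlog still climbs. The window should match the host’s own SYN timeout so that a stale SYN is not counted twice.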
Bulletin 4 is an important elevation-of-privilege issue in the Windows print spooler. An attacker would need valid credentials and would have to be authenticated before the attack could be carried out. On machines that do not need to print, stopping and disabling the Spooler service removes the attack surface entirely.
Bulletin 2 is an important information-disclosure issue in the Windows kernel. It affects many of the supported operating systems, including Windows 8, though not Windows RT. It is not being actively exploited in the wild.
One more thing to note is an additional advisory from Microsoft slated for later this month: an update to improve cryptography and digital certificate handling in Windows, adding functionality that lets admins manage certificate trust lists more granularly.
A few days ago, Microsoft released new information about the upcoming release of Windows 8.1, including updates to its security features. They are definitely steps in the right direction.
One of the first things that jumps out is what Microsoft is calling “Remote Business Data Removal,” which amounts to a remote-wipe capability that can remove corporate data while leaving personal or non-corporate documents untouched. This added granularity in the MDM-like functions is a good thing.
Another feature of particular interest to Henry as a forensic professional is device encryption keyed to the TPM chip, which Windows 8.1 enables by default. This is great for users, but for forensics and incident-response people charged with recovering data from devices on behalf of law enforcement, it could make the job a little more difficult. It is similar to the default encryption on the iPhone 5, where there is a three- to seven-month delay from Apple on law enforcement requests for decryption. In cases such as a missing child, where time is of the essence, that delay is particularly troubling. With Microsoft adding the same capability, the days of “knock and look,” when law enforcement could gain immediate access to data to solve crimes, may be over. It is Henry’s hope that Microsoft is able to avoid that same issue, perhaps by providing a decryption key to law enforcement.
Windows 8.1 will be optimized for biometrics, particularly fingerprint readers. This is great. The crossover error rate of biometric readers (the point at which the false acceptance rate and the false rejection rate are equal, the standard single-number measure of a reader’s accuracy) has improved drastically over the last few years. With that improvement comes renewed hope that passwords may someday go the way of the dodo. Henry thinks a mix of biometric technologies, iris recognition, facial recognition, behavioral patterns and of course fingerprints, will eventually become the norm.
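To make the crossover error rate concrete, here is an added worked example (not from the article, and not tied to any real reader or Windows component) that sweeps a decision threshold over a set of matcher scores and finds the point where false acceptances and false rejections balance. The genuine and impostor score lists are constructed for the example; a real evaluation would use many thousands of comparisons.

```python
# Constructed example scores (not measurements from any real reader).
# A matcher returns a similarity score; a sample is accepted when score >= threshold.
GENUINE_SCORES = [0.50, 0.58, 0.62, 0.66, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95]
IMPOSTOR_SCORES = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.40, 0.55, 0.60, 0.64]


def error_rates(threshold, genuine, impostor):
    """False acceptance rate and false rejection rate at one threshold.

    FAR: impostor attempts that score high enough to be accepted.
    FRR: genuine attempts that score too low and are rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return the one
    where FAR and FRR are closest, as (threshold, far, frr)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    t, far, frr = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t:.2f}: FAR={far:.0%}, FRR={frr:.0%}")
    for t in (0.55, 0.70, 0.90):
        far, frr = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t:.2f}: FAR={far:.0%}, FRR={frr:.0%}")
```

Raising the threshold drives FAR toward zero at the cost of a higher FRR, and vice versa; the crossover is where the two curves meet, so a lower crossover means the reader separates genuine from impostor scores more cleanly. A security-sensitive deployment would normally sit to the right of the crossover, accepting more false rejections for fewer false acceptances.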
Microsoft is also adding improvements to IE 11, including an anti-malware hook that scans input destined for a binary extension before it is passed to the extension for execution. IE 11 represents the most secure browser Microsoft has released to date. Henry always recommends running the latest version of any software and would strongly encourage users to upgrade to IE 11. If you are running an operating system that cannot take it, such as XP, for which Microsoft ends support in April 2014, be sure to update the operating system as well.
There are also updates to Windows Defender, including network behavior monitoring. This behavioral capability is great to see, supplementing signature-based detection, which on its own has been inadequate for some time now. It lets the system act on known malicious behavior even when no signature exists for the sample.
Finally, the Assigned Access device lockdown provides additional security for public-facing corporate devices such as ATMs, kiosks or hardware used in an educational setting. By restricting a machine to a single application, it prevents those machines from being used for tasks they were not intended for, and it reduces risk in educational environments.