July 2016: A Perfect Vulnerability Storm

It turned out to be a tricky month for security admins to take that long-awaited summer vacation because July was one of the busiest months in recent memory in terms of vulnerabilities. The vulns were copious and severe, and all the big vendors seemed to suffer. And while every organization strives to keep all of their technology patched and updated, months like this one remind us that it is virtually impossible to be perfect. Let’s take a quick look at all the recent action and recap what you need to know.

Microsoft’s 20-Year Vulnerability

Microsoft’s Patch Tuesday release contained several important fixes, but one in particular is likely to keep security teams busy patching Windows machines in their networks. MS16-087 is one of those scary vulnerabilities that has more or less been sitting in plain sight for the better part of two decades, and it creates a potential goldmine for attackers.

The issue centers on the way the Windows operating system deals with printers. To make it easy for users to find and use printers, Windows trusts the printer (or print server) to deliver the appropriate printer driver to the end-user machine, where the OS dutifully installs it. The problem is that these drivers were not validated, did not trigger User Account Control prompts, and ran with system-level privileges.

As a result, if an attacker could compromise a printer – or simply impersonate one – the attacker could deliver code to the victim that the machine would trust and run with system-level privileges. The attacker could run this scam repeatedly as users connect to the printer, effectively turning it into a malicious watering hole that progressively infects host after host in the network. Making matters worse, the same mechanism works over web-based connections using the MS-WPRN protocol, enabling users to be infected over the Internet. A deeper dive into the issue is available here.
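The defender's counterpart to the mechanism described above is the Point and Print Restrictions policy, which controls whether a print server can push a driver onto a workstation without a warning or an elevation prompt. The following audit script is an added example, not code from the article or from Microsoft; it assumes the standard policy registry location and value names (`Restricted`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`, `TrustedServers`, `ServerList`) and reports any setting that leaves silent driver installation enabled.

```powershell
# Added example (not from the SecurityWeek article): audit the Point and Print
# Restrictions policy that governs silent, system-level printer driver installs.
# Assumes the standard policy key and value names; adjust for your baseline.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    # Returns a list of findings; an empty list means the checked settings are hardened.
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path $policyPath)) {
        $findings.Add('Policy key missing: Point and Print Restrictions are not configured')
        return $findings
    }
    $p = Get-ItemProperty -Path $policyPath

    # Restricted = 1 means the restriction policy is enabled at all.
    if ($p.Restricted -ne 1) {
        $findings.Add('Restricted != 1: Point and Print Restrictions policy is disabled')
    }
    # NoWarningNoElevationOnInstall = 1 silences both the warning and the elevation
    # prompt when a new driver is pulled from a print server; 0 keeps the prompt.
    if ($p.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall = 1: new drivers install silently')
    }
    # UpdatePromptSettings: 0 prompts for warning and elevation on driver updates;
    # anything else (or an absent value) weakens or removes that prompt.
    if ($p.UpdatePromptSettings -ne 0) {
        $findings.Add("UpdatePromptSettings = $($p.UpdatePromptSettings): driver updates are not fully prompted")
    }
    # TrustedServers = 1 plus a ServerList confines Point and Print to named servers,
    # which blocks the rogue or impersonated printer scenario from arbitrary hosts.
    if ($p.TrustedServers -ne 1 -or [string]::IsNullOrWhiteSpace($p.ServerList)) {
        $findings.Add('TrustedServers/ServerList not set: any print server can push drivers')
    }
    return $findings
}

$result = Get-PointAndPrintPosture
if ($result.Count -eq 0) {
    Write-Output 'Point and Print restrictions look hardened.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it elevated on a sample of workstations; on domain-joined machines the values normally arrive via Group Policy, so a missing key usually means the GPO is not linked rather than that a local admin removed it.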

The staggering number of end-user laptops running Windows ensures that this vulnerability will require a lot of time and attention from security teams. Virtually every version of Windows was affected, reaching back to Windows 95, so pretty much everything that runs Windows will need to be patched, and that is a lot of cats to herd.

Oracle’s Colossal CPU

Oracle posted the largest Critical Patch Update in the company’s history to address a total of 276 vulnerabilities. The issues were spread across a wide variety of Oracle products and technologies including Java, Oracle E-business Suite, Oracle Retail Applications, Fusion Middleware, and Supply Chain Products Suite. Of the 276 vulnerabilities, 159 were remotely exploitable without authentication, and 28 total vulns had a CVSS score over 9.0. The combination of high volume, severity, and the importance of the affected systems make this batch of vulnerabilities a very high priority for enterprises that use these products.

Flash Brings Up the Rear

While it didn't keep up with the scale of Microsoft or Oracle, Adobe released 52 fixes for weaknesses in the much-maligned Flash Player. Of the 52 vulns, 33 enabled remote code execution. Much like the Microsoft bug discussed earlier, the ubiquity of Flash support within modern browsers creates a massive attack surface on end users' machines. It is incredibly difficult for security teams to track individual plugins on a user's device and ensure that they remain up to date. And once again, this leaves plenty of weak spots that attackers can take advantage of.

Altogether, this batch of vulnerabilities underlines the challenge of patching modern networks. Internet-facing plugins like Flash provide a large attack surface that attackers can use to get a foot in the door. Alternatively, attackers could use the Microsoft Point-and-Print vulnerability to both infect a user from the Internet, and then spread laterally within the network by turning a printer into a malicious watering hole. The Oracle vulnerabilities affect a wide variety of mission-critical systems that enterprises rely on in order to function.

July was a perfect storm where everything from the end-user’s browser to the underlying enterprise software for mission-critical systems received a black eye. It is also a reminder that while patch management is critical to security, it is a task where it is almost impossible to be perfect. And when our preventative measures can’t be perfect we have to depend on a layered approach to security to weather the storms.

Related: Oracle’s Critical Patch Update for July Contains Record Number of Fixes
