July 2016: A Perfect Vulnerability Storm

It turned out to be a tricky month for security admins to take that long-awaited summer vacation because July was one of the busiest months in recent memory in terms of vulnerabilities. The vulns were copious and severe, and all the big vendors seemed to suffer. And while every organization strives to keep all of their technology patched and updated, months like this one remind us that it is virtually impossible to be perfect. Let’s take a quick look at all the recent action and recap what you need to know.

Microsoft’s 20-Year Vulnerability

Microsoft’s Patch Tuesday release contained several important fixes, but one in particular is likely to keep security teams busy patching Windows machines in their networks. MS16-087 is one of those scary vulnerabilities that has more or less been sitting in plain sight for the better part of two decades, and it creates a potential goldmine for attackers.

The issue centers around the way the Windows operating system deals with printers. To make it easy for users to find and use printers, Windows trusts the printer to automatically deliver the appropriate printer driver to the end-user machine, where the OS dutifully installs it. The problem is that these drivers were not validated, did not trigger User Account Control prompts, and ran as system-level drivers.

As a result, if an attacker could compromise a printer – or simply impersonate one – the attacker could deliver code to the victim that the machine would trust and run with system-level privileges.  The attacker could run this scam repeatedly as users connect to the printer, effectively turning it into a malicious watering-hole to progressively infect host after host in the network. Making matters worse, the same mechanism works over web-based connections using the MS-WPRN protocol, enabling users to be infected over the Internet. A deeper dive into the issue is available here.

The staggering number of end-user laptops running Windows ensures that this vulnerability will require a lot of time and attention from security teams. Virtually every version of Windows was affected, reaching back to Windows 95, so pretty much everything that runs Windows will need to be patched, and that is a lot of cats to herd.
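The Point-and-Print behaviour described above is governed on domain-joined machines by the Point and Print Restrictions group policy. The following PowerShell audit, added here and not part of the original article, reads that policy's documented registry values and reports any setting that would let a printer-supplied driver install without a warning or elevation prompt; the "hardened" thresholds it checks against are the script's own assumptions, not values from the article.

```powershell
# Added example (not from the SecurityWeek article): audit the Point and Print
# Restrictions policy that controls whether Windows installs printer-delivered
# drivers silently. The registry path and value names are the documented Group
# Policy keys; the expected values below are this script's hardened baseline.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintAudit {
    $findings = @()
    if (-not (Test-Path $PolicyPath)) {
        $findings += 'Point and Print Restrictions policy is not configured; platform defaults apply.'
        return $findings
    }
    $p = Get-ItemProperty -Path $PolicyPath

    # Restricted = 1 means the policy is enabled at all.
    if ($p.Restricted -ne 1) {
        $findings += 'Restricted is not 1: Point and Print restrictions are not enforced.'
    }
    # NoWarningNoElevationOnInstall = 1 suppresses the warning and elevation
    # prompt when a new driver is installed from a print server.
    if ($p.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall is 1: new drivers install with no prompt.'
    }
    # UpdatePromptSettings: 0 = warning and elevation prompt on driver update,
    # 1 = warning only, 2 = neither. Anything other than 0 relaxes the check.
    if ($p.UpdatePromptSettings -ne 0) {
        $findings += 'UpdatePromptSettings is not 0: driver updates are not fully prompted.'
    }
    # TrustedServers = 1 plus a populated ServerList limits driver delivery to
    # named print servers rather than any device that claims to be a printer.
    if ($p.TrustedServers -ne 1 -or [string]::IsNullOrWhiteSpace($p.ServerList)) {
        $findings += 'TrustedServers/ServerList not set: any print server may supply a driver.'
    }
    return $findings
}

$result = @(Get-PointAndPrintAudit)
if ($result.Count -eq 0) {
    Write-Output 'Point and Print Restrictions: hardened settings present.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on a representative workstation; an empty result means the policy is present and set to prompt before any printer-delivered driver is installed or updated.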

Oracle’s Colossal CPU

Oracle posted the largest Critical Patch Update in the company’s history to address a total of 276 vulnerabilities. The issues were spread across a wide variety of Oracle products and technologies including Java, Oracle E-business Suite, Oracle Retail Applications, Fusion Middleware, and Supply Chain Products Suite. Of the 276 vulnerabilities, 159 were remotely exploitable without authentication, and 28 total vulns had a CVSS score over 9.0. The combination of high volume, severity, and the importance of the affected systems make this batch of vulnerabilities a very high priority for enterprises that use these products.

Flash Brings Up the Rear

While it didn’t keep up with the scale of Microsoft or Oracle, Adobe released 52 fixes for weaknesses in the much-maligned Flash Player. Of the 52 vulns, 33 of them enabled remote code execution. Much like the Microsoft bug discussed earlier, the ubiquity of Flash support within modern browsers creates a massive attack surface on end-users’ machines. It is incredibly difficult for security teams to track and ensure that individual plugins on a user’s device remain up to date. And once again, this leads to plenty of weak spots that attackers can take advantage of.

Altogether, this batch of vulnerabilities underlines the challenge of patching modern networks. Internet-facing plugins like Flash provide a large attack surface that attackers can use to get a foot in the door. Alternatively, attackers could use the Microsoft Point-and-Print vulnerability both to infect a user from the Internet and then to spread laterally within the network by turning a printer into a malicious watering hole. The Oracle vulnerabilities affect a wide variety of mission-critical systems that enterprises rely on in order to function.

July was a perfect storm where everything from the end-user’s browser to the underlying enterprise software for mission-critical systems received a black eye. It is also a reminder that while patch management is critical to security, it is a task where it is almost impossible to be perfect. And when our preventative measures can’t be perfect we have to depend on a layered approach to security to weather the storms.
