Over the last two weeks, Microsoft, Adobe, Mozilla, Google, and VMware all released major security updates to their systems. Installing these updates, or ‘patches,’ can be a key ingredient of your cybersecurity well-being. As we saw with the WannaCry outbreak back in May, failing to update your computer can have a devastating effect.
Microsoft’s security updates, dubbed ‘Patch Tuesday,’ occur on the second and sometimes fourth Tuesday of every month. These patches include important security updates that fix vulnerabilities in their operating system.
On Tuesday, June 14th, Microsoft released their June security updates to fix almost a hundred flaws in the Windows operating system. However, this release was rather unusual: it included updates for Windows XP and Windows Server 2003, which, up until now, were no longer receiving updates. These updates included patches to protect users from potential nation-state activity that could cause devastating cyber attacks, similar to WannaCry.
According to cybersecurity firm Qualys, 27 of the patches could be exploited remotely by malware or cyber criminals to seize complete control over systems with little or no interaction on the part of the user.
Another notable patch involves Server Message Block (SMB). SMB handles file and print sharing capabilities, and a flaw in it can be extremely dangerous if left unpatched on a corporate network. A single piece of malware that exploits the SMB flaw within a network could easily replicate itself to all unpatched systems on the same network. This wormlike behavior is the reason that Windows XP and Windows Server 2003 received their first updates in years. The SMB flaw is extremely similar to the one exposed in WannaCry.
Adobe also released updates this week to fix critical problems in Flash Player and Shockwave Player. For starters, if you have Flash Player and Shockwave Player installed on your system, it’s recommended that you remove them now. Both programs are nearly obsolete, and sites that require them allow you to enable the plug-in while using the site.
If you decide you want to keep the players, make sure that you have the most updated version: Version 18.104.22.168. As you can see from the version number, Adobe releases patches quite often. Adobe’s software is among the most frequently exploited by exploit kits. These kits place traps in hacked and malicious sites so that individuals who visit those sites while running vulnerable Adobe versions are automatically exposed to malware.
Mozilla Releases Four Critical Updates
Four of the twenty-five updates released by Mozilla were deemed ‘critical.’ According to Mozilla’s website, the two following critical updates were identified as vulnerabilities that could be exploited to run arbitrary code:
- CVE-2017-5471: Memory safety bugs fixed in Firefox 54. Memory safety bugs were present in Firefox 53, and some of them showed evidence of memory corruption. It’s presumed that with enough effort, some of these could be exploited to run arbitrary code.
- CVE-2017-5472: Use-after-free using destroyed node when regenerating trees. A use-after-free vulnerability occurs in the frameloader during tree reconstruction, while regenerating CSS layout, when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash.
Google Patches Nexus and Pixel Devices
Google’s June security update includes two patches for Nexus and Pixel devices. The first patch fixes vulnerabilities in Bluetooth that date as far back as Android 4.4.4 but were also present in the latest version, Android 7.1.2. The other updates patch vulnerabilities in Qualcomm, MediaTek and NVIDIA processors. The exact details were not released, which is typical, so that potential hackers don’t attempt to exploit unpatched systems.
VMware Security Update
VMware released its latest update, VMSA-2017-0011, last week. The advisory, titled ‘Horizon View Client update addresses a command injection vulnerability,’ documents an important command injection vulnerability in the service startup script that affects VMware Horizon View Client for Mac versions 2.x, 3.x, and 4.x. Exploitation of this vulnerability could allow potential hackers to escalate their privileges to root on the Mac OS X system where the client is installed.
Anyone running VMware products on their Mac should sign up for security updates from the company.
Why is it important to update?
As security professionals, we are never going to stop talking about the importance of patching. Whether the vulnerabilities are known before or after patches are released, cyber criminals are going to use hacking tools to exploit systems that haven’t been updated. As we have mentioned previously and several times throughout this article, WannaCry did that exact thing. WannaCry targeted machines running Windows that hadn’t installed the latest updates.
Everyone is guilty of postponing those annoying popup screens asking when we want to update our system. It’s time to stop doing that. Take 10 minutes out of your day to update your system; it could save you and your company from becoming a victim of the next big hack. From the sound of things, that next attack may be sooner than we all expect but make no mistake – it’s coming.