Newsletter

08.10.2021 | 5 min read

Patch Tuesdays will never end

by Ryan Naraine

* This newsletter is sponsored by Uptycs, the cloud-native security analytics platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, audit and compliance.

The most clicked link from last week’s issue was this op-ed by Dave Aitel and friends suggesting a more responsible approach to cyber-offense by global governments.
Notes.
  • I’m honored to be on the agenda for this year’s SecurityWeek’s CISO Forum, coming up on September 14-15, 2021. This year we’ll be talking supply chain, SBOMs, ransomware and cyber insurance.

Monday Blues.

The newsletter is late today, because Patch Tuesday. Over at SecurityWeek, I spent this morning writing about the 19th Windows zero-day attack so far this year, another Microsoft attempt to fix PrintNightmare, and Adobe shipping patches for critical flaws in the Magento e-commerce platform. These security defects are no joke and I recommend Windows users treat these updates with high priority.

Speaking of security things with the highest of priorities, I saw a Black Hat presentation by hacker ‘Orange Tsai’ on new attack surfaces on Microsoft Exchange Server that was equally impressive and terrifying. On the heels of the March Exchange Server mega hacks, the researcher documented an entirely new attack surface that could lead to a world of hurt down the road.

If you’re a Windows fleet admin, I’d start by carefully absorbing the warnings in this blog post on how the CAS (Client Access Service) in Exchange Server presents ripe hunting ground for malicious hackers. Orange Tsai documents how this massive new attack surface led to the discovery of eight vulnerabilities that were chained into three different attacks — ProxyLogon (pre-auth RCE), ProxyOracle (plaintext password heist), and ProxyShell (pre-auth RCE exploit used at Pwn2Own 2021).

Orange Tsai, who has worked closely with Redmond to get these issues fixed, has hinted at future exploitation examples. See video of his Defcon presentation.

It’s even more disconcerting because of proven bug-discovery collisions and documentation that others — most notably the NSA and Chinese APT group HAFNIUM — are already poking around and finding success popping holes in this new Exchange attack surface.

A sobering reminder that Patch Tuesdays will never end. 

_ryan


A word from our sponsor – Uptycs

The Uptycs Security Analytics Platform offers one platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, and audit and compliance. Many organizations have a number of tools targeting their productivity endpoints, server endpoints, and cloud-native applications. Schedule a demo today.


The big story — Apple CSAM scanning concerns

The big story this week is the blowback against Apple’s plan to use a new hashing system on its platforms to detect and help limit the spread of CSAM (Child Sex Abuse Material). Here’s your catch-up reading material:

Black Hat recap

A subdued and weird Black Hat/Defcon week came and went with worries about Covid overwhelming all other concerns in Las Vegas. Still, the agenda was chock full of educational sessions, tools and utilities, and enough warnings to keep the industry afloat for another decade. Some highlights:

Tool of the week.

Supply chain pain.

Tangentially. The list of vulnerabilities or design flaws Microsoft does not intend to fix includes a trio of PrintNightmare security defects.

* Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
