Change Title NGINX to F5 Class 2 Customers should be prepared and take actions Change Summary Flexera is going to migrate all products/releases/mappings from NGINX to F5.   F5 Networks acquired NGINX on May 9, 2019. Reference: https://www.f5.com/company/news/press-releases/f5-completes-acquisition-of-nginx   F5 Networks will also change to F5 directly (the manufacturer ID will remain the same).  Impact  This change will impact Technopedia Manufacturer ID/Product ID/Release ID & Names and discovered data. The previously mapped data to the old manufacturer will change to the new manufacturer. This change requires customers to manage downstream processes and reporting in their organization.   The spreadsheet NGINX migrate to F5 Product List.xlsx provides the complete list of all the software products where the publisher name will be renamed from NGINX to F5.     ... View more

We had an issue with the previous ARL build 2593 with respect to the PointsRuleSet table, due to which ARL import was failing. We have identified and fixed it as part of the latest ARL build 2594.     ... View more

Change Title Service Pack 'version change' for IBM AIX and SuSE Enterprise Linux (SLES) Class 2 Customers should be prepared and take actions Change Summary 1.       We are adding TL (Technology Level) and ML (Maintenance Level) to the field 'Service Pack/Patch' rather than 'Version' for IBM AIX. For example, if the version value is 5.2 TL10, it will change to 5.2, and the Service Pack/Patch value will be TL10. 2.       We are also dividing the Service Pack information for SuSE Enterprise Linux Server when the version number includes the Service Pack. For example, if the version value is 12.4, it will change to 12, and the Service Pack/Patch value will be SP4. Impact This change will impact customers who rely on the Technopedia Version and its Service Pack information. The change needs the customer to manage downstream processes and reporting in their organization.   The spreadsheet SP Version change on AIX and SLES.xlsx provides the complete list of all the AIX and SLES products for which the Service Pack section of the Version field will be changing.    ... View more

Change Title: JDK and JRE version changes                Type: Class 1 Change Notification       On April 16, 2019, Oracle officially announced the commercialization of Java products. These are available under a new license termed OTN (Oracle Technology Network) and are free for personal individual desktop use,  development, testing, prototyping, and demonstration purposes. There were a few updates that were only available to Oracle licensed customers. These updates were not available publicly.   JDK 5 has reached the end of public updates. Releases after 1.5.0_22 are only available to Oracle Customers. [1] JDK 6 has reached the end of public updates. Releases after 1.6.0_45 are only available to Oracle Customers. [2] JDK 7 has reached the end of public updates. Releases after 1.7.0_80 are only available to Oracle Customers. [3] JDK 8 has reached the end of public updates. Releases after 1.8.0_202 for commercial/business use in production is restricted and requires a commercial license. [4] All updates of JDK 9 are licensed under the Oracle Binary Code License Agreement. [5] All updates of JDK 10 are licensed under the Oracle Binary Code License Agreement. [6] All updates of JDK 11 are licensed under Oracle Technology Network License Agreement. [7]   There is a challenge that Oracle also has some restricted and public builds for Java updates. BPR (Bundled Patch Release) builds are available only as commercial offerings to Oracle customers. JDK/JRE version Public releases Restricted releases JDK/JRE 5 Until Update 22 Update 23 & Up Update with BPR builds (build > 30) JDK/JRE 6 Until Update 45 Update 51 & Up Update with BPR builds (build > 30) JDK/JRE 7 Until Update 80 Update 85 & Up Update with BPR builds (build > 30) JDK/JRE 8 Until Update 202 Update 211 & Up Update with BPR builds (build > 30) JDK/JRE 9 All Updates   JDK/JRE 10 All Updates   JDK/JRE 11   All Updates What is changed? To accommodate the above changes, Flexera is going to update the Java applications (JDK and JRE) for version 5/6/7/8/9/10/11 in the Data Platform. There will be 2 separate products for each Java application (JDK and JRE), indicating whether the product is restricted or public.   We are going to create the new products with the 'Public' moniker. These public releases will be migrated to the newly created Java products. Java Development Kit (JDK) (Public) Java Runtime Environment (JRE) (Public)   The existed product ‘Java Development Kit (JDK)’ and ‘Java Runtime Environment (JRE)’ are represented as restricted. Those restricted releases will be reserved in the existing Java products.    Please notes this change does not apply to JRE 11; in Java release 11, the JRE or Server JRE is no longer offered. Only the JDK is offered. So Oracle Java Runtime Environment (JRE) version 11.0.x  to 15.0.x will be removed. [8]   All mappings will be reviewed and updated based on Java-specific update releases and builds Impact This change will impact customers who rely on Technopedia Product ID/Release ID & Names and discovered previously mapped data to major versions of JDK and JRE. They will be mapped to the new products and specific update releases.   The attached spreadsheet provides the full list of all releases in scope for this review which will be created or removed, or reserved.   Customers should expect these changes to have been completed within the next 2 weeks.   Reference [1] https://www.oracle.com/java/technologies/java-archive-javase5-downloads.html [2] https://www.oracle.com/java/technologies/javase/6u-relnotes.html [3] https://www.oracle.com/java/technologies/javase/7u-relnotes.html [4] https://www.oracle.com/hk/java/technologies/javase/javase8u211-later-archive-downloads.html [5] https://www.oracle.com/hk/java/technologies/javase/javase9-archive-downloads.htm [6] https://www.oracle.com/hk/java/technologies/java-archive-javase10-downloads.html [7] https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html [8] https://www.oracle.com/java/technologies/javase/jdk-11-relnote.html ... View more

Class 1 Change Notification   On April 16, 2019, Oracle officially announced the commercialization of Java products. This was made available under a new license termed OTN (Oracle Technology Network). Java is free for personal individual desktop use and free for development, testing, prototyping, and demonstration purposes.   Before this announcement, there were a few builds for version 8, which were only available to Oracle licensed customers. These builds were not available publicly. i.e. for version 8 builds after 1.8.0_202 update is only available to Oracle Customers version 8 reference. Any updates with BPR builds (build > 30) are considered commercial.   What is changed?   Flexera will update the Java applications for version 8 in ARL – Application Recognition Library to accommodate the above changes.   Both Installer and File Evidence will be separated based on build information into free and commercial application.   For reference, on the Java version nomenclature: for instance, for 8.0.2020.34 8 is the version. 202 is the update. 34 is the build.     Installer Evidence   Evidence for Version Application Classification JDK 1.8.0_202 Java Development Kit (Public) 8 Standard Freeware JDK 1.8.0_281 Java Development Kit 8 Standard Commercial JRE 1.8.0_202 Java Runtime Environment (Public) 8 Freeware JRE 1.8.0_281 Java Runtime Environment 8 Commercial Java Platform 1.8.0_202 Java Platform (Public) 8 Standard Freeware Java Platform 1.8.0_281 Java Platform 8 Standard Commercial   Existing update version applications will be removed from ARL, and all the evidence will be added to the respective single version.   Example:   Existing Application Proposed new application Classification Java Development Kit 8.0.211 Standard Java Development Kit 8 Standard Commercial   Similarly, the other applications update versions available in ARL will be merged into their public or respective restricted versions of Java Platform or Development Kit (8, 11,12,13 and 14).   File Evidence File Evidence will be associated with the respective application based on the build version for all Java version 8,11,12,13 and 14. For instance, Java.exe 8.0.202.29 is free, while 8.0.202.34 is “restricted” (BRP build). Note: We will be verifying or updating the recognition rule for file evidence having a name as java.exe javaw.exe javaws.exe jdk.exe jre.exe javadoc.exe   As per Oracle, Java version 9 and 10 are available for the public. Hence, the  product names will change to Java development Kit (Public), Java Runtime Environment (Public) and Java Platform (Public) All these changes are going to be part of the Friday,  2 nd April 2021 ARL release. ... View more

Change Title   ixia to Keysight Technologies Product Migration Class 2   Customers should be prepared and take actions         Change Summary   Flexera will migrate all products/releases/mappings from the old manufacture name 'ixia' to ' Keysight Technologies '. As Keysight Technologies have acquired Ixia, all products/releases/mappings will migrate to Keysight Technologies. https://about.keysight.com/en/newsroom/pr/2017/18apr-nr17032.shtml       Impact   This change will impact customers who rely on Technopedia Manufacturer ID/Product ID/Release ID & Names, and discovered data that was previously mapped to the old manufacturers would be mapped to the new manufacturer. The change needs the customer to manage downstream processes and to report in their organization.     The spreadsheet Migration from Ixia to Keysight Technologies.xlsx provides the complete list of all the Technopedia products for which the manufacture name will be renamed from Ixia to Keysight Technologies.   ... View more

Flexera is going to migrate all products/releases/mappings from Syncsort to Precisely. As Syncsort Rebrands as Precisely, all products/releases/mappings will be migrated to Precisely. Change Title Syncsort to Precisely Class 2 Customers should be prepared and take actions Change Summary Flexera is going to migrate all products/releases/mappings from Syncsort to Precisely. Syncsort Rebrands as Precisely on May 14, 2020. https://www.precisely.com/press-release/precisely-launch Impact This change will impact customers who rely on not only Technopedia Manufacturer ID/Product ID/Release ID & Names but also discovered data that was previously mapped to the old manufacturer will be mapped to the new manufacturer. The change needs the customer to manage downstream processes and reporting in their organization.   Update The spreadsheet Syncsort migrate to Precisely Product List - updated.xlsx provides the full list of all the software products for which the publisher name has been renamed from Syncsort to Precisely. ... View more

Summary 422 advisories for 281 unique product from 66 unique vendors were issued from Mid December 2020 till mid-January 2021. Several Microsoft patches were issued in this month’s Patch Tuesday which included a patch for Microsoft Malware Protection Engine that is linked to SUNSPOT malware.   Zero-Day Advisories Microsoft issued a zero-day in their recent patch Tuesday on January 12 th . The advisory itself is moderately critical because of its local attack vector. However, it is linked t recent malware and cyber-attack. The vulnerability is reported in Microsoft Malware Protection engine which can be exploited to gain local escalation of privileges. CVE-2021-647  has 7.8 CVSS scores with a threat score of 28. This vulnerability is particularly important as it is linked to SUNBURST and SUNSPOT vulnerabilities – as discussed in the previous blog.  Microsoft Forefront Endpoint Security, Microsoft Malware Protection 1.x, Microsoft Security Essentials 4.x, Microsoft System Center Endpoint Protection, Microsoft Windows defender are the affected product. Call to Action: Microsoft recommends an update to version 1.1.17700.4. In their security blog, Microsoft suggests that another target for the SUNBURST attack was to steal credentials, escalate privileges and move latterly to either steal and even create valid SMAL authentication token. Microsoft dubs it as SOLORIGATE. [1] At this rate, the security industry is soon going to run out of interstellar acronyms for vulnerabilities and exploits. Microsoft Patch Tuesday January’s Microsoft Patch Tuesday edition had 11 KBS that fix 26 CVEs in 11 different products. [2] Another local escalation of privileges vulnerability CVE-2021-1648 was fixed which was an update to a previous update from December.     Patch Tuesday had updates for Microsoft Windows Microsoft Edge (EdgeHTML-based) Microsoft Office and Microsoft Office Services and Web Apps Microsoft Windows Codecs Library Visual Studio SQL Server Microsoft Malware Protection Engine .NET Core .NET Repository ASP .NET Azure   A list of KBs listed for different Operating systems is as below: [2]   KB Affected OS/Software 4598229 Windows 10, Version 1903, Windows Server, Version 1903, Windows 10, Version 1909, Windows Server, Version 1909 4598230 Windows 10, Version 1809, Windows Server 2019 4598242 Windows 10, Version 2004, Windows Server, Version 2004, Windows 10, Version 20H2, Windows Server, Version 20H2 4598275 Windows 8.1, Windows Server 2012 R2 (Security-only update) 4598278 Windows Server 2012 (Monthly Rollup) 4598279 Windows 7, Windows Server 2008 R2 (Monthly Rollup) 4598285 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) 4598287 Windows Server 2008 (Security-only update) 4598288 Windows Server 2008 (Monthly Rollup) 4598289 Windows 7, Windows Server 2008 R2 (Security-only update) 4598297 Windows Server 2012 (Security-only update)     Advisories for different Operating Systems: The number of Secunia advisories for various Operating systems are as below: Fedora: 00 Red Hat Enterprise Linux: 27 Debian: 17 Amazon Linux:  24 Ubuntu:   19 SUSE Linux: 33 Oracle Linux:   17 CentOS Advisories:  08 Microsoft OS Advisories:   05 Advisories by Criticality For easy understanding of Operations teams and management, Secunia Advisories are ranked into 5 simple and easy to understand criticalities. Secunia research follows a meticulous process which involves detailed analysis, peer review, and a QA process – among other things. Our customers can depend on the intelligence without indulging into more minute details of CVSS, impact and attack vector. All of these factors are considered during the ranking process. Further explained at this link. Advisories by Average CVSS Score A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link. CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below: CVSS 3 Score Advisories with Low CVSS3 under 4.0: 18  (4.2%) Advisories with Mid CVSS3 range 4-7: 152 (36.02%) Advisories with High CVSS3 range 7-10: 252 (59.72%)                               Threat Score Threat score is calculated based on criticality and its linkage to a recent or historical threat of either remote trojan horse, ransomware, used in penetration testing tools, availability of exploit kit, and cyber exploit. Each rule triggers an increase in the threat value. A detailed explanation of Threat Score calculation is available at this  link .                                   Advisories with positive Threat Score (1+):            256   (60.66%) None Threat Score SAIDs (=0):                                     166   (39.34%) Low-Range Threat Score SAIDs      (1-12):                 92   (21.80%) Medium-Range Threat Score SAIDs   (13-23):       130   (30.81%) High-Range Threat Score SAIDs     (24-44):                11    ( 2.61%) Critical-Range Threat Score SAIDs (45-70):                17    ( 4.03%) Very Critical Threat Score SAIDs  (71-99):                    6    ( 1.42%) Ransomware, Malware, and Exploit Kits:       Historically Linked to Ransomware:            10   (2.37%) Historically Linked to Malware:                   59   (13.98%) Linked to a Recent Cyber Exploit:                60   (14.22%) Related to a Historical Cyber Exploits:      154   (36.49%) Included in Penetration Testing Tools:     176  (41.71%)   Conclusion The affects pf SUNBURST vulnerabilities are still being unveiled and its aftershocks will be felt for quite some time – unfortunately. Microsoft has revealed that it is being used to steal and even creating new SAML authentication tokens. A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the  Software Vulnerability Research  and  Software Vulnerability Manager  solutions from Flexera. Stay Secure! References: [1] https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/#Tracking-the-cross-domain-Solarigate-attack [2] https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan   ... View more

Summary From Mid November till Mid December, 396 advisories were issued for 247 unique products. Two zero-day advisories were issued during this period including a hotly debated SolarWind hack. It eclipses every other technology news due to its potential victims and sophistication.   Zero-Day Advisories Solarwinds Orion Vulnerability a.ka. Sunburst Solarwind reported that a vulnerability was injected into its Orion product platforms supply-chain system. It affects SolarWinds® Orion® Platform software, and SolarWinds Network Performance Monitor builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. [1] An error related to SolarWinds.Orion.Core.BusinessLayer.dll containing a backdoor can be exploited to execute arbitrary code. Solarwinds digitally signed the Update containing the backdoor, so its users had no way of knowing if the Update was compromised. Orion products downloaded, implemented, or updated during the relevant period contained the inserted backdoor. The relevant period is from March until June 2020.  [2] The vendor recommends updating to version 2019.4 HF 6 or 2020.2.1 HF 2. The vulnerability is dubbed as Sunburst, and the list of the potentially affected customer is staggering. Solarwind lists US Armed forces, DoD agencies, UK defence sector, US department of treasury, UK NHS, NATO Support Agencies, and US president’s office among its customers. The vulnerability is quite devastating because the software is a networking monitoring software which runs under a privileged account.  Flexera’ Secunia research has issued a Zero-day advisory SA99447 available in SVR, SVM and Data platform products. Further details are being added as they become available. Further details and its coverage in different products are available at this link Microsoft Edge Chromium version:   A Google Chrome zero-day was reported on the 11th of November, which was covered in our previous blog. As a result, Microsoft Edge, based on the Chromium engine, also reported two vulnerabilities. One can be exploited to gain system access, and the other one has an unknown impact. Microsoft advises patching to 86.0.622.69.   Operating Systems: The number of Secunia advisories for various Operating systems are as below: Fedora: 07 Red Hat Enterprise Linux: 10 Debian: 15 Amazon Linux:  19 Ubuntu:   25 SUSE Linux: 53 Oracle Linux:   17 CentOS Advisories:  11 Microsoft OS Advisories:   4                       Advisories for Browsers Microsoft Internet Explorer (version 9 & 11): 1 Advisory.   Microsoft Edge (HTML Based - Legacy): 1 Advisory Microsoft Edge (Chromium Based): 3 Advisories Google Chrome: 2 Advisories Mozilla Firefox: 2 Advisories Mozilla Thunderbird – 1 Advisory Microsoft Patch Tuesday December Patch Tuesday was a little light as compared to November. On December 8th – Second Tuesday of December, Microsoft issued advisories for these software. Microsoft Windows Microsoft Edge (EdgeHTML-based) Microsoft Edge for Android ChakraCore Microsoft Office and Microsoft Office Services and Web Apps Microsoft Exchange Server Azure DevOps Microsoft Dynamics Visual Studio Azure SDK Azure Sphere A complete list of all applicable updates for August’s Patch Tuesday is here [3] Patch Tuesday KBs   A digest of Patch Tuesday is listed here [4]   KB Affected OS/Software 4592438 Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2, Windows Server version 20H2 4592440 Windows 10 Version 1809, Windows Server 2019 4592449 Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909 4592468 Windows Server 2012 (Monthly Rollup) 4592471 Windows 7, Windows Server 2008 R2 (Monthly Rollup) 4592484 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) 4592495 Windows 8.1, Windows Server 2012 R2 (Security-only update) 4592497 Windows Server 2012 (Security-only update) 4592498 Windows Server 2008 (Monthly Rollup) 4592503 Windows 7, Windows Server 2008 R2 (Security-only update) 4592504 Windows Server 2008 (Security-only update) 4593226 Windows 10, version 1607, Windows Server 2016 4593465 Exchange Server 2019, Exchange Server 2016 4593466 Exchange Server 2013 4593467 Exchange Server 2010 Service Pack 3     Advisories by Criticality For easy understanding of Operations teams and management, Secunia Advisories are ranked into 5 simple and easy to understand criticalities. Secunia research follows a meticulous process which involves detailed analysis, peer review, and a QA process – among other things. Our customers can depend on the intelligence without indulging into more minute details of CVSS, impact and attack vector. All of these factors are considered during the ranking process. Further explained at this link.                                         Advisories by Average CVSS Score A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link. CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below: CVSS 3 Score Advisories with Low CVSS3 under 4.0: 31  (7.83%) Advisories with Mid CVSS3 range 4-7: 133 (33.59%) Advisories with High CVSS3 range 7-10: 256 (60.24%)                                     Threat Score Threat score is calculated based on criticality and its linkage to a recent or historical threat of either remote trojan horse, ransomware, used in penetration testing tools, availability of exploit kit, and cyber exploit. Each rule triggers an increase in the threat value. A detailed explanation of Threat Score calculation is available at this  link .                     Advisories with positive Threat Score (1+):            271   (68.43%) None Threat Score SAIDs (=0):                                 125   (31.57%) Low-Range Threat Score SAIDs      (1-12):               124   (31.31%) Medium-Range Threat Score SAIDs   (13-23):        123   (31.06%) High-Range Threat Score SAIDs     (24-44):                16    ( 1.52%) Critical-Range Threat Score SAIDs (45-70):                06    ( 1.52%) Very Critical Threat Score SAIDs  (71-99):                    2    ( 0.51%) Ransomware, Malware, and Exploit Kits:   Historically Linked to Ransomware:            05   (1.26%) Historically Linked to Malware:                   46   (11.62%) Linked to a Recent Cyber Exploit:              116 (29.29%) Related to a Historical Cyber Exploits:      172 (43.43%) Included in Penetration Testing Tools:     178  (44.95%) Conclusion   The method and the style of SolarWinds Orion platform trojan horse throws a curveball at the organizations and security professionals. We preach to keep the software patched but ironically those customers that didn’t apply the Update were better off. However, users had no way of knowing if the patch contains malware as it was digitally code-signed by the vendor. There would be many lessons to be learned by the software vendors and tighten up their supply-chain and build and publishing process. It is too early to call about the after-effects and change of behaviour, but many organizations have to review their software processes. Many organizations were also panicking to check if they have affected software installed, which points out the need for an up to date software inventory. A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the  Software Vulnerability Research  and  Software Vulnerability Manager  solutions from Flexera. Stay Secure! References: [1] https://www.solarwinds.com/securityadvisory [2] https://www.solarwinds.com/securityadvisory/faq [3] https://support.microsoft.com/en-us/help/20200908/security-update-deployment-information-september-8-2020 [4] https://msrc.microsoft.com/update-guide/releaseNote/2020-Dec ... View more

Summary This review is a combination of advisories issued in September up to mid - November. We want to issue the review in the week of Patch Tuesday as most companies have a patch cycle right after the Patch Tuesday. In September, Secunia Research at Flexera issued 550 advisories for 317 different products. Up until 15th fo November, 323 advisories for 186 products. In September, 3 Zero-day advisories in Google Chrome, Microsoft Edge, and FreeType.  Up until mid of November, 4 Zero-day advisories were issued   Zero-Day and Highly Critical Vulnerabilities.   Definition of a Zero-day Vulnerability : A zero-day is a vulnerability which is being exploited in the wild on the day or prior its public disclosure. The vulnerability may or may not have a patch. There is much confusion in security communities Three zero-day in September and 4 zero-day until Mid-November. 97 highly critical in September and 66 in November so far. Google Chrome Three zero-day advisories in two consecutive months. Two zero-days in the first two weeks of November. In September, a zero-day vulnerability was reported in the version 86.x. Three use-after-free error within media, PDFium, and printing can be exploited to execute arbitrary code. At the time, 86.0.4240.111 was a recommended update. However, another zero-day was reported on November the 2nd and version 86.0.4240.183 was a recommended solution. Yet again, another zero-day was reported on November the 11th in the previous version. Call to Action: Upgrade to 86.0.4240.198. Microsoft Edge Chromium   Multiple vulnerabilities were reported in Chromium which can be exploited that can result in system access. Call to Action:  Update to version: 86.0.622.51   Apple IOS and macOS A zero-day vulnerability related to FontParser can be exploited to execute arbitrary code via a specially crafted font. A vulnerability in facetime can be exploited to send video in group facetime calls without knowing. It is advised to Call to Action: Upgrade to version 12.4.9 A zero-day vulnerability is reported in the macOS kernel, which can be exploited to disclose memory contents. Call to Action : Update to macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update, Security Update 2020-006 Mojave, or Security Update 2020-006 High Sierra. Microsoft Windows 7 and Server 2008 Multiple vulnerabilities were reported in Windows 7 and Server 2008, which can be exploited to disclose sensitive version, DOS attack, escalation of privileges and system access. Call to Action: Install the KB4586827, KB4586805, KB4586807, KB4586817. Operating Systems: Secunia advisories for different Operating systems are as below: Fedora: 39 Red Hat Enterprise Linux: 83 Debian: 21 Amazon Linux:  64 Ubuntu:   62 SUSE Linux: 61 Oracle Linux:   48 CentOS Advisories:  7 Microsoft OS Advisories:   9 Top Vendors with the most Advisories (September till Mid November) Advisories for Browsers Microsoft Internet Explorer (version 11): 1 Advisory.   Microsoft Edge (HTML Based - Legacy): 1 Advisory Microsoft Edge (Chromium Based): 4 Advisories Google Chrome: 7 Advisories Mozilla Firefox: 3 Advisories Mozilla Thunderbird – 2 Advisory Microsoft Patch Tuesday - October On September 8th – Second Tuesday of September, Microsoft issued advisories for these software: Microsoft Windows Microsoft Office and Microsoft Office Services and Web Apps Microsoft JET Database Engine Azure Functions Open Source Software Microsoft Exchange Server Visual Studio PowerShellGet Microsoft .NET Framework Microsoft Dynamics Adobe Flash Player Microsoft Windows Codecs Library   A complete list of all applicable updates for August’s Patch Tuesday is here [1] Patch Tuesday KBs   A digest of Patch Tuesday is listed here [2] KB Article Applies To 4577668 Windows 10 Version 1809, Windows Server 2019 4577671 Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909 4579311 Windows 10, version 2004 4580327 Windows 10 4580328 Windows 10, version 1709 4580330 Windows 10, version 1803 4580345 Windows 7, Windows Server 2008 R2 (Monthly Rollup) 4580346 Windows 10, version 1607, Windows Server 2016 4580347 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) 4580353 Windows Server 2012 (Security-only update) 4580358 Windows 8.1, Windows Server 2012 R2 (Security-only update) 4580378 Windows Server 2008 Service Pack 2 (Monthly Rollup) 4580382 Windows Server 2012 (Monthly Rollup) 4580385 Windows Server 2008 Service Pack 2 (Security-only update) 4580387 Windows 7, Windows Server 2008 R2 (Security-only update) 4581424 Exchange Server 2019, Exchange Server 2016, Exchange Server 2013   Microsoft Patch Tuesday - November On the second Tuesday of November the 10 th , Microsoft issued advisories for these software Microsoft Windows Microsoft Office and Microsoft Office Services and Web Apps Internet Explorer Microsoft Edge (EdgeHTML-based) Microsoft Edge (Chromium-based) ChakraCore Microsoft Exchange Server Microsoft Dynamics Microsoft Windows Codecs Library Azure Sphere Windows Defender Microsoft Teams Azure SDK Azure DevOps Visual Studio KB Article Applies To 4486714 SharePoint Server 2019 4486717 SharePoint Server 2016 4586781 Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2, Windows Server version 20H2 4586786 Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909 4586793 Windows 10 Version 1809, Windows Server 2019 4586805 Windows 7, Windows Server 2008 R2 (Security-only update) 4586807 Windows Server 2008 (Monthly Rollup) 4586808 Windows Server 2012 (Security-only update) 4586817 Windows Server 2008 (Security-only update) 4586823 Windows 8.1, Windows Server 2012 R2 (Security-only update) 4586827 Windows 7, Windows Server 2008 R2 (Monthly Rollup) 4586830 Windows 10, version 1607, Windows Server 2016 4586834 Windows Server 2012 (Monthly Rollup) 4586845 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) 4486714 SharePoint Server 2019 4486717 SharePoint Server 2016 4588741 Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, Microsoft Exchange Server 2019           Advisories by Average CVSS Score A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link. CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below: CVSS 3 Score Advisories with Low CVSS3 under 4.0:      53  (6.07%) Advisories with Mid CVSS3 range 4-7:     301 (34.48%) Advisories with High CVSS3 range 7-10:   519 (59.45%)   Threat Score Threat score is calculated based on criticality and its linkage to a recent or historical threat of either remote trojan horse, ransomware, used in penetration testing tools, availability of exploit kit, and cyber exploit. Each rule triggers an increase in the threat value. A detailed explanation of Threat Score calculation is available at this  link . Advisories with positive Threat Score (1+):            591   (67.70%) None Threat Score SAIDs (=0):                                 282   (32.30%) Low-Range Threat Score SAIDs      (1-12):               150   (17.18%) Medium-Range Threat Score SAIDs   (13-23):       393   (45.02%) High-Range Threat Score SAIDs     (24-44):                33    ( 3.78%) Critical-Range Threat Score SAIDs (45-70):                 5    ( 0.57%) Very Critical Threat Score SAIDs  (71-99):                   10   ( 1.15%) Ransomware, Malware, and Exploit Kits:   . Historically Linked to Ransomware:            10   (1.15%) Historically Linked to Malware:                  108  (12.37%) Linked to a Recent Cyber Exploit:                188  (21.53%) Related to a Historical Cyber Exploits:      341 (39.06%) Included in Penetration Testing Tools:     399  (45.70%)   Conclusion   The number of vulnerabilities is increasing, so we need to leverage threat intelligence to prioritize the patching effort. Install Patch Tuesday as soon as possible after testing it. Zero-days should be delayed, and an emergency change request/window should be introduced. A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the  Software Vulnerability Research  and  Software Vulnerability Manager  solutions from Flexera. Stay Secure! References: [1] https://support.microsoft.com/en-us/help/20201013/security-update-deployment-information-october-13-2020 [2] https://msrc.microsoft.com/update-guide/releaseNote/2020-Oct ... View more

Summary In September, Secunia Research at Flexera issued 514 advisories for 389 unique versions of 289 products from 69 different vendors.  Apache Struts and Microsoft Exchange Server had notable vulnerabilities with a high threat score. Since we can’t patch everything due to the sheer volume of vulnerabilities, prioritize remediation efforts from a risk management perspective. Threat intelligence is a crucial parameter in risk analysis.     Zero-Day and Highly Critical Vulnerabilities   No Zero-day advisory in September. However, 78 highly critical advisories with 63 had a CVSS score between 9 and 10. Majority of these were for RedHat, SUSE, Microsoft SharePoint, and Exchange. Apache Struts Two highly critical vulnerabilities were reported in Apache Struts 2.5.22 and prior versions. CVE-2019-0230 with CVSS oft 9.8 where an error when applying forced OGNL evaluation inside a Struts tag attribute can be exploited to execute arbitrary code via a specially crafted request.  CVE-2019-0233 with CVSS 7.5 where an error when handling file uploads can be exploited to cause a DoS condition via a specially crafted request. Both vulnerabilities are linked to malware and used in recent and historic cyber exploits. In September, advisories are released for other software that uses the Apache Struts framework, namely IBM Sterling File Gateway, IBM Tivoli Netcool/OMNIbus Web GUI, and F5 BIG IP Application Acceleration Manager (AAM). In the coming months, we would probably see other vendors releasing patches or at least acknowledgement of these CVEs in their software. Microsoft Exchange Server CVE-2020-16875 has a threat score of 82, but Microsoft states that exploitation is highly unlikely. The patch KB4577352 was released as part of Patch Tuesday on September 8 th . However, the advisory was updated on September 17th. It affects Microsoft Exchange Server 2016 and 2019. An error related to Microsoft Exchange software when handling objects in memory can be exploited to corrupt memory and subsequently execute arbitrary code with system privileges via a specially crafted email sent to the Microsoft Exchange server.   Operating Systems Secunia advisories for different Operating systems are as below: Fedora: 18 Red Hat Enterprise Linux: 64 Debian: 11 Amazon Linux:  20 Ubuntu:   46 SUSE Linux: 43 Oracle Linux:   15 CentOS Advisories:  3 Microsoft OS Advisories:   4 Top Vendors with the most Advisories   Key Points Red Hat had the highest number of advisories with 96 in total. However, 64 for RHEL and 18 for Fedora. Rest of the advisories for Ansible line of Products., RedHat JBoss, Canonical Ltd. has second-highest advisories with 46 advisories for Ubuntu 12.04, 14.04, 16.04, and 18.04. IBM ranks third and most notable vulnerability in its WebSphere software. An advisory SA93203 which was issued in January but CVE-2020-4578 was added, and solution section was updated. SUSE at fourth with most vulnerabilities SLES flavour version 11,12, and 15. Cisco is kept its position at fifth with most advisories for its IOS 12.x, 15.x, IOS XE 3.x.x, and Jabber among others. Open Source software at the sixth level. Most vulnerabilities in Django REST, QEMU, OpenSSL, and WordPress. Microsoft is in sixth place with 22 advisories. More details are in the Patch Tuesday section.   Advisories for Browsers Microsoft Internet Explorer (version 9 & 11): 1 Advisory.   Microsoft Edge (HTML Based - Legacy): 1 Advisory Microsoft Edge (Chromium Based): 3 Advisories Google Chrome: 2 Advisories Mozilla Firefox: 2 Advisories Mozilla Thunderbird – 1 Advisory Microsoft Patch Tuesday On September 8th – Second Tuesday of September, Microsoft issued advisories for these software: Microsoft Windows Microsoft Edge (Edge HTML-based) Microsoft Edge (Chromium-based) Microsoft Chakra Core Internet Explorer SQL Server Microsoft JET Database Engine Microsoft Office and Microsoft Office Services and Web Apps Microsoft Dynamics Visual Studio Microsoft Exchange Server SQL Server ASP.NET Microsoft OneDrive Azure DevOps   A complete list of all applicable updates for August’s Patch Tuesday is here [1] Patch Tuesday KBs   A digest of Patch Tuesday is listed here [2] KB Article Applies To 4484488 SharePoint Foundation 2013 4484515 SharePoint Enterprise Server 2013 4486667 SharePoint Foundation 2010 4570333 Windows 10 Version 1809, Windows Server 2019 4571756 Windows 10, version 2004 4574727 Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909 4577015 Windows 10, version 1607, Windows Server 2016 4577038 Windows Server 2012 (Monthly Rollup) 4577048 Windows Server 2012 (Security-only update) 4577051 Windows 7, Windows Server 2008 R2 (Monthly Rollup) 4577053 Windows 7, Windows Server 2008 R2 (Security-only update) 4577064 Windows Server 2008 Service Pack 2 (Monthly Rollup) 4577066 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) 4577070 Windows Server 2008 Service Pack 2 (Security-only update) 4577071 Windows 8.1, Windows Server 2012 R2 (Security-only update) 4577352 Exchange Server 2019, Exchange Server 2016 4484505 SharePoint Server 2019 4484506 SharePoint Enterprise Server 2016 4484525 SharePoint Foundation 2013     Advisories by Criticality For easy understanding of Operations teams and management, Secunia Advisories are ranked into 5 simple and easy to understand criticalities. Secunia research follows a meticulous process which involves detailed analysis, peer review, and a QA process – among other things. Our customers can depend on the intelligence without indulging into more minute details of CVSS, impact and attack vector. All of these factors are considered during the ranking process. Further explained at this link.       Advisories by A verage CVSS Score A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link. CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below: CVSS 3 Score Advisories with Low CVSS3 under 4.0: 35  (8.24%) Advisories with Mid CVSS3 range 4-7: 134 (31.53%) Advisories with High CVSS3 range 7-10: 256 (60.24%)   Threat Score Threat score is calculated based on criticality and its linkage to a recent or historical threat of either remote trojan horse, ransomware, used in penetration testing tools, availability of exploit kit, and cyber exploit. Each rule triggers an increase in the threat value. A detailed explanation of Threat Score calculation is available at this  link .    Advisories with positive Threat Score (1+):            346   (67.32%) None Threat Score SAIDs (=0):                                 168   (32.68%) Low-Range Threat Score SAIDs      (1-12):               159   (30.93%) Medium-Range Threat Score SAIDs   (13-23):       171   (33.27%) High-Range Threat Score SAIDs     (24-44):                4     ( 0.78%) Critical-Range Threat Score SAIDs (45-70):               10    ( 1.95%) Very Critical Threat Score SAIDs  (71-99):                    2   ( 0.39%) Ransomware, Malware, and Exploit Kits   Historically Linked to Ransomware:            10   (1.95%) Historically Linked to Malware:                  54  (10.51%) Linked to a Recent Cyber Exploit:              89  (17.32%) Related to a Historical Cyber Exploits:      229 (44.55%) Included in Penetration Testing Tools:     199  (38.72%)   Conclusion   Patch Tuesday should be applied as soon possible after its initial release. Most organization focus on client and Server Operating system patches, but we have noticed that a lot of critical patches are released for software like Exchange, Office, and SharePoint. Once the vulnerabilities in common frameworks are discovered, the software that uses or redistributes the software also issues patches for their versions. However, the process can take time and leaves the software vulnerable to attack as the exploit or POC are usually available for the base vulnerability. Threat score is an essential parameter in risk analysis, and most organization ignores risk management and choose to patch a predefined set of software – which is a dangerous approach. We will discuss remediation from a risk management perspective in the next episode of the blog. A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the  Software Vulnerability Research  and  Software Vulnerability Manager  solutions from Flexera. Stay Secure! References: [1] https://support.microsoft.com/en-us/help/20200908/security-update-deployment-information-september-8-2020 [2] https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep ... View more

Summary In August, 425 advisories were issued for 354 unique versions of 258 products from 70 different vendors.  Two Zero-day vulnerabilities were reported by Microsoft, including one which was known to it for more than one and half year. Microsoft’s August Patch Tuesday and vulnerabilities in other third party vendors and products are part of this months’ blog. Zero-Day Two Zero-day advisories were reported in Microsoft Windows and Internet Explorer 9 and 11. CVE-2020-1464 is dubbed as “Windows Spoofing” vulnerability. Microsoft Windows uses code signing certificates to authenticate a software’s integrity and verify its publisher.  A flaw in the system keeps a signature valid even after appending any content to the end of a Windows installer (.msi). It is dangerous in particular with .jar files which can be used for malicious purpose. Java loads its required resources in a single request. If the attacker successfully appends a malicious JAR file to a signed MSI installer; Microsoft Windows wouldn’t complain and validates the software. Just double-clicking on the file can result in successful exploitation. [1] The security researchers informed Microsoft approximately one an half year ago, but it decided not to patch the vulnerability at the time. The fix was shipped in August’s Patch Tuesday. CVE-2020-1380 was also fixed in August Patch Tuesday. The vulnerability is detected in Internet Explorer 9 and 11. It uses the ‘use after free’ bug in IE’s JavaScript ‘Just-in-time engine. Reportedly, the vulnerability can be exploited by merely visiting a specially crafted website. Refer to SA97055 for more details.   Call to Action Deploy patches offered in Microsoft August’s Patch Tuesday release. Operating Systems: Secunia advisories for different Operating systems are as below: Fedora: 28 Red Hat Enterprise Linux: 11 Debian: 16 Amazon Linux:  10 Ubuntu:   29 SUSE Linux: 47 Oracle Linux:   15 CentOS Advisories:    6 Microsoft OS Advisories (Including one Zero-day):   4 Top Vendors with the most Advisories   Key Points IBM has topped with the 59 advisories in its various products like WebSphere, Tivoli, and other financial software. Red Hat has second-highest advisories because we treat RHEL and Fedora under the same vendor.    48 Advisories for SUSE with 47 for SLES 11. 12, and 15 versions. Canonical Ltd. ranked fourth with advisories for Ubuntu 12.04, 14.04, 16.04, and 18.04. Cisco is fifth with most advisories for its 9000 and 300 series switches, 6000 series routers and one for widely used WebEx. Microsoft is in sixth place with 22 advisories. More details are in the Patch Tuesday section.   Advisories for Browsers Microsoft Internet Explorer (version 9 & 11): 2 Advisories.   Microsoft Edge (HTML Based - Legacy): 1 Advisory Microsoft Edge (Chromium Based): 3 Advisories Google Chrome: 3 Advisories Mozilla Firefox: 3 Advisories Mozilla Thunderbird – 2 Advisories Microsoft Patch Tuesday Microsoft issues security patches for its products on every second Tuesday of the month known as Patch Tuesday. On 11 th August – Second Tuesday of August, Microsoft issued advisories for these software: Microsoft Windows Microsoft Edge (EdgeHTML-based) Microsoft Edge (Chromium-based) Microsoft ChakraCore Internet Explorer Microsoft Scripting Engine SQL Server Microsoft JET Database Engine .NET Framework ASP.NET Core Microsoft Office and Microsoft Office Services and Web Apps Microsoft Windows Codecs Library Microsoft Dynamics A complete list of all applicable updates for August’s Patch Tuesday is here Patch Tuesday KBs 4 Secunia Advisories cover updates for each OS pair. KB Article Applies To 4565349 Windows 10 Version 1809, Windows Server 2019 4566782 Windows 10, version 2004 4571694 Windows 10, version 1607, Windows Server 2016 4571702 Windows Server 2012 (Security-only update) 4571703 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) 4571719 Windows 7, Windows Server 2008 R2 (Security-only update) 4571723 Windows 8.1, Windows Server 2012 R2 (Security-only update) 4571729 Windows 7, Windows Server 2008 R2 (Monthly Rollup) 4571730 Windows Server 2008 Service Pack 2 (Monthly Rollup) 4571736 Windows Server 2012 (Monthly Rollup) 4571746 Windows Server 2008 Service Pack 2 (Security-only update)     Advisories by Criticality For easy understanding of Operations teams and management, Secunia Advisories are ranked into 5 simple and easy to understand criticalities. Secunia research follows a meticulous process which involves detailed analysis, peer review, and a QA process – among other things. Our customers can depend on the intelligence without indulging into more minute details of CVSS, impact and attack vector. All of these factors are considered during the ranking process. Further explained at this link.   Advisories by Attack Vector. 65% of vulnerabilities can be exploited from remote, which makes the remediation efforts even more critical.       Advisories by Average CVSS Score A CVSS score is a metric used to measure the severity of a vulnerability. CVSS v3 specifications and the criteria details are at this link. CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below: CVSS 3 Score Advisories with Low CVSS3 under 4.0: 35  (8.24%) Advisories with Mid CVSS3 range 4-7: 134 (31.53%) Advisories with High CVSS3 range 7-10: 256 (60.24%)       Advisories by Solution   Threat Score Like many other things in life, not every vulnerability is created equal. For the ease of our customers, we provide threat score as an add-on which helps in decision making and prioritization.  Higher the score; bigger the risk! Threat score is calculated based on criticality and its linkage to a recent or historical threat of either remote trojan horse, ransomware, used in penetration testing tools, availability of exploit kit, and cyber exploit. Each rule triggers an increase in the threat value. A detailed explanation of Threat Score calculation is available at this  link .   Advisories with positive Threat Score (1+):            278 (65.41%) None Threat Score SAIDs (=0):                                 147 (34.59%) Low-Range Threat Score SAIDs      (1-12):               119 (28.00%) Medium-Range Threat Score SAIDs   (13-23):       142 (33.41%) High-Range Threat Score SAIDs     (24-44):               12 (2.82%) Critical-Range Threat Score SAIDs (45-70):                 5 (1.18%) Very Critical Threat Score SAIDs  (71-99):                   0 (0.00%) Ransomware, Malware, and Exploit Kits:   Statistics clearly shows us that software vulnerabilities have a clear relationship with malware, cyber exploits and notorious ransomware. Remediating these vulnerabilities reduces exposure to these threats. Security is a multi-prong approach where one size fits all or one tool to rule them all is not enough. Just like with network, we require multiple layers of protection; similarly, we need to remediate known vulnerabilities along with a reputable anti-malware system.    Historically Linked to Ransomware:           05  (1.18%) Historically Linked to Malware:                  63  (14.82%) Linked to a Recent Cyber Exploit:              70  (16.47%) Related to a Historical Cyber Exploits:      193 (36.24%) Included in Penetration Testing Tools:     275  (40.80%)   Conclusion   More than 60% of vulnerabilities can be exploited from remote while massively 92% advisories have a vendor patch while only 5% have either no fix or an upgrade option is available. Most malware relies on vulnerabilities in everyday use software. Patching effort minimizes the risk and exposure. For Microsoft Windows environment, always deploy the Patch Tuesday and any out of band security updates. Don’t ignore third-party software as more than 86% of vulnerabilities are found in software other than Microsoft. A complete list of vulnerabilities, affected software, criticality, threat score, and relevant patch information is available in the  Software Vulnerability Research  and  Software Vulnerability Manager  solutions from Flexera. References: [1] https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html ... View more