Compared to last month’s Patch Tuesday, April will be a light drizzle
March saw a sizable release from Microsoft after a missed Patch Tuesday. Any way about it, April will be a lighter month than March. Windows 10 1703 has officially released to MSDN. Windows 10 1507 reaches end of service in May, so for those on the original release branch, now is the time. Start upgrading those systems still on 1507 to prevent not having security exposures.
Last month Microsoft was kind enough to break Internet Explorer updates out of the security only bundles on pre-Windows 10 systems. This was well-received by many companies I have spoken to, allowing them to push updates for IE or everything else but hold the other behind if there was an issue. It doesn’t bring us back to the bulletin level control previously available before the rollup model was implemented, but it’s something.
Some recent news regarding a vulnerability in IIS 6.0 is worth mentioning. The vulnerability in WebDAV could allow an attacker to execute malicious code on a Windows Server running IIS 6.0 with the privileges of the user running the application. IIS 6.0 extended support ended in July 2015 along with Windows Server 2003, but there are still reportedly servicing millions of public web sites, and many companies still host internal websites on Windows Server 2003 on IIS 6.0.
The vulnerability appears to have been known to attacks since at least July or August of 2016, but the proof of concept code being made available on GitHub has exposed the vulnerability and many more attackers will be working on exploits to take advantage of such low-hanging fruit. Mitigation options include disabling the WebDAV extension on these systems, but these systems should ultimately be removed from service and the sites migrated to newer web servers that can be updated. This brings me to the tip of the month: end of life software.
There is no greater threat of exposure than software that is no longer being updated. Software is like milk; it has an expiration date and past that date it will go bad. As software ages the underlying technology it is built on, components it integrates with and protocols it utilizes will be exposed over time.
Leaving EoLed software in your environment is like leaving all of the apples within reach on the tree and climbing a ladder to pick only the ones higher up. Now all that low-hanging fruit is waiting for the threat actor to come by and pick away. EoLed software should be eliminated as quickly as possible. If you plan to keep it around, you better have a number of mitigation strategies in place to ensure it is not exposed, including the following:
- Purchase extended support from the vendor (Java 7, Win XP and Server 2003 are good examples where the vendor offers additional support for a price)
- Remove it from public accessibility (like public web servers)
- Segregate from network — Move it into a VDI environment with accessibility only from essential personnel who are not running as full admins
- Add additional layers of defense like device control and application control
- Implement a form of identity access to the environment.
But best option is still to migrate critical apps or retire them.
Time for the forecast. I would wager that we are going to see a much lighter set of updates from Microsoft this month, which was an easy guess. For third-party updates you can expect updates from Adobe for Flash and very likely Acrobat and Reader. It’s also time for Oracle’s quarterly CPU, which means along with all of Oracle’s other products, we will see a Java update on April 18. Leave some room in your monthly maintenance for a Java update!