Patch Tuesday, August 2019 Edition

13 Aug 2019

Most Microsoft Windows (ab)users probably welcome the monthly ritual of applying security updates about as much as they look forward to going to the dentist: It always seems like you were there just yesterday, and you never quite know how it’s all going to turn out. Fortunately, this month’s patch batch from Redmond is mercifully light, at least compared to last month.

Okay, maybe a trip to the dentist’s office is still preferable. In any case, today is the second Tuesday of the month, which means it’s once again Patch Tuesday (or — depending on your setup and when you’re reading this post — Reboot Wednesday). Microsoft today released patches to fix some 93 vulnerabilities in Windows and related software; 35 of them affect various Server versions of Windows and 70 apply to the Windows 10 operating system (the two groups overlap, since many of the flaws affect several versions of Windows).

Although there don’t appear to be any zero-day vulnerabilities fixed this month — i.e. those that get exploited by cybercriminals before an official patch is available — there are several issues that merit attention.

Chief among those are patches to address four moderately terrifying flaws in Microsoft’s Remote Desktop Services (RDS), the feature that allows users to remotely access and administer a Windows computer as if they were actually seated in front of it. Security vendor Qualys says two of these weaknesses can be exploited remotely without any authentication or user interaction.

“According to Microsoft, at least two of these vulnerabilities (CVE-2019-1181 and CVE-2019-1182) can be considered ‘wormable’ and [can be equated] to BlueKeep,” referring to CVE-2019-0708, a dangerous bug patched in May that Microsoft warned could be used to spread another WannaCry-like ransomware outbreak. “It is highly likely that at least one of these vulnerabilities will be quickly weaponized, and patching should be prioritized for all Windows systems.”

Fortunately, Remote Desktop is disabled by default in Windows 10, so these flaws are mainly a threat to enterprises that have enabled it for various purposes. Microsoft lists the affected versions as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including the server editions; unlike BlueKeep, this batch does not affect Windows XP, Server 2003 or Server 2008. Requiring Network Level Authentication (NLA) is only a partial mitigation: it keeps unauthenticated attackers away from the vulnerable code, but anyone holding valid credentials can still reach it, so patch rather than rely on NLA. For those keeping score, this is the fourth time in 2019 Microsoft has had to fix critical security issues with its Remote Desktop Services.
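As an added example (not code from the original post), here is a PowerShell check of the three facts that decide how much this batch matters to a given machine: whether Remote Desktop is enabled, whether Network Level Authentication is required, and whether any updates have been installed since this Patch Tuesday. The registry locations are the documented ones; the 13 August 2019 cut-off date and the "patched" heuristic are this example's assumptions, because Windows does not locally map installed KBs to CVEs.

```powershell
# Added example, not from the original post: audit a Windows host for exposure to the
# August 2019 Remote Desktop Services flaws. It reads documented registry locations only.
# The cut-off date is the August 2019 Patch Tuesday (13 Aug 2019); since installed KBs are
# not mapped to CVEs locally, "patched" here means "updates were installed on or after that
# date", and you still confirm the right cumulative update is present for your build.
function Test-RdsExposure {
    param([datetime]$PatchTuesday = (Get-Date '2019-08-13'))

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 is the Windows 10 default (Remote Desktop off); 0 means enabled.
    $denyTs = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before a session is built.
    $nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    $rdpEnabled  = ($denyTs -eq 0)
    $nlaRequired = ($nla -eq 1)
    # Is the RDP port actually listening? (host firewall rules are a separate question)
    $listening = $null -ne (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    # Newest installed hotfix; the August cumulative update should carry this date or later.
    $latestFix = Get-HotFix | Where-Object InstalledOn |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patched  = ($null -ne $latestFix) -and ($latestFix.InstalledOn -ge $PatchTuesday)
    $fixLabel = if ($latestFix) { "$($latestFix.HotFixID) on $($latestFix.InstalledOn.ToString('yyyy-MM-dd'))" } else { 'none recorded' }

    if (-not $rdpEnabled) {
        $verdict = 'Remote Desktop disabled: these RDS bugs are not reachable over the network.'
    } elseif ($patched) {
        $verdict = 'Remote Desktop enabled; updates installed since Patch Tuesday. Confirm the August cumulative is among them.'
    } elseif ($nlaRequired) {
        $verdict = 'Remote Desktop enabled and not yet patched. NLA blocks unauthenticated attackers only; patch now.'
    } else {
        $verdict = 'Remote Desktop enabled, unpatched, NLA not required: exposed to pre-auth RCE. Patch immediately.'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        RdpEnabled      = $rdpEnabled
        RdpListening    = $listening
        RdpPort         = $port
        NlaRequired     = $nlaRequired
        LatestHotFix    = $fixLabel
        PatchedSinceAug = $patched
        Verdict         = $verdict
    }
}

Test-RdsExposure | Format-List
```

Run it on each host you manage (it needs no elevation, since it only reads HKLM and the TCP table) and treat anything other than the first verdict as a patching priority; the NLA verdict is deliberately not a pass, for the reason given above.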

For all you Microsoft Edge and Internet Explorer users, Microsoft has issued the usual panoply of updates for flaws that could be exploited to install malware after a user merely visits a hacked or booby-trapped Web site. Other equally serious flaws patched in Windows this month could be used to compromise the operating system just by convincing the user to open a malicious file (regardless of which browser the user is running).

As crazy as it may seem, this is the second month in a row that Adobe hasn’t issued a security update for its Flash Player browser plugin, which is bundled with IE/Edge and Chrome (although now hobbled by default in Chrome). However, Adobe did release important updates for its Acrobat and free Reader PDF products.

If the tone of this post sounds a wee bit cantankerous, it might be because at least one of the updates I installed last month totally hosed my Windows 10 machine. I consider myself an equal OS abuser, and maintain multiple computers powered by a variety of operating systems, including Windows, Linux and MacOS.

Nevertheless, it is frustrating when being diligent about applying patches introduces so many unfixable problems that you’re forced to completely reinstall the OS and all of the programs that ride on top of it. On the bright side, my newly-refreshed Windows computer is a bit more responsive than it was before crash hell.

So, three pieces of advice. First off, don’t let Microsoft decide when to apply patches and reboot your computer. On the one hand, it’s nice that Microsoft gives us a predictable schedule for releasing patches. On the other, Windows 10 will by default download and install patches whenever it pleases, and then reboot the computer, unless you change that setting.

For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Secondly, it doesn’t hurt to wait a few days to apply updates. Very often fixes released on Patch Tuesday have glitches that cause problems for an indeterminate number of Windows systems. When this happens, Microsoft then patches their patches to minimize the same problems for users who haven’t yet applied the updates, but it sometimes takes a few days for Redmond to iron out the kinks.

Finally, please have some kind of system for backing up your files before applying any updates. You can use third-party software for this, or just the options built into Windows 10. At some level, it doesn’t matter. Just make sure you’re backing up your files, preferably following the 3-2-1 backup rule (three copies of your data, on two different kinds of media, with one copy kept off-site). Thankfully, I’m vigilant about backing up my files.
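The three pieces of advice above, put into one PowerShell script (an added example, not from the original post). It assumes a Windows 10 Pro or Enterprise machine that honours the documented Windows Update Group Policy registry values (Home editions largely ignore them), a placeholder backup location ($BackupRoot) and a delay of your choosing ($WaitDays); run it from an elevated prompt. The pending-update list comes from the built-in Windows Update Agent COM API, so that part needs to reach Windows Update or your WSUS server. The backup check only proves that something recent landed in one place; it is a stand-in for, not a verification of, a full 3-2-1 scheme.

```powershell
# Added example, not from the original post: take control of when Windows 10 patches and
# reboots, hold monthly updates back for a few days, and refuse to patch without a fresh backup.
# Assumptions: Pro/Enterprise edition (policy keys are honoured), $BackupRoot is a placeholder
# for wherever your backup job writes, and $WaitDays is the settling period you want.
$WaitDays     = 4             # "wait a few days" before taking a fresh Patch Tuesday batch
$BackupRoot   = 'D:\Backups'  # placeholder path; point it at your real backup target
$MaxBackupAge = 7             # days; anything older than this does not count as a current backup

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
New-Item -Path $auKey -Force | Out-Null   # creates both policy keys if they do not exist

# 1. You decide when to install and when to reboot.
#    AUOptions 2 = notify before download and before install (3 = auto-download, notify before install).
Set-ItemProperty -Path $auKey -Name NoAutoUpdate                  -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions                     -Value 2 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# 2. Let Redmond patch its patches first: defer quality (monthly) updates by $WaitDays (policy range 0-30).
Set-ItemProperty -Path $wuKey -Name DeferQualityUpdates             -Value 1         -Type DWord
Set-ItemProperty -Path $wuKey -Name DeferQualityUpdatesPeriodInDays -Value $WaitDays -Type DWord

# 3. No patching without a recent backup: find the newest file under the backup root.
function Test-RecentBackup {
    param([string]$Root, [int]$MaxAgeDays)
    if (-not (Test-Path $Root)) { return $false }
    $newest = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    return ($null -ne $newest) -and ($newest.LastWriteTime -gt (Get-Date).AddDays(-$MaxAgeDays))
}

# What is pending, and how fresh is it? Uses the Windows Update Agent COM API that ships with Windows.
function Get-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Released = $u.LastDeploymentChangeTime
            AgeDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
            Title    = $u.Title
        }
    }
}

$pending = Get-PendingUpdates
$pending | Format-Table KB, Severity, AgeDays, Title -AutoSize

$tooFresh = @($pending | Where-Object AgeDays -lt $WaitDays)
if ($tooFresh.Count -gt 0) {
    Write-Warning "$($tooFresh.Count) pending update(s) are younger than $WaitDays days; consider waiting for the kinks to be ironed out."
}

if (Test-RecentBackup -Root $BackupRoot -MaxAgeDays $MaxBackupAge) {
    Write-Host "Backup check passed. Install when ready from Settings > Update & Security > Windows Update."
} else {
    Write-Warning "No backup newer than $MaxBackupAge days under $BackupRoot. Back up before installing anything."
}
```

The policy values take effect after the Windows Update client next evaluates policy (a reboot or `gpupdate /force` hurries it along); the deferral counts from each update's release date, so the `AgeDays` column and the deferral period are measuring the same thing from two sides.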

And, as ever, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Tags: August 2019 Edition, Microsoft Patch Tuesday


Speak Up and Take Risks: Featuring the Perspectives of Symantec Women in APJ – Part Two

As we said in part one of our Women in APJ series, achieving global gender equality depends on the empowerment of women. Only when we are willing to systematically address attitudes, laws, and policies will we start to see tangible change. As a global company, Symantec has a profound opportunity to lead the charge toward global gender equality and further women’s empowerment in all aspects of our organization – from our employees to our customers to the countless communities we are involved in. Together we will empower women across the globe. 

Tapping into the knowledge and expertise of current female leaders will help carve a new path for women everywhere. With this in mind, we’ve asked some of Symantec’s incredible women leaders in the APJ region two questions: 

  • What advice would you offer your younger self?
  • What do you see as the biggest opportunities and challenges for young women today?  

We think that women all over the world – and people of all genders – will find their answers insightful and inspiring. This is part two of a three-part series. 

Caroline Wheeler – Enterprise Sales Account Manager, Australia

Before I had kids, I had very different goals and a different work-life balance. For me it’s not an age thing, but definitely a ‘kids’ thing. I used to be way more driven and aggressive. I probably didn’t see things from the other side often enough or step back before I made a decision. My advice to my younger self would be: 

  • Know what you like and don’t like, and be honest about it, because both still need to be managed.
  • You don’t have to like everyone, but you do need to be pleasant to everyone.
  • Doubt has killed more dreams than failure ever has; failure is an opportunity in disguise.
  • Nothing will work unless you do.

While you’re young and relatively free, find the time to push yourself more, spend time with mentors and successful people, and see how they do things. Network outside of the normal day with industry peers. Ask lots of ‘why’ and ‘so what’ questions to internal peers to find out what goes on and what does and doesn’t work. At some point – because of kids, sickness, or other unforeseen factors – you won’t have bandwidth for these time-consuming opportunities, and you might have to compromise and just focus on getting your job done. Most of us are in a customer service industry (sales, support, internal customers) and you have to get to know your customers and what makes them tick. Always ask yourself if you were the customer: Would I be happy with the situation? And was I listened to?

BrandPost: Cybersecurity is a Team Sport

Cybersecurity relies on specialists of every kind – CISOs, network and systems administrators, cloud experts, human resources and more – to achieve success. It takes a true team to avoid the pitfalls of failing controls and successful attacks. And just like team sports, cybersecurity has rules and playbooks that help everyone stay safe and provide guidance on how to succeed. One type of ‘playbook’ in cybersecurity is the set of frameworks your organization can follow to improve its cyber defenses. Some follow a risk-based model, others a prescriptive one. The CIS Controls are one well-known security best-practice framework based on real attack data and a consensus development process involving an international group of volunteers. The consensus process brings together cybersecurity experts from multiple industries around the world to create a prioritized list of cyber defense actions. Formerly known as the SANS Top 20, the CIS Controls are used by organizations around the world to protect their systems and data from cyber attacks.

Because of multiple security regulations and standards, organizations often choose to implement more than one framework. For example, a local hospital may need to meet privacy requirements under GDPR, payment card security requirements under PCI DSS, and health data security requirements under HIPAA. Because the CIS Controls offer prioritized security guidance and are mapped to various standards and regulations, some users have described them as a useful “on-ramp” to regulatory compliance.

No matter which cybersecurity framework(s) you choose to implement, you’ll want to measure against it to see how your team fares. Without taking score, how will you know if you’ve really improved your organizational cyber defenses?

It’s important to look at your organization’s overall cyber defensive actions, not just those within a particular department. Once you’ve identified a security framework to put in place, see if it offers any tools or other resources to help you measure your implementation. Ideally, everyone on the team can record their work towards a particular security control, and you’ll want to track the implementation of the cybersecurity program over time, hopefully watching your security posture improve. You can record security control implementation manually or use a tool such as CIS CSAT (CIS Controls Self-Assessment Tool). CIS CSAT provides a free method for organizations to track their implementation of the CIS Controls. It lets different team members answer security control assessment questions, ensuring accountability across the organization. After all, in many organizations the person responsible for adding email SPF records may not be the same person responsible for securing workstations. CIS CSAT helps the entire team take part in the security journey. Organizations using CIS CSAT can also:

  • Delegate questions to other team members
  • Set deadlines for each CIS Control and sub-control
  • Collect documentation related to your findings
  • Capture team discussion about each assessment question

Over time, your organization should be able to implement more and more of whichever security framework(s) you decide on. But you’ll never know if you aren’t keeping score! Measure your security control implementation not just once, but on a regular cadence. Doing so at scheduled intervals will help you identify gaps in security and remediate them. You can also see whether your organization is improving its adherence to cybersecurity regulations over time. Organizations can measure their compliance with the CIS Controls over time using CIS CSAT. Assessment results from CIS CSAT can be exported per department or organizational unit, or you can take a more holistic view of the entire organization’s security. With cross-mappings to additional security frameworks like NIST SP 800-53 and PCI DSS, you can also track your alignment between other best practices and the CIS Controls. This free tool also allows you to anonymously compare your results to the average of your industry or other peer groups to help drive the direction of your security program.

As I mentioned, it takes a whole team in order to achieve a strong cyber defense posture. From everyday users spotting a phishing attempt on the frontlines to hardened IT experts building strong firewall rules, it’s up to all of us. By choosing a strong program, measuring implementation, and tracking your security controls over time, your team can win big. And remember, there’s always room to grow more secure in our habits – insofar as cybersecurity can be considered a game, our truest opponents are always ourselves. 

About the Author

Philippe Langlois

Technical Product Manager for the CIS Controls®

Philippe Langlois is currently a Technical Product Manager for the CIS Controls®. In this role, he leads an international community of cybersecurity experts who develop best practices which help mitigate the most prevalent cyber threats. He manages the production, writing, and publication of a range of cybersecurity resources. Working in collaboration with users of the CIS Controls, he ensures the quality and utility of the guidance, plus the availability of tools, scripts, and other resources aiding users with implementation of the CIS Controls.