Provable Cyber Resilience - Cybersecurity Expert

18 November 2014

MS14-066: To Patch or Not to Patch?

Note: Since I originally posted this, Microsoft have updated the MS14-066 patch, which they say now resolves the issues the original patch caused.

A week ago (11th November 2014) Microsoft released a patch for one of the most critical Microsoft vulnerabilities seen in a long time: MS14-066. The vulnerability is in the Schannel (Microsoft Secure Channel) component, which is present in pretty much every version of Microsoft Windows, including the unsupported Windows XP and NT. The vulnerability may allow remote code execution by an attacker, but what makes it stand out as more serious than the typical Microsoft remote code execution vulnerability is that it can be exploited directly over a network connection, and there is nothing that can be done to mitigate it other than switching off your Windows system or disconnecting it from the network.

Microsoft Windows servers and services that have direct Internet connectivity pose the highest risk: whether they are IIS web servers or VPN services, if they are unpatched against MS14-066 they are at high risk of exploitation. But that is not to say users of Windows on desktops and laptops are not at serious risk as well.

Therefore it should be a complete ‘no brainer’ for businesses to quickly apply the MS14-066 patch, but a curveball has been thrown, in that there have been reports of server issues occurring after applying the patch, specifically with TLS 1.2 causing services to hang or disconnect. Microsoft have published a workaround for this issue, which involves deleting the following cipher suites from the registry, a simple enough fix.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
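One way to apply that workaround consistently across servers, as an added example that is not Microsoft's or the original post's code: it removes the four suites from the local Schannel cipher suite order and keeps a copy of the original list as the back-out plan. The registry key and the `Functions` value name are assumptions based on where Schannel keeps its local cipher suite order; run it elevated and test on a non-production server first.

```powershell
# Added example (not from the original post). Removes the four TLS 1.2 GCM cipher
# suites named in the MS14-066 workaround from the local Schannel cipher suite order.
# ASSUMPTION: the order is stored in the 'Functions' value under the key below.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$suitesToRemove = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Read the current order. A REG_MULTI_SZ comes back as a string array; a REG_SZ
# (as used by the Group Policy variant of this setting) is one comma-separated string.
$raw     = (Get-ItemProperty -Path $key -Name Functions).Functions
$isMulti = $raw -is [array]
$current = if ($isMulti) { @($raw) } else { @($raw -split ',') }

# Back-out plan: save the original list to a timestamped file before changing anything.
$backup = Join-Path $env:TEMP ('schannel-functions-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$current | Set-Content -Path $backup
Write-Host "Backed up $($current.Count) cipher suites to $backup"

# Drop the four problem suites and keep the remaining order untouched.
$removed  = @($current | Where-Object { $suitesToRemove -contains $_ })
$filtered = @($current | Where-Object { $suitesToRemove -notcontains $_ })

if ($removed.Count -eq 0) {
    Write-Host 'None of the four suites are present; nothing to change.'
} else {
    if ($isMulti) {
        Set-ItemProperty -Path $key -Name Functions -Value ([string[]]$filtered) -Type MultiString
    } else {
        Set-ItemProperty -Path $key -Name Functions -Value ($filtered -join ',') -Type String
    }
    Write-Host "Removed: $($removed -join ', ')"
    Write-Host 'Reboot (or restart the affected services) for Schannel to pick up the new order.'
}
```

To roll back, write the saved list back to the same value with the same `Set-ItemProperty` call.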

So to the question I have been asked quite a bit this week, should this patch be applied now or should we wait until Microsoft release a more reliable patch?

Well firstly a golden rule of patching critical servers is to test the patch first, as patching always carries a risk of impacting the availability of services and breaking applications. The TLS 1.2 issue is straightforward to test for and simple enough to resolve if found to be a problem in testing.

Another golden rule of patching is to have a back-out plan. Any patch carries a risk of breaking systems and applications, even with testing, so there should always be a written plan to roll back critical systems should a patch cause an issue.

The ‘whether to patch now’ question becomes even more clear-cut when you consider it this way: with this vulnerability remaining present (unpatched), there is a significant risk of a compromise of confidentiality and integrity, whereas applying the patch carries a risk of losing server/service availability.

High Risk of Confidentiality Compromise (unpatched) Vs Low Risk of Availability (patched)

Availability rarely trumps confidentiality in InfoSec, and in my view it certainly doesn’t in this scenario when weighing up the risk of not applying the patch. Remember, there is nothing that can be done to mitigate the risk to an unpatched system other than applying the patch.

Therefore my conclusion is to quickly apply the patch to all Windows systems, testing for the TLS 1.2 issue on any critical systems, and to start by patching all Internet-facing Microsoft services first.

28 September 2014

Why the UK Needs More Cyber Professionals

I am a huge fan of a well made Infographic, as they are an effective way to quickly convey issues backed by statistics, so when Norwich University’s Online Masters Degree in Information Assurance sent me a compelling Infographic they created on 'Why the US Needs More Cyber Professionals', I thought it would be very handy to share it.

The Norwich University Infographic might have 'US' in the title and talk about dollar costs, but you can easily substitute 'UK' for 'US' and £s for $s, as in the UK we too are facing a serious skills shortage of Cyber Security Professionals; just ask any InfoSec recruiter. The Infographic shows the demand for cyber security professionals has grown 3.5 times faster than the demand for other Information Technology professionals in the past five years. This is the simple economics of demand exceeding supply, which is leaving businesses with rudderless information security management and practices, and this in turn eventually leads to needless and expensive compromises.

The question is what is going to be done to tackle this issue: how can we produce a continuous crop of significant numbers of Information Security professionals to keep pace with the demand from UK business?

21 September 2014

InfoSec Blogs You Should Be Reading

The Security Innovation Europe Blog has listed 40 Information Security Blogs You Should Be Reading, which lists some of the best InfoSec bloggers around, and myself. So if you are lacking a bit of information security reading or just want an alternative opinion to the mainstream media InfoSec FUD, you know where to go.

18 July 2014

A developer's guide to complying with PCI DSS 3.0 Requirement 6

I have written the following article for IBM, which was published on IBM's developerWorks:
A developer's guide to complying with PCI DSS 3.0 Requirement 6 (website)

A developer's guide to complying with PCI DSS 3.0 Requirement 6 (PDF)

The Payment Card Industry Data Security Standard (PCI DSS) is a highly prescriptive technical standard aimed at the protection of debit and credit card details, which are referred to within the payments industry as cardholder data. The objective of the standard is to prevent payment card fraud by securing cardholder data within organizations that either accept card payments or are involved in the handling of cardholder data. PCI DSS consists of 12 sections of requirements, and usually responsibility for compliance rests with IT infrastructure support. PCI DSS requirement 6, however, breaks down into 28 individual requirements and sits squarely with software developers involved in the development of applications that process, store, and transmit cardholder data. PCI compliance heavily revolves around IT services, and the IT-focused compliance managers tasked with achieving compliance within organizations often lack the software development knowledge and experience needed to help assure that application development meets the arduous requirements of PCI DSS.

06 July 2014

Xbox One & PS4 Gamer Security

From the very first moment gamers played online, their accounts have been targeted by hackers. But hacking gamer accounts is no longer just about revenge and community kudos. There is serious money to be made from stealing access to gamer accounts, ranging from selling virtual gaming items and gaming currency for real money, to stealing bank account & credit card details. It is a subject I have touched upon several times over the years:

How to keep your Final Fantasy XIV Online Account Safe & Secure
PlayStation Hack: PSN Gamers Security Help
Is Club Penguin Safe for my Child?
World of Warcraft: Does the Internet have controllable Borders?

Last year's launches of Microsoft's Xbox One and Sony's PS4 consoles have swelled the number of online gamers into the millions, so is gamer security a problem that is set to rise?

Yes and no. I think online console gaming security has improved in recent years, as Microsoft and Sony understand that a secure online gaming network is an essential part of their billion pound business model. Poor online gaming availability and the loss of trust of the millions of gamers using their consoles and services equates to a significant loss of revenue, so their motivation for having a decent level of security to protect their gaming systems is clear to see.

There will always be cases of third party gaming websites being breached, resulting in gamer account details being compromised en masse. Website security is an issue that is not going to go away any time soon, regardless of the industry.

New gamers need to be continually educated about the third party risk to their accounts, as many assume there is none. Gamers need to be aware of the various pitfalls set by scammers seeking access to their valuable gaming accounts. The most common gaming account thefts occur due to phishing scams, trojan horse websites and forums, and dodgy third party game plug-ins.

MicroTrend has kindly provided the following "Ahead of the Game" InfoGraphic on gamer security; there are some big numbers in there.



22 June 2014

Scan your app to find & fix OWASP Top 10 2013 vulnerabilities

I have written the following article for IBM, which was published on IBM's developerWorks:

Scan your app to find and fix OWASP Top 10 2013 vulnerabilities (website)

Scan your app to find and fix OWASP Top 10 2013 vulnerabilities (PDF)

Today's modern web applications are more than a match for most desktop PC applications and continue to push boundaries by taking advantage of limitless cloud services. But more powerful web applications mean more complicated code, and the more complicated the code, the greater the risk of coding flaws, which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious actors, bent on profiteering from data theft or gaining online notoriety by causing mischief. This article looks at securing web applications by adopting industry best application development practices, such as the OWASP Top 10, and using web application vulnerability scanning tools.

13 June 2014

Forget Windows XP, Does Unsupported Java pose a Greater Risk to the Enterprise?

Recent research shows 76% of enterprises analysed by Cisco have Java version 6, which Oracle stopped supporting in February 2013, 14 months before the highly publicised end of Windows XP support by Microsoft. Running unsupported Java is arguably a far riskier affair than running unsupported Windows XP in the enterprise, and according to the Cisco 2014 Annual Security Report, the Java problem is going under the security radar.

As most Cyber Security professionals will tell you, you should avoid installing Java unless you really have to have it, as the exploitation of Java vulnerabilities is a typical culprit behind web-based desktop compromises. Recent data from Sourcefire shows that Java exploits make up a staggering 91% of indicators of compromise.


The Java Applet Risk
The highest area of risk with Java lies with Java applets (applications) which are executed within a web browser. The intent is for Java applets to operate in a safe sandbox within the confines of the web browser, limiting the applet’s interaction with the operating system. But this intent does not match up to reality, as hackers are able to write malicious website Java applets which exploit Java vulnerabilities, leading to compromise of the operating system hosting the web browser. Because Java runs on so many platforms, hackers are able to attack most web browsers and most operating systems with the same applet.

Myth Busting: Java has nothing to do with JavaScript. Disabling Java in your web browser or removing Java from your system will not break the vast majority of websites online.

Why old versions of Java are still Present in the Enterprise
The reasons why unsupported versions of Java are still present in the enterprise can often be attributed to internal business applications and custom written Java apps which simply do not work with the latest versions of Java. In other cases a lack of desktop application patch management and desktop application control is to blame, often coupled with low awareness and understanding.

Managing and Mitigating the Enterprise Java Risk

The first course of action is to understand the extent of Java installations within the enterprise. This can be achieved by using application auditing tools to ascertain Java installations, including version numbers and patch level. Next is to review the business reason for each Java installation, ensuring there is a valid reason for its presence, namely to run a specific business application. Sometimes Java is a legacy presence for applications which are no longer used or no longer exist. If there is no reason for Java to be there, remove it and then prevent users from installing it. It is surprising how many users are duped into installing Java on their desktops when visiting websites, when they don’t actually require it.

Where Java is required for an application, verify whether the application is web browser based. If not, disable Java from running within the web browser, preferably by enforcing this using enterprise management tools. This significantly reduces the risk, as it is the potential for users to execute untrusted Java applets while visiting dodgy websites that poses the greatest risk with unsupported Java versions.

Where applications are reliant on old Java versions, it can be just a question of raising the issue with developers and suppliers, and pushing them into making their applications and applets compatible with the latest versions of Java. Sometimes there are cost issues here, as developers tend to charge for software upgrades; however, there really shouldn't be any excuse for applications not to be continually supported and kept secure against vulnerabilities as part of their life-cycle of use. An application that doesn't work with any of Oracle's supported versions of Java can be regarded as having its own security vulnerability. Continued patching of systems and applications is a fundamental enterprise security best practice; neglecting patching leaves doors of vulnerability open for cyber attackers to exploit.
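The first step of the process above, establishing which Java versions are actually installed, can be scripted where no auditing tool is in place. This is an added example and not Cisco's or the original post's code; it assumes Java registers itself in the Add/Remove Programs (Uninstall) registry keys with a DisplayName beginning 'Java' and a DisplayVersion such as '6.0.450' or '7.0.510', and treats anything before Java 7 as unsupported, in line with the February 2013 end of Java 6 support quoted above.

```powershell
# Added example (not from the original post). Inventories Java runtimes on the local
# machine from the Uninstall registry keys and flags versions older than Java 7.
# ASSUMPTIONS: Java entries have a DisplayName starting 'Java' and a dotted
# DisplayVersion whose first component is the Java major release (6, 7, 8 ...).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit installs on 64-bit Windows
)

$java = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like 'Java*' -and
        $_.DisplayName -notlike '*Auto Updater*' -and   # helper component, not a runtime
        $_.DisplayVersion
    } |
    ForEach-Object {
        $major = [int](($_.DisplayVersion -split '\.')[0])
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Major       = $major
            Unsupported = ($major -lt 7)   # Java 6 and earlier: no public security patches
            Source      = $_.PSPath
        }
    })

if ($java.Count -eq 0) {
    Write-Host 'No Java installations found in the Uninstall keys.'
} else {
    $java | Sort-Object Major | Format-Table Name, Version, Unsupported -AutoSize
    $old = @($java | Where-Object { $_.Unsupported })
    if ($old.Count -gt 0) {
        Write-Warning ("Unsupported Java present: " + (($old | ForEach-Object { $_.Version }) -join ', '))
    }
}
```

Run it through your existing remote execution tooling and export `$java` to CSV to build the enterprise-wide picture, then use the Name column to trace each runtime back to the business application that needs it.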

The post is brought to you by Cisco