Patching is Critical

Three news items today – different platforms, but one common message.

#1 – A new iPhone passcode bypass was found within hours of the release of iOS 12.1.  This follows on from the passcode bypass fixed in 12.0 and another iPhone passcode bypass in 12.0.1.  As iOS becomes more bloated (or feature rich, depending on your perspective), more bugs are likely to appear (source: The Hacker News).

#2 – Microsoft quietly patched a bug in Windows 10 that allowed Universal Windows Platform applications with certain permissions to access users’ files without their knowledge. The update changed the default for the “Broad FileSystemAccess” permission to OFF. Up until now, it was ON by default. Users may now need to selectively turn it on for individual apps if they feel that is safe (Source: The Hacker News).

#3 – Researchers tattled on Microsoft regarding a bug or feature in Word 2016 and earlier versions that allows a hacker to abuse Word’s (bloated?) feature that allows you to embed online videos.

Since a Word file is really a zip file, all a hacker has to do is embed a video link, such as one to YouTube, and then open the zip file separately outside of Word. The zip file contains an XML configuration file that holds the embed code. A hacker could edit that code and put in any link or JavaScript that the hacker wanted, and that code would be silently executed when you open the document and click on the video.

The researchers gave Microsoft 90 days to fix the bug.  Microsoft says that they think it is a feature.  It likely is a feature, but a really poorly designed one.

Enterprise admins should update their anti-malware software to BLOCK any Office documents that contain the embeddedHtml tag.
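A minimal scanner for the blocking rule above, as an added example that is not from the original post or from any vendor's product: it opens the document as the zip file it is and flags any XML part carrying the embeddedHtml attribute (the tag named above). The function names, the size cap and the sample document are constructed for illustration.

```python
import html
import io
import re
import zipfile

MAX_PART = 20 * 1024 * 1024  # read cap per part, guards against zip bombs
# embeddedHtml="..." or '...' anywhere in a part, whatever the namespace prefix
EMBED_RE = re.compile(rb"embeddedHtml\s*=\s*([\"'])(.*?)\1", re.I | re.S)

def scan_docx(data: bytes) -> list:
    """Return (part name, decoded embeddedHtml value) for each hit in an OOXML file."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container (e.g. legacy .doc): out of scope here
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            with zf.open(info) as part:
                body = part.read(MAX_PART)
            for m in EMBED_RE.finditer(body):
                value = m.group(2).decode("utf-8", "replace")
                hits.append((info.filename, html.unescape(value)))
    return hits

def should_block(data: bytes) -> bool:
    """Policy from the post: block any Office document carrying the attribute."""
    return bool(scan_docx(data))

def make_sample(with_video: bool) -> bytes:
    """Constructed minimal .docx-like zip for testing; not a complete Word file."""
    video = ('<wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;https://video.example/'
             'embed/ID&quot;&gt;&lt;/iframe&gt;" h="315" w="560"/>') if with_video else ""
    doc = f"<w:document><w:body><w:p>{video}</w:p></w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("video", make_sample(True)), ("plain", make_sample(False))):
        print(label, should_block(blob), scan_docx(blob))
```

The decoded value is returned so a mail gateway or triage script can log what the embed code actually points to. The byte-level match assumes UTF-8 encoded parts, which is what Word writes.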

Unfortunately, now that the cat is out of the digital bag, hackers will be looking at other similar ways to infect your users’ computers (Source: The Hacker News).

So what is a user – or system admin – to do?

The first thing to do is to make sure that your patch management process is working. That does not just mean your operating system patches, but also every single application installed on every computer. Office is high up on that food chain, but things like Acrobat are targets too. Adobe released 47 patches to Acrobat this last month that they rated CRITICAL; 46 of them allowed for REMOTELY executing arbitrary code if you use Acrobat to open PDFs in your browser. Foxit, an Acrobat replacement, released 116 patches this month. The numbers are insane.

If you look at all of your computers, you are running way more applications than you think you are – likely hundreds – probably many hundreds.  And it does not matter if you are using the apps.  In fact, unused apps are worse, because you are less likely to patch them.


The second thing to do, and it can be time consuming, is to read security intelligence alerts such as this blog and our separate client alerts. You have to know at least as much as the bad guys.

Sorry there is no easy fix!
