Tag Archives: Patching

Security Vendors Says Azure Takes Months to Fix Bugs

The cloud is not magic. Nor does it fix all vulnerabilities. Cases in point.

Two security vendors are accusing Microsoft of unnecessarily putting customers’ data at risk.

The vendors, Orca Security, and Tenable, are not bit players with a grudge, so you have to, at least, listen to them. According to the source:

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure’s Synapse Analytics that he discovered in January. 

And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 


Orca’s bug starts in early January and had a score of 7.8. The bug allowed a remote hacker to bypass the separation between tenants and access and control other customers’ workspaces, including stealing Azure keys, API tokens, and passwords.

While Microsoft patched it two months later, Orca told Microsoft that the patch didn’t work.

Microsoft repatched the bug on April 10, but Orca still said nice try.

Then the two got into a war of blogs. Microsoft said it was blog-fixed and Orca said it was blog-broke.

Several patches later, Orca is about to publish a technical analysis of the vulnerability. Now Microsoft says they really, really fixed it this time. Orca says that they have not had time yet to break these new fixes.

Moving on to Tenable, their CEO wrote a blog post that details Microsoft’s response to a privilege escalation bug that could be exploited by anyone. Microsoft, says Tenable, privately admitted the bugs were serious and silently patched one of the bugs. 89 days after Tenable disclosed them and after they told Microsoft that they were going public with the details.

Other security companies – Wiz, Positive Security, and Fortinet had similar tales.

To add pressure on Microsoft, Orca said that they found bugs in AWS Glue and AWS Cloud Formation and Amazon fixed them in 25 hours.

The current hand-shake agreement is that vendors have 90 days before researchers go public.

That timeline pre-dated AQS and Azure. Vendors do not have to package and test 100 different configurations to fix their own systems, so they ought to be able to do it more quickly.

Amazon is dealing with a much simpler and newer code base, which works in their favor. Microsoft, at some point, is going to have to deal with the backward compatibility dragon that they have been trying to ignore for thirty years.

In the meantime, the customers – you and me – get to deal with a less than perfect system.

Caveat emptor.

Credit: The Register

How Long Does it Take to Fix Your Bugs?

The average time to weaponize a new bug is seven days. that means that you have about half that time to harden your system to that attack. Almost no one regularly patches serious bugs that quickly. In 2019 Threatpost said that it took organizations 102 days to patch (see link above). That was in 2019.

What has happened since then?

NTT Application Security says that the average time to fix is on the rise while the time for severe bugs is down a little bit.

NTT says the average time to fix vulnerabilities has dropped since last month from 205 days to 202 days.

Note that is basically double what it was in 2019. Down is a relative term.

That number is actually up since January 1. In January the average time was 197 days.

The average time to patch “high” vulnerabilities grew from 194 days in January to 246 days in June.

Remediation rates for critical vulnerabilities fell from 54% in January to 48% in June. The rate for high vulnerabilities fell from 50% at the beginning of the year to 38% at the end of June.

NTT is in the business of managing companies security, so they have a lot of actual data.

More than 65% of applications in the utilities sector had at least one serious bug throughout the year – exploitable bugs.

Given that it takes hackers no more than 7 days to figure out how to exploit bugs and it takes businesses 200+ days to deploy patches, it is not surprising that hackers can take down a gasoline pipeline or almost poison a water supply. Or ransom thousands of companies.

Even if the numbers were flat since January, which they are not, that still means 7 days for the hackers, 200 days for the defenders.

And the part about 65% of the applications in the utility sector were not fully patched during the entire year. That’s pretty scary.

Of course, there is almost no consequence for businesses to ignore the problem.

After all, they are the victims.

I’m not so sure.

Credit: ZDNet

New Security Metrics to Consider – 24/72 and 1/10/60

Once a new bug is publicly announced, it takes, on average, seven days for bad guys to figure out how to weaponize it.

Experts say that this means that you need to harden your systems against that new attack within 72 hours.  That is not very long, even for the best of operations.

How long does it take the average organization to close holes?

On average – 102 days or 15 times the amount of time it takes to weaponize it.

Once a vulnerability is disclosed, it is a race between the good guys and the bad guys to either  fix it or abuse it.

Some examples:

Microsoft patched Bluekeep, a bug that was very well publicized in May 2019.   It was also explained why it was critical to patch.  In December 2019, there were at least 700,000 machines publicly exposed and still vulnerable.

Remember Wannacry?  Sophos says that there are still a large number of machines not patched against it – two years later.

Zero day attacks are even worse – best practice says that they should be patched in 24 hours.

To add to the complexity of the problem for IT, these fixes need to be tested.

So if the benchmark for MEAN TIME TO HARDENING is 24 HOURS FOR ZERO DAYS AND 72 HOURS FOR OTHER FIXES, IT has got a lot of work to do.

The cousin of this is incident response.  Crowdstrike sets the benchmark at 1/10/60.

For those of you not familiar with this benchmark, it means:


These two goals really important and also really hard.  Almost no organizations can currently do this.

These two goals interact with each other.  If we can close off enough holes then we make it harder for the bad guys.  This allows IT to focus on the remaining attacks.

For IT, the battle is basically the need for speed.

So here are the recommendations:

24/72 (hours) for patching

1/10/60 (minutes) for incident response

For almost all organizations, this is a big project.  Everybody ready?

Source: Threatpost

News Bites for the Week Ending November 16, 2018

DEA and ICE buying Surveillance Cameras Hidden in Streetlights

I am not particularly surprised and it certainly is not illegal  in any way, but apparently DEA and ICE have purchased $50,000 of security cameras that record video and sound, hidden in streetlights.

If $50,000 is what they spent, it would cover a small number of cameras, so this is not “mass surveillance”.

DEA issued another solicitation for concealments to house a pan-tilt-zoom camera, cellular modem and video compression technology.  Again, not a big surprise.

Overall, this is just the government using tech that is out there and other governments, both friendly and not so friendly, have been doing this for years (think Britain and China, for example).

On the other hand, if you are planning on committing a crime – SMILE, you may be on candid camera.  Source: Quartz .


The Gov is Sharing (Some) of the Malware it Finds

In what most people would agree is something long overdue, Cyber Command is going to start sharing unclassified malware that it finds with the tech community.  It is going to upload those samples to Virus Total, the shared virus repository that the tech community uses, and tweet about it each time they do.  Some malware, of course, they won’t share, but this allows the anti virus vendors to make sure that they can detect these new malware samples.  Source: ZDNet.


HSBC Discloses Data Breach but Few Details

Megabank HSBC said that less than 1% of US customer account data was compromised, but didn’t say what the number is.  Information taken includes name, address, bank account information, transaction history and more.  As global privacy rules become more intense, getting away with “some bad guys got away with some stuff” will be harder for businesses to use as an acceptable disclosure.  Likely the bank is still trying to understand the scope of the breach.   *IF* EU customers were affected, then this would be a post-GDPR breach as well.

It appears that this may have been a situation where the bank’s employees were not protecting their passwords well enough.  We don’t know if the credentials taken were for an administrator or not.

This is why the *LAW* in states like New York require financial institution administrators to use two factor authentication.  Source BBC .


U.S. Aligns with Russia, China and North Korea by Not Signing the Paris Call for Trust and Security in Cyberspace

It is not often that the U.S. interests align with countries like North Korea, but when it comes to hacking in cyberspace, it apparently does.  The U.S. did not sign the Paris Call non-binding agreement this past weekend when over 50 other countries and hundreds of businesses signed it. Companies like Facebook, Google and Microsoft, who did sign the agreement, have a vested financial interest in having their customers think the Internet is safe and the companies actively support that.  The U.S. government has less direct incentives although most of the large Internet content companies are U.S. based.  It could be that countries like North Korea, China and the U.S. don’t want to be limited in who they hack and how.  In any case, it just shows that Cyberspace is still a bit of the wild west when it comes to security and, like in the old west, you better bring your cyber-gun to the party to protect yourself.  Source: Washington Post.


Google Outage Caused by Traffic “Accidentally” Being Routed Through China

Interesting timing.  Following on from my wild, wild west comment above —

BGP hijacking has become a well honed art form by China (and others).  BGP, the preferred routing protocol of all ISPs and many large companies, has no security in it and anyone can”advertise” that they own an IP address block with no current way to stop them.  After the fact – when the owner is down – it can recover from it.  If the attacker is stealthy, they capture the traffic and, after a really small delay, send it on its way.  They now own a copy of the traffic which they can try and decrypt at their leisure.  China is likely very good at decrypting traffic.

In this case, however, parts of Google went dark when some of their traffic was hijacked in a BGP attack and some users were down.   Google says this was an accident, which is possible.  Also possible is that it was made to look like an accident.

Curiously, this “error” started with a small ISP in Nigeria.  How hard would it be for China to compromise a small African ISP or even pay them to accidentally make a mistake?

Data compromised includes data from Google’s VPN service and their corporate backbone.  Again, a coincidence?

The Internet Engineering Task Force is working on securing BGP, but it will be years before that happens on any large scale.

What is for certain is that China now has a lot of data to decrypt.  Source: Ars Technica.


This is Getting Old – Patch Now!

IF you haven’t gotten patching religion yet, here are, quickly, some more reasons JUST from today. —

ZERO DAY exploits (previously unknown) found in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – details here.

As people start looking at the magic that allows computers to go fast, they are discovering that speed kills, figuratively speaking.  SO, we have *SEVEN*, yes seven new Meltdown and Spectre bugs that affect Intel, AMD and ARM chips – details here.  Some of these are mitigated by existing fixes but others are not.

*63* new Windows bugs, twelve of which are critical and some of which are zero days are patched this month – see details.  ONE OF THREE ZERO DAYS IS ALREADY BEING EXPLOITED IN THE WILD BY HACKERS.

And finally, a Facebook attack which allows an attacker to steal data from your Facebook search results, in the background, invisible to you.  Through the magic of the cloud, Facebook has already patched this, so you don’t need to do anything to fix it – details here.

Patching is Critical

Three news items today – different platforms, but one common message.

#1 – A new iPhone passcode bypass was found within hours of the release of iOS 12.1.  This follows on from the passcode bypass fixed in 12.0 and another iPhone passcode bypass in 12.0.1.  As iOS becomes more bloated (or feature rich, depending on your perspective), more bugs are likely to appear (source: The Hacker News).

#2 -Microsoft quietly patched a bug in Windows 10 that allowed certain Universal Windows Platform applications that had certain permissions to access user’s files without their knowledge.    The update changed the default for the “Broad FileSystemAccess” permission to OFF by default.  Up until now, it was ON by default.  Users may need to selectively turn that on now if the user feels that is safe (Source: The Hacker News).

#3 – Researchers tattled on Microsoft regarding a bug or feature in Word 2016 and earlier versions that allow a hacker to abuse Word’s (bloated?) feature that allow you to embed online videos.

Since a Word file is really a zip file, all a hacker has to do is embed a video link, such as to YouTube and then open the zip file separately outside of Word.  The zip file contains an XML configuration file that contains the embed code.  A hacker could edit that code and put in any link or javascript that the hacker wanted and that code would be silently executed when you open the document and click on the video.

The researchers gave Microsoft 90 days to fix the bug.  Microsoft says that they think it is a feature.  It likely is a feature, but a really poorly designed one.

Enterprise admins should update their anti-malware software to BLOCK any Office documents that contain the embedHTML tag.

Unfortunately, now that the cat is out of the digital bag, hackers will be looking at other similar ways to infect your user’s computers (Source: The Hacker News ).

So what is a user – or system admin – to do?

The first thing to do is to make sure that your patch management process is working.  That does not just mean your operating system patches, but also every single application installed on every computer.   Office is high up on that food chain, but things like Acrobat are targets too.  Adobe released 47 patches to Acrobat this last month that they rated CRITICAL,  46 of them allowed for REMOTELY executing arbitrary code if you use Acrobat to open PDFs in your browser.  FoxIt, an Acrobat replacement, released 116 patches this month.  The numbers are insane. 

If you look at all of your computers, you are running way more applications than you think you are – likely hundreds – probably many hundreds.  And it does not matter if you are using the apps.  In fact, unused apps are worse, because you are less likely to patch them.


The second thing to do, and it can be time consuming, is read security intelligence alerts such as this blog and our separate client alerts.  You have to know at least as much as the bad guys.

Sorry there is no easy fix!

NSA Offers Gift That Keeps on Giving

Sometimes the gift that keeps on giving is good.  Other times, it is not so good.

In this case, it is not so good.

You may remember the Wannacry ransomware attack last year.  That virus, which took many organizations back to the stone age of computing (i.e., a pencil and paper), infected and took down organizations like the UK’s National Health Service, parts of Fedex, Hitachi, Honda and hundreds if not thousands of other organizations, many unknown, was enabled by a gift written by the NSA called ETERNAL BLUE.  Eternal Blue was designed to be a gift given to our enemies, but managed to get out in the wild and be used by the bad guys to infect hundreds of thousands of computers in at least 150 countries and cost companies billions of dollars to fix.

If it weren’t for Eternal Blue, this attack would not have worked.  Funny thing is that, like the Equifax breach, the vendor (in this case Microsoft) had released a patch months before the attack.

Of course, some people are good about applying patches while others are not so good.

A year later, the NSA gift called Eternal Blue is still giving.  There are still at least a million computers that are not patched and hackers are using Eternal Blue to launch a new attack.  After all, why bother to use new, unknown attacks and risk them being discovered, when the same old attacks as last year still work.

Right now, today, the attackers are using this attack to mine crypto currency on the infected computers.  However, if that stops being profitable.  ENOUGH profitable.  Well then, these computers are already zombies, so the zombie controller could just turn this into a massive denial of service attack or a massive ransomware attack.  Or whatever.  Or more than one thing.

The simple thing is that there are Windows patches available to be installed.  Also, you can disable the protocol that the attack uses.

Either way, there is no reason why this attack should still work.

But, since people aren’t really diligent about patches and especially patches on phones, tablets and IoT devices, the hackers will continue to have a field day and businesses will lose millions.  Some are already going out of business due to ransomware attacks.  

Just think about that for a minute.

Information for this post came from ZDNet.