Tim Lovegrove
Security Analyst
Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup. While Microsoft continue their trend of releasing big updates, June is a relatively uneventful month so we’ll take the opportunity to dig into some other notable updates and releases happening at the moment.
Microsoft
With 129 CVE’s addressed in June, Microsoft have released one of their largest update packages of recent times. There’s a high prevalence of Elevation of Privilege bugs this month – the ability for an attacker to raise their privileges on the victim’s computer in order to further the attack. This gives an attacker a wide array of possible routes in, especially when paired with remote code execution bugs, of which there are also several this month. The good news is that few of these exploits are being actively targeted at the time of writing.
The most notable update this month is to fix “SMBleed”, an information disclosure attack on SMB v3 that was discovered alongside the recently revealed “SMBGhost” bug. SMBleed enables a remote code execution attack via unauthenticated SMB messages being fired at a vulnerable server. It’s rare for SMB to be accessible over the internet these days thanks to the famous WannaCry malware attack, which revealed the surprisingly widespread practice of permitting SMB ports 139 or 445 in and out of corporate networks. Internal networks may be less tightly configured though, and an attacker with a presence on the network could use this technique to strengthen that foothold and move laterally. A timely post by Microsoft’s Ned Pyle describes the steps for administrators to ensure servers and end-user devices have the built-in Windows Defender Firewall configured to protect against SMB attacks and that any unnecessary SMB services are stopped. With hindsight, this post may not be as random or coincidental as it first looked!
Aside from the regular monthly updates, the major Windows 10 release cycle comes around with version 2004 being pushed to devices from late May/early June. This brings with it a number of new features, capabilities and functionality, but has also had some compatibility issues and may not be made available to all devices.
Some notable features include Windows Hello, a passwordless authentication feature that uses biometrics or pin numbers at log in. We particularly love the Hello Face logon to laptops and tablets, which is quick and seamless on newer devices and integrates with Azure AD environments. Also of note from a security perspective is the roll-out of Application Guard and System Guard, advanced extensions of Windows Defender that offer sandboxing and low-level system protection. These two features are too extensive to detail here, but plenty of resources exist to review their capabilities and plan for their deployment. Anyone running or looking to move to Defender ATP will want to look at these extensions.
Adobe
Adobe keep things simple with just a single update to Flash this month. The official end-of-life date for Flash is slated as the 31st December 2020, and while it’s now deprecated across most browsers, there are no doubt a few custom applications and sites out there that rely on it still. 6 months isn’t as long as it seems, so plan to move away from those final few Flash-based apps ASAP.
VMWare
Not really an update, but VMware recently announced that the End of General Support date for ESXi 6.5 has been pushed out to November 2021 due to the ongoing COVID-19 situation. Many administrators have been unable to physically access their systems, relying on remote admin tools and out-of-band management to keep systems running over the last few months. While it’s perfectly possible to upgrade these systems without being sat next to them, it’s a task that few administrators will want to risk doing without the ability to get to the physical machine if the worst happens. And if the update requires a hardware replacement as well, you’re out of luck if you can’t get to your datacentre. The extension buys everyone a bit of breathing space.