Welcome once again to the Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases. Surprisingly, we got nothing from Adobe this month, so we’ll dig into some other vendors who have major releases.
Microsoft's release this month is smaller than other recent Patch Tuesdays, with 9 Critical vulnerabilities out of a total of 59. Of these, browsers form the largest group, with a number of updates for Internet Explorer continuing to patch issues first addressed by an out-of-band update dropped in September. This emergency release in September led to scattered reports of certain browser-based admin consoles becoming unresponsive, which is a reminder to carefully test updates before pushing them network-wide.
There are more RDP fixes, this time for a vulnerability affecting RDP users tricked into connecting to a poisoned RDP server. Similarly, a maliciously crafted Excel file can be used to install malware via a bug in both the Windows and Mac versions of Office. The usual advice – update your end-user devices ASAP, and carefully test the updates before deploying to your servers on a suitable schedule.
Apple & Android
Apple dropped iOS 13 in mid-September, bringing with it new features and security capabilities. Dark Mode is the thing everyone has been raving about, while the Photos app has undergone a substantial overhaul to marry it with the new capabilities of the iPhone 11 Pro cameras. More notable from a security perspective is the ability to manage Location settings in a more granular fashion, giving control over tracking features back to the user. Apple has already dropped a number of patches for bugs and security flaws.
Not to be left out, Android 10 was released by Google at the start of September. Initially available for Google’s own Pixel phones, the OS will start rolling out to other Android platforms in the coming months. Unsurprisingly, the OS also features a Dark Mode, with additional privacy, location and security controls, and a Smart Reply feature that helps respond to and enrich messaging apps with extra info.
With such a broad range of products and software available, Cisco have an unenviable task of trying to keep all these products secure and updated. The last month has seen significant updates to a number of key Cisco products, including ASA & Firepower, IOS/IOS XE, NX-OS and FXOS, Prime, Unified Comms and Nexus & Catalyst devices. The full list is too long to dig into here, so we recommend signing up to a service such as US-CERT to get notified of new updates.
At the end of August the “perfect 10” CVE-2019-12643 was fixed in IOS XE, while more recently a batch of high-scoring updates was released focussing on Firepower and ASA bugs which primarily enable Denial of Service attacks.
Firewalls and networking devices are often neglected as part of a patching regime, with the view that if it ain’t broke, don’t fix it. For internal network devices, the attack vector needed to exploit any of these bugs means the attacker must be in your network already, in which case you have bigger problems. While these devices should still be updated to the latest stable release, there is often more leeway in terms of the update cycle, so most companies look to patch internal network devices quarterly.
However, for your external-facing devices and perimeter routing/switching, applying updates should be a more regular process. Software, firmware and IPS/IDS signatures should be updated regularly, with the latter especially needing prompt installation. While it can be hard to test such updates in a production environment, most devices provide a way to install the new software into a secondary partition, allowing you to return to the previous software still available in the primary partition should anything go wrong.
Get in Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager.