Effective Patch Management

Introduction

Early this month, security researchers’ uncovered a new critical vulnerability in Microsoft’s software: Active Directory Federation Services (ADFS) allowing malicious actors to bypass multi-factor authentication (MFA) safeguards. This critical issue was later fixed by Microsoft on its August Cumulative Patch (Microsoft Patch Tuesday). This patch also addressed 19 critical vulnerabilities including the fixes of two “zero-days” that according to security researchers, are currently under active attack. The patch comes after a number of stability and quality issues with the July update. This Info Note reviews the importance of conducting effective patch management, even in critical situations with vulnerabilities under active exploitation and patches presenting serious performance and quality issues.

Contextual Information

Microsoft released its August cumulative patch update, fixing 60 flaws, two of which have reportedly been actively exploited as “zero-days” flaws:

• Windows Shell remote code execution CVE-2018-8414 – This remote code execution issue is caused by Windows Shell not properly validating file paths when executing SettingContent-ms files, and can be used by an attacker to take control of the affected system.
• Internet Explorer scripting engine memory corruption vulnerability CVE-2018-8373 – This is another remote code execution vulnerability that an attacker can exploit to execute arbitrary code in the context of the current user. It can be exploited via web-based attacks or email documents that embed the Internet Explorer rendering engine.

The August update also patched a recently discovered vulnerability in the Microsoft’s Active Directory Federation Services (ADFS) allowing malicious actors to bypass multi-factor authentication (MFA) safeguards. The flaw (CVE-2018-8340), allows a second factor for one account to be used for all other accounts within an organization. If an attacker obtains a single user’s password and second factor, the attacker can use the second factor to complete the second-factor challenge for any account in an organization. The exploit makes it much easier for an attacker who has obtained limited access to expand their reach toward more valuable targets.

Microsoft also patched more variants of the Meltdown/Spectre memory vulnerabilities, collectively dubbed “Foreshadow” by a team of researchers who discovered and reported the Intel-based flaws. These speculative side-channel flaws - disclosed in tandem with Intel - addressed three vulnerabilities – CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646. The Foreshadow (or L1 Terminal Fault) vulnerabilities allows a malicious actor to bypass memory access security controls ordinarily imposed and managed by the operating system or hypervisor. An attacker can use this vulnerability to read any physical memory location that is cached in the L1 data cache of the processor.

March this year, ENISA published an Info Note providing an overview on the reasons for the growing number of disclosed vulnerabilities and the impact it has in the industry credibility and confidence in the technology market.

Patch release and installation

Microsoft first initiated its "monthly rollup" patch model with Windows 10, where each month's quality and security patches were "cumulative," meaning that they included all of the fixes from prior months. Therefore, users/system administrators can no longer remove a single patch when updates go wrong. They have to roll back to the previous month's cumulative update or carry out a workaround. It's now almost two years since Microsoft broadly applied this cumulative update model to its software, that users find it difficult to deal.

The July’s cumulative patch batch included 14 updates to fix more than 50 security flaws in Windows and associated software. This patch was heavily criticized, with the company admitting that these fixes caused Skype and Exchange server problems.

With the August patch, Microsoft fixed a total of 60 flaws, spanning Windows OS, Edge, Internet Explorer, Office, .NET Framework, ChakraCore, Exchange Server, Microsoft SQL Server and Visual Studio. Of those, 19 were critical, 39 were rated important, one was moderate and one was rated low in severity. For now, this patch was considered stable with better quality than the previous. However, a number of issues were already identified:

• The original SQL Server 2016 SP2 patch KB 4293807, fixing a serious buffer overflow vulnerability CVE-2018-8273 was pulled by Microsoft and replaced by KB 4458621. The initial patch could not be installed, ending with an error 0x80070643.
• The Visual Studio 2015 Update 3 patch KB 4456688, has gone through two versions — released Aug. 14 and then pulled, then re-released Aug. 18 — and the re-released version still has problems.
• The software issue in the Win10 version 1803 upgrade that resets TLS 1.2 settings persists for some devices.
• The Win10 1803 cumulative update has an acknowledged software issue in the way the Edge browser interacts with Application Guard.
• The Win7 Monthly Rollup has an old acknowledged software issues about “missing file (oem<number>.inf)”.

Recommendations

Software patching is one of the most critical activities in IT governance and central to cybersecurity. Patch management is the practice of updating software with new pieces of code – most often to address vulnerabilities that could be exploited by hackers but also to address other problems in the existing program or add new functions to it. Applying software patches in modern enterprises that have complex, often customized environments with multiple integration points could slow down hardware or software. Patches could close ports, disable critical pieces of infrastructure, could crash systems or cut availability – potential scenarios that could leave businesses without the systems they need to operate or handle transactions.

• Patch management policy. IT management needs to define policies that governs the patch management activities within the organization including who, how and when patches are tested and applied into production systems.
• Assets inventory. IT needs to know every asset in its environment in order to identify which patches are needed when vendors make them available.
• Patch testing. A procedure and a lab environment are required to test patches before applying it into the production environment.
• Structure and planning. The complexities of the modern IT stack, with its numerous points of integration, customized pieces, add-ons, etc. that are often spread among multiple locations as well as mobile endpoints, make patching more complicated. Access to the infrastructure component map is required to properly manage the patch testing and installation processes.
• Ownership and accountability. A typical IT department has many workers who apply patches as part of their portfolio of responsibilities; as a result, patch management can become a task done by many but owned by no one. It is difficult for an enterprise to have a strong patch management process without clear accountability.
• Document. A strong patch management discipline should include a way to identify and document patches as they are released by vendors, when they are scheduled to be tested and deployed in the enterprise, and when the patches have been completed.

Closing Remarks

From a simple end user device software update to an orchestrated update in a complex organizational environment, all requires accurate and consistent patch management, if the impact of not having an operational system is high. Patch management needs to be seen as a discipline on its own within the IT organization. The growing complexity of this undervalued activity is creating difficulties for IT managers to understand who, how and when software patches should be applied into a production environment. For end users, patch management software needs to become more coordinated and user friendly, consolidating all different software vendors into one unique and intelligent software update platform.