The continued onslaught of phishing attacks, ransomware deployment, and other exploitation is forcing the community to pay closer attention to identifying vulnerabilities in their software early and responding to them quickly. In July alone Microsoft addressed 84 CVEs in Windows 11, 99 in Windows 10, and even 69 in Windows Server 2012. The good news is that attention to security testing and to providing better security tools is on the rise.
CVSS 4.0
The public preview of CVSS 4.0 ended this week, providing the last opportunity to comment on this important security tool. The comments are in review and FIRST is targeting a publication date of October 1st this year. The changes were substantial enough to prompt a version change from 3.1. For newcomers to CVSS, the nomenclature changes will be welcome. The ‘Temporal’ metrics were renamed to ‘Threat’ metrics, which aligns with industry standards. FIRST also clarified the terminology with Base, Environment, and Threat designators that clearly show the factors used in the calculation.
For example, CVSS-B uses only the base metrics to calculate the ‘pure’ severity score of the vulnerability in the absence of environment and threat information, whereas CVSS-BTE takes into account the base, threat, and environment metrics and so reflects the risk associated with the vulnerability. This is a great step toward providing a clear understanding of what each score encompasses.
One additional section to consider is the new Supplemental Metrics group, which provides insight into automation, recovery, vulnerability response effort, and other factors associated with the vulnerability that may matter when you prioritize updates in your regular patching routine. CVSS continues to evolve, remaining a relevant and important factor in our patch processes; be on the lookout for the final release later this year.
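As an added illustration of the nomenclature just described (example code written for this post, not FIRST's own calculator), the parser below reads a CVSS 4.0 vector string, derives the CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE label from which optional metric groups are set, and pulls out the Supplemental metrics separately because they never affect the score. The metric abbreviations are taken from the published v4.0 specification and are assumed to match the preview; the BT and BE labels go beyond the two the text mentions.

```python
# CVSS 4.0 metric groups, keyed by the abbreviations used in v4.0 vector
# strings (taken from the published FIRST v4.0 specification; assumed to
# match the preview discussed above).
BASE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"]
THREAT = ["E"]
ENVIRONMENTAL = ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"]
SUPPLEMENTAL = ["S", "AU", "R", "V", "RE", "U"]
KNOWN = set(BASE) | set(THREAT) | set(ENVIRONMENTAL) | set(SUPPLEMENTAL)

def parse_vector(vector):
    """Split 'CVSS:4.0/AV:N/...' into {metric: value}; reject anything that
    is not a well-formed v4.0 vector with all eleven base metrics present."""
    prefix, _, body = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector: %r" % vector)
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value or name not in KNOWN:
            raise ValueError("malformed or unknown metric %r" % part)
        if name in metrics:
            raise ValueError("duplicate metric %r" % name)
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("base metrics missing: " + ", ".join(missing))
    return metrics

def nomenclature(metrics):
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, depending on which optional
    groups carry a value other than 'X' (Not Defined). Supplemental
    metrics never change the nomenclature or the score."""
    has_t = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

def supplemental(metrics):
    """Return the supplemental metrics that were actually set, e.g.
    Automatable (AU) or Recovery (R), for use in patch prioritisation."""
    return {m: v for m, v in metrics.items()
            if m in SUPPLEMENTAL and v != "X"}
```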
The Log4j vulnerability brought focus to the need for more security testing during software development. According to some recent reports, developers are spending more time on security analysis and testing, but this is still true at fewer than 50% of all companies. The upside is that 94% of those companies have improved the testing processes they had in place before the Log4j exposure.
The other good news is that time-to-fix was cut by nearly 50% in open-source software during 2022. It’s clear that software security testing will continue to evolve and is currently on the rise, which helps us all.
Ivanti vulnerabilities
Ivanti is continuing its investigation into two critical vulnerabilities, each disclosed publicly at the same time a patch was made available, on July 24 and July 28 respectively. The vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have been exploited in targeted attacks.
CISA and NCSC-NO released a joint cybersecurity advisory on CVE-2023-35078 and CVE-2023-35081 on August 1, 2023, and urged organizations to apply the patches released by Ivanti. Ivanti is continuing to work actively with customers to upgrade their appliances and is helping them apply the fix.
Remediation guidance
For customers on currently supported versions of EPMM, the recommendation is to apply the latest fix for CVE-2023-35081. If you are on an unsupported release, Ivanti highly recommends upgrading, but mitigation options for CVE-2023-35078 are available on this KB page for those running unsupported versions.
EPMM supported releases (11.8.1.1, 11.9.1.1, 11.10.0.2)
- Upgrade EPMM with the patch releases (11.8.1.2, 11.9.1.2 and 11.10.0.3) from the system manager portal.
EPMM unsupported releases (<11.8.1.1)
- Ivanti highly recommends you upgrade to the latest version of EPMM to ensure you have the latest security and stability fixes. More information about upgrading can be found here.
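To turn the guidance above into a repeatable check, here is an added example (not Ivanti tooling) that triages an inventory of EPMM appliance versions against the releases named in this post: anything below 11.8.1.1 is flagged as unsupported, a supported branch is compared with its patch release, and a branch not listed here is reported as unknown rather than assumed safe. The hostnames and versions in the sample inventory are constructed.

```python
# Version triage against the EPMM releases named in the guidance above.
# Constructed example: the version table comes from the text of this post,
# not from any Ivanti tool, and a release newer than those listed is
# reported as unknown rather than assumed safe.
OLDEST_SUPPORTED = (11, 8, 1, 1)
PATCH_FOR_BRANCH = {          # (major, minor) -> release carrying the fix
    (11, 8): (11, 8, 1, 2),
    (11, 9): (11, 9, 1, 2),
    (11, 10): (11, 10, 0, 3),
}

def parse_version(text):
    """'11.8.1' -> (11, 8, 1, 0); pads so short strings compare correctly."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("bad version string: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def triage(version_text):
    """Classify one appliance: 'unsupported' (below 11.8.1.1: upgrade),
    'needs-patch X.Y.Z.W', 'patched', or 'unknown-branch'."""
    v = parse_version(version_text)
    if v < OLDEST_SUPPORTED:
        return "unsupported"
    fix = PATCH_FOR_BRANCH.get(v[:2])
    if fix is None:
        return "unknown-branch"
    if v >= fix:
        return "patched"
    return "needs-patch " + ".".join(str(n) for n in fix)

def triage_inventory(csv_lines):
    """Run triage over 'hostname,version' lines; returns {hostname: status}."""
    result = {}
    for line in csv_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(",")
        result[host.strip()] = triage(ver)
    return result

# Constructed sample inventory (not real hosts).
SAMPLE = """# host,epmm_version
mdm-eu-1,11.10.0.2
mdm-eu-2,11.10.0.3
mdm-us-1,11.8.1.1
mdm-lab,11.6.0.1
""".splitlines()
```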
August 2023 Patch Tuesday forecast
- After the massive number of CVEs Microsoft addressed last month, we may see a bit of a pullback in the number of CVEs addressed in the operating systems and Office applications. There is always the possibility of a .NET Framework or SQL Server update, so be on the lookout.
- Can you believe the last security update for Acrobat and Reader came on April 11th? Be on the lookout for one this month.
- July 24th was patch Monday for Apple. They released security updates for Big Sur, Monterey, Ventura, iOS and iPadOS. Keep in mind these include all the rapid response updates that were provided since the last major update. We probably won’t see any updates from Apple next week.
- The Long Term Support Channel for Chrome OS 108.0.5359.239 was updated this week, addressing 6 High- and 2 Medium-rated vulnerabilities. Likewise, the Stable Channel for Desktop was updated to 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows. It addressed 17 vulnerabilities, with 9 rated High and 2 Medium. The beta version of Chrome 116 was also released, so we may see a GA version next week.
- Mozilla released security updates this week for Firefox 116, Firefox ESR and Thunderbird 115.1, and finally Firefox ESR and Thunderbird 102.14. With all these recent releases, I don’t expect another update next week.
It appears all the major third-party software updates are out with the possible exception of an Adobe release, so the focus is on Microsoft this month.