Governance and Update Policies

When an update is necessary (as it is every month), “Patch Tuesday” means Microsoft combines multiple necessary vulnerability updates into one convenient date (the second Tuesday of the month). In July, for example, it fell on the 9th. One of my favorite sites shows the significance of this almost every month: Krebsonsecurity, July edition.

What is the simplest thing one can do to prevent this kind of disaster from occurring?

Here is another example, from Dark Reading magazine. In this example, updates left incomplete for years can cause serious problems.

Why would one not update for 2 years or so? There may be several reasons, including a system that is close to obsolete and thus cannot accept an update.

The big issue, as Dark Reading describes it:

CVE-2024-21412 — a “high” severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

So five months have passed since the fix, but several systems still have the problem. Thus, as the following image shows, attackers are now actively exploiting unpatched systems wherever procedures are not good enough to get the updates applied.

The hackers are actively trying to find systems that are not patched, and you had better have the organizational capability to update the vulnerable systems.

For systems that are not patched, the Dark Reading webpage notes the following:

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen “through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed,” Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

So with a steganography attack the attacker gets past SmartScreen and then starts downloading software that takes over the machine.

Why would some companies not want to update? Are they worried about the BSoD (Blue Screen of Death)? If they are, they will need to create a test system that is as close to the production systems as possible and run the new updates there first.

If CrowdStrike had done that, they would have practiced true governance and not caused a massive number of BSoDs for many of their customers.

We learn from CrowdStrike (via Fox News) that it was a bug in test software.

CrowdStrike on Wednesday released a preliminary report blaming a bug in its test software for the global outage that derailed airline operations and knocked banks, hospitals and other businesses offline.

A bug in test software that was, obviously, not itself tested sufficiently. This problem was a monumental error.

It is high time for us to pay attention to details and create tests, or QA/QC (quality assurance/quality control) programs, that can delay or stop updates when there are problems.
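Here is what such a program looks like in practice, as an added example that is not from the original post or from any vendor: updates are pushed ring by ring (a lab ring that mirrors production first, then a small canary group, then everyone), and the rollout halts at the first ring whose post-update crash (BSoD) rate exceeds a threshold, so a bad update never reaches the broad population. The ring sizes, thresholds, update names and telemetry below are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Ring:
    name: str
    hosts: int
    max_crash_rate: float  # fraction of updated hosts allowed to bugcheck after the update

@dataclass
class RolloutResult:
    status: str                                  # "completed" or "halted"
    reached: list = field(default_factory=list)  # rings that passed their gate
    reason: str = ""                             # why the rollout stopped, if it did

# Hypothetical ring sizes and thresholds; the lab ring tolerates no crash at all.
RINGS = [Ring("lab", 5, 0.0), Ring("canary", 50, 0.02),
         Ring("broad", 5000, 0.01), Ring("all", 50000, 0.005)]

def staged_rollout(update_id, observe, rings=RINGS):
    """Push `update_id` ring by ring. `observe(update_id, ring)` returns
    (hosts_updated, hosts_crashed) measured after a soak period on that ring.
    The rollout halts at the first ring that did not fully apply the update
    or whose crash rate exceeds its threshold; later rings are never touched."""
    reached = []
    for ring in rings:
        updated, crashed = observe(update_id, ring)
        if updated < ring.hosts:
            return RolloutResult("halted", reached,
                                 f"{ring.name}: only {updated}/{ring.hosts} hosts applied {update_id}")
        rate = crashed / updated
        if rate > ring.max_crash_rate:
            return RolloutResult("halted", reached,
                                 f"{ring.name}: crash rate {rate:.1%} exceeds {ring.max_crash_rate:.1%}")
        reached.append(ring.name)
    return RolloutResult("completed", reached)

# Constructed telemetry for three hypothetical updates (not real update identifiers).
SAMPLE_TELEMETRY = {
    ("UPD-GOOD", "lab"): (5, 0), ("UPD-GOOD", "canary"): (50, 0),
    ("UPD-GOOD", "broad"): (5000, 20), ("UPD-GOOD", "all"): (50000, 100),
    ("UPD-BAD", "lab"): (5, 5),   # bugchecks every lab host: stopped before any production ring
    ("UPD-LATE", "lab"): (5, 0), ("UPD-LATE", "canary"): (50, 3),  # passes lab, 6% crash on canary
}

def sample_observe(update_id, ring):
    return SAMPLE_TELEMETRY[(update_id, ring.name)]

if __name__ == "__main__":
    for upd in ("UPD-GOOD", "UPD-BAD", "UPD-LATE"):
        r = staged_rollout(upd, sample_observe)
        print(upd, r.status, r.reached, r.reason)
```

In a real deployment `observe` would read crash telemetry (for example bugcheck events) from the ring's hosts after the soak period instead of the constructed table.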

Get my book to help you design the right testing environment.