I’m sitting in a conference room at the Mirage Hotel in Vegas and contemplating all the different vulnerabilities that have been discovered recently. Last week there were two pretty significant security threats: the Intel vPro vulnerability and the Google Docs phishing scam.
The Intel vulnerability is a particularly nasty vulnerability. The vulnerability has existed for the past nine to 10 years and could allow a remote attacker to exploit a machine that uses the Intel vPro chipset and has the AMT features enabled. In this case, a remote attacker could silently tamper with the system, because the AMT features allow remote access to the hardware on the target system.
I’ve had several people ask me about what I think should be done regarding this vulnerability. You could take a gamble and wait for the hardware vendors to release or you can take some proactive mitigation steps to reduce the risk to external threats regarding this vulnerability.
Ivanti has created a package that can disable the AMT features to limit the threat to local system access only, which significantly reduces the risk to the system. The challenge with waiting is that Intel may have released an update to the OEM vendors, but each of those vendors must package and test the update across all affected hardware that they have shipped. For a vulnerability that has existed for around 10 years, that’s a pretty significant amount of hardware combinations that would need an update packaged up and tested. There’s a lot of speculation as to how far back these vendors will support a fix. Likely, many vendors may choose to only go back five or six years. As the larger vendors like HP, Dell, and Lenovo release, we’ll know more about that, but chances are you might need to have a mitigation step for older hardware in addition to the driver updates from the vendors when they release.
Another threat started going viral last week: a phishing scam using Google Docs. The attack was very simple, just a request to share a Google Doc with you. It often came from a trusted source. The challenge with an attack such as this is there is no way to patch against it. The best defense for this sort of scam is to use two-factor authentication on accounts that allow it. If you haven’t already, you should activate the two-step authentication for your Google account. It’s easy to do. The other defenses are education and diligence—including a healthy level of paranoia for any email you read. Here at Ivanti, our security team conducts active security training and phishing campaigns against our employees. If you get duped, you get assigned additional security training.
There is also a new wormable vulnerability in Windows that was just discovered. The vulnerability was discovered by researchers on the Google Project Zero team and news of this hit just yesterday. Because of this, you can expect this will not be in Microsoft’s Patch Update today. The researchers are calling this vulnerability “crazy bad” and say it’s the worst thing they have seen in a long time. The vulnerability is in Microsoft’s Malware Protection Engine and allows an attacker to execute code if the engine scans a specially crafted file. Microsoft has issued an advisory and will be releasing an update within 48 hours from the release of its advisory. The fix is supposed to auto update upon release.
Now on to May Patch Tuesday. Today we have updates from Microsoft and Adobe that need some attention. With last month’s change to remove bulletins, we’ve also changed things up a bit. Ivanti has implemented an artificial bulletin for Microsoft updates to keep things organized and easy to reference. By our count, there are 13 Microsoft updates this month addressing a total of 56 vulnerabilities, including three that have been exploited and three that were publicly disclosed. This is aside from the advisory regarding the “crazy bad” vulnerability discovered in the Malware Protection Engine. Adobe has also released an update for Adobe Flash Player that resolves a total of seven vulnerabilities and is rated as critical or priority by Adobe’s verbiage.
The exploited vulnerabilities resolved in today’s update affect the Windows OS, Internet Explorer, and Office. These updates should be a top priority along with the Flash Player update. Due to the way that Microsoft now packages updates, this pretty much means everything but .Net is a high priority and should be deployed ASAP!