It is January 2015, and tomorrow is the year’s first Patch Tuesday. Microsoft should have posted their first Advance Notification (ANS) kicking off the patch cycle. But a new year brings many changes, and the Advanced Notification is affected by one of them. Microsoft will stop providing the ANS information to the general public, and interested parties will have to ask for the it through their account manager. Hmmh, I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out.
Free Cyber Security Training! Join the revolution, today!
But lets take a look in the past year to see what we can expect this year. 2014 has been a pretty turbulent year for Information Security in general. There were a high profile data breaches such as JP Morgan Chase, Home Depot, and Sony; critical vulnerabilities in Open Source Software like Heartbleed in OpenSSL and Shellshock in Bash; retired software (Windows XP, Java 6); and an elevated number of 0-day vulnerabilities in software from Microsoft and Adobe, who patched Flash every month in 2014.
And 0-days continue to be present even as the year starts, only this time it is not from an attacker but from the security research team. Google’s Project Zero researches vulnerabilities in common software and publishes the results in a transparent manner. Companies have 90 days to address issues before the vulnerability information becomes public. James Forshaw from the Project Zero team found a local privilege escalation vulnerability in Windows 8.1 on September 30 and made it public on December 29th, reigniting the discussion on the benefit of these disclosures without having a patch available (see comments here: https://code.google.com/p/google-security-research/issues/detail?id=118). The vulnerability is for local escalation only, meaning an attacker needs to have access to the target machine already to make use of it. But once on the machine, it allows the attacker to become administrator, giving total control over the target machine. Remember Stuxnet? There the attacker equipped the malware with 2 local 0-days, allowing them to become administrator in order to gain full control. This vulnerability is in a similar class. By itself, it is not too much to worry about, but in combination with other vulnerabilities or access through stolen credentials, it is certainly valuable.
Let me know what you think about this change, and stay tuned for tomorrow.
By Wolfgang Kandek, CTO of Qualys, Inc.
About Qualys, Inc.
The Qualys Cloud Platform and integrated suite of solutions helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.
Used by more than 6,700 customers in over 100 countries, including a majority of the Forbes Global 100, the Qualys Cloud Platform performs more than 1 billion IP scans/audits a year resulting in over 400 billion security events.Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including BT, Dell SecureWorks, Fujitsu, IBM, NTT, Symantec, Verizon, and Wipro. The company is also a founding member of the Council on CyberSecurity and the Cloud Security Alliance (CSA).