January 2022 Patch Tuesday forecast: Old is new again – Help Net Security

Welcome to 2022 and a new year of patch management excitement! I’m rapidly approaching 40 years working in this industry and I can honestly say there is rarely a dull day. If you are willing to take on the challenges presented, it is a great industry to work in and I hope you all are excited to start the new year too. Let’s look at some recent events which will be influencing this month’s patch releases.

I closed out last month’s forecast article calling 2021 the ‘year of supply chain attacks’ and that trend is continuing. Malware in the Atera Remote Management Software is taking advantage of Microsoft’s digital signature verification vulnerabilities from as far back as 2012 to load ZLoader and steal account credentials.

Even though these vulnerabilities were fixed, the changes are not enabled by default. Microsoft Security Advisory 2915720 from 2017 provides more details on the Authenticode and WinVerifyTrust functionality with recommendations for action. Despite the old vulnerabilities, this is a new attack and I’m sure we will be hearing more from Microsoft, with potential changes in next week’s patches.

The zero-day vulnerability in the Apache Log4j Java-based logging library took the software industry by storm in mid-December. This library is widely used in both enterprise and cloud service software. Even though Apache released the zero-day fix for CVE-2021-44228, it takes a while for companies that use this library to update, test, and release a new version.

To complicate the situation, a total of four additional CVEs associated with the Log4Shell bug have been identified in the last month, the latest being CVE-2021-44832. Keeping the industry churning, Apache released multiple updates to this library, now up to version 2.17.1. SaaS products can be quickly updated under DevOps, but updating traditional software products in the field can take much longer, leaving them vulnerable to exploitation.

Microsoft has been busy leading up to the first Patch Tuesday of 2022. It released an out-of-band update for Windows servers that “experience a black screen, slow sign in, or general slowness.” These updates were initially a limited release, but are now available for all servers. It also released a script to run on Exchange Server 2016 and Exchange Server 2019, which fixes a problem related to date checking that leaves messages stuck in the transport queue. We’ll have to see if these updates manifest in any upcoming cumulative patches.

January 2022 Patch Tuesday forecast

I looked back at my January 2021 forecast article and surprisingly the focus was on identifying and maintaining third-party software embedded in enterprise products. With the malicious code in the Atera product and the scramble to update Apache’s Log4Shell vulnerability, this old advice is really new again!



