Pay No Attention To The Vulnerabilities Behind The Curtain
September 24, 2018 • RBS
For years, Microsoft’s Patch Tuesday is something that all IT professionals (not just security practitioners) have dreaded. Since the practice was introduced in October 2003 to reduce the cost of distributing patches, it has become a point of consistency in patch cycles, and the source of grumbling because it often requires a full day or more to handle depending on the size of an organization. There are many months when numerous vendor advisories collide on that same Tuesday. Some are now a guarantee, like Adobe, who releases their product patches on the same day. Other vendors are less consistent, and may intersect on some weeks and not others. With so much being released on one day, it can be difficult for an organization to determine where to focus their attention and efforts.
In the world of magic, the tactic of misdirection plays a huge part in how many tricks stun those who watch, even up close, having no idea how it worked. Here at RBS, several of us are fans of Penn & Teller’s Fool Us TV show. A few of us have even seen them live several times during our yearly journeys to hacker summer camp in Las Vegas. In their weekly shows, performers use a wide variety of misdirection in an attempt to fool the veteran magicians. For those who want to learn more, check out this video as Penn Jillette describes the story of misdirection and the vanishing chicken.
Penn & Teller: Misdirection
In the security world, misdirection has also played an important role over the years. A long-used tactic is a DDoS attack on a company that distracts them with recovery efforts, and allows a targeted attack to be launched and go unnoticed. Another tactic that is becoming more popular is to hide announcements behind big news events such as when Heartland Payment System suffered a data breach and disclosed the news on the exact same day as President Obama was inaugurated. Perhaps the idea was to try to minimize the media scrutiny while everyone was focused on the presidential ceremonies.
The notion of redirection came to our minds while we were analyzing the latest batch of Microsoft vulnerabilities. Almost every Patch Tuesday, there are other large vendor releases including Cisco, Oracle, and Chrome and more, including security vendors. With the Microsoft vulnerabilities typically getting the most attention with numerous blog posts and news articles covering the release, you may not notice the gorilla being put in the cage.
Interestingly, this month we noticed that Intel released a total of 14 new vulnerabilities with little fanfare and virtually no coverage:
Bonus? MITRE finally opened up seven more vague Intel CVE assignments from July 18, 2018 that were in RESERVED status this whole time, all of which were rated a CVSSv2 score of 10:
Intel CVE Assignments
As we believe our readers now understand, CVE/NVD (which includes almost all of your security vendors) is still in the dark as NVD has just received the information from CVE and it will take them from seven to twelve weeks to do their initial analysis based on what we have seen this year.
It is clearly vitally important to focus on Microsoft’s Patch Tuesday advisories if your organization is a Windows shop, but it is also important to remember that it is just another day with many other vulnerabilities being disclosed and thus may become a bigger balancing act. It can be a daunting task to stay on top of vulnerability disclosures, not to mention extremely costly, if you are trying to monitor all of these disclosures yourself.
If you are looking for the best intelligence and also want to reduce your costs while not falling for any vulnerability misdirection, we would love to speak with you about how VulnDB can help!