
Compared to last month’s Patch Tuesday, April will be a light drizzle

[Published by 店小二04 | 2017 | Author: 红领巾]

March saw a sizable release from Microsoft after a missed Patch Tuesday. Any way you look at it, April will be a lighter month than March. Windows 10 1703 has officially been released to MSDN. Windows 10 1507 reaches end of service in May, so for those still on the original release branch, now is the time: start upgrading the systems still on 1507 before they become unpatchable security exposures.

Last month Microsoft was kind enough to break the Internet Explorer updates out of the security-only bundles on pre-Windows 10 systems. This was well received by many of the companies I have spoken to, since it lets them push the IE update (or everything else) while holding the other half back if there is an issue. It doesn't bring us back to the per-bulletin control we had before the rollup model was introduced, but it's something.

Some recent news regarding a vulnerability in IIS 6.0 is worth mentioning. The flaw is in the WebDAV component (CVE-2017-7269, a buffer overflow triggered through a crafted PROPFIND request) and could allow an attacker to execute malicious code on a Windows Server running IIS 6.0 with the privileges of the account the web application runs under. IIS 6.0 extended support ended in July 2015 along with Windows Server 2003, yet it reportedly still serves millions of public websites, and many companies still host internal sites on Windows Server 2003 and IIS 6.0.

The vulnerability appears to have been exploited in the wild since at least July or August of 2016, but the proof-of-concept code published on GitHub has put it in front of a much wider audience, and many more attackers will be working on exploits to take advantage of such low-hanging fruit. Mitigation options include disabling the WebDAV extension on these systems, but ultimately they should be removed from service and the sites migrated to newer web servers that can still be patched. This brings me to the tip of the month: end-of-life software.
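Before you can disable WebDAV or retire a box you have to know where IIS 6.0 with WebDAV is still listening. The script below is an added example, not code from the original post or from Microsoft: it sends a single HTTP OPTIONS request and classifies the response from the headers IIS returns (IIS 6.0 identifies itself as `Microsoft-IIS/6.0` in the `Server` header, and IIS WebDAV advertises itself with a `DAV` header, `MS-Author-Via: DAV`, and WebDAV methods such as PROPFIND in the `Allow`/`Public` headers). The sample header sets at the bottom are constructed for illustration, not captured from a real host, and the verdict strings are this example's own.

```python
"""Probe a web server's OPTIONS response for IIS 6.0 and WebDAV indicators.

Added example (not part of the original post). Constructed sample responses
are included so the classification logic can be exercised offline.
"""
import http.client
from typing import Dict, Tuple

# Methods that a server only advertises when WebDAV is enabled.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Verdicts returned by classify(), worst first (naming is this example's own).
EXPOSED_IIS6_WEBDAV = "exposed: IIS 6.0 with WebDAV enabled"
EOL_IIS6_NO_WEBDAV = "end-of-life: IIS 6.0, WebDAV not advertised"
WEBDAV_OTHER = "WebDAV advertised on a non-IIS 6.0 server"
NO_WEBDAV = "no WebDAV advertised"


def parse_indicators(headers: Dict[str, str]) -> Tuple[str, bool]:
    """Return (server_banner, webdav_enabled) from OPTIONS response headers.

    Header names are matched case-insensitively. WebDAV counts as enabled if
    a DAV header is present, MS-Author-Via names DAV, or any WebDAV-only
    method appears in the Allow or Public header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "").strip()
    advertised = set()
    for name in ("allow", "public"):
        advertised |= {m.strip().upper()
                       for m in h.get(name, "").split(",") if m.strip()}
    webdav = ("dav" in h
              or "dav" in h.get("ms-author-via", "").lower()
              or bool(advertised & WEBDAV_METHODS))
    return server, webdav


def classify(headers: Dict[str, str]) -> str:
    """Map OPTIONS response headers to one of the verdict strings above."""
    server, webdav = parse_indicators(headers)
    is_iis6 = server.lower().startswith("microsoft-iis/6.0")
    if is_iis6 and webdav:
        return EXPOSED_IIS6_WEBDAV
    if is_iis6:
        return EOL_IIS6_NO_WEBDAV
    if webdav:
        return WEBDAV_OTHER
    return NO_WEBDAV


def probe(host: str, port: int = 80, path: str = "/",
          timeout: float = 5.0) -> str:
    """Send one OPTIONS request to a live host and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify(dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from real servers).
SAMPLE_IIS6_WEBDAV = {
    "Server": "Microsoft-IIS/6.0",
    "DAV": "1, 2",
    "MS-Author-Via": "DAV",
    "Public": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
              "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
}
SAMPLE_IIS6_NO_WEBDAV = {
    "Server": "Microsoft-IIS/6.0",
    "Public": "OPTIONS, TRACE, GET, HEAD, POST",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
}
SAMPLE_MODERN = {
    "server": "Microsoft-IIS/10.0",
    "allow": "OPTIONS, TRACE, GET, HEAD, POST",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python probe_webdav.py intranet-host
    else:
        for label, sample in (("iis6+webdav", SAMPLE_IIS6_WEBDAV),
                              ("iis6", SAMPLE_IIS6_NO_WEBDAV),
                              ("modern", SAMPLE_MODERN)):
            print(f"{label}: {classify(sample)}")
```

Two caveats when running this against your own estate: a `Server` banner can be masked or rewritten by a proxy, so a "no WebDAV" verdict from the outside does not clear an internal host, and an IIS 6.0 server with WebDAV disabled is still an unsupported web server on an unsupported OS. The probe sends only an OPTIONS request and makes no attempt to exploit anything.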

There is no greater exposure than software that is no longer being updated. Software is like milk; it has an expiration date, and past that date it goes bad. As software ages, the underlying technology it is built on, the components it integrates with and the protocols it relies on keep accumulating weaknesses that are found but no longer fixed.

Leaving end-of-life software in your environment is like leaving all of the apples within reach on the tree and climbing a ladder to pick only the ones higher up. All that low-hanging fruit is waiting for the threat actor to come by and pick it. End-of-life software should be eliminated as quickly as possible. If you plan to keep it around, you had better have a number of mitigation strategies in place to ensure it is not exposed, including the following:

- Purchase extended support from the vendor (Java 7, Windows XP and Server 2003 are good examples where the vendor offers additional support for a price).
- Remove it from public accessibility (for example, public web servers).
- Segregate it from the network: move it into a VDI environment accessible only to essential personnel who are not running as full admins.
- Add additional layers of defense such as device control and application control.
- Put identity-based access controls in front of the environment.

But the best option is still to migrate critical apps or retire them.

Time for the forecast. I would wager that we are going to see a much lighter set of updates from Microsoft this month, which is an easy guess. For third parties you can expect updates from Adobe for Flash and very likely Acrobat and Reader. It's also time for Oracle's quarterly Critical Patch Update, which means that along with all of Oracle's other products we will see a Java update on April 18. Leave some room in your monthly maintenance for a Java update!

Source: http://www.codesec.net/view/558474.html