Category Archives: Patch management

SECURITY ALERT: Microsoft releases critical security updates to fix major vulnerabilities

Microsoft released its regular patches on the second Tuesday of the month, and as always, they included fixes for multiple vulnerabilities. In total, 49 security bugs have now been fixed, eight of which are rated critical.

Rumors started to circulate before the patches were officially out and sources were saying that Microsoft was very likely to fix “an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.” The same sources were indicating that Microsoft had quietly shipped a patch for the bug to branches of the U.S. military and to other highly valuable customers that manage key Internet infrastructure. Those organizations were allegedly asked to sign agreements that forbade them from disclosing details of the flaw prior to the January 2020 Patch Tuesday.

Microsoft declined to respond to these allegations, saying that it did not wish to discuss the details before the patches were officially released.

In short, there were some early signs that some serious flaws were going to be fixed, and the first Patch Tuesday of this year only confirmed the rumors.

So, keep on reading to find out what you should expect from Microsoft’s January 2020 updates.

CVE-2020-0601, the Windows CryptoAPI Spoofing Vulnerability

By far the most significant security bug that has been fixed (CVE-2020-0601) is indeed critical.

Here is what Microsoft has to say about it in its Security Update Guide:

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

In other words, this vulnerability allows an attacker to spoof and bypass the normal security mechanisms that validate the trustworthiness of binary code, ECC certificate checks included, and that in turn can circumvent your endpoint protection.

The vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. According to Microsoft and the NSA (which first reported the bug), no active attacks were spotted before this month’s patch was released. The Agency has published its own security guide, with details on mitigation and on how to detect exploitation.
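The NSA guide mentioned above relies on the fact that, once the January 2020 update is installed, the patched CryptoAPI logs any certificate that fails the new ECC validation. The following PowerShell is an added example, not code from the Heimdal post or from Microsoft; the event source and ID follow that public guidance, while the 7-day window and the export path are assumptions for this script.

```powershell
# Added example (not from the Heimdal post): look for CVE-2020-0601 detection events
# that a patched crypt32.dll writes to the Application log. Provider name and event ID
# follow the NSA/Microsoft guidance; the 7-day look-back and the CSV path are assumptions.
$since = (Get-Date).AddDays(-7)
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = $since
}

try {
    # Get-WinEvent raises an error when nothing matches; -ErrorAction Stop makes it catchable.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    $events = @()
}

# The same provider can carry other CVE audit events, so keep only this one.
$hits = $events | Where-Object { $_.Message -match 'CVE-2020-0601' }

if (-not $hits) {
    Write-Output "No CVE-2020-0601 validation events since $since."
    Write-Output "Note: the event is only written on a patched host; confirm the January 2020 update is installed."
} else {
    $hits |
        Select-Object TimeCreated, MachineName, Id, Message |
        Format-Table -AutoSize -Wrap
    # Hand the rows to the SIEM or IR pipeline; the path is a placeholder.
    $hits | Export-Csv -Path 'C:\Temp\cve-2020-0601-events.csv' -NoTypeInformation
}
```

An unpatched host never writes this event, so an empty result is only meaningful after you have confirmed the update is present.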

CVE-2020-0609 and CVE-2020-0610, the vulnerabilities found in RDP

An additional relevant security update concerns the Windows Remote Desktop Gateway (RD Gateway) and addresses the CVE-2020-0610 and CVE-2020-0609 vulnerabilities. The update applies to Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, and it is crucial that you apply it in a timely manner as well.

Sending a specially crafted request to an accessible and vulnerable RD Gateway via RDP opens the risk of arbitrary code execution. These vulnerabilities are reachable before the RDP authentication step and require no user interaction. A malicious hacker who manages to exploit them may then be able to install programs; view, change, and delete data; and even create new accounts with full user rights, Microsoft said in its Security Update Guide.

We recommend that you keep RDP services internal, reachable for instance only over a VPN connection, and never expose them as a service on the WAN / Internet.
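One way to enforce that recommendation on an individual Windows host, as an added example that is not part of the original post: disable the stock "Remote Desktop" firewall rules, which accept TCP 3389 from any address, and replace them with one allow rule scoped to the VPN address pool. The subnet 10.8.0.0/24 and the rule name are assumptions; substitute the range your VPN concentrator actually hands out.

```powershell
# Added example (not from the Heimdal post): restrict inbound RDP (TCP 3389) so the
# host only answers peers on the VPN subnet. 10.8.0.0/24 is an assumption. Run elevated.
# Windows Defender Firewall blocks inbound traffic by default, so a single scoped allow
# rule is sufficient once the broad built-in RDP rules are disabled.
$VpnSubnet = '10.8.0.0/24'
$RuleName  = 'RDP - allow from VPN only'

# 1. Turn off the stock "Remote Desktop" rule group (allows 3389 from any address).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Create (or refresh) one allow rule limited to the VPN address range.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Domain,Private | Out-Null

# 3. Verify: list every enabled inbound rule that still opens 3389 and from where.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = $addr }
    } | Format-Table -AutoSize
```

The verification step should show only the VPN-scoped rule; any other enabled allow rule for 3389 with RemoteAddress "Any" means the host is still reachable from outside the VPN.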

Other notable vulnerabilities covered in January’s Patch Tuesday

Some other products that received fixes this month, besides Windows, include Internet Explorer, Microsoft Office, Microsoft Office Web Apps, Microsoft Dynamics, ASP.NET, the .NET Framework, and OneDrive for Android.

Patch, patch, and patch again

Here at Heimdal we always advise both organizations and individuals never to fall behind on their updates, since this practice alone notably strengthens one’s defenses. Through our X-Ploit Resilience, which covers both Microsoft and third-party software, our corporate customers apply their patches four times faster than the global average. X-Ploit Resilience delivers all updates and patches within four hours of their release, silently, in the background, with zero user interruption.

Conclusion

Even though Microsoft’s January 2020 Patch Tuesday is smaller than most of the releases seen in the past, it is, without doubt, still highly important. And the main lesson here is to always keep up with your patches!

The post SECURITY ALERT: Microsoft releases critical security updates to fix major vulnerabilities appeared first on Heimdal Security Blog.

Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely

During the last decade or so, software deployment for both SMBs and enterprises has become rather problematic – not so much on the upscaling side, but rather in the number of licenses an institution has to purchase and renew. The costs can be ginormous, which is the very reason company owners resort to cost-effective alternatives such as freeware, shareware, and open source. In this article, I’m going to run you through each category. After that, you can decide which is better for your business. Let’s get to it – freeware vs. shareware vs. open source. Who will win the race?

What is Freeware?

Loosely defined as proprietary software that is distributed at no cost whatsoever to the user, freeware is the answer for accomplishing very simple tasks without investing in expensive, license-based software. Freeware has no EULA, license, or rights of any kind, which means that it can be deployed on both home and enterprise machines.

Freeware is not a modern concoction. In fact, the term itself was coined in the golden 80s by Andrew Fluegelman, who sought a means of making PC-Talk (Skype’s long-forgotten ancestor) available outside regular distribution channels. The key differentiator between freeware, shareware, and open source is that freeware does not make its source code available, despite being free of charge.

A couple of freeware examples: Discord (IM used by the gaming community), Yahoo Messenger (rest in peace, my friend), µTorrent, IrfanView, Groove Music, Winamp, DVD Shrink, CCleaner, and others.

Freeware pros:

  • Easy to use and deploy (for home users and enterprises\SMBs).
  • A great way to incentivize your potential customers (for software makers and marketers gunning for paid licenses).
  • Solve daily tasks without having to invest in expensive software.
  • Quickly grow your user base.

Freeware cons:

  • Limited functionality.
  • No way of reverse-engineering it since the source code is not made available.
  • Customers may sometimes perceive the product as inferior.


What is Shareware?

Probably most of the apps found online and offline fall under this category. Shareware is so widespread that it ‘felt’ the need to have its own consortium. Called the Association of Shareware Professionals, or ASP for short, this international trade organization comprises over 1,500 vendors, authors, and online retailers. The term was coined around the same time as freeware.

While Fluegelman was pushing his PC-Talk comm app, Jim “Button” Knopf, an IBM employee at the time, was releasing a database program called PC-File. In legal terms, the main difference between Knopf’s app and Fluegelman’s freebie is that the database program was never meant to be offered free of charge.

Knopf himself called his creation “user-supported software”, meaning that users would need to cover some of the fees associated with the continual development of the product. No doubt an interesting marketing practice, and a lucrative one, given shareware’s popularity and availability.

Shareware is an umbrella term, encompassing various types of apps, each following a unique business model.

Types of shareware

1. Adware

Also called “advertising-supported software”, this type of shareware has embedded ads running alongside the apps. The purpose of adware is to generate revenue for its creator. Ads may be present during the installation process or as part of the user interface. Most are ‘hardwired’ to analyze the users’ traffic in order to display customized ads. Adware is free-to-use, but the sheer number of ads can interfere with normal operation. A large number of apps currently available on Google Play are adware.

2. Crippleware

It may sound like a new form of malware, but it’s actually a legitimate type of software. Why is it called “crippleware”? Because the author purposely “cripples” the app’s vital functions, making them available only in the paid or premium version. For instance, in a photo-editing app, the “save as JPEG” function may be disabled, or the photos may carry watermarks that are removed only when you upgrade to the full version.

3. Trialware

Trialware apps can be used for a limited period. In most cases, users are granted access to all of the app’s functions (including the ones available in the paid version). However, once the trial period expires, the app is disabled or reverts to a very basic (and largely unusable) version. From my experience, trialware that doesn’t cover vital system processes (e.g. an antivirus or malware scanner) will simply stop working. It will, of course, display a splash screen informing the user that the software has expired and that they must upgrade to the full version.

4. Donationware

The software grants the user access to all of its features. However, it does come with one small request: the user is asked to shell out a small amount of cash to support the project or just to show appreciation for the author’s work. Paying is optional and has no bearing on the app’s functionality. Given its behavior, one could consider that donationware has more in common with freeware than with shareware.

5. Nagware

Pejorative in nature, the term “nagware” describes a software category that reminds users via on-screen messages that their licenses are about to expire and that they should upgrade to the full version. In most cases, the nags will continue well after the trial period is over. The functionality will be reduced, the user having access only to basic functions.

6. Freemium

A portmanteau term (“free” + “premium”) describing a type of software that ‘withholds’ advanced features, making them available in the premium version. The free version is fully functional. Nags are rare, but users might receive ads from time to time regarding the advantages of the premium versions.

Shareware pros:

  • Free to use.
  • Powerful features. Great for getting a one-time task done.
  • Donationware is just as good as any license-based application.
  • Diversity and abundance.
  • Most of them are cross-platform.

Shareware cons:

  • Some legal issues may arise if deployed on enterprise machines.
  • Poor compatibility with newer operating systems.
  • Ads and nags can become annoying.
  • Shareware doesn’t benefit from regular security and functionality updates the way licensed software does.

One last thing to mention – neither freeware nor shareware authors make the source code available for study or alteration. Which brings us to the third software category: open source.

What is Open-Source?

Open-source software, or OSS, is a type of software for which the author releases the source code. Furthermore, as far as copyright is concerned, whoever holds the software’s license can distribute, study, or alter the source code. Enterprises often turn to open-source solutions since they’re much easier to customize than licensed software.

The best example of OSS I can think of is VLC player, one of the most popular video players available online. That’s on the consumer side.

As for enterprises and SMBs, a number of open-source applications have successfully replaced their license-based counterparts: OpenCart (online shopping platform), SuiteCRM (useful for managing customer info), Helpy (self-service support), Mailman (management tool for email lists), WordPress (blogging), Datawrapper (data visualization), GIMP (powerful image editor), LibreOffice (perfect and free alternative to Microsoft Office), and the list goes on.

Open-source software pros:

  • Free and cheaper compared to (paid) license-based products.
  • Moddable, reliable, and easy to use.
  • Safer from a cybersecurity standpoint compared to free and even some license-based products.
  • Very flexible. It can be used beyond its intended purpose (you’re going to need a talented backend hand for that).

Open-source software cons:

  • It can incur some long-term (and unforeseeable) costs. Any issues that arise have to be dealt with by yourself or your dev team. This usually happens when the software has been stretched or altered more than necessary. Doing in-house patching and/or repair points to another con: no support for the product. So, if something goes wrong, you’re on your own.
  • Less-than-friendly UI. It will also take you a while to learn the product.


Freeware vs. Shareware

Now that we’ve got the basics in place, let’s take a closer look at the first contenders: freeware vs. shareware.

First of all, I think it’s important to see which audience the two of them address. We can agree (to disagree) that both types of software can be used on home and work machines alike. As someone who didn’t have a lot of money to spend on software, I can wholeheartedly say that freeware is what dreams are made of – imagine what it would have meant to buy a Photoshop license just to tweak some family photos or to pull a prank on your roommate.

Game streaming – for those of you familiar with the concept, the costs alone can make your head spin, that is if you want to go pro. Still, even the basics can cost a pretty penny. Luckily you can accomplish basic tasks like screen or voice recording with some very nice (and free) online tools.

Things change a bit when it comes to deploying freeware on enterprise machines. Of course, some shareware can handle some of the routine tasks. For instance, ePrompter is a great and hassle-free alternative to Microsoft Outlook or some other desktop-based email management tool. Even TeamViewer, the (over)glorified remote computer control tool is free and can be used to accomplish very simple tasks.

Other honorable mentions: Discord (great alternative to Teams, Skype for business, and even WhatsApp), B1 Free Archiver (if you really don’t want to buy WinRAR), Recuva (powerful data recovery application), CCleaner (registry cleaner), Foxit Reader (open and print pdf files), and Microsoft Visual Studio Express (supports multiple IDEs, pitch-perfect for web designers).

Indeed, they are very powerful tools, but, in my opinion, simply not enough to meet the needs of a bustling enterprise. It all boils down to statistics: the bigger the database, the likelier it is to find a solution (or more) to suit your needs.

Why shareware? There are literally thousands of apps, available both online and offline, some of them just as good, if not better than license-based software. One thing about shareware – it’s a short-term solution.

Basically, it’s your ‘emergency-only’ kit: problem – shareware – problem solved. This type of software wasn’t designed for long-term use. As I pointed out in the section about shareware, most have some kind of built-in ‘safety’ to prevent users from doing just that; except for donationware, of course. There’s also the matter of overexposing your machine(s) to malicious content. I will cover this in the last section of the article.

The main reason why shareware is better than freeware for enterprise needs – evergreenness. Most freeware is outdated, meaning that it may not even run properly on Windows 10 machines. If you also add the fact that it is unpatched, you’ve got yourself a major cybersecurity vulnerability. Last, but not least, to my knowledge, little freeware supports platforms other than Microsoft Windows. So, if you need to deploy freeware on a machine running Linux or macOS, you’re in for a world of pain.

Winner – shareware. Hassle-free, tons of content, suitable for any kind of need, be it home- or enterprise-related.

Shareware vs. open-source

Clearly, shareware is the better alternative to freeware, but how does it fare against open-source software? Clearly, the latter category holds the high ground here. Why? Because, as the name suggests, the source code is made available, which means that a talented backend hand can easily customize it. But will it prove a match for shareware’s availability and ‘widespreadness’?

It could and it does. Open-source software is definitely getting a lot of attention and for a very good reason – even though OSS is free, it’s extremely reliable and tends to take quite a beating when subjected to repeated reverse-engineering. And, on top of that, OSS software, compared to freeware and shareware, is much more secure.

Open-source software is amazing simply because it’s out there and can potentially be molded into anything you like. However, it’s not the Holy Grail of enterprise software, nor does it want to be. OSS is scalable, dependable, and, in all cases, it’s made by an experienced computer engineer who isn’t necessarily motivated by money. Don’t get me wrong – shareware-type software is also developed by experienced people, but on the sample-now-buy-full-later basis.

As an enterprise, you should also consider the support aspect. If something goes terribly wrong with the software, there’s no one out there to help.

Well, that’s not entirely correct; there’s an entire community of experts out there willing to give you a helping hand, but that means hours upon hours of digging through forums, asking questions, and praying for someone to come up with the right answer. This perspective is not exactly compatible with an enterprise’s credo.

So, do we have a winner here? I would say that it’s a tie: open source is dependable, flexible, and scalable, but low on support and liable to incur unforeseen costs, especially when you try to use it for purposes other than those it was designed for. On the other hand, shareware holds an abundant database but falls short when it comes to long-term commitment.

Freeware vs. shareware vs open source

Now that we have all the pieces of the puzzle, it’s easier to figure out which is the best enterprise-grade solution.

Let’s start with freeware.

Major advantages – it’s free, easy to install, and can solve any number of issues. On the disadvantage side, the freeware pool is very limited and can only address a handful of issues. Freeware would best be used on home machines. Add to that its questionable compatibility, no support of any kind, and the fact that most of it is obsolete, and it’s safe to assume that freeware and enterprises just don’t mix.

Shareware – an entire database, laid down at your feet. Plenty of possibilities, but is shareware the answer to your company’s needs? It’s just a matter of how you look at the problem: if it’s a one-time thing, then you should definitely consider deploying shareware on a couple of machines.

There’s no need to concern yourself with the trial period, as long as you can solve the task or tasks in one go. Just bear in mind that some apps will revert to basic functions or stop working altogether after a certain number of uses. Of course, if the app suits your needs, you can always activate the full version by buying the license.

Open source – dependable, can easily be taken apart in any IDE, and free to use. Do bear in mind that OSS can come with hidden costs and that it’s harder to get used to than shareware or license-based software. If you encounter issues along the way, you can always ask the dev community for help. Just don’t expect the answer to be as prompt as with an app that offers round-the-clock support.

In the end, it’s all up to you to decide which one clicks with your company’s needs.

Cybersecurity issues and safety tips

Tackling non-license-based software should come with a warning label. Up next, I’ll be discussing the risks of using shareware, freeware, and open-source software. I will also include some cybersecurity tips along the way.

1. Adware also means malware

If you plan on using shareware, pay extra attention to apps that rely on ad-generated revenue. Some of them may contain links to malicious websites that could seriously harm your machine. If you do click on an ad (which I advise against), at least check the site’s security certificate.

2. Fake apps

Some applications advertised as freeware could be fake. Don’t download the first app you find on Google. Take your time and do some research. You would do well to stay away from websites that use too many CTAs and “free download” buttons. It’s like playing Russian Roulette with your personal data.

3. Freeware used as a malware entry point

As you know, outdated and unpatched software can be used by malicious hackers to circumvent your antivirus\antimalware solution. Since freeware does not receive regular security patches, it can become an entry point for malware.

4. Strengthen your cyber-defenses

When all else fails, ensure that you have a good antivirus\antimalware solution. Thor Premium Enterprise, our product that incorporates two of our award-winning technologies (Thor Foresight Enterprise and Thor Vigilance Enterprise) will ensure that no malware lands on your machine, by continuously scanning your outbound and inbound traffic, severing any malicious C&C connection it detects.

Wrap-up

Companies, regardless of their size and needs, can also benefit from freeware, shareware, and open-source software. It’s all about figuring out your needs and selecting the solution that makes the most sense. As always, if you have any questions, feel free to send me a message.

The post Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely appeared first on Heimdal Security Blog.

Software Patching Statistics for 2019: Common Practices and Vulnerabilities

Wondering about software patching statistics and what the current state of affairs on updates is? This is where you will find all the relevant data as soon as experts reveal it, as well as stats based on our own customer data.

I will keep updating this list of software patching statistics periodically so it’s easier to see both the necessity of patching and how well companies worldwide do it (or not).

Without a question, difficulties and delays in applying software patching are still one of the biggest threats for companies today. Apps and software lacking the latest update are some of the easiest targets for any hacker who wants to infiltrate an organization.

Experts keep saying it over and over, but people have a hard time getting to those never-ending software updates. It’s both a matter of prioritization and a matter of difficulty (in the absence of a tool which can successfully automate software patching).

So, here are the most important truths about updates and how we apply them, or don’t. I have broken down the software patching statistics of recent years into sections pertaining to the behavior or phenomenon each illustrates.

Why Software Patching is Important, in Statistics and Data:

  • 80% of companies that had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates – Voke Media survey, 2016.
  • Upon a breach or failed audit, nearly half of companies (46%) took longer than 10 days to remedy the situation and apply patches, because deploying updates in the entire organization can be difficult – Voke Media survey, 2016.
  • Devastating malware and ransomware which could have been prevented by patching software on time: WannaCry, NotPetya, SamSam.
  • 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.
  • The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days – Edgescan Stats Report, 2018.
  • 18% of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc. – Edgescan Stats Report, 2018.
  • 37% of organizations admitted that they don’t even scan for vulnerabilities – Ponemon Report, 2018.
  • 58% of organizations run on ‘legacy systems’ – platforms which are no longer supported with patches but which would still be too expensive to replace in the near future – 0patch Survey Report, 2017.
  • 64% of organizations say that they plan to hire more people on the vulnerability response team, although the average headcount is already 28, representing about 29% of all security human resources – Ponemon State of Vulnerability Report, 2018.
  • Still, this is something known in the industry as the ‘patching paradox’ – hiring more people will not make software vulnerabilities easier to handle – Ponemon State of Vulnerability Report, 2018.
  • Microsoft reports that most of its customers are breached via vulnerabilities that had patches released years ago – Microsoft’s Security Intelligence Report, 2015.
  • Since 2002, the total number of software vulnerabilities has grown year by year by the thousands. The peak year seems to have been 2018 for now, but the figures keep rising – ENISA report for 2018.

Why Is Software Patching So Difficult?

The main reason why patching is difficult is that manual updates (or coordinating the updates manually) take a gruesome amount of time.

According to the Ponemon Institute study for 2018:

  • More than half of all companies (55%) say that they spend more time manually navigating the various processes involved than actually patching vulnerabilities;
  • On average it takes 12 days for teams to coordinate for applying a patch across all devices;
  • Most companies (61%) feel that they are at a disadvantage for relying on manual processes to apply software patches;
  • Nearly two-thirds of all companies (65%) say that it is currently too difficult for them to decide correctly on the priority level of each software patch (aka which update is of critical importance and should be applied first).

Considering that it doesn’t make sense for most organizations to have really well-trained security experts on their payroll, it is understandable that they have difficulties prioritizing patches. In the best scenario, security and IT professionals define priorities simply by following the CVSS scoring.

While that scoring for patch importance is reliable, the organizations which implement automation of software patches are still better off both in terms of security and time spent.

Why Do Companies Choose to Delay Applying Software Patches and Updates?

It’s not just that it’s difficult. Some managers don’t want to apply the patches.

Organizations are not just late in applying patches because it takes time; some managers are reluctant to apply the patches for other reasons. According to the 0patch Survey Report, 2017:

  • 88% say they would apply patches faster if they had the option to quickly un-patch if needed;
  • 79% say decoupling security patches from functional ones would help them apply security patches faster;
  • 72% of managers are afraid to apply security patches right away because they could ‘break stuff’;
  • 52% of managers say they don’t want the functionality changes which come with security patching.

Even more worrying is that not everyone is aware of how dangerous it can be to delay. One of the most baffling software patching statistics of the past year comes from the Ponemon Institute report for 2019, again. According to them, only 39% of organizations are aware that actual breaches are linked to known vulnerabilities.

Of course, not wanting the hassle of updating software or system is a legitimate attitude, albeit a very dangerous one. But it’s only a hassle if you plan on updating it alone, manually.

Our Own Software Patching Statistics:

We have hundreds of thousands of enterprise endpoints which are kept secure and up to date through our patch management automation solution, X-Ploit Resilience. While our fast response and implementation times allow us to keep them all updated at a much higher rate compared to industry benchmarks, there are still interesting insights to be gleaned from our data.

This is what we can boast:

  • A new patch reaches the endpoints secured with our patch management system within 4 hours of its release (if the endpoint is available to receive it);
  • By automatically applying the patches, the X-Ploit Resilience technology effectively closes all possible system vulnerabilities in an enterprise environment, effectively taking away about 85% of all possible attack vectors;
  • At the moment, the X-Ploit Resilience patch management system covers 112 of the most common software and apps, with several apps and software being added to the list every year.

And this is what we and our customers need to work on together for an even better performance:

  • During the last 3 months, our corporate customers took a while to apply the patches we made available through our system (either because of a lack of activity on the endpoints or because of a conscious decision to delay), but still at a rate 4 times faster than the global average.

Wrapping up:

If there’s one thing that the latest software patching statistics reflect, it’s that the field is very non-homogeneous. Some organizations react fast(er) to patches but take a long time applying them, or apply them in the wrong order. Others have complicated assignment procedures, but once a patch is set to be applied, it goes fast and smooth. Some apply only critical system updates and completely reject other patches to avoid functionality changes, even if that puts them at some risk.

The bottom line is that, whatever your organization’s unique flavor, we know patches can be overwhelming in one way or another. That’s why we leverage the scaling power of technology to help keep our customers covered with all software patches and zero inconveniences.

Our X-Ploit Resilience module handles all software updates and patches within 4 hours of their release, silently, in the background, with no interruptions. You can set it and forget it, as we like to say, or set a few preferences (such as excluding updates from one app or category, being asked before a patch is applied to all endpoints within your organization, or deploying and patching your own custom software through the platform).

The post Software Patching Statistics for 2019: Common Practices and Vulnerabilities appeared first on Heimdal Security Blog.