A critical patch update from Oracle meanwhile contains a hefty 334 new security patches across over 100 different products and versions.
(Look out for holes in Oracle’s WebLogic Server, including a handful with a critical CVSS score of 9.8: e.g. CVE-2020-2551 and CVE-2020-2546. There are 30 vulnerabilities that are remotely exploitable without authentication — i.e., may be exploited over a network without requiring user credentials — in Oracle Fusion Middleware alone.)
Adobe’s January Patch Tuesday security update contains five critical patches for Illustrator CC and four non-critical vulnerabilities for Experience Manager. Intel has pushed out six security advisories including one with a high CVSS score of 8.2 in its VTune Amplifier for Windows that may allow escalation of privilege.
I actually had a director get mad at me. "We just went through a huge patching effort last month and said you were good. Now it's Tuesday and you're saying you have all these windows vulns. Why didn't you patch them last month! Why did you say the scans were clean!" https://t.co/24Z5IWen4S
With the patches including the last batch for the now-unsupported Windows 7 and Server 8, IT teams will also be needing to consider their next steps to keep those systems secure. As IT asset management specialist Ivanti notes: “If you are continuing to run these systems in your environment, you should make sure you are prepared for February and beyond. If you are engaging with Microsoft to continue support, [ask]:
Do you have your ESU agreement in place?
Have you configured all systems that are continuing support with your ESU key?
Have you applied the latest Service Stack Update to these systems? (Microsoft just released an updated SSU for these platforms with the January release.)”
Jonathan Knudsen, senior security strategist at Synopsys, notes: “Software rots over time [as] vulnerabilities that were already in the software and its component building blocks are discovered over time… People often say ‘if it ain’t broke, don’t fix it.’
“Unfortunately, this attitude is disastrous in software security, where the expression should be ‘if it ain’t broke, it will be soon… if you don’t update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems.”
He adds: “Unfortunately, updating software sometimes causes things to stop working. Many organizations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organization must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability.”
It’s a delicate balance to strike. Marco Rottigni, CTSO, EMEA at Qualys emphasises that early visibility is key to getting the balance right. He said in an emailed comment: “Getting your priorities right depends very much on the specific IT set-up you have, their dependencies and how quickly you can implement those necessary changes.
“To sustain [software hygiene] efforts, it is crucial that organisations maximise their observability about what to fix, where it is deployed and when to plan it.
“This requires deep visibility, the ability to monitor specific situations and to gain answers about difficult simple questions such as ‘Where is this service running? Where is this software component active?’ or ‘Where is this application installed?’ with a velocity that many organizations don’t currently have.”
This article is from the CBROnline archive: some formatting and images may not be present.