Summary

Welcome to your Cyber Risk Report for the period of April 2017.
On 24th April 2017, the Cyber Risk Level remained as Moderate.
This Cyber Risk Report uses the POST intelligence model.
Political Risk
Operational Risk
Security (Cyber) Risk
Threats
This report covers the period of 1st through to 31st of April 2017. This report was compiled by Peter Bassill, CEO of Hedgehog Security.

Political Risk

Domestic Government and Oppositions

The UK is facing an ongoing, persistent threat of cyber-attack from other states, terrorists and criminals operating in cyberspace. Principal targets are those directly connected to the National Critical Infrastructure, although targets of opportunity, those connected within the government's supply chain, are also being sought.

Foreign Governments

Russia and associated countries are conducting continual cyber attacks against the UK’s national critical infrastructure.

Operational Risk

Patches

Microsoft

As you might expect with Microsoft changing the way in which it provides details of its patches, we can no longer break down the information into pertinent and salient points. However, we can provide cumulative update information. We are looking at how to remedy this situation.
Windows 7 SP1 and Server 2008 R2 security update roll-up (KB 4015546). This update addresses multiple vulnerabilities in many different Windows components, including scripting engine, Hyper-V, libjpeg image-processing library, Adobe Type Manager Font Driver, Win32K, Microsoft Outlook, Internet Explorer, Graphics Component, Windows kernel-mode drivers and Lightweight Directory Access Protocol.
Windows 8.1 and Server 2012 R2 security update roll-up (KB 4015550). This update addresses multiple vulnerabilities in many different Windows components, including Hyper-V, libjpeg image-processing library, Win32K, Adobe Type Manager font driver, Active Directory Federation Services, Lightweight Directory Access Protocol, Windows kernel-mode drivers, OLE, Scripting Engine, and the Windows Graphics component.
Windows 10 v1703 security update (KB 4015583). This update addresses multiple vulnerabilities in many different Windows components, including scripting engine, libjpeg image-processing library, Hyper-V, Windows kernel-mode drivers, Adobe Type Manager Font Driver, Internet Explorer, Graphics Component, Active Directory Federation Services, .NET Framework, Lightweight Directory Access Protocol, Microsoft Edge and Windows OLE.
Cumulative update for Internet Explorer (KB 4014661). This update for IE addresses multiple vulnerabilities in the web browser, running on Windows 10, and Server 2016, including the server core installation. The most severe of these are memory corruption issues that could result in remote code execution, thus the update is rated critical.
Security updates for Microsoft Edge. There are a number of updates issued this month to fix security issues in Microsoft Edge running on Windows 10. Both important and critical vulnerabilities are addressed. The most severe of these are memory corruption issues that could result in remote code execution, thus the update is rated critical.
Security updates for Microsoft .NET Framework. These updates address a remote code execution vulnerability that exists when Microsoft .NET Framework fails to properly validate input before loading libraries, in .NET Framework versions 2.0 SP2 through 4.7 running on all currently supported versions of the Windows client and server operating systems. It is rated critical for all.
2017-2605. This is an update for Microsoft Office that turns off, by default, the Encapsulated PostScript (EPS) Filter in Office as a defense-in-depth measure. Microsoft is aware of limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released. It applies to Office 2010, 2013, 2013 RT, and 2016.
2017-3447. This is an update for Adobe Flash that addresses seven vulnerabilities in the Flash Player software, the most serious of which could result in remote code execution. It applies to Windows 10, 8.1 and RT 8.1, and Server 2016.
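For administrators who want to confirm that the Microsoft roll-ups listed above are present on a given host, the following PowerShell check is an added example and is not part of the Hedgehog report. The KB numbers come from the report itself; the mapping of OS caption to KB, and the Get-MissingRollups function name, are assumptions made for this example.

```powershell
# Added example: report which of the April 2017 roll-ups named above are absent
# from the local host. KB numbers are taken from the report; the OS-to-KB mapping
# is an assumption based on the report's own headings (KB 4015583 is v1703 only).
$RequiredByOs = @{
    'Windows 7'              = @('KB4015546')
    'Windows Server 2008 R2' = @('KB4015546')
    'Windows 8.1'            = @('KB4015550')
    'Windows Server 2012 R2' = @('KB4015550')
    'Windows 10'             = @('KB4015583', 'KB4014661')
    'Windows Server 2016'    = @('KB4014661')
}

function Get-MissingRollups {
    param(
        [hashtable]$RequiredByOs,
        # Defaults query the local machine; both can be overridden for offline data.
        [string]$OsCaption  = (Get-CimInstance Win32_OperatingSystem).Caption,
        [string[]]$Installed = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    # Match the OS caption against the mapping, longest key first, so that a
    # 'Windows Server 2012 R2' caption is not matched by a shorter key.
    $key = $RequiredByOs.Keys |
        Sort-Object Length -Descending |
        Where-Object { $OsCaption -like "*$_*" } |
        Select-Object -First 1
    if (-not $key) { throw "No KB mapping for OS caption '$OsCaption'" }

    foreach ($kb in $RequiredByOs[$key]) {
        if ($Installed -notcontains $kb) {
            [pscustomobject]@{ OS = $key; MissingKB = $kb }
        }
    }
}

# Emits one object per missing KB; no output means every mapped KB is installed.
Get-MissingRollups -RequiredByOs $RequiredByOs
```

Because monthly roll-ups are superseded by later ones, the absence of an exact KB is not proof of exposure; treat a reported gap as a prompt to compare the host against the newest cumulative update rather than as a finding in itself.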

Apple

Apple released nine big updates in January, then only two in February. This month, the pendulum swings back the other way and the company has gifted us with 10 patches that address numerous vulnerabilities across their various operating systems and applications.
On March 21, the following two updates were released:
iTunes 12.6 for OS X Mavericks and later
iTunes 12.6 for Windows 7 and later
Both of these updates for Apple’s digital media store and player address 17 vulnerabilities in the SQLite and expat components. Apple provided very little information about the vulnerability types or impact. The update for Windows 7 and later also addresses a vulnerability in the APNs Server whereby a client certificate was sent in plaintext, multiple memory corruption issues in libxslt and WebKit, and a validation issue in element handling. The most serious could be exploited to accomplish arbitrary code execution.
On March 27, the following seven updates were released:
New versions of Pages, Numbers and Keynote (Apple’s iWork productivity applications) for both iOS and Mac. These updates address a vulnerability by which the contents of password-protected PDFs could be exposed.
Safari 10.1 for OS X Yosemite, El Capitan and macOS Sierra. This update to the Apple web browser addresses numerous vulnerabilities, most of them in the WebKit component, the most serious of which could be exploited to accomplish arbitrary code execution.
macOS Sierra 10.12.4 and Security Update 2017-001 for OS X El Capitan and Yosemite. This update to Apple’s currently supported desktop/laptop operating systems patches a whopping 128 vulnerabilities in a large number of components, ranging from keyboard software to the kernel. The most serious could be exploited to accomplish arbitrary code execution.
iOS 10.3 for iPhone 5 and later, iPad 4th gen and later, and iPod Touch 6th gen and later. This update to Apple’s mobile operating system patches 88 vulnerabilities in a large number of components, many of them in WebKit. The most serious could be exploited to accomplish arbitrary code execution.
watchOS 3.2 for all Apple watch models. This update to Apple’s watchOS operating system patches 35 vulnerabilities in a large number of components. The most serious could be exploited to accomplish arbitrary code execution.
tvOS 10.2 for Apple TV 4th generation. This update to Apple’s TV software patches 35 vulnerabilities in a large number of components. The most serious could be exploited to accomplish arbitrary code execution.
macOS Server 5.3 for macOS 10.12.4 and later. This update to Apple’s server software patches three vulnerabilities in the Profile Manager, Web server and Wiki server components, two of which could be exploited to cause a denial of service and one that could enable a remote attacker to enumerate users.
On March 28, the following update was released:
iCloud for Windows 6.2. This update to Apple’s cloud client software for Windows 7 and later patches five vulnerabilities in the APNs Server, libxslt and WebKit components. The most serious could be exploited to accomplish arbitrary code execution.
For more information about these and the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe released only two patches this month. Both were released on their regularly scheduled Patch Tuesday, March 14.
APSB17-07 for Adobe Flash Player. This update applies to Flash Player running on Windows, Mac, Linux and ChromeOS and addresses seven vulnerabilities that include buffer overflow, memory corruption, random number generator vulnerability and use-after-free issues. Three of these could be exploited to accomplish code execution while the other is an information disclosure vulnerability. The update is rated critical with a Priority 1 rating for all but Flash Player Desktop Runtime for Linux, which has a Priority rating of 3.
APSB17-08 for Adobe Shockwave Player. This update applies to Shockwave Player running on Windows and addresses a single vulnerability that could lead to escalation of privilege. Its severity rating is important and it has a Priority rating of 2.
For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html or see the individual bulletins linked in each bullet point above.

Google

On March 9, Google released a stable channel release of the Chrome browser on the desktop, v. 57.0.2987.98 for Windows, Mac, and Linux, which includes 36 security fixes covering memory corruption, use-after-free, out of bounds write, integer overflow, incorrect security UI, information disclosure, address spoofing, bypass of content security policy in Blink, incorrect handling of cookies, and heap overflow issues, as well as various fixes from internal audits, fuzzing and other initiatives.
For more information, see the Chrome releases blog at https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. In January, they released a collection of patches (Critical Patch Update) that addressed two hundred and seventy security issues across a wide range of product families. The next regularly scheduled update takes place on April 18.
For more information about previously released patches, see Oracle’s Update Advisory at https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

Advisory 2017-05 for Firefox was released by Mozilla on March 7. It addresses security issues fixed in Firefox v. 52, which addressed 29 vulnerabilities that include eight critical issues, four of high severity, eleven rated as moderate, and six that are low impact.
Advisory 2017-08 for Firefox was released by Mozilla on March 17. It addresses a single security issue fixed in Firefox v. 52.0.1, which is an integer overflow issue that was reported through the Pwn2Own contest. It is rated critical.
For more information about those vulnerabilities and fixes, and to check for new version releases, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox52.0.1

Laws, Rules and Regulations

The European General Data Protection Regulation is now just over a year away from becoming law.

Regulatory Environment

There are no updates to ISO27001, ISO9001, PCI-DSS, LEXCEL or the NGS-IGT to report on for this period.