Patch [FIX] Tuesday: December 2023

Episode 2 | Published December 12, 2023 | 23 minute watch

December Patch [FIX] Tuesday, Episode Summary

In this episode, CISO Jason Kikta and Director of Security Tom Bowyer discuss the December Patch Tuesday and its light patch load, highlighting the CVE-2023-35618 elevation of privilege vulnerability in Edge and the CVE-2023-35628 remote code execution vulnerability in Outlook.

Joined by Team Lead of Security Operations Ryan Braunstein, the hosts delve into the importance of keeping endpoints updated and the recently patched vulnerabilities in macOS.

The conversation emphasizes the need for user education, security culture, and good IT hygiene. The hosts conclude by mentioning an upcoming webinar on PowerShell signing.

Read the December Patch [FIX] Tuesday Transcript

Tom Bowyer: Happy Tuesday, everybody. And welcome to December's Fix Tuesday podcast. Now we've been, this is our second time doing this and we hope they remain valuable to you listeners. We appreciate you taking the time today to listen to our ramblings. I'm Tom Bowyer, Director of Security at Automox, and joining me today is Ryan.

Ryan Braunstein: I'm Ryan Braunstein, Security Engineer at Automox.

Tom Bowyer: And we also have Jason Kikta. You wanna say hi, Jason?

Jason Kikta: Hi, I'm Jason Kikta. I'm the Chief Information Security Officer at Automox and also the Senior VP of Product.

Tom Bowyer: Woohoo! A CISO and a VP of Product. What a dangerous combination. Isn't that true? Hahahaha!

Jason Kikta: I was, they asked me if I wanted to do more and I was too dumb to say no.

Tom Bowyer: Well, cool. So we made it December last Patch Tuesday of the year. And you know, nobody's ruined Christmas yet. So that is exciting. That is exciting.

Jason Kikta: I think "yet" is the operative word there, Tom. You know, there's still, there's still plenty of baseball to play here, and Operation Deny Christmas is, you know, always lurking and tends to come at the worst time. And it's funny because you and I made a joke about November being a very light month for Patch Tuesday and December is even lighter, only 35 vulnerabilities got patched this month. And you know, that, that always makes me wonder, you know, is that a sign of improvement, or does it just mean that a lot of folks are busy working on something horrible that's going to come out?

In January and then, you know, someone's going to end up leaking it on Christmas Eve or right before New Year. Yeah. My, internal pessimism is, uh, is, is a little high on that one.

Tom Bowyer: Right on GitHub, you know?

Ryan Braunstein: Yeah.

Tom Bowyer: Yeah, I mean, or they just assigned everyone to LLM, you know.

Jason Kikta: That's right. They're all, they're all out there busy building our new AI overlords. Yeah. Skynet doesn't know how many fingers a person has in a picture. Makes no facts.

Tom Bowyer: Skynet vs Microsoft. Hahaha. Six fingers give you extra typing, you know. Makes your face. Yeah, yeah, yeah.

Jason Kikta: That's right. You need to type so much faster.

Ryan Braunstein: It'll get you off of any crime. Yeah.

Tom Bowyer: So, you know, 35, obviously, probably the lightest patch Tuesday I've seen in, geez, in recent memory, to be honest. I always feel like there's some, you know, something that keeps me up at night. But honestly, going through this, there are a few, but it's not... Hold on, break. I heard a dog barking.

Tom Bowyer: Yeah, so December 35, that's actually pretty light. And honestly, this Patch Tuesday is, jeez, the lightest I could remember in, honestly, a very long time, right? I always feel like there's some CVE that keeps me up at night. And not necessarily the case this month, but you know my internal pessimism like Jason, there's always gonna be someone ruining Christmas. So kind of trying to stay prepared. But, you know, out of the notes, I think the first one that really popped into our mind, right, is CVE-2023-35618, which is this Edge elevation of privilege vulnerability. And, you know, it's rated critical. And essentially, you know, according to the notes, it could lead to a browser sandbox escape.

And right, they have like additional measures here or information here around what it is. But basically, you know, in a web-based attack scenario, an attacker could host a website or, you know, have a user click on the link and then boom RCE. I mean, that's what it reads to me.

Jason Kikta: And then, so it's interesting to me that they, you know, it has a base score of 9.6, you know, nearly maxes it out. And then a temporal score of 8.3 is rated critical, but then they talk about it being rated as moderate because of the preconditions and the user interaction. But then you read the preconditions and user interaction and it's like, well, they'd have to host a website or a website that accepts user-generated content. And you know, then the user would have to be tricked into going there and would have to click it and like, you're literally describing phishing.

Like this is, you know, 20, 30 years of phishing. Like, what are we doing here? Like if, if that's our you know, standard for complex, uh, I would hate to see simple. So, uh, you know, and then it, it's worsened because it talks about, um, you know, or it implies a sandbox breakout. And then it talks about, um, that they could gain the privileges needed to perform code execution and like, okay. So like, this is, you know, RCE, um, you know, through a phishing link.

To me, that's pretty critical. I just, feel like this one's being downplayed a bit, unless they're just withholding some really weird twist that they didn't even want to hint at. It's hard to see how this isn't just pure phishing fodder. But Ryan, I'm curious about your thoughts. Do you see it the same way, or do you think that you know, if a user is using Chrome or Firefox or another browser, that they're not gonna be as vulnerable to it?

Ryan Braunstein: Um, yeah, because when I first read through this, I think I kind of fell for the downplay a little bit. And then after discussing it a little bit more I definitely felt that it deserved to be upgraded a bit. But yeah, if you're using Chrome or Firefox and you've got like a lot of your plugins on there, like uBlock and things of that nature, they might protect you. Whereas if you're using Edge, you don't even necessarily know you're using Edge in Windows. I think because Windows is so reliant on Edge, like all the integrated apps within it, you're going to end up interacting with it regardless. And a lot of times without browser plugins like uBlock Origin and things of that nature that might necessarily protect you using Firefox or Chrome. And so I think it would definitely be upgraded because of that.

Jason Kikta: Yeah, I mean, that's the danger of integrated browser components is that you know, it's, you're still using it, whether you know it or not. And you're using it sometimes without the benefits of some of your security-oriented plugins.

Tom Bowyer: Yeah. And I feel like these, these types of vulnerabilities are, I don't know, trending upwards, right? Like, you know, you think about November and really through 2023, and I feel like this is out of, even on Mac, right? All the CVEs, or at least all the critical ones that I've seen that I remember this year are like browser-based sandbox escape, you know, memory vulnerabilities. And I don't know if that's just a trend and how, you know, the exploit devs are shifting, right? I think maybe these just sell worth more money. Um, that's just.

Jason Kikta: I think the trend is shifting though, because if you think about it, the web browser in many ways is the modern OS because we have so many HTML-based applications. There's been a big push within the browser manufacturing industry to develop better controls around sandboxing and memory protections and reduce the predictability of cookie naming. But that only goes so far. And I think that it's also tied to the prevalence of SaaS applications for modern businesses and large organizations. When you're using SaaS, that cookie can be your password, and that cookie, you know, like that's your entry point.

So, you know, while this talks about, it could allow them to perform code execution, getting outside the sandbox, get you closer to those cookies. And like the user may not even be the true target here, but that user's access to some cloud portal or SaaS application might actually be the intended target. And so like, there's a lot of attack scenarios where this is going to be a very useful exploit because it gets you into that sweet spot of I can steal the cookies, I can take over the user machine, I can watch what they're doing within the browser, like all of those are extremely useful to attackers across a range of scenarios.

Tom Bowyer: Right. And as you alluded to, many of the apps are moving from kind of desktop-based apps, Word, Excel, right onto browsers. Like Office 365 is another one, you know, or OneDrive as well. Right. Those all kind of no longer have really desktop apps and they're primarily driven by the browser and you know, the browser is the new OS, like you, like you said, Jason, and I feel these attacks are going to trend upward, or at least these vulnerabilities are going to trend upward as, you know, as the industry shifts, right? Because I think we're headed towards more of a Chromebook-based model in the enterprise where there's not really a desktop. It's all done in the browser and you know, where are you going to go now? Right. You have to overflow the browser.

Jason Kikta: Yeah. And I think we're still a ways off from, you know, the true Chromebook experience for, um, the majority of users. But in the meantime, you know, we have a lot of these compromised bridge apps where, you know, if you look at how Microsoft Office functions today, you know, a lot of that backend stuff is thrown off to the cloud. Like it's a heavy desktop app on the front and an extension of their SaaS platform on the back end. And then you have others where it's even more transparent, where you look at things like Slack. Electron apps are huge, huge.

Jason Kikta: You know, these components and it's using these, you know, in some cases, you know. The thing that always scares me about Electron is a lot of that sandboxing doesn't exist, or is curtailed significantly. And so that impetus to exploit in this realm just goes up and up and up.

Tom Bowyer: Yeah, agreed. All right. Shifting focus. So, you know, we kind of touched on it briefly, desktop apps and, you know, we talked about moving off of that, but there's an interesting one in the Outlook client, right? CVE-2023-35628, which is, um, an RCE in MSHTML. And, you know, reading the patch notes, basically what this reads to me is a no-user-interaction, no-notification, possibly RCE in Outlook in the preview pane. So, right, an attacker creates a malicious link or malicious email, sends it to the user, and obviously, they'll probably delete it before the user sees it. But it very, very much reminds me of the NSO Group type, zero-click attack, but this time it seems very focused on Outlook and not iOS and similar. Any thoughts, Jason?

Jason Kikta: Yeah, I mean, this definitely screams either higher-end commercial actor like NSO or, uh, you know, high-end state actor, uh, you know, again, Five Eyes, uh, Russia, China, Israel, this would all be within their capability envelopes to develop this. Um, sort of exploit that gets you those features you really want: the victim never knows, the victim doesn't have to actually do anything, but you still get remote code execution on their machine. And so you can do, you know, whatever arbitrary actions you dream up. And the bar is high, right, there's complex memory-shaping techniques that have to be used to leverage this, but that's again like that's where they excel. Those types of actors are able to overcome that barrier. And as we've seen over the last couple of years, they're able to overcome it on a regular basis. Now, that being said, this type of exploit getting burned and being patched is still a significant blow to them. There's a lot of time and development effort that goes into this. But it's obviously proving fruitful, and the fact that these have been burned with somewhat regularity over the last two or three years doesn't tell me that they're going out of style. It does say that the industry is getting better at detecting and mitigating them, but it also says that those actors are willing to bear those costs and keep working along these lines of exploitation.

Tom Bowyer: Yeah. And luckily though, for a lot of us in this space, just because it's deleted from the, you know, the user's device doesn't necessarily mean it, it was deleted from like a transaction log or an audit log, right? And, you know, I'm curious, Ryan, you know, as a user in the security space, you know.

What do you find kind of good about some of the logging capabilities? And, you know, do you think logging could help us in scenarios like this?

Ryan Braunstein: Logging is always very helpful in scenarios like this, especially when it comes to Microsoft's logging.

Tom Bowyer: I don't know your experience with G Suite and the logging capabilities in there. I mean, you don't have to talk about G Suite directly, but think about logging in G Suite or O365 and how they do a good job nowadays at cataloging and tracking all the emails. If it's deleted from the endpoint, it doesn't necessarily mean it's deleted from the cloud.

Ryan Braunstein: Yeah, and with Microsoft, are they now offering more advanced logging without having to pay for it now as well?

Jason Kikta: Ryan, I'm curious. Do you think this is something where, if you were writing detections for this, would you be able to detect some? Is it feasible to detect something like this in advance is going to be sort of difficult without monitoring the email logs or the incoming email and filtering it for certain things? But what about post-exploitation or the strategies that you could use to try and detect post-exploitation and know that something like this has happened on your network?

Ryan Braunstein: I think it would depend upon basically what happens with the end user. Oh my god, oh my god. I'm going to play that on. Okay, well, yeah.

Tom Bowyer: So beyond the two Windows, the Windows ones we talked about, you know, different than last time, I thought it was important we also bring in other OSes into this because, you know, everyone usually gets fixated on Patch Tuesday and their Microsoft endpoints, but sometimes we forget about those developers using Macs, which is such a common theme in the enterprise space, right? And a lot of the time those go unmanaged. So, you know, back in November, around November 30th, Apple released their latest update, 14.1.2 on macOS devices. And then obviously iOS, it was like, you know, 16.7.1, et cetera, but...

You know, two kinds of two big ones came out of that. And, you know, the one that I wanted to kind of talk through is CVE-2023-42917, which reads very similar to the one in Edge we talked about earlier, but it's a, you know, "processing web content may lead to arbitrary code execution." And, you know, Apple is aware that this is under exploitation and, you know,

Apple's very good at providing long descriptions, right? I remember "encryption vulnerability was addressed with improved locking," right? That tells me so much, thanks. But this is another one of those, not to always play the blame game, right? But I feel like we're in this trend where it's hard to get on an iOS device or a macOS device without attacking like WebKit or iMessage or those similar NSO Group attacks. And I don't think this is going away. And I'm curious about your thoughts, Jason.

Jason Kikta: I mean, not only is it going away, but I think it's, I think there's both a good and bad here, right? The good news is it's really fantastic that Apple's been able to herd most of the exploitation in their ecosystem down to applications and processes that parse unsolicited payloads from other users, right? So like an iMessage, anyone can send you a message, right, unless you're in lockdown mode. So people are texting you, they're sending you things, and then the system has to take that and parse that. And of course, that's the nature of the web itself, is that, yes, you hopefully chose to go to the site or were at least induced to go to the website, but you have no idea what that site is going to load until you actually visit it, download it, parse it, and display it. And it's in that parsing of the text of the binary that, you know, the exploitation occurs, right? They're looking for parsing errors where they can give it irregular input and get the system into an unsafe state. So, in one respect, it's, you know, a disappointing break.

In one respect, it's disappointing that these come up again and again, but when you think about the universe of things on any iOS, iPadOS, macOS type device and all the different things that could be exploited, but they keep coming back to it's WebKit and iMessage and these handful of things again and again and again, like at least they have shrunken the problem space to those. Uh, and you know, they're just, they're very hard to get right. Um, and.

This one's interesting and actually, I want to bring up a related one because, you know, the one we're talking about is CVE-2023-42917, but CVE-2023-42916 also came at the same time. They're both from the same researcher at Google TAG. And you know, that one's an out-of-bounds read "addressed with improved input validation." Thank you, Apple, for your terrible notes.

Uh, but that implies to me that these were probably being used, uh, as a pair, uh, you know, these were part of a single exploit chain. Uh, and so this again screams something like NSO Group or top-tier state actor. Uh, the one thing that was really perplexing to me, you know, so this, this effect affects iOS. So this affects iOS, iPadOS, uh, macOS.

Jason Kikta: Uh, they didn't mention tvOS, which is a little interesting, but, more interestingly is that they released a patch for Sonoma, but not Ventura. And that's, but they talk about, uh, iOS versions before 16.7.1 being affected. So it would have been around in the right era. And I'm just wondering what was different about Ventura that, uh, allowed it to escape needing a patch here.

Tom Bowyer: Yeah. And they also reused the patch notes, right? I feel like they just copied and pasted it through all of them, which, you know, I get it. Maybe they are rushing, but I, you know, maybe a little bit more due diligence on how we're releasing these CVEs. But I do appreciate them doing, right, these quick security updates. You know, if you remember, I think they started that this year where Apple went on this like security release cycle where instead of bundling security vulnerabilities within other patches, they, they do these out of band, and you know, I think that's important because the trend, the trend is attacking WebKit, attacking iOS, iMessage, et cetera, and you know, waiting months for a fix is just not going to cut it, you know, especially to us in the enterprise that use Macs and that secure Macs, right? Because there are protections, but really, you know, the best protection that we have is getting those things updated, and macOS updates are, have always been difficult without an MDM, right? It requires user interaction and they had to click the link and you need to click update and you know, that, that hasn't necessarily been solved for by many vendors.

Jason Kikta: Yeah. And I've been around long enough that I recall when there was a big push in the industry to do more consolidation of patching, uh, because patching meant touch labor, either physically or virtually. And it was so onerous to do it and to cycle through it that the more you could apply at once, the better.

But that's not really the state of the art anymore. You have auto update for individuals. I know I'm biased here, but you have patch management for enterprise. And so having more patches is not necessarily a significant impact because you have automated solutions to deploy and implement those patches. And it's still a far better thing to have it available than not have it available because the reality is this WebKit vulnerability and the MSHTML one that we discussed earlier, uh, or excuse me, the Outlook one that we discussed earlier. They don't affect every organization, but you know, those things that are valuable to state-based actors, you know, it's, it's critically important. And so if you're a defense contractor, if you're a Ministry of Foreign Affairs, because all of them seem to get hacked on the regular, um, you know, think tanks. I, and then, you know, that broadens outward more so than I think people generally appreciate. You know, in the 2020 election cycle, when I was working at Cyber Command, you know, we had a release in an advisory from the U.S. government about, um, you know, Russian state actors hacking into schools, schools that happen to be, um, election sites. Now they couldn't get from there to the actual polling machines. That was impossible. And so I'm still personally a little bit undecided on whether they thought that they might have a path to target there or whether they were just trying to create noise and friction for us. But it doesn't matter; those educational institutions and local municipalities who got hacked, they still had an issue. And you know, with another election coming up, like their impetus to put in patches for things that are a little more advanced is going to go up again. And so they're going to have to handle these sorts of things.

Tom Bowyer: Yeah. And to your point around elections and, you know, I think about like where I am, there's almost all the voting stations are at churches, right? When was the last time someone talked about church IT? You know, that's an MSP probably that has thousands of devices maybe. And, you know, they're probably heavily focused on Windows and not necessarily focused on Mac, right?

Ryan Braunstein: Or somebody's nephew. I said, or somebody's nephew who's doing their IT for them. That's a common theme for me. Yeah.

Jason Kikta: It is. It's. Yeah, it's, it's the nephew or the friend. Uh, and you know, I think that's the modern travesty of cybersecurity, and Wendy Nather, when she coined the term, the, the cybersecurity poverty line, you know, really encapsulated it well that, you know, it's not the Fortune 500 companies who struggle with cybersecurity because they can afford to buy large robust protections, they can hire massive teams, they can hire top-notch expertise and have all the best vendors and make technology shifts rather rapidly, and in certain areas, some of them are much harder. But, you know, then you compare that to the things that are not as well serviced by IT and security monetization, like hospitals, schools, municipalities, small and a lot of even a lot of medium businesses, like they're really struggling and they struggle both with, you know, their day-to-day scourge of ransomware and business email compromise type fraud, but then they also struggle with they might inadvertently find themselves in the middle of some, you know, cyberspace conflict between states because they happen to host a polling site or be of some political interest for a moment. And so now they have to worry about that too. And it's just, they're not well equipped to do it. And so being able to have these patches available and get them implemented quickly just becomes really, really critical to them because they just can't do it on their own.

Tom Bowyer: Yeah. And I think back to like, how do we get the user to update? And there's just a tool that comes to my mind, a free tool you can download from GitHub, but it's Nudge from MacAdmins.

Tom Bowyer: So in closing here, right? I think a constant theme remains true throughout all these CVEs throughout Patch Tuesday and, you know, a lot of the inbound and out-of-band cycles that we go through around our endpoints. It's just got to keep them updated. And, you know, that's kind of, kind of the reality of it. Have any closing thoughts, Ryan?

Ryan Braunstein: I would say also on top of that, education. Educate your users. I mean, just our first vulnerability that we talked about is essentially a phishing vulnerability that can be escalated into a remote code execution. So, keeping users up to date on, you know, some of these tactics could really make your life easier in the future, especially in this cloud-based world that we are now living in.

Tom Bowyer: Any closing thoughts, Jason?

Jason Kikta: Yeah, I'll agree with what Ryan said and expand on it slightly. My mantra has always been that culture is the number one security measure, hands down. And so I think whether you have a culture of patching regularly and often, or whether it's a culture of user education and vigilance, or a culture of developing strong detection methodologies, hopefully it's all of the above. You know, at the end of the day, these threats develop and come onto the scene rather rapidly, and being able to rely on that security culture that you've set to carry you through is the most critical thing that you can do.

Tom Bowyer: Agreed. You know, if you can get your grandma to keep her Mac updated, and you know, I'm pretty sure you could get everyone else.

Jason Kikta: Yeah. I mean, so much security is actually just really fantastic. It is security, or excuse me. So much of security is actually just very good hygiene. And I think that's a deeply unappreciated fact.

Tom Bowyer: Yeah. Speaking of hygiene, Jason and I will be talking today in a webinar about PowerShell signing. So if you have questions or concerns or are curious what PowerShell, if you are curious as to what PowerShell signing actually is, you know, join the webinar and we're going to kind of go into a little deep dive and talk about threats and kind of risk to the organization, but with that, thanks for tuning in and Happy December and let's hope this Christmas is a quiet one.

Jason Kikta: I look forward to our January episode where we talk about all the horrible things that happened in the latter half of December.

Tom Bowyer: I can't wait!