Patch Tuesday and the Threat of Blind Spots
2020-10-23 | 4 min read
Tuesday 13 October was a particularly robust and fruitful Patch Tuesday for those running Windows, with patches for 87 CVEs spanning a dozen Microsoft products, including Exchange; Windows 7, 8.1 and 10; Server 2008, 2012 and 2019; various Office apps; Visual Studio; Microsoft Dynamics; and so on.
One of the most interesting in this month’s batch is CVE-2020-16898, aka “Bad Neighbor,” aka “Ping of Death Redux.” The Windows TCP/IP stack has a vulnerability such that a relatively simple attack using a slightly modified ICMPv6 Router Advertisement packet can reliably and immediately blue screen (BSOD/crash) the target machine via a buffer overflow, which in theory implies that remote code execution would also be possible.
Bad news. Time to patch. Again. Hopefully already sorted days ago.
By the way, you do set aside time to deal with the fallout from Patch Tuesday on a monthly basis, right?
This exploit, whether a simple denial of service or an eventual theoretical remote code execution exploit, is relatively compact. It doesn’t take much data to pull it off. A couple of packets. That makes it a relatively small needle in a very large haystack of network traffic. Easy to miss, even if you aren’t dropping traffic. Real easy to miss if you are.
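To make the “small needle” concrete, here is an added example (not code from the original post or from Keysight) that validates the option TLVs of an ICMPv6 Router Advertisement the way an inspection tool would. It applies the RFC 4861 rule that no option may have a zero length, and flags the CVE-2020-16898 condition from the public advisories: a Recursive DNS Server (RDNSS, type 25) option whose length field is even instead of odd. Both packets it runs over are constructed samples with a zero checksum, not captured traffic.

```python
# Added example: validate Router Advertisement option TLVs and flag the
# malformed RDNSS option that CVE-2020-16898 relies on. Valid RDNSS lengths
# (in 8-byte units) are odd and at least 3: an 8-byte header plus one
# 16-byte address per two units. An even length is invalid per RFC 8106.
import struct

ICMPV6_RA_TYPE = 134
RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_RDNSS = 25

def check_ra_options(icmpv6: bytes) -> list[str]:
    """Return findings for the option section of an ICMPv6 RA (empty list = clean)."""
    findings = []
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_RA_TYPE:
        return ["not a Router Advertisement"]
    off = RA_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            findings.append(f"truncated option header at offset {off}")
            break
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            findings.append(f"option type {opt_type} with zero length at offset {off}")
            break
        size = opt_len * 8
        if off + size > len(icmpv6):
            findings.append(f"option type {opt_type} length {opt_len} overruns packet at offset {off}")
            break
        if opt_type == OPT_RDNSS and (opt_len % 2 == 0 or opt_len < 3):
            findings.append(f"RDNSS option with invalid length {opt_len} at offset {off} (CVE-2020-16898 pattern)")
        off += size
    return findings

def build_ra(options: bytes) -> bytes:
    """Constructed RA header (checksum left zero) followed by the given options."""
    return struct.pack("!BBHBBHII", ICMPV6_RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + options

# Constructed benign RA: one RDNSS option carrying a single DNS server (length 3).
BENIGN = build_ra(bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 3600) + bytes(16))
# Constructed malformed RA: RDNSS option whose length field is even (4) rather than odd.
MALFORMED = build_ra(bytes([OPT_RDNSS, 4, 0, 0]) + struct.pack("!I", 3600) + bytes(24))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, check_ra_options(pkt) or "ok")
```

A check like this only helps if the packet reaches the tool in the first place, which is the point the rest of the post makes about dropped traffic.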
With that in mind, you may want to take a minute to think about not just your security tools, but also the network packet brokers that feed them. We recently had the good folks at Tolly do a test comparing the performance of the Gigamon GigaVUE HC3 with the Keysight Vision X. You can read the blog about it if you would like as well. The long and short of it is that Gigamon drops packets, and those dropped packets create holes in your visibility fabric: holes through which bad things like Pings of Death might slip.
You put a lot of effort into security. You invest a lot of time and money in tools and their upkeep and maintenance. You owe it to yourself and your team to ensure that you are getting the best possible results from those significant investments, and one of the best ways of doing that is by ensuring that those lovingly deployed and cared-for tools are getting a complete view of traffic, sans blind spots. Not to get too dramatic, but it is like buying a gun for self-defense. You need that gun to go bang each and every time you pull the trigger. With your life at stake, do you load up with ammo that fails to fire 46% of the time? How about 6%? Or 10%? Of course not. You spend the money to do it right and get the good ammo that always fires.
What if I told you that the good ammo doesn’t cost extra?
Stay safe. Patch and plan to patch again. Thanks for reading.