2020 is in the rearview mirror and most of us can’t get away fast enough. It was a year unlike any other, but 2021 looks to be unique as well.
The year started out with continuing investigation into the cause and impact of the compromised SolarWinds Orion software. Many predictions said we were due for another major cyberattack leading into 2021, but no one foresaw this type of attack and the impact it had, leading to a new focus on security and software development.
The attack took place through a remote access trojan, which was embedded in the SolarWinds Orion software. This type of attack is referred to as a ‘supply chain’ attack because the malware is added to and compiled into a trusted product, in this case SolarWinds Orion. Once the compromised software was installed on an endpoint, the trojan reported back to a remote network, from which access to the endpoint was then available. The remote hacker could read and modify files on the compromised system with little fear of detection. This is very different from a typical attack, in which a hacker might attempt to trick a user into installing malware through an email phishing campaign.
The SolarWinds attacker had a guaranteed connection to all systems managed by the product, whereas in email phishing attacks, a hacker gains access to a random system based on an unsuspecting user clicking on a malicious link and unknowingly downloading malware. And as mentioned previously, the SolarWinds attack was more effectively hidden as part of a known product while phishing attacks are subject to detection from a variety of sources including anti-malware products.
Investigation into how the SolarWinds product was compromised revealed the malware was added to build systems back in March 2020 and has been included in all product updates since then. As customers updated their systems with the newer versions of SolarWinds Orion software, they were subject to access and compromise. Not surprisingly, the patch forums lit up with interesting questions and discussions.
The compromise of SolarWinds brings into question the security practices of all software developers, including topics such as patching of development machines, outsourcing of code development, control and understanding of code functionality through mergers and employee turnover, code reviews and other techniques to identify security issues and many others.
None of this should be new if you are a software development company, but the far-reaching impact of the SolarWinds compromise has many companies revisiting and refocusing on both the security and legal sides of their software development process.
Switching gears from compromise to security, here’s what we can expect next week as we begin the 2021 monthly Patch Tuesday cycle.
January 2021 Patch Tuesday forecast
- Microsoft generally has a light set of releases in January, meaning they have a smaller subset of updates with fewer vulnerabilities addressed. I expect that trend to continue. In addition to the operating systems, updates for Office, Microsoft 365, and the associated Sharepoint server will be released. Don’t forget to look for the latest service stack updates (SSU) as well; there are always a few new ones each month.
- The January Patch Tuesday release completes the first year of extended security updates (ESU) for Windows 7 and Server 2008. Microsoft has stated they will provide at least another two years of support, so more ESUs to come.
- Adobe has not provided any pre-release announcements yet, but they did release security updates for Acrobat and Reader on December Patch Tuesday. I anticipate another set coming soon. Remember that Adobe Flash Player reached end-of-life. Remove old versions if you don’t need them or if you still require them, reach out to Harman for support.
- Apple released security updates for Big Sur 11.0 just before the holidays on December 14. We may see an iCloud or iTunes security release for Windows.
- Google Chrome was updated to 87.0.4280.141 for Windows, Mac and Linux this week which included 16 security fixes with 15 of them rated High. It is unlikely there will be another one next week.
- Mozilla released a minor security update for Firefox 84 and Firefox ESR 78 this week. There will probably not be a major update next week, but one is on the horizon.
Happy New Year to everyone! We saw record numbers of vulnerabilities addressed in 2020 and based on the latest round of cyberattacks in the news, we will probably see that trend continue with everyone focused on the need for more security.