December 20, 2022

Good morning, everyone!

This week’s critical vulnerabilities: Apple released multiple updates with critical fixes for just about every iThing there is. If you have a newer iPhone or iPad that will run iOS 16, you should upgrade now if you haven't already. It's the only way to get these critical fixes. Older devices will get the fixes in iOS 15.7.2. Likewise, fixes were released for macOS Monterey and Big Sur for computers that cannot run Ventura. Microsoft's latest Patch Tuesday included patches for 74 vulnerabilities -- 7 critical, 1 previously disclosed, 1 is already being exploited Web Application Firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks all have fresh patches to secure against a critical vulnerability FortiNet has released a patch to fix a vulnerability in its FortiOS SSL-VPN which is already being exploited Citrix Application Delivery Controller and gateway products running older versions are under active attack. Patch All the Things!

This one has been puzzling us for a very long time, and I think we finally figured it out! It is very common for automatic updates not to happen. It drives me crazy. It drives other people crazy. So we have been looking for patterns, and have finally found at least two:

As you know, Microsoft releases categories of patches for Windows, "critical" and "recommended" and "optional" and so on. It also has "feature releases" which are a bundle of new features. When you get a feature release, the version number of your operating system changes. For example, it is still Windows 10, but it might change from Windows 10 21H1 to Windows 10 21H2.

We have noticed over time that a Windows computer that hasn't received updates in a couple of months is usually running an older feature release. So when it checks for updates, there aren't any, because Microsoft isn't releasing new updates for that older version. This means the computer may be missing out on critical fixes only pushed out to newer versions. If you are in charge of your IT, you should be aware that this could be happening.

Missing automatic updates from Apple is a different story. I have noticed repeatedly that when I have to manually pull an update, I get a popup with a new license that I must agree to before the update will be installed. I think this is the cause of automatic updates not automatically installing -- when the update includes some new feature or code that requires a change in the current license agreement, it cannot install itself automatically.

Usually it will still notify you that an update is available, though, so watch for that little red circle on the Settings icon. Apple rolls out notifications in waves, not all at once, and I don't know what the pattern is. I often will get a notice on one device long before the other devices get it. So, set yourself a reminder to manually check for updates once a month or so, in case that notification hasn't hit your device yet.

Don't forget to turn off Bluetooth after the update! This one really irritates me, but it seems to be Apple's MO these days. Even if you have Bluetooth disabled on your device, it will get turned on during the update. They desperately want you to use Apple Pay and it doesn't work without Bluetooth. I usually check my Privacy settings and iCloud settings after an update also, as I have seen those changed in the past.

And, of course, all operating systems will get stuck not installing automatic updates if it requires a reboot and you never shut down your computer! If you get a notice that updates are ready to be installed and a reboot is required, click "ok" and go get some more coffee or something. Don't just keep saying "not now." You'll never get the critical patches you need.

Popular antivirus programs tricked into deleting your data

Popular antivirus and endpoint protection programs, including Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus, are all vulnerable to an attack which tricks them into acting as data wipers, deleting your data. All vendors have released patches, so as always, Patch Early! Patch Often! Manually check for updates to be sure you have the fixes in place.

FBI's InfraGard forum hacked

(shaking head sadly) I just don't know what to say about this. InfraGard is a public-private partnership for information sharing on security issues. Members are vetted by the FBI before being admitted. This requires potential members to provide DOB, SSN, cell phone numbers and other contact info. So, yep, this database of 80,000 security professionals (including me) was stolen last week and offered for sale on the dark web.

If you have ever been a member of InfraGard, be on the alert in particular for (1) really high-quality phishing emails appearing to come from InfraGard or the FBI, (2) phishing messages sent through the InfraGard portal, and (3) personal identity theft.

Happy Holidays, everyone! I'll be back in January.

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺