
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of July 11, 2016


Earlier this week, Fiat Chrysler announced that it was launching a “bug bounty” for hackers. Inspired by Wired’s Andy Greenberg and his experience as he sat in a Jeep Cherokee that was hacked by Charlie Miller and Chris Valasek, Fiat Chrysler is offering bounties up to $1,500 USD to security researchers who find flaws in their Uconnect infotainment system and Eco-Drive driving efficiency applications. Bug bounty programs are nothing new…ahem, we created one of the early ones with our Zero Day Initiative back in 2005. It is good to see that organizations like Fiat Chrysler, Google, Tesla, United Airlines, and even the Pentagon are seeing the value of having others find your flaws and rewarding them with money or frequent flier points versus penalizing them with a lawsuit. And while I applaud the efforts I’ve seen with various companies taking that step and asking for outside help, there’s one big thing that’s missing.

In my opinion, that one big thing that’s missing is accountability. If I find a vulnerability in one of the applications that Fiat Chrysler has included in their bounty program, they will validate it, cut me a check, and that’s it. I’ll probably never know when they fix the vulnerability I found…if they even get to it at all. This entire transaction is on THEIR timetable, not mine. They might fix it in two months…it might take them two years. But since they control the fire they hold to their feet, the flame is as big or as little as they want to make it. With our Zero Day Initiative, we have phenomenal relationships with vendors all over the world, and we make sure they are accountable for the vulnerability information we pass to them and that they issue a patch in a timely manner. We understand that sometimes there are extenuating circumstances that may pop up, and we’ll work with vendors on a case-by-case basis as needed. Otherwise, we will allow the vendor four months to address the vulnerability with a patch. At the end of the deadline, if a vendor is not responsive or unable to provide a reasonable statement why the vulnerability is not fixed, the Zero Day Initiative will publish a limited advisory including mitigation in an effort to enable the defensive community to protect the user. Ultimately, we want the vendor to understand the responsibility they have to their customers and hope that they will fix any issues in a timely manner.

July Microsoft Patch Tuesday Update

This month’s Microsoft Patch Tuesday included 11 bulletins, with six of them rated as critical, which means these vulnerabilities can potentially allow remote code execution. This month’s bulletins covered vulnerabilities across several Microsoft products including Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, and .NET Framework.

This week’s Digital Vaccine (DV) package includes coverage for the Microsoft Security Bulletins released on or before July 12, 2016. The following table maps Digital Vaccine filters to the Microsoft Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers. More details on the zero-day protection we provided for this month’s Microsoft bulletins can be found below in the “Updated Existing Zero-Day Filters” section:

| Bulletin # | CVE # | Digital Vaccine Filter # | Status |
|---|---|---|---|
| MS16-077 | CVE-2016-3213 | 24947 | |
| MS16-084 | CVE-2016-3204 | | Insufficient information |
| MS16-086 | CVE-2016-3204 | | Insufficient information |
| MS16-084 | CVE-2016-3240 | 24966 | |
| MS16-084 | CVE-2016-3241 | 24485* | |
| MS16-084 | CVE-2016-3242 | 24504* | |
| MS16-084 | CVE-2016-3243 | 24982 | |
| MS16-084 | CVE-2016-3245 | | Insufficient information |
| MS16-084 | CVE-2016-3248 | | Insufficient information |
| MS16-085 | CVE-2016-3248 | | Insufficient information |
| MS16-084 | CVE-2016-3259 | 24980 | |
| MS16-085 | CVE-2016-3259 | 24980 | |
| MS16-084 | CVE-2016-3260 | | Insufficient information |
| MS16-085 | CVE-2016-3260 | | Insufficient information |
| MS16-084 | CVE-2016-3261 | 24967 | |
| MS16-084 | CVE-2016-3273 | | Insufficient information |
| MS16-085 | CVE-2016-3273 | | Insufficient information |
| MS16-084 | CVE-2016-3274 | 24965, 24971 | |
| MS16-085 | CVE-2016-3274 | 24965, 24971 | |
| MS16-084 | CVE-2016-3276 | 24964 | |
| MS16-085 | CVE-2016-3276 | 24964 | |
| MS16-084 | CVE-2016-3277 | 24977 | |
| MS16-085 | CVE-2016-3277 | 24977 | |
| MS16-085 | CVE-2016-3244 | 24975 | |
| MS16-085 | CVE-2016-3246 | 24978 | |
| MS16-085 | CVE-2016-3265 | | Insufficient information |
| MS16-085 | CVE-2016-3269 | | Insufficient information |
| MS16-085 | CVE-2016-3271 | 24969 | |
| MS16-087 | CVE-2016-3238 | | Insufficient information |
| MS16-087 | CVE-2016-3239 | | Insufficient information |
| MS16-088 | CVE-2016-3278 | | Insufficient information |
| MS16-088 | CVE-2016-3279 | 24981 | |
| MS16-088 | CVE-2016-3280 | 24984 | |
| MS16-088 | CVE-2016-3281 | 24983 | |
| MS16-088 | CVE-2016-3282 | 24988 | |
| MS16-088 | CVE-2016-3283 | 24970 | |
| MS16-088 | CVE-2016-3284 | 24994 | |
| MS16-089 | CVE-2016-3256 | | Insufficient information |
| MS16-090 | CVE-2016-3249 | 24987 | |
| MS16-090 | CVE-2016-3250 | 24989 | |
| MS16-090 | CVE-2016-3251 | 24990 | |
| MS16-090 | CVE-2016-3252 | 24991 | |
| MS16-090 | CVE-2016-3254 | 24992 | |
| MS16-090 | CVE-2016-3286 | 24972 | |
| MS16-091 | CVE-2016-3255 | | Insufficient information |
| MS16-092 | CVE-2016-3258 | | Insufficient information |
| MS16-092 | CVE-2016-3272 | | Insufficient information |
| MS16-094 | CVE-2016-3287 | | Insufficient information |
| MS10-001 | CVE-2016-0018 | 19559 | |
| MS10-091 | CVE-2016-3956 | 24936 | |
| MS10-091 | CVE-2016-3957 | 24950 | |

Zero-Day Filters

It doesn’t happen very often, but we did not have any new zero-day filters in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy, and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its Disclosure Policy.

Two of the zero-day filters updated this week were associated with the July Microsoft Patch Tuesday and have now been officially disclosed. Both filters are tied to bulletin MS16-084, a cumulative security update for Internet Explorer. Customers using Trend Micro TippingPoint solutions have been protected from two of the CVEs associated with this bulletin (CVE-2016-3241 and CVE-2016-3242) since May 3, 2016!

  • 24485: HTTP: Microsoft Internet Explorer Table Row Out-of-Bounds Array Access Vulnerability
  • 24504: HTTP: Microsoft Internet Explorer Table Row Out-of-Bounds Array Access Vulnerability

For more details on Microsoft bulletins, visit Microsoft’s 2016 Bulletin Summaries page.

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap posted on the Trend Micro Simply Security blog!

