Industry News Roundup
Industry News - Aug 2024
Aware Of What Tech Debt Costs Them, CIOs Still Can't Make It an IT Priority
One of a CIO's most persistent challenges involves embracing innovative technologies while addressing potentially crippling technical debt. Tech debt can involve old applications, bloated code, and aging hardware. The issue often is deprioritized behind adoption of innovation and new technology. In a recent CIO Sentiment Survey by IDC, almost 40% of CIOs surveyed said they expect to overspend on digital infrastructure over the next 18 months. Nearly 50% of those who expect to overspend blamed excessive tech debt, including old apps. Nonetheless, according to the survey, CIOs ranked AI and cybersecurity far ahead of eliminating tech debt on their lists of priorities. Daniel Saroff, group vice president for consulting and research at IDC, noted that company boards and CEOs are putting pressure on CIOs to find innovative uses for AI. In addition, the need for better cybersecurity is ever-present. Therefore, dealing with tech debt gets put on the back burner. One approach for CIOs who have significant tech debt is to sell it to organization leadership. One way to frame the need to address tech debt is to tie it to IT modernization. CIOs can use their IT asset management tools to identify old and obsolete hardware and software and point out the costs of legacy systems.
Microsoft Warns of Six Windows Zero-Days Being Actively Exploited
Microsoft recently warned users of six actively exploited Windows security defects. The company's security response team issued documentation for nearly 90 vulnerabilities across Windows and OS components and marked six flaws as being actively exploited. Microsoft urged Windows sysadmins to pay urgent attention to a batch of critical-severity issues that expose users to remote code execution, privilege escalation, cross-site scripting and security feature bypass attacks. These include a significant flaw in the Windows Reliable Multicast Transport Driver that brings remote code execution risks, a severe Windows TCP/IP remote code execution flaw, two separate remote code execution issues in Windows Network Virtualization and an information disclosure issue in the Azure Health Bot. IT professionals can utilize their IT asset management toolsets to identify vulnerable and/or unpatched systems.
Microsoft Outlook Security Hole Lets Attackers In Without Opening A Tainted Message
Microsoft recently patched a serious flaw within Microsoft's Outlook email client. The vulnerability would enable an attacker to have full access by simply sending the user an email. The attack would work even if the recipient did not open the message. Furthermore, the end user would have no way of knowing that they had been attacked. Michael Gorelik, the chief technology officer at Morphisec, noted that "You will not know. You will not experience anything." Morphisec is the security firm that says it discovered the problem and reported it to Microsoft. He also voiced concern that this flaw may indicate the existence of similar zero-click holes that Microsoft has yet to patch. IT professionals can utilize their IT asset management solutions to minimize exposure to the vulnerability by identifying any unpatched systems.
Ivanti Patches Critical Vulnerabilities in Neurons for ITSM, Virtual Traffic Manager
Ivanti recently announced patches for eight vulnerabilities in Neurons for ITSM, Avalanche, and Virtual Traffic Manager. Two addressed critical-severity flaws, including a critical-severity information disclosure issue that could enable an unauthenticated attacker to obtain the OIDC client secret via debug information. Ivanti also announced patches for a high-severity improper certificate validation flaw that could allow an attacker in a man-in-the-middle position to craft a token that would allow access to ITSM as any user. Ivanti also announced patches for a critical-severity bug in Virtual Traffic Manager that could enable an attacker to circumvent authentication and create an administrator user in the admin panel. The company also issued patches for five high-severity vulnerabilities in Avalanche.
Answering The Big Post-Outage Question: Are We All Patching Wrong?
Even before the worldwide CrowdStrike outage, patching was a constant challenge for many IT operations teams. They struggled to balance the need to patch urgently with the requirement to patch safely. Unpatched endpoint devices remain one of the greatest risks to an organization. However, deploying a bad patch can have dire consequences for a business. Clearly, applying software patches has exceeded current capabilities, and AI-based autonomous patching systems are a reasonable substitute.
Industry News - Jul 2024
Driving Efficient Software Spend: How Smart Organizations Beat Sprawl and Maximize SaaS Value
The software as a service (SaaS) market is evolving and offers new opportunities for tech professionals to optimize operations and efficiency. Organizations are working to streamline IT investments by consolidating applications and focusing on integrated solutions. Despite their efforts, challenges in managing SaaS sprawl are ongoing. This webinar will help participants gain the practical strategies, expert insights, and tools needed to effectively lead a team in the dynamic SaaS landscape. During the webinar, the speakers will examine changing SaaS usage trends and their impact on efficiency, share ideas to effectively manage the evolving tech stack and cover how to prepare for upcoming shifts in SaaS spending.
Legacy Tech Upgrades Cost the Average Business Nearly $3M Last Year
Businesses face significant obstacles when modernizing legacy technology systems, despite efforts and plans to modernize and streamline IT operations. According to Jeremiah Stone, CTO of SnapLogic, challenges are inherent in major technology upgrades, especially regarding legacy systems. Over 75% of IT decision-makers report that their teams spend up to 25 hours a week updating and patching legacy systems. Maintaining and updating legacy tech can negatively impact productivity and the bottom line. IT managers can use their IT asset management tools to identify key legacy systems and those which can be phased out or replaced.
Aging Devices, Not AI PCs, Drive PC Shipment Uptick
Businesses want to replace laptops and desktops before support runs out, but we think that that surge is going to happen toward the end of this year and the beginning of next year. As a result, PC shipments began to recover this year. Kitagawa also noted that enterprises are replacing PCs due to age, not AI. Managers can identify devices that need to be replaced using the reporting capabilities of their IT asset management software.
Kaspersky Lab Shuts Down US Operations in Wake Of National Security Ban
According to the edict issued by the US Department of Commerce's Bureau of Industry and Security (BIS), US companies have until September 29th to stop using Kaspersky's antivirus software and services. US CISOs must act quickly to comply. Tim Crawford, founder of research and advisory firm Avoa, noted that "You have to move quickly, don't wait or take a chance to get close to that October deadline, because those non-updated systems will become fully vulnerable, and hackers are lying in wait for you." Kaspersky software will no longer be supported, and IT professionals can utilize their IT asset management toolsets to identify impacted systems and networks.
Ivanti Issues Hotfix for High-Severity Endpoint Manager Vulnerability
tracked as CVE-2024-37381 and impacts the Core server of Endpoint Manager 2024. The company also released patches for four vulnerabilities impacting all versions of its Endpoint Manager for Mobile product. Tracked as CVE-2024-36130, CVE-2024-36131 and CVE-2024-36132, these flaws are high-severity bugs. IT managers can identify unpatched systems using their IT asset management toolsets.
Microsoft Patch Tuesday, July 2024 Edition
The other zero-day is tracked as CVE-2024-38112, and is a weakness in MSHTML, the engine of Microsoft's Internet Explorer web browser. Kevin Breen, senior director of threat research at Immersive Labs, said exploitation of this vulnerability requires the use of an attack chain of exploits or programmatic changes on the target host. Unpatched devices can easily be identified using a robust IT asset management toolset.
Industry News - Jun 2024
US Bans Kaspersky Labs Over National Security Concerns
The Biden administration has decided to block all new sales of Kaspersky Labs products and services in the United States. Allegations have been made that the Russian company has strong ties to Russia's nation-state cyber offensives. The Department of Commerce's Bureau of Industry and Security (BIS) stated that Kaspersky will no longer be able to sell its software within the US or provide updates to software already in use. The prohibition applies to the company's US subsidiary Kaspersky Labs, Inc., and will be enforced on its affiliates, subsidiaries, and parent companies, the statement added. The risk factors considered in the review included threats posed by Russia, vulnerabilities that Kaspersky's ICTS products create for US national security and the impact of Russia exploiting the vulnerabilities presented. IT professionals can identify deployed instances of the Kaspersky software by using the software asset management tools in their IT asset management software.
Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira
The Confluence Data Center and Server patches address six security defects, all of which were disclosed this year. The most severe of these flaws (tracked as CVE-2024-22257) is a broken access control issue in the Spring Framework. That vulnerability could allow unauthenticated attackers to expose assets to which they should not have access. Three server-side request forgery vulnerabilities, tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259, were also resolved. Atlassian also issued patches for two out-of-bounds write bugs in Apache Commons Configuration. These bugs could allow unauthenticated attackers to cause a denial-of-service (DoS) condition. Patches for all vulnerabilities are included in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).
Microsoft Patches Zero-Click Outlook Vulnerability That Could Soon Be Exploited
The Microsoft Outlook security defect (tracked as CVE-2024-30103) allows attackers to bypass Outlook registry block lists and create malicious DLL files. The Morphisec researchers who discovered the bug consider it critical and warned that attackers might soon start exploiting it, as it does not require user interaction. The cybersecurity firm noted that execution initiates when an affected email is opened. This is notably dangerous for accounts using Microsoft Outlook's auto-open email feature. This Microsoft Outlook vulnerability can be circulated from user to user and doesn't require a click to execute. The company advised users to update their Outlook clients as soon as possible. Microsoft also released patches for over a dozen remote code execution vulnerabilities, including a critical-severity flaw in Microsoft Message Queuing. IT managers can utilize their IT asset management tools to identify unpatched or vulnerable systems.
Patch Tuesday: Remote Code Execution Flaw in Microsoft Message Queuing
Microsoft recently advised Windows administrators to prioritize patches for a critical remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) software. The vulnerability (tracked as CVE-2024-30080) has a CVSS severity score of 9.8/10. It can be exploited by an attacker sending specially crafted malicious MSMQ packets to an MSMQ server, resulting in remote code execution. The company also released patches for over 51 security defects across a range of Windows OS, components and services. A company's IT asset management tools can be used to easily identify unpatched or vulnerable systems.
Details of Atlassian Confluence RCE Vulnerability Disclosed
Successful exploitation of the vulnerability requires that the attacker has the privileges required for adding new macro languages, and to upload a malicious language file. According to Atlassian, the issue was introduced in Confluence version 5.2.
Industry News - Apr 2024
Microsoft Confirms When WordPad Will Be Tossed On The Scrapheap Later This Year With Windows 11 24H2
Microsoft has stated that WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. Users will not be able to avoid losing WordPad when the 24H2 update is distributed to Windows 11 systems. The only way for users to keep WordPad is not to take the 24H2 update when it's released. Users can continue to use 23H2 through November 2025 when support will be discontinued. However, Windows 11 24H2 will be a major update, changing the underpinnings of the OS with a new platform, which ushers in performance and security benefits under the hood. IT managers can utilize their IT asset management solution to identify WordPad users and plan a transition to Notepad, which will replace WordPad.
Broadcom is removing expired VMware licences from its portal - take action now!
Hot on the heels of Broadcom's announcement of the end of perpetual licences for VMware, it has given customers barely a week to download any keys for licences from its portal with expired support. This is due to Broadcom migrating all licence keys from the VMware portal into its own software management portal.
An Onslaught of Security Flaws Pushes Ivanti Into Security Re-Design
According to the open letter, published by CEO Jeff Abbott, Ivanti is planning a transformation of its security operating model. The effort will include revamping core engineering, security, and vulnerability practices. The letter notes that Ivanti plans to optimize its products for security, which includes accelerating the stack modernization of its Network Security products. Critical vulnerabilities include heap overflow (CVE-2024-21894 and CVE-2024-22053), null pointer dereference (CVE-2024-22052), and XML entity expansion or XXE (CVE-2024-22023) flaws. These vulnerabilities could allow interaction-less RCE and DoS attacks. The criticality for these flaws ranges from 5.3 to 8.2 CVSS. As a result, US government agencies took Ivanti VPN products offline as ordered by the US Cybersecurity and Infrastructure Security Agency (CISA).
Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products
The company put the Adobe Commerce vulnerabilities in the critical-severity category. It noted that successful exploitation could result in arbitrary code execution. Adobe also rolled out patches for Adobe Experience Manager (AEM), Adobe Media Encoder, memory leaks in Adobe After Effects and Adobe Photoshop and Adobe InDesign (Windows and macOS affected); and denial-of-service and code execution issues in the Adobe Animate software. IT managers can utilize their IT asset management tools to identify vulnerable and unpatched systems.
Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability
Shadowserver Foundation researchers recently identified thousands of internet-exposed Ivanti VPN appliances which are impacted by a vulnerability leading to remote code execution. The vulnerability, labeled CVE-2024-21894, is described as a heap overflow bug in the IPSec component of Ivanti Connect Secure and Policy Secure. The bug can be exploited by remote, unauthenticated attackers to cause a denial-of-service condition or to execute arbitrary code. Ivanti has released software updates to address this flaw and three other vulnerabilities in its two VPN appliances. The patch impacts all supported versions of Connect Secure and Policy Secure. Ivanti has urged all users to update their affected systems.
Cisco Warns of Vulnerability in Discontinued Small Business Routers
Cisco has issued a warning about a cross-site scripting (XSS) vulnerability in its end-of-life RV series small business routers. Tracked as CVE-2024-20362, the flaw impacts the small business RV016, RV042, RV042G, RV082, RV320, and RV325 routers. These models have been discontinued and security patches are not published. Cisco has stated that it is not aware of this vulnerability being exploited in the wild. There are no workarounds for the bug. Users are advised to migrate to a supported product. Discontinued Cisco networking devices have been exploited in attacks. Network managers can use their IT asset management tools to identify obsolete equipment.
Software Purges: How CIOs Can Declutter The Software Stack
Tech stacks can benefit from a decluttering exercise, especially if a company does not have a regular software review cycle. A software review can be a major undertaking and may result in major savings. An in-place IT asset management solution can speed the process. For example, last year a major bank retired several hundred legacy apps in an effort to simplify its technology infrastructure. A complex tech stack can create a world of problems, and having several disjointed systems that aren't integrated can make work harder and be a waste of employee time and financial resources. Karl Threadgold, managing director at Threadgold Consulting, noted that "The key thing is not having that single source of truth." Rather than determining a one-time software clean out, organizations should maintain a continuous cycle of analyzing what software applications are used and how. An IT asset management system creates that single source of truth and provides key information to support a regular software clean-out process.
22,500 Palo Alto Firewalls "Possibly Vulnerable" To Ongoing Attacks
Over 22,000 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw. The flaw is a critical command injection vulnerability that has been actively exploited in attacks since March of 2024. CVE-2024-3400 impacts the GlobalProtect feature of specific Palo Alto Networks PAN-OS versions and allows unauthenticated attackers, using command injection triggered by arbitrary file creation, to execute commands with root privileges. Patches were made available between April 14 and 18, 2024, meaning that post-disclosure risks lasted two to six days. Palo Alto's mitigation of disabling telemetry would not protect devices, and the only solution was to apply the security patches. IT managers can utilize their IT asset management solutions to identify vulnerable and unpatched devices.