Patch [Fix] Tuesday – September 2024 [Spicy Vulnerabilities, YubiKey Security Advisories, and... Fashion Advice?], E11


Tom Bowyer (00:00)
Happy Patch Tuesday, everyone. We made it to September, we made it to our 11th episode of Fix Tuesday Patch Tuesday. It has been 11...

Jason Kikta (00:09)
Has it been 11? Wow.

Tom Bowyer (00:12)
It's been almost, almost a whole year since we started doing this. It does not feel like it, but...

Jason Kikta (00:18)
It, it's astounding, to think that like, we, you know, we started this less than a year ago. And I mean, we're, you know, I don't know if you saw, but, but on YouTube, and by the time this airs, we probably will be over it, we're almost at like 40,000 subscribers, right? Like, that's, that's mind blowing to me that it's blown up because I

Remember recording in July and saying, you know, Hey, we're at 25,000 and like, that's just, it's, it's really impressive. and I have no idea how we did it. That's probably how we did it.

Tom Bowyer (00:51)
videos.

None. Yeah. It's all the painstaking dedication we put into these, all the prep work we do, Like all the hours of reading before our...

Jason Kikta (01:02)
That's right. That's right. And designing these super sweet, you know, Fix Tuesday t-shirts. That's what really, that's, that's the t-shirts. What put us over the top, except you didn't wear one today. 'Cause you're disloyal. Disloyal. He's not a t-shirt guy. Yeah. Tom shows up most days on Zoom calls and he's in a full suit. And I'm just like, yeah. Yeah.

Tom Bowyer (01:10)
Yeah, yeah, yeah. That's the key. It is. I didn't, because I am just not, just completely like, not a t-shirt guy, I guess.

suited and booted, you know? Looked the part, right?

Jason Kikta (01:32)
bow tie on like he's ready to go. He's ready to go. Yeah. Gray suit, gray suit. Right. Yeah. Yeah. Especially because it's after Labor Day.

Tom Bowyer (01:35)
A gray suit though, it has to be a gray suit. You know, you got to let them know I ain't here to play. I ain't here to mess around. Right.

Jason Kikta (01:49)
Uhhh, haha.


Tom Bowyer (02:04)
goodness. Anyway, 10 minutes, right? So, Fix Tuesday, no mistakes. Some good ones today. Some real spicy meatballs. I know we said that a bunch of times here on the show, man, there's some good ones today.

Jason Kikta (02:07)
Yeah, 10 minutes, one shot. No mistakes.

Not going to repeat for the audience what I said to Tom in Slack when I saw this one, this one, see. No, no, I cannot, but it's CVE-2024-43491 and that's a Microsoft Windows Update RCE and...

Tom Bowyer (02:28)
It's a PG show, Jason. You know, we can't be singing those things.

Jason Kikta (02:47)
This one is a doozy, it's somewhere that you, like you said, whether it's your updater, which is near and dear to us at Automox, because what do we do? We apply updates, and we manage configurations. So we get this one on sort of an emotional level that having a CVE at 9.8 in Windows Update.

Really bad. And this one, this one has the exploitation more likely. So no current exploitation in the wild known, but that probably won't last. this is, I think this is a pretty juicy target. Wouldn't you think, Tom?

Tom Bowyer (03:30)
Yeah, and I found it interesting that it's very sparse on the details too. Right? Like they're not trying to tip, give anything away because it's... Right? Likewise.

Jason Kikta (03:35)
Yeah.

I don't blame them. Like I like more, but this is also one of those ones that like, you just read the title alone and you're like, yeah, that's, that's, that's a do it now.

Tom Bowyer (03:51)
Yeah, I'm really curious like the attack vector here too, like is this, you know, like a bad, where are we getting these updates from? Right. That is just like some out of bounds thing, or I'm just, I wish I knew a little bit more.

Jason Kikta (04:01)
Yeah. Yeah. Is it, or is it a, is a configuration thing? Like, you know, Windows 10 has that ability to, pull updates from peers and right. is it using that sort of thing, but it doesn't say anything about the internet versus on network. I mean, the good news about this is this is not every version of Windows. It's Windows 10. as Tom said, pointed out to me, Tom said, Hey, it's only Windows 10. And I said, well, it's only 64% of the market. No big deal.

Tom Bowyer (04:29)
There's just three or four computers in the world, you know, just a few. Just a few.

Jason Kikta (04:32)
I mean, actually, it's less than that. That's, sorry. The number I gave you is 64% of the current Windows market. So it is the predominance of Windows systems, but not of the overall market. But still, that is a massive chunk of the internet, no matter how you slice it. And in your update process, so this isn't...

We don't know all the details, but like, no matter how you slice it, like getting RCE through your update process probably means a better than average shot that you can corrupt that update process to not only, not only do whatever malicious thing, like your primary goal, but also to sort of lock it out so that it can't pull updates. So it's lying about what updates it pulls, right? Like this is one where if you're going to patch it, like patch it now, like right away now.

Tom Bowyer (05:18)
Yeah.

Yeah, absolutely. This, it's vaguely familiar to something I think maybe last year or the year before that, something similar like this happened in Windows Update itself. And I don't know if it was an RCE or something where they weren't verifying the cert chain correctly when it was using TLS. I can't remember exactly what it was, but I'm pretty sure this isn't the only one I've seen in the last couple of years that directly impacted Windows Update, but...

Tom Bowyer (05:54)
This is one of those, you know, put your tin foil hat on ones. Right? Yeah.

Jason Kikta (05:59)
Yeah, yeah, this is this one's spicy and I would love to have this one in my, in my old life. Although this, I'll be honest, this is one that, would have definitely been disclosed to the vendor if the government had found it, like, this is not one that anyone would play with. that's, well, that's, that's bad.

Tom Bowyer (06:20)
Yeah. Yeah, absolutely. Speaking of spicy, I think the, the market really took a, you know, they took a lot of spice to that YubiKey vulnerability that came out recently. People were panicking. It seemed like to me, at least on LinkedIn, all the infosec influencers, right.

Jason Kikta (06:24)
Yeah.

Yeah.

Yeah, well, I, yeah. And when we looked at it, you know, hey, with specialized equipment, the ability to extract keys like that, you know, that's a much lower threat than some sort of, you know, I can remotely cryptographically guess or, or assert myself as a key, right? Like, like, you know, one of your employees has to get their keys lost or stolen and, and lost or stolen by the

the right actor who's got a lot of resources and knowledge and expertise to be able to clone it, but at the same time, it is so fundamental to the security role those things play and why they're important to security that it really gets your attention of like, I mean, you saw when I sent it, when I sent you the link, I was like, no, this is.

Jason Kikta (07:32)
Right. And it wasn't nearly as bad as it looked at first glance, but like there is an emotional impact to having something as fundamental as a YubiKey with a security issue.

Tom Bowyer (07:41)
Yeah, absolutely. That first initial reaction is always going to be, a vulnerability in the YubeKey is all badness. And it's tough to replace, like those, it's not an easy thing to replace because they're, you can't really back, you can't back it up. Like that's the point, right? Like it's...

Jason Kikta (07:49)
Yeah.

Yeah. And, and you can switch what key types you're using, I believe to mitigate it, but like, have fun walking your users through that, right? Like just getting them to use YubiKeys in the first place and not be, you know, baffled by this, you know, mysterious piece of technology is painful enough.

Tom Bowyer (08:06)
Absolutely.

And doing that deep configuration with them is not something many IT departments even want to do.

Jason Kikta (08:25)
Right.

Tom Bowyer (08:27)
Yeah, absolutely. And I think I should shout out this last final one that gave us a good chuckle, which was CVE-2024-43463, the RCE in Visio. I can't help but talk about it for a couple of minutes here since we're already over on time and, you know.

Jason Kikta (08:34)
That one's just funny.

Visio users everywhere are deeply upset. I mean, and there are dozens of them, dozens.

Tom Bowyer (08:57)
Yes, 22 probably total. But, you know, a crafted file can cause RCE in Visio, you know, a specifically crafted file. The details are a little light, but I guess watch where you're downloading your Visio files from, right? Don't download them from Pastebin or random GitHub repos.

Jason Kikta (09:00)
Yeah, right.

Yeah. Yeah. Don't, yeah, don't trust, don't trust random, random Visio files who just, you know, come up to you in public and want to be your friend.

Tom Bowyer (09:27)
Yeah, absolutely. Absolutely. Well, cool. It's on this USB drive I found in the parking lot, you know? Right. Absolutely. So we're, you know, we're coming to the end. Thanks again, everyone for tuning in and listening. We appreciate all the support. Go follow Automox on YouTube. There's other great podcasts that we produce.

Jason Kikta (09:31)
If a stranger offers you a diagram, you say no. That's right. It's legit.

Tom Bowyer (09:56)
Jason has his own special by himself podcast because he's fancy. You should go check it out if you have time. If not, happy Patch Tuesday, happy September everybody and have a great rest of your month.

Jason Kikta (10:01)
Ha ha!

Thanks, everyone.

Creators and Guests

Jason Kikta (Host)
Jason Kikta is a fortress of knowledge in cybersecurity, bringing over two decades of frontline experience to the CISO IT podcast. His tenure at US Cyber Command isn't just a credential — it's a cornerstone of his expertise, providing a unique lens through which he views security threats and applies the best ways to prevent or remediate them. At Automox, Jason bridges the gap between good IT and robust security, sharing cutting-edge trends, tips, and expert advice based on the credo good security comes from good IT. His episodes are essential listening for IT professionals aiming to fortify their defenses and stay ahead in the ever-evolving cybersecurity battlefield.
Tom Bowyer (Host)
Tom Bowyer is a cybersecurity sentinel, guiding listeners through the digital wilderness with wisdom gleaned from the frontlines of security program development. As the Director of Security at Automox, his expertise spans secure software development, vulnerability management, and more, making him a lighthouse for those navigating the stormy seas of cybersecurity threats. On the Patch [Fix] Tuesday podcast, Tom shares invaluable insights, mitigation strategies, and the latest in custom automations for CVE remediations. His dedication to modern, effective security solutions makes him a pillar of trust and knowledge in the cybersecurity community.