olly - Fotolia

Microsoft Patch Tuesday February release delayed by a month

News roundup: Microsoft Patch Tuesday was canceled in February without a clear reason. Plus, APT28 is linked to new Mac malware; Lazarus targets more banks and more.

There are six more weeks of winter, according to Punxsutawney Phil. And now, there are four more weeks before a Patch Tuesday, according to Microsoft.

In an unprecedented move, the monthly security patch release that was due out Feb. 14, has been canceled and won't be available until the next regularly scheduled Microsoft Patch Tuesday on March 14.

"Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems," the update from Microsoft read. "This month, we discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today."

"After considering all options, we made the decision to delay this month's updates. We apologize for any inconvenience caused by this change to the existing plan."

Microsoft has not said specifically what was behind the delay, just that the patches would have to wait until March Patch Tuesday.

However, users of Windows Server Message Block (SMB) 3.0 will have to continue to live on the edge until then, as Microsoft was supposed to release an already-overdue patch for a zero-day exploit in the protocol this month.

The exploit code for the SMB vulnerability was released to the public earlier this year by the security researcher who discovered it, Laurent Gaffié. The vulnerability could allow an attacker to perform a denial-of-service attack and cause a system reboot if the targeted user clicked on a malicious link. Gaffié disclosed the vulnerability to Microsoft in September 2016, and the company delayed patching it for two months, reportedly because the vulnerability is a low risk. Gaffié released the proof-of-concept exploit code anyway.

This Microsoft Patch Tuesday was also expected to change its regular rollout of Internet Explorer updates and fixes this month to be available as a separate update. This, too, will wait until March.

In other news:

  • A new malware that targets Mac OS X users is linked to the APT28 group, also known as Fancy Bear, which has been accused of hacking the Democratic National Committee and influencing the 2016 U.S. presidential election. Discovered by security researchers at Bitdefender, the malware, dubbed Xagent, steals passwords, grabs screens and steals iPhone backups stored on Macs. The attacks have been happening since September 2016 and, according to Bitdefender, show similarities to previous malware campaigns run by APT28, like the malware dropper used and command-and-control URLs. Bitdefender also found that the Xagent Mac OS binary shares identical strings to a downloader previously used by APT28 -- Komplex. "We conclude this brief teaser with the assertion that the Komplex component discovered in September has been exclusively used as a downloader and installer for the Xagent binary," Bitdefender wrote. "The investigation is ongoing, so there is much we can't say yet." The APT28 group is also attributed to using mobile malware to track the Ukraine military and has been linked with the Russian government.
  • The Lazarus gang is at it again -- this time, primarily targeting Polish banks in a malware campaign that reached financial organizations in 30 other countries. In a blog post, Symantec said, since October 2016, a malware campaign has been using watering-hole attacks to infect "preselected targets with previously unknown malware." While attacks were uncovered by a bank in Poland and other financial institutions have confirmed that they were also targeted, no money has actually been stolen yet. "The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses," Symantec explained in a blog post. "These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list." The malware, now known as Ratankba, is still being analyzed by Symantec, but appears to share "commonalities with code" previously seen in malware used by Lazarus. The Lazarus group has been active since 2009, and it's known for targeting banks and other institutions in the U.S. and South Korea. More recently, the group has been linked to attacks on banks in Bangladesh, Vietnam and the Philippines, including the attempted billion-dollar theft from the Bangladesh central bank's account at the Federal Reserve Bank of New York.
  • After secretly patching it in January 2017, attackers have started to exploit a WordPress REST API vulnerability. The privilege escalation flaw is now being exploited and used to gain full access to servers by installing a backdoor. WordPress patched the flaw in a security release on Jan. 26, along with three others, but did so without informing the public until Feb. 1, in an attempt to "ensure the safety of millions of additional WordPress sites." Despite these best efforts, hackers started targeting unpatched WordPress sites shortly after the flaw was publicly released, and BleepingComputer reported over 2 million pages have been defaced so far. Sucuri, the security research firm that discovered the original vulnerability, has found that attackers are going beyond the privilege escalation flaw and are now also using remote command execution to send their own PHP code to the WordPress sites with the REST API flaw and effectively create a backdoor that allows the attacker access to the site's underlying server. According to Sucuri, attackers are looking to make money off of this exploit. "Defacements don't offer economic returns, so that will likely die soon," said Sucuri's founder and CTO Daniel Cid in a blog post. "What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site -- and offers multiple ways to monetize -- and SPAM SEO / affiliate link / ad injections."

Next Steps

Catch up with the January 2017 Patch Tuesday release

Learn what the Windows SMB flaw means for enterprises and Microsoft

Find out what has US-CERT saying Windows SMB v1 needs to die

Dig Deeper on Application and platform security

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close