Week 20: Patchday – regular updates keep you safe

21.05.2024 - Microsoft, the manufacturer of the widely used Windows operating system and the well-known Office environment, releases patches (updates) for its products once a month. Other software manufacturers may have a different cycle, but what they all have in common is that these updates should be taken seriously. On the one hand, patches help to improve the functionality or performance of software, but above all they boost product security and thus protect users from potential attacks.

The digital world functions thanks to a wide variety of software and operating systems, all of which are complex systems. However, errors can creep in during the development process, leaving unintended security gaps. Furthermore, new threats or vulnerabilities can be discovered once the software is already on the market. These security vulnerabilities can be exploited by cybercriminals for their own purposes. Manufacturers therefore offer patches to close gaps, increase the security of the software and protect users from potential threats.

Zero Day

On 14 May, the software manufacturer Microsoft published a patch for an operating system component that fixes a so-called zero day vulnerability. 'Zero day' means that the vulnerability was already publicly known or even exploited by cybercriminals before the update was available.

In this specific case, security researchers from other companies drew Microsoft's attention to the vulnerability. They discovered that the well-known Qakbot malware has recently been using precisely this vulnerability to infiltrate the target system (https://securelist.com/cve-2024-30051/112618/).

The Qakbot malware (also known as Qbot or Quakbot), which is also circulating in Switzerland, is often the first stage for the subsequent deployment of ransomware, which can cause enormous damage. The NCSC has already issued several warnings about Qakbot.

The vulnerability affects the current desktop versions of Windows 10 and Windows 11 (older versions are no longer supported and should not be used under any circumstances) as well as the server versions of Windows.

System updates

Microsoft desktop products for home users are configured by default to download and install updates automatically. This is also the procedure recommended by the NCSC. Updates (patches) are usually provided by Microsoft on the second Tuesday of each month, leading to the unofficial name "Patch Tuesday".

Automatic updates are often deactivated on company desktop systems and servers because updates are controlled centrally following internal tests. In this case, patches should still be installed as soon as possible during a maintenance window.

Of course, the recommendation to carry out regular updates does not only apply to Microsoft products. Other manufacturers also provide updates, sometimes regularly, sometimes only as required.

The same applies to other operating systems. There is still a widespread belief that other systems such as Linux and Apple's macOS are much more secure. This is no longer the case. Here too, any updates provided should be installed promptly if this does not happen automatically.

Targeted development of malware

Malware developers do not always exploit zero day vulnerabilities: this is usually the exception. Cybercriminals want to make a large profit with as little effort as possible. They often rely on the "human weak point", working on the principle that an individual receiving a malicious attachment will open it and so install the malware.

Sometimes cybercriminals download patches as soon as they are released in order to analyse the differences to the previous version. In this way they find out whether previously unknown vulnerabilities have been rectified. They use their findings to develop malware, in the knowledge that not all users update their software quickly enough. This allows cybercriminals to minimise their development costs.

Recommendations

  • In principle, we only recommend the use of operating systems and application programmes that are still supported and maintained by the manufacturer. It is well known that Windows 7 or even older versions are still running on some private computers. This is strongly discouraged, and it can be assumed that many of these unmaintained devices are infected with malware.
  • The updates (patches) provided by the operating system or application software manufacturer should be installed promptly.
  • Ideally, updates should be carried out automatically as soon as patches are available.
  • Set up user accounts without administrator rights on your system. Do not work as an administrator by default.
  • Use up-to-date antivirus software, but be aware that it cannot recognise all threats.
  • Be careful when opening documents from unknown sources, and do not rely on the antivirus software to recognise everything.
  • Companies are advised to use AppLocker to prevent unwanted programmes from being launched. This is often a more efficient way to block malware than relying on a malware scanner.
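As an added illustration of the AppLocker recommendation (example code written for this page, not from the NCSC or Microsoft), the script below builds an executable-rule policy equivalent to AppLocker's default rules (allow Program Files and the Windows folder for everyone, allow everything for local administrators), deploys it in audit mode first and shows how to check what the policy would decide for a file in a user-writable folder. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker; `$SamplePath` is a placeholder for an executable you want to test.

```powershell
# Added example: AppLocker executable allow-list, audit mode first.
# Assumption: run as administrator; $SamplePath is a placeholder path.
$SamplePath = "$env:USERPROFILE\Downloads\suspicious.exe"   # placeholder

function New-ExeRule {
    param([string]$Name, [string]$Path, [string]$Sid)
    # One FilePathRule element in AppLocker's policy XML schema
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# S-1-1-0 = Everyone, S-1-5-32-544 = local Administrators group.
# AuditOnly logs what would be blocked without blocking anything yet.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-ExeRule 'Allow Program Files' '%PROGRAMFILES%\*' 'S-1-1-0')
$(New-ExeRule 'Allow Windows folder' '%WINDIR%\*' 'S-1-1-0')
$(New-ExeRule 'Administrators may run everything' '*' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-exe.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: what would the policy decide for a file outside the allowed folders?
# A file in Downloads matches no allow rule, so a standard user gets "Denied".
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $SamplePath -User Everyone

# AppLocker only enforces while the Application Identity service runs.
# Since Windows 10 1903 the service is protected, so use sc.exe, not Set-Service.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# Apply the policy locally (use Group Policy for a fleet).
Set-AppLockerPolicy -XmlPolicy $policyFile

# Review audit events (ID 8003 = would have been blocked) before switching
# EnforcementMode to "Enabled" and re-applying the policy.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```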

Last modification 21.05.2024

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_20.html