Windows 7 and 8.1 servicing changes!?!?

I have had this question come at me from a dozen directions today, so I thought I would provide my thoughts on these changes in a more consumable and easily shared format.

First off, let's summarize the changes. Microsoft has announced that it is changing the servicing model for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. There will be a monthly roll-up similar to Windows 10 where all security and non-security updates will be bundled in a single cumulative update. This means that starting in October the OS and IE updates will consolidate from several individual updates into a single cumulative bundle. Come November, the next cumulative will include the October updates as well, and so on.

Microsoft is also going to provide a security-only bundle for each month, which is a little different. The security bundle will allow enterprises to download only the security updates, but it will still be a single package with all security updates for that month bundled together.

.Net Framework will have a separate monthly roll-up and security-only option that will update only existing versions of .Net installed on the system. This update would not upgrade the .Net version to a newer one.

FAQ:

We will start with my favorite one. Q: Did this change surprise you?

Chris: No, I actually made a prediction internally and had a bet with one of our content team members. The prediction occurred when Microsoft first released the Convenience Roll-up. I predicted that Microsoft would make this change before the year was out. It just seemed like a logical next step. Tylere owes me a six pack of good craft beer now.

Q: Why did Microsoft make this change?

Chris: They state similar reasons in their blog post that I linked to above. I will state one other reason that I expect had a little something to do with it. This was one of the final barriers to many companies making the switch to Windows 10. Being able to pick and choose which updates to deliver to systems, especially in the case where something breaks, had many companies holding back from moving to Windows 10. Moving to the bundled approach has removed this convenience, although they are providing the security-only bundle for each month. One thing to note: in the write-up Microsoft did not state that this security-only bundle was cumulative, so we will have to wait and see whether it is cumulative or not.

Q: Why is the cumulative bundled approach a deterrent for enterprises?

Chris: The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle, which may include many security fixes, and a business-critical application, if the two conflict. On pre-Windows 10 systems a single conflicting patch would mean making an exception for one patch instead of the entire month's patch bundle.

If you recall the Windows 10 cumulative for January that broke the Citrix VDA client, Microsoft and Citrix had to coordinate a window of opportunity for Citrix to release an update to resolve the issue. In this case it was a pretty quick turnaround, and customers with the VDA client installed on Windows 10 were able to apply the VDA update a week later and then apply the Windows 10 January cumulative.

It did not seem too bad with just one week of lag time, but what if the cumulative breaks an application that is home grown or one that is from a vendor who may no longer be in business? If a fix is either not forthcoming or comes months later, this means that you cannot apply the next month's cumulative, or the month after, and so on, until the issue is fixed. I have talked to many companies about concerns regarding the cumulative bundled service model for this reason.

Q: What does this mean for the Shavlik or LANDESK products I use to patch my environment?

Chris: Like Windows 10, for us it is business as usual. We will continue to support these updates as they release. It really is just a change from 6-10 OS patches each month down to 1 patch that needs to be applied for the OS and IE. So expect a cumulative roll-up or security-only bundle for the OS, a .Net roll-up, and other Microsoft apps like Office, SQL, SharePoint mixed in depending on the month.

As always, we will be keeping an eye on any changes that develop and providing guidance and recommendations. Sign up for our Patch Tuesday webinars to keep up to date on the latest from Microsoft and third-party vendors like Adobe, Google, Mozilla, Apple, Oracle and more. From our Patch Tuesday page you can find future webinar registrations, previous Patch Tuesday infographics, presentations, and on-demand webinar playback from previous months.

Do you know your Patch Management Posture?

How well do you know the security posture of your environment?  Do you know how effective your Patch Management process is? Can you provide stakeholders with a quick look at the state of your network and show how protected you are in real time?

In today’s world with so many devices connected to a network and with the BYOD option becoming more and more of a norm, it is now more important than ever to have visibility into security risks for an organization.

Visibility into your security posture is the key to providing the knowledge necessary to take action on security measures that you can control. So how do you get visibility into your current security posture and what are valuable insights?

What are valuable insights?

  • When were devices last patched?
  • What are the outstanding patches missing from a device?
  • How many and what are the severity levels of the patches needed?
  • What devices are non-compliant and of those, which ones are the most security risk to the organization?
  • How quickly are patches deployed to devices after each patch is released?

How do you get the visibility into your security posture that is meaningful to you? With Xtraction.

Xtraction allows an organization:

  • To decide what is meaningful information
  • To provide access to that information from a browser, anywhere, at any time
  • To report real-time results based on the current state of the production database

Xtraction for Shavlik Protect provides a number of default dashboards as part of the Report Bundle offering.

These dashboards have been designed to give visibility into the security posture of an organization and to provide the insight needed to aid in prioritizing meaningful action.

Since the release of the Xtraction for Shavlik Protect Reporting Bundle, two additional dashboards have been created and are available on the Xtraction for Shavlik Protect landing page of the community website.

Visibility into Security Posture

August Patch Tuesday 2016

Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user-targeted vulnerabilities, and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to ransomware. Plugging as many user-targeted vulnerabilities on the endpoints as possible is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.

Now Available: Xtraction for Shavlik Protect

Shavlik is pleased to announce the availability of Xtraction for Shavlik Protect.

Xtraction for Shavlik Protect is a self-service, web-based solution that presents critical data from Shavlik Protect as customized dashboards and documents in real time. There are two different offerings available for Xtraction with Shavlik Protect: the Xtraction for Shavlik Protect Reporting Bundle, or Xtraction Enterprise with the Shavlik Protect Connector.

The Xtraction for Shavlik Protect Reporting Bundle option is a view-only license allowing customers to view pre-built dashboards and documents. The pre-built dashboards make it easier for a customer to get up and running quickly with a simplified reporting solution. The full Enterprise version of Xtraction is needed for customers that want to create new dashboards or modify existing ones.

Xtraction complements Shavlik Protect by extending reporting visibility without the need to grant access privileges to Shavlik Protect.

Xtraction for Shavlik Protect helps to:

  • Improve speed of response to vulnerabilities
  • Improve accuracy of risk assessments
  • Manage compliance levels
  • Provide self-service reporting access to reduce the administrator burden

For more information and a deeper dive into the out-of-the-box dashboards available with the Xtraction for Shavlik Protect connector, please join me for the Introducing Xtraction for Shavlik Protect webinar on Wednesday, July 27th.

Apple July 2016 Mac OS X Updates

As was the case in May, Happy Apple Patch Monday!

Apple’s July 2016 Mac OS X Updates apply to Mac OS X, including El Capitan 10.11.6; Security Update 2016-004 for Mavericks 10.9.5 and Yosemite 10.10.5; and Safari, with a new version 9.1.2. In total, there were 72 vulnerabilities fixed, many of which create high risk for enterprises.

OS X 10.11.6 and Security Update 2016-004

Apple is clearly in maintenance mode for released versions of OS X as they prepare to get macOS Sierra ready for release in a few months. There are no apparent significant new features in OS X 10.11.6, some bug fixes, and fixes for 60 vulnerabilities. These vulnerabilities also apply to older versions in the form of Security Update 2016-004.

As is the case in other security updates, Apple is selective about which vulnerabilities are fixed for the older, supported versions. I highly doubt that many of these vulnerabilities only apply to 10.11. In terms of a breakdown of the vulnerabilities fixed by OS X version, we get:

OS X Version        Vulnerabilities Fixed
10.9.5              18
10.10.5             19
10.11 and later     60

Interesting vulnerabilities fixed in this release include seven that apply to QuickTime where processing an image file can lead to arbitrary code execution. These types are golden for hackers since they can be emailed via spam or phishing to lure a target into compromise. With all of the terrible headlines in the news lately, it is easy to imagine how a hacker might send a message using news of the day with an image attached which someone would be enticed to open.

There were also a number of other arbitrary code execution vulnerabilities that address the PHP, Graphics, Image, and SSL components. There is one vulnerability, CVE-2016-2108, in the OpenSSL component that is particularly nasty with a CVSS 3.0 score of 9.8 out of 10. With all the attacks on SSL (Heartbleed) in recent times, this alone is a strong reason to upgrade all Macs with this update.

Safari 9.1.2

Safari 9.1.2 applies to OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6 and fixes 12 vulnerabilities. Of the dozen vulnerabilities, six have the impact where, to quote Apple, “Visiting a maliciously crafted website may lead to arbitrary code execution.”

Needless to say, arbitrary code execution is bad news, and achieving it by simply visiting a maliciously crafted website is really bad news. A real-world example is phishing an end user to get them to click on a link and visit a bad website, which then causes ransomware to be downloaded and run. The first instance of ransomware in the wild was discovered in March and delivered by an infected BitTorrent client, but it’s only a matter of time before web-based targeting occurs using vulnerabilities like those fixed in Safari 9.1.2.

Other Updates

As is typically the case, Apple also released updates for other key software including iOS 9.3.3, watchOS 2.2.2, tvOS 9.2.1 (I’m wondering if this is a version error, as May also had a tvOS 9.2.1), and iTunes 12.4.2 for Windows. An interesting note is that on iTunes 12.4.2, all of the vulnerabilities fixed also applied to the OS X updates and came in the form of various XML libraries. There is not a lot of detail in the bulletin to determine the impact of these iTunes fixes, but there are some nasty vulnerabilities, including CVE-2016-1836, which allows arbitrary code execution via a bad XML file (check out my cool playlist and get hacked, for example).

Summary

Like the May 2016 updates, this month’s release doesn’t have anything by way of features to encourage users to upgrade, but there are plenty of high-security risks that should encourage all enterprises to update as soon as possible.

July Patch Tuesday 2016

Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, which is a Priority 1 update resolving 30 vulnerabilities. As a reminder, the last Acrobat\Reader update was in May, which was also a priority two with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th.  Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management, meaning, if a user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system.

MS16-086 is a cumulative update for JScript and VBScript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022, released in April 2010. The replacement chain is nine deep, and back in December 2015 Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.” The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016. It seems a cumulative JScript\VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow for Remote Code Execution and Elevation of Privilege attacks if the attacker is able to perform a man-in-the-middle attack on either a workstation or print server, or by setting up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper privilege management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted Office document. An attack could come in the form of an email attachment or through hosted web content. According to the documentation provided by Microsoft, on SharePoint the vulnerabilities appear to allow only Information Disclosure, and the rating drops to important for the SharePoint and Web Apps components. Thus, the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday bulletins. For more detail, join us tomorrow for our regular Patch Tuesday webinar.


Windows 10 branch upgrades and Shavlik Protect 9.2 Update 3 available!

It has been a busy week here with the 4th of July holiday and a couple of content and product releases.

On Tuesday we released a content update which added support for pushing Windows 10 1511 to Windows 10 1507 systems. Shavlik Protect 9.2 now supports branch upgrades! For instructions on how to upgrade Windows 10 systems to branch 1511, please see our community post.

With the Windows 10 Anniversary update coming on August 2nd, those Windows 10 systems running the original 1507 branch will start their countdown to end of support for updates. Microsoft has stated a four-month grace period once a new branch releases before the N-2 branch stops receiving updates.

The recommended approach to supporting these branch upgrades is to keep a pilot group moving ahead to the new branch soon after it releases. Those systems on the previous Current Branch for Business (in this case 1507) should start migrating to the new CBB (1511). The 1608 (Anniversary update) branch will become the new Current Branch, and you will have around 8 to 10 months to evaluate it within your pilot group before the next branch update releases.

On Thursday this week we released Update 3 for Shavlik Protect 9.2. This update includes several customer-reported bug fixes. For more details or to download the latest installer, visit our downloads page.

More than half of our customer base has already moved to Protect 9.2 and is taking advantage of the great new features and speed of Protect 9.2. For those customers still on 9.1 or 9.0, please keep in mind that these versions will reach end of service this year. Protect 9.0 is ending service as it was scheduled to do, but Protect 9.1 is being moved forward because of SHA-1 end of life. Protect 9.2 supports SHA-256 and after upgrading will migrate the Protect Console and Agent certificates over to SHA-256. For more details please see our product life-cycle policy here.

  • Shavlik Protect 9.0 will reach end of service on 2016/10/19.
  • Shavlik Protect 9.1 will reach end of service on 2016/12/31.
  • Shavlik Protect Threat Protection in Advanced and AV Add-On editions will also reach end of service on 2016/12/31.


June Patch Tuesday 2016

I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday, June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. Adobe is urging companies that distribute Flash Player to get a proper enterprise agreement in place for doing so. Most of you, however, are only concerned with updating the Flash Player instances already in place, not with distributing it intentionally.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/. Businesses looking to distribute Adobe Flash Player internally must have a valid license and Adobe ID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below: user-targeted vulnerabilities, and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attached image or PDF. The exploit would be embedded in this specially crafted content, allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attacker needs is enough users in that network to eventually convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly a 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This means that if the user is running as less than a full admin, the attacker will have limited capability to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one or both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for three vulnerabilities in JScript and VBScript. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and SharePoint that includes fixes for four vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note, each of which includes a vulnerability that has been publicly disclosed: MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures they warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Windows Convenience Update causing inconvenience for VMware and Microsoft App-V users!

A quick heads up. The Convenience Update for Windows 7 SP1 and Server 2008 R2 SP1 is causing issues with VMs running the VMware VMXNet3 virtual network adapter type.

According to a blog post by VMware and a post by Microsoft, uninstalling the update will resolve the issue. The Microsoft article goes on to talk about an issue with Microsoft App-V where virtual applications may have difficulty loading.

The recommendation in both cases is to defer pushing this update until a resolution is in place.

Apple May 2016 Mac OS X Updates

Happy Apple Patch Monday! Today’s Apple May 2016 Mac OS X Updates impact Mac OS X, including El Capitan 10.11.5, Security Update 2016-003 for Mavericks 10.9.5 and Yosemite 10.10.5, and Safari 9.1.1. In total, there were 77 vulnerabilities fixed, including many high-risk vulnerabilities that should be remediated quickly.

OS X 10.11.5 and Security Update 2016-003

The last Mac OS X Security Update was on March 21, and today’s release of OS X 10.11.5 and Security Update 2016-003 brings fixes to 67 vulnerabilities across OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11. As with previous security updates, the majority of vulnerabilities are only fixed in El Capitan. Here is the breakdown of vulnerabilities fixed by OS X version:

  • 12 in Mavericks 10.9.5
  • 13 in Yosemite 10.10.5
  • All 70 fixed in El Capitan 10.11

With Apple’s latest version focus, it is very interesting to explore the vulnerabilities that were fixed in the older versions. Included in that mix are vulnerabilities where:

  • An application can determine the kernel memory layout
  • An attacker in a privileged network position may execute arbitrary code with user assistance
  • Malicious XML, website, or web content may lead to arbitrary code execution

The last category is most interesting, as malicious websites or files are useful for hackers to social-engineer their way onto a system.

Among the vulnerabilities only fixed in El Capitan, there are some of note for their exploitability and impact. The first is a vulnerability in QuickTime (CVE-2016-1848) where opening a maliciously crafted file may lead to arbitrary code execution. This is interesting in that social engineering could be employed to get a user to click on a video file, such as by using an enticing headline of the day like “Funny Quotes from Donald Trump”, and bad things ensue (quite literally in the case of a malicious video).

There are many other vulnerabilities, but the true severity and impact is obscured by Apple’s limited information. That said, there are plenty of reasons to update quickly.

Safari 9.1.1

Safari 9.1.1 applies to Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11.5. This is a minor update with 7 vulnerabilities fixed, including 5 where arbitrary code could be executed by visiting a malicious website. Such vulnerabilities are hooks for phishers to use to bait users into visiting malicious websites and compromising their systems. One other vulnerability is a minor risk in that it prevents fully deleting browsing history. The final vulnerability (CVE-2016-1858) is moderate risk, where visiting a malicious website may disclose data from another website. If you have any doubt, make sure Safari is updated quickly, as the 5 arbitrary code vulnerabilities will undoubtedly be useful for targeting users.

Other Updates

Apple usually releases updates for everything at once, and this release is no different. There were also updates for iOS (9.3.2), watchOS (2.2.1), tvOS (9.2.1), and iTunes (12.4).

Summary

This month’s updates do little to entice users to want to update their systems in terms of new features. That said, Apple will push them down unless a user explicitly avoids it. There are enough critical vulnerabilities in these updates that all organizations should ensure all Mac OS X systems are updated quickly.