Well, we’ve officially changed our name to Ivanti. That’s HUGE news! It positions us for another 30 years of growth.
Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.
The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, Oracle highly recommends applying this update as soon as possible.
Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is tracked as CVE-2017-3324.
For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user-targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk is still notable and the vulnerabilities need to be mitigated quickly.
Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.
Adobe has released update APSB17-01 for Acrobat and Reader, keeping in line with the pattern of releasing an update every two to three months. This update includes 29 vulnerabilities, most of which allow for remote code execution. You will want to make sure this update is applied in a timely manner.
As expected, there is a Flash Player update. As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems, meaning Flash plug-ins for IE, Chrome and Firefox as well. Some of these will auto update; others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.
Microsoft has released a total of four bulletins, two of which are critical and publicly disclosed. Microsoft is resolving 15 unique vulnerabilities this month, 12 of which come from the Adobe Flash update. It’s interesting to note that there is no rollup for Windows 8.1 or Server 2012 this month.
Other than Microsoft and Adobe, there are a few other updates available if you are using Foxit Reader, Skype, etc. Although several of the Microsoft vulnerabilities have been publicly disclosed, none of them have been exploited and there are no zero days.
This could be the calm before the storm. We have not seen this light of a Patch Tuesday since January of 2014. Next month you should expect some adjustments and a heavier Patch Tuesday drop as Microsoft changes methodologies.
This is the last Patch Tuesday that Microsoft will be using security bulletins. After January 10, Microsoft will no longer be publishing traditional security bulletins as individual webpages, but instead will only be publishing security update information to the new Security Update Guide. I’m sure there are many questions about what this means and how it will affect everyone so, if you have not already seen the FAQ put together by Microsoft, I have provided a link here.
As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the January Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance.
Goodbye 2016; Hello 2017!
We have survived another year and what a year that was.
As we start off 2017, I am sure most of you have already heard about the joining of forces between LANDESK and Heat Software to further the expertise stronghold on security and patching. This marrying of the minds comes just in time for those who have not yet picked a new year’s resolution. Now is the time to make a resolution to increase the health of your security posture and patch your systems regularly.
Even though there are no known zero days or hints of nasty exploits on the horizon, we all know that it is just a matter of time before someone will find something to hack and expose potential vulnerabilities. So, with that in mind, let’s start the year off with good habits and make sure we are following the steps to better Security Hygiene now that the holiday fun and distractions are behind us.
Steps to Better Security Hygiene
- Make sure you have sanitized incoming email with junk mail and phishing filters. Remember that user-targeted vulnerabilities are where some of the highest risk lies.
- Make sure you have sanitized the machines and devices of users who have come into contact with public WiFi while traveling in and out of the office and private secured networks. Since users will likely browse the internet, open email with attachments, and in general be exposed to potential attack vectors daily, it is important to sanitize their machines with good signature, non-signature, and behavioral threat assessments. Remember that signature-based threat assessment alone is not enough anymore.
- Make sure your systems are frequently patched, both the OS and software, and make use of least privilege rules and proper application control. Remember that preventative security measures can mitigate or eliminate 85% of the threats in today’s market.
Chrome announced at the end of 2016 that beginning in the new year they will be identifying web pages as “Not Secure” if the page includes login or credit card fields AND the page is not served using HTTPS. For additional information on this announcement, see the following article posted on zdnet.com.
Your Patch Tuesday Forecast
Based on the trends we saw in 2016, the January 2017 Patch Tuesday will likely include updates for the following:
From Microsoft we are likely looking at around 1-4 installable packages:
- OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
- Office is likely since there were updates consistently pretty much every month in 2016.
From Adobe you can expect 1-3 updates:
- Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all of 2016, so expect that update.
- Adobe Reader and Acrobat both released an update back in October of 2016 and have been pretty consistently having an update every 2-3 months this year. Those two are a high possibility this month since they did not release last month.
From Chrome you may have 1 update this month:
- Chrome released a beta version after last Patch Tuesday making it likely there could be an update on or around Patch Tuesday this month.
Total Update Accumulation: 3-8 updates for Patch Tuesday next week.
As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, January 11th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.
Happy holidays, everyone! This marks year three of our annual 12 Beers of Christmas blog post where the team gives you recommendations of their favorite beers from 2016. This is a tradition that actually started from a now nine-year practice of doing a beer exchange in our office instead of cookies or Secret Santa. So for all you beer fans out there, here is the 2016 edition of the Shavlik 12 Beers of Christmas. Enjoy!
Brent, Software Engineer
Beer recommendation: Black Sheep Best Bitter
Description: Brent spent a bit of time across the pond this year after LANDESK acquired AppSense. “It was my nightly beer one trip to England during an AppSense visit. Very solid English bitter that paired well with any of the pub food.”
A well hopped, light golden session bitter with a distinctive, dry, refreshing taste enjoyed through a rich creamy head. Brewed in traditional cast iron and copper vessels using the finest ingredients.
Mark, Software Engineer
Beer Recommendation: Able BLK WLF Stout
Description: It is a coffee forward stout with a satisfying finish. The best part is since it has a low ABV at 3.8%, I can have a few without having to rely on my friends to carry me home.
Clear dark brown, large creamy tan head, good retention. Aroma of chocolate, roasted malts, piney hops. The taste is citrus, roasted malts, chocolate. Medium bodied, lingering bitterness.
Neil, Manager, Territory Sales
Beer Recommendation: Weihenstephaner Original
Description: A cheeky little number from the oldest brewery in the world. Not sure if you can get this in the US but the brewery is a 15 minute drive from Munich airport. It is worth the trip!!
A good beer takes its time. The long storage makes our yellow bright lager, “Original”, a flavourful beer enjoyed with fine poured, white foam. With a mild hoppy note and its pleasant fresh spicy taste, it goes very well with salads, poultry, stews or with a hearty snack. Brewed according to our centuries-old brewing tradition on the Weihenstephan hill.
Robert, Senior Product Marketing Manager
Beer Recommendation: Samuel Adams Nitro White Ale
Description: From America’s largest Craft Brewer, and from the city (Boston) known for more than just the revolution of craft beer. This beer is smooth as silk, refreshingly cold, and a joy to consume year round. Crisp enough for the Summer, hearty enough to keep you warm in Winter. I enjoyed this guy while watching summer sunsets over Lake Winnipesaukee in NH this past summer.
Brad, Software Engineer
Beer Recommendation: Fitger’s Big Boat Oatmeal Stout
Style: Stout – Oatmeal
Description: Good stout, nice chocolate and coffee combination for sipping on MN winter days. Enough alcohol to keep you warm and toasty on the inside but not stumble out of the bar and die from hypothermia when you slip and fall on the ice.
Simon, Chief Technologist
Beer Recommendation: Peroni Original
Style: Lager – Pale
Description: Served at Ultra cold temperature and great for the British summer when we get them. Added benefit is that it doesn’t seem to cause those dreadful headaches I seem to get more of as I get older. The downside is that it’s currently one of the most expensive you can buy.
Ken, QA Director
Beer recommendation: Surly Gose (pronounced “Go-zuh”)
Style: Kettle Sour Ale
Description: Just had this at the brewery during our holiday party. A great sour beer with a crisp taste with little surprise extra tartness in the end. Pairs extremely well with co-workers.
The base beer for our series of kettle soured ales, Surly Gose has a light, crisp body with a refreshing tartness and a fleeting saltiness.
Randy, Manager, Software Engineering
Description: I’m going to put in my official favorite for the year as Fulton Batch 300. I’m not sure how widely available it is, but it is a fantastic West Coast style IPA brewed right here in Minneapolis. Like many great beers, it was originally a limited edition but was so popular they decided to brew it year-round. It is very hoppy, but has a nice balance and smooth finish.
Batch 300 is built on a base of Weyermann Pilsner malt, and heavily hopped from start to finish with Mosaic, one of our favorite American hop varieties. At 74 IBU and just under 7% ABV, Batch 300 will delight your palate without wearing it out.
Frank, Software Engineer
Style: Porter – Peanut Butter
Description: Smells like peanuts, tastes like peanuts and beer. When you want a peanut butter sandwich and you also want a beer, but you can’t be bothered to get both: this is the beer for you. Dark color with a nice full head. Really good on nitro if you can get it.
Brian, QA Engineer
Beer Recommendation: Ballast Point Grapefruit Sculpin
Style: American IPA
Description: Bright, citrusy IPAs are becoming increasingly common and I am not complaining. The Sculpin IPA is hopped at five separate stages and has notes of apricot, peach, mango, and lemon. This award winning IPA is then complemented with grapefruit, creating a flavorful and surprisingly drinkable IPA. A perfect beer to complement warm summer days or the bitter cold winters of Minnesota.
Derek, Manager, Cloud Operations
Beer Recommendation: Surly Darkness (2016)
Style: Imperial Stout
ABV: 9-12% (Depending on the year)
Description: Knocks you on your a$$!
This massive Russian Imperial Stout brings waves of flavors; chocolate, cherries, raisins, coffee, and toffee. We add a touch of hops to make this delicious brew even tastier.
Chris, Manager, Product Management
Beer Recommendation: O’Town Triple
Style: Belgian Triple
Description: From the fine brewer at Lamada Brewing comes a fine example of a Belgian abbey style ale. Not as dark as a St Bernardus ABT 12 or Chimay Grand Reserve. Has a fruity aroma and complex flavors with a mix of malty, slightly bitter, and a fruity sweetness. Actually this is my own home brew and a recipe I am continuing to perfect. I just brewed batch three this fall and it should be ready to drink sometime around June! Perfection takes time. If you really want to try some you will have to come visit me in June.
Joe, Technical Writer
Beer Recommendation: Grain Belt Nordeast
Style: Amber Lager/Vienna
Description: For anyone wishing to experience some local Minnesota flavor, I highly recommend Grain Belt Nordeast. It’s a great tasting beer that meets my main requirements: it is reasonably priced and almost always available wherever I go. Unlike most of the other beers you’ll see on this list, there’s no need to take out a loan or drive 100 miles to an obscure liquor store to purchase it. And that makes Nordeast satisfying in a number of different ways.
John, Channel Account Manager
Beer Recommendation: George Killian’s Irish Red
Style: American Amber\Red Lager
Description: A full and well-balanced American Amber / Red Lager style beer, and honestly, my go to if I’m hanging out with relatives or friends who don’t really enjoy craft beer and would rather depend on boring domestics. Like an IPA, has a body more similar to a Scotch ale than a lager or porter, offering a blend of dark fruit, caramel, bread and toast swells in a tight bouquet. While its aroma is complex, it’s easy on the tongue. A malt-forward profile flows across the palate with easy transitions: Light bready malts pick up hints of toast, and then caramel and dark fruit as it washes back. A quiet bitterness counters the sweetness and guides this straightforward beer to a refreshingly clean finish. Joyeux Noël!
The Peanut Gallery (there is always a comedian in the bunch. This year we have two.) :
Brian, QA Engineer (his first attempt that was rejected)
Beer Recommendation: Camo Black Ice High Gravity Lager
Style: Malt Liquor
Description: The Camo Beer Company in Lacrosse WI describes this beer as “Ice brewed for extra smooth taste”. This true star of the north is best served in a paper bag. At a size of 24 ounces, an ABV 10.5%, and a price around $2 it is truly a symbol of efficiency. Who needs hydration from six and a half 3.2 beers when you can fit the same punch into one fine paper bag?
Rob, VP Engineering (remember 2014 when he recommended Coors? Yeah this one is worse)
Beer Recommendation: Hamms
Style: Pale Lager
Description: If it looks like a Coors, smells like a Coors, and tastes like a Coors then it must be a Coors….except it’s not. It’s Hamm’s American Lager and it doesn’t smell like Coors… in fact, it has no aroma at all. But for days when you feel like punishing yourself, grab a can… or 48 of these. This beer is very much a synthesizer of taste and takes on the taste of whatever you are pairing it with making it the perfect beer to pair with any meal that you like the taste of… be warned though, if you are using it to wash the taste of a burnt garlic meatloaf out of your mouth, all you have done is captured and amplified that tragic flavor. I hear if you mix a little Mio in there though, you can work your way right past that.
It is the holiday season and with that comes presents for macOS in the form of updates for a number of issues, including several denial-of-service issues.
Released on December 13th, Apple has new security updates for macOS Sierra 10.12.2, El Capitan 2016-003 and Yosemite 2016-007.
The winner for most CVE updates for this release is macOS Sierra 10.12.2 with 71 CVEs to address a wide variety of vulnerabilities. These vulnerabilities include 8 denial of service issues:
- CVE-2016-7609 : AppleGraphicsPowerManagement – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
- CVE-2016-7605 : Bluetooth – Improved input validation has been added to address the possible impact of an application being able to cause a system denial of service.
- CVE-2016-7604 : CoreCapture – Improved state management has been added to address the possible impact of a local user being able to cause a system denial of service.
- CVE-2016-7603 : CoreStorage – Improved input validation has been added to address the possible impact of a local user being able to cause a system denial of service.
- CVE-2016-7667 : CoreText – Improved validation of overlapping ranges has been added to address the possible processing of a maliciously crafted string being able to cause a denial of service.
- CVE-2016-7615 : Kernel – Improved memory handling has been added to address the possible impact of a local user being able to cause a system denial of service.
- CVE-2016-6304 : LibreSSL and OpenSSL – Improved memory handling in unbounded OCSP growth has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.
- CVE-2016-7636 : Security – Verification of OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate has been added to address the possible impact of an attacker with a privileged network position being able to cause a denial of service.
This security update addresses memory corruption and shared memory issues, use after free issues, validation and system privilege issues on top of the denial of service critical vulnerabilities.
New security content is also available for Safari 10.0.2 which is made up of 25 CVEs to address vulnerabilities focusing on arbitrary code execution in both Safari Reader and WebKit. Given the number of user targeted vulnerabilities, it would be a good idea to look at installing this security update sooner rather than later.
With the pending end to 2016, now is the perfect time to start a new habit of patching your Mac regularly and having a more secure 2017.
December Patch Tuesday has a flurry of exploits and public disclosures. Coming in to Patch Tuesday, we already had one zero day from Mozilla (CVE-2016-9079) which updated on November 30. Today, Adobe released nine bulletins, including a critical update for Adobe Flash that resolves a zero day (CVE-2016-7892). Microsoft is updating Flash for IE and also has five publicly disclosed vulnerabilities being resolved.
Starting with Firefox, Mozilla announced an update on November 30 that resolved a zero day in SVG Animation. It was identified in attacks aimed at unmasking users of the Tor anonymity network. In an article from ZDNet, researchers speculated that this exploit was very similar to one known to have been used by the FBI back in 2013 to unmask the IP addresses of Tor users.
Today Mozilla is releasing version 50.1, which includes the Zero Day fix from 50.0.2, which released a couple weeks ago. If you have not already done so, ensure that Firefox is on your priority list this month.
Adobe has released nine bulletins today, but only one is rated as critical. I am sure most of you have guessed that it is for Flash Player and also includes a zero day. APSB16-39 resolves 17 total vulnerabilities and the exploited CVE-2016-7892, which has been used in limited targeted attacks against Windows systems running Internet Explorer (32-bit).
According to an article from Threat Post, analysts from the Google Threat Analysis Group discovered the vulnerability and privately disclosed details to Adobe. Adobe did not have details around the specific attack and the Google researchers have not disclosed any more detail publicly at this time.
As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems. This means Flash plug-ins for IE, Chrome and Firefox. Some of these will auto update, others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.
On to Microsoft. Microsoft has released a total of 12 bulletins, six of which are critical. Microsoft is resolving 42 unique vulnerabilities this month.
Aside from Flash for IE, Microsoft does not have any additional zero days to report, but they do have several public disclosures. A public disclosure means that enough detail has been released to the public to give a threat actor a jump start in developing an exploit. This puts their vulnerabilities at higher risk of exploit.
MS16-144 is a critical update for Internet Explorer that resolves eight vulnerabilities, three of which are publicly disclosed (CVE-2016-7282, CVE-2016-7281, CVE-2016-7202). Many of the vulnerabilities resolved in this update target a user through specially hosted websites and ActiveX controls and through taking advantage of user-provided content or advertisements or compromised websites.
MS16-145 is a critical update for the Edge browser that resolves 11 vulnerabilities, three of which are publicly disclosed (CVE-2016-7206, CVE-2016-7282, CVE-2016-7281). Similar to the IE vulnerabilities, many of the vulnerabilities resolved in this update target a user through specially hosted websites and ActiveX controls and through taking advantage of user-provided content or advertisements or compromised websites.
MS16-146 and MS16-147 are both rated as critical and affect components of the Windows Operating System. Both resolve vulnerabilities that would target a user and can be mitigated by running as less than a full administrator on the system.
MS16-148 is a critical update for Office, SharePoint and Web Apps that resolves 16 vulnerabilities. Many of the vulnerabilities resolved in this update can target a user through specially crafted files. An attacker can also host specially crafted web content to exploit many of these vulnerabilities. CVE-2016-7298 is also able to use the Preview Pane as an attack vector.
MS16-155 is an important update for .Net Framework and resolves one vulnerability. Although only rated as important, this bulletin resolves a vulnerability that has been publicly disclosed (CVE-2016-7270), putting it at higher risk of being exploited.
There are additional bulletins from Adobe and Microsoft this month, but these are the bulletins that should be on your priority list for December.
As always, we will be running our monthly Patch Tuesday webinar, where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the December Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday
December is here and it finally snowed in Minnesota! In fact, we may get four to eight inches this weekend. So, my Patch Tuesday Forecast, like winter up here in MN, was a little delayed, but better late than never! So get out your snow shovels and let’s dig in. There is already a little accumulation with a zero day hitting in late November. If you haven’t already done so, update your Mozilla Firefox browser!
On the Horizon
In the last week of November, it became clear to many security researchers that there was a flaw in Mozilla’s browsers and in TOR, a browser based on Firefox. CVE-2016-9079 is a critical use-after-free vulnerability affecting the SVG Animation component in Firefox. Researchers, such as Malwarebytes, have evaluated the vulnerability and have explained that the goal of this vulnerability “is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is run directly from memory.”
Although the observed exploits were only targeting Windows, the vulnerability exists on Linux and Mac platforms as well. The exploit code also seems very similar to another Tor exploit used by the FBI as an investigative technique to track down child pornography suspects. It is not currently known where this code originated, but it’s a good example of a user-targeted vulnerability.
The Mozilla update became available on November 30 for Firefox, Firefox ESR and Thunderbird. If you are not already caught up, you will want to make sure you include Mozilla in your updates this month.
Security Tip of the Month
December is also getting well into the cold and flu season, so this month’s security tip will follow the theme of security hygiene. I just returned from Las Vegas from the Gartner Data Center Conference where I attended a session by Neil MacDonald on security for cloud workloads. One of the things Neil mentioned was starting with a solid foundation, which he referred to as operations hygiene. I’m going to expand that out to a broader security hygiene message.
To stay well in the cold and flu season, you need to ensure you are getting rest and washing your hands, especially after coming into contact with someone who is sick or areas frequented by many people. You need to keep up on your vitamin C and drinking liquids in general. Similarly, with security we need to do the same.
- Wash your hands – Make sure you have sanitized incoming email with junk mail and phishing filters.
- Use some sanitizer after coming into contact with highly public areas – Your users who travel in and out of the company will come into contact with public Wi-Fi. Users will browse the internet, open email with attachments and, in general, be exposed to potential attack vectors daily. Make sure their machines are getting sanitized with good signature, non-signature and behavioral threat assessments. Signature-based threat assessment alone is not enough anymore.
- Get your daily dose of vitamin C – Preventive security measures can defend against 80 percent of the threats in today’s market. Make sure you give your systems their shot of vitamin C in the form of patching the OS and software, use of least privilege rules and proper application control.
Your Patch Tuesday Forecast
Based on what trends we have seen this year I think it’s safe to say the following:
From Microsoft, we are expecting around two to four installable packages:
- OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
- Office has been very consistent this year with updates pretty much every month. The question is will this be a single update or a couple for Office, SharePoint and Web Apps. I would say one for Office and a 50 percent chance of SharePoint/Web Apps.
- .Net is also likely this month. .Net updates hit five of six Patch Tuesdays in the first half of the year, and have been about every other in the latter half.
- You can also expect an IE update for Flash Player.
From Adobe, you can expect one to three updates:
- Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all year, so expect that update.
- Adobe Reader and Acrobat both released an update back in October and have been pretty consistently having an update every two to three months this year. Those two are a possibility this month.
From Mozilla, you can expect one update this month:
- Mozilla’s update calendar is reflecting an update for Tuesday.
Total Update Accumulation: four to eight updates for Patch Tuesday next week.
As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, December 14th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.