Claimed IIS Zero-Day Update

A few days ago, there were reports of a zero-day exploit affecting Microsoft IIS.  Microsoft has concluded their research and found there is no vulnerability in the IIS code.  The findings published outside of Microsoft surrounding the vulnerability were due to improper IIS security configurations.  The MSRC Blog has more information regarding their findings around the claimed zero-day exploit.

Patching a system is a good start for a line of defense against attackers.  But, improperly configured systems and services should be high on your list as well.  An IIS server is typically outside facing and should be “hardened” to prevent unauthorized access.

In the past few months, there have been many claims outside of Microsoft regarding zero-day exploits in the wild.  It is very important to remember to wait for the vendor to confirm the claims that are made by security researchers.  Microsoft relies heavily on external security researchers, but Microsoft is always the best source of information regarding vulnerabilities and exploits.

– Jason Miller

One Bad Apple Could Spoil Your Whole World

All I want for Christmas is for Apple, Inc., to acknowledge that they have created a mess by bundling Apple Application Support with iTunes v9, QuickTime v7.6.4, and Safari. Oh, and for Apple to fix the problem.

Shavlik and Apple customers have been wrangling with this problem since September. Consumers — home users — are affected but not to the extent that corporations are impacted. Why? Because home users are more likely to simply double-click the installer to upgrade to a newer version of these products. If that is the update method followed, no problem. The Apple Application Support  app is installed. Check out discussion thread at to get a feel for the pain the home users are feeling.

But corporations can’t follow the home user method. They need to ensure that updates are applied or risk exploit of one of many critical vulnerabilities that exist in these Apple applications. For even small corporations — 50 to 100 systems — they need to automate the update process. That means either scripting or using patch management software to automate the update process. Both of these methods require use of command line switches on the installer to silently install; otherwise automation is not feasible.

That’s where Apple has created its mess. Whether intentional or unintentional, Apple Application Support fails to install if the silent install switches are used. The main applications — iTunes, QuickTime, and Safari — will install but Apple Application Support doesn’t. Then the user is left with the annoying message to uninstall and re-install iTunes. Shavlik has published workarounds for our customers. But a workaround for such a ubiquitous problem should not be required and should not be seen as acceptable.

Apple, you sold 7.4 million iPhones in the quarter that ended in September. Many of those iPhones went to corporate executives. iTunes is required to use an iPhone. Your software has critical vulnerabilities that put businesses at risk. Fix this problem so corporations can protect themselves.

Director, Product Marketing

Microsoft prohibited from selling Microsoft Word

The U.S. Court of Appeals just sent judgment down on Microsoft prohibiting them from selling Microsoft Word starting January 11, 2010.  Microsoft is planning to release a new version of Word that will pull the offending code that started this patent infringement lawsuit.

The good news:  Microsoft will still be able to provide support (patching) to the product.

If Microsoft was not able to support the offending version of Word, many people would have vulnerable products for future patches that affect Word.

– Jason Miller

So where are the XP Embedded patches?

A few weeks ago, we added official support for scanning and patching of Windows XP Embedded devices.  Those of you who have these devices on your network and use the Shavlik product line may have noticed no patches were applicable from December’s patch Tuesday.  This does not mean those devices do not need to be kept up to date.

Microsoft does not release support for XP Embedded patches the same day as they do for their other operating systems.  There is an approximate two week period between patch Tuesday and when the patches become available to vendors.

If you have Windows XP Embedded devices on your network, you should plan accordingly to patch these possibly later than the rest of your machines.

– Jason Miller

Shavlik Product Training Options

Whether you are new to the Shavlik products or an old veteran who has upgraded from the 3.x command line days, training on the Shavlik products is a must.  Those of you who have recently upgraded to the NetChk Protect 7.x product know we have added a lot of new content and features.  The product in general has changed significantly.  You can still do much of what you have been doing with the product in the same way you have always done things for patch management, but now there is so much more you can do to manage your network using NetChk Protect.  Threat Protection, Asset Management, Agents, and dozens of other features have been added in the last few major versions.  And what we are finding is increased demand for training options on these new features.  Shavlik has a number of training options available today, both complimentary and as a service.  If you find that you could use some training to better utilize our solutions, I encourage you to take a look at our training options and see what we can do to help.

Training On-Demand: These free training play-back tutorials can be downloaded from the Shavlik web site. These short clips are ideal for those without a training budget or who like to learn at their own pace.

Shavlik Webinars: Another free option.  This is not specific to training in all cases, but the information may be invaluable in a day-to-day operations perspective.  Shavlik provides several regular webinars such as the Patch Tuesday webinars held on the second Wednesday of every month where Shavlik experts analyze each patch bulletin issued that month to help you determine your plan for patching your environment.  You can view them live by signing up or view previous webinars.

Rapid Results Web Training: This paid-for training can be purchased in one hour blocks and used as necessary.  This is great for new users that need fast-paced ramp up on the product.  It is most effective in parts.  Many of our customers will start with a two-hour jump start session to get the IT admin familiar with the product on a high level and help them locate the correct materials to get started on configuring for their environment, followed up by an additional two hour session a few weeks later to review the configuration of the admin console, answer questions, make recommendations on how to enhance the configuration for better performance, etc.  This is also ideal in cases where new team members are brought in to manage the product and transition time may be short or non-existent.  Contact your sales rep for additional details and pricing.

Rapid Results Onsite Services: Another paid-for service purchased in one-day increments.  Onsite services are typically requested for new implementations, upgrade services, additional training, etc.  Sometimes onsite services can achieve a great deal more than the web-based option because you will have a Shavlik Sales Engineer come to your site.  This is great for the initial rollout of the product, and for upgrades where additional product lines or customizations are required it can be a very effective service for rapid and complete rollout.  Contact your sales rep for details and pricing.

Chris Goettl

Adobe Update, New Firefox Available

Like I had suspected, Adobe is not planning on releasing a patch for the zero-day exploit for Adobe Reader and Adobe Acrobat until their next scheduled quarterly update.  Adobe announced today they will be releasing this update on January’s patch Tuesday, January 12th.  In the meantime, Adobe has posted a workaround guide to protect your computer against active exploits.

Mozilla has released a new version of their Firefox browser.

Firefox 3.5.6 addresses: 3 Critical, 1 High, 2 Moderate and 1 Low software vulnerabilities.

– Jason Miller

New Adobe Zero-Day Exploit Announced

Adobe’s PSIRT team is reporting a zero-day exploit for one of their products.  This software vulnerability affects Adobe Acrobat and Adobe Reader 9.2 and earlier.  PSIRT is reporting the vulnerability is being actively exploited in the wild.

The NVD Database has more information on this vulnerability:  CVE-2009-4324

Until Adobe patches this vulnerability, do not open or accept any PDF files from sources you do not know or can fully trust.  SANS is also talking about a workaround, but I have not seen Adobe confirm this workaround yet.

January’s patch Tuesday will mark Adobe’s quarterly update release.  I expect them to patch this vulnerability at that time and highly doubt they will release a patch before then.

– Jason Miller