Mozilla Firefox Also Part Of Patch Tuesday

Mozilla released two new versions of their Firefox browser last night.

Mozilla Firefox 3.0.19

  • 5 Critical Vulnerabilities fixed.
  • 1 High Vulnerability fixed.
  • Details for the vulnerabilities fixed can be found here.

Mozilla Firefox 3.5.9

  • 5 Critical Vulnerabilities
  • 3 Low Vulnerabilities
  • Details for the vulnerabilities fixed can be found here.

For both browsers, the critical vulnerabilities are the same ones addressed in the Firefox 3.6.2 update released earlier.

– Jason Miller

Even More For Out-Of-Band Patch Tuesday

Today, the unplanned patch day started with:

  • Microsoft going out-of-band in releasing MS10-018
  • Sun releasing Sun Java 6 update 19
  • Mozilla releasing Thunderbird 3.0.4
  • Apple releasing new patches for Mac OS X 10

Now, we have more joining the patching fun:

  • Mozilla has just released SeaMonkey 2.0.4.  This release fixes 8 vulnerabilities.  The vulnerability details can be found here.
  • Apple has just released iTunes 9.1.  This release fixes 7 vulnerabilities.
  • Apple has just released QuickTime 7.6.6.  This release fixes 16 vulnerabilities.

Let’s hope this is the end of security patches for today…  Tomorrow is another patching day.

 – Jason Miller

March Patch Tuesday Overview – Part 2

Microsoft is going out of their normal release cycle to post a new security bulletin for Internet Explorer.  This bulletin fixes a vulnerability that is currently being exploited in the wild.

In the past few years, Microsoft has gone out-of-band with security bulletin releases on limited occasions.  In both 2008 and 2009, Microsoft released only two out-of-band security bulletins to fix critical vulnerabilities.  With today’s out-of-band release, Microsoft has already released two in 2010, both addressing known critical vulnerabilities in Internet Explorer and kicking off a record year for out-of-band patch releases.

Microsoft typically releases cumulative updates for Internet Explorer bimonthly during regular Patch Tuesday releases, and we were expecting to see the next round of IE patches in April’s Patch Tuesday release.  As this bulletin is being released earlier than planned, it is important to note the bulletin contains a total of 10 vulnerability fixes.  The other nine vulnerabilities addressed are not publicly known at this time.

If administrators used any of the workarounds suggested in the security advisory (KB981374) that prompted this out-of-band release, it is important for them to un-apply the workarounds.  This will restore functionality that was lost due to the temporary fix.

With any zero-day exploit that is being actively targeted, it is critical for administrators to patch their systems as soon as possible.  Some patch maintenance cycles are scheduled over weekends to accommodate the known downtime.  While many are planning for a long holiday weekend, administrators should not wait to patch this until next week as we know that hackers won’t be taking the weekend off.

Jumping on this version of Patch Tuesday:

Mozilla has released a new version of Thunderbird.  Thunderbird 3.0.4 fixes known security vulnerabilities in the product.  The Mozilla Security Advisory page has not been updated yet and you should keep an eye on the page for the announcement.

Sun has also released a new version of Sun Java.  Sun Java 6 update 19 fixes multiple security vulnerabilities.  More information can be found here.

Apple is also releasing a large number of vulnerability fixes for Mac OS X v10.5.8, Mac OS X v10.6 – v10.6.2.  The release notes can be found here.

As it seems a lot of vendors are in the patching mood today, I will update this blog posting if we find more here at Shavlik.

– Jason Miller

Microsoft Going Out-Of-Band For IE Vulnerability

Microsoft announced today they will be shipping an out-of-band bulletin tomorrow for Internet Explorer.

It is important to note that this bulletin was planned to be released during the regularly scheduled April Patch Tuesday.  This bulletin will fix the highly publicized zero-day vulnerability for Internet Explorer (Microsoft Security Advisory 981374).  In addition, this bulletin will fix 9 other vulnerabilities.

Microsoft Security Advisory 981374 was published by Microsoft during March’s Patch Tuesday.  This vulnerability affects Internet Explorer versions 6 and 7.  Internet Explorer version 8 is not affected by this vulnerability.  But the patch is a cumulative update that fixes multiple vulnerabilities.  Some of the vulnerabilities fixed in this bulletin do affect Internet Explorer 8.  Administrators should be sure to patch all versions of Internet Explorer as soon as the bulletin is released.

It is not uncommon lately for Microsoft to release out-of-band.  Microsoft monitors the situation through customer reports and exploit activity.  If they notice, as in this case, the threat is growing, they will release out-of-band to address the vulnerability.

– Jason Miller

Time To Update Your Firefox Browser To 3.6.2

Mozilla released Firefox version 3.6.2 today to address a critical security vulnerability.  The vulnerability could lead to remote code execution.  This is a quick turnaround for a vulnerability fix from Mozilla.  You should look at updating your Firefox browser as soon as possible.

The release notes state other security vulnerabilities have been addressed with this release.  At this time, their security advisory page has not been updated with the additional fixes.

More information:

Firefox 3.6.2 security fixes 

Mozilla Critical Security Advisory 

CVE-2010-1028 information

– Jason Miller

Power Management – Immediate Impact!

Today there is a great deal of concern relating to the amount of power consumed by computers large and small. The ability to control power consumption via good power management techniques will not only save energy and reduce CO2 emissions, it will also dramatically reduce the cost to power and cool each system. This can amount to some significant savings!

Example: If you took 500 computers that were generally left on 24×7, and reduced the time they were left on at night during the week (evenings) to just 3 days instead of 5, and powered these systems off over the weekend…the annual savings would be significant. At $.095 per kWh, the total savings would be $28,321 – with an energy savings of 298,116 kWh. This is significant!

The Value Of An Enforceable Power Management Policy

  • Measurable Cost Reduction – Power and Cooling Costs
  • Save Energy & Reduce CO2 Emissions
  • Enforceable Policy – Customize To The Needs Of The Business

Here at Shavlik we’re going to be introducing new technology that will help IT departments measure their current power consumption…and then create and manage power management policies that should have an immediate impact on the business. This new technology will enable the user to shut down (power off) or put machines into hibernate or sleep mode on an immediate or scheduled basis – thus helping control power consumption. This new technology will also help simplify IT Operations by allowing system administrators to “Wake-up” machines on the network either on-demand or on a scheduled basis, to assist with scheduled maintenance.

In summary, the development and enforcement of a good Power Management policy can provide immediate and measurable savings – while contributing to Greener IT.

Dave Eike

Shavlik Technologies

Methods for Deploying Agents to Your Network

A very good question came up on the forum the other day (and has been coming up more frequently in general lately) so I thought I would post about it.  The question is how to deploy agents out to your entire environment quickly.  The answer is that it will vary based on each customer’s requirements.  How would you like to deploy it?  If you prefer to deploy it from the console using Shavlik NetChk Protect 7.2, you should be aware of some current known limitations.

There is a section in the following Shavlik NetChk Protect implementation and planning guide that talks about several ways to roll out the agents.  http://www.shavlik.com/documents/ipg-prt-7-2.pdf

Here are some options to get you started:

  • Self-Extracting Zip.  If you have WinZip or some other solution that allows you to create a self-extracting .exe, this is a great way to package the install so someone can click on it and install without much effort.  I have one customer who did this for remote users: 146 standalone locations across Minnesota that rarely, if ever, check in.  We packaged it up and had it set to extract to a temp folder and execute the command line to connect to a DMZ-facing console.  The .exe was hosted on their intranet site, and an email blast went to the site administrators for each of the business units with the link to install.  Install was unattended from that point on.  Use the following references for details on how to do this.

-Chris Goettl

Shavlik Technologies Launches Facebook Page

We are very excited to announce that today we launched Shavlik Technologies’ new Facebook page.  The new page will give us the opportunity to get to know you better, and we hope that you get to know us better in turn.

We will be offering a number of items on our Facebook page:

  • Shavlik news, coverage and hot blog articles – all in one place.
  • Video demos of the latest products and services.
  • Our take on the latest industry news.  We’d like you to share items you think are important, too!
  • A place for Shavlik employees, customers and like-minded industry professionals to interact and build relationships.

Shavlik Technologies on Facebook

This is YOUR forum.

We created this for you.  We are hopeful that you will come in to share successes, troubleshoot, ask questions and meet others.

We look forward to having a conversation.

Colleen Kulhanek
Director of Marketing
Shavlik Technologies

Confused with Mozilla's recent patching? So am I

The question for the Shavlik team lately has been:  When is Mozilla actually going to end of life the Firefox 3.0.x product line?  I originally reported this product would go end of life in January 2010.  In fact, Mozilla’s website even stated the product was end of life.  Well, Mozilla decided to publish updates to the 3.0.x line with 3.0.18 on February 17th, 2010 (same day as 3.5.8).

So, now the guessing game comes.  Is Firefox 3.0.x actually end of life now?  All signs point to no.  A recent blog post stated Mozilla will be publishing 5 product updates at the same time.

  • Firefox 3.0.19
  • Firefox 3.5.9
  • Firefox 3.6.2
  • Firefox 3.7a3 (Alpha)
  • Thunderbird 2.0.0.24

Firefox 3.0.19 could be the final update for 3.0.x, but at this point I wouldn’t risk it.  Playing the game of “is this product actually supported or not” is a dangerous game to play in the patching world.  Eliminate the risk and confusion.  Update your Firefox browser to the latest unless you have a really good business case for not supporting the new version of the browser.

For the 5 product updates, look for them to be released later this month.

– Jason Miller

Software Distribution Options in Shavlik NetChk Protect

Ever do a comparison between a Shavlik scan and Windows Update?  If you just used the Shavlik Security Patch Scan you will see some differences.  We will catch 3rd party products like Adobe, Firefox, Apple, etc., but WU will only tell you that you are missing and need to install Microsoft products such as IE8 and .NET frameworks, Microsoft Silverlight and all sorts of other fun stuff you may not really need or want installed on your network, while ignoring critical non-Microsoft applications on your system.  Shavlik can scan for all of these as well, but chooses to separate them from security patch reports as most of our customers are focused on Security Patching first, and other items as needed or when critical testing is complete.

However, if you find that you require additional software to be installed on your network, Shavlik can help.  Out of the box, Shavlik can deploy IE 7 or IE8, .NET frameworks, Acrobat Reader, Flash Player, Firefox, etc.  Here are quick and easy directions to scan for and install software using Shavlik NetChk Protect:

  1. In the console go to Patch Scan Templates and create a new patch scan template.
  2. Name it Software Distribution.
  3. In the Patch Type Filter just uncheck Security Patches and check Software Distribution.
  4. Save.

Scan a machine with this template and you will find Firefox, QuickTime, Flash, .NET 1.1 – 3.5 SP1, Silverlight, Windows Desktop Search, and much more.  You can deploy any of these items as easily as a patch.  The one thing we recommend is to scan for these separately and choose what you want to deploy to prevent unnecessary software from being deployed to systems like servers.  If you plan to make a product in this list standard, it is highly recommended to use a Patch Group to enforce only what you want and nothing else.

– Chris Goettl