New Microsoft Security Advisory 983438

A public report of a new vulnerability has prompted Microsoft to release Security Advisory 983438.  A vulnerability exists in SharePoint Server 2007 and SharePoint Services 3.0 that could result in elevation of privilege.

An attacker would need to entice a user to click on a specially crafted link.  This would allow the attacker to run a script with the same privileges as the user on a SharePoint site.  It is important to note the privileges gained are from the SharePoint site, not the user’s system.

There are a couple of workarounds for this issue until Microsoft patches the vulnerability:

1)  If you are using Internet Explorer 8, enable the XSS Filter.

2)  On your SharePoint server, disable access to the SharePoint Help.aspx file.  If you disable access, users will not be able to use the SharePoint help file system.

In terms of Advisories, this may not be as critical as other advisories unless your organization relies on SharePoint Server.  Considering the affected products, vulnerability type and how close we are to May’s Patch Tuesday, I doubt there will be a patch for this during the next Patch Day cycle.

– Jason Miller

iTunes 9.1.1 Now Available

Apple has just released a new version of iTunes.  iTunes 9.1.1 appears to be a maintenance release with no security fixes.  Apple can be a bit slow to announce security fixes, so stay tuned.

Details on iTunes 9.1.1 can be found here.

This version of iTunes will still deploy QuickTime 7.6.6 as there was no update for QuickTime.  On the Apple Application Support front, the installer still fails to install AAS when deployed silently.  Like QuickTime, AAS did not get an upgrade as it is still at version 1.2.1.

– Jason Miller

If you stop to think about it, patch management touches our lives daily

Reprint of post (4/28/2010) by the moderator of Interesting way to look at patch management and the impact on our daily lives.

Nancee Melby
Director of Product Marketing
Shavlik Technologies

To whom it may concern at the Airport I’m flying out of this morning

When you install updates through whatever management service you use, can you make sure you flag the box to reboot, preferably before 5:30 a.m., which is when I arrived in the airport to see that EVERY gate information screen not only is running Windows XP but had a “this system needs to be rebooted after automatic updates” message box stuck smack dab middle of the screen.

I’m sure your patching routine is hard to do and I wouldn’t wish it on anyone, but leaving the box in an unrebooted state leaves the system in an unstable, unpatched state.

Given that I also can’t figure out what you approved for patching last night — as I don’t read anything in was released to warrant pushing out, I’m hoping that these aren’t the patches from earlier in the month.  But since I’m not the admin of the airport, I’m not sure what you deemed proper to approve, let it install, but then not kick a reboot. I see more Win7 and Server 2008 updates including some updates to 2k8r2 best practice analyzers that said they may reboot the box but didn’t on mine.

I do find that you need to patch a test box to see which ones really will and which ones probably won’t need a reboot.

But bottom line people… updating without rebooting is only 1/2 of the job.  You gotta bounce that box before the job of patching is done.

MS10-025 Re-released Today

As planned, Microsoft re-released MS10-025 today.  If you have previously applied this patch to your systems, you will need to reapply the patch with the re-release.  As this may affect a small number of your machines, this may not have a major impact on maintenance windows.

We released a new XML for Shavlik NetChk that will apply the latest version of MS10-025.  We also added support for patching of the Opera Browser.

– Jason Miller

The Continuing Conundrum – Patching Non-Microsoft Applications

Clearly, one of the most important functions performed by any IT organization centers around addressing the risks associated with poorly patched systems. This challenge is further complicated by the sheer number of new vulnerabilities that continue to appear. For years, the process of patching or repairing systems that are determined to be vulnerable has continued to improve, but many organizations still wrestle with the challenge of patching the ever-increasing number of non-Microsoft applications found in their environment.

The vast majority of solutions on the market today that claim to do “patch management” fall short of dealing with this continuing conundrum of non-Microsoft application patching. Relying solely on a patching solution that doesn’t fully address the breadth of non-Microsoft applications found in most environments (e.g., Adobe, Real Player, Firefox, etc.) creates a condition of unnecessary risk!

In terms of a solution to this continuing challenge, I’d like to recommend the following:

1)      First, look for a solution that can give you an accurate assessment of your environment’s current patch status – one that is capable of discovering the complete set of Microsoft applications and operating systems, as well as all the most prevalent non-Microsoft products.

2)      Look for a solution that can address any patching requirements you may have relative to any “in-house” developed applications.

3)      Another key element that you should look for in any type of patch management solution centers around the level of automation. The greater the level of automation, the faster the return on investment.

So, if you continue to wrestle with the challenges of patching all those non-Microsoft applications in your environment – there is hope!

Dave Eike

Shavlik Technologies

Learn More About Shavlik: Patch + AV

For those of you on NetChk Protect 7 you are probably now aware that Shavlik offers Threat Protection as part of its offering.  If you have not had an opportunity to investigate this functionality and are interested in finding out more please read the following.  We have an upcoming webinar that may be of interest to you.

Patch Plus AV: Manage Both from the Same Console

Did you know that Shavlik offers antivirus + antispyware from the same console?  Shavlik has integrated Sunbelt Software’s VIPRE Enterprise Antivirus + Antispyware engine into Shavlik NetChk Protect.   If you are currently using NetChk Protect and are looking at other AV solutions for your environment, you will find this upcoming webinar interesting.  Mark Shavlik, CEO, Shavlik Technologies and Alex Eckelberry, CEO, Sunbelt Software, will explain what they’ve learned from customers about the real value of reducing cost, complexity, and the number of agents you have to manage.

Please join Mark Shavlik and Alex Eckelberry on Thursday, April 29th at 11:00am for a short webinar.  You can register at:

Shavlik's Big Splash at the Microsoft Management Summit

The week at the Microsoft Management Summit in review.

I spent last week at the Microsoft Management Summit (MMS), April 19-22 in Las Vegas. While Microsoft finally added “cloud computing” to its massive vocabulary, the cloud announcements didn’t generate the most excitement and buzz. I’d have to say that honor belongs to Shavlik SCUPdates and the need to patch 3rd party applications.

We ended up with mentions in three of the biggest sessions at MMS. Bill Anderson, System Center program manager, demonstrated Shavlik SCUPdates in his “State of the Union” address. You can read about the State of the Union address in Kenny Buntinx’s blog. SCUPdates was also the topic of extended conversations at the System Center Updates (SCUP) breakout session and a session hosted by Dell, also on SCUP.

The need for an effective means for patching 3rd party applications was obvious to those in attendance. We had numerous conversations with System Center Configuration Manager users about the pain of researching and creating packages to deploy updates for non-Microsoft applications, especially Adobe Reader, Adobe Flash, Firefox, Quicktime, and Sun JRE. Many confessed they don’t have bandwidth to effectively patch these applications. They end up doing custom one-offs or doing nothing at all. The need is clear. The pain is obvious. Shavlik has the solution.

A System Center Config Manager administrator from a major oil company came by for a SCUPdates discussion following the State of the Union session. He came back later with some of his co-workers. He did all the talking. Then he came back a third time with his boss. Again, he did all the talking. We gave him a trial catalog file which he promptly sent back to his colleagues.

He came back a fourth time with questions from the home office.

That scenario played out numerous times. The interest in SCUPdates was very high. There is clearly a need, a pain that needs relief. If you want to get more information on how Shavlik SCUPdates will have you patching non-Microsoft applications in minutes using SCCM, register here and try it.

Director of Product Marketing

Microsoft Bulletin MS10-025 Has Been Pulled

Microsoft has pulled support for the recent security bulletin MS10-025.  The bulletin only affects Windows Media Services on Windows 2000 Servers.  Microsoft found the bulletin did not fix the vulnerability.  In other words, a machine with the patch applied was still vulnerable to attack.

So, what does this mean for you?  Be prepared for an out-of-band update for this bulletin.  You will need to reapply this bulletin to any machine that you have already patched in your April patch Tuesday cycle.

The good news is that Microsoft has not been seeing any attacks on this vulnerability.  And, the bulletin itself applies to a very small number of targets (in a typical organization).  If the vulnerability does concern you or your organization, Microsoft has posted workarounds on the bulletin page to help mitigate the risk of this vulnerability.

More information can be found on the MSRC blog.

– Jason Miller

Apple Application Support as a Custom Action

Those of you who are dealing with the changes to Apple products know it is a bit of a pain.  We are trying to do things to make this easier.  Here is another option that can help reduce the effort. For this discussion I am using QuickTime 7.6.6 as an example.  To upgrade QuickTime, you scan and deploy AQ10-001, which is the QuickTime 7.6.6 install.  Once it is installed, you need to rescan to detect AAS01-005, which is the new version of Apple Application Support that was released with QuickTime 7.6.6, and deploy that as well.  If AAS is not updated as well, your users will get an error upon opening the application saying that Apple Application Support is not installed and that they should reinstall the application to fix the issue.  So rather than do two deployments, since the AAS patch is dependent on the QuickTime version, we can use Custom Actions to trigger the install of AAS01-005 along with the QuickTime 7.6.6 install.

The following sticky post on the forum steps you through how to set up these actions.  This will work for Agentless deployments only.  Currently the Agent does not support custom actions.