Adobe Changing Patch Release Cycle Again?

Threatpost is reporting that Adobe may be changing their patch release cadence from quarterly to monthly.  We would applaud this change, as third-party products are among the most targeted applications for security vulnerabilities.

Last year, Adobe began releasing security patches on a quarterly schedule on the same day as Microsoft’s Patch Tuesday.  Recently, we have seen Adobe releasing patches out-of-band that address zero-day exploits for their software.  Increasing the cadence of patches for Adobe products only makes sense.  Administrators already have maintenance windows associated with Microsoft patching.  Adding one more product to the cycle would only help in the vulnerability battle.

– Jason Miller

Alureon Rootkit Still Running Rampant

The Microsoft Malware Protection Center recently released their MSRT (Malicious Software Removal Tool) threat report for May.  This report focuses on the steps Microsoft has taken to remove the Alureon rootkit from systems.

Back in February, Microsoft released security bulletin MS10-015 that addressed vulnerabilities in the Windows Kernel.  Microsoft received reports of machines that were blue screening after patching MS10-015.  The blue screen was caused by the Alureon rootkit.  The patches for bulletin MS10-015 were pulled to address the issue.  The patch was changed to include detection logic for abnormalities such as the Alureon rootkit.  If these abnormalities are found, the patch will not apply on the system.

The MSRT tool has cleaned nearly 400,000 machines infected with the Alureon rootkit in May alone.  Virus outbreaks usually make headlines when discovered, but this report shows that viruses and vulnerabilities never go away.  Many machines are still being infected with the virus.

Having an anti-virus program on a machine is not the only solution to the problem.  It is important to identify and patch software vulnerabilities on target systems as well.

– Jason Miller

Google Chrome 5 Now Available

Google released a new version of Chrome that addresses multiple security vulnerabilities:

  • [7713] Medium Canonicalize URLs closer to the Safe Browsing specification.
  • [16535] High Possible URL bar spoofing via unload event handlers.
  • [30079] Medium Memory error in Safe Browsing interaction.
  • [39740] Medium Bypass of whitelist-mode plugin blocker.
  • [41469] Medium Memory error with drag + drop.
  • [42228] High Incorrect execution of Javascript in the extension context.

Google Chrome 5 is also now officially supported on Mac and Linux.  More details on Google Chrome can be found here and here.

– Jason Miller

Power Management Features in NetChk Protect 7.5

For those of you who have already upgraded to NetChk Protect 7.5, you have seen some great enhancements.  Much has been done to improve the workflow in the product and bring you an experience where fully patched machines are just a few clicks away.  You can see more and do more in the product than ever before.  One thing you may have missed is a new set of features around Power Management.  This feature set includes the ability to schedule power state changes for machines in your environment as well as Wake-on-LAN to wake them back up for critical tasks like AV scans and Patch Maintenance.  The goal: enable you to stay secure while trying to save a buck.  That’s right!  Green is not just in our logo, it is now part of the product as well.  Ok, so that line was cheesy, but I am sure Marketing will love it.  I will let the features speak for themselves.  Check them out in the videos at the following link:

Look on the right side under SOS Videos and you will find Power Management and Wake-on-LAN.  These two videos make up the Power Management feature set.

http://www.shavlik.com/training-on-demand.aspx

We will also be running a live Webinar with Randy Franklin Smith on Wednesday this week.  You can sign up at the following link to attend.

Getting Out of the Way of Green Initiatives: Power Management Joins Patch Management

http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=95

For more details on how to enable Power Management in NetChk Protect 7.5 contact your Sales Representative.

-Chris Goettl


Shavlik releases new cloud strategy, and new identity

This week at Shavlik, we released a new corporate and product strategy that more solidly emphasizes our leadership in the cloud space and highlights how we leverage the latest in cloud and virtualization technologies to deliver an increasingly faster time to value in managing critical IT assets. See the news here.

This fast time to value we deliver to our customers is not new – Shavlik has always been known for this – but we continually raise the bar for ourselves as to what “fast” equates to. For the last several years, we’ve promised that in “30 minutes or less” you’ll be up and running with patch scanning and deployment for physical and virtual machines. Today, however, we can promise our customers high value IT management in 90 seconds or less. Our new cloud-based solution, IT.Shavlik.com, provides our customers with a fast and easy way to immediately begin scanning their systems for the latest software, hardware versions, patch status, VM status, and then deploy updates as needed. This is a web-based interface with zero IT infrastructure required. IT.Shavlik.com runs on a cloud platform that Shavlik refers to as our OpsCloud.

Today IT.Shavlik.com is ideal for managing smaller business environments, but its value for mid-sized and larger companies will scale over time. Even today a larger environment could easily leverage IT.Shavlik.com to quickly scan their systems as an audit effort to ensure their systems are fully up to date.

We hope that our customers and other friends of Shavlik will take a look at the new face of Shavlik today, visit our new web site, and see how easy it is to find out what we offer and get immediate access to all of our free software and downloads. Just click Start Now from the home page.

Colleen Kulhanek
Director of Marketing
Shavlik Technologies

New Microsoft Security Advisory – 2028859

Microsoft released a new security advisory (KB2028859) for Windows 7 x64 and Windows 2008 R2 yesterday.  Although the vulnerability has been publicly disclosed, Microsoft has no reports of any attacks at that time.

With this vulnerability, a denial of service attack causing the system to stop responding is the most likely attack scenario.  A remote code execution attack is theoretically possible, but Microsoft is downplaying the likelihood due to the difficulty of pulling off such an exploit.

Unlike the past, Microsoft is giving the security advisory an Exploitability Index.  These ratings are usually only used for released security bulletins.  This security advisory has an Exploitability Index rating of “3:  Functioning exploit code unlikely” which reflects the unlikelihood of a working exploit.

Patch week is still a few weeks away, so there may be a chance we will see a patch to fix this vulnerability.  Due to the complexity of pulling off this exploit, I do not expect to see an out-of-band patch release for this vulnerability.

In the meantime, you can disable the Aero theme on your systems.  The exploit needs the Aero theme in order for the system to be vulnerable.

Microsoft has step by step instructions on disabling the Aero theme on their Aero troubleshooting page:
Can I turn Aero off?

– Jason Miller

New Custom Actions thread on General Support Forum

For those of you who joined the 7.5 upgrade webinar live or watched the rerun, you may recall a question that was asked towards the end.  Someone had asked about cleaning up the ProPatches folder as over a long period of time it was beginning to accumulate data.  I have created a custom action that will clean up c:\windows\propatches\patches and c:\windows\propatches\install.  It purges files older than 30 days for patches and 90 days for the install files.  There is a doc inside the zip that explains in more detail and includes instructions on how to modify the number of days to keep for each folder.

The forum thread below will become home to other custom actions as well.

http://forum.shavlik.com/viewtopic.php?f=35&t=16286

– Chris Goettl

Purge Old Data Script for 7.5 now available

Hey All,

For those of you who have seen the previous tool, the new version is available.  For those who have not yet seen this, it is a way to purge data older than xx number of days through a script that can be scheduled regularly so you can work this into your DB maintenance routine.  Please refer to the following links for more details:

PowerShell Scripts write-up:

http://forum.shavlik.com/viewtopic.php?f=10&t=16237

DB Maintenance Recommendations: http://supportteamblog.shavlik.com/2010/01/13/sql-database-maintenance/

-Chris Goettl

Edit: For NetChk Protect 7.8 Customers you should use the DB Maintenance Feature in the product.

New version of Adobe Shockwave Available

I spoke too soon.  Adobe has just joined Patch Tuesday by releasing a new security bulletin for Adobe Shockwave.
APSB10-12:  Adobe Shockwave 11.5.7.609

  • Applies to Shockwave versions 11.5.6.606 and earlier
  • Addresses 18 vulnerabilities
  • Rated critical by Adobe.
  • Can lead to remote code execution

Be sure to add this one to your patch maintenance window for May.  Stay tuned to see if any other vendors jump onboard the Patch Tuesday train.

– Jason Miller

May 2010 Patch Tuesday Overview

Microsoft has released 2 new security bulletins for the May 2010 Patch Tuesday.  This month’s security bulletins primarily affect workstations and each has a special case associated with it.

MS10-031 affects Microsoft Visual Basic for Applications.  This bulletin can cause confusion as it affects Microsoft products as well as non-Microsoft products.  On the Microsoft products side, this patch will cover all supported versions of Microsoft Office.  For non-Microsoft products, Microsoft Visual Basic for Applications and Microsoft Visual Basic for Applications SDK are potentially used by third party software vendors for their own applications.  The vulnerable code could be on your system through one of these programs.  It is important to note that Microsoft can only patch the Microsoft Office suite for this vulnerability.

To find out if you have third-party software that is vulnerable, Microsoft has provided a knowledge base article (KB978213) with steps to identify these products.  If you do find one of these products, you should contact the software vendor and ask for their patch to address the vulnerability.  Like the ATL issue last July, we could see many vendors supplying their own patches to address this vulnerability.  This is just another important reminder that patching is not just a Microsoft issue when it comes to software vulnerabilities.

MS10-030 affects Microsoft’s email clients and addresses one vulnerability.  Like MS10-031, there is a special case with this bulletin.  This bulletin affects every supported Microsoft operating system.  However the Microsoft email clients, Windows Live Mail and Windows Mail, are not installed by default on some of the affected operating systems and will require a user to install the client.

The primary attack vector for this vulnerability is to intercept mail client network traffic through a man-in-the-middle attack.  A common scenario for this type of attack is free Wi-Fi hot spots, such as those at universities or libraries, because they are not secured.  An attacker could perform a man-in-the-middle attack and gain remote code execution.

The attack vector for this vulnerability seems a bit unlikely.  An attacker would need to entice a user to connect to a malicious email server in order to gain remote code execution.  We all see spam emails ranging from luxury watches and “special” pharmaceutical drugs at outrageously cheap prices to phishing attempts aimed at gaining private and confidential information.  But, a phishing attempt to entice a user to connect to a malicious email server is very uncommon.

On the re-release and security advisory front, there are no new updates for this month.  We are also not seeing any other vendors, at this point, joining in on the Patch Tuesday activities.

– Jason Miller