SOX Spared, Oversight Improved…

The advent of regulations that impact IT (SOX, PCI, FDCC, etc.) is considered by many a costly nuisance. However, one could argue that the stringent controls and accountability these regulations require have resulted in higher, measurable levels of security.

Earlier this week, one of the best known of these regulations, SOX, came under scrutiny by the Supreme Court, specifically over concerns around oversight. An excellent article was published that illustrates the court's ruling:

http://online.wsj.com/article/SB10001424052748703964104575334771098178714.html?mod=WSJ_hpp_LEADNewsCollection

The following is my summary of the results of the ruling:

1) The Supreme Court has ruled that the SEC now has the ability to remove Public Company Accounting Oversight Board (PCAOB) members "at will", which is a very significant change.  Prior to this decision, the SEC could remove a board member only for cause.  The importance of this ruling is that the accounting rules and controls established under SOX are maintained and enforced, and that oversight of the board rests with the SEC rather than with the PCAOB itself.  Thus, the change has created more accountability.

2) In terms of the impact on the SOX regulation, for those that have to comply, it’s business as usual.

Had the court ruled on a broader basis, it could have forced Congress to revisit the act altogether, and most public companies would have jumped for joy if SOX went away.  Still, the practices established to ensure compliance have been a worthy and valuable investment: they have made companies better practitioners and have helped prevent another Enron or WorldCom in today's business environment.

Dave Eike

Shavlik Technologies

New Adobe Patch Released

As announced earlier this month, Adobe has released critical security patches for the Adobe Reader and Acrobat products, described in security bulletin APSB10-15.  Most of the focus with this release will be on the actively exploited vulnerability CVE-2010-1297.  This vulnerability affects Adobe Reader and Acrobat versions 9.3.2 and earlier; Adobe Reader and Acrobat 8.x are not affected by it.  It is important to note that this release contains 17 vulnerability fixes in total, so Adobe Reader and Acrobat 8.x still need the update for the remaining vulnerabilities.  The actively exploited vulnerability also exists in Adobe Flash Player.  Adobe patched Flash Player in early June, so you should address that program as well as Adobe Reader.

Adobe has released this patch ahead of its regular quarterly security update schedule.  Adobe is not planning to release additional security updates on the July 2010 patch day.

Since this is already turning into a mini patch day for you, here are some other releases since last week that you should address:

Opera 10.54
Security release fixing 2 issues:

Cross-site scripting issue detailed here.
Windows font issue detailed here.


SeaMonkey 2.0.5
This update addresses:

  • 6 Critical software vulnerabilities
  • 2 Moderate software vulnerabilities
  • 1 Low software vulnerability

More information regarding this release can be found here.


Firefox 3.6.6
This update is a maintenance release that addresses an issue introduced in 3.6.4 where applications, such as Farmville, could hang the browser.  Note:  Mozilla did not release a browser version 3.6.5.  More information can be found here.


Firefox 3.6.4
This update addresses:

  • 4 Critical software vulnerabilities
  • 2 Moderate software vulnerabilities
  • 1 Low software vulnerability

More information regarding this release can be found here.


Firefox 3.5.10
This update addresses:

  • 6 Critical software vulnerabilities
  • 2 Moderate software vulnerabilities
  • 1 Low software vulnerability

More information regarding this release can be found here.


Thunderbird 3.0.5
This update addresses:

  • 4 Critical software vulnerabilities

More information regarding this release can be found here.


Thunderbird 3.1
This update is a maintenance release.  More information can be found here.

– Jason Miller

Custom Actions and Custom Patch Examples

I am a little behind on my video content, but I wanted to let everyone know about a couple of sticky posts on the General Shavlik Product Support Forum.  I will try to have some videos to go with these examples in the near future.  Each comes with a document describing the steps to implement it.

Custom Patch Examples – Currently there is a Shavlik Agent as a Custom Patch example and a Java Removal Tool example.

Custom Action Examples – Currently there is a Delete old propatches data example.

If you have some good examples, please let us know.  We will have to go through submissions and validate them, but we would like to gather examples of how our customers are using these features so we can share them with others.  You can submit any example to support@shavlik.com, attn: Chris, and I will review them as soon as I can and post them.

-Chris Goettl

Scan View: New vs Old

This is a call for feedback to those of you who started on older versions of Shavlik and have upgraded to NetChk Protect 7.5.  I have been in a continual debate with our support techs over this issue and we have reached a stalemate, with neither side able to fully win the other over.

The new Scan View in NetChk Protect 7.5 was designed with operational efficiency in mind.  The interface lets you scan any number of machines and then deploy to any combination of those machines in as many or as few deployments as you want.  This increases the efficiency of working through the product and decreases the number of groups you have to manage in complex environments.

Ex. In the old version, if I wanted to scan DCs, file servers, app servers, and clustered servers and deploy to them all at separate scheduled times, I would have had to use multiple machine groups: clustered servers broken into as many groups as there were deployment times, and tiered apps broken into separate groups by reboot order (for example, the application, DB, and presentation layers each needing to reboot in a certain order or things will not come up right).  Instead of managing this with many different machine groups, we now let you scan all of these servers at the same time; from there you can choose any combination of machines at the top level and the selection of patches in the middle pane, and then deploy all missing or selected patches or service packs.  For a very complex server environment this simplifies the operational workflow greatly.

Along with this came the tracking of actions taken against missing items.  If I deploy to any machines from the new Scan View, the missing patch is updated with the deployment status as it progresses, again increasing operational visibility.  Any scan I open shows me specifically what I have deployed.  Note that the actual scan data does not change as these statuses update; a report would still show any missing patch as missing for that result.  Also, in the middle pane the combination of Missing, Scheduled, Executing, Pending Reboot, etc. items all started as missing patches, so I can still see all the information I need from this one view without wondering whether a missing patch was deployed and having to search for a related deployment and/or try to locate it through the tracker.  Done from an operational perspective.

The counter-argument is that the Scan View in 7.5 does not let the user click on a scan and immediately see what was originally missing in that scan.  The data is all there, but as things deploy a patch may jump from state to state, so a user who just wants to go back to a scan sometimes has to dig for the data.

My question to you (the user) is does this new operational workflow improve your experience or confuse it?  Please send in your comments on what you like or dislike about the new View and suggestions as well.

-Chris Goettl

New Windows Security Vulnerability Irresponsibly Disclosed

The MSRC (Microsoft Security Response Center) has just disclosed a new publicly reported vulnerability in earlier versions of Windows: XP and 2003.  Quoting the MSRC post:

This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems. 

We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security.

Shame on you, Google.  I would think that a researcher from a software giant such as Google would do the responsible thing: privately disclose the vulnerability to the vendor instead of publicly releasing the information.  I wonder how his company, Google, would appreciate a researcher at Microsoft publicly disclosing vulnerabilities in Google Chrome?

The MSRC post has workarounds for this vulnerability until a patch is available.  A security advisory page is not up yet, but Microsoft should be releasing one soon.

Disclosing vulnerabilities is a touchy subject as people line up for defense on both sides.  What do you think about public vs. private vulnerability disclosure?

– Jason Miller

New Versions of Adobe Flash Available

Adobe released new versions of Flash Player 9 and 10 today as expected.  Flash 10.1.53.64 and 9.0.277.0 address one critical security vulnerability, described in Adobe Security Advisory APSA10-01.  You will want to patch these as soon as possible, as this vulnerability is being actively exploited in the wild.

Updates for Adobe Reader and Acrobat are scheduled for release later this month (June 29).

**Note:  The Adobe download page and security advisory still have not been updated.  The Flash Player download link will pull the latest version.  Stay tuned to the advisory page for details on the security bulletin.

– Jason Miller

SQL 2008 R2 Express Edition

For those of you using the Express edition of SQL Server, there is a real benefit in the new SQL Server 2008 R2 release.  The 2005 and 2008 Express editions have a maximum database size of 4 GB; R2 raises this limit to 10 GB, which allows much more historical data to be stored.  We are looking to make R2 Express our default install in a future release, but if you are currently on Express you can look into upgrading to the R2 edition now.

Now, just having a larger size limit and letting the database grow is not recommended.  You want to keep your database clean and maintain it regularly; its health keeps the product's performance where it should be.  Most customers I work with whose database reaches 4 GB or more are really just storing data that is unnecessary.  The Implementation and Planning Guide in our online documentation has recommendations on which SQL edition to use depending on your environment, along with database maintenance recommendations and a command line tool to use with Express editions.  I always recommend cleaning up any older data that is not required for audit purposes; if the data is stagnant it is just taking up space.  You can also run reports and export them to PDF, keep regular backups for archive purposes, and keep only the data live that is really necessary.  For most companies, 90 days of live data in the database is more than enough, but that will depend on your needs.
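To make the size limit concrete, here is an added PowerShell check (written for this page, not Shavlik's own tooling) that reads a database's data-file size from the `sys.master_files` system view and compares it against the Express cap that applies to the installed version: 10 GB for 2008 R2 Express and 4 GB for 2005 and 2008 Express, extended to later Express releases on the assumption that they keep the 10 GB cap. The instance name default and the database name are assumptions you replace; nothing here touches the Shavlik schema.

```powershell
# Added example: how close a database is to the Express edition data-file limit.
# Only the data files (type_desc = 'ROWS') count toward the cap; log files do not.
function Get-ExpressDbHeadroom {
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [string]$Instance = '.\SQLEXPRESS'    # assumption: default named instance for Express
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('Edition')        AS nvarchar(64)) AS Edition,
       SUM(CASE WHEN type_desc = 'ROWS' THEN size ELSE 0 END) * 8.0 / 1024 AS DataMB
FROM sys.master_files
WHERE database_id = DB_ID(@db)
"@
        [void]$cmd.Parameters.AddWithValue('@db', $Database)
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()                      # aggregate query always returns one row
        if ($reader.IsDBNull(2)) { throw "Database '$Database' was not found on $Instance." }
        $version = [version]$reader.GetString(0)  # e.g. 10.50.1600.1 for 2008 R2
        $edition = $reader.GetString(1)
        $dataMB  = [double]$reader.GetDecimal(2)  # size is in 8 KB pages
        $reader.Close()
    } finally {
        $conn.Close()
    }

    # Express caps: 4 GB for 9.0 (2005) and 10.0 (2008); 10 GB from 10.50 (2008 R2) onward.
    $isR2OrLater = ($version.Major -gt 10) -or ($version.Major -eq 10 -and $version.Minor -ge 50)
    $limitMB = if ($isR2OrLater) { 10240 } else { 4096 }

    # Non-Express editions are not capped, so report no limit for them.
    $isExpress = $edition -like '*Express*'
    $reportedLimit = $null
    $percentUsed   = $null
    if ($isExpress) {
        $reportedLimit = $limitMB
        $percentUsed   = [math]::Round(100 * $dataMB / $limitMB, 1)
    }

    New-Object PSObject -Property @{
        Instance    = $Instance
        Database    = $Database
        Edition     = $edition
        Version     = $version
        DataMB      = [math]::Round($dataMB, 1)
        LimitMB     = $reportedLimit
        PercentUsed = $percentUsed
    }
}

# Usage (substitute your Shavlik database name):
# Get-ExpressDbHeadroom -Database '<database>' | Format-List
```

Run it before and after the cleanup described above; a database that sits well under the cap after trimming to roughly 90 days of live data is the normal case, and a 4 GB Express database that is still near its limit after trimming is the sign to look at R2.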

Oh, and happy Patch Wednesday!  The XML release is out and I am installing my patches as I type this.  Adobe has announced a release coming soon; read here for more details on the upcoming Flash, Reader, and Acrobat releases Adobe has announced for later this month.

-Chris Goettl

June 2010 Patch Tuesday Overview

Microsoft has released 10 new security bulletins for the June 2010 edition of patch Tuesday.  These 10 bulletins address 34 vulnerabilities.

A large release by Microsoft this month was expected by us here at Shavlik, as Microsoft has lately shown a pattern of a smaller month followed by a larger one.


*Note:  -OOB represents an out-of-band release by Microsoft.

Two security advisories have been closed by Microsoft as the vulnerabilities have been addressed in two new bulletins:

KB980088 (closed by MS10-035):  Internet Explorer

KB983438 (closed by MS10-039):  SharePoint

There are two bulletins that administrators should address first.  MS10-033 addresses two vulnerabilities in Windows media handling that could lead to remote code execution.  Media is everywhere in the new age of social networking, and opening a specially crafted media file or connecting to a malicious server streaming media content can lead to remote code execution.  The days of focusing solely on Internet browsers for patching are over.  In the past year, Microsoft has focused on fixing vulnerabilities in its media formats and players, and as we move to a media-centric audience, attackers will focus more and more on media players alongside browser attacks.  I can guarantee that someone on your network, right now, is browsing the Internet looking for a video of Tom Cruise's Tropic Thunder character Les Grossman's dance routine from the MTV Movie Awards.

MS10-035 is the every-other-month Cumulative Security Update for Internet Explorer.  This bulletin fixes 6 vulnerabilities where a successful attack can lead to remote code execution.  Internet Explorer is one of the most targeted applications, so this bulletin should be addressed immediately on your network.

A couple of bulletins require special attention from administrators this month.  Patching software has made patch management easy, but administrators still need to read the bulletins each month for the small details that could adversely affect network security.

First, MS10-036 covers a product that is vulnerable but has no patch from Microsoft.  Microsoft Office XP SP3 is vulnerable, but there are actions you can take to mitigate this.  If possible, upgrade your Office installations to Office 2003 or 2007, as Microsoft is supplying patches for those products.  If this is not possible, Microsoft is providing a Fix it workaround tool that protects against the vulnerability (KB983235).  In addition, Microsoft Office 2003 and 2007 must be at the latest service pack level before the bulletin can be applied to fix the vulnerability.  Finally, if you are installing the patch for a standalone product, you must also install the patch for the full Office 2003 or 2007 installation.  For example, patching Visio 2003 will require you to patch Office 2003 as well.

Lastly, MS10-040 is a special case on Windows Server 2003, Vista and Server 2008 installations.  These systems are vulnerable only if Extended Protection for Authentication has previously been installed.
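Because the MS10-040 precondition is a separately installed update, it is worth checking from the host itself rather than assuming. The following PowerShell is an added example (mine, not Microsoft's or Shavlik's): it lists installed hotfixes through WMI, tests for the Extended Protection for Authentication update, for the MS10-040 update, and for the presence of IIS, and reports whether the host is still exposed. The KB numbers are my reading of the bulletins (KB973917 for the Extended Protection update, KB982666 for MS10-040) and should be confirmed against the bulletin text; the 2008 R2 and Windows 7 branch is my generalization, since those versions ship with Extended Protection built in and the bulletin lists them without the precondition.

```powershell
# Added example: does this host meet the MS10-040 "vulnerable only if Extended
# Protection for Authentication is installed" condition, and is it patched yet?
function Get-InstalledHotfixIds {
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID }
}

function Test-MS10040Exposure {
    param([string]$ComputerName = '.')
    $os       = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $hotfixes = Get-InstalledHotfixIds -ComputerName $ComputerName

    # Assumed KB numbers; verify against MS10-040 before relying on them.
    $epaInstalled   = $hotfixes -contains 'KB973917'
    $ms10040Applied = $hotfixes -contains 'KB982666'

    # IIS is the attack surface; with no W3SVC service there is nothing to hit.
    $iisInstalled = [bool](Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                               -Filter "Name='W3SVC'")

    # 5.2.* = Server 2003, 6.0.* = Vista / Server 2008: exposed only with EPA installed.
    # 6.1.* = Windows 7 / Server 2008 R2: EPA is built in, so exposed regardless.
    $conditional = ($os.Version -like '5.2.*') -or ($os.Version -like '6.0.*')
    $exposed = if ($conditional) { $iisInstalled -and $epaInstalled -and -not $ms10040Applied }
               else              { $iisInstalled -and -not $ms10040Applied }

    New-Object PSObject -Property @{
        Computer       = $os.CSName
        OSVersion      = $os.Version
        IISInstalled   = $iisInstalled
        EPAInstalled   = $epaInstalled
        MS10040Applied = $ms10040Applied
        StillExposed   = $exposed
    }
}

# Usage: run locally, or pass -ComputerName for a remote server you have WMI rights on.
Test-MS10040Exposure | Format-List
```

A host that reports `EPAInstalled = False` on 2003, Vista or 2008 is not exposed by this bulletin today, but it becomes exposed the moment Extended Protection is rolled out later, so the sensible policy is still to deploy MS10-040 everywhere IIS runs rather than to track the precondition per machine.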

On the non-Microsoft patching front, Apple has released two new versions of its Safari browser.  Safari 5.0 and 4.1 fix 47 vulnerabilities.  Safari 4.1 is Mac OS only, while Safari 5.0 is available for both Mac OS and Windows.  More information can be found here.

Adobe announced today that it is planning to release new updates for Adobe Flash, Reader and Acrobat soon.  Adobe Flash 10 is planned for June 10; Adobe Reader and Acrobat are planned for June 29.  More information can be found here.

– Jason Miller

**Updated:  Sometimes the bulletin detail pages can be a bit confusing.  Updated the post to reflect a change for MS10-036 when patching a standalone product.

Adobe back pedals on monthly patch cycle; announces new critical vulnerabilities

Dan Raywood from SC Magazine UK contacted us a couple of weeks ago for comment on Adobe's announcement that it would move to a monthly patch release cycle.  Dan's article also seemed to indicate that, after making the announcement, Adobe back-pedaled, saying that it is sticking with the quarterly cycle.

So, now we don’t know if Brad Arkin, Adobe’s director of product security and privacy, was inaccurate or premature. Stay tuned.

Following on the heels of this confusion, Adobe announced critical flaws in Flash, Reader, and Acrobat. Surprise, surprise.

In a post to patchmanagement.org Friday, June 4, 2010, Susan Bradley wrote:

Adobe Warns of Critical Flaw in Flash, Acrobat & Reader – Krebs on Security:
http://krebsonsecurity.com/2010/06/adobe-warns-of-critical-flaw-in-flash-acrobat-reader/

The company notes that the Flash Player 10.1 Release Candidate, available from this link <http://labs.adobe.com/technologies/flashplayer10/>, does not appear to be vulnerable. Adobe also said Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Further, Adobe Reader and Acrobat users can mitigate the threat from this flaw by deleting, renaming or removing access to the "authplay.dll" file that ships with Reader and Acrobat (although users may still experience a non-exploitable crash or error message when opening a PDF that contains Flash content).

The vulnerable component should be located at these spots for Windows users:

  • Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll
  • Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll

Adobe says it is working on an official patch for the problem. Stay tuned for more details.
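The authplay.dll workaround quoted above, and the patch-level check implied by the two Reader/Acrobat posts earlier on this page, can be scripted. The following PowerShell is an added example written for this page, not code from Adobe, Krebs, Susan Bradley or Shavlik. It walks the two default 9.0 paths from the quoted post (plus their 32-bit-on-64-bit equivalents, my addition), reads the installed product version from the main executable next to the DLL, and renames authplay.dll only where the product is below the fix level. The fix level of 9.3.3 is my reading of APSB10-15 and is marked as an assumption in the code; 8.x paths are deliberately not included because 8.x is not affected.

```powershell
# Added example: apply Adobe's interim authplay.dll workaround only where it is needed.
# Run from an elevated prompt. The rename is reversible (authplay.dll.disabled) and is
# superseded by installing the patched Reader/Acrobat, which is the real fix.
$FixedVersion = [version]'9.3.3'   # assumption: first 9.x build carrying the APSB10-15 fix

# Default install locations from the quoted post; AcroRd32.exe / Acrobat.exe carry the version.
$Targets = @(
    @{ Dll = "$env:ProgramFiles\Adobe\Reader 9.0\Reader\authplay.dll";   Exe = 'AcroRd32.exe' },
    @{ Dll = "$env:ProgramFiles\Adobe\Acrobat 9.0\Acrobat\authplay.dll"; Exe = 'Acrobat.exe' }
)
if (${env:ProgramFiles(x86)}) {
    # 32-bit Reader/Acrobat on 64-bit Windows live under Program Files (x86).
    $Targets += @{ Dll = "${env:ProgramFiles(x86)}\Adobe\Reader 9.0\Reader\authplay.dll";   Exe = 'AcroRd32.exe' }
    $Targets += @{ Dll = "${env:ProgramFiles(x86)}\Adobe\Acrobat 9.0\Acrobat\authplay.dll"; Exe = 'Acrobat.exe' }
}

function Get-ProductVersion {
    # Product version of an executable as [version], or $null if the file or version is unreadable.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $raw = (Get-Item $Path).VersionInfo.ProductVersion
    try { return [version](($raw -replace ',', '.').Trim()) } catch { return $null }
}

foreach ($t in $Targets) {
    if (-not (Test-Path $t.Dll)) { continue }            # this product is not installed here

    $exe = Join-Path (Split-Path $t.Dll -Parent) $t.Exe
    $ver = Get-ProductVersion $exe
    if ($ver -and ($ver -ge $FixedVersion)) {
        Write-Host "$($t.Dll): product is $ver, at or above fix level; leaving DLL in place."
        continue
    }

    # Vulnerable, or version unknown: rename rather than delete so the change can be undone.
    $disabled = "$($t.Dll).disabled"
    if (Test-Path $disabled) { Remove-Item $disabled -Force }
    Rename-Item -Path $t.Dll -NewName (Split-Path $disabled -Leaf)
    $shown = if ($ver) { $ver } else { 'unknown' }
    Write-Warning "$($t.Dll): product is $shown; authplay.dll renamed. PDFs with Flash content will now error instead of running it."
}
```

Two caveats the quoted text already hints at: the renamed DLL means Flash-bearing PDFs fail with a non-exploitable error rather than open, and a later Reader repair or reinstall puts authplay.dll back, so the rename is a stopgap to be tracked until the 9.3.3 update is confirmed deployed. Flash Player itself is a separate install and needs its own update (10.1.53.64 or 9.0.277.0 per the post above).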