NetChk Protect 7.5 Patch 2 Released

Shavlik has released a patch for NetChk Protect 7.5.  This patch resolves five known issues.  To read more on this patch release you can click on the Forum link below.

http://forum.shavlik.com/viewtopic.php?f=10&t=16359

The hotfix will require NetChk Protect and the Shavlik Console Service to be closed and stopped (it will do this for you); otherwise a reboot may be required.  If you have any questions you can contact support@shavlik.com.

-Chris Goettl
Sales Engineer, Shavlik Technologies

This Week In Patching – 7/23/2010

There were quite a few critical patches released this week.  Some of these, such as Firefox, were expected.  Mozilla just released an updated version for the Firefox browser.  This is the second critical Firefox release just this week.

Mozilla Firefox 3.6.8

  • Released 7/23/2010
  • Fixes:  1 Critical Vulnerability

Mozilla Thunderbird 3.0.6

  • Released 7/20/2010
  • Fixes:  4 Critical Vulnerabilities; 1 High Vulnerability; 2 Moderate Vulnerabilities

Mozilla Thunderbird 3.1.1

  • Released 7/20/2010
  • Fixes:  5 Critical Vulnerabilities; 2 High Vulnerabilities; 3 Moderate Vulnerabilities

Mozilla SeaMonkey 2.0.6

  • Released 7/20/2010
  • Fixes:  7 Critical Vulnerabilities; 1 High Vulnerability; 3 Moderate Vulnerabilities

Mozilla Firefox 3.5.11

  • Released 7/20/2010
  • Fixes: 7 Critical Vulnerabilities; 1 High Vulnerability; 3 Moderate Vulnerabilities

Mozilla Firefox 3.6.7

  • Released 7/20/2010
  • Fixes:  8 Critical Vulnerabilities; 2 High Vulnerabilities; 4 Moderate Vulnerabilities

Apple iTunes 9.2.1

  • Released 7/19/2010
  • Fixes:  CVE-2010-1777
  • It is important to note a special case with QuickTime in this installer.  If you do not have QuickTime currently installed, the iTunes installer will install version 7.66.73.0.  QuickTime version 7.66.71.0 is the version publicly available on Apple’s site.  I did not see any release notes around this minor update, so I expect this is a minor fix that is not security related.

– Jason Miller

Psst…Have you heard Mozilla and Apple's dirty little secret?

Still think patching non-Microsoft applications is unimportant? Guess again.

Technology reseller Channel Reseller just posted the latest security report (data from Secunia) identifying the most dangerous and most attacked applications and also the most vulnerable operating systems.

The report found that Mozilla’s Firefox and Apple’s Safari ranked No. 1 and No. 2 respectively as the most vulnerable third party applications. Mozilla Firefox contained a total of 96 vulnerabilities while Apple’s Safari thus far had 84.

According to the report, both Web browsers outranked Adobe products Reader and Acrobat, which each contained 61 vulnerabilities, as well as Flash Player and AIR, which each contained 51 security flaws.

The most prevalent attack vector during the first 6 months of 2010 was via remote code execution, meaning that hackers could exploit the majority of security flaws remotely with little or no user intervention required. Vendors typically rate vulnerabilities that allow remote code execution attacks with the highest severity rating of “critical.”

The report also points to a decisive upward trend in security vulnerabilities. During the first six months of 2010, researchers have detected 380 vulnerabilities, representing 89 percent of the total number for all of 2009.

And, interestingly, Microsoft does not lead the pack as the most vulnerable “platform”. That honor goes to Apple, which is leading with the highest number of security vulnerabilities reported. Rounding out the top 10 vulnerable platforms are: Oracle, Microsoft, HP, Adobe System, IBM, VMware, Cisco, Google and Mozilla Organization.

Director of Product Marketing

Microsoft Announces New Vulnerability Disclosure Program

Microsoft announced today a change in the way they will be handling vulnerability disclosures with the Coordinated Vulnerability Disclosure (CVD) program.  This is a very interesting article.

Microsoft is coming out and saying the way vendors and security researchers are handling vulnerability disclosures is just not working and is in need of a major overhaul.  I wholeheartedly agree with this.  There has been too much finger pointing between vendors and security researchers.  Microsoft couldn’t have said it better:

Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem. 

In the end, vulnerabilities being disclosed before a solution is available is putting everyone at risk.  I am sure attackers have been chuckling at the “responsible disclosure” debate for years.  Let’s hope that the new CVD program helps mitigate zero-day exploits (and soon).

– Jason Miller

Agentless Patch Scans

I have seen several hits on the support blog regarding searches for scan error codes.  So, today we will discuss what exactly happens during an agentless patch scan.  This is similar to what I would teach in our classroom training.  The goal is to give you a better understanding of what is happening under the hood.  At each step I will describe what the engine is doing.  Where possible you will see validation options which show you how to test equivalent functionality outside our product for troubleshooting and validation purposes.   You will also see possible error codes that would result at that point in the scan.  Each will include troubleshooting steps and possible SKBs that show steps on how to resolve them.  Steps 1-3 have this information.  Step 4 and beyond are written to the DB and tracked via logs.  I will not be stepping into that level of detail in this particular write-up.

Step 1: Machine Resolution – How the machine is added into the machine group determines how resolution of the target occurs.  If we add a machine by Hostname we would discover the machine in the network using its name through NetBIOS (TCP 139) or DirectHost (TCP 445).  If we add a Domain or OU we will query AD and determine a list of names to resolve and once we have the name we will resolve via NetBIOS or DirectHost.  If we add IP addresses or ranges we will resolve via IP to discover machines.  Each method may be useful in different ways. Examples: IP range can be used to do a discovery scan to find machines you may not be aware of.  Using Domain, OU, and IP Range are methods that are dynamically updated each time you do a scan to reduce Machine Group maintenance.

Validation options: Ping, NSLookup

Possible Protect Errors and Troubleshooting options at this step:

–Level 200 Error codes

  • System Pre Reqs.  This is usually a prerequisites issue, although it can be network related as well.
  • Can you PING the machine or NSLookup it by the method you added the machine to the group?
  • NET USE \\MACHINENAME\C$ /user:DOMAIN\USER PASSWORD

Step 2: Connect to Admin Share – Once we have resolved the machine we will connect to its Admin share by connecting to C$ (or whatever the default system drive is; in 6.0 and later you can also utilize a feature to create an admin share on the fly if they have been removed or hidden).  This connection would be equivalent to doing a Net Use \\machine\C$ and browsing the target machine’s file system. There are a few different errors that could result at this point:

Validation Options: Net Use \\machine\C$ /user:domain\username password

Possible Protect Errors and Troubleshooting options at this step:

–Level 300 Error codes

  • 6.x and 7.x: go to Tools > Options > Authentication and check the box to Create a temporary system drive share if none exists.
  • 5.x: Set the value of the following keys from 0 to 1:
    HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer
    HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks
  • MS Articles on Admin Shares that may be of help:
    http://support.microsoft.com/kb/318755
    http://support.microsoft.com/kb/314984

–Error code 451

–Error code 452

Step 3: Connect to Remote Registry – Registry values play a big part in the detection process so we connect to the registry on a machine so we can validate this information.

Validation Options: From the console open Regedit > click on file > Connect to Remote Registry.  When prompted supply the credentials you are trying to scan with.

Possible Protect Errors and Troubleshooting options at this step:

–Level 500 Error codes

Step 4: Determine OS/SP/Language – Once we have established the connection to the machine we can begin the process of detecting what is on the machine.  The first step is to validate what OS edition is running and what service pack level it is at.  This will begin to filter down the scope of what could possibly be required for this machine.  We do a few tests to confirm this information, such as checking DLLs, Reg keys, etc.

Step 5: Determine Installed Products and versions – Note that for a Patch Scan this is not a WMI scan.  We have scripted product detection for each of the products we support, including Registry, Service, and File level checks.  With these Product Detection scripts we determine what products are installed that Shavlik supports scanning for.  The engine knows what products are potentially applicable to the OS/SP that it determined in Step 4.

Step 6: Determine Patch Status – At this point we know what OS/SP is on the machine and what products are installed.  The Patch Engine now has all the info it needs to determine what patches apply to the machine in question.  We can now build the list of vulnerable patches based on information gathered in steps 4 and 5, and scan against Registry and File checks for each potential vulnerability.  (Note: our engine prunes out patches that are not necessary, such as superseded and effectively installed patches, so we do not scan for patches we are not concerned about.  There are options to show superseded patches and effectively installed patches if you choose.  This is in the scan template General tab: check Include effectively installed.)

Step 7: Send result to arrivals – Once the result for a machine is completed we drop it into the arrivals folder to be processed.  The arrivals folder is located under NetChk\DataFiles and is processed by our importer utility into the database on a regular interval.  Agent results are also processed this way.
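The validation options above for Steps 1 through 3 can be run in one pass from the console so a failed scan can be pinned to resolution, admin share, or remote registry before the scan writes to the DB. The script below is an added example written for this post, not Shavlik code; it assumes PowerShell 4 or later on Windows (for Test-NetConnection) and that you supply the same account the scan template uses.

```powershell
# Added example (not Shavlik's code): probe the three connection steps of an
# agentless patch scan with built-in Windows tooling.
# Assumptions: PowerShell 4+ on Windows, run as a user who can reach the target.
param(
    [Parameter(Mandatory)] [string] $Target,            # hostname or IP as added to the machine group
    [Parameter(Mandatory)] [pscredential] $Credential   # scan credentials, e.g. DOMAIN\user
)

$result = [ordered]@{}

# Step 1: machine resolution (Level 200 errors). Name lookup, then the two ports
# used for discovery: NetBIOS session (TCP 139) and DirectHost (TCP 445).
try {
    $result.Resolve = [System.Net.Dns]::GetHostEntry($Target).AddressList[0].IPAddressToString
} catch {
    $result.Resolve = "FAILED: $($_.Exception.Message)"
}
foreach ($port in 139, 445) {
    $tcp = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $result["Port$port"] = $tcp.TcpTestSucceeded
}

# Step 2: admin share (Level 300 errors). Same thing as
# NET USE \\target\C$ /user:DOMAIN\user, using the scan account.
$sharePath = "\\$Target\C$"
try {
    New-PSDrive -Name ScanProbe -PSProvider FileSystem -Root $sharePath `
        -Credential $Credential -ErrorAction Stop | Out-Null
    $result.AdminShare = Test-Path 'ScanProbe:\Windows'
    Remove-PSDrive -Name ScanProbe -Force
} catch {
    $result.AdminShare = "FAILED: $($_.Exception.Message)"
}

# Step 3: remote registry (Level 500 errors). Same thing as Regedit > File >
# Connect Network Registry. Note: OpenRemoteBaseKey uses the identity running
# this script, not $Credential, so run it as the scan account.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    # The same kind of values Step 4 reads to pin down OS edition and service pack.
    $result.RemoteRegistry = '{0} {1}' -f $key.GetValue('ProductName'), $key.GetValue('CSDVersion')
    $hklm.Close()
} catch {
    $result.RemoteRegistry = "FAILED: $($_.Exception.Message)"
}

[pscustomobject]$result
```

The first property that reads FAILED or False tells you which step (and which error level family) to troubleshoot; if all three succeed, the problem lies in Step 4 or later and the scan logs are the next place to look.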

-Chris Goettl
Sales Engineer, Shavlik Technologies

New Microsoft Security Advisory (2286198)

Microsoft released a new Security Advisory (2286198) last Friday affecting the Windows operating system.  A vulnerability exists in the way Windows parses shortcuts that could lead to remote code execution.  The most likely attack vector is through removable drives, although network shares could also play a part.

Even though this is a zero-day exploit with limited attacks, I am not expecting Microsoft to go out-of-band and patch this before the next patch Tuesday in August.  This vulnerability affects all supported operating systems as well as the beta service packs for Windows 7 and Windows 2008.  It is important to note that Windows XP SP2 is not listed as an affected product even though the operating system / service pack level is vulnerable.  This product reached end of life support last patch day.

Microsoft’s advisory page has a few workarounds posted that can help mitigate the risk with this vulnerability.  If you choose to apply these workarounds, it is important to unapply these workarounds as soon as the patch is available.

– Jason Miller

Continued support for patching Windows 2000 SP4 and Windows XP SP2

If you are in a situation where you need continued support for Windows 2000 SP4 or Windows XP SP2, have no fear.  Shavlik will still support scan and deployment to these platforms.  Both have been officially EOLed by Microsoft this month, which leaves many companies in a tight spot.  Whether it is because you need a legacy app to run or just need a little more time to upgrade or migrate systems to newer Operating Systems, you are not alone.  I actually just got off the phone minutes before starting this post with a current Shavlik customer with several thousand machines under management.  They need an additional six months or so before they will be able to move entirely away from Windows 2000 SP4.

So, how can Shavlik continue to help, you ask?

1. We will continue to scan and deploy publicly available patches and SPs for both of these OS/SP levels, with no current end to supporting them in sight.  (We still scan NT4, so rest assured, they are not going away tomorrow. And yes, we still have customers running NT4.)

2. If you have a continued support contract in place with Microsoft to get additional security patches for either of these OS/SP levels, you can use Shavlik NetChk Protect’s Custom Patch feature to build in support for these privately released patches in short order.

3. Resources available to show you how to use Custom Patch: What flavor would you like?

  • Video Training On-Demand – Look in the SOS column on the right, click on 6.5 and Previous, and #8 is a Custom Patch tutorial.  This interface has not changed much since this video was recorded.  I will try to have a new video available soon.
  • In Product go to Help > Index > Custom XML and you will find two articles discussing how this functionality works.
  • Samples! Everyone likes samples.  Especially free samples.  We have a repository of sample files on the forum. (If you have a custom patch you have created please share, instructions on how in the post)
  • Professional Help!  Contact your sales rep and you can line up Rapid Results Web Training to have a Shavlik Engineer assist you in creating a Custom Patch file.  Typically a one to two-hour block will give us plenty of time to train you up on how this functionality works; in the case of a patch from Microsoft, once you are familiar with how Custom Patch works it will take you maybe 20-30 minutes to add a new patch in and test it.

-Chris Goettl
Sales Engineer, Shavlik Technologies

R.I.P Windows XP SP2

Tuesday, July 13…a date which will live in infamy.

Not really, but it is the last date that Microsoft will deliver patches for what may have been its most popular operating system/service pack combo. Yes, it is true. Windows XP SP2 has officially reached end of life. Rest in peace.

This seems to have caught people by surprise. A quick check of the stats from our customer base (both NetChk Protect and IT.Shavlik.com) indicates that about 16% of the target machines managed by Shavlik are running XP SP2 as their operating system.

In a story that appeared on Daniweb by Davey Winder, Qualys estimates that it will take a year before everyone can migrate off XP SP2.

Why should you care? This article from Computerworld sums it up best: You shouldn’t. The vulnerabilities in Windows XP SP2 that Microsoft will no longer fix aren’t your biggest problem. Your biggest problem is the vulnerabilities in non-Microsoft applications like Adobe Reader and Flash, Apple QuickTime, and Sun JRE that you’ve been ignoring for years.

News flash folks: hackers and those with malicious intent to infiltrate your environment and steal sensitive data aren’t focused on Microsoft operating systems any longer. They are targeting 3rd party applications…and in a big way.

From the Computerworld article titled “How to Keep Windows XP SP2 safer after Microsoft stops patching“:

Antivirus vendors McAfee and Symantec have both reported huge surges in attacks exploiting bugs in Adobe’s Reader, one of the most widely-installed plug-ins. McAfee, for example, said that exploits of Reader jumped 65% in the first quarter of 2010 compared to 2009’s total.

There you have it. Wring your hands in angst over the fact that XP SP2 is EOL. But then dust yourself off and start addressing the real threat to your data…unpatched Adobe, Apple, Sun, and Mozilla products.

Think you’re covered? Then I’ll extend a challenge. Register for IT.Shavlik.com. Check 10 machines in your environment (you can scan and patch up to 10 machines FREE). You’re not as patched as you think you are and IT.Shavlik.com will prove it.

— Director of Product Marketing, Shavlik

July 2010 Patch Tuesday Overview

Microsoft has released 4 new security bulletins in the July 2010 edition of patch Tuesday.  These bulletins address 5 vulnerabilities.  It is not uncommon, and has become expected, for a light patch Tuesday to follow a heavy patch Tuesday release from Microsoft.  Last month, Microsoft released a hefty load of patches with 10 security bulletins addressing 34 vulnerabilities.

The security bulletin that administrators should address first on their machines is MS10-042.  This security bulletin addresses a vulnerability affecting the Windows Help system that is currently being exploited in the wild.  Earlier this month, this vulnerability and exploit code was released by a security researcher, prompting Microsoft to release Security Advisory 2219475.  For any zero day exploit, administrators should deploy the patch as soon as possible.

A second Security Advisory, 2028859, is being closed out with the release of Security Bulletin MS10-043.  There are no current exploits being reported by Microsoft against this vulnerability, although the vulnerability was publicly disclosed.  The last two bulletins affect Microsoft Office programs and each can lead to remote code execution on an affected machine.

This may seem like a light patch month in the amount of effort required by administrators to protect their networks, but all administrators could have quite a work load as Windows 2000 and Windows XP SP2 have officially reached end of life support.  These operating systems will no longer be supported after today’s patch Tuesday.  Microsoft will not be supplying new Security Bulletins for these operating systems going forward.  It is important for administrators to use this light patch month to identify these systems on their network and upgrade the machines to a supported operating system or service pack level.  Unlike patching, deploying new operating systems or service packs can be quite an undertaking, as it requires plenty of time and effort.

– Jason Miller