Patch Tuesday, Meet Patch Thursday

There are some critical patches that need your attention today.  Both Adobe and Mozilla released patches addressing critical zero-day vulnerabilities.

Mozilla released patches affecting Firefox, Thunderbird and SeaMonkey.  A critical vulnerability (CVE-2010-3765) was discovered with Firefox on Windows XP systems.  This vulnerability could result in remote code execution.  A patch was released for each of the Mozilla products because Thunderbird and SeaMonkey share the same code base for this vulnerability.  The zero-day vulnerability was the only fix in this release.

On 10/21, Adobe released a security advisory (APSA10-04) for Adobe Shockwave Player 11.5.8.612 and earlier versions.  The vulnerability, CVE-2010-3653, could result in remote code execution.  At the time the security advisory was released, there were no known attacks against the vulnerability.  Adobe updated the advisory yesterday to state that the vulnerability is now a zero-day, as there have been reports of attacks in the wild against it.

Keep an eye on Adobe’s website for the bulletin release today.

**UPDATE**

Adobe released the security bulletin for Adobe Shockwave.  Shockwave Player 11.5.8.615 fixes 11 vulnerabilities.  More information can be found on the bulletin page: APSB10-25.

– Jason Miller

This Week In Patching – 10/22/2010

Sometimes being the Nostradamus of patch releases can backfire on you.  Last week, I had thought we would see new versions of Thunderbird released with all of the other patch Tuesday bulletins.  Well, Mozilla released this week instead.  Chalk this one up to my cloudy crystal ball.

Thunderbird 3.1.5 is a security release addressing:

  • 5 Critical Vulnerabilities
  • 1 High Vulnerability
  • 1 Moderate Vulnerability
  • 1 Low Vulnerability

Thunderbird 3.0.9 is a security release addressing:

  • 5 Critical Vulnerabilities
  • 1 High Vulnerability
  • 1 Moderate Vulnerability
  • 1 Low Vulnerability

Mozilla also made an announcement about the end of life for the Thunderbird 3.0.x product line.  The next release, 3.0.10, will be the last release.  If you use Thunderbird, you should look to upgrade to the 3.1.x product line to ensure you continue getting security updates.  More information can be found on their developer blog.

Mozilla also updated the SeaMonkey product this week as well.

SeaMonkey 2.0.9 is a security release addressing:

  • 5 Critical Vulnerabilities
  • 2 High Vulnerabilities
  • 1 Moderate Vulnerability
  • 1 Low Vulnerability

To round out all of their major products, new versions of Firefox were made available from Mozilla:

Firefox 3.6.11 is a security release addressing:

  • 5 Critical Vulnerabilities
  • 2 High Vulnerabilities
  • 1 Moderate Vulnerability
  • 1 Low Vulnerability

Firefox 3.5.14 is a security release addressing:

  • 5 Critical Vulnerabilities
  • 2 High Vulnerabilities
  • 1 Moderate Vulnerability
  • 1 Low Vulnerability

Last but not least, Adobe released a security advisory on Thursday for the Adobe Shockwave Player.  This advisory affects Shockwave installations version 11.5.8.612 and earlier.  A critical vulnerability (CVE-2010-3653) has been publicly disclosed, but there have been no reports of attacks at this time.  The release date for a bulletin to address the vulnerability has yet to be determined.  Monitor the security advisory APSA10-04 for updates surrounding the release date.

– Jason Miller

Give your systems the flu-shot. Inoculate them with patching.
Every year, shortly after our kids return to school, the Centers for Disease Control (CDC) launches its annual flu vaccination campaign.  Does it work? — I’m a firm believer.  Each year, my family lines up to take a shot and inoculate ourselves against the influenza variants the CDC deems critical.

This evening, that got me thinking as I was reading the lead story on CNN, which highlighted that email spam is down but viruses are up.  After recently talking to some experts at Sunbelt, I can assure you that is true.  Back in 2004, the major Anti-Virus (AV) players had just north of 3,000,000 anti-virus test definitions on the market.  That number grew to 5,000,000 by mid-2007.  That’s a big increase, but as you can guess the story gets more interesting.  By the end of 2009, that number had mushroomed to a staggering 35,000,000 test definitions.  In the span of two and a half years, the test definitions jumped seven-fold.

It’s a new day where we are all vulnerable to viruses, and over the past year we’ve seen viruses take on a whole new severity, with unequivocal evidence that they are growing in sophistication as well as damage.  What typically sought to cause malicious damage to a single machine is now designed to exploit networks and in some cases even attack manufacturing equipment.  To be honest, it’s time for all of us to understand the severity of computer viruses and their scope.

In the years to come, the bad news is that it has to get worse before it gets better.  Thus far, we’ve watched AV definitions continue their exponential growth trend this year, and we have no doubt they will push our safety experts across the entire IT industry into a frenzy trying to keep up.  But back to my original point for this email… with the changing times, using just AV isn’t enough.

The logical complement to Anti-Virus is inoculating your environment.  How do you do this? — It’s actually really simple: viruses exploit security vulnerabilities; as a result, a good patching strategy can ensure you don’t have holes for these nasty viruses to exploit.  Think about that as you get your flu shots this year.

When does the cloud make sense?

If you talk with many small to medium sized businesses (SMBs) about virtualization, unless they are a high-tech company many of them will tilt their heads sideways and deal you a “huh?” response.  The technology, although now mainstream at high-tech companies and enterprises, is still facing an adoption curve as it moves down into the SMB market.  Not surprisingly, the “cloud” debate seems to be taking a path of a different sort, starting with those SMBs who are choosing to skip virtualization altogether and head straight for the cloud.

I was reading some articles recently, and came across an article on Redmondmag.com entitled “Survey: Cloud Benefits Not Clearly Defined” written by Keith Ward (10/14/2010: http://redmondmag.com/articles/2010/10/14/cloud-benefits-not-clearly-defined.aspx), which discussed the value proposition of clouding and cited a survey by Hubspan that found a shockingly large number of businesses still trying to rationalize the cloud.  As he stated, the blog entry from Hubspan went on to say that perhaps the problem is we are supplying too much information around the cloud, and that “it’s sometimes hard to break through the noise.” — A great observation.  Keith Ward continues on to describe the fact that those companies that provide their software via the cloud need to do a better job of explaining why the cloud makes sense.  Again, a point I agree with whole-heartedly.

So now, let’s talk about why the cloud makes sense.  There are a few reasons that we’ve heard loud and clear from our loyal base of a few thousand IT administrators.  There are really two main scenarios that I hear time and time again:

  • I’m an SMB that hasn’t done much with virtualization, but we need to find a way to roll more applications out.  At the same time, the amount of infrastructure we manage is overwhelming.  We need to not have to manage so much.
  • I’m a bigger company that has an IT department serving many departments that require different applications and levels of lifecycle management.  To manage them through my department would be the end of me.

Sure, there are countless other examples of scenarios that are more specific, but when you look at it objectively, I’m seeing lots of SMBs leap-frogging virtualization and going straight to the cloud, and the bigger organizations are doing it to manage diverging requests where virtualization would equate to massive amounts of VM sprawl across their organization.  Thereby, it’s easier to do it in the cloud.  If one of these two scenarios fits your mold, perhaps it’s time you give it a look.

Even with these two value scenarios, I have to tell you the author of this article is dead-on.  Those of us that offer cloud applications or onboarding to the cloud need to be more explicit in delivering our value proposition.  The cloud isn’t the panacea of IT.  It’s merely a distribution mechanism for computing that allows us to manage our equipment and processes less by virtue of attaching to someone else’s world-class systems.

Need Some Java and Opera For Your Patch Day?

Opera and Oracle have joined this massive patch day.

Oracle released Sun Java 6 Update 22 today addressing 29 security issues.

Opera released a new version of their browser, 10.63, addressing 5 security issues.  Opera typically does not release many details about the security vulnerabilities fixed in a release.  But, this security advisory looks very similar to one of the vulnerabilities fixed by Microsoft today.

Oracle also released a large security update for their family of products addressing 85 security issues.

Catch your breath, there are still 3 days left in this patch week.  More vendors could be coming!

(I’ll give you a hint.  It rhymes with ‘Mozilla Thunderbird on Thursday’.)

– Jason Miller

October 2010 Patch Tuesday Overview

The October 2010 version of Microsoft Patch Tuesday is a large one, with Microsoft releasing 16 bulletins that address 49 vulnerabilities.  Both of these numbers are new all-time highs for Microsoft.  The most alarming number for most administrators will be the 49 vulnerabilities being addressed.  But, 26 of these vulnerabilities are addressed in 2 Microsoft Office updates and 12 vulnerabilities are addressed in the Internet Explorer cumulative update.

With today’s Patch Tuesday Microsoft has released 86 new security bulletins year-to-date.  Compared to previous years, you can see this number has far exceeded any previous total:

  • 2009 – Total 74 security bulletins
  • 2008 – Total 78 security bulletins
  • 2007 – Total 69 security bulletins

A common question asked is ‘Why are there so many bulletins and vulnerabilities being released/updated by Microsoft?’

There are a couple of factors that are coming into play for this.  First, Microsoft is the grandfather of patching and has spent years refining their process to develop the mature patching process we see today.  Second, Microsoft is working closer than ever with security researchers in their Coordinated Vulnerability Disclosure (CVD) program.  By working with researchers, Microsoft is closing the gap on the time to release fixes for vulnerabilities found.  This is a key factor that a lot of people have been asking for, so we shouldn’t be too surprised that we are seeing an uptick in security bulletins.

For the October 2010 Patch Tuesday, there are two bulletins that administrators should be looking to patch immediately.  MS10-071 is the bi-monthly cumulative update for Internet Explorer.  This bulletin fixes 12 vulnerabilities.  With the critical vulnerabilities in this bulletin, navigating to a malicious website can lead to remote code execution.  With any web browser vulnerability, it is critical to patch as soon as possible.  One of the most common attack vectors is malicious websites that exploit unpatched browsers.

MS10-076 affects Embedded OpenType Font and can lead to remote code execution.  Like MS10-071, navigating to a malicious website with an unpatched system can result in remote code execution.  The result of exploiting the vulnerability with this bulletin can vary depending on what operating system you are running.  Newer versions of the Microsoft Windows operating system, Windows Vista and higher, have ASLR (address space layout randomization) built in which makes this vulnerability more difficult to attack.

Two bulletins rated important may be a higher priority depending on a corporation’s network composition.  MS10-077 affects the .NET Framework and can lead to remote code execution by navigating to a malicious website on an unpatched system.  It is important to note that this vulnerability only affects 64-bit operating systems.  If your network contains mostly 64-bit operating systems, you will want to raise the criticality of this bulletin.  MS10-075 affects Windows Media Player and should be considered critical for home users.  A vulnerability exists in the Media Network Sharing service.  By sending a malicious Real Time Streaming Protocol network packet to an unpatched machine, an attacker can take control of the machine.  There are some key factors for this vulnerability that lower the risk for corporate machines.  The attack must be carried out on the local network.  Also, machines joined to a domain, as on most corporate networks, are not vulnerable.
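The two network-composition checks above (64-bit share for MS10-077, domain membership for MS10-075, plus the Vista-and-later ASLR note for MS10-076) can be inventoried from a management workstation.  The script below is an added example, not Shavlik’s or Microsoft’s code; it assumes WMI/RPC access to each host, and the host names are placeholders you would replace with your own.

```powershell
# Added example: classify machines for MS10-077, MS10-075 and MS10-076 priority.
# Assumes WMI is reachable on each host. Host names are constructed placeholders.
$hosts = @('workstation01', 'workstation02')

$results = foreach ($h in $hosts) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $cs  = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $h -ErrorAction Stop
        $cpu = Get-WmiObject -Class Win32_Processor       -ComputerName $h -ErrorAction Stop |
               Select-Object -First 1
    } catch {
        Write-Warning "Could not query $h : $_"
        continue
    }

    # Win32_Processor.AddressWidth reflects the running OS (32 or 64) and, unlike
    # Win32_OperatingSystem.OSArchitecture, is populated on Windows XP as well.
    $is64         = ($cpu.AddressWidth -eq 64)
    $domainJoined = [bool]$cs.PartOfDomain
    # Windows Vista and later are NT 6.x and ship with ASLR.
    $hasAslr      = ([version]$os.Version).Major -ge 6

    New-Object PSObject -Property @{
        Host         = $h
        OS           = $os.Caption
        Is64Bit      = $is64
        DomainJoined = $domainJoined
        # MS10-077 only affects 64-bit operating systems.
        MS10_077     = if ($is64) { 'Raise priority' } else { 'Not affected' }
        # MS10-075: domain-joined machines are not vulnerable; standalone ones are.
        MS10_075     = if ($domainJoined) { 'Not vulnerable' } else { 'Treat as critical' }
        # MS10-076 is critical everywhere; ASLR only raises the bar on Vista and later.
        MS10_076     = if ($hasAslr) { 'Critical (ASLR present)' } else { 'Critical (no ASLR)' }
    }
}

$results | Format-Table Host, OS, Is64Bit, DomainJoined, MS10_077, MS10_075, MS10_076 -AutoSize

# Fleet-wide 64-bit share: a high value is the cue to raise MS10-077 across the board.
$total = @($results).Count
$pct   = if ($total -gt 0) { [math]::Round(100 * @($results | Where-Object { $_.Is64Bit }).Count / $total) } else { 0 }
"64-bit share of inventoried machines: $pct%"
```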

A common theme in this month’s Microsoft bulletin release is older software.  Older versions of Microsoft software have a number of vulnerabilities that do not affect newer software.  When looking at patch management, administrators should consider upgrading software whenever possible.  This can reduce attack vectors, as the most recent versions of software have additional lines of defense.

  • MS10-071 – Internet Explorer 7 and 8 are not affected by some of the vulnerabilities.
  • MS10-076 – Windows Vista and higher have ASLR built in, making the vulnerability harder to exploit.
  • MS10-079 – Office XP is affected by a majority of the vulnerabilities, where newer versions are not affected.
  • MS10-080 – Office 2010 is not affected by the vulnerabilities, and most of the vulnerabilities only affect Office XP.

There are three bulletins this month that affect 3rd party (non-Microsoft) software.  With these bulletins, the vulnerabilities exist in the Microsoft operating system.  However, Microsoft’s own software is not affected and cannot be used to exploit them.  An attacker must go through the third party product on unpatched systems.  MS10-081 and MS10-082 affect non-Microsoft web browsers.  MS10-074 affects third party zip programs.  Patching the operating system will close these vulnerabilities.

– Jason Miller

NetChk Protect 7.6 On-Demand Training Available

Hey Everyone,

We have uploaded the new video content for NetChk Protect 7.6.  The 7.5 content plus the 7.6 additions together make up the current full set of videos for 7.5 and later users.  The 7.5 videos are roughly the same on either version.  The 7.6 videos are specific to new functionality for that release.

You can find the on-demand training as well as other great product content if you go to the Shavlik website and hover over or click on Support & Training.

Regards,

Chris Goettl
Agile Product Owner
Shavlik Technologies

October 2010 Patch Tuesday Preview

As expected, Microsoft is releasing a large number of bulletins for the October Patch Tuesday.  Typically, Microsoft follows a light month of patches with a heavy month of patches, although last month’s “light” patch month contained 9 new bulletins.  Microsoft announced today they will be releasing a whopping 16 new security bulletins addressing a total of 49 new vulnerabilities.  This month will be particularly challenging for administrators as most patch scenarios will hit every machine on a network.

Bulletin Detail Breakdown

  • 4 Bulletins Rated Critical
  • 10 Bulletins Rated Important
  • 2 Bulletins Rated Moderate
  • 10 Bulletins can lead to Remote Code Execution
  • 3 Bulletins can lead to Elevation of Privilege
  • 1 Bulletin can lead to Information Disclosure
  • 1 Bulletin can lead to Denial of Service
  • 1 Bulletin can lead to Tampering

Affected Products

  • All supported Microsoft Windows Operating Systems
  • Internet Explorer
  • Office XP, 2003, 2007, 2010 (Word, Excel)
  • Word Viewer
  • Excel Viewer
  • SharePoint Services 3.0
  • SharePoint Foundation 2010
  • SharePoint Server 2007
  • Groove Server 2010
  • Office Web Apps

If you have not addressed the out-of-band bulletin released by Microsoft last week (MS10-070) and the Adobe critical release for Flash, Reader and Acrobat, you should add these to your patch cycle this month.

More details to come Tuesday with the full bulletin detail announcement from Microsoft.

– Jason Miller

Shavlik NetChk Protect v7.6 Now Available

For those of you who use our NetChk platform, you know the power behind Shavlik’s IT solutions.  Designed to reduce the complexity of IT management, Shavlik products are engineered to accelerate users’ time to value from months to minutes, and NetChk 7.6 is no exception.

Malware growth has exploded over the last few years and with new malware types on the rise, it’s up to the IT departments to be nimble and find ways to protect their network with limited budgets.  How can Shavlik help? Shavlik’s NetChk 7.6 allows users to take control of their network and manage the critical tasks of patch management, antivirus and power management from the same console at a cost lower than the average antivirus software.  Shavlik NetChk Protect 7.6 offers new features and enhancements for greater enterprise-level functionality and simplified endpoint management.

For more details about the features and benefits of NetChk Protect 7.6, visit our Product Blog at http://supportteamblog.shavlik.com/ or watch the Shavlik on demand webinar at http://www.shavlik.com/webinars.aspx.
For information on current NetChk Protect promotions, please check out our recent offers.

Nicole Amsler
Shavlik Technologies

Cloud as a Strategy (CaaS) : How to adopt the cloud safely

Recently, I was asked to comment on a story for a reporter regarding how Small to Medium sized Businesses (SMBs) should use “free trial” offers to determine if they should cloud their applications.  What started out as a small response, in which I caution organizations to use free trials very carefully, soon snowballed into a long diatribe about appropriate Cloud Strategy on-boarding management.  Shortly after the interview, this issue arose in our community, and as such I am reposting the response to our blog.

All cloud providers today are incented to offer free cloud subscriptions due to their cost to serve.  Naturally, they have to build an infrastructure capable of supporting their targeted distribution and sales goals and for each customer they bring on, that cost to serve number drops as you distribute their fixed cost for hosting across the larger number of subscribers.

To be honest, this economic relationship creates some problems in that cloud providers offer trials that are billed as “Trials” but in fact are designed to get you hooked on their product.  As a result, don’t mistake “Free Trial” for “Risk-Free”: as is often the case, you’ll have to make some change to your infrastructure to support the free trial, which in many cases means adjusting key infrastructure elements of your network, like your mail MX record or perhaps your proxy-location information, to pipe the information to a cloud provider.

To that end, we at Shavlik recommend people first buy into the Cloud as a Strategy as opposed to Cloud as a Tactic.  (And given our acronym-filled industry, it seems apropos that we abbreviate this as CaaS.)  Many organizations believe Cloud is a “Just add water and stir” experience when in fact it is not.  Making sure an organization has properly evaluated the effect of clouding aspects of their business is key.

If your organization has bought into the CaaS approach, we recommend you start by trialing low-risk applications in the cloud.  How do you figure out what low-risk is? — It’s simple.  Imagine a continuum between low-risk and high-risk that simply aligns with your business functions.  You might decide, for example, that with Infrastructure as a Service (IaaS) providers the sheer risk to your business of taking an infrastructure-level element and clouding it up front is too expensive.  At the same time, perhaps there is a lightly used application, like expense management, which is used on demand, where you can start.  If the application itself is down, really… who is going to notice.

Here at Shavlik, what we recommend for those serious about clouding is that you create a risk-reward matrix: one that looks at the risk to the business versus the cost to implement.  Using this model, if you can find applications that are low-risk to the business and easy to implement, this is where you start.  We’ve depicted this grid below.

Application to Cloud Risk Assessment Matrix

If you hit this point and you have trialed a cloud service, CONGRATULATIONS! — You have gone farther than most.  Now it’s time for you to learn what you can from the experience.  Here’s what’s key:

  • Did it work? — Did you properly predict the value of the service?
  • How was it accepted? — Did your team implement it without political issues?
  • How did your users receive it? — Did you meet much user resistance?

If you breezed through it, it’s time to move onto bigger and better clouding projects.

Speaking from experience, we’ve managed to cloud more than 50% of Shavlik’s infrastructure.  Today, our email, our CRM, our infrastructure, our HR systems and our financial packages are all in the cloud.  The value you got above in the “green” quadrant is only a fraction of what you’ll get when you get to the “red” one, but when you master the art of clouding and implementation, I assure you the “clouding” strategy will lead you to “clear skies”.

Writer’s note:  For any private thoughts or ideas you would like to see addressed, either log in to our IT community or email rob.juncker@shavlik.com.