Don’t let your antivirus solution stink up your network

Think of your computer’s password like a toothbrush: you use it every day but don’t share it with anybody else. Then compare your antivirus software to deodorant. Everybody should use it. Period.

The Internet continues to be infiltrated daily with newly introduced and existing spyware, malware, bots, rootkits and worms that are not being cleaned up. Today’s top threats continue to prove this point. Stats report that the top threats being exploited this month are:

Backdoor.Tidserv
This was initially detected in 2008 as a Trojan that uses an advanced rootkit to hide itself. The current variant infects 64-bit machines (as well as 32-bit); it also infects the MBR (Master Boot Record), gaining control before the operating system is loaded.

Conficker
Conficker (aka Downadup, Kido) blocks access to more than 100 anti-virus and security websites. It can be detected as malware and, after removal, kept from returning by applying patch MS08-067. The Conficker eye chart assists in detection of the worm. I encourage you to run this eye chart to see if your network environment is infected: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Multiple Adobe Products Remote Code Execution Vulnerability
Adobe has released special out-of-cycle security updates to patch critical vulnerabilities in Adobe Reader and Acrobat X (10.0.2), including earlier 10.x and 9.x versions for Windows and Mac. The announcement was Adobe’s second in four weeks concerning a zero-day vulnerability.  Adobe says there are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an e-mail attachment.

Windows RPC Denial of Service
This threat has been detected and updated on systems as far back as Windows NT 4.0 Service Pack 6a. The recent update fixed a vulnerability that could allow remote code execution because of the way the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights (CVE-2011-0034).

The weakest link in your network is the unprotected computer that may be connected to but not necessarily logged into the “domain.” Utilizing a “layered” security approach is the best methodology but, after you get past the multiple firewalls, SMTP Gateways, Network Intrusion Detection Systems, Network Intrusion Prevention Systems, Host Intrusion Detection Systems, and Personal Firewalls, the antivirus software is still a line of defense that must stay in place and updated, guarding the local Operating System.

As threats grow smarter and stronger, the antivirus solution needs to be faster and able to detect malicious behavior. To remediate suspected intruding code, it must either quarantine or delete it quickly and efficiently, and then notify the user of the potential infection.

The antivirus detection methodology needs to know the “family” association of the threat and understand its behavior by nature and during its execution. The antivirus solution needs to know the patterns and the characteristics of the threat as well as the packages it disguises itself in. If a generic signature can match the pattern of the threat, it can be unmistakably identified and dealt with.

In addition to the above requirements for an effective antivirus solution, all of this needs to be done with minimum impact on system performance. This allows the operator to continue working, unaffected by the security defending their data. The necessary function of antivirus can be effective and efficient.

In conclusion, the necessity of an antivirus solution is obvious in even the most basic computer security implementation, and all of the points made in this discussion should help establish the criteria for including an antivirus product as part of your layered approach to security. Do this and you won’t be left holding your nose.

– Kim Fors
Shavlik Technologies

Patch Management and the Challenges Facing our Educational Institutions

I have been in the IT management and IT security space for many years, and have had many discussions with IT staff in educational institutions about the same challenge they all face, keeping their networks secure.  Obviously patch management is very important for educational institutions but it’s often overlooked…or done in a less than effective manner.

Most educational institutions (specifically their IT departments) are continually struggling to maintain adequate levels of funding and manpower resources to ensure a reasonable level of service to their end users, especially when the user-to-administrator ratio continues to increase!

By introducing the proper level of automation, specific to the issues associated with effective patch management, educational institutions and their respective IT staff will see immediate and measurable savings, both in the recovery of time and in the cost savings associated with implementing a more automated approach to patch management.

Things to Consider

When you begin the process of considering how to automate any process, and in this case the patch management function, there are some key things to consider:

1) How much time and effort will be required, specific to injecting an automated tool into the current “Patch Management” process flow?

What to look for: When implementing a new patch management process, you’ll need to look for a solution that is both easy to set up and use, as well as technology that provides comprehensive patch assessment and remediation capabilities…all at an affordable price!

2) The next thing you’ll need to evaluate is what your risks are if the patch management process isn’t further automated.

What to look for: A tool or service that will provide an accurate assessment of your “overall patch risk,” with the ability to assess for both Microsoft and Non-Microsoft applications alike, as well as the ability to discover and assess virtual machines.

3) Another important factor to consider centers around the “return on investment.” As you begin testing solutions that will help you automate the patch process, the solution you select should enable you to clearly measure time savings, improved productivity, and the impact the new automation has on the current overall process costs.

What to look for: As you carefully consider any solution, you should look for technology that will provide the proper level of patch coverage, as well as a solution that will offer a very rapid and measurable reduction in the time you currently spend performing the patch management process. By injecting a higher degree of automation into the patch process, the savings you’ll realize will be significant!

In summary, for any educational institution that is looking to find ways to “do more with less” while at the same time dealing with the very complex requirements associated with patch management, automation is the key to providing relief!

Dave Eike
Shavlik Technologies

Banking on Cloud-Based IT Management

Financial institutions have an immense responsibility to ensure that their networks are secure and that their customers’ data is properly protected. The larger banks have sizable IT departments and considerable resources dedicated to addressing vulnerabilities and maintaining network operations. However, small and mid-sized banks have to meet the very same IT network requirements but often don’t have sufficient resources, making IT management an enormous challenge. It can be done, though. By implementing automated, cloud-based solutions to proactively manage some of the vital but mundane and time-consuming tasks, IT staff can be freed up to focus on more important projects.

In a recent blog, I shared how one small bank turned to a cloud-based solution and saw impressive results.  This isn’t the end of the story.  You can find out more about the results Integrity First Bank achieved by downloading a new white paper that discusses the IT challenges faced by small and mid-sized banks, and how a cost-effective solution like IT.Shavlik can help a small IT department work more efficiently, while enhancing security and compliance.

Dave Eike

NetChk Protect 7.8 Patch 1 now available

NetChk Protect 7.8 Patch 1 is now available and can be downloaded from our downloads page.  Or you can download it directly by clicking here.  The Patch will be released via Shavlik XML as a Patch for NetChk Protect 7.8 in the next couple of weeks, making it available to automatically scan for and deploy from the console.

The following issues have been resolved in this patch release:

  • Resolved issue with the custom patch editor after saving new XML, where the user became unable to access the custom patch editor
  • Enhanced disable AP feature.  If the admin checks the Disable Active Protection box on the General Tab, this will disable the permanent and temporary disable options in the Agent.
  • Resolved custom action functionality post reboot
  • Resolved issue where deploying service packs from an agent upgraded from 7.6 SP doesn’t deploy
  • Resolved issue with Agent SP Deployment, where users using Distribution Servers can’t deploy some SPs
  • Resolved issue with mounting VMs, where users were not able to mount VMs with datacenters under a folder
  • Resolved issue when deleting a patch task from a copy of Agent Policy
  • Resolved issue where Agents fail to download patches/service packs when the BITS Service is configured to have a startup type of ‘Disabled’
  • Resolved issue where Managed machine resolver does not exclude by IP address correctly
  • Resolved issue where, after scanning and trying to deploy missing patches, the user can’t use the Buy Licenses button
  • Resolved deployment failure of office patches with install point

If you have any questions or need any assistance regarding this patch, please contact support@shavlik.com.

Regards,

Chris Goettl
Product Owner
Shavlik Technologies

Microsoft Updates Coordinated Vulnerability Disclosure Program

Today, Microsoft released an update to their Coordinated Vulnerability Disclosure (CVD) program. The CVD program aims to streamline how vulnerabilities are disclosed, addressed by the vendor and coordinated with security researchers.

For some time now, there has been a massive and quite ugly debate over Responsible Disclosure versus Full Disclosure when it comes to software vulnerabilities.  The main difference between the two comes down to how and when software vulnerabilities are disclosed to the public.  If a vulnerability is disclosed before a vendor can patch the flaw, the vulnerability is considered a Full Disclosure vulnerability.

I am not going to say what side of the argument I have been on to this point as this shift in Microsoft’s philosophy has changed my stance on the subject.  A change is needed in the security industry on vulnerabilities, and Microsoft is stepping up to the challenge of bringing the security community together.  This effort to truly coordinate the disclosure of vulnerabilities is a turning point in software security and I am not surprised Microsoft is taking the lead.

First, Microsoft has released the Coordinated Vulnerability Disclosure at Microsoft documentation covering its policies and procedures for vulnerabilities. This document fully describes the steps and actions Microsoft is going to take in regard to vulnerabilities. The document is very thorough and definitely worth reading.

Second, Microsoft is making the effort to work with third-party (non-Microsoft) vendors and security researchers to close the gap on vulnerability disclosure.  This has been one of the challenges to date on the vulnerability disclosure subject.  Working cooperatively with both vendors and researchers, the MSVR group will utilize their resources to jointly work on issues that affect multiple vendors.

In this joint effort, Microsoft will now be supplying “Microsoft Vulnerability Research Advisories” (MSVR). These advisories will be published once the affected vendor has addressed the vulnerability.

Already today, the MSVR program is showing the value of working together on vulnerabilities, as Microsoft has just released two new “Microsoft Vulnerability Research Advisories.”

MSVR11-001
– Affecting Google Chrome

MSVR11-002
– Affecting Google Chrome and Opera

In both cases, Microsoft researchers found vulnerabilities in third-party software. Microsoft worked with all affected software vendors by supplying information confidentially to the vendors and coordinating a release effort with both. After both vendors supplied patches for the vulnerability, Microsoft released the security advisories. The advisories are very similar to Microsoft Security Advisories (advisories that apply to Microsoft products). The advisories include the following information:

  • CVE Information
  • The severity of the vulnerability
  • How the vulnerability might be attacked
  • What could happen if the vulnerability is attacked
  • Suggested actions or workaround

At the end of the day, researchers and software vendors, whether Microsoft or non-Microsoft, are all on the same side when it comes to vulnerabilities and protecting systems.  This update of the CVD program at Microsoft should just be the little push in the back the industry needs to get a leg up on attackers exploiting zero-day vulnerabilities.

– Jason Miller

The Brave New World of SaaS

If there’s one upside to the dire global economy over the last few years, it’s that there’s been a greater desire to save money and make better use of the existing resources (human and capital) by companies around the world.  And that business trend has led to greater adoption of software-as-a-service (SaaS) by businesses in the U.S. and around the world. The facts support this trend: Analyst firm Gartner estimated that virtual IT delivery was going to be about a $9.6 billion industry in 2010, quickly growing to $16 billion a few years in the future.

Virtualization and SaaS make sense from a number of perspectives – cost savings, efficiency and enabling companies to focus on their core business rather than the behind-the-scenes IT complexities. These benefits are easy to comprehend.  However, there are still factors that are preventing companies from taking that step into the brave new world of SaaS.

Gartner Research Director Sharon Mertz noted that concerns about data security, questions about scalability, apprehension about whether vendors will be around for the long-haul and existing investments in IT staff or capital for applications have given some companies pause about utilizing SaaS offerings. But as the industry matures, these concerns are becoming less valid.

Security, in particular, is one aspect where companies are finding that they can do better with a SaaS model than by maintaining their own in-house operations. In Infonetics Research’s biannual Managed Security Services and SaaS report from September 2010, principal security analyst Jeff Wilson noted that:

“The big story in the managed security space continues to be SaaS. We forecast SaaS for security revenue to increase dramatically, at a compound annual growth rate of 31 percent from 2009 to 2014, the highest CAGR in this market by a mile. The time for SaaS has come, and the strong growth forecast is driven by a mix of increased demand (with a boost from the poor economy) and greatly increased availability from a wide variety of providers, including network providers, security specialist service providers, large content providers, and product manufacturers.”

The global demand for managed security services/SaaS from organizations of all sizes is a result of a number of trends, Infonetics noted, including the proliferation of security threats, complexity of current security solutions, and the widespread use of so many different devices, platforms and applications.

As companies grow more comfortable with SaaS offerings and see the benefits – from efficiency and cost savings to outsourced expertise – that they can deliver, there’s no doubt that we’ll see the wave of virtualization flow from North America, into Europe and across Asia.

Ed Peek
VP, Worldwide Sales

April's Patch Tuesday Gets Even Bigger

********** UPDATE **********
RealNetworks has released the details on their security bulletin.  The new version of Real Player fixes two vulnerabilities.  More information can be found here.
*******************************

Non-Microsoft vendors are joining in on Microsoft’s Patch Tuesday.

RealNetworks is planning to release a new version of the RealPlayer program today.  We have seen a download available for RealPlayer, but the security update page has not been updated.  Keep watching RealNetworks for a security update today.  The advanced notification from RealNetworks can be found here.

Opera released version 11.10 of the Opera browser. This is a non-security update.

Add these two products to the 17 Microsoft security bulletins and 2 Microsoft security advisories that were released, and you have an even longer week of patching.  We will keep watching the patching skies for more patches dropping on us.

– Jason Miller

April 2011 Patch Tuesday Overview

Microsoft has released 17 new security bulletins for the April 2011 edition of Patch Tuesday.  These security bulletins address a record 64 vulnerabilities.  There are three bulletins that administrators should address immediately.

First, Microsoft is releasing their bi-monthly update for Internet Explorer. MS11-018 fixes five vulnerabilities. Two of the vulnerabilities addressed with this security bulletin are zero-day vulnerabilities. Just yesterday, Microsoft’s MSRC tweeted about reports of limited attacks on one of these zero-day vulnerabilities. It is extremely important to patch as soon as possible, regardless of which browser you are running. Web browsers are still, and will continue to be, one of the most common attack vectors. The urgency to patch gets exponentially bigger when zero-day exploits against web browsers are actively being used. It is important to note, however, that the newly-released Internet Explorer 9 browser is not affected by this security bulletin.

The next bulletin that should be addressed immediately is MS11-020.  A vulnerability exists in Microsoft’s SMB Server on all supported Microsoft operating systems.  An attacker could send malicious network traffic to an unpatched system resulting in remote code execution.  This bulletin is particularly alarming as this vulnerability could be a potential “wormable” exploit.  The vulnerability can be exploited while unauthenticated.  In other words, an attacker only needs to get to an unpatched machine with no user interaction required for exploitation.  Keep a watchful eye on this vulnerability.  The last time we saw a major worm against a vulnerability such as this one was the Conficker virus, when the patch for the vulnerability was released in October of 2008.  It was four months until a major virus attacked the vulnerability.

The last bulletin that should be addressed immediately is MS11-019. A vulnerability exists in the SMB client on the Windows operating system. If a client system makes a connection to a malicious SMB server, an attacker could take complete control of the system. With this vulnerability, user interaction is required. An iFrame exploit that points a user to a malicious SMB server is an example of how this vulnerability could, and more than likely will, be exploited.

MS11-026 addresses a vulnerability with MHTML. This security bulletin closes out Security Advisory (2501696), released by Microsoft in January 2011. There have been reports of this vulnerability being publicly exploited. Microsoft did supply a workaround for the vulnerability that disabled MHTML functionality. If the workaround has been applied, it should be removed to return MHTML functionality to end users.

One question that will undoubtedly come up this month is:  Why are there so many vulnerabilities being fixed this month?  One reason is that MS11-034 addresses 30 of the 64 vulnerabilities this month.  This bulletin covers three core vulnerabilities.  The remaining 27 vulnerabilities relate to the core vulnerabilities.

Also of note, Microsoft has released two new security advisories this month. Both advisories supply non-security updates that apply defense in depth to Microsoft software. First, Microsoft released Security Advisory KB2501584. This advisory introduces new functionality to Office 2003 and Office 2007. This defense measure gives Microsoft Office the ability to pre-screen documents as they are opened, which will prevent some malicious documents from exploiting a machine. This feature was originally introduced in Office 2010; Microsoft has backported the functionality to older versions of the Office program.

The second Security Advisory (KB2506014) hardens the Windows operating system against kernel-mode rootkits.  This update will break the hiding mechanisms of rootkits such as Alureon.  With any update to the Windows kernel, the update should be tested thoroughly to ensure the patch does not adversely affect the operating system.

On the non-Microsoft front, Adobe released a new security advisory (APSA11-02) for Adobe Flash, Reader and Acrobat. A vulnerability is being actively exploited in the wild for Adobe Flash. There have been no reports of exploits against Adobe Reader and Acrobat to date. Watch for an update to Adobe Flash coming very soon. In addition, you can expect a quick update to the Google Chrome browser. Google Chrome bundles Adobe Flash with the installation of the browser, and in the past Google has timed its releases to coincide with Adobe’s Flash vulnerability fixes. Adobe is reporting that the Adobe Reader X program prevents the exploit from executing, so they are waiting to release an update for that program until their next quarterly update, scheduled for next June.

I will be going over the April 2011 patch Tuesday in depth with our monthly patch Tuesday webinar.  You can register to attend it here.

 – Jason Miller

Usability Improvements for Shavlik NetChk Protect

Hey All,

We are about to go to the drawing board regarding our 1st Half 2012 release of NetChk Protect.  I have been reviewing feature requests from our customers and lining up a few possible usability improvements that we are considering for this release.  I wanted to share them with you and get some feedback.

Usability Improvements:

  • Scan filter by vendor severity. NetChk Protect has always had the ability to scan by user-set criticality, but it requires a bit of maintenance to keep it up to date. For customers who have a mandate to always deploy all critical patches, it would be convenient to use the Vendor Severity as a filter in the scan template.
  • Patch Group feature to prune superseded patches from the patch group.  For those of you who implement Patch Groups to create an approval process for patching your machines, one issue a lot of customers run into at some point is cleaning out superseded patches as time goes on.  What I am proposing here is a two-part feature.  In the Patch Group there would be a button that you can click to manually kick off the process of evaluating all patches in the patch group and pruning any that are superseded by an additional patch that you have added to the Patch Group in question.  Each month you would add new patches then click the remove superseded patches button and they are cleaned out as needed.  The second part would be an option to automate this process.  Next to the manual cleanup button there could be a check-box that will automatically clean up anytime you add a patch to the patch group.  From the Machine View, Scan View, and Patch View you can right click and add patches to a patch group.  This would automate the cleanup of the patch group in question any time a patch is added to the group.
  • Edit Machine Name, IP Address, Domain in Machine Group. One request that has come up a number of times is the ability to right click on an item in the Machine Group and edit the value. We would have to limit the edit to specific fields, as some of the container types like OU could get rather complex to edit and are easier left to remove/re-add, but Machine Name, IP, and Domain would be possible to right click and edit without having to remove and re-add to the group.
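The two-part supersedence pruning feature described in the Patch Group item above, modelled as an added example (this is not NetChk Protect code; the catalog dictionary, the placeholder patch ids and the class names are constructed assumptions standing in for supersedence data that would normally come from the Shavlik XML):

```python
# Added example (not Shavlik's code): a model of the proposed Patch Group
# "remove superseded patches" button and its automatic check-box variant.
# Supersedence data normally comes from the vendor patch catalog (for
# NetChk Protect, the Shavlik XML); here it is a constructed dictionary.

# Constructed sample catalog: patch id -> ids that patch directly supersedes.
# The ids are invented placeholders, not real bulletin or KB numbers.
SAMPLE_CATALOG = {
    "KB-A1": set(),          # first release for product A
    "KB-A2": {"KB-A1"},      # replaces A1
    "KB-A3": {"KB-A2"},      # replaces A2 (and therefore A1 transitively)
    "KB-B1": set(),
    "KB-B2": {"KB-B1"},
}


def superseded_by(patch_id, catalog):
    """Return every patch id that `patch_id` supersedes, directly or
    through a chain of earlier patches (A3 -> A2 -> A1).

    A visited set guards against cycles in a malformed catalog, so the
    walk always terminates; a patch never supersedes itself."""
    seen = set()
    stack = list(catalog.get(patch_id, ()))
    while stack:
        old = stack.pop()
        if old in seen:
            continue
        seen.add(old)
        stack.extend(catalog.get(old, ()))
    seen.discard(patch_id)
    return seen


class PatchGroup:
    """A patch approval group with manual and optional automatic pruning."""

    def __init__(self, catalog, auto_prune=False):
        self.catalog = catalog
        self.auto_prune = auto_prune   # the proposed check-box
        self.patches = set()

    def add(self, patch_id):
        """Add a patch (the right-click 'add to patch group' action).
        With auto_prune on, superseded members are removed immediately;
        the ids removed are returned so the console can report them."""
        self.patches.add(patch_id)
        return self.remove_superseded() if self.auto_prune else []

    def remove_superseded(self):
        """The manual button: drop every member that some *other member*
        of this group supersedes. A patch superseded only by something
        not in the group is kept, because the group is an approval list
        and nothing approved would replace it."""
        dead = set()
        for p in self.patches:
            dead |= superseded_by(p, self.catalog) & self.patches
        self.patches -= dead
        return sorted(dead)


def monthly_cycle():
    """Walk through the workflow and return the group plus what was pruned."""
    group = PatchGroup(SAMPLE_CATALOG)
    group.add("KB-A1")
    group.add("KB-B1")
    # Next month A3 arrives. A2 was never added, but A3 still supersedes
    # A1 through the chain, so the manual cleanup removes A1.
    group.add("KB-A3")
    removed_manual = group.remove_superseded()          # ['KB-A1']
    # Switch on automatic cleanup; adding B2 prunes B1 on the spot.
    group.auto_prune = True
    removed_auto = group.add("KB-B2")                   # ['KB-B1']
    return group, removed_manual, removed_auto


if __name__ == "__main__":
    g, manual, auto = monthly_cycle()
    print("manual cleanup removed:", manual)
    print("automatic cleanup removed:", auto)
    print("remaining approved patches:", sorted(g.patches))
```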

One thing that helps drive features is interest from our customers.  These three come up often from Shavlik Support and Engineers as pain points for customers, but we do not get many feature requests for them.  For those of you who are not aware you can submit feature requests at Shavlik.FeatureIdea.com.  Visit this site and share your ideas about what you would like to see in Shavlik’s products.

If you are interested in any of the three above feature ideas please let us know.  Cast your vote by doing the following:

Step 1
Go to shavlik.featureidea.com

Step 2
Copy and paste the item above you are interested in (or expand on the above ideas)

Step 3
Enter the other required fields and submit

Regards,

Chris Goettl
Product Owner
Shavlik Technologies

Spring Has Sprung, and so has the Microsoft Security Bulletin Count

Microsoft just released their Patch Tuesday Advanced Notification for April 2011.  Microsoft plans to release 17 new security bulletins addressing 64 vulnerabilities.  So far this year we have gotten off pretty easy from Microsoft Patch Tuesdays.  However, the upcoming Patch Tuesday will be another day to remember.  This month will tie the record for the most security bulletins released by Microsoft at one time.  In December of last year, Microsoft also released 17 security bulletins.  On the vulnerability front, yes, we have another Microsoft record.  With Microsoft fixing 64 vulnerabilities, they will surpass the previous Microsoft record of 49 vulnerabilities fixed in October of last year.

Bulletin Breakdown:
– 9 bulletins are rated as Critical
– 8 bulletins are rated as Important
– 16 bulletins address vulnerabilities that could lead to Remote Code Execution
– 1 bulletin addresses a vulnerability that could lead to Elevation of Privilege

Affected Products:
– All supported operating systems
– Office XP, 2003, 2007
– Excel XP, 2003, 2007, 2010
– PowerPoint XP, 2003, 2007, 2010
– Excel Viewer
– PowerPoint Viewer, 2007
– Office Compatibility Pack 2007
– Office PowerPoint Web App
– Visual Studio .NET 2003
– Visual Studio 2005, 2008, 2010
– Visual C++ 2005, 2008, 2010

This upcoming Patch Tuesday will also address two open Microsoft vulnerabilities.  First, Microsoft will fix an issue that was detailed on February 16th, 2011.  Microsoft did not put out a Security Advisory for this, but they did detail a vulnerability in a blog posting.  The vulnerability affects the SMB Browser on all supported versions of the Microsoft operating system.  This vulnerability is a zero-day vulnerability, but Microsoft has not had any reports of attacks to date.  Second, Microsoft will be addressing Security Advisory 2501696 that was released on January 28, 2011.  This vulnerability affects an issue with the MHTML protocol.  Microsoft supplied a temporary workaround with a FixIt tool that locked down the MHTML protocol.  If you have applied the FixIt tool from Microsoft, you should remove the workaround and return MHTML functionality to your systems as soon as you patch the system.

Hopefully you will get some time this weekend to enjoy a nice, relaxing early spring weekend. Next week will bring many sleepless nights for the Shavlik Data Team.

– Jason Miller