Patches Make for Good Gifts

’Tis the season of good friends, good food, good conversation and of course patching your network.  Today marks the final Patch Tuesday of 2011, and it’s a big one. Microsoft is giving the gift of 13 security bulletins addressing 19 vulnerabilities to add to the stress of this holiday season.  Not to be outdone by Microsoft, other software vendors such as Google and Adobe are also joining in on the season of giving by releasing updates of their own.  This combination of Microsoft and non-Microsoft patch releases will definitely keep us busy this season.

On the Microsoft side, there are two bulletins administrators should look to patch immediately.  MS11-087 fixes a zero-day vulnerability in the Windows Kernel-Mode Drivers.  Microsoft released Security Advisory 2639658 on November 3, 2011 for this vulnerability.  This Security Advisory was released just before the November 2011 Patch Tuesday.  There was speculation at the time that Microsoft would patch this vulnerability in the November 2011 Patch Tuesday release.  Exploit code for this vulnerability was published and Microsoft received reports of limited attacks against this vulnerability.  But Microsoft did not see widespread attacks against the zero-day vulnerability and this patch did not make it into the November release cycle.  This allowed Microsoft to release the corresponding Security Bulletin during today’s Patch Tuesday.  As with any zero-day vulnerability, it is critical to patch your systems as soon as possible.  To date the vulnerability has been exploited a limited number of times, but the possibility of a widespread attack is always greater with zero-day vulnerabilities.

With MS11-087, administrators may have applied a workaround as stated in the Security Advisory released last month.  This workaround denied all access to a specific vulnerable DLL on the system.  You do not need to unapply the workaround to apply the patch.  But, it is advised that you unapply the workaround after applying the patch to restore functionality to the system.  If the workaround is left in place, users may not be able to see all fonts on a system, and this could lead to an uptick in support calls.

The next bulletin administrators should look at patching as soon as possible is the bi-monthly cumulative update for Internet Explorer.  MS11-099 fixes multiple vulnerabilities in the browser.  Although none of the vulnerabilities are publicly known or actively being attacked, any browser is a prime target for attackers.

There is an important note regarding Security Bulletin MS11-088 that administrators should be aware of.  This bulletin is only available on the Microsoft Download Center.  This means administrators must manually find the affected product on their network and manually apply the patch.  This bulletin affects IME for Chinese Office installations.  The Office installation must be Chinese.  An installation of Office in a language other than Chinese is not affected unless it has been installed with the Chinese Pinyin IME component.

As a final holiday gift from Microsoft, their Advanced Notification for this Patch Tuesday stated there would be 14 bulletins released this month, but they have only released 13 bulletins.  Obviously one of the bulletins needed to be pulled from release due to quality issues.  We will continue to monitor Microsoft to see why one bulletin is missing from today’s release.

On the non-Microsoft side, Google has released a new version of their Chrome browser.  This security update addresses 15 vulnerabilities and also adds new features.

Adobe is releasing multiple bulletins for their products.  Adobe security bulletin APSB11-29 addresses two vulnerabilities in their ColdFusion product.  In addition, Adobe is patching their Adobe Reader/Acrobat version 9 products today.  Adobe announced last week they would be addressing a zero-day vulnerability in Reader and Acrobat today in version 9 only.  Adobe Acrobat and Reader version 10 also contain the software vulnerability.  But due to a protected mode in Acrobat and Reader version 10, an attacker cannot exploit the vulnerability.  Adobe will patch this version of Reader and Acrobat during their regularly scheduled quarterly update during the January 2012 Patch Tuesday.

Apple has released a new version of their iTunes product with iTunes 10.5.2.  This update is a non-security update.

VMware is also releasing a new version of their MozyPro backup software.  MozyPro 2.10.7.96 is a non-security update.

And Oracle has joined the list of other software vendors providing updates today by releasing a new version of their Java product.  Java 6 update 30 is a non-security update.  This update is currently only available for JDK download.  We will have to see if Oracle makes this version available to the public on the java.com webpage later today.

I will be reviewing the November 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.

– Jason Miller

Microsoft: We Won't Update Others' Windows Apps

In a recent blog post by Farzana Rahman, Microsoft’s group program manager of the Windows Update group, she wrote that Microsoft has no plans to support third party patching now or in the future. She writes:

Lastly but not the least, I want to address the feedback from users who would like WU to update their 3rd-party applications. People clearly find the experience with multiple updaters on the system less than optimal (and we agree!) Each application updater gives you a different experience, you have to remember to go visit each updater to install updates, you never know when or how updaters will run and what they might do, and so on. People would like one updater for the entire system.

This comes as no surprise to those of us at Shavlik, now part of VMware, who have offered just such a service since the 1990s. Our flagship product VMware vCenter Protect Essentials Plus (formerly NetChk Protect), delivers a one-stop-shop for all third party applications (and some legacy Microsoft applications, too). All of the complexity that Farzana describes in her post is addressed in a simple easy-to-use interface for organizations of all sizes to keep their networks secure and up to date.

In fact, we offer Security Advisor, a free service that performs a thorough scan of your network and delivers a report on all of the applications installed on machines (whether physical or virtual) on your network. Most companies we talk to are surprised by the number of titles, versions and publishers installed on machines across their networks. What’s worse is that critical updates to these applications are missing, opening the network–and therefore the business–to unnecessary risk.

So, vCenter Protect Essentials Plus is the “one updater for the entire system.” Problem solved.

– Mike Bleakmore

December 2011 Patch Tuesday Advanced Notification

Microsoft has released their advanced notification for the December 2011 edition of Patch Tuesday.  Microsoft is giving the gift of 14 security bulletins addressing 20 vulnerabilities this holiday season.

Security Bulletin Breakdown:

  • 3 bulletins rated as Critical
  • 11 bulletins rated as Important
  • 10 vulnerabilities could lead to Remote Code Execution
  • 1 vulnerability could lead to Information Disclosure
  • 3 vulnerabilities could lead to Elevation of Privilege

Affected Products:

  • All supported Microsoft Operating systems
  • Publisher 2003, 2007
  • Excel 2003
  • PowerPoint 2007, 2010
  • Office 2007, 2010
  • PowerPoint Viewer 2007
  • Office Compatibility Pack 2007

On the non-Microsoft front, Adobe released a security advisory (APSA11-04) for a zero-day vulnerability affecting Adobe Acrobat/Reader 9/10 on December 6th.  Adobe is planning to release a patch for Adobe Acrobat and Reader version 9 during the week of December 12, 2011.  In other words, Adobe will be joining Microsoft’s Patch Tuesday this month.  Adobe Acrobat and Reader 10 are also affected by this vulnerability, but Adobe’s Protected View prevents the exploitation of the vulnerability.  For Adobe Acrobat and Reader 10, Adobe will release a patch during the January 2012 Patch Tuesday.

With administrators commonly taking vacations this time of year, the large number of security bulletins Microsoft is planning to release may seem a bit unfair.  However, this is in line with past typical Microsoft December Patch Tuesdays.

Last year, Microsoft released 17 security bulletins during the December 2010 Patch Tuesday.  This brought the total number of security bulletins released by Microsoft in 2010 to 106.  With the December 2011 Patch Tuesday security bulletins, the grand total for released security bulletins for 2011 will bring us to 100.

Stay tuned for more 2011 year in review information.  Later this month I will be releasing “Patching Year in Review” information.

I will be talking about December’s Patch Tuesday next Wednesday, December 14th at 11:00am CST in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

– Jason Miller

New ITScripts Available

Hey Everybody,

Just a quick update on the latest XML release for VMware vCenter Protect Essentials Plus, as you will notice some new items have been released.  As many of you know, vCenter Protect Essentials Plus 8.0 offers a new feature called ITScripts.  This integration with Microsoft PowerShell delivers powerful scripting capabilities through vCenter Protect Essentials Plus.  In the XML release yesterday we released three new scripts into the VMware Script Catalog.

A little about XML Announcements for those who may not be familiar.  vCenter Protect Essentials Plus has regular data releases to update patch data.  Typically you will see a release every Tuesday and Thursday, but it can vary.  ITScripts is now driven by the same data releases.  Although scripts will not be releasing nearly as often as patch data, you will be able to keep up on what is releasing through the XML Announcements.  In the announcement you will see [Patch-ITScripts] in the subject line indicating this release includes additions or changes to the script catalog.

So in yesterday’s release we included three new scripts.

  • Disable Adobe Reader and Acrobat Updater (version 1.0.0.5)
  • Get Security Center Status (version 1.0.0.40)
  • Local Administrator Password Change (version 1.0.0.6)

These new scripts are available in vCenter Protect Essentials Plus 8.0 today and can be approved by going to Manage > ITScripts.  From there you can approve the scripts for use in vCenter Protect Essentials Plus.  Depending on your license and if you are a vCenter Protect Essentials or Essentials Plus customer you will see the scripts available to you.

For more details you can go to the ITScripts Community Site.  Here you can find a write up on each of the scripts in the VMware Script Catalog. You can also find answers to common questions and post questions relating to the scripts as well.  One specific thing that customers have asked is which scripts should I see as a vCenter Protect Essentials or Essentials Plus customer.  Each script is tagged with Essentials or Essentials Plus to show what license level you need to see them.  vCenter Protect Essentials Plus customers see all Essentials scripts with the addition of the Essentials Plus scripts.

Regards,

Chris Goettl
Customer-Product Owner
SMB Management Solutions
VMware