This Week in Patching – 10/26/2012

The highlight of this week was Adobe releasing a new security bulletin on Tuesday.  Adobe Security bulletin APSB12-23 addresses six vulnerabilities that could lead to remote code execution and is rated critical.  Administrators should look at applying Adobe Shockwave Player 11.6.8.638 to their affected machines as soon as possible.

On Wednesday, Microsoft released a new version of their Skype product with version 6.0.0.120.  This is a non-security update that integrates Skype with Microsoft and Facebook services as well as a few other minor features.

On Thursday, Google released a new version of their Google Chrome browser and Chrome Frame browser plugin with version 22.0.1229.96.  Google has been very good at posting detailed release notes with every release of their Chrome, Chrome Frame and Chrome OS software.  Yesterday, however, Google did not post release notes for the updated products.  It is tough to play the guessing game with patching.  When in doubt, always assume an undocumented update is a security release.

Happy Patching!

– Jason Miller

This Week in Patching – 10/19/2012

It is that time for a weekly recap of the happenings in patch management.

This week was highlighted by a critical security update from Oracle.  Oracle released updates for their Java programs with Java 7 update 9 and Java 6 update 37 during their quarterly update.  These updates address 28 vulnerabilities.  Some of the vulnerabilities addressed by this update were zero-day vulnerabilities.  With any patch addressing zero-day vulnerabilities, administrators will want to patch as soon as possible.  Apple also released an update for the newer version of Java.  This update release coincided with Oracle’s Java release.  The next scheduled update for Java is set for February 19, 2013.

On Wednesday, Adobe released new versions for their Adobe Acrobat and Reader product lines.  Adobe Acrobat / Reader 11 (or XI) does not contain any security fixes from the version 9 or 10 product lines.

On Thursday, VideoLAN released a new version for their VLC media player.  The release notes for VLC media player 2.0.4 state there are fixes for “security issues” but no CVE has been submitted for this version.

The Document Foundation released a new version of their LibreOffice product that prompted some confusion.  The release version for LibreOffice has steadily been increasing on a normal cadence.  LibreOffice 3.4.x was followed by 3.5.x.  On August 15th, LibreOffice had a new major version with 3.6.x, which has since been followed by minor version increases (3.6.1, 3.6.2).  Yesterday, LibreOffice 3.5.7 was released.  This version number is lower than the 3.6.x branch and has confused people.  In a LibreOffice blog posting, The Document Foundation stated that the 3.5.x branch will continue to receive updates, as will the 3.6.x branch.  The 3.5.x branch is intended to be a stable branch, while the 3.6.x branch introduces new features to the LibreOffice program.  Neither LibreOffice 3.5.7 (released yesterday) nor LibreOffice 3.6.2 (released on October 4) contains any security fixes.

Happy Patching!

– Jason Miller

This Week in Patching – 10/12/2012

Here is a quick recap of a fun-filled patch week.

The October 2012 edition of Patch Tuesday brought seven new security bulletins.  In addition, Microsoft released a new security advisory (2749655).  This new security advisory is related to an issue where Microsoft patches (and the files contained in the patches) have been signed with a bad digital signature.  The signature contains a timestamp that will expire early in 2013.

With the timestamp issue, Microsoft needed to re-release four security bulletins.  These security bulletins contain the same files and vulnerability fixes as the original release of the bulletin.  These bulletins will need to be reapplied to systems to ensure the invalid timestamp will not be an issue next year.  The following security bulletins were re-released by Microsoft to address the timestamp issue:

MS12-053
MS12-054
MS12-055
MS12-058

With the re-released security bulletins, only patches that apply to Microsoft operating systems Windows Vista and higher need to be reapplied to systems (Windows Vista, 2008, 7, 2008 R2).  Earlier Microsoft operating systems (Windows XP, 2003) do not need to have the patches reapplied to the system.

With the seven new October Microsoft security bulletins, one Microsoft out-of-band security bulletin and the four re-released security bulletins, the total count of Microsoft security bulletins that will need to be addressed this month is up to 12. (And some people say a Patch Tuesday is cut-and-dried, tried-and-true and run-of-the-mill).

But wait, there is more!  Microsoft's documentation of the timestamp issue, in their knowledge base article and blog statements, was quite thorough for Microsoft security patches.  However, Microsoft also re-released non-security updates affected by the timestamp issue.  We found the following non-security updates were also re-released by Microsoft to fix the timestamp issue:

Update for Windows 7 (KB2647753)
Update for Windows 7 (KB2729094)
Update for Windows 7 (KB2732487)
Update for Windows 7 (KB2732500)

Is there more with this timestamp issue?  Why yes there is!  These non-security patches stated above are publicly available patches.  These types of patches can be easily obtained from the Microsoft Download Center or through WSUS/Windows Update.

Microsoft also released non-public non-security updates.  These updates are similar to the publicly available updates.  These patches also fix non-security issues with Microsoft products, but the patches can only be obtained by calling Microsoft.  Microsoft will release these patches to customers if they are experiencing the issue fixed in the patch.  If administrators have contacted Microsoft and obtained one of the non-public patches, they will need to contact Microsoft again to get the new version of the patch with the correct timestamp applied to it.  This part is important as non-public patches will not show up in a patch management product.

On to the non-Microsoft side this week, there were some other notable patch releases:

Adobe Security Bulletin APSB12-22 – Monday
Adobe released an update to address 25 vulnerabilities to their Adobe Flash Player 10/11 and Adobe Air 3.4.

Google Chrome 22.0.1229.92 – Monday
With every security release of Adobe Flash, Google releases a new version of their Chrome browser.  This browser bundles Adobe Flash with the installation.  This new version of Chrome also contains multiple vulnerability fixes for Chrome itself.

Microsoft Security Advisory 2755801 – Monday
This security advisory is a re-release issuing a new version of the Adobe Flash Player for Internet Explorer 10 on Windows 8 / Server 2012.  Similar to Google Chrome, Microsoft is now bundling Adobe Flash Player in the installation of Internet Explorer 8.  This release marks the first time the security advisory release has been in conjunction with an Adobe and Google release for Flash Player.

Mozilla Firefox 16.0 / Thunderbird 16.0 / SeaMonkey 12.3 – Tuesday
Mozilla released critical security updates for their products after a month of no updates.  These updates were quickly pulled from availability as a critical vulnerability was introduced with the new updates.

Notepad++ 6.2.0 – Tuesday
Non-security update

TortoiseSVN 1.7.10 – Tuesday
Non-security update

Google Chrome 22.0.1229.94 – Wednesday
Google released an update to address a critical vulnerability in a short time period.  This vulnerability was highlighted in the Pwnium 2 contest just one day earlier.

Mozilla Firefox 16.0.1 / Thunderbird 16.0.1 / SeaMonkey 12.3.1 – Thursday
Two days after releasing a new update that introduced a critical vulnerability, Mozilla released updates for all of the affected products.

Happy Patching!

– Jason Miller

VMworld Barcelona Wrap Up

We have concluded a very successful VMworld Barcelona. Thank you to the over 8,000 customers, partners, press and analysts we met this week – you are the reason for the success. VMworld Europe lived up to its reputation as an exceptional networking experience and real-world training for anyone in the IT industry, and this year’s event offered new product announcements and highlights for all audiences (check out some of the videos here).

We had a great reception for VMware vCenter Protect, with over 150 people taking the vCenter Protect Hands On Lab and over 90 attending our session on simplifying and automating the task of updating both physical and virtual machines. And vCenter Protect was the #1 demo in the VMware booth! What a great event – can’t wait to see you all again in Barcelona next year!

– Mike Bleakmore

SpiceWorld 2012 Was A Real Sizzler!

I had the pleasure of attending SpiceWorld 2012 in Austin, TX this week – what a great event! There were over 460 IT Pros in attendance, and I’m quite certain Spiceworks could have doubled the attendance numbers with a larger venue.

There was a great deal of excitement at this year’s event, from all the new functionality (including Mobile Device support) to an expanded set of programs that vendors like us (VMware) can utilize to better leverage the Spiceworks community.

The highlight was the session we sponsored titled “How Virtualization Can Save Your Bacon,” where Chris Westphal from VMware and Darren Schoen (a prolific Spiceworks Community Representative) presented together in “Bacon Suits.” For whatever reason, the Spiceworks community has a strong affection for “all bacon products.” All-in-all it was a terrific event.

– Dave Eike

October 2012 Patch Tuesday Overview

For the October 2012 edition of Patch Tuesday, Microsoft is getting back to a normal release size with seven new security bulletins addressing 20 vulnerabilities.  September’s Patch Tuesday was quite a light month with only one security bulletin being released by Microsoft and hopefully IT admins had enough time to test out the non-security update addressing digital certificates less than 1024 bits in length (security advisory 2661254).  Luckily, this is probably the last time I will be talking about this non-security update as it has been released to the general patching channel (Microsoft WSUS and Windows Update).

The first bulletin administrators should look at patching is MS12-064.  This security bulletin addresses a critical vulnerability in Microsoft Word where an attacker can gain remote code execution if a user opens a malicious RTF document on an unpatched system.

It is important to note that Outlook 2007 uses Word as the default email viewer.  RTF documents are typically not blocked by company email servers.  Also, RTF documents, like PDF documents, are commonly used for sharing documents between different companies.

An interesting note about MS12-067: this is the second time this year we have seen Microsoft release a security bulletin for vulnerabilities that exist in Oracle’s software.  Microsoft SharePoint servers with FAST Search 2010 use code from Oracle’s Outside In libraries in their product.  We could be seeing different software vendors working more closely on security vulnerabilities in shared software code.

To that point, Microsoft re-released their security advisory for Adobe Flash Player yesterday.  Security Advisory 2755801 provides an update to Adobe Flash Player that is bundled within Internet Explorer 10.  The latest version of Internet Explorer has taken the same route that Google has done with their Chrome browser for some time by bundling Adobe Flash with the installation.  Adobe released an update for Flash (APSB12-22) addressing multiple critical vulnerabilities and all three vendors (Adobe, Microsoft and Google) worked together on a coordinated release.

As with any Patch Tuesday, it is important to also look for non-Microsoft vendors releasing updates.  With a coordinated release, administrators should be aware there is more to be concerned with than just Microsoft security bulletins.

On the non-Microsoft front, Mozilla released updates for their products.  Mozilla Firefox and Thunderbird 16 are new security updates addressing quite a few critical vulnerabilities.  Although I am only calling out one Microsoft security bulletin to be patched as soon as possible, there are quite a few products (Microsoft and non-Microsoft) that also need to be patched this month.  Be sure to plan for extra time to get all of the patches fully deployed to your systems.

I will be going over the October Patch Tuesday patches in detail, in addition to any other non-Microsoft releases since the last Patch Tuesday, in our monthly Patch Tuesday webcast.  This webcast is scheduled for tomorrow, October 10th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

New Adobe Flash Player Released

To get you warmed up and ready to roll into another Patch Tuesday, Adobe just released a new version of Adobe Flash and Adobe Air.  Adobe Security Bulletin APSB12-22 is a security update that fixes 25 vulnerabilities.

Google Chrome should be releasing shortly as it has Adobe Flash bundled in the installation.  We will have to wait to see if Microsoft updates IE 10 during this Patch Tuesday or if there is some lag time in their release.

UPDATE:  Microsoft and Google have released updates as well.  It appears all three companies are in a solid release cycle together.

Microsoft Security Advisory 2755801

Google Chrome 22.0.1229.92

– Jason Miller

This Week in Patching – 10/5/2012

Here is a recap of the patch management this week.

On Tuesday, Wireshark released two new updates to their product.  Wireshark 1.8.3 and 1.6.11 are security releases addressing multiple vulnerabilities.

On Thursday, a new version of LibreOffice was released by The Document Foundation.  LibreOffice version 3.6.2 is a non-security update.

With much hype around the Adobe certificate issue, Thursday came and went without much interruption.  I went through every Adobe product and product update available that could potentially be affected by the digital signature that was to be expired by Adobe.  Every update I could find did not have the digital signature in question.  Our speculation is that Adobe has a distribution channel that uses that digital certificate.  The good news for administrators is that there should be no effect from this digital certificate change by Adobe.

Next week marks the October 2012 edition of Patch Tuesday.  I will be reviewing each of the Microsoft security updates and providing information regarding the vulnerabilities and patches.  Check back on Tuesday for more fun-filled patching information.

Happy Patching!

– Jason Miller

October 2012 Patch Tuesday Advanced Notification

Microsoft has released their advanced notification for the upcoming Patch Tuesday.  The October 2012 edition of Patch Tuesday will feature seven security bulletins.  After an extremely light September Patch Tuesday, administrators will be quite busy this month with the number of products that have vulnerabilities being addressed.  One of the security bulletins this month will address a security advisory that Microsoft released back in July.  In addition to the seven Microsoft security bulletins, administrators will need to patch the out-of-band security bulletin that Microsoft released in late September affecting Internet Explorer if they have not done so yet.

Security Bulletin Breakdown:

  • 1 bulletin is rated as Critical
  • 6 bulletins are rated as Important
  • 3 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
  • 1 bulletin addressing vulnerabilities that could lead to Denial of Service

Affected Products:

  • All supported Microsoft operating systems except Windows 8 and Server 2012
  • Microsoft Office 2003, 2007, 2010
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft InfoPath 2007, 2010
  • Microsoft Works
  • Microsoft SharePoint Server 2007, 2010
  • Microsoft FAST Search Server 2010 for SharePoint
  • Microsoft Groove Server 2010
  • Microsoft Windows SharePoint Services 3.0
  • Microsoft SharePoint Foundation 2010
  • Microsoft Office Web Apps 2010
  • Microsoft Communicator 2007 R2
  • Microsoft Lync 2010
  • Microsoft Lync 2010 Attendee
  • Microsoft SQL Server 2000 Reporting Services
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2008
  • Microsoft SQL Server 2008 R2
  • Microsoft SQL Server 2012

After administrators get through this Patch Tuesday, they will get to look forward to patching the following week yet again.  Oracle’s Critical Patch Update for Java is scheduled for the week after Patch Tuesday (October 16th, 2012).  Hopefully Oracle will be releasing updates for the known vulnerabilities in Java at that time.

As a friendly reminder (and yes, I have been talking about this way too much), the patch that will invalidate all certificates that are not at least 1024 bits in length will be moving from the Microsoft Download Center to Microsoft’s mainstream patching applications (Windows Update, WSUS).  If an organization has not tested this patch with certificates on their network, administrators will need to be on the lookout this month for any issues that could arise with this patch.
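One way to get ahead of that patch, as an added example that is not from the original post or from VMware: the script below walks the local Windows certificate stores and lists RSA certificates whose public key is shorter than 1024 bits, which is exactly the population that update will stop trusting.  The store paths scanned and the 1024-bit threshold are assumptions; adjust them for the stores that matter on a given host.

```powershell
# Added example (not from the original post): inventory local certificate
# stores for RSA public keys shorter than 1024 bits, the keys that the
# security advisory 2661254 update stops trusting. Run in an elevated
# Windows PowerShell session so the LocalMachine stores are readable.
$minimumBits = 1024

# Assumed set of stores worth checking; extend for other hosts/roles.
$stores = @(
    'Cert:\LocalMachine\My',    # server/client certs issued to this machine
    'Cert:\LocalMachine\Root',  # trusted root CAs
    'Cert:\LocalMachine\CA',    # intermediate CAs
    'Cert:\CurrentUser\My'      # the current user's personal certs
)

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # The 1024-bit minimum applies to RSA keys; skip other algorithms.
        if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
        $bits = $cert.PublicKey.Key.KeySize
        if ($bits -lt $minimumBits) {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

if ($weak) {
    # Anything listed here will fail chain validation once the update is applied.
    $weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
} else {
    "No RSA certificates under $minimumBits bits found in the scanned stores."
}
```

A certificate that does not appear in these stores but is presented by a network service (an internal web server, for example) still needs to be checked separately, since the update affects chain validation, not only stored certificates.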

I will be going over the October Patch Tuesday patches in detail, in addition to any other non-Microsoft releases since the last Patch Tuesday, in our monthly Patch Tuesday webcast.  This webcast is scheduled for next Wednesday, October 10th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

The Bacon Will be Sizzling at SpiceWorld 2012

With SpiceWorld 2012 rapidly approaching, VMware is thrilled to be participating again this year. We’re planning to spend a great deal of time both at our booth and in the sessions we’re conducting discussing important issues that continue to challenge our customers…especially those in the SMB.

These range from the ever-expanding issues associated with patching third-party applications such as Adobe, RealPlayer and Firefox, to the need for greater levels of automation for those everyday, mundane, repetitive tasks (i.e., IT scripting, standing up a virtual machine, and network reporting).

We look forward to discussing solutions to your most important and pressing issues.  And while you’re there, please stop by The After Party on Wednesday, October 10th where we will be sponsoring the Table Area Happy Hour with free drinks and appetizers and of course, more SWAG including bacon give-aways.

To learn more about how VMware can help save your bacon, visit our Spiceworks community site here.

See y’all in Texas!

– Dave Eike