This Week in Patching – 11/30/2012

This week was highlighted yet again by browser updates addressing security vulnerabilities.  Google released updates for their Chrome and Chrome Frame browsers addressing multiple vulnerabilities.  On Monday, Google Chrome 23.0.1271.91 was released and it addresses seven vulnerabilities.  On Thursday, a second update was provided with Google Chrome version 23.0.1271.95.  The latest version addresses two security vulnerabilities.

A little background and history on Google’s responsible vulnerability initiative:

In November 2010, Google implemented a vulnerability reward program that lets security researchers earn financial rewards for responsibly disclosing vulnerability information to Google.  A responsible disclosure is one in which the vulnerability is reported to the vendor and the details (and any exploit code) are not made public until a fix has shipped for the affected software.

One of the vulnerabilities fixed in the latest version of Google Chrome is credited to the hacker known as “Pinkie Pie.”  This vulnerability netted Pinkie Pie a cool $7,331.  This is not the first time Pinkie Pie has received a reward in the vulnerability reward program.  Back in March, Pinkie Pie received $60,000 for a vulnerability in Google Chrome during the Pwnium contest.  In October, the Pwnium 2 contest was held and Pinkie Pie received another $60,000 for winning the contest.  I would say netting $127,331 on vulnerabilities found and responsibly disclosed makes 2012 a great year for both Google and Pinkie Pie!

Back to this week’s patches:

On Wednesday, the Wireshark Foundation released a security update for their Wireshark product.  Wireshark 1.8.4 addresses 11 vulnerabilities and Wireshark 1.6.12 addresses six vulnerabilities.

On Thursday, Apple released a new version of their iTunes software with version 11.  This new version includes many new features and possibly addresses vulnerabilities.  The product release notes contain a link to their security updates section, but no vulnerabilities have been announced.  Apple can be a bit slow on releasing vulnerability information, so I will be watching out during the next week for any announcements.

Today, FileZilla has released yet another update for the FileZilla Client.  FileZilla Client 3.6.0.2 is a non-security update addressing two issues.

Happy Patching!

– Jason Miller


This Week in Patching – 11/23/2012

After a long holiday week, I am catching up with the week in patching review.

Last week was highlighted by a couple of security releases for non-Microsoft browsers.

On Sunday, two software updates were made available.  FileZilla Client version 3.6.0.1 and Notepad++ 6.2.2 are both non-security updates.

Adobe released a security bulletin for their ColdFusion product on Monday.  Adobe security bulletin APSB12-25 fixes one vulnerability and is rated as important.  If exploited, this vulnerability could lead to denial of service.

Tuesday saw Internet browser updates from Opera and Mozilla.  Opera 12.11 is a security update addressing 2 vulnerabilities.  Mozilla also released numerous updates for their browsers and email clients.

The week rounded out with an update for Apache Tomcat being released on Wednesday.  Apache Tomcat 7.0.33 is a non-security update addressing several bugs.


Happy Patching!

– Jason Miller

This Week in Patching – 11/16/2012

This week in patching was highlighted by Microsoft’s Patch Tuesday.  Microsoft released six new security bulletins addressing 19 vulnerabilities.  I have a full write up on Patch Tuesday here.

On the non-Microsoft front, I did not see any security updates released.  However, there were a few non-security updates released that you may want to get installed to fix various issues.

On Monday, two vendors released updates for their programs to fix crashing issues.  Notepad++ 6.2.1  and Filezilla 3.6.0 are non-security updates fixing crash issues.

On Tuesday, an update for the AT&T Global Network Client was released with version 9.1.0.  The release notes have not been updated yet.  Without published release notes, I am assuming at this point that this is a non-security update.

VMware also released updates for MozyHome and MozyPro with version 2.18.0.227.  These updates are non-security updates fixing numerous issues and introducing new features.

On Thursday, Microsoft released a new version of Skype with version 6.0.0.126.  The highlight of this non-security update is a fix that addresses issues when upgrading to the latest version of Skype.

Due to the holiday week next week, I will not have a weekly write up for the week in patching next Friday.  I will provide an update in patching for the holiday week the following Monday.

Happy Patching!

– Jason

November 2012 Patch Tuesday Overview

Microsoft has released six updates addressing 19 vulnerabilities in the November 2012 edition of Patch Tuesday.

The first bulletin administrators should look at patching immediately is the cumulative update for Internet Explorer.  Unlike most cumulative Internet Explorer updates, MS12-071 only affects Internet Explorer version 9.  Like most browser-based attack scenarios, this vulnerability can be exploited by visiting a malicious website, which can result in remote code execution.

MS12-075 is the second bulletin that administrators should look at patching immediately.  This security bulletin addresses vulnerabilities in the Windows kernel-mode drivers that could lead to remote code execution.  If an attacker can entice a user to open a file or web page containing a malicious TrueType font, the font is parsed in kernel mode, so the attacker could take control of the unpatched system.

There are a couple of interesting notes about this edition of Patch Tuesday.  First, we are seeing the first Microsoft security bulletins addressing vulnerabilities in their new operating systems (Windows 8, Windows Server 2012).  MS12-072, MS12-074 and MS12-075 all affect the new operating systems or components on the operating systems.

Windows 8 Release Preview and Server 2012 Release Candidate are also affected by vulnerabilities such as the ones addressed in MS12-072.  It is interesting to note that Microsoft is still shipping patches for these pre-release builds even though the final, generally available versions of both Windows 8 and Windows Server 2012 have now been released.

I was curious to see how Microsoft was going to handle the updates for Windows RT.  Windows RT is the version of Windows 8 that runs on devices like the Microsoft Surface tablet.  I noticed that Windows Server Update Services (WSUS) had added a category for Windows RT.  Looking at the security bulletins this month, the patches for Windows RT are only available through Windows Update.  This could present a challenge for IT admins that manually manage their machines and need reporting on which machines are up to date.

Continuing on the product preview front, the security bulletin for Microsoft .NET Framework (MS12-074) also affects the .NET Framework 4.5 preview.  The patch for this product is only available through Windows Update (not the Microsoft Download Center).  This has been a common theme for Microsoft when releasing security updates for their preview products.

Last month, Microsoft released Security Advisory 2749655 addressing an issue where numerous patch packages, and the files contained within them, had been signed with certificates that Microsoft generated without proper timestamp attributes.  Because those signatures carry no valid timestamp, they stop validating when the signing certificate expires in early 2013, rather than remaining valid indefinitely as a properly timestamped signature would.  Microsoft re-released the affected patches during the October 2012 Patch Tuesday and stated that more re-releases would follow.

Today, we are seeing another re-release of a patch with this issue.  The Microsoft Office 2003 patch released in security bulletin MS12-046 has been re-released.  Previous re-releases required customers to reapply the patches so the digital signature would not expire in early 2013.  This re-release departs from the process Microsoft laid out, as the details of the re-release state the patch does not need to be reapplied.  Hopefully, Microsoft will provide some clarification soon on why this particular patch does not need to be reapplied.
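To see which downloaded packages are actually exposed to this problem, here is an added PowerShell example (not from this post or from Microsoft) that walks a folder of patch packages and flags any whose Authenticode signature has no timestamp countersignature, which is the condition that makes a signature lapse when its signing certificate expires.  It assumes the packages have been saved to a local folder (C:\Patches is a placeholder) and uses only the stock Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the post or from Microsoft): enumerate patch packages in a folder
# and flag those whose Authenticode signature has no timestamp countersignature, the
# condition that makes a signature lapse when its signing certificate expires. Assumes the
# packages have been downloaded to a local folder (C:\Patches below is a placeholder) and
# uses only the stock Get-AuthenticodeSignature cmdlet. Requires PowerShell 3.0+.

function Get-PatchSignatureLifetime {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [datetime]$AsOf = (Get-Date),
        [int]$WithinDays = 90
    )

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.msu, *.msp, *.msi, *.cab |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate               # $null when the file is unsigned
            $timestamped = ($null -ne $sig.TimeStamperCertificate)

            # Without a timestamp Windows cannot prove the file was signed while the
            # certificate was still valid, so the signature effectively dies at NotAfter.
            # A timestamped signature keeps validating after the certificate expires.
            $lapses = [bool]($cert -and (-not $timestamped) -and ($cert.NotAfter -lt $AsOf.AddDays($WithinDays)))

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status                # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($cert) { $cert.Subject } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                Timestamped = $timestamped
                LapsesSoon  = $lapses
            }
        }
}

# Report anything that is not currently valid, or that will stop validating within 90 days.
Get-PatchSignatureLifetime -Path 'C:\Patches' |
    Where-Object { $_.Status -ne 'Valid' -or $_.LapsesSoon } |
    Format-Table File, Status, Timestamped, NotAfter -AutoSize
```

Run it against the folder you stage patches from before deploying; a package that shows Timestamped as False with a NotAfter in early 2013 is one that will need the re-released build, regardless of whether the original bulletin has been marked as re-released yet.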

I will be going over the November Patch Tuesday patches in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, November 14th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 11/9/2012

It has been a busy week for patch releases.  Here is a quick recap of the happenings in patch management.


Tuesday

Adobe released a new security bulletin for Adobe Flash Player and Adobe Air.  APSB12-24 addresses seven vulnerabilities and the following versions address these issues:

  • Adobe Flash Player 11.5.502.110
  • Adobe Flash Player 10.3.183.43
  • Adobe Air 3.4.0.600

It is important to note that the vulnerabilities also affect the Adobe Flash Player 10 product line.  The ‘Priority and Ratings,’ ‘Affected Software Versions,’ and ‘Summary’ sections of the Adobe security bulletin page do not list Adobe Flash Player 10 as an affected product.  The CVEs filed for these vulnerabilities state that Adobe Flash Player 10 is indeed affected, and the ‘Solution’ section of the bulletin does list a fixed Flash Player 10 release (10.3.183.43).  An inventory check that keys off the affected-versions table alone will miss Flash Player 10 installs.
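Because this bulletin shipped a separate fixed build for each branch, a patch check has to compare an install against the fixed build for its own major version.  The following PowerShell is an added example (not from this post or from Adobe) showing that branch-aware comparison; the discovery helper assumes the usual Macromed\Flash install location, and the sample version strings are constructed for an offline run.

```powershell
# Added example (not from the post or from Adobe): decide whether an installed Flash Player
# build is at or above the fixed release for ITS OWN branch. APSB12-24 shipped two fixed
# builds, 11.5.502.110 for the 11.x line and 10.3.183.43 for the 10.x line, so a single
# "is it >= 11.5.502.110" check would wrongly flag a fully patched 10.3.183.43 install.
# Requires PowerShell 3.0+ for [pscustomobject].

$FixedFlash = @{
    10 = [version]'10.3.183.43'    # fixed build for the Flash Player 10 branch
    11 = [version]'11.5.502.110'   # fixed build for the Flash Player 11 branch
}

function Test-FlashPatched {
    param([Parameter(Mandatory = $true)][string]$InstalledVersion)

    # Flash reports its version with commas ("11,5,502,110") in file version info and in
    # the registry; normalise to dots so [version] can parse and compare it numerically.
    $v = [version]($InstalledVersion -replace ',', '.')
    $fixed = $FixedFlash[$v.Major]

    if (-not $fixed) {
        # Branch not covered by the bulletin (for example 9.x): no fixed build exists,
        # so report it as unpatched rather than silently passing it.
        return [pscustomobject]@{ Installed = $v; Branch = $v.Major; Fixed = $null; Patched = $false }
    }
    [pscustomobject]@{ Installed = $v; Branch = $v.Major; Fixed = $fixed; Patched = ($v -ge $fixed) }
}

function Get-InstalledFlashVersions {
    # Assumption: the ActiveX control (*.ocx) and NPAPI plugin (*.dll) live under
    # Macromed\Flash in System32 (and SysWOW64 on 64-bit Windows). Returns the file
    # version strings found there, or nothing if Flash is not installed.
    $dirs = "$env:SystemRoot\System32\Macromed\Flash", "$env:SystemRoot\SysWOW64\Macromed\Flash"
    foreach ($d in $dirs) {
        Get-ChildItem -Path "$d\*" -Include *.ocx, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object { $_.VersionInfo.FileVersion }
    }
}

# Constructed sample inputs (not real inventory data) so the check runs offline:
'11,5,502,110', '11.4.402.287', '10.3.183.43', '10.3.183.29', '9.0.280.0' |
    ForEach-Object { Test-FlashPatched -InstalledVersion $_ } | Format-Table -AutoSize

# On a live machine, feed the discovered versions through the same check:
# Get-InstalledFlashVersions | ForEach-Object { Test-FlashPatched -InstalledVersion $_ }
```

The sample run reports 11.5.502.110 and 10.3.183.43 as patched, 11.4.402.287 and 10.3.183.29 as unpatched, and the 9.x entry as unpatched with no fixed build, which is the result a flat "newer than 11.5.502.110" check would get wrong for the 10.x line.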

With the Adobe Flash Player release, I also saw a coordinated release effort from Google and Microsoft to address the vulnerable Adobe Flash Player builds bundled with their browsers.  Google Chrome / Chrome Frame version 23.0.1271.64 fixes 14 vulnerabilities and includes the latest version of Adobe Flash Player.  This new version of the Google browser also adds a ‘Do Not Track’ option that sends the DNT request header asking websites not to track the user.  On the Microsoft side, Microsoft Security Advisory 2755801 was updated to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.

Opera also released a new version of their browser for the first time since June of this year.  Opera 12.10 addresses six vulnerabilities.  In the release notes, you will need to scroll down to the beta section to see that this release actually fixed security vulnerabilities.  They are noted in the beta section for version 12.10.


Wednesday

There was another release from Google for their Chrome and Chrome Frame browsers.  Google did not release any update notes for this new version, so I am assuming this release is a non-security update fixing very minor issues with Tuesday’s release.  **Update: This is my mistake on reporting. I inadvertently thought Google Chrome released twice this week without release notes for the latest. Although I have seen this happen in the past, only one version of Chrome was released by Google this week.**

HP released their first update since June of this year for their System Management Homepage product.  HP System Management Homepage 7.1.2 appears to be a security update and is rated as “Recommended” by HP.  The release notes for this newer version state “Improved security features.”  Vulnerability information for HP System Management Homepage releases typically takes a few weeks to appear after the product release, so I will be watching the National Vulnerability Database for more information.


Thursday

Apple joined the busy patching week with a new release of Apple QuickTime.  Apple QuickTime 7.7.3 is a security update addressing nine vulnerabilities. One of the vulnerabilities fixed with this release is remarkably from 2011 (CVE-2011-1374).


Friday

AOL Instant Messenger 1.2.0.2 has been released to the mainstream.  This product typically does not have release notes associated with each version.  I will be waiting to see if a CVE is published that would mark this release as a security update.


Other News

Next Tuesday marks the November 2012 edition of Patch Tuesday.  Microsoft is set to release six bulletins addressing 13 vulnerabilities.  This Patch Tuesday will be highlighted by the first security bulletin releases for the new Microsoft Windows 8 and Server 2012 operating systems.

There are reports of a Zero-day vulnerability in Adobe Reader.  No confirmation or information has been released yet by Adobe.  There is a chance that Adobe could be releasing an update for Adobe Reader on Patch Tuesday.

I will be back next Tuesday to talk in detail on all of the activities for the November 2012 Patch Tuesday.

Happy Patching!


– Jason Miller

November 2012 Patch Tuesday Advanced Notification

Don’t worry, this is not another political ad.  It is that time of the month for Microsoft’s Patch Tuesday Advance Notification!

Microsoft is planning to release six bulletins next Tuesday, November 13th.  These six new security bulletins will address 13 vulnerabilities.  With the November 2012 Patch Tuesday, we will see the first security bulletins released for Microsoft’s new operating systems (Windows 8, Windows Server 2012).

Security Bulletin Breakdown:

  • 4 bulletins are rated as Critical
  • 1 bulletin is rated as Important
  • 1 bulletin is rated as Moderate
  • 5 bulletins address vulnerabilities that could lead to Remote Code Execution
  • 1 bulletin addresses vulnerabilities that could lead to Information Disclosure

Affected Products:

  • All supported Microsoft operating systems including Windows 8 and Server 2012
  • Microsoft Internet Explorer 9 (not the bi-monthly cumulative update for Internet Explorer)
  • Microsoft .NET Framework (exact versions to be known on Patch Tuesday)
  • Microsoft Excel 2003, 2007, 2010
  • Microsoft Office for Mac 2008, 2011
  • Microsoft Excel Viewer
  • Microsoft Office Compatibility Pack

I will be going over the November Patch Tuesday patches in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, November 14th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 11/2/2012

It is that time of the week for a recap of the happenings in patch management for the week.

The highlight of the week was a post late on Friday, October 26 by Mozilla.  Mozilla released updates for all of their products.  Mozilla Firefox 16.0.2, Mozilla Firefox 10.0.10 ESR, Mozilla Thunderbird 16.0.2, Mozilla Thunderbird 10.0.10 ESR and Mozilla SeaMonkey 2.13.2 address multiple vulnerabilities.

On Wednesday we got a bit of a treat for Halloween this year with Google updating Google Earth.  Google Earth 7.0.1.8244 is a non-security update introducing new features.  This release has been a long time coming as Google’s previous release of Google Earth was back in January 2012.

On Thursday, The Document Foundation released another update to their experimental branch with LibreOffice 3.6.3.  This update is a non-security update offering new features and bug fixes.

Next week we will be looking forward to Microsoft November 2012 Security Bulletin Advance Notification.  I will be going over this notification then.

Happy Patching!

– Jason Miller