This Week in Patching – 1/25/2013

After an eventful past couple of weeks in patch management, this week was relatively quiet.  Here is a quick recap in the happenings of patch management this week.

On Monday, a new version of Audacity was released.  Audacity 2.0.3 is a non-security update fixing numerous issues.

On Tuesday, Google released new security updates for their Chrome and Chrome Frame browsers.  Google Chrome / Chrome Frame version 24.0.1312.56 fixes three high, and two medium vulnerabilities.

On Wednesday, Core FTP released a new version with version 2.2.  This version was originally released on January 17th, but the details were provided on Wednesday.  This new version is a non-security update.

Last up for this week are new versions of MozyHome and MozyPro released today.  MozyHome and MozyPro version 2.18.3.247 are both non-security updates.

Happy Patching!

– Jason Miller

This Week in Patching – 1/11/2013

Happy New Year.  I hope IT administrators got some much needed patching rest over the past couple of weeks.  2013 is started out quite heavy in the world of patching.

This week was highlighted by a busy Patch Tuesday.  You can read my write up on the January 2013 edition of Patch Tuesday here.

There were also other vendors releasing critical security bulletins on Patch Tuesday.  Adobe released two security bulletins.  APSB13-02 was pre-announced last Thursday as a part of their quarterly update for Adobe Acrobat and Adobe Reader.  Adobe Acrobat / Reader versions 9.5.3 / 10.1.5 / 11.0.1 address 27 vulnerabilities and are rate Critical.  Adobe security bulletin APSB13-01 was not pre-announced by Adobe, but I expected this bulletin to be released after Microsoft announced an update for Adobe Flash Player in Microsoft Internet Explorer 10 last Thursday was set to be released on Patch Tuesday.  APSB13-01 addresses 1 vulnerability in Adobe Flash Player versions 10 and 11 (as well as Adobe Air 3.5).

Mozilla also released security updates to coincide with Microsoft’s Patch Tuesday.  The most notable of the releases by Mozilla was the major update for Firefox.  Mozilla Firefox 18 contains new features as well as security updates.  For those organizations that do not want to roll out new features in their Mozilla products due to concerns of the new features breaking functionality, Mozilla is continuing their effort with the Mozilla ESR products.  These product updates contain new security fixes but do not contain new features.

Here is the details list of Mozilla updates released on Patch Tuesday:

  • Mozilla Firefox 18
    • Security update addressing 12 Critical, 8 High and 1 Moderate Mozilla Security Advisories (30 vulnerabilities)
  • Mozilla Firefox ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (19 vulnerabilities)
  • Mozilla Firefox ESR 10.0.12
    • Security update addressing 8 Critical and 4 High Mozilla Security Advisories (14 vulnerabilities)
  • Mozilla Thunderbird 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla Thunderbird ESR 10.0.12
    • Security update addressing 8 Critical and 3 High Mozilla Security Advisories (18 vulnerabilities)
  • Mozilla Thunderbird ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla SeaMonkey 2.15
    • Security update addressing 12 Critical, 7 High and 1 Moderate Mozilla Security Advisories (26 vulnerabilities)

 

The other notable updates this week were released on Thursday.  Google updated their Chrome and Chrome Frame browser with version 24.0.1312.52.  This new version fixes 24 vulnerabilities and includes an updated version of Adobe Flash Player that was released by Adobe on Patch Tuesday.  In the past year, Google has been in sync with Adobe on Adobe Flash Player releases.  Interestingly, Google’s release came two days after the Adobe Flash Player release.

There were also some non-security updates released on Thursday.  MozyHome and MozyPro updated their programs with version 2.18.2.244.  Microsoft released a new version of Skype with 6.1.0.129.  This version now integrates with Microsoft Office Outlook contact.

Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Overview

To ring in the New Year, today Microsoft has released seven new security bulletins addressing 12 vulnerabilities.

However, the most notable headline from this Patch Tuesday is a security bulletin that was not released.  On December 29, 2012, Microsoft released a security advisory (2794220) informing administrators of a vulnerability in Internet Explorer was currently being exploited.  Microsoft provided a non-security update to prevent exploitation to that vulnerability.  Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability.  As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible.  Only Internet Explorer browser versions 6, 7 and 8 are affected by this vulnerability.

Of the seven Microsoft security bulletins released for the January 2013 edition of Patch Tuesday, administrators should look at patching MS13-002 first.  Microsoft has identified a vulnerability in Microsoft XML Core Services.  If an unpatched systems browses to a malicious website, an attacker can gain remote code execution.

The other browsing threat this month that needs attention from administrators is MS13-004.  In this security bulletin, Microsoft is addressing a vulnerability in their .NET software application.  If an unpatched machine browses to a malicious website, an attack can gain elevation of privilege on that machine.

The other critical update this month (MS13-001) addresses a vulnerability in the Windows Print Spooler.  If a machine is set up as a print server, an attacker can send a malicious print job to the machine and gain remote code execution.  Security best practices call for printer servers to reside behind a firewall that only allows internal users to print to the print server.  A most likely attack scenario is for an attacker to already be on the internal network.

And as is becoming a recurring theme, this Patch Tuesday is not just a Microsoft-focused security day.  Several non-Microsoft software vendors have also joined in with releases of their own.

Adobe has released security bulletin APSB13-02 affecting all supported version of Adobe Acrobat and Reader.  This security bulletin is part of their quarterly update for Adobe Acrobat and Reader and was expected.

Adobe also released updates for their Air and Flash Player products.  These updates are security updates were not previously announced (APSB13-01).  With any Adobe Flash Player update, Microsoft and Google update their latest browsers to include the new release of Adobe Flash Player.

Mozilla also released new versions of their products.  Mozilla Firefox 18 are new versions of their product that only contain new features.  Previous versions of the Mozilla products also received updates that contain security fixes.

 

Given that the January 2013 Patch Tuesday does not include a security update for the zero-day Microsoft Internet Explorer vulnerability, there is a good chance we will see an out-of-band update from Microsoft before the February 2013 Patch Tuesday.  Microsoft will continue to monitor the threat landscape and decide if this zero-day vulnerability warrants and out-of-band release.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 1/4/2013

Patching quietly came to an end for 2012, and 2013 is starting off with a bang.  Here is a quick recap of the happenings in patch management this first week of the New Year:

On Wednesday, a new version of CDBurnerXP was released with version 4.5.0.3717.  This new version is a non-security update.  On Friday, Google released a non-security update for their Picasa program with version 3.9.136.120.

Microsoft announced their January 2013 Patch Tuesday Advance Notification.  You can read my write up here on the upcoming Patch Tuesday notification details.  In addition to the seven Microsoft security bulletins being released next Tuesday, there are quite a few non-Microsoft patches expected to be released as well.

Adobe announced they will be releasing updates for their Adobe Reader and Adobe Acrobat programs (versions 9/10/11).  These updates are rated as critical and are part of their quarterly update for Adobe Acrobat and Reader, which falls on this January Patch Tuesday.

In addition, Mozilla is lining up to release updates as well for their products.  You can expect updates for their Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey products.

On Microsoft’s preannouncement page for upcoming non-security updates, they have listed Adobe Flash Player for Internet Explorer 10.  With this in mind, expect updates from Adobe for Adobe Flash Player and Google Chrome on Patch Tuesday.  With every Adobe Flash Player release, Microsoft and Google update their browsers to supply the latest version of the Flash Player program.

On the Microsoft Security Advisory front, Microsoft released a new security advisory on Thursday.  Microsoft Security Advisory 2798897 addresses issues with fraudulent digital certificates.  This security advisory places the offending certificates in the untrusted certificate store on systems.  In June 2012, Microsoft released a tool that will run on systems and quickly moves revoked certificates to the untrusted certificate stores.  This tool aids administrators that want an easy and quick way to update certificate issues Microsoft finds.  This tool can be downloaded here.  For those that do not want to use the tool, Microsoft has provided patches for this certificate issue that can be applied to systems.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

Until Patch Tuesday, Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Advanced Notification

To ring in the New Year, Microsoft has announced their January 2013 advanced notification for Patch Tuesday.  The January 2013 edition of Patch Tuesday will be bringing seven security bulletins addressing 12 vulnerabilities.

Security Bulletin Breakdown:

  • 2 bulletins are rated as Critical
  • 5 bulletins are rated as Important
  • 2 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
  • 1 bulletin addressing a vulnerability that could lead to Security Feature Bypass
  • 1 bulletin addressing a vulnerability that could lead to Denial of Service

Affected Products:

  • All supported Microsoft operating systems
  • Microsoft Office 2003, 2007
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft Expression Web, Web 2
  • Microsoft SharePoint Server 2007
  • Microsoft System Center Operations Manager 2007, 2007 R2

If Adobe sticks to their previous release schedule, this Patch Tuesday will also include security updates for Adobe Acrobat and Reader during their quarterly update.  Adobe stated earlier this year that they were moving to a more standard cadence on Patch Tuesdays when necessary.  We could very well be seeing Adobe updates as the last time Adobe Acrobat and Adobe Reader were patched was during the October 2012 Patch Tuesday.

Mozilla is also on track to release an update for their Firefox browser during the week of Patch Tuesday with version 18.  Typically, Mozilla releases on the same day as Microsoft’s Patch Tuesday when their release cycle is during that week.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller