I don’t think anyone will deny that Windows XP was expected to become a target after the EOL, but we couldn’t even make it to the first patch Tuesday after the EOL of Windows XP before a Critical IE Zero Day was discovered. On Saturday April 26th, Microsoft announced Security Advisory 2963983 in response to attacks discovered in the wild against IE 9, 10, and 11. The vulnerability also affects IE 6, 7, and 8, so those users still running on Windows XP systems are vulnerable to this Zero Day.
We recently caught up with the Shavlik technical support team to learn more about its role in solving customer issues with Shavlik products and services. The Backline Support team, which includes Chase Norton, Adam Gindt, and Charles Winning, has built a strong support staff as well as a lively online community of Shavlik users, who help each other through peer-to-peer questions and use cases.
Q: Can you tell us more about how you help customers find the support they need?
We are one week past April Patch Tuesday. Taking a look back, XP’s End-of-Life may have been overshadowed a bit with Heartbleed and Update 1 for Windows 8.1 and Server 2012 R2. Let’s start off by recapping Patch Day.
For those of you who caught our Patch Day webinar (playback found here), you may recall the recommendations we gave. High priority on MS14-017 (plugs publicly disclosed Word vulnerability) and MS14-018 (IE Cumulative which also happens to be Update 1 for 8.1 and 2012 R2 systems). These two updates are Critical and plug a number of vulnerabilities. While still important, the other two Microsoft updates are a bit overshadowed by the 3rd Party updates for Adobe Flash and Google Chrome that released on Patch Day as well. These two updates are also a high priority this month resolving 35 total vulnerabilities between the two of them. That is triple the vulnerabilities resolved by the 4 Microsoft updates this month.
Let’s take a closer look at MS14-018. When assessing machines you will see one missing patch on most systems, but for 8.1 and 2012 R2 you will see the missing IE patch and 5 additional updates that make up Update 1 with the biggest and most important being KB2919355. Without this last one you will not be getting the next round of OS updates on 8.1 or 2012 R2. Our sources have confirmed what Microsoft stated in their blog on April 10th, that newer patches will apply to 8.1 and 2012 R2 only if they have Update 1 applied. By the way, you will not see or be able to install 2919355 unless you have applied an important non-security update 2919442 (MSWU-905) as well. In our Content release on 4/15 we changed the designation of MSWU-905 from Non-Security to Security to ensure the majority of Protect users will see this patch and deploy it so 2919355 will be applicable to the system.
Now, you may have seen a lot of press around Update 1 causing issues on systems. The biggest was impacting WSUS 3.2 if running in specific configurations. This will NOT affect Shavlik Protect customers as we have no reliance on WSUS 3.2. Other issues identified seemed to be around properly licensed systems and got more obscure from there. Microsoft will be releasing fixes for these issues possibly later today. A fix for the WSUS 3.2 issues (2959977) appeared yesterday, but a patch did not release. It will likely release soon. Recommendation for our customers, get Update 1 applied before May Patch Tuesday, but make sure to test the rollout to your environment.
Last week Thursday’s Content Release was Non-Security related. There were many updates released, but nothing of a Security nature. Yesterday, however, Oracle released a Critical Update for Java 7 update 55. This update plugs 37 vulnerabilities, 4 of which were given CVSS scores of 10.0 which is the highest you can get. This should be added to your priority list for this month.
Overshadowing everything this month is the OpenSSL vulnerability Heartbleed, which has quickly become a household name. MPR, radio commercials, notifications to home users regarding services they use, pretty much everyone has now heard of Heartbleed. Many vendors are still investigating their product portfolios to see how far reaching this vulnerability affects them. As I posted last week on the Shavlik Blog, Protect customers, our products and services are covered, so you have nothing to worry about. Evaluate all products running in your environments. Check with your vendors as they are posting details around products and versions affected. VMware, Oracle, and many others are still investigating some product lines, but most are identified as being vulnerable or not. For VMware, the only version of the Hypervisor affected is ESXi 5.5. Protect customers can upgrade to Protect 9.1 later next week when we make it available via an Early Access release, which will support updates on ESXi 5.5. ESXi versions 5.1 and earlier, supported by Protect 9.0, are not affected.
…Guest blogger and Shavlik Product Evangelist John Rush shares his insights on the age old question in Patch Management – “Is patching with WSUS enough to keep my systems up-to-date and secure?”…
“Why is important to use something other than WSUS for Patch Management? Three words – third-party software.
WSUS does not have the metadata for anything other than Microsoft updates. This means that organizations using WSUS are having to create custom update content and scripts to patch third-party applications or having to let the auto-updater manage the updates and re-boots.
Our customers tell us it takes 4-6 hours to research, package, script, and deploy a custom Adobe patch, and the updates come out so often they never have a chance to fully catch up.
Third-party applications are the “other than Microsoft” applications used in the enterprise. These include the big three of Adobe, Java, and Mozilla. There are more updates for these applications than there are for the Microsoft Operating System. In fact according to the National Vulnerability Database, 86% of reported vulnerabilities come from third-party applications; however, most organizations are allowing the auto-updaters for these applications to run and auto-patch.
Why is this bad? Two big reasons come to mind.
‘What’s it gonna break?’ Every update has the potential to be an application breaker. It happened recently; a certain database application stopped working when a Java update was applied.
‘Does everyone have the necessary “rights” to install the updates?’ If not, it is going to generate a help ticket, and someone is going to have to ‘touch’ that machine to get it updated.
So how can you solve this problem?
Download the free trial of Shavlik Protect and see how you can easily assess, deploy, and report missing patches on your machines for both Microsoft and third-party applications. Here is a list of the supported third party applications.”
By now you have likely heard of a vulnerability with OpenSSL that has been dubbed Heartbleed. This vulnerability can allow an attacker to remotely gain access to sensitive information on services that use vulnerable versions of OpenSSL. We did a self assessment here at Shavlik and we can confirm for our customers that Shavlik Products and Webservices are NOT vulnerable to this issue. Yay!
Now, that being said, what does this mean for you on a personal level? How does this affect your bankbrokerage sites, the social media sites you use, pretty much any web site or service you login to? Check out this list which covers a lot of the big names you will be concerned about. Good news is the major banks and brokerages are covered (collective sigh of relief). Facebook and Gmail were exposed, but have since plugged the vulnerability. You should change your Facebook password to be safe, but Google is standing firm and confident in their speed to plug to gap and suggest that their users should not have to. Use your discretion there.
Also remember your kids. Got some snapchatters in the family? DON’T CLICK THE SMOOTHIE NO MATTER HOW GOOD IT LOOKS!!! If you did, or if your friends are getting smoothie related pictures from you, change your password. Snapchat has reportedly made some changes to secure accounts, but better to be safe than sorry.
If you are not sure of sites or services you use and they are not on the list above the best methods to find out if they are exposed it to Google the productservice + heartbleed (pretty much everybody is talking about this) or use one of these sites to test the site or service you are concerned about.
For those of you running a known vulnerable version of OpenSSL there is guidance on a workaround and a patch available. Check out the Heartbleed.com page for full details about the bug, affected versions, workarounds, and more.
Microsoft has announced this month’s Patch Tuesday release. There are 4 total patches expected to be released on Tuesday, April 8th. With this Patch Tuesday we also say farewell to Windows XP and Office 2003 support. Microsoft has reached the End of Life for these two products. All in all a seemingly light April for Microsoft Patching, but I think the first two bulletins will be concerning enough. Likely bulletin 1 will be resolving a known vulnerability in Office that is currently being exploited in the wild (Security Advisory 2953095). You will want to pay special attention to the 3rd Party updates that released in between March and April. March’s Pwn2Own conference was held on March 12-13th and a number of browser and high profile product exploits were displayed at the conference netting a $850k in bounties. Products such as Adobe Flash and Reader, IE, Firefox, and Safari were all successfully exploited during the event. We may see a few more on Patch Tuesday yet as well. Back to Patch Tuesday, here is the breakdown for this month:
- Two bulletins are rated as Critical.
- Two bulletins are rated as Important.
- Four bulletins address vulnerabilities that could allow Remote Code Execution.
- All supported Windows operating systems
- All supported Internet Explorer versions
- All supported versions of Office
Join us as we review the Microsoft and third-party releases for April Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, April 9th at 11 a.m. CST. We will also discuss other product and patch releases since the February Patch Tuesday.
You can register for the Patch Tuesday webinar here.
This is a follow up to a post I made a while back where we took a look at some of the security risks identified by Gartner and some of the Features of Shavlik Protect that can help you reduce these risks. Today we will talk about a couple more of the items.
3 Utilize snapshots for rollback.
Vendors have gotten much better about turning out a stable patch, but it is always good to have an insurance policy. Shavlik Protect supports rollback for patches that the vendor supports rollback. In cases where the vendor does not support rollback the ability to snapshot a virtual machine before executing patches introduces a better and easier way to support rollback. Protect has the ability to snapshot vSphere VMs before andor after patch deployments. This snapshot can be reverted to very quickly and rolls back to the state before execution. Most customers I speak to are concerned that they can revert if needed, but most don’t have to do this often. This is configurable in the Deployment Template under the Hosted VMs/Templates tab.
4 Updating VMware Tools.
One of the most important components to ensure is being updated in your vSphere environment is the VMware Tools. This is the interface between the VM and the infrastructure for many VMware and 3rd party products. Many vSphere admins think their tools are up to date because the summary for that machine shows it is up to date. In fact that is only valid if you applied the latest VM Tools updates to your hypervisor. Then there is a delay and often a reboot required until the status for that VM updates to show it is now out of date. Now you need to update to the latest tools by having them run on VM startup which requires user intervention or by python script through some other means. Throw in a cluster of hypervisors all on different versions and different versions of the tools and it gets to be a real mess. The good news is there is a better way. VMware has made their tools all backward compatible. You can push the latest version of the 5.5 tools to your VMs regardless of what version each host is running on. Shavlik Protect will detect an install of VMware Tools and update to the latest 5.5 tools. This way you can ensure that as long as you have the one set of tools at the latest version and no new vulnerabilities have been discovered you have a secure version on every VM. This was released as a security patch towards the middle of 2013 and most customers would likely already be updating in this way unless they utilize patch groups to approve what gets deployed. You can read more in our FAQ on updating VMware Tools.
These are some of the basics that can help you ensure you are delivering the same level of security to the virtual infrastructure as you are in your physical infrastructure. It is important to make sure the teams involved are all in agreement and utilizing the tools available, and that policies are up to date and describe the coverage to both the physical and virtual infrastructures. Also evaluate other tools you utilize to ensure they also cover your virtual infrastructure effectively.
We recently caught up with the Shavlik technical sales team to learn more about its role in helping customers make better connections with the Shavlik products and services they are considering or are already using every day. The team, which includes John Rush, Clifton Slater, Ryan Worlten, and Guido Adriaansens, has the customer covered no matter where they are in the world. As you will see, this is a unique gathering of talent. The team even includes a former customer that believed so strongly in Shavlik that they came on board!
Q: Can you tell us more about how you help customers learn about Shavlik?
A: Sure, through our sales team we help customers connect with any learning they might need to help them make a decision about purchasing a product or even brushing up on things they may need to know to help them get the most out of Shavlik products.
Q: Do customers call you or are they put in touch with you?
A: We generally support the sales team. The sales team has a pretty good pulse on our customers. Our sales representatives talk to the customer and find out more about their pain points and what they need to learn. From that initial information we consult both sales team and the customer to recommend the best learning tools to address the issue.
Q: What types of tools do you have at your disposal?
A: The learning opportunities we help build for the client include just about anything the customer could need to help inform them in the sales decision. We walk customers through demonstrations, provide on-site demos, lunch and learn sessions, meet and greets, webinars and online product demos.
Q: What have you learned from your vantage point?
A: We have learned that patch is still puzzling for customers and this is really not a surprise. They are reading about security catastrophes every day and their organizations are working hard to put the right processes in place. They are being asked to do more with less and they face a multitude of moving parts like people leaving, changes within their organizations and a growing list of things to manage.
Q: Are there any common themes you are seeing?
A: We often see customers’ eyes opened to the seriousness of 3rd party patching threats and we are seeing a real growth in questions surrounding the patching of virtual machines.
Q: Any advice for customers?
A: Become a student of security. Don’t just leave it as a task to check off. Shavlik makes things easy so that you can keep up on the latest things you need to learn.
Q: Tell us a little about yourselves:
Meet Guido Adriaansens:
Guido is a Systems Engineer for Shavlik products covering EMEA and located in Amsterdam, The Netherlands but can regularly be found in our UK based office. Apart from his (obvious) interest in IT, Guido enjoys sailing, playing squash, and coaching his daughter’s field hockey team.
Meet Clifton Slater:
Clifton is a Sales Engineer for Shavlik, specializing in the Shavlik suite of products, located in central New Jersey. Clifton is an avid reader of Sci-Fi and Fantasy and a die-hard Pittsburgh Steelers fan, (originally hailing from Pittsburgh).
Meet Ryan Worlton:
Ryan is a Sales Engineer for the Shavlik products, serving the Western region of the US. In his personal time, Ryan loves to be in the outdoors, this spring and summer he plans on spending about 30 days (and nights) in the Utah back country.
Meet John Rush:
John is a Systems Engineer at Shavlik located in St. Paul, Minnesota. John participated in a webinar covering SCCM, see it here.