This is the first of many “meat and potatoes” blog articles that I will be writing throughout the course of this year. In this article, I am going to talk about one of the most useful, but also one of the most underused and misunderstood, features in Shavlik Protect – distribution servers.
Most of you are familiar with Shavlik Protect and love it for how it simplifies your patch, threat and power management activities. But you may not be familiar with distribution servers, or you may be reluctant to use them because they don’t seem simple to implement. While it’s true that distribution servers add a level of complexity to your administration activities, in many cases they are well worth the effort for the value that they add.
With the Oracle CPU fresh in our minds, I thought this would be a good time to discuss a well-known issue for IT Admins around the world: updating Java only to find it breaks something in your users' environment. More importantly, updating Java only to find that a mission-critical app is broken. Java is running everywhere. It is one of the most popular development languages and is responsible for a significant chunk of the cool web development that has occurred over the past decade. The Java Runtime Environment (JRE), which renders all of the awesomeness that is Java, quickly turned into the bane of many an IT Department.
According to Cisco's 2014 Annual Security Report, Java was involved in 91% of web exploits, and the majority of those exploits targeted versions of Java that were outdated and vulnerabilities that the vendor had already plugged. That is a pretty staggering number and makes one wonder why you would choose to utilize a product that relies on Java. So where does the fault lie? Are Oracle, and Sun before them, to blame for the vulnerability of their development toolkit? To a point, yes, you can say they are responsible, but they also resolve MOST of the known vulnerabilities that are identified in a timely manner (and have improved significantly over time). There is still a bit more blame to go around, however.
You can google 'java upgrade issues,' and you will find ample evidence as to why an IT Admin would be a little gun-shy around a Java update. Firefox, NetScaler, printing issues, and especially Minecraft (heaven forbid!) can all be found on the first page of recent Java upgrade issues. Others that typically occur involve those back-office applications that make the business run. ERP solutions or other critical apps that help you ship product, process orders, etc., could all rely on Java. Break those and you may be talking about an RGE (Resume Generating Event). So, no one party really is to blame here. We have Oracle trying to resolve vulnerabilities in a timely manner and improving on that front. How about the vendors and the companies who are running Java? You may need to evaluate a little closer to home and see why you are not upgrading.
Ask your vendors:
- Does the latest version of their product support the most recent Java updates?
- Do they support updating Java as new versions are released?
- How do they communicate whether the latest Java update will be compatible with the version you are running?
- Are we running the latest version of the vendor's software?
- What are the limitations to upgrading? Customizations that would not be supported after an upgrade, the cost of upgrading, etc.
- What is your exposure by not upgrading?
The IT world is full of exceptions to the rule. For every exception there is some risk. Have you evaluated that risk and have you mitigated your exposure?
Things you can evaluate if you know you have a dependency on an outdated version of Java:
- Are only required users able to access the outdated versions of Java?
- Can the privilege level of the users who need to run on the at-risk machine be reduced to mitigate exposure if certain vulnerabilities are exploited?
- Are the machines running Java able to be virtualized and segmented from parts of the network that have direct Internet access?
- Can you lock down the machine in question so that it only allows access to the one application that needs Java, with all other web browsing, email, etc. blocked?
Oracle has released their quarterly Critical Patch Update. There is a long list of products with updates coming, and at the top of that list from a severity standpoint is Java. With a CVSS base score of 10.0 on some of the vulnerabilities, the 20 new security fixes for Java SE are definitely in need of some immediate attention. All 20 of the vulnerabilities in Java could be remotely exploited without authentication, meaning they are exploitable over a network without the need for a username and password.
Oracle Database Server may only have 5 vulnerabilities being resolved, but one or more of those have a CVSS base score of 9.0. Several other products like Fusion, Virtualization, and Retail Applications have CVSS base scores of 7.5, and the rest start to fall steadily from there, but one fairly common theme is remote exploitability without the need for authentication. Companies running a lot of Oracle software should take some time on Tuesday to review what solutions they have and where they are deployed, to see if immediate action is necessary. Again, for Java, the urgency is going to be far greater. If you don't have a breaking dependency on a specific version, it would be a good idea to roll it out ASAP.
With Oracle's CPU today, Java should be added to the top of the priorities list this month. Three updates in particular should be considered a top priority as you are conducting your monthly maintenance: Flash Player, the IE Cumulative Update, and Oracle Java. The July Patch Tuesday update to IE, which resolves 23 memory corruption vulnerabilities, one of which was publicly disclosed, appears to be a continuation of the very large IE Cumulative Update from June, which had over 50 fixes for memory corruption vulnerabilities. The Adobe Flash Player update resolves three vulnerabilities that allow an attacker to bypass security features. Adobe Flash has had a critical release every month in 2014, and on Patch Tuesday for six of seven months. It is looking to be a permanent fixture for IT Admins to prioritize each month. If you haven't been keeping it up to date, there is ample cause to do so.
Microsoft has announced this month's Patch Tuesday release. It looks pretty clean at first glance: IE with a lot of OS patches and likely nothing all that complex. The one thing to watch for will be the possibility of more dependencies. For those running Windows 8.1 or Server 2012 R2, make sure you are prioritizing the rollout of Update 1. Next month is the cut-off, after Microsoft extended the deadline for Update 1, which is required for continued patch support on those platforms. There are 6 total patches expected to be released on Tuesday, July 8th. Here is the breakdown for this month:
- 2 bulletins are rated as Critical.
- 3 bulletins are rated as Important.
- 1 bulletin is rated as Moderate.
- 2 bulletins address vulnerabilities that could allow Remote Code Execution.
- 3 bulletins address vulnerabilities that could allow Elevation of Privileges.
- 1 bulletin addresses a vulnerability that could lead to Denial of Service.
- All supported Windows operating systems
- All supported Internet Explorer versions
Join us as we review the Microsoft and third-party releases for June Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, July 9th at 11 a.m. CDT. We will also discuss other product and patch releases since the May Patch Tuesday.
You can register for the Patch Tuesday webinar here.
Hi everyone, and welcome to my corner of the world at Shavlik. For those who don’t know me, I am a technical communicator at Shavlik and I’ve been providing documentation for Shavlik products for more years than I care to admit. I’ve been with the company for all these years because the people and the products are simply the best!
When I was offered the opportunity to write a series of blog articles, I jumped at the chance. I am not in marketing so I won’t be writing flowery prose about our products. Rather, I would like to use this forum to provide some real meat and potatoes material, information you can use right now to improve the way you use our wonderful products. Sort of like those “The More You Know” public service announcements you see on TV.