CVE-ID Syntax change coming, urgent Protect update available!

Bunker Blog

There have been an incredibly large number of vulnerabilities this year, which unfortunately is going to force a syntax change in MITRE's CVE-ID. The current syntax maxes out at 9,999 vulnerabilities, so the change is to allow additional digits. When the CVE count breaks 10,000, MITRE will add an extra digit onto the end of its CVE-IDs. The resulting CVE change will drive a change in how we import content for Shavlik Protect 9.1 and 9.0.

The deadline for the change is January 15, 2015, but due to the high volume of vulnerabilities released this year the format change may be forced upon us early. We have released an update for Protect 9.1 and are working on the Protect 9.0 update to prevent the format change from causing issues. The patch prevents the import of new content from failing, sparing our customers an inconvenience. Protect 9.1 Patch 2 is available now and Protect 9.0 Patch 2 will follow in the next couple of weeks. Although the updates do not include a security fix, this is a critical bug fix with a ticking timer.
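As an added illustration (not Shavlik's or MITRE's own code), the Python below contrasts a fixed-width CVE-ID parser of the kind that breaks at CVE-2014-10000 with one that accepts the revised variable-length syntax, and shows why IDs must be sorted numerically once the sequence field can vary in length. The importer functions and the sample feed are constructed for this example.

```python
import re

# Pre-change pattern: exactly four digits in the sequence field. This is a
# constructed illustration of a fixed-width importer, not Shavlik's own code.
LEGACY_CVE_PATTERN = re.compile(r"^CVE-(\d{4})-(\d{4})$")

# Revised MITRE syntax: four-digit year, then a sequence number of four or
# more digits with no fixed upper bound (so CVE-2014-10000 becomes legal).
CVE_PATTERN = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id, pattern=CVE_PATTERN):
    """Return (year, sequence) as ints if cve_id matches pattern, else None."""
    match = pattern.match(cve_id.strip().upper())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def cve_sort_key(cve_id):
    """Sort key that orders by numeric sequence rather than by string.

    Plain string sorting puts CVE-2014-10000 before CVE-2014-9999 because
    '1' < '9'; comparing the parsed integers gives the intended order.
    """
    parsed = parse_cve_id(cve_id)
    if parsed is None:
        raise ValueError("not a valid CVE-ID: %r" % cve_id)
    return parsed


def import_content(entries, pattern=CVE_PATTERN):
    """Simulate a content import. Returns (accepted, rejected).

    accepted: list of (cve_id, year, sequence) for entries the parser took
    rejected: list of raw ids the parser refused
    """
    accepted, rejected = [], []
    for entry in entries:
        parsed = parse_cve_id(entry, pattern)
        if parsed is None:
            rejected.append(entry)
        else:
            accepted.append((entry, parsed[0], parsed[1]))
    return accepted, rejected


# Constructed sample feed: two real IDs from this page plus constructed
# five-digit IDs and one malformed entry.
SAMPLE_FEED = [
    "CVE-2014-4114",
    "CVE-2014-4148",
    "CVE-2014-10000",   # constructed: first id needing five digits
    "CVE-2014-12345",   # constructed
    "CVE-2014-123",     # malformed: fewer than four digits
]


if __name__ == "__main__":
    old_ok, old_bad = import_content(SAMPLE_FEED, LEGACY_CVE_PATTERN)
    new_ok, new_bad = import_content(SAMPLE_FEED)
    print("legacy importer rejected:", old_bad)
    print("updated importer rejected:", new_bad)
    print("numeric order:", sorted(SAMPLE_FEED[:4], key=cve_sort_key))
```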

To upgrade, follow the instructions below for your version of Protect.

Upgrade Protect 9.1 to Patch 2:

Upgrade Protect 9.0 to 9.1 Patch 2 or 9.0 Patch 2:

  • (Recommended) If you are on 9.0, you will now see that auto-update to 9.1 Patch 2 is enabled in the product. Click the auto-update link in the bottom right corner of Protect when you open it and it will download the full installer, upgrading you to Protect 9.1 Patch 2.
  • If you are unable to upgrade to Protect 9.1 at this time, we are in the process of releasing a similar fix for Protect 9.0. This update will be coming in a couple of weeks and can be applied very easily to Protect 9.0. The change is entirely database schema related, so no binaries are updated on the Protect 9.0 console.

Please note that if you have not applied Patch 2 for either version, there will be a point in the not too distant future where you may not be able to import new content.  We would like to avoid this as much as you would, so plan for this patch update as soon as possible.


The Shavlik Team

Shavlik Team Enjoys Halloween Celebration

The Shavlik team took some time out today for its annual Halloween celebration. The day started with breakfast treats and moved into a costume contest, pumpkin decorating contest, and finally a group lunch. A good time was had by all (well, except maybe our QA manager).

We hope you all have a wonderful Halloween and avoid being spooked by any security issues.

In the photos below, (top) the Renewals team gets into the Halloween spirit; (2nd) the costume contest finalists; (3rd) two entries into the pumpkin decorating contest; (4th) the pumpkin carving contest winners; (5th) the pumpkin carving contest runners-up; (6th) two Shavlik team members enjoying lunch.




Cloud Security: Thunderbolts and Lightning… very very frightening

I have the pleasure of doing a large volume of phone calls with our customers, consulting with them on various aspects of Information Technology and Information Security.  Recently, a large number of questions have been focused on proper cloud adoption and what goes into cloud security.  With that focus, let’s shed some light onto cloud security and discuss how to evaluate your security posture as it pertains to it.

First off, when you are choosing cloud, you really are taking on two different security postures and positions.  Those are:

  • Your Security:  Since your network is accessing a cloud provider, the security posture of your network comes into play in how that data is securely accessed.  Questions like, “Can someone exploit your internal network to gain access to the cloud provider?” have to be considered.  How much your own security matters with a cloud provider varies depending on the type of provider and the service they are providing.  IaaS and PaaS carry far more risk here than a pure SaaS environment.
  • Their Security:  Beyond your network, the greater risk is an attacker compromising the provider’s network, which would allow someone to make off with your data, and potentially that of your customers.  Depending on the data you store with the cloud provider, this could result in very sensitive information being leaked.

Since the topic of “your security” is very broad, let’s focus on the security of the cloud provider.

In our threat and risk matrix, we break down cloud security into three different buckets:

1) Prevention:  Preventative measures are specifically designed to deter, defend against, and discover a threat coming at a cloud provider before the threat is realized.  In some cases, this takes the form of blocking IPs, patching regularly, and intrusion detection systems that can flag irregular traffic patterns or identify common attacks against the platform as they begin to occur.  A good provider will have some level of prevention up front on their cloud, and will also follow best practice by having their preventative counter-measures tested by themselves and by third parties at regularly scheduled intervals.

2) Detection:  Hopefully the preventative measures are successful and these are never needed, but it’s always a good idea to have detection measures in place too.  Cloud providers that have a robust model for cloud hosting will all have this as a vital component in their stack of threat and risk management.  Detection goes beyond prevention and finds malware or attackers in your environment as they act.  In our case, while we don’t allow things like JavaScript and SQL injection in our code (which we routinely test for as part of our automation as well), we flag when we see users attempting it.  That gives us an inside edge, and it also results in their accounts being instantly shut down while we seek clarification from them as to why the bad input was occurring.

3) Correction:  Finally, where there are security exploits, or a risk diagnosed during the preventative controls, there is correction.  This is the part where we take all of the feedback from people evaluating our products and the risks that we can identify, and proactively feed them back into our coding process and build/architecture process.  This phase ties up all the loose ends to ensure that our risks and threats are constantly managed and mitigated.

With all of the above, a cloud provider should be able to very easily answer the questions for you surrounding the various controls they have in place around prevention, detection, and correction.  If you are satisfied with their answers – they are likely a good provider for you.  If they don’t have all three in place… well, just remember, most gamblers in Vegas end up losing money.


October Patch Tuesday Round-Up


Microsoft had a rough month.  Instead of the nine announced bulletins they released eight.  Of those eight, three updates plugged vulnerabilities that were being exploited in the wild.  An additional Microsoft Security Advisory caused some issues and was pulled from the downloads site.  On the non-Microsoft front, there were releases from Adobe, Google, and Oracle that should be on your high priority list.  Oracle released their quarterly Critical Patch Update, which included many high severity vulnerabilities in Java SE.  Adobe released a Flash Player update, which also caused Internet Explorer and Google Chrome to release updates to support the plug-in.  Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-056: Cumulative Security Update for Internet Explorer (2987107) – This update is rated as Critical by Microsoft and resolves fourteen privately reported vulnerabilities in Internet Explorer which could lead to Remote Code Execution.  The vulnerabilities are all memory-related, and the update changes how IE handles objects in memory to resolve them.  One of the vulnerabilities resolved (CVE-2014-4123) has been exploited in the wild as a sandbox escape.
  • MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) – This update is rated as Critical by Microsoft and resolves three privately reported vulnerabilities in .NET Framework which could lead to Remote Code Execution.  On .NET 4.0 iriParsing is disabled by default, but on .NET 4.5 this feature cannot be disabled.  If you are running .NET 4.5 this is a higher priority.
  • MS14-058: Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) – This update resolves two privately reported vulnerabilities in Microsoft Windows which could lead to Remote Code Execution.  Both of the vulnerabilities (CVE-2014-4148 and CVE-2014-4113) in this bulletin have been reported in targeted attacks in the wild.  The two could be used in concert, but the reported attacks exploited each separately.
  • MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Windows.  Although only rated as Important, this update resolves a vulnerability (CVE-2014-4114) that has been detected in targeted attacks reported in the wild.
  • APSB14-22: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe and resolves three vulnerabilities in Adobe Flash Player.  Two of the vulnerabilities are memory corruption issues and the third is an integer overflow which could lead to Code Execution.  In addition to the Flash Player update there is an IE Security Advisory and a Google Chrome update that need to be deployed to resolve the vulnerabilities in the Flash browser plug-in.
  • MSAF-031: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – This advisory updates Internet Explorer to support the latest Adobe Flash Player plug-in update.  The Flash Player update is a Priority 1 update resolving three vulnerabilities.
  • CHROME-114: Chrome 38.0.2125.104 – This is a High priority update from Google to update the Adobe Flash Player plug-in.  The Flash Player update is a Priority 1 update resolving three vulnerabilities.
  • Java7-71: Java 7 Update 71 – This update is part of the Oracle Critical Patch Update release for Q4.  The release resolves 25 vulnerabilities, 22 of which are exploitable over the network without authentication.  Oracle has rated this update as Critical.  It includes one vulnerability with a CVSS score of 10.0 and several others scored 9.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) – This update resolves one publicly disclosed vulnerability and is rated as Important.  The vulnerability is mitigated by the XSS filters in IE 8, 9, 10, and 11, and workarounds are available to block ActiveX controls for the Local Intranet security zone.  A user would need to be convinced to view a specially crafted website or click a link in an email or Instant Messenger message to be exploited.
  • MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) – This update resolves one privately reported vulnerability and is rated as Important.  An attacker must convince a user to open an attachment or access a specially crafted website.  If exploited the attacker would gain the same user rights as the current user.  Limiting users to less than Administrator user rights can mitigate the exposure if exploited.
  • MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) – This update resolves a publicly disclosed vulnerability in Microsoft Windows and is rated as Important.  The vulnerability is part of the Message Queuing component which is not installed by default.  It must be enabled by a user with Administrator privileges.  An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):

  • MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) – This update resolves one privately reported vulnerability in Microsoft Windows which could lead to Elevation of Privilege.  The attacker must have physical access to the system to be able to exploit the vulnerability.
  • FF14-012: Firefox 33.0 – Mozilla released Firefox 33.  This update does not include security fixes, just new features and bug fixes.

Watch List:

  • MS14-A12: Security Advisory KB 2949927: Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 – The update has been pulled due to issues impacting systems after the update.  Some systems have had to be restored from CD-ROM to recover.  If you have already deployed this advisory you may need to roll it back.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.



No POODLES Allowed! How to Avoid the POODLE Vulnerability


Ever wonder why poodles seem so evil? Maybe it is because of the pretentious haircuts and pink bows. I suppose I would have a mean disposition if someone dressed me up like that every day. Whether you are a fan of the breed or not, I think we can all agree that POODLE is something that none of us would allow. I am referring to the recently discovered SSL 3.0 vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption).

This dog may have teeth and an unfriendly disposition, but it might have more bark than bite.

The issue is at the protocol level, taking advantage of how SSL 3.0 encrypts using CBC-mode cipher suites. I am not a crypto expert, but here is an interesting write-up that explains it in terms that even my rudimentary crypto knowledge can grasp. The solution? Do not allow POODLE. Or more importantly, do not allow SSL 3.0.  This recommendation is already cropping up from vendors and security experts. SSL 3.0 is old and outdated (18+ years). Many vendors and security experts are calling for the end of SSL 3.0, and a couple of your favorite browsers are taking steps in the near future to make this a reality. See posts from both Mozilla and Google hinting at near-term removal of SSL 3.0 support from the popular Firefox and Chrome browsers.


You can start taking steps to remove this threat from your environment and remove the threat from your highest risk users, those who leave the network and do crazy things like connect up to free wi-fi at the airport, coffee shop, etc. Those are the users who are going to be most at risk.

A number of vendors are starting to respond with guidance on how this can be locked down, and all of it is pretty similar: disable SSL 3.0 on the servers and in the browser. Disabling it on either the client or the server prevents the downgrade attack (the connection tries to negotiate a TLS connection but is deliberately downgraded to SSL 3.0 so it can be exploited). If either end refuses the SSL 3.0 protocol, the attack cannot succeed.

Here are some helpful links from some of the large vendors out there. The difficulties will come in for appliances and other devices that do not give much for configuration options.

Microsoft Advisory 3009008 or this KB to disable SSL 3.0 in IIS

Apple has not been too helpful based on the response seen in this community post. Talk to your internet provider? Really?

The guidance to our customers is to disable SSL 3.0 to take the teeth out of this POODLE. The GPO from Microsoft and the registry key in the KB article will allow you to disable SSL 3.0 on your clients and your servers. This does two things. For the clients, you remove the threat of one of your users getting on an unprotected Wi-Fi network and being exposed while connecting to a web service that still allows SSL 3.0. For your servers, you remove the threat of them being the weak link when your customers or clients connect from unprotected Wi-Fi. If both ends of the connection disable SSL 3.0, you have effectively removed the threat.



Patch Tuesday Advanced Notification October 2014

Microsoft has announced 9 bulletins for October 2014, three of which are rated as Critical.  Just a reminder that back in August Microsoft put a hard deadline on implementing the Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, making it so users need to install Update 1 in order to keep their systems updated.

The first bulletin is a Critical update for Internet Explorer.  There is a strong likelihood it will resolve a number of vulnerabilities in the double digits.  Since June we have seen a trend of double digit vulnerabilities regarding Memory Corruption issues in IE.  Expect this to be a high priority to be rolled out ASAP.

The second and third bulletins are also Critical and affect the Windows Operating System and .Net Framework.  Both could allow for remote code execution.

Bulletins four and six affect Microsoft Office.  One is listed as Moderate and one as Important.  Bulletin six also pertains to SharePoint and Office Web Apps.  For Office, these patches will likely fall into the “test adequately and roll out in a timely manner” category.  The SharePoint and Office Web Apps updates will require adequate testing before rolling out.

On top of what looks to be a large Patch Day from Microsoft we will also see Oracle’s quarterly Critical Patch Update next week.  Expect an update for Java that will include a large number of fixes and likely will have some urgency to roll-out.

Adobe is on a solid trend of releasing a Flash update on Patch Tuesday.  So far in 2014 there have been Critical updates to Flash every month, and all but one have fallen on Patch Tuesday.  Expect Flash, and expect it to be a priority.  If it releases, we will see an IE advisory to support the plug-in update.

Also on the Adobe front, a number of issues have been reported on Acrobat Reader 11.0.9.  There is a chance for an update to resolve those issues.  If you have updated to 11.0.9 watch for this.

Google Chrome just had a rather large release, so there is a good chance we will see another Google Chrome update, either to support a potential Flash plug-in update or to address other issues that may arise.

Microsoft Security Bulletins:

  • 3 bulletins are rated as Critical.
  • 1 bulletin is rated as Moderate.
  • 5 bulletins are rated as Important.

Vulnerability Impact:

  • 5 bulletins address vulnerabilities which could allow Remote Code Execution.
  • 1 bulletin addresses vulnerabilities which could result in Security Feature Bypass.
  • 3 bulletins address vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • Microsoft .Net Framework
  • Microsoft Office 2007 and 2010
  • Microsoft SharePoint Server 2010
  • Microsoft Office Web Apps 2010
  • ASP.Net MVC


Join us as we review the Microsoft and third-party releases for October Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, October 15th at 11 a.m. CDT.  We will also discuss other product and patch releases since the September Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Why Break SCCM Just To Add Functionality?

Last week, I had the opportunity to attend the Atlanta Systems Management User Group (atlsmug).  It had some great discussion as well as some really good presentations. One that stuck out to me was Joe Crawford’s presentation titled “Notes from the Field: Why Pull DPs Are Like Pulling Teeth.” He went into some good details about how to leverage the Microsoft System Center Configuration Manager (SCCM) client to pull software packages to distribution points.

The presentation got me thinking. It seems that SCCM admins work hard to make sure they can get what they need from SCCM. It needs to be configured and customized for their environments, which is not all that easy. With large organizations and complex networks, getting SCCM to work properly just to distribute software and updates can be a real challenge.

My interaction with SCCM users shows that many of them did not set up the initial install. Because of the complexity of getting the implementation going from the beginning, one of two things usually happened: they hired a contractor, or they used the server team to get it going.

So why break all of that? Many SCCM add-on products claim to plug into SCCM, but drag with them additional processes, consoles, and infrastructure based on light integration of an existing vendor’s software. They simply have some type of integration point (push or pull data) with SCCM, but are not truly integrated.

Shavlik surveyed SCCM users and found that over 68 percent of those surveyed preferred a completely integrated tool. (Raise hand, turn palm toward forehead, slap.) It seems like a no-brainer, but somehow many software vendors still create tools that add functionality but require you to use their proprietary distribution tools. If you’ve already built your implementation of SCCM to handle all your network segments, remote locations and even remote workers, why get a solution that requires you to install all of that again?

One of the most important functions of SCCM is patch management, and many organizations use it to patch server and client systems but just for the OS or Microsoft applications. With 86 percent of vulnerabilities coming from software outside of the OS and with all the news of retail, healthcare, and now financial security breaches, it’s becoming even more important to patch all of your systems.

Shavlik has provided Shavlik Patch for Microsoft System Centers. Take a look at how we were able to provide you a simple and intuitive add-on for SCCM for third-party application patching. At the Atlanta user group meeting, John Rush did a great job of showing how easy it was to add third-party patching to SCCM without additional infrastructure.

The Communicator’s Corner: Database Maintenance Tool– The Importance of Keeping Your Tools Running at Peak Efficiency

I have a 1997 Acura Integra that I have owned for over 16 years. I am often asked why I still drive such an old car and my answer is always the same: the car is still running great, it gets great gas mileage (34 mpg!), it is still in relatively good condition, so why get rid of it? Now, I am not a gear-head and truth be told I know very little about the mechanical workings of a car. But what I do know is basic maintenance. I am very conscientious about doing the little things that keep the car going, including changing the oil myself on a regular basis. I am convinced that it is the basic maintenance that I do on a consistent basis that keeps this car humming at peak efficiency.

Did you know that you should also perform basic maintenance on Shavlik Protect in order to keep it operating at peak efficiency? It’s true, and we provide you with several tools to do just that. In this blog article I’d like to introduce you to one of those tools, the Database Maintenance tool.

Over time, the SQL database you use with Shavlik Protect can grow quite large and can get bogged down with old data. It is important to perform periodic maintenance on your database so that, like my trusty old car, it continues to hum along at peak efficiency. To help with this, Shavlik provides you with a Database Maintenance tool. It is available from the Shavlik Protect Tools > Operations menu and its purpose is to help you perform maintenance tasks on your SQL database.

Some of the tasks that the Database Maintenance tool enables you to perform are:

  • Delete old scan results that are no longer needed
  • Set limits on the number of scan results to store in the database
  • Rebuild the database indexes after old data is removed
  • Create backup copies of the database and the transaction log

And to make life easier for you, you can create a scheduled job that performs the database maintenance tasks on a regularly scheduled basis. (Refer to my previous blog article, Automated Patching for Busy People, for the importance of simplifying life by using automated tasks.)

Nice, huh?! Interested in learning more? I hope so! You can find out everything you need to know about the Database Maintenance tool in the Shavlik Protect Help system available here: