Different vendor perspectives on security and vulnerabilities. Which is right? You decide.


We rely on a lot of software in this highly connected world. We have things such as The Internet of Things, BYOD, Shadow IT. All of these trendy phrases mean we have a lot more riding on the software vendors that provide our connected world, but what are their views on security? By taking a look at some recent press you can start to paint a picture on some of the different perspectives that vendors have on security.

First, let’s take a look at Microsoft. Microsoft has a large following around Patch Tuesday and there is a lot of press and awareness about their security updates. They provide strong recommendations that updates should be applied on a regular basis. Microsoft also has a series of advisories they put out regarding issues that exist when no update has yet to be released. This proactive approach, and open disclosure about the risks to their customers, has been applauded by many, but also brings Microsoft under the gun when things go sour. This year, there have been a few patches that were either pulled or postponed due to quality issues.

For example, a recent Secure Channel (Schannel) update resolved a critical issue that experts say would be an enticing target for hackers. The update, however, has some known issues and has caused problems when applied to some systems. Despite these problems, Microsoft urged the update be applied as soon as possible. This article discusses the update and the impact of the known issues. What is the key take-away from this? That Microsoft prefers full disclosure when it comes to security issues.

Apple, on the other hand, has typically had a very closed-mouth take on security. Updates are typically released without much fanfare. When asked directly about security-related issues, they tend to deny an issue, or play it down, until a fix is available. They tend to lean more towards security by obscurity, or play down issues to be less than they are. While saying less, and preventing as many facts from being released as possible, may prevent some hackers from finding leads to where and what they can exploit, it has brought some scrutiny on Apple.

In this article, Apple addresses the ‘Masque Attack’ and plays it down, saying customers are safe. While Apple’s statement about the risk of exploit coming from third party sources may be true, the majority of exploits on any platform have some form of social engineering involved. The user is the weakest link in many exploits that occur. The Team at FireEye definitely stress a lot more concern than Apple regarding this form of exploit.

A third perspective is the vendor who is providing an application that is used by millions and is quite popular. Many other vendors fall into this category as well. The social media apps that are such an addiction for today’s culture often overlook security. The promises made by these vendors are taken at face value, but are they being met?

Snapchat recently had some issues that were in the news. ‘The Snappening’ was an attack dubbed by 4chan users, which ended up with over 100,000 pictures being captured and shared across the web. This included many questionable photos of a lot of minors. Snapchat has been criticized for misleading users about personal information privacy. The way Snapchat is designed has allowed third party developers to enhance the Snapchat experience, but the design also allowed account information and photos to be stolen. Snapchat’s response? Ban any accounts that utilize a third party app.

So what is the hypothetical result? An account is created by a hacker, the hacker gets x amount of hours exploiting the weaknesses in the Snapchat API, gets some amount of data (accountpersonal info, pictures), then is banned. The hacker then starts the process over again. They create software to replicate the process of creating an account and going through the process over and over. How well do we think this will play out? Kids, nothing ever really goes away. Conduct yourself in all things on the Internet as if you were standing in front of a crowd. You never know where it may end up.

So we have three perspectives on software security. You can argue the benefits and deficits to each (and there are continuing arguments). Which do you feel is right? Which do you feel is effective? Let us know.



Shavlik in the news- November Patch Tuesday(s)

478641227If you follow patching news, you are well aware that this month was somewhat of an abnormality. As we covered in a previous blog post, this month’s Patch Tuesday was the biggest this year with 16, and only 14 were released on the regular Patch Tuesday. An additional patch was released out-of-band this week and also received quite a bit of attention.

As an authority on Patching, Shavlik is often quoted in the press, and this month was no exception. Our own Chris Goettl was quoted in a variety of outlets, including KrebsOnSecurity, Computerworld, Network World, CIO, CNET, CSO, and internationally at The Register and The Inquirer.

In case you haven’t had a chance to read up on the news yet, here are links to a selection of the articles that include information from Shavlik:

Krebs On Security- Microsoft Releases Emergency Security Update

Krebs On SecurityAdobe, Microsoft Issue Critical Security Fixes

CSOMicrosoft patches Kerberos vulnerability with emergency update

Network World- Patch Tuesday: 16 security advisories, 5 critical for Windows

The RegisterMicrosoft warns of super-sized Patch Tuesday next week

CNET- Microsoft plans big Patch Tuesday this month with 16 bug fixes

ComputerworldMicrosoft releases emergency patch to stymie Windows Server attacks

SearchSecurity- Microsoft addresses Kerberos security flaw with critical out-of-band patch

Each month, we review the Microsoft and third-party releases for Patch Tuesday in a webcast, which occurs the day after the announcements are made. Our next webcast is scheduled for Wednesday, December 10 at 11:00am ET/8:00am PT. If you’d like to attend, you can register here. To view our other recent and upcoming webinars, including a recording of this month’s patch Tuesday webcast, you can find that information here.

November Patch Day Round-Up

ShavlikSecurityNovember Patch Tuesday was the biggest this year with 16 announced, but Microsoft only released 14 on Patch Tuesday and today we step up to 15 updates.  As you may recall, two of the updates were not pulled from November, but marked as “Release date to be determined”.  Well today is the day for MS14-068.  Microsoft announced the Critical OS patch this morning.  This update for Kerberos should make its way into your deployment plan if possible.

So if we run down the list of everything that will be touched this month when you patch, here is what will receive updates: All Windows OSs, All versions of IE, MSXML, .NET Framework, IIS (for specific OSs), RDP, Office, Sharepoint, AD Federation Services, and there is still the Exchange patch with a release date TBD.  Aside from Microsoft there is the Adobe Flash update which resolved 18 vulnerabilities and there is an corresponding IE Advisory and Chrome release to update the Flash plugin.

Known issues to look out for:

  • There is an issue with the IE Cumulative and EMET that you will want to watch out for and rising concerns over how bad the Schannel (MS14-066) update really is.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) – This update is rated Critical by Microsoft and resolves two privately reported vulnerabilities in Windows OLE.  One of the vulnerabilities resolved has been exploited in the wild (CVE-2014-6352) with an exploit known as ‘Sandworm’.  The attack was targeted at NATO PC’s through a specially crafted PowerPoint file.
  • MS14-065: Cumulative Security Update for Internet Explorer (3003057) – This update is rated Critical by Microsoft and resolves 17 vulnerabilities in Internet Explorer.  Many of the vulnerabilities resolved are memory related, continuing a trend we have been seeing since June of this year.  So far there is at least one known issue with this update.  If you are running IE11 and EMET on Windows 7 or 8.1, you will also need to update EMET to version 5.1 which released this month as well.
  • MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) – This update is rated as Critical by Microsoft and resolves one vulnerability.  The issues resolved are being compared to the Heartbleed OpenSSL vulnerability as far as severity of the issue.  Although Microsoft has not received information to indicate this vulnerability has been publicly disclosed, the recommendation is to roll this update out ASAP.  If a worm or mass botnet were developed to exploit this vulnerability the expected could be significant.
  • MS14-067: Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958) – This update is rated as Critical and resolves one privately reported vulnerability in XML Core Services.  An attacker could create specially crafted web content to exploit this vulnerability allowing the execution of code on the system exposed.
  • MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) – This update has been rated as Critical by Microsoft.  This update was postponed on Patch Tuesday, but was not pulled from the November release.  Well, it released today.  The vulnerability is in Kerberos and affects all Windows Operating Systems currently under support.  It resolves one privately reported vulnerability in Kerberos KDC, which could allow Elevation of Privilege.  The attacker must have a valid domain user account, but with that user account they can forge a Kerberos ticket that will allow them to claim they are a domain administrator.  From there they can do pretty much what they want from creating accounts to installing software and deleting or changing data.  They will have access to your network as a Domain Administrator.  The update should be worked into your deployment plan this month as the vulnerabilities resolved are severe enough to warrant some urgency.
  • APSB14-24: Security updates available for Adobe Flash Player – This update is a Priority 1 update from Adobe resolving 18 vulnerabilities across many types of attack vectors.  You will have OS and browser updates to completely resolve these vulnerabilities.  This is for Flash on the OS.
  • MSAF-032: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – This Advisory is not rated by Microsoft, but following the Adobe rating of Priority 1, this update is recommend to push as soon as possible.  This update resolve allows Internet Explorer to run the latest Adobe Flash release resolving the 18 vulnerabilities.
  • CHROME-116: Chrome 38.0.2125.122 – This update is not rated by Google as it resolves no known vulnerabilities in Chrome.  This update does provide support for the Adobe Flash release.  Again the severity here should be based on the Priority 1 that Adobe has set and should be rolled out as soon as possible to ensure all parts of Flash are updated preventing any exposure to these risks.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-069: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710) – This update is rated as important and resolves three privately reported vulnerabilities in Microsoft Office.  An attacker could create specially crafted content to exploit these vulnerabilities allowing them to execute remote code.
  • MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) – This update is rated as Important and resolves one privately reported vulnerability in Windows Server 2003 which could allow an attacker to exploit a vulnerability in TCPIP, which could lead to an Elevation of Privilege attack.
  • MS14-071: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) – This update is rated as important and resolves one privately reported vulnerability in Windows Audio Service, which could allow Elevation of Privilege.
  • MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) – This update is rated as Important and resolves one privately reported vulnerability in .NET Framework which could allow Elevation of Privilege.
  • MS14-073: Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)  – This update is rated as Important and resolves one privately reported vulnerability in SharePoint Foundation, which could allow Elevation of Privilege.
  • MS14-074: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743) –  This update resolves one privately reported vulnerability in Remote Desktop Protocol, which could allow Security Feature Bypass.
  • MS14-075: “Release date to be determined”.  Likely before December Patch Tuesday if MS14-068’s release today is any indication.
  • MS14-076: Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998) – This update resolves a privately reported vulnerability in Internet Information Services, which could allow Security Feature Bypass.
  • MS14-077: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) – This update resolves one privately reported vulnerability in Active Directory Federation Services, which could allow Information Disclosure.

Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):

  • MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (3005210) – This update resolves one privately reported vulnerability in IME Japanese, which could allow for Elevation of Privilege.  The mitigating circumstances reduces the potential risk extensively, but this was discovered in the wild, so it has been publicly disclosed.
  • MS14-079: Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885) –  This update resolves one privately reported vulnerability in Kernel Mode Driver, which could allow a Denial of Service attack.  The steps to exploit this vulnerability would require the attacker to put specially crafted TrueType font on a network share and require a user to navigate to it and open to exploit.  Chances are the attacker would find easier ways to exploit an environment so this is less likely to occur.



Shavlik Patch 2.1 Makes 3rd-Party Patching With SCCM Even Easier

PatchWithoutBorderShavlik is proud to announce today’s release of Shavlik Patch for Microsoft System Center 2.1.

This is the second Shavlik Patch release this year, and it represents yet another quantum leap towards making third-party application patching within SCCM easy.

Shavlik Patch 2.1 focuses on five core areas: setup and configuration, automation, core patching capabilities, ease of use and globalization.

  • Setup and Configuration – Our new configuration checker allows you to verify that your SCCM environment is ready to publish and deploy third-party patches. It’s easy for application versions, credentials, and certificates to get out of sync. No problem; the configuration checker will point you to discrepancies in your environment, so you don’t have to guess where the problem exists.
  • Automation – With Shavlik Patch 2.1, you can create and save filters that allow you to control which applications, which vendors, and which individual updates you publish for a timeframe of your choice. For example, say you want to publish all Adobe updates, Oracle Java and Chrome updates, within the last 30 days. You can now build that filter, view the updates that meet that criteria, and automatically publish them.
  • Core Patch Capabilities – With Shavlik Patch 2.1, we introduce a patch details view that tells you lots of great information about each update. Also, Shavlik Patch now handles superceded patches.
  • Ease of Use – You thought Shavlik Patch 2.0 was easy; well, it just got better. Shavlik Patch 2.1 introduces authenticating proxy support, the ability to run scheduled jobs as a different user, and the ability to choose, hide and reorder columns in the updates view.
  • Globalization – Shavlik Patch is now available in 11 languages. Additionally, you can also view translated versions of our User’s Guide. Hablas Espanol? Great, so does Shavlik Patch.

Now, being the seasoned SCCM admin that you are, you’re probably thinking, “Wow, that’s cool, but I won’t be able to use it for six months because it’ll take that long to get it working in my environment.”

Umm…no. Here’s the directions for upgrading Shavlik Patch from 2.0 to 2.1 (no kidding check out our User’s Guide).

  • Close SCCM
  • Download the latest version of Shavlik Patch from www.shavlik.com/downloads
  • Install the Shavlik Patch exe
  • Open SCCM

That’s it! All of your configuration settings, filters, and registration info will still be there. We don’t mess with anything in your SCCM database. You can be up and running on Shavlik Patch 2.1 in about five minutes.

With today’s release, Shavlik has also announced the end of life for Shavlik Patch 2.0 on December 1, 2015. We encourage all customers to upgrade to 2.1 at your earliest convenience. Pro tip – there’s lots of great stuff in 2.1.

For more information about today’s release, please join us for one of our Shavlik Patch 2.1 release webinars.

If you are using Shavlik Patch today, please join us for this webinar.

Patch Like a Pro! New Shavlik Patch for Microsoft System Center 2.1 | Wednesday, November 18, 2014 10:00 am CST | Register Now

If you are new to Shavlik Patch, please join us for this webinar.

Why Break SCCM? Get Third-Party Application Patching Without Additional Infrastructure | Wednesday, November 13, 2014 10:00 am CST | Register Now

Tune in later this week as I continue to share more insights on the latest release of Shavlik Patch and how this solution sets itself apart from other third-party patch add-on’s for SCCM.

Shavlik Patch 2.1: When a Good Thing Gets Even Better

477569935Have you ever had the experience where a product you like and use on a regular basis gets better? For most of us, it doesn’t happen nearly enough, but when it does it is a very nice surprise. For smartphone users this may happen once a year or so, or every time your favorite vendor releases a new and improved model of your phone. For me, a good example (and this will probably date me) is from years ago when Sony released the PlayStation 2. It was SOOO much better than the PlayStation 1 that I had been using and I was just blown away.

Well, for users of Shavlik Patch 2.0, prepare to be blown away. Shavlik will soon announce the availability of Shavlik Patch 2.1, a new and improved version of our popular add-in to Microsoft’s SCCM that allows you to publish updates for third-party vendors and for legacy Microsoft products. I can’t give you too many details just yet, but in advance of the release, let me pull back the curtain just a bit and give you a sneak peek at some of the many new features in Shavlik Patch 2.1.

  • Improved Configuration Capabilities: No more guessing, crossing your fingers, and hoping that you meet all the implementation requirements. The next release will be able to tell you exactly what is needed in order to get Shavlik Patch up and running in your SCCM environment.
  • Lots of New Functionality: I am really excited about the many new features that will be available in Shavlik Patch 2.1. You will be able to more easily locate updates you want to publish, you will see more information about those updates, and you will have more configuration options if you work in a proxy server environment.
  • Language Support: Shavlik Patch 2.1 will provide support in a couple of different ways for non-English languages. Interested? Stay tuned!

I can’t wait for the official list of new features to become available next week. I know that Shavlik Patch 2.0 users will be blown away, just like I was years ago by the PS2.

For more information, go to www.shavlik.com/webinars and register for these upcoming webinars:

Patch Tuesday Advanced Notification November 2014

Bunker BlogIt looks like this is going to be the biggest month yet for Microsoft, as it has announced 16 bulletins. This is the highest bulletin count we have seen from Microsoft this year. August and May each had nine bulletins. Nothing has come close to this until now for this year. Of the 16 bulletins announced, five are critical.

We can most likely expect bulletin 2 to be a continuation of the IE Critical update trend, which is likely to resolve more than 10 vulnerabilities relating to memory leaks, corruption, etc. This is a trend we have seen since June of this year and we have no reason to not expect this to be the case.

There is still the Security Advisory 3010060 (CVE-2014-6352), released on October 21, regarding the vulnerability in Microsoft OLE, that has not been patched, which was leading to attacks in the wild for Excel and PowerPoint. It is possible that two of the updates could apply to this vulnerability. Bulletin 6 for Office could be resolving part of the vulnerability and likely one of the critical windows patches is resolving the OS level.

Although Microsoft usually staggers its patches, alternating between OS and app updates, it looks like nearly all machines will have at least a few critical updates to apply, including .NET Framework, Office 2007, Exchange and SharePoint. Exchange and SharePoint being in the mix means that there will be a need for some thorough testing before rolling out updates. .NET Framework also is getting an update this month, which usually means a little longer time on the maintenance window as those patches tend to take a little longer than the average OS patch to install.

Microsoft is making bulletins 1, 2, 4, and 5 available for the Windows Technical Preview and Windows Server Technical Preview, which means that Windows 10 and Server Previews will have updates available. It would be a good idea to run this and see how well the patches apply. The updates will be available through Windows Update and Microsoft is encouraging people to apply them.

On the non-Microsoft front, there is a high likelihood for an Adobe Flash update this Patch Tuesday. So far this year, we have seen Flash release on all but one Patch Tuesday. With that, you can expect an IE Advisory to update the plug-in, as well as a Google Chrome release for the same reason.

Microsoft Security Bulletins:

  • 5 bulletins are rated as Critical.
  • 8 bulletins are rated as Important
  • 2 bulletin is rated as Moderate

Vulnerability Impact:

  • 5 bulletins address vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in Security Feature Bypass.
  • 7 bulletins address vulnerabilities which could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability which could lead to Information Disclosure.
  • 1 bulletin addresses a vulnerability which could lead to a Denial of Service attack.

Affected Products:

  • All supported Windows Operating Systems (Including the Technical Previews!)
  • All supported Internet Explorer versions.
  • Microsoft .Net Framework
  • Microsoft Office 2007
  • Microsoft SharePoint Server 2010
  • Microsoft Exchange 2007, 2010, and 2013

Join us as we review the Microsoft and third-party releases for November Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, November 12th at 10 a.m. CDT.  We will also discuss other product and patch releases since the October Patch Tuesday.

You can register for the Patch Tuesday webinar here.