Just Patching the OS is Worthless

Did the headline grab your attention? Good. Now let’s start talking about real patch management. There are lots of IT folk out there who have great patch management practices, but blatantly miss patching for over 80 percent of the vulnerabilities out there. Don’t believe me? Look at this graph.

[Graph: share of vulnerabilities in third-party applications vs. the operating system, by year]

Our experts at Shavlik looked into the CVE data and the National Vulnerability Database. What they found was that the percentage of vulnerabilities in applications outside the operating system far exceeds the percentage found within it. We compared the data across years to determine whether this was a growing trend. Surprisingly, it was not. You’ll see from the graph that consistently around eighty percent (87% in 2014) of vulnerabilities come from third-party applications, and have for the last 15 years.
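To make the analysis concrete, here is an added Python example (not Shavlik’s code or methodology) that classifies CVE records by the CPE 2.3 “part” of the affected products (a = application, o = operating system, h = hardware) and computes the per-year share that falls outside the OS. The records are constructed and simplified (real NVD feeds wrap this in a larger JSON structure), and the rule that any CVE touching an application counts as an application vulnerability is an assumption of this example; note that under it a Microsoft application such as Internet Explorer is counted outside the OS.

```python
import re
from collections import defaultdict

# Constructed, simplified CVE records for the demonstration (not real NVD
# entries): an id, the year it was published, and CPE 2.3 names of the
# affected products.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "year": 2013, "cpes": ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0002", "year": 2013, "cpes": ["cpe:2.3:a:adobe:flash_player:11.2:*:*:*:*:*:*:*",
                                                      "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0003", "year": 2013, "cpes": ["cpe:2.3:a:oracle:jre:1.7.0:update_25:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0004", "year": 2013, "cpes": ["cpe:2.3:a:mozilla:firefox:22.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0005", "year": 2014, "cpes": ["cpe:2.3:o:apple:mac_os_x:10.9:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0006", "year": 2014, "cpes": ["cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0007", "year": 2014, "cpes": ["cpe:2.3:a:adobe:acrobat_reader:11.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0008", "year": 2014, "cpes": ["cpe:2.3:h:example_vendor:router_x:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0009", "year": 2014, "cpes": []},  # no product data assigned yet
    # A product name containing an escaped colon, to exercise the parser.
    {"id": "CVE-EXAMPLE-0010", "year": 2014, "cpes": ["cpe:2.3:a:example_vendor:tool\\:pro:2.0:*:*:*:*:*:*:*"]},
]

# The eleven components that follow the "cpe:2.3" prefix, in order.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(name):
    """Split a CPE 2.3 formatted string into its named components.

    Colons inside a component are escaped as '\\:', so a plain split on ':'
    would corrupt such names; split on unescaped colons only.
    """
    parts = re.split(r"(?<!\\):", name)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    return dict(zip(CPE23_FIELDS, parts[2:]))


def classify(cve):
    """Bucket a CVE by the kind of product it affects.

    Assumption of this example: a CVE touching any application ('a') counts as
    an application vulnerability, since that is what must be patched outside
    the OS even when an OS version is also listed.
    """
    parts = set()
    for name in cve["cpes"]:
        try:
            parts.add(parse_cpe23(name)["part"])
        except ValueError:
            continue  # skip a malformed name rather than abort the whole run
    if "a" in parts:
        return "application"
    if "o" in parts:
        return "os"
    if "h" in parts:
        return "hardware"
    return "unknown"


def application_share_by_year(cves):
    """Per year: classified CVE count, application CVE count, and the share in percent."""
    counts = defaultdict(lambda: {"os": 0, "application": 0, "hardware": 0})
    for cve in cves:
        bucket = classify(cve)
        if bucket == "unknown":
            continue  # no product data: cannot attribute it, so leave it out of the denominator
        counts[cve["year"]][bucket] += 1
    result = {}
    for year, c in sorted(counts.items()):
        total = sum(c.values())
        result[year] = {
            "total": total,
            "application": c["application"],
            "pct_application": round(100.0 * c["application"] / total, 1),
        }
    return result


if __name__ == "__main__":
    for year, row in application_share_by_year(SAMPLE_CVES).items():
        print("%d: %d of %d CVEs (%.1f%%) are in applications outside the OS"
              % (year, row["application"], row["total"], row["pct_application"]))
```

On a real feed the classification choice matters more than the parsing: a CVE that lists both an application and the OS versions it runs on should be counted once, against the application, or the OS share will be inflated.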

Now that you’ve seen that the majority of vulnerabilities come from third-party applications, why are you still hung up on not patching them? Most organizations have some pretty stringent standards to update Microsoft OS and Microsoft applications, but miss or ignore many of the most problematic applications. Apple, Adobe, Java, and browser applications all add up to the most dangerous, yet easy to solve, security problem in your organization.

IT teams have some concerns around patching these applications. Many concerns have to do with time, expense, and the pain around reboots for end-users or maintenance windows for the data center. IT struggles to keep up with the burden of adding new application titles and versions. The time and expense to patch is amplified exponentially as you add software titles. The good news is there are products out there like Shavlik that can automate the process. (Now is a good time to check it out)

[Graph: number of vulnerabilities per year]

This next graph shows a general trend of the growing threat. We not only see the growing number of vulnerabilities but also the monumental effort vendors take to provide updates for their software. We were not surprised to find that it was a growing trend, but were definitely surprised to find periods of fewer vulnerabilities as applications and OSs stabilized. Nevertheless, hackers will continue to hack, and new versions of software paired with the ever-increasing amount of code available will continue to create a growing problem.

With this information, and the growing threat of hackers, you can see that you will need an effective patch management strategy. Make sure your strategy covers the endpoints as well as the servers. Also, make sure that you put an emphasis on application coverage and not just focus on Patch Tuesday.

You are welcome to comment. What other trends do you see with this information?

The Communicator’s Corner: Cloud Computing to the (Mobile) Rescue!

By now, many organizations have a pretty good understanding of the concepts needed for managing and protecting computers that are permanently located on the corporate network. Picture the corporate network as a mother’s nest: it’s a safe haven for your computers to reside and be productive.

As every mother knows, however, children grow up to become young adults and eventually leave the safety of the nest. In today’s mobile environment, the same is true of your corporate machines. More and more computers are leaving the (relative) safety of the corporate network and are venturing out into the wild.

These adventurous machines are travelling to worldwide destinations and are connecting to the Internet from all sorts of unsecure locations: airports, coffee shops, hotel rooms, ball parks, a friend’s house. And it is not just your road warriors’ machines. It is now a fairly common practice for most anyone to take machines to and from the office on a regular basis. In the process, these machines are being exposed to all sorts of potential dangers whenever they connect to the Internet. Much like a mother frets about her adult children, how in the world does an IT administrator keep these roving machines safe and sound?

The answer is the cloud.

With cloud computing, you can track down these machines and keep them in line. Or, more accurately, you can require them to “call home” on a regular basis to receive the latest policies, patches and other security software that will keep them safe. You may not be able to control where every machine goes, but if you can remotely manage the machines to make sure they follow your corporate security policies, you at least have a fighting chance at keeping everyone safe.

Shavlik understands the need for the cloud and we’ve developed our own implementation called Protect Cloud. And while we use Protect Cloud in a number of different ways, for this article I would like to focus on how it works with Shavlik Protect to keep your roving machines patched and secure.

With Shavlik Protect you can configure one or more agent policies and then install an agent on each of your remote machines. When these machines are off the corporate network, they won’t be able to check in directly with the Protect console. They can, however, use the Protect Cloud as an intermediary. The Protect console can use a secure connection to push the latest agent policy updates to the cloud and to retrieve agent results from the cloud. Whenever the remote machine makes an Internet connection, the installed agent will automatically check in with the cloud, download the latest policy, and upload results.

The following diagram illustrates the process.

[Diagram: Protect console, Protect Cloud, and remote agents checking in]


There is almost no impact on your users during this process. While they go about their business, each agent will operate in the background, automatically contacting Protect Cloud and transferring the required information. In addition, all of this can occur at any time of the day, on the user’s own schedule, regardless of their location or time zone.

To summarize: If you have off-network computers that are causing you patch management problems (and who doesn’t?), the cloud can provide you with answers. It enables you to proactively manage your mobile devices and it helps mitigate the risks to those devices. And it does this without any additional infrastructure costs.

Take Tulane University’s advice: Get a Good Patch Management Solution

What does patch management take if you don’t have good patch management practices? According to Tulane University Freeman School of Business, it took a team of five to deploy a critical patch. When a major security update arose, the entire team dropped what they were doing to deploy the patch to hundreds of machines. They called it a “guerrilla action.”

One of the things we do at Shavlik is talk to organizations about patch management practices. Are you patching the entire organization? Are you using automated tools that will help you accurately deploy to each system including servers and endpoints? Are you patching third-party applications, not just the endpoints?

Tulane was looking for a tool to solve the problem of patching hundreds of computers without using manual “guerrilla” methods. These updates were becoming frequent and starting to interfere with the business of education.

Do you find yourself like this? It’s not an uncommon problem. Many organizations struggle to deploy patches across the entire organization with manual methods or even with certain patch management tools.

Let’s face it, no one really wants the title “Patch Administrator.” Patch management with manual efforts is time consuming and fraught with error. Many use automated tools that focus on only part of the problem or still have manual steps to include software outside of the OS.

Fortunately, this story has a happy ending. In the end, Tulane decided to use Shavlik Protect as their tool to deploy patches. They got agentless patch assessment and deployment along with flexible automation to deploy during downtimes and maintenance windows. They also were able to control power functions, keeping the machines shut down to save electricity, but able to wake them up to deploy patches.

Having a good patch management strategy in place will also save your organization time and, more importantly, increase the security of your network. Considering the latest breaches, it’s important to patch not just servers in the data center, but also endpoints and third-party applications.

Take the advice of Tulane University and get your patching process in order. Read the rest of Tulane’s story to see if this looks like your organization.

March 2015 Patch Tuesday

In March of 2014, we saw five updates from Microsoft, which brought the year-to-date patch count to 16. Here we are in March 2015, and this month’s Patch Tuesday release is nearly equal to the total count for the first quarter of last year; the year-to-date count is now just under double where we were in 2014.


The Critical count for March is five bulletins affecting Internet Explorer, VBScript, Text Services, Adobe Font Drivers, and Office.

The additional nine Important updates affect Netlogon, Windows Task Scheduler, Windows Kernel, Remote Desktop Protocol, JPEG and PNG file formats, Kernel Mode Drivers, Schannel, and Exchange.

The 14 bulletins resolve 43 vulnerabilities. MS15-018 resolves one publicly disclosed vulnerability that has been detected in targeted attacks (CVE-2015-0072) and CVE-2015-1625, which has also been publicly disclosed. MS15-031 resolves a vulnerability (CVE-2015-1637) in Schannel that facilitates exploitation of the publicly disclosed FREAK technique.

One nice addition to the Bulletin Summary page is a new column linking to known issues for each bulletin. Three of the bulletins link to KB articles with links to product-specific pages so you can see product-specific issues relating to the bulletin. MS15-022 is a great example, although a little scary at the same time. There are around 30 separate links to variations of Office, SharePoint, Viewers, etc.

The first five bulletins are critical and should be rolled out as soon as possible.

  • This month’s IE Cumulative (MS15-018) is rated as critical and resolves a number of memory corruption vulnerabilities, two elevation of privilege vulnerabilities, and a VBScript memory corruption vulnerability.
  • MS15-019 resolves the same VBScript vulnerability as MS15-018, but for the operating system. Older operating systems will be more susceptible to attack than the newer OSs.
  • MS15-020 resolves two vulnerabilities in the operating system, which could lead to remote code execution.
  • MS15-021 resolves eight vulnerabilities in Adobe Font Driver, which could lead to remote code execution.
  • MS15-022 resolves five vulnerabilities in Microsoft Office and SharePoint. Check out the link to known issues for this update. There are a lot of links to separate products/versions. At the time I wrote this blog I could view the bulletin level, but not the list of product-specific links on that page. Also, SharePoint updates typically cannot be rolled back. Test before deploying the SharePoint variations. If you are running on a virtual machine, you have the luxury of snapshots to make rollback possible.

All five of these updates are critical, and all five resolve vulnerabilities that could be exploited through common social engineering techniques. One of the most common attacks still conducted regularly is phishing and email scams that convince a user to click on content crafted to exploit vulnerabilities such as these. A recent example (Oct 2014) of an attack like this is the Sandworm attack, which targeted a known vulnerability in OLE to spy on NATO and EU machines. A weaponized PowerPoint attached to an email with a convincing enough message could convince at least some of the targeted users to open the attachment, allowing it to exploit the system. There are many cases where a vulnerability like this continues to be exploited well after an update has been released to plug it.

The remaining nine updates are all rated as important.

  • MS15-023 resolves multiple vulnerabilities, the worst of which could lead to Elevation of Privilege. This is one of two Kernel Mode Driver updates this month, which means you should definitely test before rolling out. Typically, if a kernel patch goes bad it involves a blue screen.
  • MS15-024 resolves a vulnerability in PNG processing which could lead to Information Disclosure.
  • MS15-025 is the second Kernel Mode Driver update this month, so again, test before rolling out. It also resolves vulnerabilities which could lead to Elevation of Privilege. This bulletin also has some known issues. Check out the known issues on the KB3038680 page for more details (at the time of publishing, I was getting an Ooops page).
  • MS15-026 resolves vulnerabilities in Exchange Server, which could lead to Elevation of Privilege. This is one of those rare bulletins which DOES NOT require a reboot. Most require or ‘may’ require a reboot, which really means it will more than likely require a reboot.
  • MS15-027 resolves a vulnerability in NETLOGON which could lead to a spoofing attack.
  • MS15-028 resolves a vulnerability in Windows Task Scheduler that could allow Security Feature Bypass, letting the attacker execute tasks they should not have permissions to access.
  • MS15-029 resolves a vulnerability in Windows Decoder which could lead to Information Disclosure using a specially crafted JPEG.
  • MS15-030 resolves a vulnerability in Remote Desktop Protocol which could lead to a Denial of Service attack.
  • MS15-031 resolves a vulnerability in Schannel which could allow Security Feature Bypass using the recently disclosed FREAK technique.
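As an added example (not Shavlik’s code or product), the following Python script turns the priorities above into a per-host rollout plan: it reads Get-HotFix text output, diffs it against a subset of the month’s bulletins, orders the gaps critical first, flags the Kernel Mode Driver and SharePoint updates for a test ring, and reports whether a reboot window has to be booked. The inventory text is constructed; KB3038680 (MS15-025) is the only KB number taken from the post, the other KB ids are placeholders to be replaced from the Bulletin Summary, and mapping one KB per bulletin is a simplification (a bulletin usually ships several product-specific packages).

```python
import re

# Subset of this month's bulletins with the attributes called out above:
# severity, whether to run it through a test ring first (Kernel Mode Driver
# updates, and SharePoint updates that cannot be rolled back), and whether a
# reboot is expected. KB3038680 is from the post; the other KB ids are
# placeholders, not real Microsoft KB numbers.
BULLETINS = {
    "MS15-018": {"kb": "KB_PLACEHOLDER_018", "severity": "Critical", "test_first": False, "reboot": True},
    "MS15-021": {"kb": "KB_PLACEHOLDER_021", "severity": "Critical", "test_first": False, "reboot": True},
    "MS15-022": {"kb": "KB_PLACEHOLDER_022", "severity": "Critical", "test_first": True, "reboot": True},
    "MS15-023": {"kb": "KB_PLACEHOLDER_023", "severity": "Important", "test_first": True, "reboot": True},
    "MS15-025": {"kb": "KB3038680", "severity": "Important", "test_first": True, "reboot": True},
    "MS15-026": {"kb": "KB_PLACEHOLDER_026", "severity": "Important", "test_first": False, "reboot": False},
    "MS15-031": {"kb": "KB_PLACEHOLDER_031", "severity": "Important", "test_first": False, "reboot": True},
}

SEVERITY_RANK = {"Critical": 0, "Important": 1}

# Constructed Get-HotFix output for two hosts (not captured from real machines).
SAMPLE_INVENTORY = {
    "HOST01": """\
Source  Description      HotFixID            InstalledBy          InstalledOn
------  -----------      --------            -----------          -----------
HOST01  Security Update  KB3038680           NT AUTHORITY\\SYSTEM  3/11/2015 12:00:00 AM
HOST01  Security Update  KB_PLACEHOLDER_026  NT AUTHORITY\\SYSTEM  3/11/2015 12:00:00 AM
""",
    "HOST02": """\
Source  Description      HotFixID            InstalledBy          InstalledOn
------  -----------      --------            -----------          -----------
""",
}

# A HotFixID token; header and separator lines contain none.
KB_TOKEN = re.compile(r"\bKB[0-9A-Z_]+\b")


def installed_kbs(get_hotfix_text):
    """Collect the HotFixID values present in Get-HotFix text output."""
    return set(KB_TOKEN.findall(get_hotfix_text))


def missing_bulletins(installed, bulletins=BULLETINS):
    """Bulletins whose KB is not installed, ordered critical first, then by id."""
    missing = [b for b, info in bulletins.items() if info["kb"] not in installed]
    return sorted(missing, key=lambda b: (SEVERITY_RANK[bulletins[b]["severity"]], b))


def needs_maintenance_window(bulletin_ids, bulletins=BULLETINS):
    """True if any outstanding bulletin is expected to reboot the machine."""
    return any(bulletins[b]["reboot"] for b in bulletin_ids)


def rollout_plan(inventory, bulletins=BULLETINS):
    """Per host: outstanding bulletins, which to test first, and whether a reboot is needed."""
    plan = {}
    for host, text in inventory.items():
        missing = missing_bulletins(installed_kbs(text), bulletins)
        plan[host] = {
            "missing": missing,
            "test_first": [b for b in missing if bulletins[b]["test_first"]],
            "reboot": needs_maintenance_window(missing, bulletins),
        }
    return plan


if __name__ == "__main__":
    for host, row in rollout_plan(SAMPLE_INVENTORY).items():
        print(host, "missing:", ", ".join(row["missing"]) or "none")
        print("  test ring first:", ", ".join(row["test_first"]) or "none")
        print("  reboot needed:", row["reboot"])
```

The reboot flag is what makes the Exchange update (MS15-026) worth tracking separately: a host whose only gap is a no-reboot bulletin can be patched outside a maintenance window.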

Join our Patch Tuesday webinar on Wednesday March 11th at 10am CDT to discuss the updates, priorities, and possible known issues to watch out for this Patch Tuesday.


Take time to “Empower” your Assets

em·pow·er

/əmˈpou(ə)r/

make (someone) stronger and more confident, especially in controlling their life and claiming their rights.

This week, Shavlik introduced a new product called Empower. Empower is a cloud-based add-on to Shavlik Protect that offers additional hardware and software asset management and visibility. Empower as a software product may not help you to be more confident in controlling your personal life, but it will give you confidence in your IT career as you gain more power over the hardware and software assets in your organization.

With Empower, you will be given a view of your organization’s assets and associated user data to help you troubleshoot configuration and security issues. Empower is currently available to Shavlik Protect customers in a limited beta.

Here are some things you can expect with Empower:

  • Cloud interface – Simple dashboards, reports, and user-centered views offer insight into the users, hardware, and software in your organization.
  • Asset discovery – Discover and upload hardware and software information from each device on your network or network segment.
  • Warranty information – Download information directly from your vendors and associate it with devices to receive better service and cost-savings.
  • Multi-platform support – Supports Windows desktops, laptops, and tablets as well as Mac OS X.
  • Configuration drift – Obtain time-based views to visualize a sequence of events on each device and use this information to troubleshoot hardware configuration issues.

As a cloud application, Empower allows you to view your data wherever you are, providing a quick view of pressing issues in your organization. View configuration drift, outdated anti-virus, devices with new or outdated software, expiring passwords, warranties and other configuration or security issues that will impact individual computers or your entire organization.

Empower also gives you the power of a user-centered interface by viewing not just devices, but also the users those devices are assigned to. Most users have more than a single device and now you can view them all to help you troubleshoot efficiently.

EmpowerUser_edited

A device timeline allows you to see a chronological view of device reboots, application installs and uninstalls, and memory changes.

Now that I’ve piqued your interest, are you ready to try it out? View more information about Empower on the Shavlik website and please feel free to register for the beta. Getting started is extremely quick and easy, and once you are accepted into the program you will be able to immediately populate the Empower database with your organization’s information and begin scanning assets in real time across whatever portion of your network you designate.

We are very interested in your feedback through this beta phase. Empower is just getting started and we are aggressively working toward a more complete product and getting features in place for something very special down the road!

Now is the time for you to join Empower!

Critical Update for Shavlik Patch for Microsoft System Center

You’ve probably heard by now that Shavlik is requiring all customers to install Update 1 for Shavlik Patch for Microsoft System Center 2.0 and 2.1, but did you know that the whole process takes less than two minutes? That’s right – less than two minutes.

Check out this video from John Rush where he demonstrates the process for applying Update 1 to Shavlik Patch. Did we mention it only takes two minutes?

Now, it’s your turn. Please install Update 1 today so you will not experience an interruption in receiving third-party patch data.

If you are a Shavlik Patch 2.1 user, complete the following actions:

  1. Download the updated version from www.shavlik.com/support/patch/downloads, and copy the executable file to your Configuration Manager console machine.
  2. Close System Center Configuration Manager.
  3. Run the Shavlik Patch executable (sccmpatchsetup_2_1_810.exe) and follow the on-screen instructions. For further details about this step, see the Shavlik Patch User’s Guide.
  4. Open System Center Configuration Manager and commence business as usual.

If you are running Shavlik 2.0, we encourage you to upgrade to 2.1 (see instructions above). In the same amount of time it takes to apply the patch to Version 2.0, you can complete your upgrade to Version 2.1 and enjoy all of the latest features in Shavlik Patch. If you are unable to update from 2.0 to 2.1 at this time, please contact Shavlik Support to obtain the 2.0 update.

This update does not affect customers using the catalog file version (1.0) of Shavlik Patch or Shavlik Protect.

If you have any questions or concerns about applying this patch, please contact Shavlik Support.