The Communicator’s Corner: Four Things You Are Forgetting to Patch

Shavlik Protect is very well known for its industry-leading patch management capabilities. What is not so well known, however, is that it is capable of patching much more than just the Microsoft operating systems and applications on your laptops, workstations and servers. Many believe that these are the only items that matter, when in fact, they are sometimes only the tip of the proverbial patching iceberg. In this article, I will highlight four things that often get overlooked during the patch process and how Shavlik Protect can help.

Virtual Machines

Virtual machines have become extremely popular in both large and small organizations. But with their widespread use comes a certain danger. When it comes to patch management, your virtual machines are no different than your physical machines. Both must be consistently scanned and patched in order to stay protected. Fortunately, Shavlik Protect supports patching for all forms of virtual machines, including online VMs, offline VMs, and virtual machine templates. When you are patching your machines, don’t forget about your virtual machines!

ESXi Hypervisors

If you use many virtual machines in your organization, you likely use VMware ESXi hypervisors to deploy and serve them. You might also use a VMware vCenter Server to manage the hypervisors. It’s cool stuff, but did you know that the hypervisors require patching? If you are not regularly patching your hypervisors, you’re exposing yourself to potential attacks. You will be happy to learn that Shavlik Protect can help you manage the hypervisors and vCenter Servers in your organization. Shavlik Protect enables you to:

  • View basic configuration information about the vCenter servers and the ESXi hypervisors
  • Perform a scan of your managed and unmanaged ESXi hypervisors
  • Deploy any missing security bulletins to the ESXi hypervisors

Third-Party Applications

This seems like an easy one but somehow it keeps getting missed. Jordan Pusey touched on this in a blog article a few weeks ago. Many people are great at patching their Microsoft operating systems and Microsoft applications, but totally ignore their third-party applications. It is a fact that 70 – 80 percent of vulnerabilities are attributed to non-Microsoft applications, so make sure to include them in your patch management process.

Custom Patches

You may not realize it, but there is often a need to manage patches for products that are unique to your organization. For example, you might receive a special private patch from a software vendor. Or, you might create your own patch for a vendor’s product or for your own custom product. When these situations arise, it is good to know that Shavlik Protect is capable of handling these special cases. The built-in Custom Patch File Wizard walks you through the process of creating your own customized XML files. You then simply import the custom XML files into Shavlik Protect and perform your scans and deployments like normal. Easy!

In Summary

Don’t be guilty of locking all the doors but leaving the windows open. To stop the bad guys you need to patch every device and every product in your organization.

April Patch Tuesday Round-Up

Hey All,

I think we have reached enough critical mass in issues and news regarding patch Tuesday to warrant getting this out today.  Here are the things to note regarding Patch Tuesday so far.

APSB15-006 – Flash Player – This update resolves 22 vulnerabilities including a Zero Day.  This vulnerability is actively being used in malvertising attacks.  Get this rolled out ASAP!  You need to update the OS, the IE Advisory (KB3049508), the latest Chrome update (42.0.2311.90), and Firefox (should show up as another instance of APSB15-006: Flash Player Plug-In when scanning with Protect).

MS15-032 – Cumulative Security Update for IE – On IE11 SSL v3 is now disabled by default.  We have seen reports of websites no longer being accessible after applying this update as the website in question used SSL v3.

MS15-033 – Critical Update for Word, Word Viewer, and SharePoint.  CVE-2015-1641, which is actively being exploited in phishing attacks, is resolved by this update.  I definitely agree with the quote from David Picotte, manager of security engineering at Rapid7, in this article.  Give your users a refresher in spotting phishing scams and be vigilant in patching.

MS15-034 – Vulnerability in HTTP.sys could allow remote code execution – PoCs now working and able to crash an IIS server.  There is a call out from the security community to expedite patching of this vulnerability.  DoS attacks are increasingly common.  According to the recent Verizon 2015 DBIR, 10 CVEs contributed 97% of exploits observed in 2014.  Of those 10, three were DoS attacks dating back to 2001 and 2002.  The same report also showed that half of the CVEs exploited in 2014 fell within just a couple of weeks of the publish date.

MS15-036 – Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044) – Make sure to run psconfig after applying the patch to finalize the update.  This is an unfortunate manual step that is required.

That’s all for today.  If you are going to RSA next week, stop by and see us at booth N2628.  We hope to see you there!

Chris

April 2015 Patch Tuesday

Patch Tuesday excitement is building. There is at least one known Flash vulnerability being exploited in the wild and one Microsoft vulnerability that has been publicly disclosed this month.

Microsoft has released 11 security bulletins this month, four of which are Critical, bringing the total to 42 security bulletins so far in 2015. This is more than twice the number of security updates released at the same time last year.

From a vulnerability standpoint, in April 2014 the CVE count for vulnerabilities resolved was at 72. We passed that count in March, with 76 vulnerabilities resolved. When this month’s 26 CVEs are included, we have a much higher total of 102 CVEs resolved to date.

The product and service impact for Microsoft this month includes the Windows OS, IE, Office, SharePoint, ADFS, .Net and Hyper-V. Two OS updates, the IE update, and the Office update are rated as Critical.

Flash Player is making its triumphant return to Patch Tuesday. Adobe is aware that exploits of CVE-2015-3043 exist in the wild. Between January and February’s Patch Tuesday there were three zero days resolved by two releases in the span of about two weeks. In March the release came in the same week; however, it came at the end of the week. APSB15-06 resolves 22 vulnerabilities and is rated as a Priority 1 update. This should make your list of priority updates to roll out this month.

With a Flash Player update you can always expect an Advisory for Internet Explorer and a Google Chrome update. Google Chrome has a large release covering 45 vulnerabilities including many High priority updates. That, together with the Priority 1 Flash plug-in, makes this release a high priority update when it arrives.

Oracle’s quarterly CPU is also occurring this month and happens to fall on Patch Tuesday. Oracle Java is resolving 15 vulnerabilities, all of which are remotely exploitable without authentication. The highest CVSS Base Score of these 15 vulnerabilities is a 10.0, which is the highest possible score. It goes without saying that Java should be a priority update this month. Three other Oracle products are resolving CVEs with a 10.0 CVSS Base Score. So if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, they all include vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.

Join us tomorrow for the Shavlik April 2015 Patch Tuesday webinar as we discuss the releases for this month, priorities, known issues, etc.

The Communicator’s Corner: What Does the Masters Have in Common With Patch Management?

At Shavlik, we are serious about patch management. We do, however, have a fun side. In honor of the 2015 Masters golf tournament being played this week, here is a little computer humor comparing golf with patch management. Enjoy!

  • A hole-in-one in golf is good. An unpatched security hole in your organization is bad.
  • A flaw in your opponent’s golf swing is good. A flaw in your security software is bad.
  • A hacker in golf is bad. A hacker in your computer system is also bad.
  • A golfer is represented by an agent. A patch can be deployed by an agent.
  • A golfer can catch a cold. An unpatched computer can catch a virus.
  • A good golfer plays many different courses. A good patch management system patches products from many different vendors.
  • A golfer who is playing well is said to be on fire. An IT department that does not regularly apply patches is playing with fire.
  • A posh golf course maintains a strict dress code policy. A posh IT department maintains a strict patch management policy.
  • The Masters is played once a year. Good patch management is performed year round.
  • In golf, an explosion is a bunker shot that propels the ball out of the sand trap. In IT, an explosion is what happens when your boss finds out you’ve been hacked.
  • In golf you can get a mulligan. In IT there is no such thing as a mulligan.
  • A golfer has a caddy. An IT administrator has Shavlik.

Got a better one-liner? Feel free to share with us on Twitter @shavlikprotect.

Happy National Beer Day!

For those of you who are followers of our team, you know that we here at Shavlik enjoy a good beer. Today we are going to go off topic and focus on National Beer Day. I have been working on a house project that is nearly complete, but didn’t make it in time for National Beer Day. I am changing over from bottling my own home brew to kegging. I have almost everything ready. Even got the first beer I plan to keg already started (Belgian Tripel). The kegerator itself is, unfortunately, on back order until end of April. **Sigh**
