Adobe Flash Ninja Fix!


OK, so I am not sure of the exact details, but the Adobe Flash update that shipped in late December has had two additional updates since, and neither has updated the bulletin page. There was an additional release covering the ActiveX control earlier this month, and today we have this note from the debug downloads page:

1/19/2016 – Updated debugger and standalone versions of Flash Player. These versions contain fixes for critical vulnerabilities identified in Security Bulletin APSB 16-01. The latest versions are 20.0.0.286 (Win and Mac) and 11.2.202.559 (Linux). All users are encouraged to update to these latest versions.

If you have updated Adobe Flash 20 since the Dec. 28 release, you will see it reported as missing again. The standalone version is also affected, not just the debugger version. This fix is supposed to resolve the critical vulnerabilities covered by APSB16-01, so the original update was incomplete. No new CVEs have been added for the 20.0.0.286 release.

The patching fun never ends. Content will be live shortly.
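A quick way to see which Flash builds a host actually has, and whether any sit below the 20.0.0.286 re-release, is to read the version resource of each installed plugin binary. The script below is an added example, not code from the post or from Adobe; it assumes Adobe's usual layout of version-stamped files under Macromed\Flash (Flash*.ocx for the ActiveX control, NPSWF*.dll for NPAPI, pepflashplayer*.dll for PPAPI) in both System32 and SysWOW64.

```powershell
# Added example for this post (not Adobe's or Shavlik's code): inventory the
# Flash Player binaries on a Windows host and flag any older than the
# 20.0.0.286 re-release described above.
# Assumptions: Adobe installs version-stamped files under Macromed\Flash in
# System32 (64-bit) and SysWOW64 (32-bit), named Flash*.ocx (ActiveX control),
# NPSWF*.dll (NPAPI plugin) and pepflashplayer*.dll (PPAPI plugin).
$Target = [version]'20.0.0.286'

$FlashDirs = @("$env:windir\System32\Macromed\Flash",
               "$env:windir\SysWOW64\Macromed\Flash") | Where-Object { Test-Path $_ }

$Found = foreach ($Dir in $FlashDirs) {
    Get-ChildItem -Path "$Dir\*" -Include 'Flash*.ocx', 'NPSWF*.dll', 'pepflashplayer*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $File = $_
        # Assemble the version from the numeric parts of the PE version resource
        # rather than parsing the free-form FileVersion string.
        $vi  = $File.VersionInfo
        $Ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $Plugin = switch -Wildcard ($File.Name) {
            'Flash*.ocx'          { 'ActiveX' }
            'NPSWF*.dll'          { 'NPAPI' }
            'pepflashplayer*.dll' { 'PPAPI' }
        }
        [pscustomobject]@{
            Plugin  = $Plugin
            Version = $Ver
            Current = ($Ver -ge $Target)
            Path    = $File.FullName
        }
    }
}

if (-not $Found) {
    Write-Output 'No Flash Player binaries found under Macromed\Flash.'
} else {
    $Found | Sort-Object Plugin, Path | Format-Table Plugin, Version, Current, Path -AutoSize
    $Stale = @($Found | Where-Object { -not $_.Current })
    if ($Stale.Count -gt 0) {
        Write-Warning ('{0} Flash binary(ies) below {1}; redeploy the update.' -f $Stale.Count, $Target)
    }
}
```

Run it in an elevated PowerShell on a machine you believe is current; a stale row means the Adobe installer did not replace that plugin. One caveat: on Windows 8.1 and Windows 10 the ActiveX control used by Internet Explorer and Edge is serviced by Microsoft through Windows Update rather than by Adobe's installer, so a stale Flash*.ocx there points at a missing Microsoft update, not a missing Adobe one.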


Citrix XenDesktop incompatibility issue on Windows 10 resolved


Citrix has released an update for the affected versions of XenDesktop and its Virtual Delivery Agent on Windows 10. The January cumulative update for Windows 10 shipped on Patch Tuesday with a known issue: once installed on a system running Citrix XenDesktop, users could no longer log on. Microsoft's response was to add detection logic that withholds the January cumulative update from any Windows 10 system with Citrix XenDesktop installed, whatever the version.

Shavlik's in-house testing found that the issue affected specific versions only. We then added logic to identify those versions and not offer CSWU-018 where they are present. Citrix has now announced that a fix is available. Systems with the following versions of the Virtual Delivery Agent should apply the update as soon as possible, because at some point in the near future Microsoft will remove the block and the cumulative update will become applicable again.

  • Citrix WorkstationOS Virtual Delivery Agent (VDA) 7.6.300
  • Citrix WorkstationOS Virtual Delivery Agent (VDA) 7.7.0

For Shavlik Protect customers, we are releasing the VDA update today in an out-of-band content release. We will also keep detection logic on the CSWU-018 cumulative update for Windows 10 that checks whether your version of VDA is up to date. If you have not applied the Citrix update, Shavlik will not apply the cumulative; once you have applied the VDA update, CSWU-018 will be offered.

Originally the Citrix post gave a date, but it has since been removed. For those who are not running Shavlik Protect and still require the Citrix update, my guess is that you have a week, or maybe a little more, before Microsoft makes the change on their side and starts pushing the cumulative update regardless of whether you have updated Citrix VDA.
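The gating rule described in this post (and again in the MS16-007 discussion further down the page) can be reproduced on a single Windows 10 host. The script below is an added example, not Shavlik's detection logic or anything from Citrix or Microsoft. It assumes the VDA registers itself in the Uninstall hive with a DisplayName containing "Citrix Virtual Delivery Agent", that the affected builds are the two listed above, that a VDA which has taken the Citrix update reports a higher build than those (check a patched host and adjust), and that the January 2016 Windows 10 cumulative updates are KB3124266 (build 10240) and KB3124263 (version 1511), the packages Shavlik tracks as CSWU-018.

```powershell
# Added example for this post (not Shavlik's, Citrix's or Microsoft's code):
# evaluate the "offer the January cumulative or not" decision on one host.
# Assumptions: see the lead-in; in particular the KB numbers and the
# DisplayName pattern are taken from memory of the January 2016 releases and
# should be confirmed against your own inventory before you rely on them.
$AffectedVda   = @([version]'7.6.300', [version]'7.7.0')
$CumulativeKbs = @('KB3124266', 'KB3124263')   # assumed CSWU-018 packages (10240 / 1511)

function Get-MajorMinorBuild([version]$v) {
    # Normalise "7.7.0.1234" and "7.7" alike to a three-part version for comparison.
    [version]('{0}.{1}.{2}' -f $v.Major, $v.Minor, [Math]::Max($v.Build, 0))
}

$Os = Get-CimInstance Win32_OperatingSystem
if ([version]$Os.Version -lt [version]'10.0') {
    Write-Output "Not Windows 10 (reported $($Os.Version)); the XenDesktop block does not apply."
    return
}

# The VDA is a 64-bit package, but check both hives so a 32-bit entry is not missed.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$Vda = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*Citrix Virtual Delivery Agent*' } |
       Select-Object -First 1

$CuInstalled = @(Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $CumulativeKbs -contains $_.HotFixID }).Count -gt 0

$VdaVersion = if ($Vda) { Get-MajorMinorBuild ([version]$Vda.DisplayVersion) } else { $null }
$Affected   = [bool]($VdaVersion -and ($AffectedVda -contains $VdaVersion))

$Decision = if ($CuInstalled) {
    'DONE: January cumulative already installed'
} elseif ($Affected) {
    "BLOCK: VDA $VdaVersion is an affected build; apply the Citrix VDA update first, then rescan"
} elseif ($Vda) {
    "OFFER: VDA $VdaVersion is not an affected build; the January cumulative can be deployed"
} else {
    'OFFER: no Citrix VDA installed; the January cumulative can be deployed'
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OsVersion   = $Os.Version
    VdaVersion  = $VdaVersion
    VdaAffected = $Affected
    CuInstalled = $CuInstalled
    Decision    = $Decision
}
```

The order of operations matters: the block is lifted only after the VDA build changes, so a rescan after the Citrix update is what turns BLOCK into OFFER. Comparing on major.minor.build rather than the full four-part DisplayVersion avoids a false "not affected" when the VDA's fourth field differs between language packs or hotfix rollups.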


Windows 10 Patch Management and Third-Party Application (In)Compatibility


Unlike previous releases of Windows, Windows 10 continues to evolve from month to month and update to update. With the January 2016 Patch Tuesday release we see some very interesting challenges for customers, due to the cumulative update model and its impact on third-party applications.

Chris Goettl, senior product manager for Shavlik, and resident patch expert, noted in his January 2016 Patch Tuesday blog an impact to Citrix XenDesktop. Let’s drill into what happened and what this means for customers.

Stephen: Chris, quickly recap what happened in this month’s update and how it affected Citrix XenDesktop.

Chris: As many in IT are already aware, patches for Windows 10 are all deployed in a “Cumulative Update” model where you can’t choose which individual update to apply. You either apply them all or none of them. Microsoft’s January Windows 10 update will create issues when Citrix XenDesktop is installed.

Stephen: Wow! That's painful if you are a customer using Citrix on Windows 10. Has Microsoft responded to the issue?

Chris: Microsoft noted the following in bulletin MS16-007:

“Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.”

Stephen: Did Microsoft do anything to help prevent the incompatibility?

Chris: Microsoft’s detection logic now detects if Citrix XenDesktop is installed on an endpoint. If it is, the entire cumulative update simply will not be available for the endpoint.

Stephen: What does that mean for the rest of the cumulative update? Will part of the update apply, except for the components that conflict with Citrix?

Chris: None of the cumulative update will apply if Citrix XenDesktop is installed.

Stephen: What does this mean from a security perspective?

Chris: Customers have a difficult choice to make. They either need to uninstall Citrix XenDesktop and install the Windows 10 update or keep Citrix and be vulnerable to everything fixed in the January Update.

Stephen: How many vulnerabilities were in the January 2016 update?

Chris: 14 vulnerabilities were resolved across Windows 10, Edge, and Internet Explorer. Four of those were publicly disclosed, which puts them at significantly higher risk of exploit.

Stephen: So customers will not get Microsoft Edge and Internet Explorer updates without applying this cumulative update?

Chris: That’s correct. With Windows 10, all of those updates are bundled into the single cumulative update.

Stephen: What do you expect will happen with Citrix XenDesktop?

Chris: We can’t speak for Citrix, but I would expect that they will come out with a patch that makes XenDesktop compatible with the latest Windows 10 update. Users will then need to deploy both the Citrix update and then the Windows 10 update.

Stephen: So this reinforces the need for third-party application patching?

Chris: Absolutely. This is just one example that illustrates the need to have a comprehensive patch management solution for operating system updates and third-party applications. Going a step further, it reinforces the need to patch client systems more frequently. We don't know when the Citrix update will be available, but when it is, customers are going to want to know ASAP, so they will then be able to update Citrix and push the cumulative update for Windows 10.

Stephen: One last question. How does this illustrate the need for an enterprise patch management solution with Windows 10?

Chris: To reiterate and emphasize my earlier point, customers must decide whether to install the cumulative update or remove Citrix. Most likely, they will need to update both in the order I specified earlier. Neither Windows Update nor Windows-only patch solutions give the flexibility to address these types of scenarios.

To summarize:

  • Patch Tuesday is no longer a single event, if it ever really was. An enterprise that starts its patch process while running Citrix XenDesktop has no choice: the cumulative update will not be offered to those systems, and they remain exposed to known security vulnerabilities.
  • We expect Citrix will come out with a patch. Enterprises will need to be able to detect and distribute that patch to get that third-party patch updated. Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) are not enough here.
  • After the enterprise patches Citrix XenDesktop, they then will be eligible for the cumulative update for Windows 10.  They then need to be able to rescan the system as soon as possible after the Citrix update to realize they are missing the Microsoft January 2016 Update, and are eligible to apply it. They then need to deploy and install the update.
  • Patching isn’t a once-a-month event: updates are becoming more complex and sometimes out of band. This is even more the case with third-party applications, vendors of which sometimes release multiple updates in a month.
  • Windows 10 does not simplify patching for enterprises. Enterprises need solutions that handle the new complexities of the Windows 10 update model.

Bottom line, third-party patching and flexible Windows 10 patch management is a must for all enterprises.

January Patch Tuesday 2016


January 2016 is going to be anything but boring. Microsoft has a large lineup of updates. The bulletin list opens 2016 with bulletins numbered through MS16-010, but only nine of them: MS16-009 has been skipped and Microsoft went straight to MS16-010. Is that a small joke relating to Windows 9 skipping to Windows 10? Maybe Microsoft doesn't like the number nine for some reason. That oddity aside, Microsoft released six critical and three important bulletins, with six public disclosures and a total of 26 vulnerabilities resolved for January Patch Tuesday.

Also of note on the Microsoft side are an advisory deprecating the SHA-1 hashing algorithm and end-of-life dates for older Internet Explorer versions and Windows XP Embedded. Adobe released a bulletin for Reader along with a non-security release of Shockwave, and Oracle is gearing up for its quarterly CPU, so expect a Java release next Tuesday, January 19.

Microsoft System Updates and End of Life Scheduling

Jan. 12 is a significant milestone for Internet Explorer support. Microsoft is releasing a final update for all supported IE versions, but after January it will support only the latest version available for each operating system. For Windows 7 SP1 and later this means you must be on IE 11 to continue receiving updates, with a few exceptions for older operating systems that only ever supported up to IE 9 or 10. If you still run applications or access sites that require IE 10 or earlier, plan to take precautions: restrict access to systems with outdated IE versions, virtualize them and close them off from direct Internet access. In extreme cases where an outdated IE must run on a system that needs Internet access, look at additional protective measures such as Bufferzone, which containerizes the browsing session and returns the system to a known good state if anything untoward happens during it.

Windows XP Embedded SP3 also reaches its end of life today. It will be followed in a few months by Windows Embedded for Point of Service (WEPOS) SP3, due to end on April 12. Retailers still on those platforms after that date should start to sweat.

Expect both outdated IE versions and XP Embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that must keep running them: layer defenses and segregate them from the rest of your network, restrict access as much as possible, reduce the privilege level of any user logging on to these systems and allow only whitelisted applications to be installed or run. I am guessing some will look into the registry hack that was used to trick Windows XP into thinking it was Windows XP Embedded POSReady 2009. If you have no other recourse you may roll the dice on that, since POSReady 2009 is really just another distribution of Windows XP Embedded, but moving off the end-of-life platform is still the best option.

Oracle's quarterly CPU is coming on Jan. 19. I mention it now because those of you running Java will definitely want to plan to roll that update out when it arrives next week. In 2015 the lightest of the Java updates included 14 CVEs, all of them remotely exploitable without authentication. The rest resolved 19 to 25 vulnerabilities each, with more than 15 remotely exploitable without credentials.

Microsoft January Bulletins

MS16-001 and MS16-002 are updates for Microsoft's Internet Explorer and Edge browsers. Both are rated critical and each resolves two vulnerabilities. The IE patch includes a public disclosure (CVE-2016-0005), which puts it at a higher risk of being exploited.

MS16-004 is an update for Microsoft Office and Visual Basic. The bulletin is rated critical and resolves six vulnerabilities including two public disclosures (CVE-2016-0035, CVE-2015-6117).

MS16-005 is a critical update for the Windows operating system resolving two vulnerabilities, including one public disclosure (CVE-2016-0009). This is also a kernel-mode driver update, so thorough testing is always recommended: if an application patch goes wrong you can just reinstall the application, but a failed kernel patch is far more severe.

MS16-007 is an important update for Microsoft Windows resolving six vulnerabilities, including two public disclosures (CVE-2016-0016, CVE-2016-0018). There are a few known issues with this update. To be fully protected you also need MS16-001 for Internet Explorer. Windows 10 users who have Citrix XenDesktop should be aware that installing this update will prevent logon. Microsoft recommends uninstalling XenDesktop, installing this update and then following up with Citrix for a XenDesktop fix.

The way the issue is worded on the bulletin page makes it sound like Microsoft's methods of updating Windows 10 (Windows Update, WSUS, SCCM) will not offer this update if XenDesktop is installed. It states: "Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update." Since Windows 10 updates are all bundled into cumulative updates, this means the January cumulative for Windows 10 will not be installed on those systems, and all five bulletins that affect Windows 10 will go unpatched there until the issue is resolved.

MS16-008 is rated only Important and has no public disclosures, but it is a kernel patch addressing elevation-of-privilege vulnerabilities. Thorough testing is recommended before rollout.

MS16-009 has not dropped yet. This could mean it will not arrive until February, or it could come out of band. The last time we saw a bulletin skipped in the order was a SQL update that dropped between Patch Tuesdays. Keep an eye out for this one in case it comes late; if it does, it will likely be a high priority.

MS16-010 is an important update for Microsoft Exchange with no public disclosures or known issues, so the recommendation is thorough testing and rollout in a timely manner.

Third Party Bulletins

Adobe has released one bulletin this month: APSB16-002 for Adobe Reader, a Priority 2 update resolving 17 vulnerabilities. The only other update from Adobe today was a Shockwave release with no accompanying bulletin. APSB16-001 for Adobe Flash actually first dropped in late December, with a re-release the next day resolving an ActiveX issue; that release likely came early because of an exploit in the wild (CVE-2015-8651). Ensure the Flash update is rolled out if you have not already done so.

Join us tomorrow for the January Patch Tuesday webinar where we will discuss the bulletins in more detail.


Microsoft is finally pushing people off of old Internet Explorer versions


Microsoft warned us back in August 2014 that it would be reducing support for Internet Explorer to only the latest version available for each operating system. Well, that date is upon us. January 12, 2016 is the official end-of-life date for any version of IE older than the latest available for the version of Windows you are running. The original life-cycle announcement lists the version that will be supported for each OS. After the January Patch Tuesday release there will be no security updates unless you are on the supported version for that OS.

On January 12, expect to see upgrade notifications on older versions of Windows if you are running a version of the browser older than the latest. You can disable those notifications if you need to continue running an older version of the browser for some reason.

If you need to continue running an older version of IE for some reason, take precautions. After this final IE update, older versions will become a prime target.

  • Virtualize a system with the older version of IE, remove its Internet access and restrict logon to those who require it. Of course this only works if the browser will be used for an application or site that is internal to your network.
  • If you need an older version to access an external site, start putting pressure on the vendor involved or shop around for alternatives. In the meantime you can also install an alternative browser and tell users of those systems that they must use Google Chrome or Mozilla Firefox for everything but that one purpose. Not a great solution.
  • You can add another layer of protection with products like Bufferzone, which containerizes the browsing session and protects the system if the user happens to come across anything malicious.

This one is not a drill, folks. If you recall my assessment of the top five vulnerable vendors from 2015, I called out the three primary contributors to vulnerability counts: OS, browser and media/office products. Internet Explorer had the largest single-product vulnerability count in 2014. In 2015 it moved down the list to #7, but that was more due to the significant increase in vulnerabilities in other products; it had only 12 fewer resolved in 2015 than the previous year. Point being, from the moment older versions of IE are end-of-lifed this month, expect around 200+ vulnerabilities to be identified that will go unresolved in the unsupported versions.
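Finding the hosts this affects is an inventory problem: for each machine, which IE build is installed and which build Microsoft still services on that OS. The script below is an added example for this post and the Patch Tuesday notes above, not code from the original or from Microsoft. The per-OS baseline table is my reading of Microsoft's lifecycle announcement (Vista SP2 and Server 2008 SP2 stay on IE 9, Server 2012 on IE 10, everything else on IE 11, and Windows 8 RTM is itself out of support); the registry locations are the standard ones IE writes. The notification opt-out value at the end is quoted from memory of Microsoft's KB article on the upgrade notification and should be confirmed before you rely on it.

```powershell
# Added example for this post (not Microsoft's or Shavlik's code): report
# whether this host's Internet Explorer is the version Microsoft still
# services after 12 January 2016.
# Assumptions: the $Baseline table below (my reading of the lifecycle
# announcement); standard IE registry locations; the FeatureControl opt-out
# value name is from memory and must be verified against Microsoft's KB.
$Baseline = @{
    '6.0'  = 9     # Windows Vista SP2 / Server 2008 SP2
    '6.1'  = 11    # Windows 7 SP1 / Server 2008 R2 SP1
    '6.2'  = 10    # Server 2012 (Windows 8 RTM client handled separately below)
    '6.3'  = 11    # Windows 8.1 / Server 2012 R2
    '10.0' = 11    # Windows 10
}

$Os    = Get-CimInstance Win32_OperatingSystem
$OsVer = [version]$Os.Version
$OsKey = '{0}.{1}' -f $OsVer.Major, $OsVer.Minor

# IE 10 and later record the real version in svcVersion and leave Version at
# 9.x for compatibility, so prefer svcVersion when it is present.
$IeKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$IeVer = [version]$(if ($IeKey.svcVersion) { $IeKey.svcVersion } else { $IeKey.Version })

# -1 = OS not in the table; 0 = the OS itself is out of support (Windows 8 RTM,
# ProductType 1 is a workstation); otherwise the serviced IE major version.
$Required = if ($Baseline.ContainsKey($OsKey)) { $Baseline[$OsKey] } else { -1 }
if ($OsKey -eq '6.2' -and $Os.ProductType -eq 1) { $Required = 0 }

$Status = if ($Required -eq -1) {
    "UNKNOWN: Windows $OsKey is not in the baseline table"
} elseif ($Required -eq 0) {
    'OS-EOL: this Windows release is itself out of support; no IE version is serviced on it'
} elseif ($IeVer.Major -ge $Required) {
    "OK: IE $($IeVer.Major) is the serviced version for this OS"
} else {
    "UNSUPPORTED: IE $($IeVer.Major) installed, IE $Required required; isolate or upgrade"
}

# Upgrade-notification opt-out (value name assumed; see lead-in).
$Fc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OsVersion           = $Os.Version
    IeVersion           = $IeVer
    RequiredIe          = $Required
    Status              = $Status
    EolNoticeSuppressed = [bool]($Fc -and $Fc.'iexplore.exe' -eq 1)
}
```

Run it through Invoke-Command against your estate and filter on Status; every UNSUPPORTED or OS-EOL row is a host that stops receiving browser fixes after this month and belongs on the isolation list above. Reading svcVersion instead of Version is the detail that trips up most home-grown checks, since an IE 11 host reports Version as 9.11.x.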


Cybersecurity in 2016: Predictions from Elsewhere

One of the best things about this time of year is the spate of predictions that accompany the season. Herewith, a look at some of the more interesting security-related predictions from various IT and security industry observers.

Forrester Research “is one of the most influential research and advisory firms in the world”—according to the company’s website. Hard to argue. On Nov. 30, 2015, Health Data Management published “5 Cyber Security Predictions for 2016,” a summary of predictions from Forrester. Here’s what Forrester predicts, according to that article.

  • We’ll see ransomware for a medical device or wearable
  • The U.S. Government will experience another significant breach
  • Security and risk pros will increase spending on prevention by 5 to 10 percent
  • Defense contractors will fail to woo private industry with “military grade” security
  • HR departments will offer identity and credit protection as an employee benefit

On Dec. 15, 2015, Network World published “A Few Cybersecurity Predictions for 2016,” an article by Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG). ESG is a firm with “a 360° perspective” and “remarkably detailed, nuanced views of technologies, industries, and markets”—according to the company’s website. Herewith, a summary of Mr. Oltsik’s predictions from that article.

  • Greater focus on cyber supply chain security
  • The consumerization of authentication
  • Cyber insurance continues to boom
  • A rise in ransomware

A wide range of predictions can be found in “The 2016 Websense Cybersecurity Predictions Report.” The report is produced by Raytheon|Websense Security Labs, part of a joint venture that combines Websense with Raytheon Cyber Products. The venture “brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats,” its website says. The predictions from its report appear below.

  • The U.S. elections cycle will drive significant themed attacks
  • Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
  • The addition of the gTLD [generic top-level domains] system will provide new opportunities for attackers
  • Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
  • DTP [data theft protection] adoption will dramatically increase in more mainstream companies
  • Forgotten ongoing maintenance will become a major problem for defenders [of IT security] as maintenance costs rise, manageability falls and manpower is limited
  • The Internet Of Things will help (and hurt) us all
  • Societal views of privacy will evolve, with great impact to defenders

Perhaps some of the most interesting predictions for 2016 and beyond can be found in “McAfee Labs Report 2016 Threats Predictions.” McAfee Labs, now part of Intel Security, “is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership,” according to the report’s introduction. The report begins with a five-year look into the future, created by 21 of Intel Security’s thought leaders. Here’s a summary of what they predict for the next five years.

  • The cyberattack surface will continue to grow, thanks to continuing explosive growth in users, devices, connections, data and network traffic
  • Attacks and defenses will continue to shift focus, away from systems and applications and toward firmware and the chips themselves
  • Attacks will continue to become more and more difficult to detect
  • Virtualization will present more and different cybersecurity threats and opportunities, especially as network function virtualization (NFV) grows in popularity
  • New device types, including wearables and those connected to the Internet of Things (IoT), will challenge security efforts, and cyber threats will continue to evolve
  • IoT security standards will evolve and improve
  • The growing value of personal data will lead to more sophisticated thieves and markets, and more security and privacy legislation.
  • The security industry will fight back, with new and evolving tools including behavioral analytics, shared threat intelligence, cloud-integrated security and more automated detection and correction.

The range of these predictions and the common elements that link many of them provide valuable guidance and validation to any of you who are seeking to improve security at your enterprise. And of course, we at Shavlik have our own predictions to add to the mix, as well as a review of how well we did with our end-of-2014 predictions. You can download these here. We hope you’ll find all of these predictions, from Shavlik and elsewhere, helpful and inspirational. Here’s to a happy, productive, profitable and secure 2016 for you and your enterprise.