February Patch Tuesday Round Up


February’s Patch Tuesday had a number of updates, continuing into this week with Microsoft releasing a number of non-security updates today. There are reports of a few issues out there that you will want to be aware of.

The first is from the RDP Security Update (MS16-017) from last week. There were documented known issues involving the update when applied to Windows 7 running RDP 8.0. Multiple reboots may be required in that case. Our internal testing found the same could occur on Windows 8.1.

Another issue that has been reported, and also made some headlines, is an update for Office 2013 (KB 3114717) that has reportedly been freezing 32-bit Word 2013 on Win 7, 8.1, 10. We have not yet added support for this update due to the issue. Microsoft has recommended removal for those who have already deployed it. A re-release should be coming soon, at which time Shavlik will add support for this update.

There was also a Mozilla Firefox security update late last week. This included one critical security fix. There is only one vulnerability resolved in the release, but it is probably one you want to roll out sooner rather than later.


February Patch Tuesday 2016


February Patch Tuesday started a bit early with Oracle releasing an out-of-band update for Java to resolve a critical vulnerability that allows DLL Hijacking. Microsoft has released 13 bulletins, six of which are critical, resolving a total of 42 vulnerabilities. Of the vulnerabilities being resolved, two have been publicly disclosed. We also have releases from Adobe for Flash and Photoshop, Mozilla for Firefox, and Google is expected to release a Chrome update with security fixes and support for the latest Flash Plug-In.

Starting with Oracle, the vulnerability resolved by Java 8u73 (CVE-2016-0603) affects many other products, but so far Oracle and SUSE VirtualBox are the only vendors to release updates to resolve it. Researchers are still reporting additional products affected, but the notables include Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. So far there is no confirmation on the Firefox or Chrome releases resolving this vulnerability. Expect to see some more security releases in the coming weeks.

As noted, Microsoft has released 13 total bulletins, six of which are rated as critical. Of the 42 vulnerabilities resolved, two have been publicly disclosed – these are part of MS16-014 (CVE-2016-0040) and MS16-015 (CVE-2016-0039). Public disclosures are a risk indicator that we use to rate threat risk, signaling a threat actor has a jump-start on the vendor and is able to exploit the vulnerability before companies can get an update in place. MS16-014 may only be rated as important by Microsoft, but the fact that it has a public disclosure means it is at higher risk of exploit.

Here are some things to watch out for this month with Microsoft:

There is a SharePoint update included in the Office bulletin, MS16-015. I know, all of your SharePoint admins just cringed, but it has to be updated. This is a critical bulletin and has a publicly disclosed vulnerability, CVE-2016-0039. One of the complicating factors with SharePoint is the fact that rollback is not an easy thing if something breaks. If you have not already done so, we highly recommend virtualizing your SharePoint servers so you can take advantage of snapshot capabilities to roll back to a good state, in case something goes wrong.

MS16-014 is rated as important and affects the Windows Operating System. The threat around this bulletin should be considered high, as it does have a public disclosure. CVE-2016-0040 resolves a vulnerability with improper handling of objects in memory by the Kernel. According to the Microsoft bulletin, if exploited “an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The reason this is likely reduced in severity is because the attacker would need to log on to the system and then run a specially crafted application to exploit the vulnerability.

MS16-018 affects Kernel-Mode Drivers, so both MS16-014 and MS16-018 are making changes to Kernel behavior this month. As always, it is good to test Kernel updates thoroughly before deploying.

One change Microsoft made this month, that I hope is permanent, is making the Adobe Flash Player Plug-In update for Internet Explorer officially a Security Bulletin instead of a Security Advisory. This is a major change to how they have identified the Flash Player Plug-In updates in the past, and one that is warranted, because you have not completely resolved Flash vulnerabilities unless you’ve updated the OS and all browser plug-ins. So keep an eye out for MS16-022, which is the critical update for Adobe Flash Player, for all currently supported versions of Windows and IE.

Speaking of Adobe Flash, APSB16-04 is a Priority 1 update resolving 22 vulnerabilities that should be on your priority list this month, especially since Adobe Flash has been highly targeted because it is so widely distributed. Remember, you need to update Adobe Flash, and Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.

Adobe Photoshop is a Priority 3 update this month that resolves three lower-severity security vulnerabilities.

Mozilla has released Firefox 44.0.1. So far, there’s no report on whether security fixes were included in this release or not.

You can also expect to see a Google Chrome release coming out which will resolve some security vulnerabilities and will include support for the Flash Player APSB16-04 update. Do make sure this is on your priority list this month.

Join us tomorrow for the February Patch Tuesday webinar where we will discuss the bulletins in more detail.

Java releases out of band to start off Patch Week

On Friday, Oracle announced a Security Advisory for Java that is out of their normal Quarterly CPU cycle. This update resolves one critical vulnerability that an attacker would need to exploit before Java is installed on the target system. Exploiting CVE-2016-0603 would allow the attacker to completely control the target system but, to exploit the vulnerability, an attacker would have to convince a user to open specially crafted content and this would have to occur before Java is installed on the target system using an installer older than the newly updated versions (6u113, 7u97, or 8u73).

Oracle is also recommending “users who have downloaded any old version of Java prior to 6u113, 7u97, or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”. This would prevent an attacker from taking advantage of the vulnerability in the future. Since this vulnerability affects Windows systems installing Java, current instances are not as urgent a concern. The immediate action is to remove older installers and only install using the latest release for each version.
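
One way to find the old downloads Oracle says to discard, added here as an example (it is not Oracle's or Shavlik's tooling): the script flags Java installers older than 6u113, 7u97 or 8u73. It assumes the files keep Oracle's usual download names, such as jre-8u71-windows-x64.exe; renamed installers are not detected.

```python
import re
import sys
from pathlib import Path

# First fixed installer per Java family, from the Oracle advisory quoted above.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumption: files keep Oracle's usual download names, for example
# jre-8u71-windows-x64.exe, jdk-7u80-windows-i586.exe or jre-8-windows-x64.exe.
INSTALLER_RE = re.compile(
    r"^(?:jre|jdk)-(?P<family>\d+)(?:u(?P<update>\d+))?-windows-.*\.exe$",
    re.IGNORECASE,
)


def classify(filename):
    """Return 'stale', 'ok', 'review', or None if not a Java installer name."""
    m = INSTALLER_RE.match(filename)
    if m is None:
        return None
    family = int(m.group("family"))
    update = int(m.group("update") or 0)  # no "uNN" means the initial release
    if family < min(FIXED_UPDATE):
        return "stale"   # families before Java 6 predate every fixed installer
    if family not in FIXED_UPDATE:
        return "review"  # family the advisory text does not cover
    return "stale" if update < FIXED_UPDATE[family] else "ok"


def find_stale_installers(root):
    """Walk root and return installers older than the fixed releases."""
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file() and classify(p.name) == "stale"
    )


if __name__ == "__main__":
    # Usage: python find_stale_java.py <download folder or software share> ...
    for root in sys.argv[1:]:
        for path in find_stale_installers(root):
            print(f"discard and replace: {path}")
```

Point it at user download folders and any software share or deployment repository where installers are staged, since those are the copies that would be run on the next install.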

Happy Patch Week!

Shavlik Protect 9.2 Update 2

The Shavlik Team is happy to announce the release of Shavlik Protect 9.2 Update 2. This update provides support for installing the Shavlik Protect Console on Windows 10. It also provides 13 bug fixes for known issues that customers have encountered since Update 1. The install is available now on our downloads page. It will install right over the top of Protect 9.2 Gold or Update 1. You can also upgrade directly to 9.2 Update 2 from Protect 9.0 or 9.1.

For customers still running on Shavlik Protect 9.0 or 9.1, this is a good time to look at upgrading. We will be ending support for all versions pre-9.2 by the end of 2016, due to the end of support for SHA1 certificates. Shavlik Protect 9.2 supports SHA 256 and will automatically convert the current SHA 1 console and agent certificates after you upgrade, making for a very seamless transition to a more secure mode of communication. Please review our product life-cycle policy for more details regarding the end of life date for specific versions.
