Well, we’ve officially changed our name to Ivanti. That’s HUGE news! It positions us for another 30 years of growth.
Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.
The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, it is highly recommended by Oracle to apply this update as soon as possible.
Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.
For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk threat is still notable and the vulnerabilities need to be mitigated quickly.
Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.
Adobe has released update APSB17-01 for Acrobat and Reader, keeping in line with the pattern of releasing an update every two to three months. This update includes 29 vulnerabilities, most of which allow for remote code execution. You will want to make sure this update is applied in a timely manner.
As expected, there is a Flash Player update. As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems, meaning Flash plug-ins for IE, Chrome and Firefox as well. Some of these will auto update; others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.
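To make the "all four variations" point concrete, here is an added example (not code from the page, nor an Ivanti/Shavlik tool) that inventories the Flash variants on a Windows host and reports which of the four are missing, current or outdated. The directories and file-name patterns it looks for (`%WINDIR%\System32\Macromed\Flash`, `Flash32_<ver>.ocx` for the IE ActiveX control, `NPSWF32_<ver>.dll` for the Firefox NPAPI plug-in, `pepflashplayer32_<ver>.dll` for the system PPAPI plug-in, and Chrome's own `pepflashplayer.dll` under a `PepperFlash` directory) are my assumptions about how Adobe and Google laid things out at the time, not facts from the page; the sample listing and the "latest" version are constructed placeholders.

```python
import ntpath
import os
import re

# Assumptions (not from the page): where the Windows Flash binaries live and how Adobe
# named them at the time. Adjust to your environment.
WINDIR = os.environ.get("WINDIR", r"C:\Windows")
SCAN_ROOTS = [
    ntpath.join(WINDIR, "System32", "Macromed", "Flash"),
    ntpath.join(WINDIR, "SysWOW64", "Macromed", "Flash"),
    ntpath.join(os.environ.get("PROGRAMFILES(X86)", r"C:\Program Files (x86)"),
                "Google", "Chrome", "Application"),
    ntpath.join(os.environ.get("LOCALAPPDATA", r"C:\Users\Default\AppData\Local"),
                "Google", "Chrome", "User Data", "PepperFlash"),
]

# One pattern per standalone variant; group 1 captures the underscore-separated version.
PATTERNS = {
    "ActiveX (IE)": re.compile(r"^Flash(?:32|64)?_(\d+(?:_\d+)+)\.ocx$", re.I),
    "NPAPI (Firefox)": re.compile(r"^NPSWF(?:32|64)?_(\d+(?:_\d+)+)\.dll$", re.I),
    "PPAPI (system-wide, Chromium/Opera)": re.compile(r"^pepflashplayer(?:32|64)?_(\d+(?:_\d+)+)\.dll$", re.I),
}
CHROME_BUNDLED = "PPAPI (bundled with Chrome)"
VARIANTS = list(PATTERNS) + [CHROME_BUNDLED]
VERSION_DIR = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text):
    """'24_0_0_194' or '24.0.0.194' -> (24, 0, 0, 194), so versions compare numerically."""
    return tuple(int(p) for p in re.split(r"[._]", text))


def classify(path):
    """(variant, version tuple or None) for a Flash binary, or None for anything else."""
    directory, name = ntpath.split(path)          # ntpath: Windows paths parse on any OS
    for variant, pattern in PATTERNS.items():
        m = pattern.match(name)
        if m:
            return variant, parse_version(m.group(1))
    # Chrome's own copy has no version in the file name. The component updater keeps it in a
    # directory named after the version; the installer-bundled copy does not (version unknown).
    if name.lower() == "pepflashplayer.dll" and "pepperflash" in directory.lower():
        parent = ntpath.basename(directory)
        version = parse_version(parent) if VERSION_DIR.match(parent) else None
        return CHROME_BUNDLED, version
    return None


def inventory(paths):
    """Classify every path; returns [(variant, version, path), ...] for the Flash files only."""
    found = []
    for path in paths:
        hit = classify(path)
        if hit:
            found.append((hit[0], hit[1], path))
    return found


def walk_scan_roots():
    """Gather candidate files from the assumed locations (yields nothing off Windows)."""
    return [os.path.join(d, f) for root in SCAN_ROOTS for d, _, files in os.walk(root) for f in files]


def report(found, latest):
    """Status per variant against the version published in the current Adobe bulletin."""
    latest = parse_version(latest)
    status = {}
    for variant in VARIANTS:
        versions = [v for var, v, _ in found if var == variant]
        if not versions:
            status[variant] = "not installed"
        elif None in versions:
            status[variant] = "installed, version unknown (read the manifest.json next to it)"
        elif min(versions) < latest:              # any older copy left behind is still exposure
            status[variant] = "OUTDATED " + ".".join(map(str, min(versions)))
        else:
            status[variant] = "current"
    return status


# Constructed sample listing (not a real host), used when the scan roots are absent.
SAMPLE_PATHS = [
    r"C:\Windows\System32\Macromed\Flash\Flash64_24_0_0_194.ocx",
    r"C:\Windows\SysWOW64\Macromed\Flash\Flash32_24_0_0_194.ocx",
    r"C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_207.dll",
    r"C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_24_0_0_194_ActiveX.exe",   # helper, ignored
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.194\pepflashplayer.dll",
]

if __name__ == "__main__":
    paths = walk_scan_roots() or SAMPLE_PATHS
    latest = "24.0.0.194"     # placeholder: take the real value from the Adobe bulletin
    for variant, state in report(inventory(paths), latest).items():
        print(f"{variant:40} {state}")
```

"Not installed" only means nothing was found at the assumed paths; a variant installed to a non-default location still needs a patch scanner that reads the browser's plug-in registrations rather than a fixed directory list.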
Microsoft has released a total of four bulletins, two of which are critical and publicly disclosed. Microsoft is resolving 15 unique vulnerabilities this month, 12 of which come from the Adobe Flash update. It’s interesting to note that there is no rollup for Windows 8.1 or Server 2012 this month.
Other than Microsoft and Adobe, there are a few other updates available if you are using Foxit Reader, Skype, etc. Although several of the Microsoft vulnerabilities have been publicly disclosed, none of them have been exploited and there are no zero-days.
This could be the calm before the storm. We have not seen a Patch Tuesday this light since January of 2014. Next month you should expect some adjustments and a heavier Patch Tuesday drop as Microsoft changes methodologies.
This is the last Patch Tuesday that Microsoft will be using security bulletins. After January 10, Microsoft will no longer be publishing traditional security bulletins as individual webpages, but instead will only be publishing security update information to the new Security Update Guide. I’m sure there are many questions about what this means and how it will affect everyone so, if you have not already seen the FAQ put together by Microsoft, I have provided a link here.
As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the January Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance.
Goodbye 2016; Hello 2017!
We have survived another year and what a year that was.
As we start off 2017, I am sure most of you have already heard about the joining of forces between LANDESK and Heat Software to strengthen their combined expertise in security and patching. This marrying of the minds comes just in time for those who have not yet picked a new year’s resolution. Now is the time to make a resolution to improve the health of your security posture and patch your systems regularly.
Even though there are no known zero days or hints of nasty exploits on the horizon, we all know that it is just a matter of time before someone will find something to hack and expose potential vulnerabilities. So, with that in mind, let’s start the year off with good habits and make sure we are following the steps to better Security Hygiene now that the holiday fun and distractions are behind us.
Steps to Better Security Hygiene
- Make sure you have sanitized incoming email with junk mail and phishing filters. Remember that user-targeted vulnerabilities are where some of the highest risk lies.
- Make sure you have sanitized the machines and devices of users who have come into contact with public WiFi while traveling in and out of the office and private secured networks. Since users will likely browse the internet, open email with attachments, and in general be exposed to potential attack vectors daily, it is important to sanitize their machines with good signature, non-signature, and behavioral threat assessments. Remember that signature-based threat assessment alone is not enough anymore.
- Make sure your systems are frequently patched, both the OS and software, and make use of least privilege rules and proper application control. Remember that preventative security measures can mitigate or eliminate 85% of the threats in today’s market.
Chrome announced at the end of 2016 that beginning in the new year they will be identifying web pages as “Not Secure” if the page includes login or credit card fields AND the page is not served using HTTPS. For additional information on this announcement, see the following article posted on zdnet.com.
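The Chrome rule is mechanical enough to check for yourself before the browser does it for your users: a page is flagged when it contains a password or card-number field AND is not served over HTTPS. The following is an added example, not code from the page or from Google: a small audit using Python's standard `html.parser` that applies exactly that rule to a URL and its HTML. How a card-number field is recognized (the `autocomplete="cc-number"` token plus a few common name/id hints) is my assumption, and the pages it runs against are constructed, not captured from any real site. It also lists forms that post a sensitive field to an `http://` action, which is a separate exposure from the label itself but the same underlying problem.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the page): how a scanner recognizes a card-number field. Password
# fields are unambiguous (type="password"); for card numbers we check the autocomplete
# token and common name/id hints.
CARD_HINTS = ("cc-number", "cardnumber", "card_number", "card-number", "ccnum", "creditcard")


class SensitiveFieldFinder(HTMLParser):
    """Collect password and card-number inputs, plus forms that post them over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.card_fields = []
        self.insecure_actions = []
        self._action = ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # html.parser lowercases tag/attribute names
        if tag == "form":
            self._action = a.get("action", "")
            return
        if tag != "input":
            return
        label = a.get("name") or a.get("id") or "<unnamed>"
        is_password = a.get("type", "").lower() == "password"
        hints = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id")).lower()
        is_card = any(h in hints for h in CARD_HINTS)
        if is_password:
            self.password_fields.append(label)
        if is_card:
            self.card_fields.append(label)
        if (is_password or is_card) and self._action.lower().startswith("http://"):
            self.insecure_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = ""


def audit_page(url, html):
    """Apply Chrome's rule: a sensitive field is present AND the page is not served over HTTPS."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    https = urlparse(url).scheme.lower() == "https"
    sensitive = bool(finder.password_fields or finder.card_fields)
    return {
        "url": url,
        "https": https,
        "password_fields": finder.password_fields,
        "card_fields": finder.card_fields,
        "not_secure": sensitive and not https,
        # Not part of Chrome's label, but the same exposure: a page (even an HTTPS one)
        # whose form posts credentials or card data to an http:// action.
        "insecure_form_actions": finder.insecure_actions,
    }


# Constructed pages, not captured from any real site.
LOGIN_HTML = """<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass"><button>Sign in</button>
</form>"""
CHECKOUT_HTML = """<form action="http://pay.example.test/charge" method="post">
  <input name="card" autocomplete="cc-number"><input name="cvc" autocomplete="cc-csc">
</form>"""
SEARCH_HTML = '<form action="/search"><input type="search" name="q"></form>'

if __name__ == "__main__":
    for url, html in [("http://shop.example.test/login", LOGIN_HTML),
                      ("https://shop.example.test/login", LOGIN_HTML),
                      ("https://shop.example.test/checkout", CHECKOUT_HTML),
                      ("http://shop.example.test/", SEARCH_HTML)]:
        result = audit_page(url, html)
        print(url, "-> Not Secure" if result["not_secure"] else "-> ok",
              "(posts to http://)" if result["insecure_form_actions"] else "")
```

Running this over a crawl of your own sites, keyed on the URL scheme each page was actually fetched with, gives you the list Chrome will start marking before your users report it.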
Your Patch Tuesday Forecast
Based on the trends we saw in 2016, the January 2017 Patch Tuesday will likely include updates for the following:
From Microsoft we are likely looking at around 1-4 installable packages:
- OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
- Office is likely since there were updates consistently pretty much every month in 2016.
From Adobe you can expect 1-3 updates:
- Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all of 2016, so expect that update.
- Adobe Reader and Acrobat both released an update back in October of 2016 and have been pretty consistently having an update every 2-3 months this year. Those two are a high possibility this month since they did not release last month.
From Chrome you may have 1 update this month:
- Chrome released a beta version after last Patch Tuesday making it likely there could be an update on or around Patch Tuesday this month.
Total update accumulation: 3-8 updates for Patch Tuesday next week.
As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, January 11th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.