About the Author

Chris Goettl

Chris Goettl has over 15 years of experience in IT Management. He spent several years working in IT before joining Shavlik in 2004. Chris started in the Shavlik support team, supported OEM partners integrating Shavlik SDK's, worked in Sales as a Systems Engineer, and is now the Product Manager for the Shavlik Protect product line.

Patch Tuesday Forecast October 2016


October is here already, and it should be an interesting lineup of updates over the next few weeks. There are also some things you need to know about servicing model changes from Microsoft and about distribution changes for Adobe Flash. Oracle is also dropping its quarterly CPU this month. Read on for more details:

On the Horizon

This is the month Microsoft will have its first delivery under the new servicing model and there is a lot of uncertainty amongst companies as to what really is going to change. I interviewed LANDESK CSO Phil Richards on the subject and he had a lot to say. You can check out the full interview here, but it boils down to this:

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

Oracle will be releasing their quarterly critical patch update this month. I always try to emphasize this, as they will not release on Patch Tuesday but on the following Tuesday. Oracle’s release schedule is the first month of each quarter, on the Tuesday closest to the 17th, which falls on Tuesday, October 18 this month. The Oracle CPU always brings a lot of fixes for some pretty nasty vulnerabilities. Take July’s release for JRE. This update included 13 security fixes, nine of which were remotely exploitable without authentication. Four of these were rated CVSSv2 9.6: exploitable remotely without authentication, rated as low complexity, meaning they are easier to exploit, and rated high for confidentiality, availability and integrity. According to analysis in Verizon’s 2015 Data Breach Investigations Report, these would fit the pattern of vulnerabilities likely to be exploited within two weeks of release from the vendor.

Adobe has changed the availability of Flash Player for distribution. This change has been looming for some time now. We first caught wind of it late last year, and since then Adobe has pushed the date multiple times, but on September 29 they finally took the plunge. From the distribution page you now get two directions to go: one for consumers and one for companies wanting to distribute. Follow the link to request approval for distribution. I personally went through the process and it was quick and painless; once approved, you will receive details on how to access the enterprise-ready version of Flash Player for distribution in corporate environments.

Patch Management Tip of the Month

In a conversation I had yesterday with one of our customers, we shared details of the change Microsoft described in its blog and through other sources like the customer’s Microsoft TAM, and talked through some scenarios to figure out a plan for proceeding this month and going forward. Here is where we left the conversation, understanding full well that “No plan survives contact with the enemy.”

  • For systems currently in operation, plan to test and roll out the October security bundle, which will include updates for IE and the OS in a single package. This package should contain security-only updates and should not be cumulative. In other words, if you need to exclude this bundle for any reason, you should be able to take November’s security bundle without it forcing application of the October security bundle. Expect to take the security bundle each month until you hit a situation where non-security updates (bug fixes) would force the need to apply the cumulative rollup.
  • For new systems implemented after the servicing model change, they are planning to start with the cumulative rollup until a point where they hit an exception, in which case they would switch to the security bundle for those systems until the event which caused the exception can be resolved, allowing application of the cumulative rollup once again.

And I will re-emphasize last month’s tip, which is to expand your pilot group for application compatibility testing. Getting power users from the parts of your organization that rely on business-critical apps will help you catch impacts from these larger bundles of updates earlier in the test process. Many companies have test systems, but only validate some high-level functionality like logging in to the system and basic data rendering. Many issues could occur deeper in legacy apps, from rendering of PDFs to printing documents. This year alone we have seen both PDF and GDI updates nearly every month from Microsoft. These are common components to be updated, as they are high-profile targets for user-targeted attacks like phishing scams. A vulnerability that exploits a user is often the first point of entry into a company’s network.

Your Patch Tuesday Forecast

From this point on you can expect an average of three to four Microsoft updates. Under the new servicing model, we will typically see the Security Bundle (IE and OS updates), Flash for IE, .NET, Office and occasionally SharePoint, SQL, Exchange and other applications.

Oracle will release on October 18, so expect a critical update for Java and many other Oracle solutions.

Adobe is due for an Adobe Acrobat and Reader update, so I am forecasting at least two bulletins from Adobe this month: Adobe Reader and Flash Player, and likely Acrobat as well. If Flash drops we will see the Flash for IE bulletin from Microsoft and plug-in updates for Google Chrome and Mozilla Firefox.

It has been nearly a month since the last Google Chrome release on September 15. They did a re-release late in the month, but with only a minor change. The beta channel for Desktop was updated yesterday so we are not far off. There is a good chance we will see a Chrome update on or before Patch Tuesday.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

The CSO Perspective: On the Upcoming Microsoft Service Model Change


The CSO Perspective: What Does the Microsoft Servicing Change Mean?

October is CyberSecurity Awareness month. It’s also the month that Microsoft will implement the new servicing model to pre-Windows 10 systems. Yes, that’s correct. Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 will all be moving to an update servicing model similar to Windows 10. Microsoft first announced this change in June and described it as follows:

  • Internet Explorer and Operating System updates will be packaged in two ways.
    • Security Bundle—All OS and IE (Security only) updates for the month will be bundled in a single update. This is not cumulative: the November Security bundle would not include the October Security updates.
    • Cumulative Update—All OS and IE updates for the month for both security and non-security are included in a cumulative rollup each month. The November rollup would include the updates from the October cumulative update.
  • .NET Framework will be a separate Cumulative Rollup. This update will be a single package no matter how many .NET versions are currently installed on a system. The installer will detect and update the installed versions. It will NOT install net new versions.
  • Adobe Flash for IE will be a separate update.
  • Office, SharePoint, Exchange, SQL, and other products will still be separate updates each month.

I’ve had questions from customers, prospects, writers, vendors, and partners about the real impact of this. I’ve posted my thoughts, but today I thought we would catch up with LANDESK CSO Phil Richards and get his.

Chris: Phil, thanks for taking the time to talk about how you see this change and the improvements and challenges we’ll face in the future.

Phil: Thanks, Chris. This is an interesting development from Microsoft that has potential security improvements, and potential issues, depending on how we, the consumers, respond.

Chris: Phil, Microsoft’s change was prefaced with a message of “You asked for it, we delivered.” They didn’t really say what we “Microsoft customers” asked for. So, based on the changes, what was it you think we asked for?

Phil: Enterprise-level patching is far more complex than patching your personal computer at home. There are three main improvements customers are looking for over today’s patching processes: simplification, quality, and security. I think a good portion of the consumers are looking for a simplified patching experience. The complexity of patching—understanding precedence requirements, identifying installed components that require patching, and anticipating future patch needs—makes the patching experience somewhat painful, error prone, and manually intensive for IT professionals. Unfortunately, this is a double-edged sword: when Microsoft bundles the patches, making the customer interface more simplistic, they increase internal complexity of the patch package. The bundled patches must respond correctly to more configuration permutations. While many customers don’t like the complexity associated with multiple patches, I believe they will be unable to support patch bundles across the entire set of systems that require patching. When an IT department has a particular server that needs special handling because of software that will not work with a specific patch, it’s faced with the very real challenge of not applying the entire patch bundle on that system. Over time, we will see many systems that are not able to take patches at all, lowering the security readiness of the enterprise.

Customers are also asking that Microsoft improve the quality of the patches. But increasing the complexity of the patch package by bundling patches raises quality of the Microsoft package at the cost of adversely impacting other sensitive applications on the system.
Finally, customers also need improved security from their patches. With this new patching delivery method, updates are more frequent and potentially more comprehensive. Unfortunately, security updates often create new security vulnerabilities as quickly as they patch old ones. They are, after all, software. While this happens much more frequently with other providers, it has occurred with Microsoft patches. Another security issue has to do with the volume of patches and the possibility of missing one or more of them in your environment. By bundling the patches and providing a cumulative update, IT professionals have the ability to make sure their servers are up to date. Again, the downside is that if I am unable to patch a particular server because of one component, the server remains vulnerable to all threats in the whole patch package.

Chris: Seems like, even with Microsoft’s good intentions, there could be challenges. Digging deeper into some of your points, let me throw a hypothetical situation at you and see how you’d handle it. Let’s say you have a legacy application in your environment that’s critical to your business and very sensitive to patching. You know that each month the security updates need to be tested and often result in one or two OS updates you have to mark as exceptions because they conflict with this application.

If we look at September’s updates and apply the details Microsoft described, the 14 bulletins become 4. The largest is for IE and OS updates. It rolls 10 bulletins and 31 vulnerabilities into a single bulletin. There is another for Office, one for .NET, and one for Flash Player for IE. One of those OS bulletins for September is for the Windows Graphic Components. Under the old model it’s bulletin MS16-106, which resolved 5 vulnerabilities. In this case it will be in the bulletin that includes 31 vulnerabilities, including a Zero Day that was resolved in IE. This GDI change breaks the legacy application and will cause a major disruption to the business. You have to choose to make an exception or break the application and wait for the vendor to fix it. What would you choose to do?

Phil: If I choose to run the critical business application and keep my business afloat, I have to choose not to install multiple patches, which poses a very real threat to my business. If I choose to patch, I have to stop running the application, which poses a very real threat to my business. To address this issue, I’d try to get the vendor of the application to make modifications to support the Microsoft patch. I’d also look at other technologies that will allow me to further isolate the offending application, so I can patch the operating system, or apply network configuration changes to decrease the attack surface of the server. Major technologies in this space include containerization to isolate the application or web application firewalls to decrease the attack surface. While there are workarounds to patching issues, these require heavy lifting by an already overburdened IT organization. These workarounds aren’t efficient and will increase complexity of the environment overall—which is exactly what Microsoft is trying to avoid in the first place.

Chris: Let’s take this scenario one step further. The legacy application is from a vendor that’s no longer in business, so there’s no fix forthcoming. This leaves you with a known exploit for IE exposed in your environment, which is unacceptable. What steps would you take to protect the systems that require this application?

Phil: At this point, the best that can be done is application isolation through containerization and network isolation through a combination of segmentation, firewalls, and web application firewalls. The amount of work involved in this one-off solution is significant, and it’s brittle. I believe this scenario will happen multiple times for customers that have special apps not supported by vendors that are running significant portions of the business. Once the workaround solutions are in place, there is no incentive to fix the underlying problem. It just becomes more walled off, creates higher technical debt, and because of the brittleness of the solution, remains a high risk area of the infrastructure. The problem also compounds. Since the patches need to be cumulative in nature, there is the possibility that by skipping the patch bundle for October, you might not be able to take patches in the future, which increases the network configuration pressure, increases the brittleness of your workaround, and makes it all the more difficult to extricate your business app from the vicious cycle.

Chris: Great feedback, Phil. Thanks again for your time and recommendations. It appears that we should all expect some changes in the near future and some hard questions may come up, but I think you have provided some great takeaways from this discussion.

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

As always the team here will be keeping a close eye on the situation. As we near October Patch Tuesday we will have more details to share. Make sure to sign up for the October Patch Tuesday Webinar; we plan to cover the new servicing model changes in detail once we see the first month of the new model in operation. www.shavlik.com/Patch-Tuesday

September Patch Tuesday 2016


Patch Tuesday September 2016

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October, Microsoft has announced a change to the servicing model for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post. This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year, we are averaging about three CVEs per bulletin. Using the explanation from Microsoft’s blog post, I revisited each Patch Tuesday for 2016 and recalculated the total bulletin count we would have seen under the new model; the average changes to around 12 CVEs per bulletin.

The bottom line is that exceptions due to application compatibility issues will compound from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, the vendors whose products conflict with the updates are going to be under more pressure to resolve the issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will get a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management: if the exploited user has full administrative rights, so does the attacker. If the user has less than full rights, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for the Edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves five vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe is a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for Exchange Server that resolves three vulnerabilities. In reality, this update addresses more, as it includes the Oracle Outside In libraries, which received an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user-targeted vulnerability. An attacker could send a link with a specially crafted URL that would redirect an authenticated Exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update for the VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to fully resolve the issue. The vulnerability targets end users, and its impact can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system: Flash Player itself and the plug-ins for IE, Chrome, and Firefox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.


Patch Tuesday Forecast September 2016

We are only a few days away from September Patch Tuesday, and just for a bit of nostalgia I dug up this old image: the circa-2010 “Minimize the Impact of Patch Tuesday” banner.


So, here are a few things to watch out for to help minimize the impact of Patch Tuesday, a quick tip to help you tune your process, and our forecast on what we think you should expect this month.

On the Horizon

Based on the sheer volume of questions I’ve had about this I’m going to go out on a limb and say that the servicing changes Microsoft plans to implement in October are a hot topic right now. Microsoft’s announcement to move all pre-Windows 10 OSs to the same bundled update model has stirred up concerns from their customers. I will start off with the same recommendation I have given everyone so far: keep breathing. But also know the facts. Microsoft will have a security bundle that will release each month that includes updates for IE and the OS. There will be a cumulative bundle option as well that will include non-security fixes and feature changes. The security bundle will be the way to go for most organizations.

The fallout from this change will be a more pronounced need for application compatibility testing. If you recall January’s Patch Tuesday, the Windows 10 cumulative update caused Citrix’s VDA Client to break. This is exactly the type of scenario companies I’ve spoken to are concerned about. Fortunately, Citrix worked with Microsoft and moved quickly to resolve the VDA incompatibility that the cumulative update caused. Microsoft updated its release to detect if VDA was installed, and if it was, the cumulative update was not installed. This process left their customers exposed to many vulnerabilities in the January release, but Citrix turned around a fix in short order, and together they reduced the risk to their common customers to only a week of not being able to push the January updates.

But this was two software giants working together; the issues will be more pronounced with less common products or vertical specific products, such as healthcare devices or manufacturing systems that run on Windows systems. Home-grown applications and applications developed by vendors who are no longer in business may be less of a concern on Windows 10, but on older systems they are much more common. Which brings us to our tip of the month!

Patch Management Tip of the Month

Application compatibility is the biggest hurdle to effectively remediating software vulnerabilities. Most companies we talk to have an exception list of updates that conflicted with business critical applications. This has been a rising concern for companies as they evaluate Windows 10, and now will become a concern for their existing systems come October. The looming inability to pick and choose which updates to apply to their systems has many companies concerned. The reality is we will have less of a choice in the matter going forward, so what do we do?

Pilot Groups

One tip that I always stress when advising our customers is to have an involved pilot group. Many companies have a small set of test systems for the most critical of assets, but this falls short of truly ensuring you catch application compatibility issues quickly. What you need is to ensure you have a selection of power users in your pilot group to help you flush out issues quickly. These power users will be able to provide you better feedback, and they’re technically savvy enough to help you work through issues as you discover them.

Having a few power users who will keep their heads and work with IT to resolve issues quickly helps reduce the impact on the greater workforce. Someone from IT may be able to verify that login works and some basic interfaces load, but the power users will get into the product and find the less obvious things, like an update breaking print features or the submission of a job or form. Most business managers quickly agree to this arrangement when you put it to them as a partnership where you will work with one or two of their best to keep the majority impact-free.

Your Patch Week Forecast

August was our lightest Microsoft Patch Tuesday this year tied with January at 9 Microsoft bulletins total; the average this year has been closer to 13 bulletins each month. I expect this month will be closer to the average if not a little above. Starting in October, this average will appear to drop significantly as the bulletins will become bundles instead, reducing the average number of Microsoft updates to around four or five each month. At that point, watching vulnerabilities resolved will be a more accurate indicator of how significant the month’s updates were.

On the non-Microsoft front, I would expect an Adobe Flash update, as we have not seen a Flash Player update since July, which is near an eternity in Flash Player terms. Also, be aware that Adobe has updated its message about the looming end of open distribution of Flash on the distribution download page. The end of September is the new cut-off, after which you will need an Adobe ID and a login to Adobe’s site to gain access to Flash updates if you need to distribute them internally. We will see if this is really the one.

Google Chrome just released this Wednesday, so plan to include that and some other recent third parties like Wireshark in your patching schedule this month.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

Windows 7 and 8.1 servicing changes!?!?

I have had this question come at me from a dozen directions today, so I thought I would provide my thoughts on these changes in a more consumable and easily shared format.

First off, let’s summarize the changes. Microsoft has announced that it is changing the servicing model for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. There will be a monthly roll-up similar to Windows 10 where all security and non-security updates will be bundled in a single cumulative update. This means that starting in October the OS and IE updates will consolidate from several individual updates into a single cumulative bundle. Come November, the next cumulative will include the October updates as well, and so on.

Microsoft is also going to provide a security-only bundle for each month, which is a little different. The security bundle will allow enterprises to download only the security updates, but it will still be a single package with all security updates for that month bundled together.

.NET Framework will have a separate monthly roll-up and security-only option that will update only the existing versions of .NET installed on the system. This update would not upgrade the .NET version to a newer one.

FAQ:

We will start with my favorite one. Q: Did this change surprise you?

Chris: No, I actually made a prediction internally and had a bet with one of our content team members. The prediction occurred when Microsoft first released the Convenience Roll-up. I predicted that Microsoft would make this change before the year was out. It just seemed like a logical next step. Tylere owes me a six pack of good craft beer now.

Q: Why did Microsoft make this change?

Chris: They state similar reasons in their blog post that I linked to above. I will state one other reason that I expect had a little something to do with it. This was one of the final barriers to many companies making the switch to Windows 10. Being able to pick and choose which updates to deliver to systems, especially in the case where something breaks, had many companies holding back from moving to Windows 10. Moving to the bundled approach has removed this convenience, although they are providing the security-only bundle for each month. One thing to note: in the write-up Microsoft did not state whether this security-only bundle is cumulative, so we will have to wait and see.

Q: Why is the cumulative bundled approach a deterrent for enterprises?

Chris: The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle, which may include many security fixes, and a business-critical application if the two conflict. On pre-Windows 10 systems a single patch conflicting would mean making an exception for one patch instead of the entire month’s patch bundle.

If you recall the Windows 10 cumulative for January that broke the Citrix VDA client, Microsoft and Citrix had to coordinate a window of opportunity for Citrix to release an update to resolve the issue. In this case it was a pretty quick turnaround, and customers with the VDA client installed on Windows 10 were able to apply the VDA update a week later, then apply the Windows 10 January cumulative.

It did not seem too bad with just one week of lag time, but what if the cumulative breaks an application that is home grown or one that is from a vendor who may no longer be in business? If a fix is either not forthcoming or comes months later, this means that you cannot apply the next month’s cumulative, or the month after, and so on until the issue is fixed. I have talked to many companies about concerns regarding the cumulative bundled service model for this reason.
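The September exercise earlier on this page and this FAQ answer describe the same effect from two angles. As an added example, not part of the original posts, here is a small Python model of how one application-compatibility exception translates into unpatched CVEs under the old per-bulletin model versus the new packages, and how the exposure grows month over month when the package is cumulative. Bulletin IDs and CVE counts are the ones quoted in the September post; the placeholder OS bulletin and the monthly counts are constructed.

```python
"""Model of the October 2016 servicing change: what an application-compatibility
exception costs under the old per-bulletin model versus the new bundled packages,
and how that exposure grows month over month when the package is cumulative.

Bulletin ids and CVE counts for MS16-104/106/107/108/110/116/117 are those quoted
in the September post; the remaining OS bulletins are lumped into one constructed
placeholder so the security bundle totals the 31 vulnerabilities the post cites."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bulletin:
    id: str
    component: str  # "OS", "IE", ".NET", "Flash-IE", "Office", "Exchange", ...
    cves: int


# Constructed sample for September 2016 (counts from the post where given).
SEPTEMBER_2016 = [
    Bulletin("MS16-104", "IE", 10),
    Bulletin("MS16-106", "OS", 5),   # Windows Graphics Component (GDI)
    Bulletin("MS16-110", "OS", 4),
    Bulletin("MS16-116", "OS", 1),   # VBScript engine, ships alongside the IE update
    Bulletin("OTHER-OS-PLACEHOLDER", "OS", 11),  # constructed: remaining OS bulletins
    Bulletin("MS16-107", "Office", 13),
    Bulletin("MS16-108", "Exchange", 3),
    Bulletin("MS16-117", "Flash-IE", 29),
]


def package_name(b: Bulletin) -> str:
    """Map a bulletin to the package it would ship in under the new model."""
    if b.component in ("OS", "IE"):
        return "Security bundle (OS + IE)"
    if b.component == ".NET":
        return ".NET rollup"
    if b.component == "Flash-IE":
        return "Flash Player for IE"
    return b.component  # Office, SharePoint, Exchange, SQL stay separate


def bundle(bulletins):
    """Group bulletins into new-model packages: {package: [bulletins]}."""
    packages = {}
    for b in bulletins:
        packages.setdefault(package_name(b), []).append(b)
    return packages


def exposure_old_model(bulletins, excluded_ids):
    """Old model: an exception leaves only that bulletin's CVEs unpatched."""
    return sum(b.cves for b in bulletins if b.id in excluded_ids)


def exposure_new_model(bulletins, excluded_ids):
    """New model: an exception blocks the whole package the bulletin ships in."""
    exposed = 0
    for members in bundle(bulletins).values():
        if any(m.id in excluded_ids for m in members):
            exposed += sum(m.cves for m in members)
    return exposed


def unpatched_timeline(months, break_idx, fix_idx, cumulative):
    """Unpatched CVEs at the end of each month when the package released in
    months[break_idx] breaks a critical app and the vendor fix lands in
    months[fix_idx]. With non-cumulative security bundles only the breaking
    month is held back; with cumulative rollups every later rollup also
    carries the breaking change, so all of them are held until the fix."""
    held = 0
    timeline = []
    for i, (_name, cves) in enumerate(months):
        if i >= fix_idx:
            held = 0  # fix in place: every held package can now be applied
        elif i == break_idx or (cumulative and i > break_idx):
            held += cves
        timeline.append(held)
    return timeline


# Constructed monthly CVE counts for the security package; only October's 31
# mirrors a figure from the post.
MONTHS = [("Oct", 31), ("Nov", 25), ("Dec", 40), ("Jan", 30)]

if __name__ == "__main__":
    for name, members in bundle(SEPTEMBER_2016).items():
        print(f"{name}: {len(members)} bulletins, {sum(m.cves for m in members)} CVEs")
    print("MS16-106 exception, old model:", exposure_old_model(SEPTEMBER_2016, {"MS16-106"}))
    print("MS16-106 exception, new model:", exposure_new_model(SEPTEMBER_2016, {"MS16-106"}))
    print("security-only path:", unpatched_timeline(MONTHS, 0, 3, cumulative=False))
    print("cumulative path:   ", unpatched_timeline(MONTHS, 0, 3, cumulative=True))
```

The same MS16-106 exception costs 5 unpatched CVEs under the old model and 31 under the new one, and on the cumulative path the held-back count keeps climbing every month until the vendor fix arrives.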

Q: What does this mean for the Shavlik or LANDESK products I use to patch my environment?

Chris: Like Windows 10, for us it is business as usual.  We will continue to support these updates as they release.  It really is just a change from 6-10 OS patches each month down to one patch that needs to be applied for the OS and IE.  So expect a cumulative roll-up or security-only bundle for the OS, a .NET roll-up, and other Microsoft apps like Office, SQL, SharePoint mixed in depending on the month.

As always, we will be keeping an eye on any changes that develop and providing guidance and recommendations.  Sign up for our Patch Tuesday webinars to keep up to date on the latest from Microsoft and 3rd Party Vendors like Adobe, Google, Mozilla, Apple, Oracle and more.  From our Patch Tuesday page you can find future webinar registrations, previous Patch Tuesday infographics, presentations, and on-demand webinar playback from previous months.

August Patch Tuesday 2016


Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user-targeted vulnerabilities, and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit, as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to ransomware. Plugging as many user-targeted vulnerabilities on the endpoints as possible is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.

July Patch Tuesday 2016


Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, which is a Priority 1 update resolving 30 vulnerabilities. As a reminder, the last Acrobat\Reader update was in May, which was also a priority two with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th.  Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management, meaning that if the user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system, whereas a user with lesser rights limits what the attacker can do.

MS16-086 is a cumulative update for JScript and VBScript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022, released in April 2010.  The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.”  The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016.  It seems a cumulative JScript\VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow for Remote Code Execution and Elevation of Privilege attacks if the attacker is able to perform a man-in-the-middle attack on either a workstation or print server, or by setting up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper privilege management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted Office document. An attack could come in the form of an email attachment or through hosted web content. According to the documentation provided by Microsoft, on SharePoint the vulnerabilities appear to allow only Information Disclosure, and the rating drops to important for the SharePoint and Web Apps components. Thus, the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday Bulletins.  For more detail join us tomorrow for our regular Patch Tuesday webinar.


Windows 10 branch upgrades and Shavlik Protect 9.2 Update 3 available!

It has been a busy week here with the 4th of July holiday and a couple of content and product releases.

On Tuesday we released a content update which added support for pushing Windows 10 1511 to Windows 10 1507 systems.  Shavlik Protect 9.2 now supports branch upgrades! For instructions on how to upgrade Windows 10 systems to branch 1511, please see our community post.

With the Windows 10 Anniversary update coming on August 2nd, those Windows 10 systems running the original 1507 branch will start their countdown to end of support for updates.  Microsoft has stated a 4 month grace period once a new branch releases before the N-2 branch stops receiving updates.

The recommended approach to supporting these branch upgrades is to keep a pilot group moving ahead to the new branch soon after it releases.  Those systems on the previous Current Branch for Business (in this case 1507) should start migrating to the new CBB (1511).  The 1607 (Anniversary Update) branch will become the new Current Branch, and you will have around 8 to 10 months to evaluate this within your pilot group before the next branch update releases.

On Thursday this week we released Update 3 for Shavlik Protect 9.2.  This update includes several customer reported bug fixes.  For more details or to download the latest installer visit our downloads page.

More than half of our customer base has already moved to Protect 9.2 and is taking advantage of the great new features and speed of Protect 9.2.  For those customers still on 9.1 or 9.0, please keep in mind that these versions will reach end of service this year.  Protect 9.0 is ending service as it was scheduled to do, but Protect 9.1 is being moved forward because of SHA-1 end of life.  Protect 9.2 supports SHA-256 and after upgrading will migrate the Protect Console and Agent certificates over to SHA-256.  For more details please see our product life-cycle policy here.

  • Shavlik Protect 9.0 will reach end of service on 2016/10/19.
  • Shavlik Protect 9.1 will reach end of service on 2016/12/31.
  • Shavlik Protect Threat Protection in Advanced and AV Add-On editions will also reach end of service on 2016/12/31.


June Patch Tuesday 2016


I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. Adobe is urging companies that distribute Flash Player to get a proper enterprise agreement in place for doing so. Most of you, however, are only concerned with updating the Flash Player instances already in place, not with distributing it intentionally.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/.  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below: user-targeted vulnerabilities, and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attached image or PDF. The exploit would be embedded in this specially crafted content, allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they will convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly a 90 percent chance of exploiting one of them and getting into your network.
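The "10 users, roughly 90 percent" figure follows from treating each user as an independent chance to open the content. The following added example (not from the original post) works that arithmetic through for both Verizon rates and also inverts it to show how many users an attacker would need to reach a given probability; independence between users is an assumption.

```python
def prob_at_least_one(p_open: float, n_users: int) -> float:
    """Probability that at least one of n_users opens the crafted content.

    Each user is assumed to open it independently with probability p_open,
    so the chance that nobody opens it is (1 - p_open) ** n_users.
    """
    return 1.0 - (1.0 - p_open) ** n_users


def users_needed(p_open: float, target: float) -> int:
    """Smallest number of users to target so that the probability of at least
    one of them opening the content reaches `target` (same independence assumption).
    """
    n = 0
    while prob_at_least_one(p_open, n) < target:
        n += 1
    return n


# Rates quoted from the Verizon 2016 report in the paragraph above.
P_OPEN_EMAIL = 0.23       # opens the phishing email
P_OPEN_ATTACHMENT = 0.11  # opens the attachment

if __name__ == "__main__":
    for label, p in (("open email", P_OPEN_EMAIL), ("open attachment", P_OPEN_ATTACHMENT)):
        print(f"{label}: P(at least one of 10) = {prob_at_least_one(p, 10):.3f}, "
              f"users needed for 90% = {users_needed(p, 0.90)}")
```

With the 23 percent open rate, ten users already give about a 93 percent chance that at least one opens the email, which is the "roughly 90 percent" above; using the stricter 11 percent attachment rate, an attacker would need about 20 users to reach the same odds.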

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one or both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Several of these vulnerabilities are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for Jscript and VBScript for three vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and SharePoint that includes fixes for four vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note, each of which includes a vulnerability that has been publicly disclosed: MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures they warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Windows Convenience Update causing inconvenience for VMware and Microsoft App-V users!

A quick heads up.  The Convenience Update for Windows 7 SP1 and Server 2008 R2 SP1 is causing issues with VMs using the VMware VMXNet3 virtual network adapter type.

According to a blog post by VMware and a post by Microsoft, uninstalling the update will resolve the issue.  The Microsoft article goes on to talk about an issue with Microsoft App-V where virtual applications may have difficulty loading.

The recommendation in both cases is to defer pushing this update until a resolution is in place.