About the Author

Stephen Brown

Stephen Brown is the Director of Product Management for Shavlik. Before Shavlik, Stephen held executive, product management, and engineering roles at various information security product companies including Arellia, Altiris (now Symantec), and Axent (now Symantec).

macOS Sierra and Safari 10 Security Updates

Today brings a new version of macOS (formerly known as Mac OS X, formerly known as Mac OS) with macOS Sierra 10.12. It also includes a new version of Safari with the release of version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.

macOS Sierra

macOS Sierra 10.12 fixed 60 vulnerabilities. Many of the vulnerabilities relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
  • CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.

These examples are noteworthy because vulnerabilities like these are often used as the starting point for exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10

Today also marks the release of Safari 10, which is embedded with macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, 16 of which are cases where processing malicious web content may lead to arbitrary code execution. This is Apple-speak for: visiting bad websites or web ads may result in running malware. Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, it is time to upgrade.

Summary

With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, upgrading all systems to Safari 10 should take priority, as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.

Apple Mac OS X September 1, 2016 Security Updates

September brings us updates for Safari and Mac OS X, which appear to be a late response to the iOS zero-day vulnerabilities patched last week in iOS 9.3.5. Because of the nature of the exploits for these vulnerabilities and the small size of the update, these updates should be treated as critical and applied quickly.

iOS 9.3.5

To better understand these updates, we must look at iOS 9.3.5, which came out on August 25, 2016. Deep analysis by Lookout and Citizen Lab found that a spyware product called Pegasus uses zero-day vulnerabilities and sophisticated techniques for targeted attacks on mobile devices. The three vulnerabilities in use have been dubbed the Trident Exploit Chain:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
  • CVE-2016-4655: An application may be able to disclose kernel memory
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

Here is Lookout’s summary of the exploit actions:

“The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”

Read more: Sophisticated, persistent mobile attack against high-value targets on iOS (https://blog.lookout.com/blog/2016/08/25/trident-pegasus/)

Once installed, the spyware can be used to gather data from the phones including calls, messages, and app data. Targets for these attacks include a human rights activist from the United Arab Emirates, a Mexican journalist, and unknown individuals from Kenya.

Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite

Fixes for the two kernel vulnerabilities were included in these updates. With iOS 9.3.5 as a background, there are a few insights. First, OS X and iOS share a lot of code. This has always been known, but this update really reinforces this reality. Exploits may target one platform over the other, but potential for exploit often exists on both platforms. The second insight or question is: why the delay? Obviously, the exploit chain was being used on iOS, but the same actions of phishing, opening a browser, and loading malicious code are possible on Mac OS X. It could be a simple case of engineering timelines, but security teams should again consider that what happens on iOS may affect Mac OS X and vice versa.

Noticeably absent from these updates is an update for the nearly 3-year-old OS X Mavericks. There are a few conclusions that you can make based on this difference: OS X Mavericks isn’t vulnerable or Apple didn’t choose to fix these issues. If there have ever been vulnerabilities worth fixing, this set would be it. That said, if I’m a betting man, I say that Apple decided not to fix these issues. As I’ve noted in previous articles, Apple is selective about fixing issues for the older versions of Mac OS X, and staying current on the latest version is as important as applying the latest patches. I can’t state for a fact that OS X Mavericks is vulnerable, but I would be shocked if somehow it didn’t have these vulnerabilities.

Safari 9.1.3

Safari 9.1.3 fixes the vulnerability where a maliciously crafted website may lead to arbitrary code execution. We see such vulnerabilities addressed in almost every Safari update, and they should serve as a warning, as these are prime for exploitation through phishing or any other method that cons unsuspecting users into clicking on a link.

Summary

If there are a few takeaways for IT and security teams here, they are:

  • Consider iOS and Mac OS X vulnerabilities to be related to each other
  • Older versions of Mac OS X are not going to have updates to fix every vulnerability, including obvious critical ones
  • Don’t ignore your Apple devices – they get exploited too

Shavlik Protect is A Best of VMworld 2016 Gold Award Winner for Security

We are happy to announce that Shavlik Protect has won the Gold Award of VMworld 2016 for the Security category from TechTarget’s SearchServerVirtualization.com. We wholeheartedly agree with their choice, but let’s give our perspective on why Shavlik Protect is a winner.

Patch Management = Security Foundation

In today’s security landscape, there is an abundance of products that promise insight into the latest threats. With all of the flash and hype, many overlook the security value of patch management, which eliminates vulnerabilities and the countless threats that target each vulnerability.

There are many patch management products on the market, but Protect is particularly suited for virtual environments for a couple of reasons.

Virtualization Focused

VMworld is synonymous with virtualization and this is one of the great strengths of Shavlik Protect. There are many capabilities that make Protect a must for patching virtual environments including:

  • Online and offline virtual machine patching
  • Virtual machine template patching
  • Snapshot critical assets for superior rollback
  • VMware vCenter integration
  • VMware ESXi Hypervisor patching

The reality is that Protect seamlessly patches virtual environments, making it a prime choice for the datacenter.

Just Say Yes to Agentless

Protect can use agents to assess and deploy patches, but our datacenter customers love our agentless capabilities for many reasons:

  • Assess and deploy patches
  • Minimize impact to server workloads
  • New virtual systems are never missed

Robust 3rd Party Patching

Too many organizations only focus on the operating system and turn a blind eye to the 3rd party applications that also create vulnerabilities on systems. Shavlik Protect is an industry leader with an immense catalog of 3rd party applications that is constantly expanded to cover new products and versions.

Just Add Water and Stir

Enterprise software has a bad rap for being very difficult to install and configure. With Protect, you can have the product installed, scanning for patches, and actually deploying patches in half an hour or less! Our engineering team has put a lot of effort into making Protect easy to install and use so you can get value quickly. Now don’t equate ease of install and use with simple. Protect has the capabilities to work in large and complex environments, but you can get started fast. Don’t believe me? Try it for yourself.

Apple July 2016 Mac OS X Updates

As was the case in May, Happy Apple Patch Monday!

Apple’s July 2016 Mac OS X Updates apply to Mac OS X, including versions El Capitan 10.11.6; Security Update 2016-004 for Mavericks 10.9.5 and Yosemite 10.10.5; and Safari, with a new version 9.1.2. In total, there were 72 vulnerabilities fixed, many of which create high risk for enterprises.

OS X 10.11.6 and Security Update 2016-004

Apple is clearly in maintenance mode for released versions of OS X as they prepare to get macOS Sierra ready for release in a few months. OS X 10.11.6 has no apparent significant new features, only some bug fixes and fixes for 60 vulnerabilities. These vulnerabilities also apply to older versions in the form of Security Update 2016-004.

As is the case in other security updates, Apple is selective about which vulnerabilities are fixed for the older, supported versions. I highly doubt that many of these vulnerabilities only apply to 10.11. In terms of a breakdown of the vulnerabilities fixed by OS X version, we get:

OS X Version       Vulnerabilities Fixed
10.9.5             18
10.10.5            19
10.11 and later    60

Interesting vulnerabilities fixed in this release include seven that apply to QuickTime, where processing an image file can lead to arbitrary code execution. These types are golden for hackers since they can be emailed via spam or phishing to lure a target into compromise. With all of the terrible headlines in the news lately, it is easy to imagine how a hacker might send a message using news of the day with an image attached which someone would be enticed to open.

There were also a number of other arbitrary code execution vulnerabilities fixed in the PHP, Graphics, Image, and SSL components. There is one vulnerability, CVE-2016-2108, in the OpenSSL component that is particularly nasty, with a CVSS 3.0 score of 9.8 out of 10. With all the attacks on SSL (Heartbleed) in recent times, this alone is a strong reason to upgrade all Macs with this update.

Safari 9.1.2

Safari 9.1.2 applies to OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6 and fixes 12 vulnerabilities. Of the dozen vulnerabilities, six have the impact where, to quote Apple, “Visiting a maliciously crafted website may lead to arbitrary code execution.”

Needless to say, arbitrary code execution is bad news, and having it triggered simply by visiting a maliciously crafted website is really bad news. A real-world example is phishing an end user to get them to click on a link and visit a bad website, which then causes ransomware to be downloaded and run. The first instance of ransomware in the wild was discovered in March and delivered by an infected BitTorrent client, but it’s only a matter of time before web-based targeting occurs using vulnerabilities like those fixed in Safari 9.1.2.

Other Updates

As is typically the case, Apple also released updates for other key software including iOS 9.3.3, watchOS 2.2.2, tvOS 9.2.1 (I’m wondering if this is a version error, as May also had a tvOS 9.2.1), and iTunes 12.4.2 for Windows. An interesting note is that on iTunes 12.4.2, all of the vulnerabilities fixed also applied to the OS X updates and came in the form of various XML libraries. There is not a lot of detail in the bulletin to determine the impact of these iTunes fixes, but there are some nasty vulnerabilities, including CVE-2016-1836, which allows arbitrary code execution via a bad XML file (“check out my cool playlist” and get hacked, for example).

Summary

Like the May 2016 updates, this month’s release doesn’t have anything by way of features to encourage users to upgrade, but there are plenty of high security risks that should encourage all enterprises to update as soon as possible.

Apple May 2016 Mac OS X Updates

Happy Apple Patch Monday! Today’s Apple May 2016 Mac OS X Updates impact Mac OS X, including El Capitan 10.11.5, Security Update 2016-003 for Mavericks 10.9.5 and Yosemite 10.10.5, and Safari 9.1.1. In total, there were 77 vulnerabilities fixed, including many high-risk vulnerabilities that should be remediated quickly.

OS X 10.11.5 and Security Update 2016-003

The last Mac OS X Security Update was on March 21, and today’s release of OS X 10.11.5 and Security Update 2016-003 brings fixes to 67 vulnerabilities across OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11. As with previous security updates, the majority of vulnerabilities are only fixed in El Capitan. Here is the breakdown of vulnerabilities fixed by OS X version:

  • 12 in Mavericks 10.9.5
  • 13 in Yosemite 10.10.5
  • All 70 fixed in El Capitan 10.11

With Apple’s latest version focus, it is very interesting to explore the vulnerabilities that were fixed in the older versions. Included in that mix are vulnerabilities where:

  • An application can determine the kernel memory layout
  • An attacker in a privileged network may execute arbitrary code with user assistance
  • Malicious XML, website, or web content may lead to arbitrary code execution

The last category is the most interesting, as malicious websites or files are useful for hackers to social engineer their way onto a system.

Among the vulnerabilities fixed only in El Capitan, one is of note for its exploitability and impact. It is a vulnerability in QuickTime (CVE-2016-1848) where opening a maliciously crafted file may lead to arbitrary code execution. This is interesting in that social engineering could be employed to get a user to click on a video file, for example by using an enticing headline of the day such as “Funny Quotes from Donald Trump”, and bad things ensue (quite literally in the case of a malicious video).

There are many other vulnerabilities, but the true severity and impact is obscured by Apple’s limited information. That said, there are plenty of reasons to update quickly.

Safari 9.1.1

Safari 9.1.1 applies to Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11.5. This is a minor update with 7 vulnerabilities fixed, including 5 where arbitrary code could be executed by visiting a malicious website. Such vulnerabilities are hooks that phishers use to bait users into visiting malicious websites and compromising their systems. One other vulnerability is a minor risk in that it prevents fully deleting browsing history. The final vulnerability (CVE-2016-1858) is a moderate risk where visiting a malicious website may disclose data from another website. If you have any doubt, make sure Safari is brought up to date quickly, as the 5 arbitrary code vulnerabilities will undoubtedly be useful for targeting users.

Other Updates

Apple usually releases updates for everything at once and this release is no different. There were also updates for iOS (9.3.2), watchOS (2.2.1), tvOS (9.2.1), and iTunes (12.4).

Summary

This month’s updates do little to entice users to want to update their systems in terms of new features. That said, Apple will push them down unless a user explicitly avoids it. There are enough critical vulnerabilities in these updates that all organizations should ensure all Mac OS X systems are brought up to date quickly.

Tech Summit Preview: Shavlik Protect Advanced Features

Think you are a Shavlik Protect expert? Whether you are a Protect veteran or a noob, we would like to expand your expertise during the Shavlik Technical Summit at Interchange in Las Vegas on May 24-25. There are many Shavlik Protect advanced features we will go into including (but not limited to) predictive patching, content updates, distribution servers, scheduled reporting, rollups and other advanced features, including those new to version 9.2.

We know Protect is quick and easy to set up and configure, but there is so much more under the surface. One of our goals is to demystify many of the advanced features that will maximize the value of Shavlik Protect in any environment. We hope to introduce you to capabilities you didn’t even know existed and help you understand how to implement Shavlik Protect’s advanced features in your environment.

We’re bringing some of our best engineers and product managers together to mind meld with you during a few days of training and extracurricular activities. We look forward to seeing you there.

Shavlik Tech Summit Preview: Patch Management Best Practices

Patch Management Best Practices at the Shavlik Technical Summit 2016

Shavlik has been in the business of patch management for a very long time. From HFNetChk to Shavlik Protect, Shavlik Patch, and now Shavlik Empower, we’ve spent a long time building industry-leading patch management solutions. Along the way, we’ve built up a lot of expertise around patch management best practices. By now, we hope you’ve seen our Patch Tuesday analysis and webinars as well as insights on 3rd party applications, and Apple Mac OS X updates. It’s overdue that we have a face to face to share our cumulative knowledge on patch management best practices and we have just the event to do that.

At the Shavlik Technical Summit at Interchange in Las Vegas on May 24-25, we want to share our insights on patch management best practices so you can have a better understanding of how to address the process, people, and technology to keep your environment secure and stable. We’ll spend time helping you understand our products, but more importantly the processes and approaches to maximize success. We will also discuss how top vendors release patches, potential pitfalls, and changes that are coming. It’s not too late to register, so join us in Vegas and let us help you become a patch management expert for your company.

Tech Summit Preview: Shavlik Empower

Patch Management from the cloud – why should you care? With clients increasingly mobile, as are you, we saw a need to be able to patch and track what’s going on in your enterprise and see that information anywhere. With Shavlik Empower, we introduced cloud-based, web-accessible patch management with inventory and change tracking and this is just the beginning. We were so excited about what Shavlik Empower can do for our Shavlik Protect customers that we made the base inventory and change tracking free with Protect.

If you missed the launch of Shavlik Empower last fall, we want to give you some hands on training and experience at the first Shavlik Technical Summit at Interchange in Las Vegas on May 24-25. We’re going to go into architecture, integration with Protect, and the ability to manage Windows and Mac OS X systems directly from the cloud. We hope to see you there.

Tech Summit Preview: Shavlik Protect 9.2

Shavlik Protect 9.2 was released last fall and we know that many of you downloaded it and are already using it. This release was jam-packed with many new capabilities including turbo charged assessment and remediation, predictive patching, Patch Tuesday + X scheduling, product EOL reporting, redesigned patch view \ group, and so much more. If those capabilities don’t sound familiar, you may be asking, where can I get training on Shavlik Protect 9.2? We’ve got an answer: the first Shavlik Technical Summit at Interchange in Las Vegas on May 24-25.

We plan on going into many of the new features in sessions as well as hands on labs. We’ll give you a chance to learn how they work, how to implement them, and give you the experience to go home and apply the new capabilities to your environment. You will get a chance to mingle with our product managers and engineers and get answers to the questions you’ve had around Protect. We look forward to having you join us next month.

Invitation to the Shavlik Technical Summit

Shavlik Technical Summit at Interchange 2016

If you haven’t noticed from the homepage, we’re holding the first ever Shavlik Technical Summit at Interchange in Las Vegas on May 24-25. So I know what you’re thinking, “What the %^&* is a technical summit and why should I attend?” Let’s start with the why. We’re passionate about security: patch management in particular. We believe patching is one of the most fundamental parts of any security program. We know you are busy administering multiple systems and applications and patching is one important part of your overall responsibilities. We want to make you stand out in your company as an expert in patch management and Shavlik.

So how are we going to make you an expert? Well imagine if you blended hands on labs, best practices, product introductions, deep dives, roadmap, and access to product experts all mixed in with some fun on the side. As you can see, coming up with a name wasn’t easy, but our goal is to help you get the most out of Shavlik Protect and related solutions and have fun along the way. I guess we could have called it a boot-camp-expert-presentations-labs-roadmap-peer-experience-conference, but we settled on the Shavlik Technical Summit.

We’ve priced it to be very reasonable, so whether you’re a long-time customer with Shavlik or brand new, we believe these two days will do more toward making you a patching and Shavlik expert than anything else you could do. We hope to see you there.