Shavlik Patch 2.2 available in early access!


The Shavlik Team is proud to announce the availability of Shavlik Patch 2.2 in an early access delivery.  Check out what’s new!

  • Edit packages (watch the video) – Change the command-line switches, expected return codes, etc. for a given package.
  • IAVA Support – For our Federal customers we have extended our IAVA coverage into our Shavlik Patch offering, making it much easier to automatically cross-reference DOD IAVAs.
  • Republishing and re-signing of packages – The manual steps for doing this are long and painful, and going down that rabbit hole is not recommended.  It is also no longer necessary!  We are going to do all the heavy lifting on this one.
  • Manage vendor and product categories (watch the video) – We have a new interface that lets you monitor and manage the categories in use so, again, you do not have to go down a significantly long, manual process to reclaim a category that is no longer in use.

We have a webinar scheduled for April 6th, 2016 to walk through the Shavlik Patch 2.2 features and show you what’s new! You can also download Shavlik Patch 2.2 here.

Microsoft is finally pushing people off of old Internet Explorer versions


Microsoft warned us back in April of 2014 that they would be reducing support for the Internet Explorer browser to only cover the latest version available for each operating system. Well, that date is upon us. January 12, 2016 will be the official end-of-life date for any version of IE older than the latest available for the version of Windows you are running. The original life-cycle announcement lists the version that will be supported for each OS. After the January Patch Tuesday release there will be no security updates unless you are on the supported version for that OS.

On January 12, expect to see upgrade notifications on older versions of Windows, if you are running a version of the browser older than the latest. You can disable those notifications if you have a need to continue running an older version of the browser for some reason.

If you need to continue running an older version of IE for some reason, take precautions. After this last IE update, older versions will become a prime target.

  • Visualize a system with the older version of IE and remove access to the internet and from anyone who does not require access. Of course this only works if the browser will be used for an application or site that is internal to your network.
  • If you need to use an older version for access to an external site, you should begin putting pressure on the vendor involved or start shopping around for alternate solutions. In the meantime, you can also install an alternative browser and inform users of those systems that they must use Google Chrome or Mozilla Firefox for everything but that one purpose. Not a great solution.
  • You can add additional levels of protection with products like Bufferzone. This will containerize the browsing experience, protecting the system if the user happens to come across anything malicious.

This one is not a drill, folks. If you recall my assessment of the top five vulnerable vendors from 2015, I called out the three primary contributors to vulnerability counts: OS, browser, and the media\office products. Internet Explorer had the largest single product vulnerability count in 2014. In 2015 it moved down the list to #7, but that was more due to the significant increase in vulnerabilities in other products. It had only 12 fewer resolved in 2015 than in the previous year. Point being, expect that from the point that older versions of IE are end-of-life’d this month, we will see around 200+ vulnerabilities identified that will go unresolved in the unsupported versions.
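To find the machines this policy leaves exposed, the following added example (not Shavlik or Microsoft code) compares the installed IE major version with the version supported for the running OS. The version table is taken from Microsoft's life-cycle announcement referred to above, not from this page, so verify it before relying on it; the function names are hypothetical.

```powershell
# Added example: flag hosts whose IE is older than the one version
# Microsoft supports for that OS after January 12, 2016.
# Keys are "<OS major.minor>|<Client or Server>"; values are IE major versions.
# Assumption: table as published in Microsoft's life-cycle announcement.
$SupportedIE = @{
    '6.0|Client'  = 9    # Windows Vista SP2
    '6.0|Server'  = 9    # Windows Server 2008 SP2
    '6.1|Client'  = 11   # Windows 7 SP1
    '6.1|Server'  = 11   # Windows Server 2008 R2 SP1
    '6.2|Server'  = 10   # Windows Server 2012
    '6.3|Client'  = 11   # Windows 8.1
    '6.3|Server'  = 11   # Windows Server 2012 R2
    '10.0|Client' = 11   # Windows 10
}

function Get-IEMajorVersion {
    $path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $key  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    # IE 10 and later keep the real version in svcVersion; the older
    # Version value then reads 9.10.x or 9.11.x and would look like IE 9.
    $raw = if ($key.svcVersion) { $key.svcVersion } else { $key.Version }
    if (-not $raw) { return $null }
    return [int](($raw -split '\.')[0])
}

function Test-IESupport {
    # Get-WmiObject is used so the check also runs on PowerShell 2.0 hosts.
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $parts = $os.Version -split '\.'
    # ProductType 1 is a workstation; 2 and 3 are server roles.
    $role  = if ($os.ProductType -eq 1) { 'Client' } else { 'Server' }
    $osKey = '{0}.{1}|{2}' -f $parts[0], $parts[1], $role
    $ie    = Get-IEMajorVersion

    if (-not $SupportedIE.ContainsKey($osKey)) {
        # For example Windows 8 (6.2 client), which has no supported IE entry.
        $status = 'OS not in table'
    } elseif ($null -eq $ie) {
        $status = 'IE not found'
    } elseif ($ie -lt $SupportedIE[$osKey]) {
        $status = 'Unsupported IE'
    } else {
        $status = 'Supported'
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        OS       = $os.Caption
        IEMajor  = $ie
        Required = $SupportedIE[$osKey]
        Status   = $status
    }
}

Test-IESupport
```

Hosts reported as `Unsupported IE` are the ones to upgrade or to isolate as described in the list above.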

 

 

 

Windows 10 is coming early


Along with all of the new features and improvements, Microsoft is introducing changes to how updates will be delivered. There have been growing concerns around these changes and the introduction of Windows Update for Business (WUB). Regardless of what you may have heard, these changes are not all bad. Microsoft is trying to deliver two important things to the Windows user with these changes: 1) accelerated release of Security Updates while retaining stability and 2) faster delivery of new features for the user. Microsoft is introducing branches, or rings, that will allow machines to receive updates on different intervals.

Server 2003 end of life July 14, 2015. What’s your plan?


Are you prepared for the impending Windows Server 2003 end of life? Support is ending on July 14, 2015, which just so happens to be Patch Tuesday. You get one last round of security updates before support ends. So what are your options? I have had a number of companies approach us about what their options are, so I thought I would share some of those thoughts here.

Option 1: Migrate off of 2003. By the fact that you are here reading this, we can assume that Option 1 is delayed for some time.

WUB WUB WUB and Windows 10


Did you know that WUB is the new UNTS in Electronica Dubstep?  I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB.  Windows Update for Business.

There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.

Shavlik in the news- November Patch Tuesday(s)

If you follow patching news, you are well aware that this month was somewhat of an abnormality. As we covered in a previous blog post, this month’s Patch Tuesday was the biggest this year with 16, and only 14 were released on the regular Patch Tuesday. An additional patch was released out-of-band this week and also received quite a bit of attention.

As an authority on Patching, Shavlik is often quoted in the press, and this month was no exception. Our own Chris Goettl was quoted in a variety of outlets, including KrebsOnSecurity, Computerworld, Network World, CIO, CNET, CSO, and internationally at The Register and The Inquirer.

In case you haven’t had a chance to read up on the news yet, here are links to a selection of the articles that include information from Shavlik:

Krebs On Security - Microsoft Releases Emergency Security Update

Krebs On Security - Adobe, Microsoft Issue Critical Security Fixes

CSO - Microsoft patches Kerberos vulnerability with emergency update

Network World - Patch Tuesday: 16 security advisories, 5 critical for Windows

The Register - Microsoft warns of super-sized Patch Tuesday next week

CNET - Microsoft plans big Patch Tuesday this month with 16 bug fixes

Computerworld - Microsoft releases emergency patch to stymie Windows Server attacks

SearchSecurity - Microsoft addresses Kerberos security flaw with critical out-of-band patch

Each month, we review the Microsoft and third-party releases for Patch Tuesday in a webcast, which occurs the day after the announcements are made. Our next webcast is scheduled for Wednesday, December 10 at 11:00am ET/8:00am PT. If you’d like to attend, you can register here. To view our other recent and upcoming webinars, including a recording of this month’s patch Tuesday webcast, you can find that information here.

Security Breaches Everywhere: Keeping Your Company Out of the Headlines

Lately, it seems not a day goes by without news of a security breach dominating the headlines. The Target breach last fall set off waves of copycat attacks that still, nearly a year later, are successfully infiltrating the networks of prominent retailers. Recently, we’ve seen the likes of P.F. Chang, Dairy Queen, and Minneapolis-based SUPERVALU join the ranks of hacked retailers.

I sat down with Rob Juncker to chat about these hacks and the unique challenges that companies in certain businesses like retail and health care face in securing their environments. In addition to being the Vice President of R&D here at Shavlik, Rob also dabbles in white hat hacking.

Anne:  Rob, the Target breach really got our attention as both consumers and as an industry. Now, nearly a year later, what do we know about the Target breach? How did it happen?

Rob:  We know an external hacker managed to take control and infiltrate Target’s system by way of a very unsecure node that was allowed to operate on their network. This was a complicated attack because they infiltrated a node, jumped onto Target’s network, and then had ample time to search the network, to find vulnerabilities, and to infect machines.

They infected the machines by injecting BlackPOS. It located point of sale (POS) devices, looked for specific processes on those machines, stared into their memory, and tried to match data formatted in the same manner that credit card tracks are formatted. After it found credit card data, BlackPOS sent it out of Target’s network to a location where the hackers could grab it.

Anne:  One thing that really stands out there is that they attacked a more or less forgotten node and not the data center. As an IT community, we invest so much of our energy into securing the data center, but from this example we see that isn’t enough.

Rob:  Most people focus on securing the most important assets within their network. The entire Target hack happened on the least valuable parts of the network – a computer designed for remote diagnostics as well as POS’s which are typically the cheapest nodes and the cheapest OS’s. These hackers could have never gained access to Target’s core databases, but they didn’t have to. They simply attacked the nodes where the data is collected.

Anne:  Do retailers face unique challenges in securing their IT infrastructure?

Rob:  Retailers have incredibly complex environments – all of these terminals out on a WAN in all of these stores. Nobody in IT is hands-on because every store can’t have its own IT department, and the devices are running various OS’s that have various third-party applications resident on them. This makes for a perfect storm for retailers to be exploited. Health care providers have similar complexity when you think about all of the nodes spread out throughout a hospital or a clinic.

Anne:  Here at Shavlik we are quick to share the figure that 75% of vulnerabilities exploited in the wild already have software updates (patches) available to fix them. How important is patch management in preventing these types of breaches?

Rob:  If you aren’t properly patched, someone can use off-the-shelf scripts to get access to that network. The Target hack was a professional hack. They knew what they were doing. That was the first, but all of these others are simple variants of the same approach. This has gone from being the work of an experienced hacker to that of a script kiddie. It is now readily repeatable, and we have a population of hackers attacking every site they can find.

Patch management is an important piece of having a full security profile for your entire network. Exploiting a known vulnerability is step one of the process. If you can reduce the ease of doing that, hackers are likely to move on to someone else.

Anne:  Most IT departments are disciplined about patching their data center servers with tools like Shavlik Protect and patching endpoint OS’s with tools like Microsoft System Center Configuration Manager (SCCM). Let’s assume the OS is up-to-date. Is that good enough?

Rob:  No. Because they have POS’s running a Windows OS, it is guaranteed there are third-party applications running on those devices. It could be an embedded internet browser or an embedded PDF generator. Worse, it could be Java which is the most exploited third-party application.

The existence of third-party apps isn’t a “maybe;” it is a “for sure.” CIO’s around the world should ask themselves, “It’s great that we patch Windows, but do we patch everything else?” If the answer is “no,” are you willing to bet your job on that decision?

Anne:  Of course CIO’s don’t want to risk their jobs over something as simple as third-party app patching, but given the complexity of their networks, are IT departments for retailers faced with a lose/lose decision between knowingly remaining unsecure versus spending all of their time on patching?

Rob:  For those companies who have SCCM, Shavlik Patch for Microsoft System Center makes the decision easy. With Shavlik Patch retailers can patch third-party applications from within SCCM in the same manner in which they patch the OS. They can also completely automate the process which means they can get into a “set and forget” mode for applying third-party updates. Third-party patching doesn’t have to be a difficult or arduous process. If it feels that way, Shavlik can help you out.

 

Patch management is critical, but it is just one piece of the security puzzle. In the next post in this series, Rob will dig deeper into the technical details of the Target hack, discuss how you can determine if BlackPOS already exists in your environment, and explain how you can cut off its communication lines if/when it finds its way into your network.

Also, if you’d like to join a discussion on this topic, Shavlik will be hosting a webinar on September 30.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT
Register Now

Think patching with WSUS is enough? Think again…

…Guest blogger and Shavlik Product Evangelist John Rush shares his insights on the age old question in Patch Management – “Is patching with WSUS enough to keep my systems up-to-date and secure?”…

John Rush:

“Why is it important to use something other than WSUS for Patch Management? Three words – third-party software.

WSUS does not have the metadata for anything other than Microsoft updates. This means that organizations using WSUS are having to create custom update content and scripts to patch third-party applications or having to let the auto-updater manage the updates and re-boots.

Our customers tell us it takes 4-6 hours to research, package, script, and deploy a custom Adobe patch, and the updates come out so often they never have a chance to fully catch up.

Third-party applications are the “other than Microsoft” applications used in the enterprise. These include the big three of Adobe, Java, and Mozilla. There are more updates for these applications than there are for the Microsoft Operating System. In fact according to the National Vulnerability Database, 86% of reported vulnerabilities come from third-party applications; however, most organizations are allowing the auto-updaters for these applications to run and auto-patch.

Why is this bad? Two big reasons come to mind.

‘What’s it gonna break?’ Every update has the potential to be an application breaker. It happened recently; a certain database application stopped working when a Java update was applied.

‘Does everyone have the necessary “rights” to install the updates?’ If not, it is going to generate a help ticket, and someone is going to have to ‘touch’ that machine to get it updated.

So how can you solve this problem?

Download the free trial of Shavlik Protect and see how you can easily assess, deploy, and report missing patches on your machines for both Microsoft and third-party applications. Here is a list of the supported third party applications.”

Security of Point-of-sale devices

Along with the rise in successful attacks on retailers, there has also been a rise in concern about the vulnerability of point-of-sale (POS) devices. Target, Subway, and Neiman Marcus are all good examples of why a hacker would choose the POS device as their target. The rewards are both far reaching and highly lucrative.

Particularly with POS devices, it’s impossible to emphasize enough the difference between compliance and security. These cannot be equated and sometimes are not even in the same ballpark. Taking the Subway breach as an example, you can be PCI and PA-DSS compliant and still be exploited if you leave other security measures untended.

Following the guidance in the NACS/PCATS 8-point plan is a good way to stay on top of those other security measures that can improve not only compliance, but also security. It provides guidance on a layered security approach to protect the POS devices beyond the local device. One of the most important elements is keeping the PA-DSS compliant software up to date and compliant, but keeping any other applications residing on these systems patched and updated is also imperative. Segmenting the POS devices and eliminating internet access directly from the POS device further protects them. CERT’s Alert (TA14-002A), released in January 2014, emphasizes many of the same points for protection of the POS devices.

As we approach the Windows XP End of Life (EOL) in April, concerns have been raised regarding the broad reliance of ATMs on Windows XP Embedded. While XP Embedded is still supported until 2016, many of the systems supporting the ATMs will remain dependent on Windows XP and will go unpatched after April. This raises the concerns around letting platforms that will increase the risk of exploitation come in contact with POS devices.

Many banks have already been in negotiations with Microsoft to extend support for these dependent XP systems. Extending the support for these systems will allow banks to deploy private-release critical security patches to them, but this may require additional effort on the part of the IT teams to package the private patches for delivery to the EOL systems. If your company chooses to extend XP support beyond the April EOL date, you should contact your vendor regarding custom patch support. Shavlik has done this in the past with the EOL of Windows NT and 2000 systems. We are already discussing this type of service for customers who know they will have a prolonged dependency on Windows XP.

Many of the banks will be moving to Windows 7 Embedded, but are holding off for a few years to wait for the chip and pin rollouts before performing the migration to Windows 7 Embedded. That will occur over the next few years. By the time most have made the switch, it will be time to start looking at the next migration, as they will have about three years until Windows 7 Embedded reaches its own EOL and the problem repeats.

Last week our content team released support for Windows 8.1 Embedded. For the Shavlik customers who have already been requesting support for this platform, it is available for you now. For those customers upgrading to Windows 7 Embedded, that is already supported as well.  For more information, please visit http://www.shavlik.com/solutions/patch-management/ 

 

What Does Shavlik Patch Mean to Existing SCUPdates Customers?

Earlier this week, Shavlik announced the release of Shavlik Patch for Microsoft System Center. As an existing SCUPdates user, this likely left you with a number of questions. Let’s talk about them.

 

Q: We are using SCUPdates with SCCM 2007. What does this mean to us?

A: Nothing changes for you. You still have all the goodness of SCUPdates just with a shiny new name. If your organization is evaluating moving up to SCCM 2012, read on to see what the future holds.

 

Q: We are using SCUPdates with SCCM 2012. What does this mean to us?

A: A lot! You read earlier this week about the add-in, its tight integration with SCCM, and how easy it is to install and configure.  Hopefully, you attended our webinar yesterday and saw it in action. If not, check out the following.

  • Learn more about Shavlik Patch here.
  • View quick videos about how to install and configure Shavlik Patch here.
  • Download a free trial of Shavlik Patch here.
  • View user documentation for Shavlik Patch here.

 

Q: Lovely marketing material…tell me something technical.

A: Special logic has been added within the add-in for patching difficult-to-handle applications like Java. In the case of Java, you might find that updates often fail because Java doesn’t uninstall correctly when it is running. The Shavlik Patch add-in will:

  • Uninstall Java
  • Detect if it was uninstalled incorrectly
  • Schedule the install on reboot if needed
  • Inform the SCCM Agent if a reboot is required

The Shavlik Patch add-in will also handle Apple updates that are bundled in with the QuickTime and iTunes patches such as Apple Mobile Device Support and Apple Application Support.

 

Q: If I am on SCCM 2012, do I have to switch over to the add-in?

A: No. We think you will want to, but you do not have to. Customers can choose to use the add-in configuration, the catalog file configuration, or even both if that makes sense in your environment. Your choice of configuration does not affect your licensing.

 

Q: Do we have to pay more to get the new SCCM add-in?

A: Nope, as a current SCUPdates customer, you are entitled to the add-in or the catalog file configuration. You may download the add-in at http://www.shavlik.com/downloads/patch/ and begin using it immediately.

 

Q: I’ve had this product for a few years and haven’t seen you guys do much of anything with it. Is this release a signal of increased investment by your technology team?

A: Absolutely! Yes, we haven’t had a release in some time, but we have been listening to you. Here are some things you have been asking for that are addressed with the add-in.

  • Automatically download the catalog files
  • Handle Java better
  • Automate publishing to WSUS

Here are some other things you have been asking for that are on our roadmap for upcoming releases.

  • Disable auto updaters
  • Expanded product support
  • Support for supersedence