Patch Tuesday Forecast September 2016

We are only a few days away from September Patch Tuesday and just for a bit of nostalgia I dug up this old image.  Circa 2010 Minimize the Impact of Patch Tuesday banner.


So, here are a few things to watch out for to help minimize the impact of Patch Tuesday, a quick tip to help you tune your process, and our forecast on what we think you should expect this month.

On the Horizon

Based on the sheer volume of questions I’ve had about this I’m going to go out on a limb and say that the servicing changes Microsoft plans to implement in October are a hot topic right now. Microsoft’s announcement to move all pre-Windows 10 OSs to the same bundled update model has stirred up concerns from their customers. I will start off with the same recommendation I have given everyone so far: keep breathing. But also know the facts. Microsoft will have a security bundle that will release each month that includes updates for IE and the OS. There will be a cumulative bundle option as well that will include non-security fixes and feature changes. The security bundle will be the way to go for most organizations.

The fallout from this event will be a more pronounced need for application compatibility testing. If you recall January’s Patch Tuesday, the Windows 10 cumulative update caused Citrix’s VDA Client to break. This is exactly the type of scenario companies I’ve spoken to are concerned about. Fortunately, Citrix worked with Microsoft and moved quickly to resolve the VDA incompatibility that the cumulative update caused. Microsoft updated its release to detect if VDA was installed, and if it was, then the cumulative update was not installed. This process left their customers exposed to many vulnerabilities in the January release, but Citrix turned a fix-around in short order and together they reduced the risk to their common customers to only a week of not being able to push the January updates.

But this was two software giants working together; the issues will be more pronounced with less common products or vertical specific products, such as healthcare devices or manufacturing systems that run on Windows systems. Home-grown applications and applications developed by vendors who are no longer in business may be less of a concern on Windows 10, but on older systems they are much more common. Which brings us to our tip of the month!

Patch Management Tip of the Month

Application compatibility is the biggest hurdle to effectively remediating software vulnerabilities. Most companies we talk to have an exception list of updates that conflicted with business critical applications. This has been a rising concern for companies as they evaluate Windows 10, and now will become a concern for their existing systems come October. The looming inability to pick and choose which updates to apply to their systems has many companies concerned. The reality is we will have less of a choice in the matter going forward, so what do we do?

Pilot Groups

One tip that I always stress when advising our customers is to have an involved pilot group. Many companies have a small set of test systems for the most critical of assets, but this falls short of truly ensuring you catch application compatibility issues quickly. What you need is to ensure you have a selection of power users in your pilot group to help you flush out issues quickly. These power users will be able to provide you better feedback, and they’re technically savvy enough to help you work through issues as you discover them.

Hitting a few power users who will keep their head and work with IT to resolve issues quickly helps reduce impact to the greater workforce. Someone from IT may be able to verify login works and some basic interfaces load, but the power users will get into the product and find the less obvious things, like updating broke print features or submitting a job or form. Most business managers quickly agree to this arrangement when you put it to them as a partnership where you will work with one or two of their best to keep the majority impact-free.

Your Patch Week Forecast

August was our lightest Microsoft Patch Tuesday this year tied with January at 9 Microsoft bulletins total; the average this year has been closer to 13 bulletins each month. I expect this month will be closer to the average if not a little above. Starting in October, this average will appear to drop significantly as the bulletins will become bundles instead, reducing the average number of Microsoft updates to around four or five each month. At that point, watching vulnerabilities resolved will be a more accurate indicator of how significant the month’s updates were.

On the non-Microsoft front, I would expect an Adobe Flash update, as we have not seen a Flash Player update since July, which is near an eternity in Flash Player terms. Also, be aware that Adobe has updated the message on the distribution download page about the looming end of open distribution of Flash. The end of September is the new cut off, after which you will need an Adobe ID and a login to Adobe’s site to gain access to Flash updates if you need to distribute them internally. We will see if this is really the one.

Google Chrome just released this Wednesday, so plan to include that and some other recent third parties like Wireshark in your patching schedule this month.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

August Patch Tuesday 2016

Patch Tuesday Infographic

Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user-targeted vulnerabilities, and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit, as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include user-targeted vulnerabilities can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to ransomware. Plugging as many user-targeted vulnerabilities on the endpoints as possible is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.

July Patch Tuesday 2016


Even though there are no ‘Zero Day’ vulnerabilities, July’s Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical. In upcoming news, Oracle is due to have its quarterly Critical Patch Update release next Tuesday, July 19th. We also have the one year anniversary of Server 2003 end of life on July 14th, and it looks like the anniversary update for Windows 10 is slated for August 2nd – although the Insider build looks like it may have just stabilized on 1607 this week.

Starting with Adobe, they have released two bulletins. The first was preannounced last week as APSB16-26, which is a Priority 1 update resolving 30 vulnerabilities. As a reminder, the last Acrobat\Reader update was in May, which was also a priority two with 82 vulnerabilities resolved.

Flash player also has an update this month. APSB16-25 is a Priority 1 update resolving 52 vulnerabilities, the worst of which would allow an attacker to take full control of the affected system. If you recall last month, Adobe announced a ‘Zero Day’ on June’s Patch Tuesday, but released APSB16-18 on June 16th, along with 35 other CVEs. With that said, if you have not updated Flash Player in a while, you’ll want to put extra emphasis on updating this month ASAP.

Oracle’s Quarterly Critical Patch Update will be coming down the pipeline later this month, and is scheduled for next Tuesday, July 19th.  Be on the lookout for a Critical Java release and plan to include it in your monthly patch maintenance.

Microsoft’s release this month includes six critical updates and five important ones. This month, Microsoft is reporting two public disclosures and is resolving 41 distinct vulnerabilities.

First, let’s talk browser updates: MS16-084 for Internet Explorer is rated critical and fixes 15 vulnerabilities. MS16-085 for Edge is also rated critical and fixes 13 vulnerabilities. Both updates include vulnerabilities that are user targeted, meaning an attacker would be able to exploit a user through specially crafted content. These updates also include several vulnerabilities that can be mitigated by proper privilege management: if the user who clicks on the specially crafted content is a full admin, the attacker will have full control over the target system, whereas a user with lesser rights limits what the attacker can do.

MS16-086 is a cumulative update for JScript and VBScript. The bulletin is rated critical and resolves vulnerabilities that are user targeted and mitigated by proper privilege management. This is a continuation of a bulletin chain dating all the way back to MS10-022, released in April 2010. The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from “Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution” to “Cumulative Security Update for JScript and VBScript to Address Remote Code Execution.” The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016. It seems a cumulative JScript\VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.

MS16-087 addresses two vulnerabilities in Windows Print Spooler that could allow for Remote Code Execution and Elevation of Privilege attacks if the attacker is able to perform a man-in-the-middle attack on either a workstation or print server, or is able to set up a rogue print server on a target network.

MS16-088 addresses seven vulnerabilities in Microsoft Office and SharePoint. This update is also rated critical and includes vulnerabilities that are user targeted, and some that can be mitigated by proper privilege management. The vulnerabilities could allow Remote Code Execution if a user opens a specially crafted Office document. An attack could come in the form of an email attachment or through hosted web content. On SharePoint, according to the documentation provided by Microsoft, the vulnerabilities appear to allow only Information Disclosure, and the rating drops to important for the SharePoint and Web Apps components. Thus, the urgency is lessened somewhat for those products.

MS16-093 is the last of Microsoft’s critical bulletins this month. This is the Flash Plug-in for IE update. It resolves the 52 vulnerabilities included in APSB16-25, and should be a high priority this month, along with the other Microsoft critical updates.

In addition to the critical updates, there are two important updates this month that warrant special mention. MS16-092 and MS16-094 both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.

MS16-092 (CVE-2016-3272) is an important update in the Windows Kernel on 8.1, and later editions, that could allow a Security Feature Bypass. Likewise, MS16-094 (CVE-2016-3287) is a vulnerability in Secure Boot on the same platforms that could allow for Security Feature Bypass. In both cases, an attacker would need to either use an additional exploit (MS16-092) or have full administrative privileges or physical access to the system (MS16-094), making these two bulletins tougher nuts to crack.

This wraps up our early analysis of the July Patch Tuesday Bulletins.  For more detail join us tomorrow for our regular Patch Tuesday webinar.

June Patch Tuesday 2016


I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. Adobe is urging companies that distribute Flash Player to get a proper enterprise agreement in place for doing so. Most of you, however, are only concerned with updating the Flash Player instances already in place, not with intentionally distributing it.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/.  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below: user-targeted vulnerabilities, and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content, like an ad in a webpage or an attached image or PDF. The exploit would be embedded in this specially crafted content, allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have a roughly 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one or both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for Jscript and VBScript for three vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and SharePoint that includes fixes for four vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note, each of which includes a vulnerability that has been publicly disclosed: MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures, they warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Apple May 2016 Mac OS X Updates

Apple Mac OS X Updates

Happy Apple Patch Monday! Today’s Apple May 2016 Mac OS X Updates impact Mac OS X including El Capitan 10.11.5, Security Update 2016-003 for Mavericks 10.9.5 and Yosemite 10.10.5, and Safari 9.1.1. In total, there were 77 vulnerabilities fixed, including many high risk vulnerabilities that should be remediated quickly.

OS X 10.11.5 and Security Update 2016-003

The last Mac OS X Security Update was on March 21 and today’s release of OS X 10.11.5 and Security Update 2016-003 brings fixes to 67 vulnerabilities across OS X Mavericks 10.9.5, OS X Yosemite 10.10.5, and OS X El Capitan 10.11. As with previous security updates the majority of vulnerabilities are only fixed in El Capitan. Here is the breakdown of vulnerabilities fixed by OS X version:

  • 12 in Mavericks 10.9.5
  • 13 in Yosemite 10.10.5
  • All 70 fixed in El Capitan 10.11

With Apple’s latest version focus, it is very interesting to explore the vulnerabilities that were fixed in the older versions. Included in that mix are vulnerabilities where:

  • An application may be able to determine the kernel memory layout
  • An attacker in a privileged network position may execute arbitrary code with user assistance
  • Malicious XML, a malicious website, or malicious web content may lead to arbitrary code execution

The last category is most interesting as malicious websites or files are useful for hackers to social engineer their way onto a system.

Among the vulnerabilities only fixed in El Capitan, some are of note for their exploitability and impact. The first is a vulnerability in QuickTime (CVE-2016-1848) where opening a maliciously crafted file may lead to arbitrary code execution. This is interesting in that social engineering could be employed to get a user to click on a video file, such as using an enticing headline of the day like “Funny Quotes from Donald Trump”, and bad things ensue (quite literally in the case of a malicious video).

There are many other vulnerabilities, but the true severity and impact is obscured by Apple’s limited information. That said, there are plenty of reasons to update quickly.

Safari 9.1.1

Safari 9.1.1 applies to Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11.5. This is a minor update with 7 vulnerabilities fixed including 5 where arbitrary code could be executed by visiting a malicious website. Such vulnerabilities are hooks for Phishers to use to bait users to visit malicious websites and compromise their systems. One other vulnerability is a minor risk in that it prevents fully deleting browsing history. The final vulnerability (CVE-2016-1858) is moderate risk where visiting a malicious website may disclose data from another website. If you have any doubt, make sure Safari is up to date quickly as the 5 arbitrary code vulnerabilities will undoubtedly be useful for targeting users.

Other Updates

Apple usually releases updates for everything at once and this release is no different. There were also updates for iOS (9.3.2), watchOS (2.2.1), tvOS (9.2.1), and iTunes (12.4).

Summary

This month’s updates do little to entice users to want to update their systems in terms of new features. That said, Apple will push them down unless a user explicitly avoids it. There are enough critical vulnerabilities in these updates that all organizations should ensure all Mac OS X systems are up to date quickly.

Flash Zero Day Closure, or maybe not…

It was a confusing week for those tracking the Adobe Flash Player update. Let me summarize what happened and what may still be lingering.

Flash Player did announce an Advisory on Patch Tuesday (APSA16-02) announcing a Zero Day vulnerability (CVE-2016-4117) which was detected in exploits in the wild.  The update for the Zero Day did not drop on Patch Tuesday.  Instead it was released on Thursday this week (May 12th) as bulletin APSB16-15.

As many of you are familiar with already, updating Adobe Flash Player is not a simple matter of updating a single product.  If you are running Internet Explorer, Chrome and Firefox and are using the Flash Player Plug-In you could have three more variations of Flash Player that need updating to fully resolve the vulnerabilities in a new release.  That is where the confusion set in this week.

On Patch Tuesday, Microsoft released MS16-064, which was the Critical update for Adobe Flash Player as it is bundled in Windows OS and IE versions.  This update documented the 24 fixes initially planned for release by Adobe in bulletin APSB16-15, but did not include the Zero Day vulnerability (CVE-2016-4117).  Today (Friday May 13th) Microsoft re-released MS16-064 to address the slight version update that included the exploited vulnerability.

What is a bit uncertain at the moment is Chrome.  When Flash Player updates occur, Chrome also needs to be updated to support the newer version of the Flash Player Plug-In.  The Chrome update this week came out before the Flash Player Zero Day was resolved.  Does this mean that they are only supporting the initial drop similar to Microsoft releasing on Patch Tuesday?

I will be doing my typical Patch Tuesday Round Up next week and will try to have answers by then on if there is still a bit of Zero Day hanging on the spring breeze or if we are good.

For updates like this and more relating to Patch Tuesday check out our webinars page for upcoming Patch Tuesday webinars and on-demand playback of previous Patch Tuesday webinars and presentations for download.

May Patch Tuesday 2016

May’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053). Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion, considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer, which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update? Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?

In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.

Today, Adobe released bulletins for Adobe Reader and Cold Fusion, and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, that should bring the total to 109 CVEs resolved by Adobe this month.

MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188).  The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS it’s installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.

MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited one (CVE-2016-0189). This OS update is another that’s recommended to roll out as quickly as possible this month, as it affects older versions of the OS and their VBScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks, such as a specially crafted website designed to exploit the vulnerability through Internet Explorer, or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker gains privileges equal to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.

MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server. On the corporate network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.

Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.

Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.

With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player itself, the Flash plug-ins for Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and Firefox.
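The rollout windows this post assigns (immediate for anything exploited in the wild, two weeks for critical or publicly disclosed bulletins, four weeks for the Priority 2 Reader update) expressed as a small triage script; this is an added example, not Shavlik’s tooling, and the bulletin records are constructed from the post’s own text, listing only the CVEs the post names.

```python
"""Rollout triage for one Patch Tuesday, following the prioritisation rules
the May 2016 post spells out: exploited in the wild -> roll out immediately;
public disclosure or critical rating -> within two weeks; everything else
(e.g. a Priority 2 Reader update) -> within four weeks.

Example code added to this article, not Shavlik's own tooling. The records
below are constructed from the post's text; only the CVEs the post names are
listed, so the CVE counts are illustrative rather than the full month's feed.
"""
from dataclasses import dataclass

IMMEDIATE, TWO_WEEKS, FOUR_WEEKS = "immediate", "2 weeks", "4 weeks"
WINDOW_ORDER = (IMMEDIATE, TWO_WEEKS, FOUR_WEEKS)

# Vendor severity labels normalised to one scale: Microsoft "critical" and
# Adobe "priority 1" are treated alike, as the post does. Unknown -> 2.
RATING_RANK = {"critical": 0, "priority 1": 0, "important": 1, "priority 2": 1}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    product: str
    rating: str                          # vendor rating, lower-cased
    cves: frozenset                      # CVEs the bulletin resolves
    exploited: frozenset = frozenset()   # subset already exploited in the wild
    disclosed: frozenset = frozenset()   # subset publicly disclosed before the fix
    user_targeted: bool = False          # needs a user to open crafted content


def rollout_window(b: Bulletin) -> str:
    """Apply the post's three rules to one bulletin."""
    if b.exploited:
        return IMMEDIATE
    if b.disclosed or RATING_RANK.get(b.rating, 2) == 0:
        return TWO_WEEKS
    return FOUR_WEEKS


def urgency_key(b: Bulletin):
    """Sort key: window first, then more exploited / disclosed CVEs, then the
    vendor rating, then user-targeted bulletins (the endpoint entry points)."""
    return (WINDOW_ORDER.index(rollout_window(b)),
            -len(b.exploited), -len(b.disclosed),
            RATING_RANK.get(b.rating, 2),
            not b.user_targeted, b.bulletin_id)


def triage(bulletins):
    """Group bulletin ids by rollout window, most urgent first within each."""
    plan = {w: [] for w in WINDOW_ORDER}
    for b in sorted(bulletins, key=urgency_key):
        plan[rollout_window(b)].append(b.bulletin_id)
    return plan


def cve_counts(bulletins):
    """(total CVE mentions, unique CVEs). One CVE fixed by two bulletins, like
    CVE-2016-0189 in MS16-051 and MS16-053, is still one vulnerability."""
    total = sum(len(b.cves) for b in bulletins)
    unique = frozenset().union(*(b.cves for b in bulletins))
    return total, len(unique)


# Constructed from the May 2016 post above (not a complete bulletin feed).
MAY_2016 = [
    Bulletin("MS16-051", "Internet Explorer", "critical",
             frozenset({"CVE-2016-0189", "CVE-2016-0188"}),
             exploited=frozenset({"CVE-2016-0189"}),
             disclosed=frozenset({"CVE-2016-0188"}), user_targeted=True),
    Bulletin("MS16-053", "Windows (VBScript/JScript)", "critical",
             frozenset({"CVE-2016-0189"}),
             exploited=frozenset({"CVE-2016-0189"}), user_targeted=True),
    Bulletin("MS16-065", ".NET Framework", "important",
             frozenset({"CVE-2016-0149"}),
             disclosed=frozenset({"CVE-2016-0149"})),
    Bulletin("MS16-064", "Flash Player plug-in for IE", "critical", frozenset()),
    Bulletin("APSB16-14", "Adobe Reader", "priority 2", frozenset()),
    Bulletin("APSA16-02", "Adobe Flash Player", "advisory",
             frozenset({"CVE-2016-4117"}),
             exploited=frozenset({"CVE-2016-4117"})),
]

if __name__ == "__main__":
    for window, ids in triage(MAY_2016).items():
        print(f"{window:>9}: {', '.join(ids)}")
    print("CVE mentions / unique CVEs: %d / %d" % cve_counts(MAY_2016))
```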

Join us tomorrow for the May Patch Tuesday webinar where we will discuss the bulletins in more detail.

April Patch Tuesday Round-Up – Oracle Quarterly CPU Commentary


Patch Tuesday continued! Today Oracle released their quarterly Critical Patch Update. This is the day that Oracle product updates all come together: Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, and several other products. Oh, and Java, we don’t want to forget Java.

Across all updates it looks like 121 CVEs were resolved in total, the oldest of which dates back to 2011 (CVE-2011-4461). Seven of these vulnerabilities rate a 10.0 CVSS, which is the highest base score rating on the CVSSv2 scale.

There are a few indicators that can help you prioritize which updates you should worry about first. Exploit code being available in Metasploit is an easy one: if it is in Metasploit, it is also in the threat actor’s hands. Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited. If you look at Verizon’s 2015 Data Breach Investigation Report, the CVSS data provides a profile for vulnerabilities more likely to be exploited. If you have not already read this year’s report, check out the vulnerabilities section. I did a write-up on the Java Out-of-Band release that came out on March 24th. The Verizon report shows a progression of all vulnerabilities, vulnerabilities exploited, and vulnerabilities exploited under one month from publication. Using the pattern for those exploited in less than a month, 7 out of 7 of the CVSS 10.0 vulnerabilities fit the pattern.

Based on that, I would recommend the following priorities be added to your April Patch Tuesday activities.  Java SE (4 of 7), MySQL (2 of 7), Sun Systems Products Suite (1 of 7) should be updated in this update cycle.  I know many of you are already a week in, but these are the ones that stand a higher chance of being exploited before your next monthly patch cycle.

Happy Patching Everyone!

April Patch Tuesday 2016


April’s Patch Tuesday is looking and sounding like a spring weather forecast. The forecast called for rain, but it turned out to be partly cloudy. There have been some mixed feelings about a newly announced vulnerability, or set of vulnerabilities as it were, in Samba.

Badlock is a vulnerability recently identified in Windows and Samba. There are eight CVEs related to Badlock, categorized as man-in-the-middle and denial-of-service issues. The primary CVE is CVE-2016-2118. Because this is a multi-vendor problem, two CVEs were opened, one to track each vendor.

CVE-2016-2118 is the vulnerability for Samba and CVE-2016-0128 is for Microsoft, and is related to MS16-047. CVE-2016-2110 describes a vulnerability in negotiation of NTLMSSP, which allows for a downgrade attack. Luckily, Windows 2003 and Vista have introduced ways to protect against this type of downgrade attack. The rest of the vulnerabilities are specific to Samba, versions 3.0.0 to 4.4.0.

Microsoft has released a total of 13 bulletins this Patch Tuesday, six of which are critical. Piecing the Badlock CVEs together, it seems the only MS Bulletin related to Badlock is MS16-047. This is an important update for SAM and LSAD Remote Protocols. Based on feedback from Badlock.org, PoC code will be introduced in the near future, so count this one as a public disclosure and treat it as a higher priority this month.

Aside from Badlock, there are three more public disclosures and three vulnerabilities exploited in the wild (Zero Days) this month. One of the three Zero Days is the Flash for IE patch, which resolves 24 vulnerabilities, including the CVE-2016-1019 Zero Day in Adobe Flash and AIR.

MS16-037 is the Internet Explorer cumulative update. This bulletin is rated critical and resolves six CVEs, one of which is publicly disclosed (CVE-2016-0160). It’s important to note that many of these vulnerabilities can be mitigated by proper privilege management and use of the Enhanced Mitigation Experience Toolkit (EMET).

MS16-038 is an update for the Edge browser. This bulletin is also rated as critical and resolves six vulnerabilities. Similarly, most of the vulnerabilities are user-targeted and can be alleviated by proper privilege management.

MS16-039 is an update for Microsoft Graphics Component.  It is rated as critical and resolves four vulnerabilities, two of which have been detected in exploits in the wild.  The two Zero Days are CVE-2016-0165 and CVE-2016-0167, and should be considered a high priority for you this month. Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.

MS16-041 is an update for Microsoft .NET Framework. The bulletin is rated as important, but includes a public disclosure (CVE-2016-0148). To exploit this vulnerability, the attacker would need to gain access to the local system with the ability to execute a malicious application. Although it’s rated as important, the fact that it has a public disclosure puts this bulletin at higher risk of exploit.

MS16-046 is an update for Secondary Logon. This update is also rated as important and includes a publicly disclosed vulnerability (CVE-2016-0135). The attacker must first log on to the system, but after doing so, could run a specially crafted application that could exploit the vulnerability and take control of the system. Again, even though this vulnerability is rated as important, because it has a public disclosure, it’s at higher risk of exploit.

Adobe recently dropped a Flash update on April 7, 2016, and today, they updated their blog to say it also applies to Adobe AIR. This update included 24 CVEs, but most importantly, CVE-2016-1019, which is being actively exploited. With this vulnerability, an attacker could cause a crash on vulnerable systems, allowing the attacker to take full control of the affected system. This is a high priority update and should be pushed out to all systems without delay.

For Flash updates, keep in mind you need to update the plug-in for all of your browsers that have Flash installed. Today, Microsoft released the critical update for Flash Player for IE, and Google Chrome’s update also supports the latest plug-in. So if you are like me and run IE, Chrome, and Firefox, you may need to apply four separate updates to fully patch these Flash vulnerabilities.
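The point above, and the same note in the May post, is that one workstation carries several copies of the Flash plug-in and each one has to reach the patched build on its own. As an added illustration (not code from the post or from the vendor), here is a small Python check that reports which components on each host are still behind. The component-to-browser mapping is an assumption, and the build numbers are constructed placeholders rather than real Flash releases.

```python
from typing import Dict, List, Tuple

# Constructed placeholder: the build that the current advisory fixes. Not a real Flash release.
PATCHED_BUILD = "21.0.0.999"

# Assumption (not stated in the post): which Flash component each browser loads,
# and therefore which update channel patches it.
BROWSERS_BY_COMPONENT = {
    "ActiveX": ["Internet Explorer", "Edge"],   # delivered by the Microsoft bulletin
    "NPAPI": ["Firefox"],                        # delivered by Adobe's plug-in installer
    "PPAPI": ["Chrome"],                         # bundled with the Chrome update
}


def parse_build(build: str) -> Tuple[int, ...]:
    """'21.0.0.213' -> (21, 0, 0, 213); tuples compare element by element, so
    a plain string comparison's '21.0.0.99' > '21.0.0.213' mistake is avoided."""
    return tuple(int(part) for part in build.split("."))


def stale_components(inventory: Dict[str, str], patched: str = PATCHED_BUILD) -> List[str]:
    """Components on one host whose installed build is below the patched build."""
    target = parse_build(patched)
    return sorted(comp for comp, build in inventory.items() if parse_build(build) < target)


def exposed_browsers(inventory: Dict[str, str], patched: str = PATCHED_BUILD) -> List[str]:
    """Browsers on this host that still load a vulnerable plug-in."""
    browsers: List[str] = []
    for comp in stale_components(inventory, patched):
        browsers.extend(BROWSERS_BY_COMPONENT.get(comp, [comp]))
    return browsers


def fleet_gaps(fleet: Dict[str, Dict[str, str]], patched: str = PATCHED_BUILD) -> Dict[str, List[str]]:
    """Map host -> stale components, listing only hosts that still need work."""
    gaps = {}
    for host, inventory in fleet.items():
        stale = stale_components(inventory, patched)
        if stale:
            gaps[host] = stale
    return gaps


# Constructed sample inventory: component -> installed build, per host.
FLEET = {
    "ws-01": {"ActiveX": "21.0.0.999", "NPAPI": "21.0.0.900", "PPAPI": "21.0.0.999"},
    "ws-02": {"ActiveX": "21.0.0.900", "NPAPI": "21.0.0.999"},  # no Chrome installed
    "ws-03": {"ActiveX": "21.0.0.999", "NPAPI": "21.0.0.999", "PPAPI": "21.0.0.999"},
}

if __name__ == "__main__":
    for host, stale in fleet_gaps(FLEET).items():
        print(f"{host}: still vulnerable via {', '.join(stale)} "
              f"(browsers: {', '.join(exposed_browsers(FLEET[host]))})")
```

A host that passes the Microsoft bulletin check (ws-01) can still be exposed through Firefox, which is exactly why a single "Flash installed version" field in an inventory tool is not enough to close out the advisory.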

Oracle is releasing their quarterly CPU next week on April 19th. Java will have an update and it will be critical, so be prepared for that. The January CPU included fixes for eight CVEs, seven of which were remotely exploitable without credentials and three of which had CVSS scores of 10.0. Although it may sound like a lot, this was actually a smaller update compared to the four CPUs of 2015. Last year, April 2015 was the smallest release with only 14 CVEs addressed, all of which were remotely exploitable without credentials and three of which were CVSS 10.0.

Mozilla released Firefox 45.0.2 today, but reported no security fixes. This is great news and means we get a free pass on this one today! In case you’re counting, the last Firefox security update was Firefox 45, released on March 8, 2016.

I am going to end my Patch Tuesday blog post with my new favorite quote from the closing statements of the Verizon 2015 Data Breach Investigations Report, specifically the section on Vulnerabilities: “The lesson here isn’t ‘Which of these should I patch?’ Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest.”
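The Verizon framing above, and the indicators called out in the Oracle CPU round-up (exploit code in Metasploit, public disclosure, a CVSSv2 10.0 score fitting the exploited-within-a-month profile), reduce to a simple triage rule: is this fix pushed ahead of the normal cycle or with it? As an added example, not code from the post, here is that rule in Python, sorting findings into "immediate", "expedite" and "normal cycle" tiers. The CVE identifiers, products and scores in the sample are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float                       # CVSSv2 base score
    exploited_in_wild: bool = False   # vendor reports active exploitation (a "Zero Day")
    public_disclosure: bool = False   # details were public before the fix shipped
    metasploit_module: bool = False   # working exploit code is available to anyone


IMMEDIATE, EXPEDITE, NORMAL = 0, 1, 2
TIER_NAMES = {IMMEDIATE: "immediate", EXPEDITE: "expedite", NORMAL: "normal cycle"}


def triage(v: Vuln) -> Tuple[int, str]:
    """Decide the deployment tier for one finding and say why.

    Order matters: active exploitation beats everything, then public exploit
    code or disclosure, then the CVSSv2 10.0 profile. Anything else rides the
    regular cycle, which still means it gets patched."""
    if v.exploited_in_wild:
        return IMMEDIATE, "exploited in the wild"
    if v.metasploit_module:
        return EXPEDITE, "exploit code public (Metasploit module)"
    if v.public_disclosure:
        return EXPEDITE, "publicly disclosed before the fix"
    if v.cvss >= 10.0:
        return EXPEDITE, "CVSSv2 10.0: fits the exploited-within-a-month profile"
    return NORMAL, "no exploitation indicators; ship with the regular cycle"


def schedule(vulns: List[Vuln]) -> Dict[str, List[str]]:
    """Group CVEs by tier, highest CVSS first inside each tier."""
    buckets: Dict[str, List[Tuple[float, str]]] = {name: [] for name in TIER_NAMES.values()}
    for v in vulns:
        tier, _ = triage(v)
        buckets[TIER_NAMES[tier]].append((-v.cvss, v.cve))  # negative score sorts descending
    return {name: [cve for _, cve in sorted(items)] for name, items in buckets.items()}


# Constructed sample findings (placeholder identifiers and scores).
SAMPLE = [
    Vuln("CVE-0000-0001", "graphics component", 9.3, exploited_in_wild=True),
    Vuln("CVE-0000-0002", "browser", 9.3, public_disclosure=True),
    Vuln("CVE-0000-0003", "application framework", 6.9, public_disclosure=True),
    Vuln("CVE-0000-0004", "Java SE", 10.0),
    Vuln("CVE-0000-0005", "database", 4.3, metasploit_module=True),
    Vuln("CVE-0000-0006", "middleware", 7.5),
]

if __name__ == "__main__":
    for tier, cves in schedule(SAMPLE).items():
        print(f"{tier:13s}: {', '.join(cves) or '-'}")
    for v in SAMPLE:
        tier, reason = triage(v)
        print(f"{v.cve} ({v.product}) -> {TIER_NAMES[tier]}: {reason}")
```

Note that a low-scoring bug with a Metasploit module (CVE-0000-0005 in the sample) lands in the expedite tier ahead of a 7.5 with no indicators, which is the whole point of the Verizon observation: severity alone is a poor predictor of what gets exploited first.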

Join us tomorrow for the April Patch Tuesday webinar where we will discuss the bulletins in more detail.

March Patch Tuesday Round-Up

Things were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here, and with it Microsoft has released MS16-036, the security bulletin for the Flash Player plug-in. Also, expect ANOTHER Google Chrome update to support the latest Flash plug-in version there as well.

Ok, so APSB16-018: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but let’s focus in on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next, let’s talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative, and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagement.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.