The primary bulletin administrators should patch first is MS12-004.  This security bulletin addresses two vulnerabilities with Windows Media types.  Opening a malicious media or MIDI file on an unpatched system could allow an attacker to gain full control of the system.  As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible.  It is important to note that …]]> Microsoft is starting off the new year with seven new security bulletins released for the January 2012 Patch Tuesday.  These seven new security bulletins address eight vulnerabilities.

The primary bulletin administrators should patch first is MS12-004.  This security bulletin addresses two vulnerabilities with Windows Media types.  Opening a malicious media or MIDI file on an unpatched system could allow an attacker to gain full control of the system.  As media files are extremely popular for viewing and sharing, administrators should patch this bulletin on their workstation machines as soon as possible.  It is important to note that newer operating systems (Windows 7, Windows 2008 R2) are not affected by one of the vulnerabilities.  These machines will only show one patch missing whereas older Microsoft operating systems (Windows XP, Vista, 2003, 2008) will require two patches to fully fix the vulnerabilities in this security bulletin.

Administrators were given a last minute 2011 holiday surprise with an out-of-band security bulletin release from Microsoft.  On December 29th, Microsoft released MS11-100 to address a critical zero-day vulnerability with the Microsoft .NET program.  This vulnerability had the exploit code published and the bulletin could not wait until the regularly scheduled Patch Tuesday for release.  The vulnerability had a particularly nasty affect on web servers running ASP.NET web pages.  If successfully exploited, an attacker could create a denial of service attack on any web site running the vulnerable code.  Most administrators patched their web servers immediately with this security bulletin but chose to wait to patch all desktops and non-public facing web servers until the next scheduled Patch Tuesday.

On the non-Microsoft front, Adobe is planning to release their quarterly security bulletin update today with security bulletin APSB12-01.  This security update will apply to Adobe Acrobat/Reader versions 9 and 10.  The update for Adobe Reader/Acrobat 10 will contain the fixes for a previously released security bulletin for Adobe Acrobat/Reader 9.

On December 16, 2011, Adobe released a security bulletin (APSB11-30) that patched a critical security vulnerability in the Adobe Acrobat/Reader version 9 program.  This vulnerability was a zero-day vulnerability that Adobe had received reported active attacks against the vulnerability.  Adobe has waited until today to patch version 10 of their products as this version contains a Protected Mode that will prevent the vulnerability from being exploited.

- Jason Miller

Security Bulletin Breakdown:

Affected Products:

This Tuesday will also be a good chance to install the out-of-band security update (MS11-100) on …]]> Microsoft is kicking off the 2012 year with seven new Microsoft Security Bulletins.  Just announced in their advanced notification for the January 2012 Patch Tuesday, these seven security bulletins will address eight vulnerabilities.

Security Bulletin Breakdown:

• 1 bulletin is rated as Critical
• 6 bulletins are rated as Important
• 3 vulnerabilities could lead to Remote Code Execution
• 1 vulnerability could lead to Security Feature Bypass
• 2 vulnerabilities could lead to Information Disclosure
• 1 vulnerability could lead to Elevation of Privilege

Affected Products:

• All supported Microsoft Operating Systems
• Microsoft Developer Tools and Software

This Tuesday will also be a good chance to install the out-of-band security update (MS11-100) on your desktop systems.  This out-of-band security update was released last Thursday (12/29/11) and should already be applied to your public facing web servers.

This January Patch Tuesday will also mark the Adobe Quarterly Security update release.  Adobe has already stated they will be releasing security udpates for their Adobe Reader and Acrobat 10 product lines.  We will have to wait to see what other security patches Adobe may be releasing on Patch Tuesday.

As this marks a light Patch Tuesday, you can see that a lot of work will be greeting administrators from their holiday vacation season.

- Jason Miller

On the Microsoft side, there …]]> Tis the season of good friends, good food, good conversation and of course patching your network.  Today marks the final Patch Tuesday of 2011, and it’s a big one. Microsoft is giving the gift of 13 security bulletins addressing 19 vulnerabilities to add to the stress of this holiday season.  Not to be outdone by Microsoft, other software vendors such as Google and Adobe are also joining in on the season of giving by releasing updates of their own.  This combination of Microsoft and non-Microsoft patch releases will definitely keep us busy this season.

On the Microsoft side, there are two bulletins administrators should look to patch immediately.  MS11-087 fixes a zero-day vulnerability in the Windows Kernel-Mode Drivers.  Microsoft released Security Advisory 2639658 on November 3, 2011 for this vulnerability.  This Security Advisory was released just before the November 2011 Patch Tuesday.  There was speculation at the time that Microsoft would patch this vulnerability in the November 2011 Patch Tuesday release.  Exploit code for this vulnerability was published and Microsoft received reports of limited attacks against this vulnerability.  But, Microsoft did not see wide spread attacks against the zero-day vulnerability and this patch did not make it into the November release cycle.  This allowed Microsoft to release the corresponding Security Bulletin during today’s Patch Tuesday.  As with any zero-day vulnerability, it is critical to patch your systems as soon as possible.  To date the vulnerability has  been exploited a limited numbers times, but the possibility of a wide spread attack is always greater with zero-day vulnerabilities.

With MS11-087, administrators may have applied a workaround as stated in the Security Advisory released last month.  This workaround denied all access to a specific vulnerable DLL on the system.  You do not need to unapply the workaround to apply the patch.  But, it is advised that you unapply the workaround after applying the patch to restore functionality to the system.  If the workaround is left in place, users may not be able to see all fonts on a system, and this could lead to an uptick in support calls.

The next bulletin administrators should look at patching as soon as possible is the bi-monthly cumulative update for Internet Explorer.  MS11-099 fixes multiple vulnerabilities in the browser.  Although none of the vulnerabilities are publicly known or actively being attacked, any browser is a prime target for attackers.

There is an important note regarding Security Bulletin MS11-088 that administrators should be aware of.  This bulletin is only available on the Microsoft Download Center.  This means administrators must manually find the affected product on their network and manually apply the patch.  This bulletin affects IME for Chinese Office installations.  The Office installation must be Chinese.  Any other installation of Office in a language other than Chinese is not affected unless they have been installed with the Chinese Pinyin IME component.

As a final holiday gift from Microsoft, their Advanced Notification for this Patch Tuesday stated there would be 14 bulletins released this month, but they have only released 13 bulletins.  Obviously one of the bulletins needed to be pulled from release due to quality issues.  We will continue to monitor Microsoft to see why one bulletin is missing from today’s release.

On the non-Microsoft side, Google has released a new version of their Chrome browser.  This security update addresses 15 vulnerabilities as well as new features.

Adobe is releasing multiple bulletins for their products.  Adobe security bulletin APSB11-29 addresses two vulnerabilities in their ColdFusion product.  In addition, Adobe is patching their Adobe Reader/Acrobat version 9 products today.  Adobe announced last week they would be addressing a zero-day vulnerability in Reader and Acrobat today in version 9 only.  Adobe Acrobat and Reader version 10 also contain the software vulnerability.  But due to a protected mode in Acrobat and Reader version 10, an attacker cannot exploit the vulnerability.  Adobe will patch this version of Reader and Acrobat during their regularly scheduled quarterly update during the January 2012 Patch Tuesday.

Apple has released a new version of their iTunes product with iTunes 10.5.2.  This update is a non-security update.

VMware is also releasing a new version of their MozyPro backup software.  MozyPro 2.10.7.96 is a non-security update.

And Oracle has joined the list of other software vendors providing updates today by releasing a new version of their Java product.  Java 6 update 30 is a non-security update.  This update is currently only available for JDK download.  We will have to see if Oracle makes this version available to the public on the java.com webpage later today.

I will be reviewing the November 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.

- Jason Miller

Security Bulletin Breakdown:

Affected Products:

On the non-Microsoft front, Adobe released a security advisory (APSA11-04) for a zero-day vulnerability affecting Adobe Acrobat/Reader 9/10 on December 6th.  …]]> Microsoft has released their advanced notification for the December 2011 edition of Patch Tuesday.  Microsoft is giving the gift of 14 security bulletins addressing 20 vulnerabilities this holiday season.

Security Bulletin Breakdown:

• 3 bulletins rated as Critical
• 11 bulletins rated as Important
• 10 vulnerabilities could lead to Remote Code Execution
• 1 vulnerability could lead to Information Disclosure
• 3 vulnerabilities could lead to Elevation of Privilege

Affected Products:

• All supported Microsoft Operating systems
• Publisher 2003, 2007
• Excel 2003
• PowerPoint 2007, 2010
• Office 2007, 2010
• PowerPoint Viewer 2007
• Office Compatibility Pack 2007

On the non-Microsoft front, Adobe released a security advisory (APSA11-04) for a zero-day vulnerability affecting Adobe Acrobat/Reader 9/10 on December 6th.  Adobe is planning to release a patch for Adobe Acrobat and Reader version 9 during the week of December 12, 2011.  In other words, Adobe will be joining Microsoft’s Patch Tuesday this month.  Adobe Acrobat and Reader 10 are also affected by this vulnerability, but Adobe’s Protected View prevents the exploitation of the vulnerability.  For Adobe Acrobat and Reader 10, Adobe will release a patch during the January 2012 Patch Tuesday.

With administrators commonly taking vacations this time of year, the large number of security bulletins Microsoft is planning to release may seem a bit unfair.  However, this is in line with past typical Microsoft December Patch Tuesdays.

Last year, Microsoft released 17 security bulletins during the December 2010 Patch Tuesday.  This brought the total number of security bulletins released by Microsoft in 2010 to 106.  With the December 2011 Patch Tuesday security bulletins, the grand total for released security bulletins for 2011 will bring us to 100.

Stay tuned for more 2011 year in review information.  Later this month I will be releasing “Patching Year in Review” information.

I will be talking about December’s Patch Tuesday next Wednesday, December 14th at 11:00am CST in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

- Jason Miller

The first bulletin administrators should address is MS11-083.  This bulletin addresses one vulnerability in Windows TCP/IP.  If an attacker sends a stream of malicious User Datagram Protocol (UDP) network packets to an unpatched machine, the attacker could gain control over the affected system.  With this type of an attack scenario, alarms could be raised about the potential of a vulnerability that is used in a worm.  However, there are a few items that will make it difficult …]]> Microsoft has released four new security bulletins for this edition of Patch Tuesday.  These four security bulletins address four vulnerabilities.

The first bulletin administrators should address is MS11-083.  This bulletin addresses one vulnerability in Windows TCP/IP.  If an attacker sends a stream of malicious User Datagram Protocol (UDP) network packets to an unpatched machine, the attacker could gain control over the affected system.  With this type of an attack scenario, alarms could be raised about the potential of a vulnerability that is used in a worm.  However, there are a few items that will make it difficult for an attacker to use this exploit in a worm.  First, the network port attacked on the target machine must be closed.  Second, a normal UDP packet streamed to a vulnerable machine will not allow the attacker to gain access to the system.  The UDP packet must be “specially” crafted.  An attacker will need to figure out the type of packet to send to a vulnerable machine.  Finally, this vulnerability was privately disclosed to Microsoft so there is no known code out in the wild at this time and Microsoft has not received any reports of attacks against this vulnerability.

On the non-Microsoft front, a couple of vendors will be a part of this Patch Tuesday.  Adobe released a new security bulletin for their Shockwave player today.  This security bulletin addresses four vulnerabilities and is rated as Critical.  Mozilla is planning to release new versions to the Firefox, Thunderbird and SeaMonkey product families.

Patch Tuesday is no longer just about Microsoft releasing new security bulletins.  Many other vendors can sneak in with their own security releases that can be just as or more important than Microsoft releases.  Given the history of non-Microsoft vendors releasing on Patch Tuesday, administrators should plan for the unexpected during the monthly patch maintenance window.

I will be reviewing the November 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.

- Jason Miller

Check out the ITScripts feature and integration with RDP which provide some handy and quick solutions for any …]]> It is patch week once again, but before the patch announcements and Patch Tuesday webinar start to fill your week I wanted to let you know what a couple hundred of our customers have already found out.  VMware vCenter Protect Essentials Plus 8.0 (formerly Shavlik NetChk Protect) is now available.  For those of you who have not seen the new features of the latest release they are focused on making day to day IT Management easier.

Check out the ITScripts feature and integration with RDP which provide some handy and quick solutions for any IT Administrator. From the machine view or scan view you could make a selection of machines and check the last boot time of machines to see if they have rebooted after patch deployment. Also right click and RDP into machines and have vCenter Protect Essentials Plus provide the credential for you. Those and many more handy scripts are available with a few clicks.

Next, the credentials management enhancements make updating passwords and setting credentials a breeze.

Also, for those of you who share a console between multiple admins, this release also supports multiple admin access on the same console.   So by upgrading to vCenter Protect Essentials Plus, as you prep for Patch Tuesday you will no longer have to coordinate time on the console to setup or modify machine groups, update patch groups, or schedule operations.

If you are a current customer and are interested in upgrading to vCenter Protect Essentials Plus, register here to attend this live webinar on November 15th at 10am CST in which I will walk you through the new features and the product upgrade path.

Download is available here.

Happy Patching!

Chris Goettl
Customer-Product Owner
SMB Management Solutions
VMware

Security Bulletin Breakdown:

 Affected Products:

On the non-Microsoft front, be prepared for new versions of products in the Mozilla family.  New versions of Firefox, Thunderbird and SeaMonkey should be available on Patch Tuesday.

I will be …]]> Microsoft has released their advanced notification for the upcoming November edition of Patch Tuesday.  Microsoft is planning to release four new security bulletins addressing four  vulnerabilities.

Security Bulletin Breakdown:

• 1 bulletin rated as Critical
• 2 bulletins rated as Important
• 1 bulletin rated as Moderate
• 2 vulnerabilities fixed could lead to Remote Code Execution
• 1 vulnerability fixed could lead to Elevation of Privilege
• 1 vulnerability fixed could lead to Denial of Service

 Affected Products:

• All supported Microsoft Operating Systems

On the non-Microsoft front, be prepared for new versions of products in the Mozilla family.  New versions of Firefox, Thunderbird and SeaMonkey should be available on Patch Tuesday.

I will be talking about November’s Patch Tuesday next Wednesday, November 8th at 11:00am CST in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

- Jason Miller

The bulletin administrators should look at patching first is the bi-monthly cumulative update for Microsoft Internet Explorer.  Security bulletin MS11-081 addresses eight individual vulnerabilities in Internet Explorer.  A user visiting a malicious web page with an unpatched Internet Explorer browser could lead to remote code execution.  As with every security update for Internet browsers (Microsoft or other browser vendors), patching browsers will be top priority because the vulnerabilities fixed with each security bulletin release …]]> Microsoft has released eight new security bulletins in their October 2011 version of Patch Tuesday.  These eight new security bulletins address 23 vulnerabilities.

The bulletin administrators should look at patching first is the bi-monthly cumulative update for Microsoft Internet Explorer.  Security bulletin MS11-081 addresses eight individual vulnerabilities in Internet Explorer.  A user visiting a malicious web page with an unpatched Internet Explorer browser could lead to remote code execution.  As with every security update for Internet browsers (Microsoft or other browser vendors), patching browsers will be top priority because the vulnerabilities fixed with each security bulletin release in browsers are top exploit targets for attackers.

The next bulletin administrators should look at patching as soon as possible is the security bulletin affecting the Microsoft .NET Framework and Microsoft Silverlight programs.  MS11-078 addresses one vulnerability in both programs.  If an attacker can entice a user to visit a malicious site, a vulnerability could then be exploited that results in remote code execution.  With most browse then attack scenarios, the vulnerability is attacked through the browser.  This month, administrators will need to patch both Internet Explorer and .NET/Silverlight to prevent malicious website vector attacks.  It is important to note that Microsoft .NET Framework patches from Microsoft typically take quite a while to run through the patching process.  The patches can also be quite large for each version of the program (example:  the .NET 4.0 update ranges from 10 MB to 22MB in size).

Microsoft is also revisiting a security advisory that was issued more than one year ago.  MS11-075 and MS11-076 fix two more programs that have been identified as having the DLL preload vulnerability.  Since the security advisory (2269637) was released last August 23, 2010, Microsoft has released a security bulletin 17 times to address the issue in various programs.

MS11-079 also has an interesting scenario that may affect administrators this month.  This security bulletin addresses vulnerabilties in the Microsoft Unified Access Gateway (UAG) program.  The patches for this security bulletin are only available on the Microsoft download center.  Thus, administrators are relying solely on their WSUS and Windows Update reports for patching, this bulletin will not show as missing.  Administrators will need to identify any machines on their network that have the affected program installed and manually deploy the patch to those systems.  In addition, there are manual actions to fully protect the systems after patching.  Administrators will need to perform manual actions on their UAG consoles to configure the program to fully be protected against attacks.

This is not the first time we have seen a patch for UAG not available through WSUS and Windows Update.  The last security bulletin released for this program was released in November 2010.  This security bulletin was also only available on the Microsoft Download Center.  Both of these security bulletin releases are prime examples of why administrators should spend time each month reviewing the security bulletin documentation.  This information may be in the fine print of the lengthy security bulletin web pages, but the extra time spent researching just may prevent an attack against systems.

I will be reviewing the October 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.

- Jason Miller

Security Bulletin Breakdown:

Affected Products:

I will be going through each bulletin thoroughly next Wednesday, October 12th at 11:00am CDT in part of …]]> Microsoft has released their October 2011 Patch Tuesday Advanced notification.  Microsoft is planning to release 8 new security bulletins addressing 23 vulnerabilities.

Security Bulletin Breakdown:

• 2 bulletins are rated as Critical
• 6 bulletins are rated as Important
• 6 vulnerabilities fixed could lead to Remote Code Execution
• 1 vulnerability fixed could lead to Elevation of Privilege
• 1 vulnerability fixed could lead to Denial of Service

Affected Products:

• All supported Microsoft operating systems
• Microsoft Internet Explorer
• Microsoft .NET Framework
• Microsoft Host Integration Server 2004, 2006, 2009, 2010
• Microsoft Silverlight 4
• Microsoft Forefront Unified Access Gateway 2010

I will be going through each bulletin thoroughly next Wednesday, October 12th at 11:00am CDT in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

- Jason Miller

MS11-070 addresses 1 vulnerability in the WINS service.  Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2).  In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine.  Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine.  This could result in elevation of privilege.

MS11-071 brings back the DLL preloading issue …]]> Microsoft has released their scheduled monthly Security Bulletin release with 5 bulletins addressing 15 vulnerabilities.

MS11-070 addresses 1 vulnerability in the WINS service.  Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2).  In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine.  Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine.  This could result in elevation of privilege.

MS11-071 brings back the DLL preloading issue once again this month.  On August 23, 2010 Microsoft released a Security Advisory (2269637) regarding an issue with Microsoft products that could be attacked via binary planting.  Microsoft has been identifying and patching affected products through the last 13 months.  MS11-071 marks the 16th time that Microsoft has issued a Security Bulletin for the DLL preloading issue.  Opening a genuine text file (.rtf or .txt) file in a directory that contains a malicious DLL can result in Remote Code Execution.

MS11-072 addresses five vulnerabilities in the Microsoft Office Excel program.  Opening a malcious Microsoft Excel file could result in remote code execution on an affected machine.  This bulletin is not rated as critical due to the defense in depth mechanism in the Microsoft Office program.  The program will prompt users whether or not to open an excel file.  To exploit this vulnerability, an attack requires user interaction.

MS11-073 addresses an issue with Microsoft Office.  This vulnerability will be quite difficult for an attacker to exploit due to the user interaction required.  Scenario 1:  An attacker entices a user to open an office file located in a directory with a malicious DLL.  This scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL.  Scenario 2:  An attacker sends a malicious Microsoft Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL.  Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed on your machines.  This feature was originally introduced by Microsoft in Microsoft Office 2010.  Microsoft has since provided this defense-in-depth measure through an update to their customers.

MS11-074 is the largest Security Bulletin released this month.  This Security Bulletin affects 12 different Microsoft product lines.  One of the five vulnerabilities fixed in this Security Bulletin have been publicly released.  However, Microsoft has not received any reports of attacks against the vulnerability.  This Security Bulletin is related to MS11-050 (Cumulative Update for Internet Explorer released on June 14, 2011).  MS11-050 fixed the vulnerability in Internet Explorer, and MS11-074 will fix the issue in the “Microsoft productivity” products.  Both patches will need to be installed to fix the vulnerability in all Microsoft products.

Last week, Microsoft released a Security Advisory and subsequent patch adding the DigiNotar certficates to the untrusted certificate store.  Today, Microsoft released an update adding additional certificates to the untrusted certificate store.  This update superscedes the previous update, so you will only need to apply the latest patch if you did not apply the previous patch.

Adobe has also released a new Security Bulletin for Adobe Acrobat and Reader with APSB11-24.  This update addresses 13 vulnerabilities.  In addition, Adobe joins other vendors (Microsoft, Apple, Mozilla, etc) in blacklisting DigiNotar certificates.  Adobe is not currently aware of any attacks with digitally signed Adobe documents with rogue DigiNotar certificates.  More information on Adobe’s stance with Adobe’s Approved Trust List and subsequent blacklisting of DigiNotar certificates can be found on the Adobe Security Matters blog.

Skype has released a non-security update for their software.  This release adds support for Windows 8.  Yes, you read that correctly, Windows 8.  Microsoft held a demonstration for journalists and analysts on Monday, September 12, 2011 showing off Windows 8.  I expect a beta will soon be in the works for Windows 8 where you can install and use Skype.  Or maybe, just maybe, Microsoft will bundle Skype with their latest operating system (Microsoft bought Skype last May).

I will be reviewing the September 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT.  You can register to attend the live webinar here.

- Jason Miller