Server 2003 end of life July 14, 2015. What’s your plan?


Are you prepared for the impending Windows Server 2003 end of life? Support is ending on July 14, 2015, which just so happens to be Patch Tuesday. You get one last round of security updates before support ends. So what are your options? I have had a number of companies approach us about what their options are, so I thought I would share some of those thoughts here.

Option 1: Migrate off of 2003. By the fact that you are here reading this, we can assume that Option 1 is delayed for some time.

Federal agencies, cybersecurity, and an order from the White House to step up their game


Dateline 2015:

Scary stuff, right? Unfortunately, this should all sound very familiar as there has been a steady stream of headlines around the rising concerns of securing U.S. federal agencies from cyber attack.

I recently had a conversation with Ben Tacheny, the U.S. Federal Territory Sales Representative here at Shavlik. Needless to say, Ben has been very busy as of late. He had a lot of really good insights and guidance that I wanted to share.

Q: Ben, what kinds of security problems are federal government agencies facing today?

Protect 9.2 Sneak Peek: Patch Tuesday + X

Every month, you start your maintenance, not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month with all of the subsequent execution happening with that as the anchor: +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, +11 days Prod 1, etc. The problem with this is in the Outlook-style scheduling.
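An added example (not from the original post and not Shavlik Protect's own logic) that computes the Patch Tuesday + X dates from the offsets above and measures how far a fixed "n-th weekday" calendar recurrence lands from them. The function names and the assumed calendar rule are illustrative.

```python
import calendar
from datetime import date, timedelta

# Offsets in days after Patch Tuesday, taken from the schedule in the post.
OFFSETS = {
    "test group 1": 1,
    "test group 2": 3,
    "dev group 1": 5,
    "dev group 2": 9,
    "prod 1": 11,
}

def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (Mon=0 .. Sun=6) in a month."""
    first = date(year, month, 1)
    shift = (weekday - first.weekday()) % 7
    return first + timedelta(days=shift + 7 * (n - 1))

def patch_tuesday(year, month):
    """Second Tuesday of the month; it can fall anywhere from the 8th to the 14th."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)

def rollout(year, month, offsets=OFFSETS):
    """Map each group to Patch Tuesday + its offset."""
    anchor = patch_tuesday(year, month)
    return {group: anchor + timedelta(days=d) for group, d in offsets.items()}

def recurrence_drift(year, month, offset_days):
    """Days between 'Patch Tuesday + offset' and a fixed 'n-th weekday' rule.

    Assumed calendar rule: the ordinal is chosen from a month whose Patch
    Tuesday is the 8th (for +1 day that gives 'second Wednesday').
    0 means the rule agrees; non-zero means it fires that many days early.
    """
    target = patch_tuesday(year, month) + timedelta(days=offset_days)
    ordinal = (8 + offset_days - 1) // 7 + 1
    rule = nth_weekday(year, month, target.weekday(), ordinal)
    return (target - rule).days

if __name__ == "__main__":
    for month in (5, 6, 7):
        print(patch_tuesday(2015, month), rollout(2015, month))
        for group, days in OFFSETS.items():
            print(f"  {group}: calendar rule off by {recurrence_drift(2015, month, days)} days")
```

A non-zero drift means the recurring calendar entry fires a week before the group's real slot, and for the +1 day group in July 2015 that is before the patches have even been released.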

June Patch Tuesday Round-Up

We are at Patch Tuesday + 8 days and many of you are probably well into your third round of patching machines or farther along. Here is a recap of Patch Tuesday highlights and some things to watch out for:

  • Two Critical updates – MS15-056 and MS15-057
  • Two public disclosures – MS15-056 (CVE-2015-1765) and MS15-060 (CVE-2015-1756). Public disclosure increases the risk of exploit significantly, so MS15-060 should be a higher priority along with the two critical updates from this month.
  • Exploit detected – MS15-061 has been seen used in a targeted attack. Even though this is rated as Important, it should be a higher priority to roll out. This update plugs a vulnerability used by Duqu 2.0, as discussed by Kaspersky.
  • MS15-061 in combination with certain software can cause Copy/Paste to stop working – According to reports on Reddit, this can occur on systems where Spector 360 is installed. Still recommended to roll out as a priority.
  • Adobe Flash update resolves 13 vulnerabilities – Priority 1 update, should be pushed ASAP along with Chrome release.
  • Google Chrome – Released update with support for Adobe Flash update.  This update inherits the Priority 1 from Adobe Flash and should also be pushed ASAP.

WUB WUB WUB and Windows 10


Did you know that WUB is the new UNTS in Electronica Dubstep?  I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB.  Windows Update for Business.

There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.

May Patch Tuesday Round-Up


There were a lot of updates released this month.  A lot of the updates from Microsoft overlap each other.  There is even a case of one patch replacing another within the 13 patches released this month.  Here are some things to know as you continue through your patch process:

Several patches may apply multiple times to the same system. MS15-044 applies to multiple products including the OS, .Net, Office, Lync, and Silverlight. MS15-047 for Microsoft Silverlight is another update that overlaps in the files being updated. MS15-048 for .Net also overlaps many of the other updates and could show as missing multiple times on the same system.

MS15-052 is replaced by MS15-055.  On Windows 8 and Server 2012 you need to install 052 before 055.  With Shavlik Protect you would just see MS15-055 in this case as it replaces MS15-052.

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which significantly increases the risk that they will be exploited.

Windows 2003 is vulnerable to the issue resolved by MS15-050, but no update is offered for this OS, as the changes required would involve significant re-architecture. As 2003 reaches its End-of-Life, the number of unpatched vulnerabilities will increase.

MS15-055 resolves vulnerabilities in Schannel, but also includes additional security-related changes to TLS including increasing the minimum allowable DHE key length to 1024 bits.


May Patch Tuesday 2015


Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and affect the following Microsoft products: Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereference, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on Javascript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. Also resolved are an out-of-bounds read/write during JS validation, which could allow information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolved, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday. Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this month’s Patch Tuesday lineup.

Critical Update for Shavlik Patch for Microsoft System Center

You’ve probably heard by now that Shavlik is requiring all customers to install Update 1 for Shavlik Patch for Microsoft System Center 2.0 and 2.1, but did you know that the whole process takes less than two minutes? That’s right – less than two minutes.

Check out this video from John Rush where he demonstrates the process for applying Update 1 to Shavlik Patch. Did we mention it only takes two minutes?

Now, it’s your turn. Please install Update 1 today so you will not experience an interruption in receiving third-party patch data.

If you are a Shavlik Patch 2.1 user, complete the following actions:

  1. Download the updated version from, and copy the executable file to your Configuration Manager console machine.
  2. Close System Center Configuration Manager.
  3. Run the Shavlik Patch executable (sccmpatchsetup_2_1_810.exe) and follow the on-screen instructions. For further details about this step, see the Shavlik Patch User’s Guide.
  4. Open System Center Configuration Manager and commence business as usual.

If you are running Shavlik 2.0, we encourage you to upgrade to 2.1 (see instructions above). In the same amount of time it takes to apply the patch to Version 2.0, you can complete your upgrade to Version 2.1 and enjoy all of the latest features in Shavlik Patch. If you are unable to update from 2.0 to 2.1 at this time, please contact Shavlik Support to obtain the 2.0 update.

This update does not affect customers using the catalog file version (1.0) of Shavlik Patch or Shavlik Protect.

If you have any questions or concerns about applying this patch, please contact Shavlik Support.


February Patch Day Round-Up


February did not have a lot of issues from patches released on Patch Tuesday, but there are a couple of things that occurred that you may want to know about.

First is the update that was pulled from circulation after reports of systems hanging. An update for Visual Studio 2010 Tools for Office Runtime (KB3001652) reportedly started causing issues on Patch Tuesday. It was pulled later the same day.

Second, and probably the wider-impacting issue this month, was update MS15-009 breaking Cisco AnyConnect VPN clients. Microsoft has stated they will release a fix in March that should resolve the issue, but until then you have three workaround options:

1. Windows 8 compatibility mode for the app

2. Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:

Control Panel / Programs / Programs and Features, click “View installed updates” on the left and locate and uninstall the update labeled with KB3023607.  This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.

3. Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

You can view the On Demand February Patch Tuesday webinar or download the presentation for last month’s Patch Tuesday release. Also, sign up for the March Patch Tuesday webinar to discuss the updates released on Patch Tuesday, recommendations, and things to watch out for.

The Communicator’s Corner: Secret Agent, Man

(Title inspired by a favorite song by Johnny Rivers that was a hit just a few years ago.)

In my last few blog posts, I have talked about three prominent features in Shavlik Protect that go beyond the core patch management capabilities. The threat management, power management, and ITScripts features in Shavlik Protect make it much more than a utility used once a month at patch time. Rather, it is a multi-use, unified IT management platform that provides incredible value to your organization every single day.

Now that that secret is out of the bag, I thought I’d let you in on another. Did you know that Shavlik Protect provides all of this functionality using both agentless and agent-based technologies? It’s true! Most everyone is familiar with Shavlik Protect’s agentless capabilities – it is, after all, part of what helps you get up and running with the product in 30 minutes or less. But agents? That seems to be an untold story.

Here’s the scoop: Although performing actions on your target machines from a central console has many advantages, certain types of users or systems can pose problems for agentless solutions. For example, machines that must reside in a de-militarized zone (DMZ), roaming users, and disconnected or inactive machines can all prove problematic. In these cases an agent-based solution is often the best answer.

Implementing agents in Shavlik Protect is a relatively easy, two-step process. You first configure one or more agent policies on the console. Then, you install the agents on your target machines either by pushing them from the Shavlik Protect console or by manually installing them on individual machines. Once they are up and running, the agents will report all activity to the console so you can track their actions.

Depending on how it is configured when installed on a machine, an agent can:

  • Scan for and deploy missing patches
  • Scan for asset information
  • Provide real-time monitoring and protection against known and unknown threats
  • Scan for and remediate existing threats such as spyware, viruses, Trojans, and rootkits
  • Shut down or restart the agent machine on specific days and times
  • Listen to the console or the cloud for policy updates
  • Report the results to the local console

Not bad, huh? Here are a few options if you are interested in learning more.