Do you know your Patch Management Posture?

How well do you know the security posture of your environment? Do you know how effective your Patch Management process is? Can you provide stakeholders with a quick look at the state of your network and show how protected you are in real time?

In today’s world with so many devices connected to a network and with the BYOD option becoming more and more of a norm, it is now more important than ever to have visibility into security risks for an organization.

Visibility into your security posture is the key to providing the knowledge necessary to take action on security measures that you can control. So how do you get visibility into your current security posture and what are valuable insights?

What are valuable insights?

  • When were devices last patched?
  • What are the outstanding patches missing from a device?
  • How many and what are the severity levels of the patches needed?
  • What devices are non-compliant and, of those, which ones pose the greatest security risk to the organization?
  • How quickly are patches deployed to devices after each patch is released?

How do you get the visibility into your security posture that is meaningful to you? Xtraction

Xtraction allows an organization:

  • To decide what is meaningful information
  • To provide access to that information from a browser, anywhere and at any time
  • To report real-time results based on the current state of the production database

Xtraction for Shavlik Protect provides a number of default dashboards as part of the Report Bundle offering.

These dashboards have been designed to give visibility into the security posture of an organization and to provide the insight needed to aid in prioritizing meaningful action.

Since the release of Xtraction for Shavlik Protect Reporting Bundle, 2 additional dashboards have been created and are available on the Xtraction for Shavlik Protect landing page of the community website.

Visibility into Security Posture

Windows Convenience Update causing inconvenience for VMware and Microsoft App-V users!

A quick heads up. The Convenience Update for Windows 7 SP1 and Server 2008 R2 SP1 is causing issues with VMs running the VMware VMXNet3 virtual network adapter type.

According to a blog post by VMware and a post by Microsoft, uninstalling the update will resolve the issue. The Microsoft article goes on to describe an issue with Microsoft App-V where virtual applications may have difficulty loading.

The recommendation in both cases is to defer pushing this update until a resolution is in place.

Java Out of Band! This vulnerability fits the profile…

Oracle has announced an out-of-band Java update to resolve a publicly disclosed vulnerability that can be exploited over the network without any need for authentication. The vulnerability fits the profile of one that is more likely to be exploited in 30 days or less.

The Oracle Security Advisory for CVE-2016-0636 provides the CVSS details regarding the vulnerability. The vulnerability has a CVSS of 9.3, access vector is network, access complexity is medium and authentication is none. Confidentiality, integrity and availability are all complete. If you have taken a look at Verizon’s 2015 Data Breach Investigations Report, the pattern indicates there is high risk of this vulnerability being exploited in a short time frame.

In the report, there is a section dedicated to indicators of risk, specifically focused on how they help to profile CVEs that are more likely to be exploited quickly. A vulnerability that ends up in the Metasploit framework is the most obvious indicator, since it would easily be replicated by a Threat Actor to exploit the vulnerability. However, based on the CVE information and analysis of over 67,000 CVEs, the Verizon team was able to uncover a pattern for vulnerabilities that have been exploited, including those exploited in less than 30 days.

The majority of vulnerabilities that have been exploited have an access vector of network, authentication of none, and access complexity of medium or low. If, in addition, confidentiality, integrity and availability are all complete and the CVSS score is nine or 10, the vulnerability falls into a more critical time frame in which it is likely to be exploited very quickly. (See the image of the figure from the Verizon Breach Report.)
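As an added example (not code from the original post), the following Python turns the DBIR pattern described above into a triage check over CVSS v2 base vectors. The vector string for CVE-2016-0636 is constructed here from the metrics the post lists (network, medium, none, C/I/A complete, 9.3); the bucket names are this example's own.

```python
# Added example: classify CVSS v2 base vectors against the "exploited quickly"
# profile from the Verizon DBIR discussion (network vector, no authentication,
# medium/low complexity; CIA all complete and score >= 9 is the most urgent tier).

# CVSS v2 base metrics and the values each may take.
_VALID = {
    "AV": {"L", "A", "N"},   # access vector: local / adjacent network / network
    "AC": {"H", "M", "L"},   # access complexity: high / medium / low
    "Au": {"M", "S", "N"},   # authentication: multiple / single / none
    "C":  {"N", "P", "C"},   # confidentiality impact: none / partial / complete
    "I":  {"N", "P", "C"},   # integrity impact
    "A":  {"N", "P", "C"},   # availability impact
}


def parse_cvss2_vector(vector: str) -> dict:
    """Parse a CVSS v2 base vector such as '(AV:N/AC:M/Au:N/C:C/I:C/A:C)'."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        if name not in _VALID or value not in _VALID[name]:
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[name] = value
    missing = set(_VALID) - set(metrics)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return metrics


def exploit_window(vector: str, base_score: float) -> str:
    """Return 'critical', 'elevated' or 'standard' for the likely exploit window.

    'critical'  : fits the pattern, CIA all complete and score >= 9 (days, not weeks)
    'elevated'  : fits the network / no-auth / medium-or-low-complexity pattern
    'standard'  : outside the pattern; triage on the normal cycle
    """
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    m = parse_cvss2_vector(vector)
    fits_pattern = m["AV"] == "N" and m["Au"] == "N" and m["AC"] in ("M", "L")
    if not fits_pattern:
        return "standard"
    total_impact = all(m[k] == "C" for k in ("C", "I", "A"))
    if total_impact and base_score >= 9.0:
        return "critical"
    return "elevated"


def triage(entries):
    """Sort (cve_id, vector, score) tuples so the most urgent come first."""
    order = {"critical": 0, "elevated": 1, "standard": 2}
    scored = [(cve, exploit_window(vec, score)) for cve, vec, score in entries]
    return sorted(scored, key=lambda item: (order[item[1]], item[0]))


# Constructed sample input: the Java CVE from this post plus two hypothetical entries.
SAMPLE = [
    ("CVE-2016-0636", "(AV:N/AC:M/Au:N/C:C/I:C/A:C)", 9.3),
    ("CVE-0000-0001", "(AV:L/AC:L/Au:N/C:C/I:C/A:C)", 7.2),  # local only: placeholder id
    ("CVE-0000-0002", "(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),  # placeholder id
]
```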


As a precaution, put some urgency on getting this updated as quickly as possible. Aside from meeting the pattern described above, this vulnerability has been publicly disclosed. The Shavlik Content Team is already working on releasing content for this update.

Apple Mac OS X Updates for March 2016

With Macs continuing to expand in the enterprise, and our increased focus on Mac patching, we are overdue to provide analysis on OS X updates as we do with those from Microsoft and third-party vendors on Patch Tuesday. Apple released a number of updates on March 21 that impact Mac OS X, including El Capitan 10.11.4, Security Update 2016-002 for Mavericks 10.9.5 and Yosemite 10.10.5, Safari 9.1, Xcode 7.3, and OS X Server 5.1. In total,

Before diving into the analysis, it is clear that Apple is much less transparent about its security than Microsoft and other vendors. While Apple lists the Common Vulnerabilities and Exposures (CVE) IDs for its vulnerabilities, the CVEs reveal little information about proprietary components, making it difficult to assess risk. Still, analyzing the impact descriptions for the fixes gives one a sense of the risk.

OS X 10.11.4 and Security Update 2016-002

The last OS X security update was in mid-January, and the latest brings fixes for 59 vulnerabilities. Interestingly, 36 of the vulnerabilities were fixed only in El Capitan. The fixes that apply to Mavericks and Yosemite include vulnerabilities that allow malicious PNG and XML files to run arbitrary code; such vulnerabilities are prime candidates for phishing attacks. Among the El Capitan-only fixes was one in the FontParser for a vulnerability that could allow a malicious PDF to run arbitrary code, which again is a prime candidate for phishing and other social engineering techniques. It isn't clear whether this vulnerability, and the others fixed only on El Capitan 10.11, are also present in older versions of OS X. The clear gap in fix applicability suggests that organizations should always update to the latest version of Mac OS X, and not just apply the latest security update. Many other types of vulnerabilities with lower risk exposure were fixed across numerous OS X components, but the bottom line is that one should update all Macs to close every exposure.

Safari 9.1

Safari 9.1 is available for Mavericks 10.9.5, Yosemite 10.10.5, and El Capitan 10.11 to 10.11.3 (it is included in 10.11.4). There were 12 vulnerabilities fixed, including three where arbitrary code could be executed through malicious XML or web content. These alone are a reason to upgrade. Other vulnerabilities compromise privacy, create denial of service, enable UI spoofing, or provide access to restricted ports. Safari 9.1 includes numerous new features that motivate users to update and drag the security fixes along.

Xcode 7.3

For developers, Xcode version 7.3 fixes three vulnerabilities across two components: otool and subversion. The subversion vulnerabilities are the most significant, as connecting to a malicious server could allow arbitrary code execution. There are many new features in Xcode 7.3, such as support for iOS 9.3, watchOS 2.2 and tvOS 9.2, along with other improvements. Most developers will update for those features alone. However, the security fixes should be reason enough on their own.

OS X Server 5.1

For those not familiar, OS X Server is an application that can be downloaded from the App Store (for $19.99 in the US) to enable server capabilities like website hosting, wikis, backups, file sharing, and many other features.

There were four vulnerabilities fixed in OS X Server that address RC4 exploits, access to sensitive information remotely, and storing backups on a volume without permissions enabled.


Apple is one of the best companies around at getting people to adopt new components: it drives new features, engages users, and wraps security fixes in with the release. Most Apple users have grown accustomed to updating their devices when prompted. That said, it is still important to assess compliance and update the systems in your organization to ensure there are no lingering risks.

Windows 10 Patch Management and Third-Party Application (In)Compatibility


Unlike previous releases of Windows, Windows 10 continues to evolve from month to month and update to update. With the January 2016 Patch Tuesday release, we see some very interesting challenges for customers, due to the cumulative update model and the impact on third-party applications.

Chris Goettl, senior product manager for Shavlik, and resident patch expert, noted in his January 2016 Patch Tuesday blog an impact to Citrix XenDesktop. Let’s drill into what happened and what this means for customers.

Stephen: Chris, quickly recap what happened in this month’s update and how it affected Citrix XenDesktop.

Chris: As many in IT are already aware, patches for Windows 10 are all deployed in a “Cumulative Update” model where you can’t choose which individual update to apply. You either apply them all or none of them. Microsoft’s January Windows 10 update will create issues when Citrix XenDesktop is installed.

Stephen: Wow! That's painful if you are a customer using Citrix on Windows 10. Has Microsoft responded to the issue?

Chris: Microsoft noted the following in bulletin MS16-007:

“Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.”

Stephen: Did Microsoft do anything to help prevent the incompatibility?

Chris: Microsoft’s detection logic now detects if Citrix XenDesktop is installed on an endpoint. If it is, the entire cumulative update simply will not be available for the endpoint.

Stephen: What does that mean for the rest of the cumulative update? Will part of the update apply except for the components that have conflict with Citrix?

Chris: None of the cumulative update will apply if Citrix XenDesktop is installed.

Stephen: What does this mean from a security perspective?

Chris: Customers have a difficult choice to make. They either need to uninstall Citrix XenDesktop and install the Windows 10 update or keep Citrix and be vulnerable to everything fixed in the January Update.

Stephen: How many vulnerabilities were in the January 2016 update?

Chris: 14 vulnerabilities were resolved across Windows 10, Edge, and Internet Explorer. Four of those were publicly disclosed, which puts them as significantly higher risk of exploit.

Stephen: So customers will not get Microsoft Edge and Internet Explorer updates without applying this cumulative update?

Chris: That’s correct. With Windows 10, all of those updates are bundled into the single cumulative update.

Stephen: What do you expect will happen with Citrix XenDesktop?

Chris: We can’t speak for Citrix, but I would expect that they will come out with a patch that makes XenDesktop compatible with the latest Windows 10 update. Users will then need to deploy both the Citrix update and then the Windows 10 update.

Stephen: So this reinforces the need for third-party application patching?

Chris: Absolutely. This is just one example that illustrates the need to have a comprehensive patch management solution for operating system updates and third-party applications. Going a step further, it reinforces the need to patch client systems more frequently. We don't know when the Citrix update will be available, but when it is, customers are going to want to know ASAP, so they will then be able to update Citrix and push the cumulative update for Windows 10.

Stephen: One last question. How does this illustrate the need for an enterprise patch management solution with Windows 10?

Chris: To reiterate and emphasize my earlier point, customers must decide whether to install the cumulative update or remove Citrix. Most likely, they will need to update both in the order I specified earlier. Neither Windows Update nor Windows-only patch solutions give the flexibility to address these types of scenarios.

To summarize:

  • Patch Tuesday is no longer a single event, if it ever really was. If an enterprise starts its patch process and runs Citrix XenDesktop, it won't have a choice: running the update will not apply patches, and those systems will remain exposed to known security vulnerabilities.
  • We expect Citrix will come out with a patch. Enterprises will need to be able to detect and distribute that patch to get that third-party application updated. Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) are not enough here.
  • After the enterprise patches Citrix XenDesktop, its systems will then be eligible for the cumulative update for Windows 10. It then needs to rescan those systems as soon as possible after the Citrix update to recognize that they are missing the Microsoft January 2016 Update and are eligible to apply it. It then needs to deploy and install the update.
  • Patching isn't a once-a-month event: updates are becoming more complex and sometimes out of band. This is even more the case with third-party applications, whose vendors sometimes release multiple updates in a month.
  • Windows 10 does not simplify patching for enterprises. Enterprises need solutions that handle the new complexities of the Windows 10 update model.

Bottom line, third-party patching and flexible Windows 10 patch management is a must for all enterprises.

Microsoft is finally pushing people off of old Internet Explorer versions


Microsoft warned us back in April 2014 that it would be reducing support for the Internet Explorer browser to cover only the latest version available for each operating system. Well, that date is upon us. January 12, 2016 is the official end-of-life date for any version of IE older than the latest available for the version of Windows you are running. The original life-cycle announcement lists the version that will be supported for each OS. After the January Patch Tuesday release there will be no security updates unless you are on the supported version for that OS.

On January 12, expect to see upgrade notifications on older versions of Windows, if you are running a version of the browser older than the latest. You can disable those notifications if you have a need to continue running an older version of the browser for some reason.

If you need to continue running an older version of IE for some reason, take precautions. After this last IE update, older versions will become a prime target.

  • Virtualize a system with the older version of IE, remove its access to the internet, and restrict access to it to the users who genuinely need it. Of course, this only works if the browser will be used for an application or site that is internal to your network.
  • If you need to use an older version for access to an external site, you should begin putting pressure on the vendor involved or start shopping around for alternate solutions. In the meantime, you can also install an alternative browser and inform the users of those systems that they must use Google Chrome or Mozilla Firefox for everything but that one purpose. Not a great solution.
  • You can add additional levels of protection with products like Bufferzone. This will containerize the browsing experience, protecting the system if the user happens to come across anything malicious.

This one is not a drill, folks. If you recall my assessment of the top five vulnerable vendors from 2015, I called out the three primary contributors to vulnerability counts: the OS, the browser, and the media/office products. Internet Explorer had the largest single-product vulnerability count in 2014. In 2015 it moved down the list to #7, but that was mostly due to the significant increase in vulnerabilities in other products; it had only 12 fewer vulnerabilities resolved in 2015 than in the previous year. The point being, expect that from the moment older versions of IE are end-of-lifed this month, we will see around 200+ vulnerabilities identified that will go unresolved in the unsupported versions.




Server 2003 end of life July 14, 2015. What’s your plan?


Are you prepared for the impending Windows Server 2003 end of life? Support is ending on July 14, 2015, which just so happens to be Patch Tuesday. You get one last round of security updates before support ends. So what are your options? I have had a number of companies approach us about what their options are, so I thought I would share some of those thoughts here.

Option 1: Migrate off of 2003. By the fact that you are here reading this, we can assume that Option 1 is delayed for some time.

Federal agencies, cybersecurity, and an order from the White House to step up their game


Dateline 2015:

Scary stuff, right? Unfortunately, this should all sound very familiar as there has been a steady stream of headlines around the rising concerns of securing U.S. federal agencies from cyber attack.

I recently had a conversation with Ben Tacheny, the U.S. Federal Territory Sales Representative here at Shavlik. Needless to say, Ben has been very busy as of late. He had a lot of really good insights and guidance that I wanted to share.

Q: Ben, what kinds of security problems are federal government agencies facing today?

Protect 9.2 Sneak Peek: Patch Tuesday + X

Every month, you start your maintenance, not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month with all of the subsequent execution happening with that as the anchor. +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, + 11 days Prod 1, etc. The problem with this is in the Outlook style scheduling.
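The "Patch Tuesday + x days" anchor described above, as an added example that is not part of the original post: the schedule is computed from the second Tuesday of each month rather than from a fixed calendar day, using the wave offsets quoted in the text (the group names are the post's spreadsheet pattern, the helper names are this example's own).

```python
# Added example: derive a rollout calendar anchored on Patch Tuesday
# (the second Tuesday of the month) instead of a fixed day of the month.
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday == 0 ... Tuesday == 1; days from the 1st to the first Tuesday
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


# Rollout waves as "+x days" offsets from Patch Tuesday, taken from the post.
DEFAULT_WAVES = (
    ("Test group 1", 1),
    ("Test group 2", 3),
    ("Dev group 1", 5),
    ("Dev group 2", 9),
    ("Prod 1", 11),
)


def rollout_schedule(year: int, month: int, waves=DEFAULT_WAVES):
    """Return [(wave name, ISO date), ...] for one month's maintenance cycle."""
    anchor = patch_tuesday(year, month)
    return [(name, (anchor + timedelta(days=offset)).isoformat())
            for name, offset in waves]


def fixed_day_drift(year: int, month: int, fixed_day: int = 9) -> int:
    """Days by which a fixed-calendar-day recurrence (e.g. 'the 9th') misses
    Patch Tuesday that month. Positive means it fires before Patch Tuesday."""
    return (patch_tuesday(year, month) - date(year, month, fixed_day)).days


def yearly_anchors(year: int):
    """ISO dates of every Patch Tuesday in the year, for the annual plan."""
    return [patch_tuesday(year, m).isoformat() for m in range(1, 13)]
```

`fixed_day_drift` shows why a recurring appointment on a fixed date cannot stand in for the anchor: the second Tuesday moves by up to six days from month to month.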

June Patch Tuesday Round-Up

We are at Patch Tuesday + 8 days and many of you are probably well into your third round of patching machines, or further along. Here is a recap of Patch Tuesday highlights and some things to watch out for:

  • Two Critical updates – MS15-056 and MS15-057
  • Two public disclosures – MS15-056 (CVE-2015-1765) and MS15-060 (CVE-2015-1756). Public disclosure increases the risk of exploit significantly, so MS15-060 should be a higher priority along with the two critical updates from this month.
  • Exploit detected – MS15-061 has been seen used in a targeted attack. Even though it is rated as Important, it should be a higher priority to roll out. This update plugs a vulnerability used by Duqu 2.0, as discussed by Kaspersky.
  • MS15-061 in combination with certain software can cause Copy/Paste to stop working – Reports on Reddit indicate this occurs on systems where Spector 360 is installed. It is still recommended to roll out as a priority.
  • Adobe Flash update resolves 13 vulnerabilities – Priority 1 update; it should be pushed ASAP along with the Chrome release.
  • Google Chrome – Released an update with support for the Adobe Flash update. This update inherits the Priority 1 from Adobe Flash and should also be pushed ASAP.