Windows 10 Patch Management and Third-Party Application (In)Compatibility


Unlike previous releases of Windows, Windows 10 continues to evolve from month to month and update to update. With the January 2016 Patch Tuesday release, we see some very interesting challenges for customers, due to the cumulative update model and the impact on third-party applications.

Chris Goettl, senior product manager for Shavlik and resident patch expert, noted an impact on Citrix XenDesktop in his January 2016 Patch Tuesday blog post. Let’s drill into what happened and what this means for customers.

Stephen: Chris, quickly recap what happened in this month’s update and how it affected Citrix XenDesktop.

Chris: As many in IT are already aware, patches for Windows 10 are all deployed in a “Cumulative Update” model where you can’t choose which individual update to apply. You either apply them all or none of them. Microsoft’s January Windows 10 update will create issues when Citrix XenDesktop is installed.

Stephen: Wow! That’s painful if you are a customer using Citrix on Windows 10. Has Microsoft responded to the issue?

Chris: Microsoft noted the following in bulletin MS16-007:

“Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.”

Stephen: Did Microsoft do anything to help prevent the incompatibility?

Chris: Microsoft’s detection logic now detects if Citrix XenDesktop is installed on an endpoint. If it is, the entire cumulative update simply will not be available for the endpoint.

Stephen: What does that mean for the rest of the cumulative update? Will part of the update apply except for the components that have conflict with Citrix?

Chris: None of the cumulative update will apply if Citrix XenDesktop is installed.

Stephen: What does this mean from a security perspective?

Chris: Customers have a difficult choice to make. They either need to uninstall Citrix XenDesktop and install the Windows 10 update or keep Citrix and be vulnerable to everything fixed in the January Update.

Stephen: How many vulnerabilities were in the January 2016 update?

Chris: 14 vulnerabilities were resolved across Windows 10, Edge, and Internet Explorer. Four of those were publicly disclosed, which puts them at significantly higher risk of exploit.

Stephen: So customers will not get Microsoft Edge and Internet Explorer updates without applying this cumulative update?

Chris: That’s correct. With Windows 10, all of those updates are bundled into the single cumulative update.

Stephen: What do you expect will happen with Citrix XenDesktop?

Chris: We can’t speak for Citrix, but I would expect that they will come out with a patch that makes XenDesktop compatible with the latest Windows 10 update. Users will then need to deploy both the Citrix update and then the Windows 10 update.

Stephen: So this reinforces the need for third-party application patching?

Chris: Absolutely. This is just one example that illustrates the need to have a comprehensive patch management solution for operating system updates and third-party applications. Going a step further, it reinforces the need to patch client systems more frequently. We don’t know when the Citrix update will be available, but when it is, customers are going to want to know ASAP, so they will then be able to update Citrix and push the cumulative update for Windows 10.

Stephen: One last question. How does this illustrate the need for an enterprise patch management solution with Windows 10?

Chris: To reiterate and emphasize my earlier point, customers must decide whether to install the cumulative update or remove Citrix. Most likely, they will need to update both in the order I specified earlier. Neither Windows Update nor Windows-only patch solutions give the flexibility to address these types of scenarios.

To summarize:

  • Patch Tuesday is no longer a single event, if it ever really was. An enterprise that starts its patch process while running Citrix XenDesktop has no choice: the cumulative update will not apply to those systems, leaving them exposed to known security vulnerabilities.
  • We expect Citrix will come out with a patch. Enterprises will need to be able to detect and distribute that patch to get that third-party software updated. Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) are not enough here.
  • After the enterprise patches Citrix XenDesktop, those systems become eligible for the cumulative update for Windows 10. The enterprise then needs to rescan the systems as soon as possible after the Citrix update to see that they are missing the Microsoft January 2016 update and are eligible to apply it, and then deploy and install the update.
  • Patching isn’t a once-a-month event: updates are becoming more complex and sometimes out of band. This is even more the case with third-party applications, whose vendors sometimes release multiple updates in a month.
  • Windows 10 does not simplify patching for enterprises. Enterprises need solutions that handle the new complexities of the Windows 10 update model.

Bottom line, third-party patching and flexible Windows 10 patch management is a must for all enterprises.

Microsoft is finally pushing people off of old Internet Explorer versions


Microsoft warned us back in April of 2014 that they would be reducing support for the Internet Explorer browser to cover only the latest version available for each operating system. Well, that date is upon us. January 12, 2016 will be the official end-of-life date for any version of IE older than the latest available for the version of Windows you are running. If you take a look at the original life-cycle announcement, it provides the version that will be supported for each OS. After the January Patch Tuesday release there will be no security updates unless you are on the supported version for that OS.

On January 12, expect to see upgrade notifications on older versions of Windows, if you are running a version of the browser older than the latest. You can disable those notifications if you have a need to continue running an older version of the browser for some reason.

If you need to continue running an older version of IE for some reason, take precautions. After this last IE update, older versions will become a prime target.

  • Isolate a system with the older version of IE: remove its access to the internet and remove access for anyone who does not require it. Of course, this only works if the browser will be used for an application or site that is internal to your network.
  • If you need to use an older version for access to an external site, you should begin putting pressure on the vendor involved or start shopping around for alternate solutions. In the meantime, you can also install an alternative browser and inform users of those systems that they must use Google Chrome or Mozilla Firefox for everything but that one purpose. Not a great solution.
  • You can add additional levels of protection with products like Bufferzone. This will containerize the browsing experience, protecting the system if the user happens to come across anything malicious.

This one is not a drill, folks. If you recall my assessment of the top five vulnerable vendors from 2015, I called out the three primary contributors to vulnerability counts: OS, browser, and the media/office products. Internet Explorer had the largest single-product vulnerability count in 2014. In 2015 it moved down the list to #7, but that was due more to the significant increase in vulnerabilities in other products. It had only 12 fewer vulnerabilities resolved in 2015 than in the previous year. Point being, expect that from the point older versions of IE are end-of-lifed this month, we will see around 200+ vulnerabilities identified that will go unresolved in the unsupported versions.


Server 2003 end of life July 14, 2015. What’s your plan?


Are you prepared for the impending Windows Server 2003 end of life? Support is ending on July 14, 2015, which just so happens to be Patch Tuesday. You get one last round of security updates before support ends. So what are your options? I have had a number of companies approach us about what their options are, so I thought I would share some of those thoughts here.

Option 1: Migrate off of 2003. By the fact that you are here reading this, we can assume that Option 1 is delayed for some time.

Federal agencies, cybersecurity, and an order from the White House to step up their game


Dateline 2015:

Scary stuff, right? Unfortunately, this should all sound very familiar as there has been a steady stream of headlines around the rising concerns of securing U.S. federal agencies from cyber attack.

I recently had a conversation with Ben Tacheny, the U.S. Federal Territory Sales Representative here at Shavlik. Needless to say, Ben has been very busy as of late. He had a lot of really good insights and guidance that I wanted to share.

Q: Ben, what kinds of security problems are federal government agencies facing today?

Protect 9.2 Sneak Peek: Patch Tuesday + X

Every month, you start your maintenance not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month, with all of the subsequent execution anchored to that date: +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, +11 days Prod 1, etc. The problem with this is in the Outlook-style scheduling.
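As an added illustration of the anchoring described above (this is not code from the original post or from Shavlik Protect), the following Python computes the second Tuesday of a month and derives each group's window from it. The group names and day offsets in `ROLLOUT_OFFSETS` are constructed to mirror the spreadsheet pattern in the post, and the function names are my own.

```python
from datetime import date, timedelta

# Constructed rollout plan: group name -> days after Patch Tuesday.
# The offsets mirror the spreadsheet pattern described in the post and are
# an assumption, not any particular customer's schedule.
ROLLOUT_OFFSETS = {
    "Test group 1": 1,
    "Test group 2": 3,
    "Dev group 1": 5,
    "Dev group 2": 9,
    "Prod 1": 11,
}

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year, month):
    """Return the second Tuesday of the given month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def previous_month(year, month):
    """(year, month) of the calendar month before the given one."""
    return (year - 1, 12) if month == 1 else (year, month - 1)


def rollout_schedule(year, month, offsets=ROLLOUT_OFFSETS):
    """Anchor every group's maintenance window to Patch Tuesday + its offset."""
    anchor = patch_tuesday(year, month)
    return {group: anchor + timedelta(days=days) for group, days in offsets.items()}


def cycle_day(today):
    """Days elapsed since the most recent Patch Tuesday on or before `today`
    (the "Patch Tuesday + X" position the post talks about)."""
    anchor = patch_tuesday(today.year, today.month)
    if today < anchor:
        anchor = patch_tuesday(*previous_month(today.year, today.month))
    return (today - anchor).days


def groups_due(today, offsets=ROLLOUT_OFFSETS):
    """Groups whose window falls on `today`. Both the previous and the current
    month's cycles are checked, because a late offset can spill into the next
    calendar month."""
    cycles = (previous_month(today.year, today.month), (today.year, today.month))
    due = []
    for year, month in cycles:
        for group, window in rollout_schedule(year, month, offsets).items():
            if window == today:
                due.append(group)
    return due


if __name__ == "__main__":
    anchor = patch_tuesday(2015, 6)
    for group, window in rollout_schedule(2015, 6).items():
        print(f"{group:12s} {window}  (Patch Tuesday + {(window - anchor).days})")
    print("June 17, 2015 is Patch Tuesday +", cycle_day(date(2015, 6, 17)))
```

Run stand-alone it prints the June 2015 plan; the same `patch_tuesday` function gives January 12, 2016 and July 14, 2015, the dates quoted elsewhere on this page.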

June Patch Tuesday Round-Up

We are at Patch Tuesday + 8 days and many of you are probably well into your third round of patching machines or farther along. Here is a recap of Patch Tuesday highlights and some things to watch out for:

  • Two Critical updates – MS15-056 and MS15-057
  • Two public disclosures – MS15-056 (CVE-2015-1765) and MS15-060 (CVE-2015-1756). Public disclosure increases the risk of exploit significantly, so MS15-060 should be a higher priority along with the two critical updates from this month.
  • Exploit detected – MS15-061 has been seen used in a targeted attack. Even though this is rated as Important, it should be a higher priority to roll out. This update plugs a vulnerability used by Duqu 2.0 as discussed by Kaspersky.
  • MS15-061 in combination with certain software can cause copy/paste to stop working – reports on Reddit and PatchManagement.org indicate this can occur on systems where Spector 360 is installed. It is still recommended to roll out as a priority.
  • Adobe Flash update resolves 13 vulnerabilities – Priority 1 update, should be pushed ASAP along with the Chrome release.
  • Google Chrome – Released an update with support for the Adobe Flash update. This update inherits the Priority 1 from Adobe Flash and should also be pushed ASAP.

WUB WUB WUB and Windows 10


Did you know that WUB is the new UNTS in Electronica Dubstep?  I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB.  Windows Update for Business.

There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.

May Patch Tuesday Round-Up


There were a lot of updates released this month. A lot of the updates from Microsoft overlap each other. There is even a case of one patch replacing another within the 13 patches released this month. Here are some things to know as you continue through your patch process:

Several patches may apply multiple times to the same system. MS15-044 applies to multiple products including the OS, .Net, Office, Lync, and Silverlight. MS15-047 for Microsoft Silverlight is another update that overlaps in which files are being updated. MS15-048 for .Net also overlaps many of the other updates and could show as missing multiple times on the same system.

MS15-052 is replaced by MS15-055.  On Windows 8 and Server 2012 you need to install 052 before 055.  With Shavlik Protect you would just see MS15-055 in this case as it replaces MS15-052.

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which increases the risk that they will be exploited significantly.

MS15-050 applies to Windows 2003, but no update is offered for this OS because the changes required would need significant re-architecture. As 2003 reaches its End-of-Life, the number of unpatched vulnerabilities will increase.

MS15-055 resolves vulnerabilities in Schannel, but also includes additional security-related changes to TLS including increasing the minimum allowable DHE key length to 1024 bits.


May Patch Tuesday 2015


Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and affect the following Microsoft products: Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.
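The MS15-052 / MS15-055 relationship above, together with the May round-up's note that Windows 8 and Server 2012 need 052 installed before 055, is a small instance of a general patch-management problem: given the bulletins a scan reports missing, collapse the ones that another missing bulletin replaces, then pull any OS-specific prerequisites back in and order the install so they go first. The following Python is an added example, not code from the original post or from Shavlik Protect. The `SUPERSEDES` and `PREREQS` tables are constructed from the text (a real catalog is far larger), the OS family labels are assumed, and the function names are my own; the supersedence walk is transitive, so it also handles chains longer than the single replacement on this page.

```python
# Constructed supersedence table: bulletin -> bulletins it replaces.
# Built from the relationship stated in the post; a real catalog is far larger.
SUPERSEDES = {
    "MS15-055": {"MS15-052"},
}

# Constructed prerequisites: (bulletin, OS family) -> bulletins that must be
# installed first on that OS even though the catalog marks them superseded.
# The OS family labels are assumed for this example.
PREREQS = {
    ("MS15-055", "Windows 8"): ["MS15-052"],
    ("MS15-055", "Windows Server 2012"): ["MS15-052"],
}


def replaced_by(bulletin, supersedes=SUPERSEDES):
    """Every bulletin transitively replaced by `bulletin`."""
    seen, stack = set(), [bulletin]
    while stack:
        for older in supersedes.get(stack.pop(), ()):
            if older not in seen:
                seen.add(older)
                stack.append(older)
    return seen


def required_updates(missing, supersedes=SUPERSEDES):
    """Drop any missing bulletin that another missing bulletin replaces.
    A superseded bulletin stays required when its replacement is not deployed."""
    missing = set(missing)
    replaced = set()
    for bulletin in missing:
        replaced |= replaced_by(bulletin, supersedes)
    return missing - replaced


def deployment_plan(missing, os_family, supersedes=SUPERSEDES, prereqs=PREREQS):
    """Ordered install list: superseded bulletins collapsed, OS-specific
    prerequisites pulled back in, and every prerequisite placed before the
    bulletin that needs it."""
    todo = set(required_updates(missing, supersedes))
    pending = list(todo)
    while pending:                      # pull in prerequisites transitively
        for prereq in prereqs.get((pending.pop(), os_family), ()):
            if prereq not in todo:
                todo.add(prereq)
                pending.append(prereq)
    indegree = {b: 0 for b in todo}
    dependents = {b: [] for b in todo}
    for bulletin in todo:
        for prereq in prereqs.get((bulletin, os_family), ()):
            indegree[bulletin] += 1
            dependents[prereq].append(bulletin)
    ready = sorted(b for b in todo if indegree[b] == 0)
    order = []
    while ready:                        # Kahn's algorithm, alphabetical tie-break
        current = ready.pop(0)
        order.append(current)
        for dependent in dependents[current]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
                ready.sort()
    if len(order) != len(todo):
        raise ValueError("prerequisite cycle in catalog")
    return order


if __name__ == "__main__":
    scan = {"MS15-043", "MS15-052", "MS15-055"}   # constructed scan result
    print("Windows 8:", deployment_plan(scan, "Windows 8"))
    print("Windows 7:", deployment_plan(scan, "Windows 7"))
    print("MS15-055 not deployed:", sorted(required_updates({"MS15-052"})))
```

On Windows 8 the plan keeps MS15-052 ahead of MS15-055 even though the scan view collapses to MS15-055 alone; on an OS without that prerequisite only MS15-055 is installed, and if MS15-055 is not being deployed at all, MS15-052 remains required, matching the bulletin guidance in the paragraph above.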

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereference, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on Javascript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to deploy to resolve all of these vulnerabilities: Flash Player itself, Google Chrome (also released today), an update for Flash for Firefox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. There is also an out-of-bounds read/write during JS validation, which could allow information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolved, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday. Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this month’s Patch Tuesday lineup.

Critical Update for Shavlik Patch for Microsoft System Center

You’ve probably heard by now that Shavlik is requiring all customers to install Update 1 for Shavlik Patch for Microsoft System Center 2.0 and 2.1, but did you know that the whole process takes less than two minutes? That’s right – less than two minutes.

Check out this video from John Rush where he demonstrates the process for applying Update 1 to Shavlik Patch. Did we mention it only takes two minutes?

Now, it’s your turn. Please install Update 1 today so you will not experience an interruption in receiving third-party patch data.

If you are a Shavlik Patch 2.1 user, complete the following actions:

  1. Download the updated version from www.shavlik.com/support/patch/downloads, and copy the executable file to your Configuration Manager console machine.
  2. Close System Center Configuration Manager.
  3. Run the Shavlik Patch executable (sccmpatchsetup_2_1_810.exe) and follow the on-screen instructions. For further details about this step, see the Shavlik Patch User’s Guide.
  4. Open System Center Configuration Manager and commence business as usual.

If you are running Shavlik 2.0, we encourage you to upgrade to 2.1 (see instructions above). In the same amount of time it takes to apply the patch to Version 2.0, you can complete your upgrade to Version 2.1 and enjoy all of the latest features in Shavlik Patch. If you are unable to update from 2.0 to 2.1 at this time, please contact Shavlik Support to obtain the 2.0 update.

This update does not affect customers using the catalog file version (1.0) of Shavlik Patch or Shavlik Protect.

If you have any questions or concerns about applying this patch, please contact Shavlik Support.