Oracle releases large Critical Patch Update!

Oracle

Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.

The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, it is highly recommended by Oracle to apply this update as soon as possible.

Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.

For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk threat is still notable and the vulnerabilities need to be mitigated quickly.

Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.

Do you know your Patch Management Posture?

How well do you know the security posture of your environment?  Do you know how effective your Patch Management process is? Can you provide stakeholders with a quick look at the state of your network and show how protected you are in real time?

In today’s world with so many devices connected to a network and with the BYOD option becoming more and more of a norm, it is now more important than ever to have visibility into security risks for an organization.

Visibility into your security posture is the key to providing the knowledge necessary to take action on security measures that you can control. So how do you get visibility into your current security posture and what are valuable insights?

What are valuable insights?

  • When were devices last patched?
  • What are the outstanding patches missing from a device?
  • How many and what are the severity levels of the patches needed?
  • What devices are non-compliant and of those, which ones are the most security risk to the organization?
  • How quickly are patches deployed to devices after each patch is released?

How do you get the visibility into your security posture that is meaningful to you? Xtraction

Xtraction allows an organization:

  • To decide what is meaning information
  • To provide access to that information anywhere from a browser at anytime
  • To report real-time results based on the current state of the production database

Xtraction for Shavlik Protect provides a number of default dashboards as part of the Report Bundle offering.

These dashboards have been designed to give visibility into the security posture of an organization and to provide the insight needed to aid in prioritizing meaningful action.

Since the release of Xtraction for Shavlik Protect Reporting Bundle, 2 additional dashboards have been created and are available on the Xtraction for Shavlik Protect landing page of the community website.

Visibility into Security Posture

Now Available: Xtraction for Shavlik Protect

Shavlik is pleased to announce the availability of Xtraction for Shavlik Protect.

Screen Shot 07-25-16 at 09.21 AM

Xtraction for Shavlik Protect is a self-service, web based solution that presents critical data from Shavlik Protect as customized dashboards and documents in real time.  There are 2 different offerings available for Xtraction with Shavlik Protect. These offerings include: Xtraction for Shavlik Protect Reporting Bundle or Xtraction Enterprise with the Shavlik Protect Connector .

The Xtraction for Shavlik Protect Reporting Bundle option is a view only license allowing customers to view pre-built dashboards and documents. The pre-built dashboards make it easier for a customer to get up and running quickly with a simplified reporting solution. The full Enterprise version of Extraction is needed for customers that want to create new dashboards or modify existing ones.

Xtraction complements Shavlik Protect by extending reporting visibility without the need to grant access privileges to Shavlik Protect.

Xtraction for Shavlik Protect helps to:

  • Improve speed of response to vulnerabilities
  • Improve accuracy of risk assessments
  • Manage compliance levels
  • Provide self-service reporting access to reduce the administrator burden

For more information and a deeper dive into the out-of-the-box dashboards available with the Xtraction for Shavlik Protect connector, please join me for the Introducing Xtraction for Shavlik Protect webinar on Wednesday, July 27th .

Windows 10 branch upgrades and Shavlik Protect 9.2 Update 3 available!

win10 It has been a busy week here with the 4th of July holiday and a couple of content and product releases.

On Tuesday we released a content update which added support for pushing Windows 10 1511 to Windows 10 1507 systems.  Shavlik Protect 9.2 now supports branch upgrades! For instructions on how to upgrade Window 10 systems to branch 1511, please see our community post.

With the Windows 10 Anniversary update coming on August 2nd, those Windows 10 systems running the original 1507 branch will start their countdown to end of support for updates.  Microsoft has stated a 4 month grace period once a new branch releases before the N-2 branch stops receiving updates.

The recommended approach to supporting these branch upgrades is to keep a pilot group moving ahead to the new branch soon after it releases.  Those systems on the previous Current Branch for Business (in this case 1507) should start migrating to the new CBB (1511).  The 1608 (Anniversary update) branch will become the new Current Branch and you will have around 8 to 10 months to evaluate this within your pilot group before the next branch update releases.

On Thursday this week we released Update 3 for Shavlik Protect 9.2.  This update includes several customer reported bug fixes.  For more details or to download the latest installer visit our downloads page.

More than half of our customer base has already moved to Protect 9.2 and are taking advantage of the great new features and speed of Protect 9.2.  For those customers still on 9.1 or 9.0 please keep in mind that these versions will reach end of service this year.  Protect 9.0 is ending service as it was scheduled to do, but Protect 9.1 is being moved forward because of SHA 1 end of life.  Protect 9.2 supports SHA 256 and after upgrading will migrate the Protect Console and Agent certificates over to SHA 256.  For more details please see our product life-cycle policy here.

  • Shavlik Protect 9.0 will reach end of service on 2016/10/19.
  • Shavlik Protect 9.1 will reach end of service on 2016/12/31.
  • Shavlik Protect Threat Protection in Advanced and AV Add-On editions will also reach end of service on 2016/12/31.

 

 

Remove Apple Quicktime from your Windows systems

RemoveQuickTime

Apple has announced the end of availability for QuickTime 7 on Windows systems. In their announcement they explained their reason for pulling support:

“QuickTime 7 for Windows is no longer supported by Apple. New versions of Windows since 2009 have included support for the key media formats, such as H.264 and AAC, that QuickTime 7 enabled. All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows.”

To add to this, there are two known vulnerabilities that will go unpatched for QuickTime 7 on Windows which elevates the need to remove it. While the vulnerabilities are not being exploited, to anybodies’ knowledge, security experts are calling for removal of QuickTime as quickly as possible and are treating these two vulnerabilities as Zero Days since they have been disclosed and will never be fixed.

In response to this, Shavlik is creating uninstallers for our customers to find and remove QuickTime.

 

April Patch Tuesday Round-Up – Oracle Quarterly CPU Commentary

java_logo

Patch Tuesday continued!  Today Oracle released their quarterly Critical Patch Update.  This is the day that Oracle product updates all come together.  Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, and several other products.  Oh, and Java, we don’t want to forget Java.

Across all updates it looks like 121 CVE’s were resolved in total, the oldest of which dates back to 2011 (CVE-2011-4461).  Seven of these vulnerabilities rate a 10.0 CVSS, which is the highest base score rating on the CVSSv2 scale.

There are a few indicators that can help you prioritize what updates you should worry about first. Exploit code examples being available in Metasploit is an easy one.  If it is in Metasploit, it is also in the threat actor’s hands.  Beyond that things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.  If you look at Verizon’s 2015 Data Breach Investigation Report, the CVSS data provides a profile for vulnerabilities more likely to be exploited.  If you have not already read this year’s report, check out the vulnerabilities section.  I did a write-up on the Java Out-of-Band release that came out on March 24th.  The Verizon report shows a progression of all vulnerabilities, vulnerabilities exploited, and vulnerabilities exploited under one month from publication.  Using the pattern for those exploited in less than a month 7 out of 7 of the CVSS 10.0 vulnerabilities fit the pattern.

Based on that, I would recommend the following priorities be added to your April Patch Tuesday activities.  Java SE (4 of 7), MySQL (2 of 7), Sun Systems Products Suite (1 of 7) should be updated in this update cycle.  I know many of you are already a week in, but these are the ones that stand a higher chance of being exploited before your next monthly patch cycle.

Happy Patching Everyone!

Shavlik Patch 2.2 available in early access!

ShavlikPatch

The Shavlik Team is proud to announce the availability of Shavlik Patch 2.2 in an early access delivery.  Check out what’s new!

  • Edit packages (watch the video) – Change the command line switches, return codes expected, etc for a given package.
  • IAVA Support – For our Federal customers we have extended our IAVA coverage into our Shavlik Patch offering making it much easier to automatically cross-reference DOD IAVAs.
  • Republish and resigning of packages – The manual steps for doing this are long and painful and going down that rabbit hole is not recommended.  It is also no longer necessary!  We are going to do all the heavy lifting on this one.
  • Manage vendor and product categories (watch the video) – We have a new interface that lets you monitor and manage the categories in use so, again, you do not have to go down a significantly long, manual process to reclaim a category that is no longer in use.

We have a webinar scheduled for April 6th, 2016 to walk through the Shavlik Patch 2.2 features and show you whats new! You can also download Shavlik Patch 2.2 here.

Shavlik Protect 9.2 Update 2

The Shavlik Team is happy to announce the release of Shavlik Protect 9.2 Update 2. This update provides support for installing the Shavlik Protect Console on Windows 10. It also provides 13 bug fixes for known issues that customers have encountered since Update 1. The install is available now on our downloads page. It will install right over the top of Protect 9.2 Gold or Update 1. You can also upgrade directly to 9.2 Update 2 from Protect 9.0 or 9.1.

For customers still running on Shavlik Protect 9.0 or 9.1, this is a good time to look at upgrading. We will be ending support for all versions pre-9.2 by the end of 2016, due to the end of support for SHA1 certificates. Shavlik Protect 9.2 supports SHA 256 and will automatically convert the current SHA 1 console and agent certificates after you upgrade, making for a very seamless transition to a more secure mode of communication. Please review our product life-cycle policy for more details regarding the end of life date for specific versions.

logo_shavlik

A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently, discussing the number of bulletins and vulnerabilities released\resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released with a total of 571 vulnerabilities resolved. This is the highest bulletin count over the previous shared 2010/2013 high of 106 bulletins. This also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins and is more than double the vulnerabilities resolved than 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:

SummaryTop5VulnVendors

As you can see there is a trend here and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012 and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and there are more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product market in today’s dark web hacking services markets and the number of products and increase in features they provide coincide with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. From the time an update is released to when a vulnerability is resolved, baring a Zero Day, you have about two weeks before the exploits start to hit. According to the Verizon 2015 Breach Report, 50 percent of vulnerabilities that will be exploited are exploited in two–four weeks of release of an update from the vendor. One of the contributors to the Verizon Breach Report, Kenna Security, released an additional report that goes further out and shows that 90 percent of vulnerabilities that will be exploited are exploited within 40–60 days of an update being made available from the vendor. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve the vulnerability. In the case of web exploits that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend of exploits and a shrinking window between updates from a vendor and exploit code being made available to take advantage of the resolved CVEs. Events of the three previous years set the stage for vendors in 2015. Let’s take a look at our top 5 vendors and talk a about how this trend may have affected each.

Apple has a combination of OS, Browser, and Media player products all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X related malware. “There’s been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined.” With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market and it has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time and there is no question that the trends we are seeing would have directly affected them. The thing I will add here is Windows 10 and Edge were likely much less significant in their contributions. OS bulletins released since Windows 10 have affected earlier versions of the Windows OS similarly and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVE’s affecting Windows 10 you will see in the description a list of many of the currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of the CVEs affected other components of the OS and IE browser as well. Similar to Apple, the increase of CVEs is in part due to the fact that they are focused on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as Apple, Microsoft or Adobe. Cisco does have its proprietary OS for its devices and it has a count on par with many of the individual Windows OS and Linux distributions, as far as CVE counts. It has other products, such as Cisco Anyconnect VPN, that could be an ideal target for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, the huge list of products is the other significant contributing factor with over a thousand products with small contributions to get them into the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013. It was the only vendor of the top five that didn’t set new CVE records this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java. If you updated Java, you broke the application. This resulted in an easily exploitable scenario that treat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days since the last Java Zero Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. It reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since the last Zero Day and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With over three times the increase in CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Adobe Flash Player has gained the same broad use and popularity that caused Java to become a target. It has, quite possibly, topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering eight Zero-Day streak. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more mid year and it did not stop there. Security experts have called for the death of Flash Player from Brian Krebs’ life without Flash Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of the 440 total Adobe CVE count for 2015, which more than doubled the 2014 count of 138 on its own. Adobe is trying to move away from Flash and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, OS and commonly used media products are a significant contributor to counts for our top 5 vendors. Browser is another significant contributor. Apple Safari and Microsoft Internet Explorer and Edge contributed 135 and 231 CVEs respectively to their vendor’s total counts this year. Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 out of Google’s total 321, putting them in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 out of 187 total placing them at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall you can rest assured that if you are running a computer with an operating system, a variety of media player products and a browser, you are as vulnerable as you can possibly be. The window between product release and exposure has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver updates for the most likely to be exploited vulnerabilities. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinarseries where we discuss updates that occur on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their needs to reboot and finalize installs of updates effectively. The ProtectCloud enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end user system. We host this service for you and provide it as part of the base feature set of our product so you can reach those systems and ensure you can report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options from deferring reboot for up to seven days, reboot at logoff or at next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products that are on my network? We have a plug-in for Microsoft System Center Configuration Manager. It is called Shavlik Patchand provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM and not change your infrastructure or processes you have in place.

Shavlik Protect 9.2 and Empower Beta Launch

EmpowerDashboard_edited

Shavlik is proud to announce the launch of Shavlik Protect 9.2 Beta and introduce the Empower platform. This simultaneous launch is a significant leap into a rapidly changing world. Shavlik Protect will continue to be the Data Center solution for patching critical systems and ensuring vulnerabilities are being plugged. Shavlik Empower is the platform that Shavlik will use to launch us into the future.

Empower is purpose built to manage your users, the devices they use and follow those users wherever they go. Empower will aggregate data from Protect, from other parts of your network and off network using the