Oracle releases large Critical Patch Update!


Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.

The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, Oracle strongly recommends applying this update as soon as possible.

Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.

For Java SE, there are a total of 17 CVEs, all but one of which can be exploited without authentication. Nine of the Java vulnerabilities are user targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when Java is not running with elevated privileges, the risk is still notable and the vulnerabilities need to be mitigated quickly.

Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.

Remove Apple Quicktime from your Windows systems


Apple has announced the end of availability for QuickTime 7 on Windows systems. In their announcement they explained their reason for pulling support:

“QuickTime 7 for Windows is no longer supported by Apple. New versions of Windows since 2009 have included support for the key media formats, such as H.264 and AAC, that QuickTime 7 enabled. All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows.”

To add to this, there are two known vulnerabilities that will go unpatched for QuickTime 7 on Windows, which makes removing it more urgent. While the vulnerabilities are not being exploited, to anybody’s knowledge, security experts are calling for removal of QuickTime as quickly as possible and are treating these two vulnerabilities as Zero Days, since they have been disclosed and will never be fixed.

In response to this, Shavlik is creating uninstallers for our customers to find and remove QuickTime.

April Patch Tuesday Round-Up – Oracle Quarterly CPU Commentary


Patch Tuesday continued!  Today Oracle released their quarterly Critical Patch Update.  This is the day when updates for Oracle’s products all land together: Fusion Middleware, PeopleSoft, E-Business Suite, MySQL, and several other products.  Oh, and Java, we don’t want to forget Java.

Across all updates it looks like 121 CVEs were resolved in total, the oldest of which dates back to 2011 (CVE-2011-4461).  Seven of these vulnerabilities rate a 10.0 CVSS, which is the highest base score rating on the CVSSv2 scale.

There are a few indicators that can help you prioritize which updates you should worry about first. Exploit code being available in Metasploit is an easy one.  If it is in Metasploit, it is also in the threat actor’s hands.  Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.  If you look at Verizon’s 2015 Data Breach Investigation Report, the CVSS data provides a profile for vulnerabilities more likely to be exploited.  If you have not already read this year’s report, check out the vulnerabilities section.  I did a write-up on the Java Out-of-Band release that came out on March 24th.  The Verizon report shows a progression of all vulnerabilities, vulnerabilities exploited, and vulnerabilities exploited under one month from publication.  Using the pattern for those exploited in less than a month, 7 out of 7 of the CVSS 10.0 vulnerabilities fit the pattern.

Based on that, I would recommend the following priorities be added to your April Patch Tuesday activities.  Java SE (4 of 7), MySQL (2 of 7), Sun Systems Products Suite (1 of 7) should be updated in this update cycle.  I know many of you are already a week in, but these are the ones that stand a higher chance of being exploited before your next monthly patch cycle.
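As an added illustration (not Shavlik’s tooling or code), the ranking the post describes can be reduced to a small script: it orders a constructed set of bulletins by whether exploit code is public, whether the flaw was disclosed before the fix, and the CVSSv2 base score, and then lists the products to deploy in this cycle. The bulletin records and their CVE ids are made up for the example.

```python
"""Patch prioritisation by exploitability indicators.

Added example, not Shavlik's tooling: it ranks a constructed set of
quarterly-CPU style bulletins by the indicators the post names (exploit
code in Metasploit, public disclosure, CVSSv2 base score) so the items
most likely to be exploited before the next patch cycle come first.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Bulletin:
    product: str
    cve: str                      # constructed placeholder ids below
    cvss: float                   # CVSSv2 base score, 0.0 to 10.0
    exploit_public: bool = False  # e.g. a Metasploit module is available
    disclosed: bool = False       # details were public before the fix


def priority_tier(b: Bulletin) -> int:
    """Return an urgency tier; lower means patch sooner.

    1: working exploit code is public (it is in the attacker's hands too)
    2: publicly disclosed, or the maximum CVSSv2 base score of 10.0
    3: CVSS 9.0 or higher without either indicator
    4: everything else, which can wait for the regular cycle
    """
    if b.exploit_public:
        return 1
    if b.disclosed or b.cvss >= 10.0:
        return 2
    if b.cvss >= 9.0:
        return 3
    return 4


def rank(bulletins: Iterable[Bulletin]) -> List[Bulletin]:
    """Order bulletins by tier, then by descending CVSS, then by product name."""
    return sorted(bulletins, key=lambda b: (priority_tier(b), -b.cvss, b.product))


def products_to_patch_now(bulletins: Iterable[Bulletin], max_tier: int = 2) -> List[str]:
    """Distinct products with at least one bulletin at or above max_tier urgency,
    in ranked order, so the result reads as a deployment list for this cycle."""
    seen: List[str] = []
    for b in rank(bulletins):
        if priority_tier(b) <= max_tier and b.product not in seen:
            seen.append(b.product)
    return seen


# Constructed sample; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Bulletin("Sun Systems Products Suite", "CVE-0000-0003", 10.0),
    Bulletin("Fusion Middleware", "CVE-0000-0005", 7.5),
    Bulletin("Java SE", "CVE-0000-0001", 10.0, exploit_public=True),
    Bulletin("MySQL", "CVE-0000-0002", 10.0, disclosed=True),
    Bulletin("Java SE", "CVE-0000-0004", 9.3),
    Bulletin("E-Business Suite", "CVE-0000-0006", 6.4, disclosed=True),
]

if __name__ == "__main__":
    for b in rank(SAMPLE):
        print(f"tier {priority_tier(b)}  {b.cvss:4.1f}  {b.product:28} {b.cve}")
    print("Deploy this cycle:", ", ".join(products_to_patch_now(SAMPLE)))
```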

Happy Patching Everyone!

A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently, discussing the number of bulletins and vulnerabilities released/resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released and a total of 571 vulnerabilities resolved. This is the highest bulletin count ever, over the previous shared 2010/2013 high of 106 bulletins. It also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins and is more than double the number of vulnerabilities resolved in 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:


As you can see there is a trend here and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012 and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and there are more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product line in today’s dark web hacking services market, and the growing number of products and the features they provide coincide with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. From the time a vendor releases an update that resolves a vulnerability, barring a Zero Day, you have about two weeks before the exploits start to hit. According to the Verizon 2015 Breach Report, 50 percent of vulnerabilities that will be exploited are exploited within two to four weeks of the release of an update from the vendor. One of the contributors to the Verizon Breach Report, Kenna Security, released an additional report that goes further out and shows that 90 percent of vulnerabilities that will be exploited are exploited within 40–60 days of an update being made available from the vendor. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve the vulnerability. In the case of web exploits that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend of exploits and a shrinking window between updates from a vendor and exploit code being made available to take advantage of the resolved CVEs. Events of the three previous years set the stage for vendors in 2015. Let’s take a look at our top 5 vendors and talk about how this trend may have affected each.

Apple has a combination of OS, Browser, and Media player products all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X related malware. “There’s been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined.” With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market and it has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time and there is no question that the trends we are seeing would have directly affected them. The thing I will add here is that Windows 10 and Edge were likely much less significant in their contributions. OS bulletins released since Windows 10 have affected earlier versions of the Windows OS similarly, and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVEs affecting Windows 10 you will see in the description a list of many of the currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of the CVEs affected other components of the OS and the IE browser as well. Similar to Apple, the increase of CVEs is in part due to the fact that they are focused on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as Apple, Microsoft or Adobe. Cisco does have its proprietary OS for its devices and it has a count on par with many of the individual Windows OS and Linux distributions, as far as CVE counts. It has other products, such as Cisco Anyconnect VPN, that could be an ideal target for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, the huge list of products is the other significant contributing factor with over a thousand products with small contributions to get them into the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013. It was the only vendor of the top five that didn’t set new CVE records this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java. If you updated Java, you broke the application. This resulted in an easily exploitable scenario that threat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days since the last Java Zero Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. It reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since the last Zero Day and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With more than three times as many CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Adobe Flash Player has gained the same broad use and popularity that caused Java to become a target. It has, quite possibly, topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering eight Zero-Day streak. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more mid-year and it did not stop there. Security experts have called for the death of Flash Player, from Brian Krebs’ life without Flash Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of the 440 total Adobe CVE count for 2015, which more than doubled the 2014 count of 138 on its own. Adobe is trying to move away from Flash and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, the OS and commonly used media products are significant contributors to the counts for our top 5 vendors. Browsers are another significant contributor. Apple Safari and Microsoft Internet Explorer and Edge contributed 135 and 231 CVEs respectively to their vendor’s total counts this year. Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 out of Google’s total 321, putting them in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 out of 187 total, placing them at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall you can rest assured that if you are running a computer with an operating system, a variety of media player products and a browser, you are as vulnerable as you can possibly be. The window between product release and exposure has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver updates for the vulnerabilities most likely to be exploited. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinar series where we discuss updates that occur on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their needs to reboot and finalize installs of updates effectively. The ProtectCloud enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end user system. We host this service for you and provide it as part of the base feature set of our product so you can reach those systems and ensure you can report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options, from deferring reboot for up to seven days, to reboot at logoff or at the next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products that are on my network? We have a plug-in for Microsoft System Center Configuration Manager. It is called Shavlik Patch and provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM and not change your infrastructure or the processes you have in place.

Consumers Beware: Protect Yourselves from Security Breaches

In this blog series on security breaches, we’ve talked a lot about what retailers can do to secure their IT infrastructures and to protect customer data. However, in today’s environment, it is impossible for any company, not to mention a retailer, to be 100% secure. The question isn’t IF your favorite store will get hacked; the question is WHEN your favorite store will get hacked.

Given this reality, let’s turn our attention to what we as consumers can do to protect ourselves. Following three basic practices will limit your risk of exposure to nearly zero, and means you can continue blissfully shopping at all of your favorite stores, regardless of whether or not you’ve seen their name in the paper recently.

#1 – Ditch the debit cards

As I was first venturing into the adult world, one piece of financial advice my dad gave me was, “Debit cards are evil.” It was the late ‘90s, so data breaches and BlackPOS weren’t top of mind. Heck, e-commerce was just kicking off then. He was thinking about old school things like earning interest in your checking account, earning cash back from credit cards, and the risk of the card being lost or stolen.

Fast forward to today’s environment and Dad’s advice is better than ever. If a debit card number is compromised, your checking account can be emptied and your money inaccessible while you go through what can be a lengthy process of disputing the charge. With credit cards, on the other hand, you are not obligated to make payments that are under dispute, so the disputed funds stay with you. In reality your only risk from a compromised credit card number is the inconvenience of having to update auto-payments if your credit card company issues a new number. That is if you do #2…

#2 – Review your statements carefully

We as consumers do have an obligation to review our credit card statements each month and to promptly report any erroneous charges. In doing so, be especially mindful of small charges, say $0.05, that might be testing the viability of your card number. That type of charge is an early indicator that your credit card number has fallen into the hands of evil, so don’t let the size of the charge keep you from reporting it.

By carefully reviewing your credit card statement each month and reporting any charges that don’t seem right, you shift the responsibility for unauthorized charges from yourself to your credit card company.

#3 – Don’t stress out about the headlines

Working for a security software company, I get questioned a lot about retail security breaches by friends and family. When Target came under fire last fall, a lot of folks asked if I was going to stop shopping there and if they should stop too. The thought of not shopping at Target had never crossed my mind. Shoot, I live in Minnesota; I’d give up hockey before giving up Target.

Seriously, though, if you’ve followed the steps above, there’s little if any effect on you if your credit card info is compromised. You don’t need to stop shopping at a store because you see its name in the paper. Swipe away and leave the worry to your favorite retailer’s IT department.

If you’d like to learn more about recent security breaches, what companies can do to defend their networks, and what consumers can do to protect themselves, please join us for the following Shavlik webinar.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT

Good news regarding the IE Zero Day, MS14-021 has released and includes support for Windows XP

Microsoft has announced Security Bulletin MS14-021 on Technet to resolve the IE Zero Day identified on April 26th.  The Shavlik Content team is investigating and will be releasing support for this bulletin as soon as possible.  A restart will be required to apply the patch.  Also, if you have applied any of the mitigation steps you will need to take a look at the ‘Workarounds’ section of the bulletin to see if the steps you chose will need to be reverted.

For those of you on Windows XP, the bulletin identifies variations for IE 6, 7, and 8, and according to the MSRC post today, Microsoft has decided to support this bulletin on Windows XP.  According to Dustin Childs’ post, Microsoft “…made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system…”.

Watch for the Shavlik Content Announcement later today once we have tested and made it available to our customers.

March Patch Tuesday Round Up

What would Patch Tuesday be without a Critical IE Cumulative Update?  It would probably just feel wrong.  So it is no surprise that the lead-in patch for this month was an IE Cumulative, was rated Critical, and covers a whopping 18 CVEs.  Needless to say this is the most important update to push for March.

There was also a Security Advisory for IE and an update from Google Chrome to add plug-in support for the Adobe Flash patch that released on the 11th.  While this Flash update was only rated as a Priority 2 (by Adobe’s definition of severity), it replaces APSB14-07 from February 20th, which was a Priority 1.  That update resolves three CVEs of a more serious nature.  Unless you are patching your endpoints multiple times each month, that makes the Flash update a high priority in our opinion.   The other two Flash updates we have seen so far this year (1/14 and 2/4) resolve three additional high priority CVEs.  Long story short, UPDATE FLASH!

Google Chrome had an update to the Stable Channel resolving 4 high priority CVEs and 3 additional vulnerabilities that were not as severe.  The 4 highs plus the Flash plug-in push Chrome up into the spotlight with IE and Flash this month.  Roll those three product updates out ASAP!

Aside from that Microsoft did have another Critical update this month, in DirectShow (MS14-013), which should be a priority.  While there are no active attacks currently identified, the vulnerability could allow for Remote Code Execution by enticing a user to click on a JPG file in IE.  This type of exploit reemphasizes the importance of the least privilege rule.  It could mean the difference between giving the attacker keys to the kingdom vs keys to the room they entered.

The Important bulletins for March may not be as high a priority, but we have two Security Feature Bypass vulnerabilities, in the SAMR protocol and in Silverlight.  Although possibly more difficult to exploit and not currently being exploited in the wild, you will want to get these rolled out in a timely manner.  We also have a Kernel-Mode Driver to update.  Again, only rated as Important, but as with all Kernel updates, you will want to ensure proper testing before rolling out.

For these types of updates and more, join us each month for the Shavlik Patch Tuesday webinar.  In this monthly webinar we discuss the Microsoft and 3rd Party updates that affect you and your users.  We focus on Patch Tuesday, but we also discuss what happens in between.  Remember, 86% of attacks of reported vulnerabilities target 3rd Party applications.  Those vendors do not release on the same schedule as Microsoft and what happens between Patch Tuesdays can often be of more importance than what happens on Patch Tuesday.

Avoid the latest Java Zero Day by upgrading to Java 7 today

If you have not read up on the ZDNet and other posts regarding this exploit, here is a link to an article talking about it in more depth.  If you are still on Java 6 you are vulnerable to this Java vulnerability.  Java 7 update 21 and earlier are also exposed.  There is an exploit kit available to hackers for $450.  They can purchase a way to exploit this vulnerability off the shelf.  This means it is past time to upgrade your Java runtime.

So, Shavlik Protect users, here are some easy steps to create a scan template that lets you deploy (upgrade to) Java 7 update 25 on your machines to ensure they are up to date.

For users on Protect 9.0 the steps are as follows:

  1. Create a new Patch Group by clicking on the +New > Patch Group…
  2. Name the Patch Group “Java 7 Software Distribution”
  3. Click add and sort by QNumber column.  Select QJAVA7U25N and QJAVA7U25X64N and save the patch group.
  4. Click +New > Patch Scan Template… and name it Java 7 Software Distribution
  5. On the Filtering tab, uncheck Patch Type > Security Patches, set the Patch filter to “Scan Selected”, click the “…” button and select the “Java 7 Software Distribution” patch group.
  6. Click on the “Software Distribution” tab and check the box to enable Software Distribution.  Save the scan template.
  7. Scan and Deploy the Java 7 update 25.

The best way to protect against this zero day is to eliminate the presence of Java 6 and this should be an easy way to do so.

Chris Goettl

Virtual Patches and the Data Center Environment

In advance of VMworld we caught up with Chris Goettl, Program Product Manager for Shavlik, to learn more about patching in the data center environment.

Q:  What are some of the key things to consider when deploying patches in a datacenter environment?

Chris:   From the conversations I have with customers I think getting up and running quickly is important.  You would be surprised how long some products take to implement.  Many of our competitors deploy agent-based systems that take longer to implement.  We have talked to some of their customers that struggled with implementation. In fact, one was in year two of trying to roll out a well-known product.

Q:  What is different about Shavlik from a timing perspective?

Chris:  There are a few things that give us an advantage in this area; in fact, we can show value on the same day.   So for example, if you install our product, we can be up and running, assessing your environment, and can stage patches within the first hour.   There is no product in the market that can be installed and be up and running delivering patches to endpoints that fast. 

Q: How do your products complement VMware?

Chris:  Of course we can patch VMware offline and online machines as well as hypervisors, but there is another area where we work well together.  Our products help VMware introductory level customers maintain their patch capability. This all stems from our previous relationship with VMware (we were owned by VMware before joining the LANDesk family).

Q: How does Shavlik provide benefit to these customers?

Chris: Let’s say you have a virtual infrastructure with 50 VMs on standard servers.  If the customer is running vSphere or less, then you have a big challenge to maintain that infrastructure.  On the other hand, enterprise VMware customers that have vSphere have an extremely robust product that images the hypervisor.  Every time you reboot the hypervisor it actually reboots under the base image, so all the customer has to do is apply a patch to the base image and then every time they reboot the hypervisors they are up to date.

Q: So Shavlik helps bridge the gap between VMware standard and the enterprise? 

Chris: Right, so we have a hypervisor feature within our product.  When IT installs Shavlik Protect the feature is already in place.  With Protect, you install it and type in the IP address or the server name for the hypervisor and a credential.  Protect connects, you click on a scan button, click on which patches you want, click deploy, and that is about it.  It really is a matter of months to minutes.

It's Possible! The Ability to Patch VMware Offline Machines with Shavlik Protect

In advance of VMworld we caught up with Anne Steiner, principal product manager at LANDesk, to learn more about how Shavlik Protect patches VMware virtual machines and templates.

Q: Shavlik has always been known for its ability to patch online virtual machines but there is an added capability that some may not be familiar with.  Shavlik can also patch offline VMware VMs as well as offline VMware templates.  What is the benefit in being able to do this?

Anne: IT departments generally have an image or a template that helps them create various user VMs.   These templates behave similarly to offline VMs.  When IT goes to create VMs for folks like you and me, they don’t want to have to go through a two-step process of creating the VM and then on top of that having to patch it.  Patching in that way takes extra time and manpower.  If the offline templates can be kept current all the time, IT can deploy a virtual machine without having to worry about whether the VM is up to date.

Q:  You mentioned patching offline machines, how does that work? 

Anne: If a VMware VM happens to be offline (maybe it is powered down to conserve power or for offline maintenance), Shavlik has the ability to see the VMware VM in your virtual infrastructure, recognize that it is offline, bring it up and patch it, and then put it back to rest.  The advantage is we’ll keep your entire virtual infrastructure up to date regardless of whether VMs are online or offline.

Q: Shavlik Protect has a feature called Snapshot.  Can you tell us about it?

Anne:  In the Shavlik patch process, we allow users to take a snapshot, which provides a restore point to revert to a known good configuration.  After the snapshot is created the user applies the patches and knows that if something were to happen, like one of the patches damaging the VM for example, they would very easily be able to go back to that snapshot and have everything the way it was before the patches were deployed.  In other words, snapshots can be used as a bit of an insurance policy.