May Patch Tuesday 2015

SecurityImage

Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and the following Microsoft products affect Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereference, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on Javascript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. An out-of-bounds read\write during JS validation, which could result in allow for information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolve, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday.  Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this months Patch Tuesday lineup.

April 2015 Patch Tuesday

SecurityImage

Patch Tuesday excitement is building. There is at least one known Flash vulnerability being exploited in the wild and one Microsoft vulnerability that has been publicly disclosed this month.

Microsoft has released 11 security bulletins this month, four of which are Critical, bringing the total to 42 security bulletins so far in 2015. This is more than twice the number of security updates released than last year at the same time.

From a vulnerability standpoint in April 2014 the CVE count for vulnerabilities resolved was at 72. We passed that count in March, with 76 vulnerabilities resolved. When this month’s 26 CVEs are included, we have a much higher total of 102 CVEs resolved to date.

The product and service impact for Microsoft this month includes the Windows OS, IE, Office, SharePoint, ADFS, .Net and Hyper-V. Two OS, the IE update, and Office update are rated as Critical.

Flash Player is making its triumphant return to Patch Tuesday. Adobe is aware that exploits of CVE-2015-3043 exist in the wild. Between January and February’s Patch Tuesday there were three zero days resolved by two releases in the span of about two weeks. In March the release came on the same week; however, they came at the end of the week. APSB15-06 resolves 22 vulnerabilities and is rated as a Priority 1 update. This should make your list of priority updates to roll out this month.

With a Flash Player update you can always expect an Advisory for Internet Explorer and a Google Chrome update. Google Chrome has a large release covering 45 vulnerabilities including many High priority updates.  That with the Priority 1 Flash plug-in make this release a high priority update when it arrives.

Oracle’s quarterly CPU is also occurring this month and happens to fall on Patch Tuesday. Oracle Java is resolving 15 vulnerabilities — all of which are remotely exploitable without authentication. The highest CVSS Base Score of these 15 vulnerabilities is a 10.0, which is the highest possible score. It goes without saying that Java should be a priority update this month. Three other Oracle products are resolving CVE’s with a 10.0 CVSS Base Score. So if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, they are all including vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.

Join us tomorrow for the Shavlik April 2015 Patch Tuesday webinar as we discuss the releases for this month, priorities, known issues, etc.

Patch Tuesday February 2015

SecurityImageIt is February and already we have seen some excitement so far this year. Between Microsoft dissolving the ANS (Advanced Notification Service), to Google’s Project Zero team rigidly adhering to their 90-day disclosure policy (disclosing a Windows vulnerability days before the January Bulletin released, not to mention the disclosure of three high severity Apple vulnerabilities in late January), and a series of Flash Zero Day’s that were discovered in the wild and quickly turned around by Adobe. My take on each of these:

  • Microsoft ANS – I’m not a fan of dissolving this program. Not all companies may have used this to their full advantage, but customers of ours relied on the ANS to give them a couple of day jumpstart on prepping for their monthly maintenance. If Microsoft introduces patches to a product that has never been updated prior to the patch cycle, admins will need time to prep test machines. Now they will be condensing that time along with change control processes into a tighter window.
  • Google Project Zero disclosures – Anyone who has read my blogs or commentary before knows that I am a proponent for vendors being responsible about disclosures, but after a resolution is in place. Yes the time to resolution is important, and for vendors who are negligent I fully agree with the Google stance. By Chris Betz’s comments in a blog post just after Google’s disclosure of the Windows OS vulnerability, they had communicated to Google, prior to the 90-day date, that the update was coming just a couple of days later. What purpose did this disclosure serve other than to stir up a lively debate?
  • Flash Zero Day’s – I do not envy the Adobe Security Team so far this year. Browsers, browser plug-ins and media players are prime targets for hackers. They are on practically every device we use, so naturally they will become a target. I do think that the turnaround from discovery to resolution on these three instances was very fast and applaud the Adobe team for ensuring the resolutions were delivered quickly.

For February Patch Tuesday the non-Microsoft updates are going to be light this month. With three Zero Day’s in a row, Flash Player has had a number of updates pushed recently. Companies that have not pushed the most recent Flash Player updates should do so immediately. Since January there have been three Flash Player updates to cover a series of Zero Day’s discovered in the wild. The most recent update on Feb. 5 also included 17 other vulnerability fixes. The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January.

With the series of Flash Player updates, you will also need to push the latest IE Advisory 3021953 to update the Flash Plug-in, otherwise you have not fully plugged the three Zero Day’s and additional vulnerabilities from the Flash releases.

Google Chrome also released prior to patch Tuesday to accommodate the urgent Flash Player updates. The latest Chrome update resolves the Feb. 5 Flash Player plug-in update along with 11 security fixes. This should be another high priority update for you this month. Google has announced a Beta Channel Update for Chrome, which usually indicates a release is not far off. I would expect it to be a feature release since Google updated so many security fixes on Feb. 5.

Mozilla Firefox released an update last week including 10 security vulnerabilities. Four of these are Critical. This should be among your top priorities this month to get updated.

On the Microsoft front we will see a fairly average-sized Patch Tuesday. Three Critical and six Important updates have been released. The impact this month includes the operating system, Internet Explorer, Office, SharePoint and System Center Virtual Machine Manager.

Internet Explorer is a critical update this month. Having not pushed an update in January, it is not surprise that there are 41 vulnerabilities being resolved in this Security Rollup. Definitely a Priority 1 this month. One of these has been publicly disclosed.

There are two Critical updates for the Windows Operating System updates this month. The first is a Critical Kernel Mode Driver update this month, so test diligently lest you blow up the brains of the machine. Then we have a Critical update group policy that could allow remote code execution. The VMM update applies to both server and client installs. If you have the admin console installed on the VMM server you should update the VMM server patch first, then the administrator console patch.

There are no Critical updates for Office this month, but there are multiple Important updates including a SharePoint update. The thing about SharePoint updates is the lack of rollback. Test adequately, especially if you have a lot of SharePoint plug-ins. If you have not already done so, you should look into virtualizing your SharePoint servers. The ability to snapshot the VM prior to updating will allow you to rollback even if the patch does not support it. If you are running VMware vSphere and Shavlik Protect, you can take advantage of our snapshot feature to do a pre-deploy snapshot automatically during the patch process.

Here is a bulletin-by-bulletin summary of the updates you should be planning for this February (first three released prior to Patch Tuesday):

APSB15-04: Security updates available for Adobe Flash Player
Vendor Severity: Priority 1
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 18 (+2 more if you have not pushed APSB15-03 yet)
Impact: 1 Zero Day currently being exploited in the wild (+2 more if you did not push -03), use-after-free, memory corruption, type confusion, heap buffer overflow, buffer overflow, and null pointer vulnerabilities.

Chrome 40.0.2214.111 : Stable Channel Update
Vendor Severity: High
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 11 (Also includes support for latest Flash plug-in)
Impact: 3 Highs resolving use-after-free, cross-origin-bypass, and privilege escalation

Firefox: 34 and 35 updates
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 10
Impact: 4 critical updates resolving sandbox escape, read-after-free, memory safety, and update to the OpenH254 plug-in.  Also includes uninitialized memory use, origin header, memory use, wrapper bypass and other vulnerability fixes.

MS15-009: Security Update for Internet Explorer (3034682)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 41 (1 is publicly disclosed)
Impact: Remote Code Execution, Security Feature Bypass

MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 6 (1 is publicly disclosed)
Impact: Elevation of privilege, Security feature bypass,

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 1
Impact: Remote code execution

MS15-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 3
Impact: Remote Code Execution

MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1 (publicly disclosed)
Impact: Security Feature Bypass

MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Security Feature Bypass

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

MS15-016: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Information Disclosure

MS15-017: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

Join us tomorrow on our monthly Patch Tuesday webinar as we discuss the priorities and pitfalls you will want to watch out for.

December Patch Day Round-Up

ShavlikSecurityAlthough it was not as large as the November Patch Tuesday, December’s Patch Tuesday still had some important updates to close out the year.  Microsoft released seven bulletins, three of which were critical.  The three critical updates affect Internet Explorer, Microsoft Office, and VBScript engine.  Also, the Exchange update (MS14-075), which was deferred from the November Patch Tuesday, did release this month.

The Microsoft side of Patch Tuesday does not seem all that daunting of a challenge aside from the Exchange update.  Adobe, on the other hand, has added a number of critical updates to the December Patch Tuesday, which effectively doubles the priority 1 list for the month.  Adobe pre-announced an update for Acrobat and Reader, but on Patch Tuesday they released updates for Flash, Shockwave, and ColdFusion.  Shockwave and ColdFusion were lower priority updates, but the Flash update is resolving a vulnerability which was already being exploited in the wild.  We also have a couple of things to for you to watch out for in today’s Patch Tuesday Round-Up.

Known issues to look out for:

  • KB3004394: An update Windows Root Certificate Program in Windows, has caused some issues for companies.  The update, when applied to Windows 7 or Server 2008 systems, has caused a few issues such as MMC functions requiring Administrator authentication even when logged on as an Administrator, Windows Defender Service failing to start, and Windows Update Service being unable to apply additional updates.  KB3024777 has been released to fix the issue by removing KB3004394.
  • An issue occurred on Windows 10 Technical Preview where some users had to remove Office before they could apply the December update.  Recommendation is to try applying the updates before going through the more tedious workaround of removing office, installing updates, then re-installing office.  Most users will not see the issue.
  • Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • Two of the November Bulletins had re-releases for specific affected products.  You will likely see some of those updates being reapplied this month.  Recommendation is to do so as the original fixes were not complete.  MS14-066 (Schannel) update on Vista and 2008 and MS14-065 (IE Cumulative) update on IE 8 for Windows 7 or 2008 R2 or IE10.  In the case of IE, applying the December IE Cumulative will also resolve the issues in the re-release.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

Normally I would start with Microsoft, but your highest priority this month should be Adobe Flash, the Advisory for updating the IE Flash Plug-In and the Google Chrome update to update Flash.

  •  APSB14-27 : Security updates available for Adobe Flash Player – This update resolves six vulnerabilities, one of which (CVE-2014-9163) was discovered being exploited in the wild.  The CVSSv2 base score for this vulnerability is a 10.0, which is the highest that can be assigned and it is Network Exploitable meaning an attacker does not need local network access or local access to exploit the vulnerability.  Admins should ensure they update Flash this month.  Not only for this update, but also for the other two Flash updates that occurred since November.  To fully patch Flash you must also update the Advisory for IE and the Chrome release so you have updated the plug-in for both browsers.
  • MSAF-034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer  – Updates the Flash Plug-In for IE.  Nuff said.
  • CHROME-119: Chrome 39.0.2171.95 – Ditto on the Flash Plug-In.  Update it.  In addition Google released a Chrome update just after the November Patch Tuesday that included 42 security updates, including many High priority updates.  That is two very good reasons to update Chrome ASAP.
  • MS14-080: Cumulative Security Update for Internet Explorer (3008923) – This update is rated as Critical and resolves fourteen privately reported vulnerabilities in Internet Explorer.  Many of the vulnerabilities involve memory corruption, continuing a trend we have seen for most of 2014.
  • MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) – This update resolves two privately reported vulnerabilities in Microsoft Word and Office Web Apps, which could lead to remote code execution if exploited.  The attacker would gain rights equal to the logged on user, so running as less than a full admin could reduce the impact of this type of attack if exploited.
  • MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) –  This update resolves one privately reported vulnerability in the VBScript engine.  If exploited an attacker would gain equal rights to the logged on user.  If the user is a full admin, the attacker would gain complete control of the affected system.
  • APSB14-28 : Security Updates available for Adobe Reader and Acrobat – This update resolves 20 privately reported vulnerabilities in Adobe Acrobat and Adobe Reader.  The impacts vary, but the worst of these could lead to code execution.  Adobe rated the update as a Priority 1, the highest priority Adobe assigns.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) – This update is rated as Important and resolves four privately reported vulnerabilities in Microsoft Exchange server.  Originally slated for November, this update was held until the December release.  Also, if you wait for the cumulative updates before updating, you may want to read up on the latest here.  The Exchange 2010 CU8 ran into some issues and was pulled from circulation then re-released.  The updated RU8 package is version number 14.03.0224.002 if you need to confirm you have the updated package.
  • MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Office.  If you have not rolled this out yet please check on this article which I referenced in the known issues above.  “Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) – This update is rated as Important and resolves two privately reported vulnerabilities in Microsoft Excel.
  • MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) – This update resolves one privately reported vulnerability in Microsoft Graphics Component which could lead to information disclosure.

And that closes out December’s Round-Up.  Hopefully you all have your patching wrapped up before Christmas so you can relax, kick back, and enjoy the holidays.

 

 

September Patch Tuesday Round-Up

ShavlikSecurityThis month may have been a light release from Microsoft, but there was still plenty of updates to deploy. Microsoft released four security updates, one of which was critical, resolving 42 vulnerabilities. On the Non-Microsoft front, there were releases from Adobe and Google to take note of. Adobe Flash had a patch Tuesday release resulting in an IE advisory and a Google Chrome release to update the Flash plug-in. The Flash update resolved 12 vulnerabilities. There was no security updates for Office this month, but there were 18 non-security updates. One of those has run into some issues and had to be pulled. Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) – This update is rated as critical by Microsoft. It resolves 37 vulnerabilities which could allow for remote code execution. The updates are all relating to memory corruption issues. One of the vulnerabilities resolved (CVE-2013-7331) has been exploited in targeted attacks in the wild. There are a large number of vulnerabilities and one publicly exploited making this a high priority for update.
  • APSB14-21: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe. The update resolves 12 vulnerabilities which have a variety of impacts including memory corruptionbypass memory randomization, code execution, bypass same origin policy, and security feature bypass.
  • MSAF-029: Microsoft Security Advisory: update for vulnerabilities in Adobe Flash in Internet Explorer – This update allows Internet Explorer to support the latest Adobe Flash release which resolves 12 vulnerabilities and is rated as a Priority 1 by Adobe.
  • CHROME-111: Chrome 37.0.2062.120 – Resolves four vulnerabilities including one high priority vulnerability. The update also includes support for the latest Adobe Flash plug-in which puts it up in the priority list for this month.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-053: Vulnerability in .Net Framework could allow Denial of Service – This update resolves one privately reported vulnerability which could lead to a DoS, but by default an install of .Net will not be vulnerable to this vulnerability. The flaw is exposed if ASP.NET is installed and registered with an IIS server. This would require customer to install ASP.NET manually.
  • MS14-054: Vulnerability in Windows Task Scheduler could allow for elevation of privilege – This update resolves one privately reported vulnerability in Microsoft Windows which could allow for elevation of privilege. The attacker must, however, have a valid logon credential and be able to log on locally to exploit this vulnerability.
  • MS14-055: Vulnerabilities in Microsoft Lync Server could allow Denial of Service – This update resolves three privately reported vulnerabilities in Microsoft Lync Server. The attacker must send a specially crafted request to the Lync Server to exploit this vulnerability.

Watch List:

  • Adobe delayed release of APSB14-20 – The update will be a Priority 1 from Adobe as it resolves several critical vulnerabilities. The release was delayed to the week of September 15, meaning it will drop any day now. Once it does, you can expect to bump this up to the Priority list for rolling out this month.
  • Office non-security patch pulled by Microsoft – Microsoft did not release any security updates for Office this month, but 18 non-security updates have released.  An issue was discovered with KB2889866, an update for OneDrive, which would cause syncing to another users library to fail and moving of links etc, to no longer be picked up by sync.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.

Patch Tuesday Advanced Notification September 2014

PatchWithoutBorderSo far we have four bulletins announced for September 2014, one Critical and three Important. Back in August Microsoft put a hard deadline on implementing the Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, making it so users need to install Update 1 in order to keep their systems updated.

The first patch Microsoft will be rolling out is for Internet Explorer and is Critical. For the past few months we have seen large numbers of vulnerabilities primarily around memory corruption and memory leaks being resolved in IE. It’s likely we are going to see a continuation of that trend that started back in June, but it’s probably going to be a fairly clean month for IE.

Of the three Important updates, there are two vulnerabilities that could result in a denial of service attack and one that could result in an elevation of privileges. These bulletins affect .Net Framework, the Windows Operating System and Lync Server. The .Net update is going to be the most important thing here and IT managers should make sure they are testing it adequately before rolling it out.

On the third party front, we are expecting an update from Opera any time now. They have updated their change log, but the new version (24) has not yet been made available on their downloads.

For Adobe we anticipate an update for Flash to be quite likely this month. So far in 2014 there has only been one patch Tuesday without a Flash update and that month there were two updates outside of patch Tuesday, one of which was a Zero Day. If there is a Flash release, you can expect a Microsoft Advisory update for IE to update the Flash plug-in and most likely a Google Chrome update to support the plug-in as well.

Microsoft Security Bulletins:

  • 1 bulletin is rated as Critical.
  • 3 bulletins are rated as Important

Vulnerability Impact:

  • 1 bulletin addresses vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in a Denial of Service.
  • 1 bulletin addresses vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • .Net Framework.
  • Lync Server.

Join us as we review the Microsoft and third-party releases for September Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, September 10th at 11 a.m. CDT.  We will also discuss other product and patch releases since the August Patch Tuesday.

You can register for the Patch Tuesday webinar here.

August Patch Tuesday Advanced Notification

We have a big Patch Tuesday this month.  Microsoft started by releasing 8 updates and slipped in a later 9th later in the week last week.  That is just the beginning.  As of this morning we have updates from Opera, Picasa, Adobe Acrobat, Reader, Flash 13 and 14, and AIR, with likely appearances by Chrome (high likelihood) and a possible FireFox (have had a beta out for some time and likely to release soon).  A couple of things to look out for.  There is a Critical IE, which is likely the continuation of resolving a large number of memory corruption issues starting with the June IE resolving around 60 vulnerabilities and continuing in July resolving about half that many.  There is a SQL patch this month which will need some attention in testing and there is also a .Net patch resolving a Security Feature Bypass.

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 7 bulletins are rated as Important.

Vulnerability Impact:

  • 3 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 4 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 2 bulletins address vulnerabilities that could lead to Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions
  • Microsoft SQL Server
  • .Net Framework

Join us as we review the Microsoft and third-party releases for August Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, August 12th at 11 a.m. CDT.  We will also discuss other product and patch releases since the July Patch Tuesday.

You can register for the Patch Tuesday webinar here.

This Week in Patching – 1/11/2013

Happy New Year.  I hope IT administrators got some much needed patching rest over the past couple of weeks.  2013 is started out quite heavy in the world of patching.

This week was highlighted by a busy Patch Tuesday.  You can read my write up on the January 2013 edition of Patch Tuesday here.

There were also other vendors releasing critical security bulletins on Patch Tuesday.  Adobe released two security bulletins.  APSB13-02 was pre-announced last Thursday as a part of their quarterly update for Adobe Acrobat and Adobe Reader.  Adobe Acrobat / Reader versions 9.5.3 / 10.1.5 / 11.0.1 address 27 vulnerabilities and are rate Critical.  Adobe security bulletin APSB13-01 was not pre-announced by Adobe, but I expected this bulletin to be released after Microsoft announced an update for Adobe Flash Player in Microsoft Internet Explorer 10 last Thursday was set to be released on Patch Tuesday.  APSB13-01 addresses 1 vulnerability in Adobe Flash Player versions 10 and 11 (as well as Adobe Air 3.5).

Mozilla also released security updates to coincide with Microsoft’s Patch Tuesday.  The most notable of the releases by Mozilla was the major update for Firefox.  Mozilla Firefox 18 contains new features as well as security updates.  For those organizations that do not want to roll out new features in their Mozilla products due to concerns of the new features breaking functionality, Mozilla is continuing their effort with the Mozilla ESR products.  These product updates contain new security fixes but do not contain new features.

Here is the details list of Mozilla updates released on Patch Tuesday:

  • Mozilla Firefox 18
    • Security update addressing 12 Critical, 8 High and 1 Moderate Mozilla Security Advisories (30 vulnerabilities)
  • Mozilla Firefox ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (19 vulnerabilities)
  • Mozilla Firefox ESR 10.0.12
    • Security update addressing 8 Critical and 4 High Mozilla Security Advisories (14 vulnerabilities)
  • Mozilla Thunderbird 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla Thunderbird ESR 10.0.12
    • Security update addressing 8 Critical and 3 High Mozilla Security Advisories (18 vulnerabilities)
  • Mozilla Thunderbird ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla SeaMonkey 2.15
    • Security update addressing 12 Critical, 7 High and 1 Moderate Mozilla Security Advisories (26 vulnerabilities)

 

The other notable updates this week were released on Thursday.  Google updated their Chrome and Chrome Frame browser with version 24.0.1312.52.  This new version fixes 24 vulnerabilities and includes an updated version of Adobe Flash Player that was released by Adobe on Patch Tuesday.  In the past year, Google has been in sync with Adobe on Adobe Flash Player releases.  Interestingly, Google’s release came two days after the Adobe Flash Player release.

There were also some non-security updates released on Thursday.  MozyHome and MozyPro updated their programs with version 2.18.2.244.  Microsoft released a new version of Skype with 6.1.0.129.  This version now integrates with Microsoft Office Outlook contact.

Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Overview

To ring in the New Year, today Microsoft has released seven new security bulletins addressing 12 vulnerabilities.

However, the most notable headline from this Patch Tuesday is a security bulletin that was not released.  On December 29, 2012, Microsoft released a security advisory (2794220) informing administrators of a vulnerability in Internet Explorer was currently being exploited.  Microsoft provided a non-security update to prevent exploitation to that vulnerability.  Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability.  As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible.  Only Internet Explorer browser versions 6, 7 and 8 are affected by this vulnerability.

Of the seven Microsoft security bulletins released for the January 2013 edition of Patch Tuesday, administrators should look at patching MS13-002 first.  Microsoft has identified a vulnerability in Microsoft XML Core Services.  If an unpatched systems browses to a malicious website, an attacker can gain remote code execution.

The other browsing threat this month that needs attention from administrators is MS13-004.  In this security bulletin, Microsoft is addressing a vulnerability in their .NET software application.  If an unpatched machine browses to a malicious website, an attack can gain elevation of privilege on that machine.

The other critical update this month (MS13-001) addresses a vulnerability in the Windows Print Spooler.  If a machine is set up as a print server, an attacker can send a malicious print job to the machine and gain remote code execution.  Security best practices call for printer servers to reside behind a firewall that only allows internal users to print to the print server.  A most likely attack scenario is for an attacker to already be on the internal network.

And as is becoming a recurring theme, this Patch Tuesday is not just a Microsoft-focused security day.  Several non-Microsoft software vendors have also joined in with releases of their own.

Adobe has released security bulletin APSB13-02 affecting all supported version of Adobe Acrobat and Reader.  This security bulletin is part of their quarterly update for Adobe Acrobat and Reader and was expected.

Adobe also released updates for their Air and Flash Player products.  These updates are security updates were not previously announced (APSB13-01).  With any Adobe Flash Player update, Microsoft and Google update their latest browsers to include the new release of Adobe Flash Player.

Mozilla also released new versions of their products.  Mozilla Firefox 18 are new versions of their product that only contain new features.  Previous versions of the Mozilla products also received updates that contain security fixes.

 

Given that the January 2013 Patch Tuesday does not include a security update for the zero-day Microsoft Internet Explorer vulnerability, there is a good chance we will see an out-of-band update from Microsoft before the February 2013 Patch Tuesday.  Microsoft will continue to monitor the threat landscape and decide if this zero-day vulnerability warrants and out-of-band release.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 1/4/2013

Patching quietly came to an end for 2012, and 2013 is starting off with a bang.  Here is a quick recap of the happenings in patch management this first week of the New Year:

On Wednesday, a new version of CDBurnerXP was released with version 4.5.0.3717.  This new version is a non-security update.  On Friday, Google released a non-security update for their Picasa program with version 3.9.136.120.

Microsoft announced their January 2013 Patch Tuesday Advance Notification.  You can read my write up here on the upcoming Patch Tuesday notification details.  In addition to the seven Microsoft security bulletins being released next Tuesday, there are quite a few non-Microsoft patches expected to be released as well.

Adobe announced they will be releasing updates for their Adobe Reader and Adobe Acrobat programs (versions 9/10/11).  These updates are rated as critical and are part of their quarterly update for Adobe Acrobat and Reader, which falls on this January Patch Tuesday.

In addition, Mozilla is lining up to release updates as well for their products.  You can expect updates for their Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey products.

On Microsoft’s preannouncement page for upcoming non-security updates, they have listed Adobe Flash Player for Internet Explorer 10.  With this in mind, expect updates from Adobe for Adobe Flash Player and Google Chrome on Patch Tuesday.  With every Adobe Flash Player release, Microsoft and Google update their browsers to supply the latest version of the Flash Player program.

On the Microsoft Security Advisory front, Microsoft released a new security advisory on Thursday.  Microsoft Security Advisory 2798897 addresses issues with fraudulent digital certificates.  This security advisory places the offending certificates in the untrusted certificate store on systems.  In June 2012, Microsoft released a tool that will run on systems and quickly moves revoked certificates to the untrusted certificate stores.  This tool aids administrators that want an easy and quick way to update certificate issues Microsoft finds.  This tool can be downloaded here.  For those that do not want to use the tool, Microsoft has provided patches for this certificate issue that can be applied to systems.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

Until Patch Tuesday, Happy Patching!

– Jason Miller