March Patch Tuesday Round-Up

Things were going too smoothly this month, but it did not take long for some curve balls to show up and make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here, and with it Microsoft has released MS16-036, its security bulletin for the Flash Player plug-in. Also expect ANOTHER Google Chrome update to ship the latest Flash plug-in version there as well.

OK, so APSB16-018 for Adobe Flash Player resolves 23 vulnerabilities, several of which are critical in nature, but let’s focus on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next, let’s talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added another GWX trigger, so your users will get a dialog prompting them to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE cumulative KB page states that there are a number of non-security changes in this month’s cumulative update, and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagement.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it, as I expect people will be looking for ways to prevent their users from getting the dialog at all.
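For admins who want to set the block themselves rather than rely on a third-party writeup, here is an added example (not from the original post and not from the writeup it links to) that applies and then verifies the two upgrade-notification policy values Microsoft documents in KB 3080351. The key paths and value names are quoted from that KB as I recall them, so confirm them against the KB before deploying; the function names are my own.

```powershell
# Added example, not from the original post or from the writeup it links to.
# Sets and verifies the Windows 10 upgrade-notification policy values that Microsoft
# documents in KB 3080351 ("How to manage Windows 10 notification and upgrade options").
# Assumption: the key paths and value names below are quoted from that KB from memory;
# confirm them against the KB before deploying. Run from an elevated PowerShell session.

$GwxPolicies = @(
    # Suppresses the "Get Windows 10" (GWX) notification app and its upgrade dialog
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx';       Value = 1 }
    # Prevents Windows Update from offering the Windows 10 upgrade itself
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade'; Value = 1 }
)

function Set-GwxBlockPolicy {
    foreach ($p in $GwxPolicies) {
        # Policy keys do not exist by default; New-Item -Force creates the path without
        # disturbing any values already stored under it
        if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType DWord -Force | Out-Null
    }
}

function Test-GwxBlockPolicy {
    # Returns one row per policy value so the result can be fed to reporting or a compliance check
    foreach ($p in $GwxPolicies) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Path      = $p.Path
            Name      = $p.Name
            Expected  = $p.Value
            Actual    = $actual
            Compliant = ($actual -eq $p.Value)
        }
    }
}

Set-GwxBlockPolicy
Test-GwxBlockPolicy | Format-Table -AutoSize
```

Test-GwxBlockPolicy can be run on its own from a monitoring job to confirm the setting survived later cumulative updates, which is the concern the IE cumulative change above raises.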

 

March Patch Tuesday 2016


March Patch Tuesday brings a great deal of updates, but no public disclosures or exploited vulnerabilities as of yet. Let’s start with what we know for sure: Microsoft has released 13 bulletins, five of which are critical and eight of which are rated as important. With these bulletins, Microsoft is resolving 39 vulnerabilities in total this month. On the non-Microsoft front, Adobe is releasing two bulletins, rated Priority 2 and 3, that resolve four vulnerabilities. Additionally, Mozilla Firefox 45 has been released and is rated critical, as it resolves 22 vulnerabilities.

First, taking a closer look at Microsoft, we have critical updates for Internet Explorer (MS16-023) and Edge (MS16-024), as expected. These updates resolve 13 and 11 vulnerabilities, respectively. Microsoft’s claim that Edge is more secure appears to be valid, although this month’s numbers do not show that big of a difference. So far in 2016, IE has had 27 vulnerabilities, compared to Edge’s 19. As you would expect, the vulnerabilities resolved in both browsers involve exploiting a user through specially crafted web content. In this situation, an attacker who convinces a user to click on specific content gains the same user rights as the actual user. If that user is a full admin, the attacker would gain complete control of the system, allowing them to create accounts, install or remove apps and delete data, among other things.

Ten of the Microsoft updates affect Windows, including the other three critical updates from Microsoft. MS16-026 resolves vulnerabilities in graphic fonts, MS16-027 resolves vulnerabilities in Windows Media and MS16-028 resolves vulnerabilities in the Windows PDF Library. In all three cases, the attacker would exploit the vulnerabilities by convincing a user to open specially crafted files or media content. As a result, the attacker would gain the same privileges as the current user, so least-privilege rules will reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 further mitigates one of the vulnerabilities by reducing the attacker’s privileges, because the exploit code can only execute from within the sandbox.

Microsoft Office and SharePoint are both affected by MS16-029, which is rated as important and resolves three vulnerabilities. For all of you ops guys out there, I know there is some uneasiness around patching SharePoint because the updates cannot be rolled back easily if something goes wrong. If you are on a virtual machine, you can take a snapshot prior to the update. That way, if anything goes wrong, you can quickly revert. If you are not yet virtualized, consider making the switch – doing so will make life a lot easier.

There are six more important updates affecting Windows components, including Kernel-Mode Drivers, the USB Mass Storage Class Driver, Secondary Logon and OLE. Last on the list is an update for .NET Framework. .NET is always interesting because you can have various versions on a machine, and as a result it can take a bit longer to install updates for .NET. So, if your servers take a while to install updates, know that it’s likely due to multiple .NET versions requiring updates.

Now, switching to the non-Microsoft updates:

Mozilla has released Firefox 45, which resolves 22 vulnerabilities in total, eight of which are critical. The vulnerabilities range from buffer overflows to font-handling vulnerabilities, and the sheer number of fixes makes this update a priority for this month.

Adobe has released two bulletins so far. The first is APSB16-006, a Priority 3 update for Digital Editions that resolves a critical vulnerability. Although there is only one, it is critical and could lead to code execution, which makes me wonder about the priority. The second Adobe bulletin is for Adobe Acrobat and Reader. APSB16-009 resolves three vulnerabilities, including yet another critical one that could lead to code execution. This bulletin is rated Priority 2.

While we haven’t seen it yet, there is evidence a Flash update could be on its way. If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it. This could signal the change in distribution that Adobe has warned us about for a few months now. Either way, if Flash Player drops, expect a bulletin from Microsoft for Flash for Internet Explorer, an update from Google Chrome to support the latest plug-in, and updates for Flash Player at the OS level and for the Firefox plug-in.

Join us tomorrow for the March Patch Tuesday webinar where we will discuss the bulletins in more detail.

January Patch Tuesday 2016


January 2016 is going to be anything but boring. Microsoft has a large lineup of updates. The bulletin list opens 2016 with 10 bulletins — minus one. MS16-009 has been skipped and Microsoft went to MS16-010 instead. Is that a small joke relating to Windows 9 skipping to Windows 10? Maybe Microsoft doesn’t like the number nine for some reason. That oddity aside, Microsoft released six critical and three important bulletins with six public disclosures, resolving a total of 26 vulnerabilities for January Patch Tuesday.

Also of note on the Microsoft side are an advisory deprecating the SHA-1 hashing algorithm and end-of-life dates for Internet Explorer versions and Windows XP Embedded. Adobe announced a bulletin for Reader along with a non-security release of Shockwave, and Oracle is gearing up for its quarterly CPU, so expect Java to release next Tuesday, January 19.

Microsoft System Updates and End of Life Scheduling

Jan. 12 is a significant milestone for Internet Explorer support. Microsoft is releasing a final update for all supported IE versions, but after January it will only support the latest version available for each operating system. This means that on Windows 7 SP1 and later, you must be on IE 11 to continue receiving updates. There are a few exceptions for older operating systems that only supported up to IE 9 or 10. If you are still running applications or accessing sites that require IE 10 or earlier, you should plan to take some precautions: restrict access to systems with outdated IE versions, virtualize them and close them off from direct Internet access. In extreme cases where you need to run an outdated version of IE on a system that requires Internet access, you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing session and allow the system to be returned to a known-good state if anything untoward were to occur during that session.

Windows XP Embedded SP3 is also reaching its end of life today. It will be followed in a few months by Windows XP Embedded Point of Sale SP3, which is due to end on April 12. Retailers will start to sweat if you are still on those platforms after that date.

Expect both outdated IE versions and XP Embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. I am guessing there will be those who look into the registry hack that was used to trick Windows XP into thinking it was Windows XP Embedded POSReady 2009. If you have no other recourse, you may roll the dice on that, since POSReady 2009 is really just another distribution of Windows XP Embedded. Moving off of the end-of-life platform is still the best option, though.

Oracle’s quarterly CPU is coming on Jan. 19. I mention it now because those of you running Java will definitely want to plan to roll that update out when it arrives next week as well. In 2015, the lightest of the Java updates included 14 CVEs, all of which were remotely exploitable without authentication. The rest resolved 19–25 vulnerabilities each, with more than 15 being remotely exploitable without requiring credentials.

Microsoft January Bulletins

MS16-001 and MS16-002 are updates to Microsoft’s Internet Explorer and Edge browsers. Both are rated as critical, resolving two vulnerabilities each. The IE patch includes a public disclosure (CVE-2016-005), which puts it at a higher risk of being exploited.

MS16-004 is an update for Microsoft Office and Visual Basic. The bulletin is rated critical and resolves six vulnerabilities including two public disclosures (CVE-2016-0035, CVE-2015-6117).

MS16-005 is a critical update for the Windows Operating System resolving two vulnerabilities including one public disclosure (CVE-2016-009). This is also a Kernel-Mode Driver update. Thorough testing is always recommended. If an application patch goes wrong you can just reinstall, but if a kernel patch goes wrong it will be more severe.

MS16-007 is an important update for Microsoft Windows, which resolves six vulnerabilities including two public disclosures (CVE-2016-0016, CVE-2016-0018). There are a few known issues with this update. To be fully protected you also need to have MS16-001 for Internet Explorer installed. Windows 10 users who have Citrix XenDesktop should be aware that installing this update will prevent login. Microsoft recommends that users uninstall XenDesktop, install this bulletin and then follow up with Citrix for a fix for XenDesktop.

The way the issue is worded on the bulletin page makes it sound like Microsoft’s methods of updating Windows 10 (Windows Update, WSUS, SCCM) will not offer this update if XenDesktop is installed. It states “Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update.” So, if Windows 10 updates are all bundled, cumulative updates, this would mean that the January cumulative for Windows 10 would not be installed. That means all five bulletins that would affect Windows 10 would go unpatched until the issue is resolved.

MS16-008 is only rated as Important and has no public disclosures, but it is a kernel patch addressing Elevation of Privilege vulnerabilities. Thorough testing is recommended before rollout.

MS16-009 did not drop yet. This could mean it will not arrive until February, or it could come out of band. The last time we saw a bulletin be skipped in the order was an SQL update that dropped between Patch Tuesdays. Keep an eye out for this one in case it comes late. It will likely be a high priority if that is the case.

MS16-010 is an important update for Microsoft Exchange. There are no public disclosures or known issues, so our recommendation is thorough testing and rollout in a timely manner.

Third Party Bulletins

Adobe has released one bulletin this month. APSB16-002 for Adobe Reader is a Priority 2 update resolving 17 vulnerabilities. The only other update from Adobe today was an update for Shockwave, which did not have an accompanying bulletin. APSB16-001 for Adobe Flash actually first dropped in late December, with a re-release the next day resolving an ActiveX issue. That release likely came early due to a known exploit in the wild (CVE-2015-8651). Ensure that the Flash update is rolled out if you have not already done so.

Join us tomorrow for the January Patch Tuesday webinar where we will discuss the bulletins in more detail.

 

A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently discussing the number of bulletins and vulnerabilities released/resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft, and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released and a total of 571 vulnerabilities resolved. This is the highest bulletin count ever, topping the previous shared 2010/2013 high of 106 bulletins. It also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins, and it is more than double the vulnerabilities resolved in 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:

(Image: summary chart of the top five vulnerable vendors of 2015)

As you can see there is a trend here and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012 and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and there are more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product market in today’s dark web hacking services markets and the number of products and increase in features they provide coincide with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. Barring a Zero Day, from the time a vendor releases an update resolving a vulnerability you have about two weeks before the exploits start to hit. According to the Verizon 2015 Breach Report, 50 percent of vulnerabilities that will be exploited are exploited within two to four weeks of the vendor releasing an update. One of the contributors to the Verizon Breach Report, Kenna Security, released an additional report that goes further out and shows that 90 percent of vulnerabilities that will be exploited are exploited within 40–60 days of an update being made available by the vendor. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve the vulnerability. In the case of web exploits, that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend of exploits and a shrinking window between updates from a vendor and exploit code being made available to take advantage of the resolved CVEs. Events of the three previous years set the stage for vendors in 2015. Let’s take a look at our top 5 vendors and talk about how this trend may have affected each.

Apple has a combination of OS, Browser, and Media player products all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X related malware. “There’s been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined.” With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market and it has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time and there is no question that the trends we are seeing would have directly affected them. The thing I will add here is that Windows 10 and Edge were likely much less significant in their contributions. OS bulletins released since Windows 10 have affected earlier versions of the Windows OS similarly, and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVEs affecting Windows 10 you will see in the description a list of many of the currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of the CVEs affected other components of the OS and the IE browser as well. Similar to Apple, the increase in CVEs is in part due to the fact that Microsoft is focused on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as Apple, Microsoft or Adobe. Cisco does have its proprietary OS for its devices and, as far as CVE counts go, it is on par with many of the individual Windows OS versions and Linux distributions. It has other products, such as Cisco AnyConnect VPN, that could be an ideal target for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, its huge list of products is the other significant contributing factor: over a thousand products with small contributions each add up to put them in the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013. It was the only vendor of the top five that didn’t set new CVE records this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java; if you updated Java, you broke the application. This resulted in an easily exploitable scenario that threat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days it had been since the last Java Zero Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. It reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since the last Zero Day, and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With over three times the increase in CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Adobe Flash Player has gained the same broad use and popularity that caused Java to become a target. It has, quite possibly, topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering streak of eight Zero-Days. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more mid-year, and it did not stop there. Security experts have called for the death of Flash Player, from Brian Krebs’ life without Flash Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of the 440 total Adobe CVE count for 2015, which on its own more than doubled the 2014 count of 138. Adobe is trying to move away from Flash, and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, OS and commonly used media products are a significant contributor to counts for our top 5 vendors. Browsers are another significant contributor. Apple Safari and Microsoft Internet Explorer and Edge contributed 135 and 231 CVEs respectively to their vendor’s total counts this year. Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 out of Google’s total 321, putting them in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 out of 187 total, placing them at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall you can rest assured that if you are running a computer with an operating system, a variety of media player products and a browser, you are as vulnerable as you can possibly be. The window between product release and exposure has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver updates for the vulnerabilities most likely to be exploited. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinar series, where we discuss updates that occur on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their needs to reboot and finalize installs of updates effectively. The ProtectCloud enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end user system. We host this service for you and provide it as part of the base feature set of our product so you can reach those systems and ensure you can report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options from deferring reboot for up to seven days, reboot at logoff or at next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products that are on my network? We have a plug-in for Microsoft System Center Configuration Manager. It is called Shavlik Patch and provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM without changing your infrastructure or the processes you have in place.

December Patch Tuesday 2015


December Patch Tuesday is upon us. Let’s see if we have presents under the tree or coal in our stockings…

Microsoft has released 12 bulletins, eight of which are Critical, resolving a total of 71 vulnerabilities. Adobe released a whopper of a Flash update resolving 78 vulnerabilities. Google Chrome is dropping today as well. Aside from an update for the Flash Player plug-in and its 78 security fixes, there are reportedly security fixes coming for the browser as well.

While Microsoft has quite the lineup this month, it didn’t quite catch Adobe’s 78 vulnerabilities resolved for the month. They did, however, have one public disclosure (CVE-2015-6175), and two vulnerabilities exploited in the wild (CVE-2015-6175, CVE-2015-6124). Here are the highlights for Microsoft:

MS15-124 is a critical update for Internet Explorer with 30 vulnerabilities resolved in total. Also of note, supported Internet Explorer versions will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means that if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. Time to check your browser versions across the enterprise and compare them to the versions listed in this blog post:

https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/
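The check described above (and again in the January post on the IE end-of-life date) can be scripted. The following is an added example, not from the original post: it reads the installed IE version from each host and flags any that sit below the latest version supported for its OS. The OS-to-IE table is my reading of the January 12, 2016 policy and is an assumption to verify against the linked Microsoft post; the function names are my own.

```powershell
# Added example, not from the original post. Inventories the installed Internet Explorer
# version on a list of hosts and flags any that fall below the latest version supported
# for their OS under the January 12, 2016 policy. Assumption: the OS-to-IE table is the
# author's reading of that policy; check it against the Microsoft blog post linked above.
# Remote hosts need WinRM (for the registry read) and CIM/WS-Man access (for the OS caption).

$LatestSupportedIE = @{
    'Windows Vista'          = 9    # Vista SP2 never got past IE 9
    'Windows Server 2008 R2' = 11
    'Windows Server 2008'    = 9    # Server 2008 SP2 tops out at IE 9
    'Windows Server 2012 R2' = 11
    'Windows Server 2012'    = 10   # Server 2012 (non-R2) tops out at IE 10
    'Windows 7'              = 11
    'Windows 8.1'            = 11
    'Windows 10'             = 11   # IE 11 ships alongside Edge
}

function Test-IsLocalHost {
    param([string]$ComputerName)
    return ($ComputerName -in 'localhost', '.', $env:COMPUTERNAME)
}

function Get-IEMajorVersion {
    param([string]$ComputerName)
    $read = { Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' }
    $ie = if (Test-IsLocalHost $ComputerName) { & $read } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read -ErrorAction Stop
    }
    # IE 10 and later record their true version in svcVersion; if only 'Version' is
    # present, the installed browser is IE 9 or older
    $verString = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]$verString.Split('.')[0]
}

function Get-OSCaption {
    param([string]$ComputerName)
    $cim = @{ ClassName = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
    if (-not (Test-IsLocalHost $ComputerName)) { $cim.ComputerName = $ComputerName }
    return (Get-CimInstance @cim).Caption
}

function Get-IESupportReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        try {
            $caption = Get-OSCaption -ComputerName $computer
            $ieMajor = Get-IEMajorVersion -ComputerName $computer
        } catch {
            # Unreachable hosts are reported rather than silently dropped from the inventory
            [pscustomobject]@{ Computer = $computer; OS = '?'; IEMajor = $null; Required = $null
                               Status = "ERROR: $($_.Exception.Message)" }
            continue
        }
        # Try the longest OS names first so 'Windows Server 2008 R2' is not matched as 'Windows Server 2008'
        $match = $LatestSupportedIE.Keys | Sort-Object Length -Descending |
                 Where-Object { $caption -like "*$_*" } | Select-Object -First 1
        $required = if ($match) { $LatestSupportedIE[$match] } else { $null }
        $status = if ($null -eq $required) { 'UNKNOWN OS - check manually' }
                  elseif ($ieMajor -ge $required) { 'OK' }
                  else { "OUT OF SUPPORT after 2016-01-12 (needs IE $required)" }
        [pscustomobject]@{ Computer = $computer; OS = $caption; IEMajor = $ieMajor
                           Required = $required; Status = $status }
    }
}

Get-IESupportReport -ComputerName 'localhost' | Format-Table -AutoSize
```

Feed Get-IESupportReport a list of hostnames from AD or your inventory tool and pipe the result to Export-Csv; anything not marked OK is a machine that stops receiving IE security updates after the January cutoff and belongs on the isolation or upgrade list.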

MS15-125 is a critical update for Edge with 15 vulnerabilities resolved. This update will be included with six others in the December Windows 10 Cumulative Security Update.

MS15-128 is a critical update for Windows, .NET Framework, Office, Skype, Lync and Silverlight, resolving three vulnerabilities. This is a Microsoft Graphics Component update, which is a shared library that affects many applications. Expect many variations of this update to apply to the same system, one for each affected product you have installed.

MS15-131 is a critical update for Microsoft Office, resolving six vulnerabilities. This bulletin includes a fix for CVE-2015-6124, which has been detected in exploits in the wild. The vulnerability takes advantage of a failure to properly handle objects in memory. If exploited, the attacker could run arbitrary code in the context of the user. Least privilege policies would help mitigate the impact if exploited by limiting what the attacker could do. This vulnerability can be exploited in web-based attacks using specially crafted content designed to exploit the vulnerability.

MS15-135 is an important update for Microsoft Windows, which resolves four vulnerabilities. This bulletin includes a fix for CVE-2015-6175, which has been publicly disclosed and also has been detected in exploits in the wild. While this is only rated as important, we recommend treating it as a high priority. This update addresses kernel memory handling. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. At that point they could install programs, view, change or delete data, or create new accounts with full user rights. This is a kernel update, so thorough testing is highly recommended.

Microsoft also released its Windows 10 December Cumulative Update (3116869). This update includes seven bulletins: MS15-124, MS15-125, MS15-126, MS15-128, MS15-132, MS15-133 and MS15-135. It includes five critical bulletins and MS15-135, which covers CVE-2015-6175. This vulnerability has been publicly disclosed and detected in exploits in the wild.

APSB15-32 is a Priority 1 update for Adobe Flash Player, resolving 78 vulnerabilities. This bulletin includes a large number of code execution vulnerabilities and a few security feature bypass vulnerabilities. To fully resolve these vulnerabilities you need to ensure you update Flash Player on the OS, as well as the plug-in in your browsers. You will need to update IE, Chrome and Firefox plug-ins to fully ensure these vulnerabilities are resolved.

Google has also released an update to Chrome resolving at least seven vulnerabilities, according to initial reports from Google. It will also include support for the Flash Player plug-in and the 78 vulnerabilities resolved there. This is recommended to be a high-priority update this month.

Join us tomorrow for the December Patch Tuesday webinar where we will discuss the bulletins in more detail.

October Patch Tuesday 2015


Microsoft is taking it easy on us this month. But don’t worry, Adobe, Google and Oracle are adding to the Patch Tuesday queue this month.

Microsoft has released just six bulletins this Patch Tuesday. This is a welcome reprieve given the 2015 bulletin count has already exceeded the total bulletin count for 2014 (85). With this month’s bulletins, the count is now up to 111 so far in 2015.

September Patch Tuesday, a lot of Microsoft with a touch of Adobe


This feels like a light month compared to the last few Patch Tuesdays, especially for third parties. Coming off of Black Hat, all the vendors we would normally expect to see on patch day have had their hands forced last month to respond quickly to any vulnerability they may have had, likely causing a slow month this time around. Next month we should expect a Java quarterly release, along with more third-party patches.

As for Microsoft, it has released 12 bulletins. Five of these bulletins are rated as Critical. There are a lot of media content vulnerabilities being resolved this month for graphics drivers, Windows Journal and Media Center, and Microsoft Office and SharePoint.

May Patch Tuesday 2015


Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and affect Internet Explorer, the OS, .NET, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .NET, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync and Silverlight, so expect to need several variations of this update across most of your machines. It resolves two vulnerabilities in OpenType and TrueType font handling: an attacker could craft documents or web content containing embedded TrueType fonts that, when rendered, allow remote code execution. This update should also be on your priority list, but it will likely require more testing because of the variety of products affected.

MS15-045 is a Critical update for the OS that resolves six vulnerabilities, any of which could allow remote code execution: an attacker could craft a special Journal file that, when opened, gives them the same rights as the logged-on user. This update should also be on your priority list this month.

Of the Important updates, a few things are worth noting. SharePoint, .Net and Kernel Mode Drivers are all on the list of affected products this month; they should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both you really only need MS15-055, the SChannel update. If you do not deploy MS15-055, MS15-052 is still required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat and Acrobat Reader and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should be on your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved. They range from buffer overflows, which could lead to code execution, to null-pointer dereferences, which could lead to denial of service; fourteen of them allow bypassing restrictions on JavaScript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash Player resolves 18 vulnerabilities and is also a Priority 1 update. Thirteen of the 18 CVEs have a CVSS base score of 9.3. Multiple code execution vulnerabilities are being resolved, one of which lets an attacker bypass Protected Mode in Internet Explorer. As usual with Flash, you may have up to four updates to deploy to cover all of these vulnerabilities: Flash Player itself, Google Chrome (also released today, with its bundled plug-in), the Flash plug-in for Firefox, and the Microsoft Security Advisory that updates Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 has been released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 plug-in. Because Chrome bundles its own copy of Flash, you are not fully up to date on Flash Player until Chrome itself is updated.
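To make the four-way Flash check above something you can actually run, here is an added PowerShell inventory script (example code, not from the original post or from Shavlik). It finds each browser’s copy of Flash Player on a Windows host, reads the binary version, and flags anything older than the 17.0.0.188 plug-in and 42.0.2311.152 Chrome build named above. The required versions come from the post; the install paths are assumptions about default installations.

```powershell
# Added example, not code from the original post or from Shavlik. Inventories the
# Flash Player binaries each browser loads and flags any that are behind the
# versions named in the post. Install paths are assumptions about default installs.
$pf86 = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }

$Checks = @(
    # IE loads the ActiveX control; 64-bit Windows keeps a 32-bit copy under SysWOW64 as well.
    @{ Name = 'IE (ActiveX)';           Path = "$env:SystemRoot\System32\Macromed\Flash"; Filter = 'Flash*.ocx';        Required = [version]'17.0.0.188' },
    @{ Name = 'IE (ActiveX, WOW64)';    Path = "$env:SystemRoot\SysWOW64\Macromed\Flash"; Filter = 'Flash*.ocx';        Required = [version]'17.0.0.188' },
    # Firefox loads the NPAPI plug-in from the same Macromed\Flash directories.
    @{ Name = 'Firefox (NPAPI)';        Path = "$env:SystemRoot\System32\Macromed\Flash"; Filter = 'NPSWF*.dll';        Required = [version]'17.0.0.188' },
    @{ Name = 'Firefox (NPAPI, WOW64)'; Path = "$env:SystemRoot\SysWOW64\Macromed\Flash"; Filter = 'NPSWF*.dll';        Required = [version]'17.0.0.188' },
    # Chrome bundles its own PPAPI Flash inside each versioned Application\<ver> folder,
    # so the plug-in is only current once Chrome itself is (assumed install path).
    @{ Name = 'Chrome (PPAPI)';         Path = "$pf86\Google\Chrome\Application";          Filter = 'pepflashplayer.dll'; Required = [version]'17.0.0.188' },
    @{ Name = 'Chrome browser';         Path = "$pf86\Google\Chrome\Application";          Filter = 'chrome.exe';         Required = [version]'42.0.2311.152' }
)

function Get-FileVersion4([System.IO.FileInfo]$File) {
    # Build the version from the numeric parts rather than the FileVersion string,
    # which Flash writes with commas ("17,0,0,188") and [version] will not parse.
    $vi = $File.VersionInfo
    New-Object System.Version -ArgumentList @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$Report = foreach ($c in $Checks) {
    $files = @()
    if (Test-Path -LiteralPath $c.Path) {
        $files = @(Get-ChildItem -LiteralPath $c.Path -Filter $c.Filter -Recurse -File -ErrorAction SilentlyContinue)
    }
    if ($files.Count -eq 0) {
        [pscustomobject]@{ Component = $c.Name; Found = $null; Required = $c.Required; Status = 'not installed'; File = $null }
        continue
    }
    # Old copies can linger (e.g. a previous Chrome version folder); judge by the newest one present.
    $newest = $files | Sort-Object { Get-FileVersion4 $_ } -Descending | Select-Object -First 1
    $v = Get-FileVersion4 $newest
    [pscustomobject]@{
        Component = $c.Name
        Found     = $v
        Required  = $c.Required
        Status    = if ($v -ge $c.Required) { 'current' } else { 'OUTDATED' }
        File      = $newest.FullName
    }
}

$Report | Format-Table Component, Found, Required, Status -AutoSize

# Exit non-zero when any installed copy is behind so the script can gate a deployment job.
if ($Report | Where-Object { $_.Status -eq 'OUTDATED' }) { exit 1 }
```

A “not installed” row is fine (a host without Firefox has no NPAPI plug-in to patch); an OUTDATED row for IE after you pushed Flash Player usually means the Microsoft Advisory for the IE plug-in has not been deployed yet, which is the gap the paragraph above is warning about.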

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. They include a buffer overflow, a use-after-free and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash; an out-of-bounds read/write during JS validation, which could allow information disclosure; and memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolved, it is a good idea to keep Firefox on your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and third-party updates released this Patch Tuesday. Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this month’s Patch Tuesday lineup.

April 2015 Patch Tuesday


Patch Tuesday excitement is building. There is at least one known Flash vulnerability being exploited in the wild and one Microsoft vulnerability that has been publicly disclosed this month.

Microsoft has released 11 security bulletins this month, four of which are Critical, bringing the total to 42 security bulletins so far in 2015. That is more than twice the number released by the same point last year.

From a vulnerability standpoint, in April 2014 the year-to-date count of CVEs resolved stood at 72. We passed that in March 2015, with 76 resolved; including this month’s 26 CVEs, the total now stands at 102 CVEs resolved year to date.

Microsoft’s product and service impact this month includes the Windows OS, IE, Office, SharePoint, ADFS, .Net and Hyper-V. Two OS updates, the IE update and the Office update are rated Critical.

Flash Player is making its triumphant return to Patch Tuesday. Adobe is aware that exploits of CVE-2015-3043 exist in the wild. Between January’s and February’s Patch Tuesdays, three zero-days were resolved by two releases in the span of about two weeks, and in March the release came the same week as Patch Tuesday, but at the end of the week. APSB15-06 resolves 22 vulnerabilities and is rated Priority 1; it should make your list of priority updates to roll out this month.

With a Flash Player update you can always expect an Advisory for Internet Explorer and a Google Chrome update. Google Chrome has a large release covering 45 vulnerabilities, including many rated High. That, combined with the Priority 1 Flash plug-in, makes this release a high-priority update when it arrives.

Oracle’s quarterly CPU also happens to fall on Patch Tuesday this month. Oracle Java is resolving 15 vulnerabilities, all of which are remotely exploitable without authentication; the highest CVSS base score among them is 10.0, the maximum possible. It goes without saying that Java should be a priority update this month. Three other Oracle products are resolving CVEs with a 10.0 CVSS base score, so if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, each includes vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.

Join us tomorrow for the Shavlik April 2015 Patch Tuesday webinar as we discuss the releases for this month, priorities, known issues, etc.

Patch Tuesday February 2015

It is February and already we have seen some excitement this year: Microsoft dissolving the ANS (Advanced Notification Service); Google’s Project Zero team rigidly adhering to its 90-day disclosure policy (disclosing a Windows vulnerability days before the January bulletins were released, not to mention disclosing three high-severity Apple vulnerabilities in late January); and a series of Flash zero-days that were discovered in the wild and quickly turned around by Adobe. My take on each of these:

  • Microsoft ANS – I’m not a fan of dissolving this program. Not all companies may have used this to its full advantage, but customers of ours relied on the ANS to give them a couple of days’ jump start on prepping for their monthly maintenance. If Microsoft introduces patches to a product that has never been updated prior to the patch cycle, admins will need time to prep test machines. Now they will be condensing that time, along with change control processes, into a tighter window.
  • Google Project Zero disclosures – Anyone who has read my blogs or commentary before knows that I am a proponent of vendors being responsible about disclosures, but after a resolution is in place. Yes, the time to resolution is important, and for vendors who are negligent I fully agree with the Google stance. By Chris Betz’s comments in a blog post just after Google’s disclosure of the Windows OS vulnerability, they had communicated to Google, prior to the 90-day date, that the update was coming just a couple of days later. What purpose did this disclosure serve other than to stir up a lively debate?
  • Flash zero-days – I do not envy the Adobe security team so far this year. Browsers, browser plug-ins and media players are prime targets for hackers. They are on practically every device we use, so naturally they become targets. I do think that the turnaround from discovery to resolution on these three instances was very fast, and I applaud the Adobe team for ensuring the resolutions were delivered quickly.

For February Patch Tuesday the non-Microsoft updates are going to be light. With three zero-days in a row, Flash Player has had a number of updates pushed recently, and companies that have not pushed the most recent Flash Player updates should do so immediately. Since January there have been three Flash Player updates covering a series of zero-days discovered in the wild; the most recent, on Feb. 5, also included 17 other vulnerability fixes. The expectation is that we will not see a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January.

With the series of Flash Player updates, you will also need to push the latest IE Advisory 3021953 to update the Flash plug-in for Internet Explorer; otherwise you have not fully closed the three zero-days and the additional vulnerabilities from the Flash releases.

Google Chrome also released prior to Patch Tuesday to accommodate the urgent Flash Player updates. The latest Chrome update includes the Feb. 5 Flash Player plug-in update along with 11 security fixes, so this should be another high-priority update for you this month. Google has announced a Beta Channel update for Chrome, which usually indicates a release is not far off; I would expect it to be a feature release, since Google shipped so many security fixes on Feb. 5.

Mozilla Firefox released an update last week resolving 10 security vulnerabilities, four of them Critical. This should be among your top priorities this month.

On the Microsoft front we see a fairly average-sized Patch Tuesday: three Critical and six Important updates have been released. The impact this month includes the operating system, Internet Explorer, Office, SharePoint and System Center Virtual Machine Manager.

Internet Explorer gets a Critical update this month. Having not pushed an update in January, it is no surprise that 41 vulnerabilities are being resolved in this cumulative security update, one of which has been publicly disclosed. Definitely a Priority 1 this month.

There are two Critical updates for the Windows operating system this month. The first is a Critical Kernel-Mode Driver update, so test diligently lest you blow up the brains of the machine. The second is a Critical update for Group Policy that could allow remote code execution. Separately, the VMM update applies to both server and client installs; if you have the admin console installed on the VMM server, apply the VMM server patch first, then the administrator console patch.

There are no Critical updates for Office this month, but there are multiple Important updates, including a SharePoint update. The thing about SharePoint updates is the lack of rollback, so test adequately, especially if you have a lot of SharePoint plug-ins. If you have not already done so, look into virtualizing your SharePoint servers: the ability to snapshot the VM prior to updating lets you roll back even when the patch itself does not support it. If you are running VMware vSphere and Shavlik Protect, you can take advantage of our snapshot feature to take a pre-deploy snapshot automatically during the patch process.
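For shops without Shavlik Protect’s snapshot feature, here is the same safety net done by hand with VMware PowerCLI, as an added example (not Shavlik’s code and not from the original post): it takes a quiesced, memory-less snapshot of each SharePoint VM before the SharePoint update is pushed, prunes old pre-patch snapshots so they do not accumulate, and can revert to today’s snapshot when the patch goes wrong. The vCenter address and VM names are placeholders, and PowerCLI is assumed to be installed.

```powershell
# Added example, not Shavlik Protect's snapshot feature and not code from the post.
# Pre-patch snapshot of SharePoint VMs with VMware PowerCLI, so an update with no
# uninstall (SharePoint) can still be rolled back. vCenter and VM names are placeholders.
param(
    [string]   $VIServer = 'vcenter.example.local',   # assumption: your vCenter
    [string[]] $VMName   = @('SP-WFE01', 'SP-APP01'),  # assumption: your SharePoint VMs
    [string]   $Label    = 'PrePatch',
    [int]      $KeepDays = 7,                          # how long to keep pre-patch snapshots
    [switch]   $Revert                                 # roll back to today's snapshot instead
)
$ErrorActionPreference = 'Stop'

# PowerCLI 6.x ships as modules; older releases register a snap-in instead.
if (Get-Module -ListAvailable -Name VMware.VimAutomation.Core) {
    Import-Module VMware.VimAutomation.Core
} else {
    Add-PSSnapin VMware.VimAutomation.Core
}

Connect-VIServer -Server $VIServer | Out-Null
try {
    $snapName = "$Label-$(Get-Date -Format 'yyyyMMdd')"

    foreach ($vm in Get-VM -Name $VMName) {
        if ($Revert) {
            # A snapshot taken without memory state reverts to a powered-off VM, so start it afterwards.
            $snap = Get-Snapshot -VM $vm -Name $snapName
            Set-VM -VM $vm -Snapshot $snap -Confirm:$false | Out-Null
            Start-VM -VM $vm | Out-Null
            Write-Host "$($vm.Name): reverted to $snapName"
            continue
        }

        if (Get-Snapshot -VM $vm -Name $snapName -ErrorAction SilentlyContinue) {
            Write-Warning "$($vm.Name): $snapName already exists, skipping"
            continue
        }
        # -Quiesce has VMware Tools flush the guest file system (VSS on Windows) so the disk
        # state is consistent; -Memory:$false keeps the snapshot small and fast to create.
        New-Snapshot -VM $vm -Name $snapName -Description 'Taken before Patch Tuesday deployment' `
                     -Quiesce -Memory:$false -Confirm:$false | Out-Null
        Write-Host "$($vm.Name): created $snapName"
    }

    if (-not $Revert) {
        # Snapshots are delta disks that grow with every write and slow the VM down, so
        # remove pre-patch snapshots once the updates have soaked for $KeepDays.
        Get-VM -Name $VMName | Get-Snapshot |
            Where-Object { $_.Name -like "$Label-*" -and $_.Created -lt (Get-Date).AddDays(-$KeepDays) } |
            Remove-Snapshot -Confirm:$false
    }
}
finally {
    Disconnect-VIServer -Server $VIServer -Confirm:$false
}
```

Run it once before the SharePoint deployment, and with -Revert if the patch breaks the farm. Because the snapshot is taken per VM, revert every server in the farm together; rolling back a single web front end while the content database server keeps the patched schema can leave SharePoint in a worse state than the update did.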

Here is a bulletin-by-bulletin summary of the updates you should be planning for this February (the first three were released prior to Patch Tuesday):

APSB15-04: Security updates available for Adobe Flash Player
Vendor Severity: Priority 1
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 18 (+2 more if you have not pushed APSB15-03 yet)
Impact: 1 zero-day currently being exploited in the wild (+2 more if you did not push -03); use-after-free, memory corruption, type confusion, heap buffer overflow, buffer overflow and null-pointer vulnerabilities.

Chrome 40.0.2214.111: Stable Channel Update
Vendor Severity: High
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 11 (Also includes support for latest Flash plug-in)
Impact: 3 Highs resolving use-after-free, cross-origin bypass and privilege escalation

Firefox: 34 and 35 updates
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 10
Impact: 4 Critical fixes resolving a sandbox escape, a read-after-free, memory safety bugs and an update to the OpenH264 plug-in. Also includes uninitialized memory use, origin header, memory use, wrapper bypass and other vulnerability fixes.

MS15-009: Security Update for Internet Explorer (3034682)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 41 (1 is publicly disclosed)
Impact: Remote Code Execution, Security Feature Bypass

MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 6 (1 is publicly disclosed)
Impact: Remote Code Execution, Elevation of Privilege, Security Feature Bypass

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 1
Impact: Remote code execution

MS15-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 3
Impact: Remote Code Execution

MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1 (publicly disclosed)
Impact: Security Feature Bypass

MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Security Feature Bypass

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

MS15-016: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Information Disclosure

MS15-017: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege
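Once the list above has been deployed, the question becomes which hosts actually have it. Here is an added PowerShell compliance check (example code, not from the original post or from Shavlik) that tests one or more Windows hosts for the Windows and IE KBs listed above. The KB numbers are the ones in the bulletin titles; the split between Windows-servicing updates and the Office/SharePoint/VMM updates is based on those titles. Get-HotFix reads Win32_QuickFixEngineering, which only records updates installed through the Windows servicing stack, so the Office, SharePoint and VMM patches (MSI/MSP based) never appear there and need a separate check.

```powershell
# Added example, not code from the original post or from Shavlik. Checks Windows hosts
# for the February 2015 Windows/IE bulletins by KB number. KB numbers come from the
# bulletin list above; the host list is an assumption.

# Bulletins whose packages register in Win32_QuickFixEngineering (what Get-HotFix reads).
$WindowsBulletins = [ordered]@{
    'MS15-009' = 'KB3034682'   # Internet Explorer cumulative update
    'MS15-010' = 'KB3036220'   # Windows Kernel-Mode Driver
    'MS15-011' = 'KB3000483'   # Group Policy remote code execution
    'MS15-014' = 'KB3004361'   # Group Policy security feature bypass
    'MS15-015' = 'KB3031432'   # Windows elevation of privilege
    'MS15-016' = 'KB3029944'   # Graphics Component information disclosure
}

# These are MSI/MSP patches and never show up in QFE; verify them through the
# product (Office/SharePoint build numbers, VMM version) rather than Get-HotFix.
$NonQfeBulletins = [ordered]@{
    'MS15-012' = 'KB3032328'   # Office
    'MS15-013' = 'KB3033857'   # Office
    'MS15-017' = 'KB3035898'   # Virtual Machine Manager
}

function Get-BulletinStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))   # assumption: local host by default
    foreach ($computer in $ComputerName) {
        try {
            # One WMI round-trip per host, then match locally.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop | Select-Object -ExpandProperty HotFixID)
            $reachable = $true
        } catch {
            $installed = @(); $reachable = $false
        }
        foreach ($entry in $WindowsBulletins.GetEnumerator()) {
            [pscustomobject]@{
                Computer  = $computer
                Bulletin  = $entry.Key
                KB        = $entry.Value
                Installed = if ($reachable) { $installed -contains $entry.Value } else { $null }
                Note      = if ($reachable) { '' } else { 'host unreachable' }
            }
        }
        foreach ($entry in $NonQfeBulletins.GetEnumerator()) {
            [pscustomobject]@{
                Computer  = $computer
                Bulletin  = $entry.Key
                KB        = $entry.Value
                Installed = $null
                Note      = 'not tracked in QFE; check product version'
            }
        }
    }
}

$status  = Get-BulletinStatus -ComputerName @($env:COMPUTERNAME)
$status | Format-Table Computer, Bulletin, KB, Installed, Note -AutoSize

# Fail (non-zero exit) if any Windows bulletin is confirmed missing, so the script can feed a report job.
$missing = @($status | Where-Object { $_.Installed -eq $false })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing: " + (($missing | ForEach-Object { "$($_.Computer):$($_.Bulletin)" }) -join ', '))
    exit 1
}
```

One caveat when you reuse this next month: IE cumulative updates supersede each other, and a later cumulative can leave the earlier KB absent from QFE even though its fixes are present, so the KB table has to be refreshed each Patch Tuesday rather than accumulated.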

Join us tomorrow on our monthly Patch Tuesday webinar as we discuss the priorities and pitfalls you will want to watch out for.