June Patch Tuesday 2016

June2016PatchTuesdaySummary

I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. The urging is for companies to distribute Flash Player to get a proper enterprise agreement in place to distribute Flash Player. Most of you, however, are only concerned with updating Flash Player instances in place for any reason other than your willingness to distribute it intentionally.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/.  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below. User targeted vulnerabilities and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attacked image or PDF. The exploited would be embedded in this specially crafted content allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they will convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one of both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for Jscript and VBScript for three vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and Sharepoint that includes fixes for four vulnerabilities. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note. Each of these includes a vulnerability that has been publicly disclosed.

MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures, they should warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

May Patch Tuesday 2016

ShavlikMay_PATCH02fMay’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053).  Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update?  Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?

In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.

Today, Adobe released bulletins for Adobe Reader, Cold Fusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.

MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188).  The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS its installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.

MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited (CVE-2016-0189).  This OS update is another that’s recommended to rollout as quickly as possible this month as it affects older versions of the OS and VMScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks such as a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains privileges equal to the logged on user, so running as less than administrator will mitigate the impact of exploit.

The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.

MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server.  On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.

Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.

Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.

With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player, Flash Plug-Ins in Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and for FireFox.

Join us tomorrow for the May Patch Tuesday webinar where we will discuss the bulletins in more detail.

March Patch Tuesday Round-Up

MarchPatchTuesday2016SumThings were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here and with it Microsoft has released MS16-036, which is the Flash plug-in for Flash Player Security Bulletin. Also, expect ANOTHER Google Chrome update to support the latest Flash plug-in version there as well.

Ok, so APSB16-018: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but lets focus in on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next lets talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagment.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.

 

March Patch Tuesday 2016

MarchPatchTuesday2016Sum

March Patch Tuesday has a great deal of updates, but no public disclosures or exploited vulnerabilities as of yet. Let’s start with what we know for sure: Microsoft has released 13 bulletins, five of which are critical and eight are rated as important. With these bulletins, Microsoft is resolving 39 total vulnerabilities this month. On the non-Microsoft front, Adobe is releasing two bulletins, rated as Priority 2 and 3, that resolve four vulnerabilities. Additionally, Mozilla FireFox 45 has been released and is rated critical, as it resolves 22 vulnerabilities.

First, taking a closer look at Microsoft, we have critical updates for Internet Explorer (MS16-023) and Edge (MS16-024), as expected. These updates resolve 13 and 11 vulnerabilities, respectively. Microsoft’s claim that Edge is more secure appears to be valid, although this month’s activity does not make that big of a difference. So far in 2016, IE has had 27 vulnerabilities, as compared to Edge’s 19. As you would expect, the vulnerabilities resolved in both browsers involve exploiting a user through specially crafted web content. In this situation, an attacker who convinces a user to click on specific content can gain the same user rights as the actual user. If that user is a full admin, the attacker would gain complete control of the system, allowing them to create accounts, install, remove apps and delete data, among other things.

10 of the Microsoft updates affect Windows, including the other three critical updates from Microsoft. MS16-026 resolves vulnerabilities in graphic fonts, while MS16-027 resolves vulnerabilities in Windows Media and MS16-028 resolves vulnerabilities in Windows PDF Library. In all three cases, the attacker would exploit vulnerabilities by convincing a user to open specifically concocted files and media content. As a result, the attacker would gain equal privileges as the current user; so least-privilege rules will reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 mitigates one of the vulnerabilities further by reducing the attacks privileges because they can only execute out of the sandbox.

Microsoft Office and Sharepoint are both affected by MS16-029, which is rated as important and resolves three vulnerabilities. For all of you ops guys out there, I know there is some uneasiness around patching Sharepoint because the updates cannot be rolled back easily if something goes wrong. If you are on a virtual machine, you can take a snapshot prior to the update. That way, if anything goes wrong, you can quickly revert back. If you are not yet virtualized, consider making the switch – doing so will make life a lot easier.

There are six more important updates affecting Windows components, including Kernel-Mode Drivers, USB Mass Storage Class Driver, Secondary Logon, and OLE. Last on the list is an update for .Net Framework. .Net is always interesting because you can have various versions on a machine. As a result, it can also take a bit longer to install updates for .Net. So, if your servers take a while to install updates, know that it’s due to multiple .Net versions requiring updates.

Now, switching to the non-Microsoft updates:

Mozilla has released FireFox 45, which resolves 22 total vulnerabilities, eight of which are critical. The vulnerabilities range from buffer overflows to font vulnerabilities, with the sheer number of updates making this update a priority for this month.

Adobe has released two bulletins so far. The first is APSB16-006, a Priority 3 update for Digital Editions that resolves a critical vulnerability. Although there is only one, it is critical and could lead to code execution; which makes me wonder about the priority. The second Adobe bulletin is for Adobe Acrobat and Reader. APSB16-009 resolves three vulnerabilities, including yet another critical that could lead to code execution. This bulletin is rated as a Priority 2.

While we haven’t seen it yet, there is evidence a Flash update could be on its way. If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it. This could signal the change in distribution that Adobe has warned us about for a few months now. Either way, if Flash Player drops, expect a bulletin from Microsoft for Flash for Internet Explorer, as well as an update from Google Chrome to support the latest plug-in and updates for Flash Player at the OS and FireFox plug-in levels.

Join us tomorrow for the March Patch Tuesday webinar where we will discuss the bulletins in more detail.

January Patch Tuesday 2016

2016_01_12_Patch

January 2016 is going to be anything but boring. Microsoft has a large lineup of updates. The bulletin list opens up 2016 with 10 bulletins — minus one. MS16-009 has been skipped and Microsoft went to MS16-010 instead. Is that a small joke relating to Windows 9 skipping to Windows 10? Maybe Microsoft doesn’t like the number nine for some reason. That oddity aside, Microsoft released six critical, three important and six public disclosures, along with a total vulnerability count of 26 resolved for January Patch Tuesday.

Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of lifes for Internet Explorer and Windows XP Embedded. Adobe announced a bulletin for Reader with an additional non-security release of Shockwave and Oracle is gearing up for its quarterly CPU, so expect Java to release next Tuesday, January 19.

Microsoft System Updates and End of Life Scheduling

Jan. 12 is a significant milestone for Internet Explorer support. Microsoft is releasing a final update for all supported IE versions, but after January it will only support the latest available for each Operating System. This means that for anything Windows 7 SP1 and later, you must be on IE 11 to continue receiving updates. There are a few exceptions for older operating systems that only supported up to IE 9 or 10. If you are still running applications or access sites that require IE 10 or earlier versions, you should plan to take some precautions. Restrict access to systems with outdated IE versions, virtualize them and close them off from direct Internet access. In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet, you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session.

Windows XP Embedded SP3 is also reaching its end of life today. It will be followed in a few months by Windows XP Embedded Point of Sale SP3, which is due to end on April 12. Retailers will start to sweat if you are still on those platforms after that date.

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. I am guessing there will be those who look into the registry hack that was used to trick Windows XP into thinking it was Windows XP Embedded POSReady 2009. If you have no other recourse, you may roll the dice on that, since POSReady 2009 is really just another distribution of Windows XP Embedded. Moving off of the end of lifed platform is still the best option though.

Oracle’s quarterly CPU is coming on Jan. 19. I mention it now as those of you running Java will definitely want to plan to roll that update out when it arrives next week as well. In 2015, the lightest of the Java updates included 14 CVEs, all of which were remotely executable without authentications. The rest had 19–25 vulnerabilities resolved with more than 15 being remotely executable without requiring credentials.

Microsoft January Bulletins

MS16-001 and MS16-002 are updates to Microsoft’s Internet Explorer and Edge browsers. Both are rated as critical, resolving two vulnerabilities each. The IE patch includes a public disclosure (CVE-2016-005), which puts it at a higher risk of being exploited.

MS16-004 is an update for Microsoft Office and Visual Basic. The bulletin is rated critical and resolves six vulnerabilities including two public disclosures (CVE-2016-0035, CVE-2015-6117).

MS16-005 is a critical update for the Windows Operating System resolving two vulnerabilities including one public disclosure (CVE-2016-009). This is also a Kernel-Mode Driver update. Thorough testing is always recommended. If an application patch goes wrong you can just reinstall, but if a kernel patch goes wrong it will be more severe.

MS16-007 is an important update for Microsoft Windows, which resolves six vulnerabilities including two public disclosures (CVE-2016-0016, CVE-2016-0018). There are a few known issues with this update. To be fully protected you also need to have MS16-001 for Internet Explorer. Windows 10 users who have Citrix XenDesktop should be aware that installing this update will prevent login. Microsoft recommends users uninstall XenDesktop and installing this bulletin, then follow up with Citrix for a fix for XenDesktop.

The way the issue is worded on the bulletin page makes it sound like Microsoft’s methods of updating Windows 10 (Windows Update, WSUS, SCCM) will not offer this update if XenDesktop is installed. It states “Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update.” So, if Windows 10 updates are all bundled, cumulative updates, this would mean that the January cumulative for Windows 10 would not be installed. That means all five bulletins that would affect Windows 10 would go unpatched until the issue is resolved.

MS16-008 is only rated as Important and no public disclosures, but it is a Kernel patch addressing Elevation of Privilege vulnerabilities. Thorough testing is recommended before rollout.

MS16-009 did not drop yet. This could mean it will not arrive until February, or it could come out of band. The last time we saw a bulletin be skipped in the order was an SQL update that dropped between Patch Tuesdays. Keep an eye out for this one in case it comes late. It will likely be a high priority if that is the case.

MS16-010 is an important update for Microsoft Exchange. No public disclosures or known issues, so recommendation is thorough testing and rollout in a timely manner.

Third Party Bulletins

Adobe has released one bulletin this month. APSB16-002 for Adobe Reader is a Priority 2 update resolving 17 vulnerabilities. The only other update from Adobe today was an update for Shockwave, which did not have an accompanying bulletin. APSB16-001 for Adobe Flash actually first dropped in late December with a re-release the next day resolving an Active-X issue. That release likely came early due to a known exploit in the wild (CVE-2015-8651). Ensure that the Flash update is rolled out if you have not already done so.

Join us tomorrow for the January Patch Tuesday webinar where we will discuss the bulletins in more detail.

 

A look at the top 5 most vulnerable vendors from 2015

I have read a number of speculative articles recently, discussing the number of bulletins and vulnerabilities released\resolved by Microsoft. Was it due to the introduction of Windows 10, Edge and several other product releases this year? I am going to say no. Let’s expand out past looking at just Microsoft and I think you will agree as well.

Taking a look from a vendor perspective, Microsoft finished 2015 with 135 security bulletins released with a total of 571 vulnerabilities resolved. This is the highest bulletin count over the previous shared 2010/2013 high of 106 bulletins. This also tops last year’s all-time vulnerability high of 376 vulnerabilities resolved across 85 bulletins and is more than double the vulnerabilities resolved than 13 of the last 15 years.

Even with 571 vulnerabilities resolved, Microsoft took the No. 2 spot on the Top 50 vendor list on CVE-Details. No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities, which is more than three times the 2014 count of 130 vulnerabilities resolved. This jumped them from No. 5 in 2014 to No. 1 this year.

Cisco came in third this year with a new all-time high of 480 vulnerabilities resolved. This only tops its previous 2013 high by around 50 vulnerabilities.

Oracle is in the No. 4 spot this year and is the only vendor in the top five that finished the year without topping its vulnerability high. They resolved 479, which is down from their 2013 record of 496 vulnerabilities.

Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and also more than double the previous 2010 record of 207 vulnerabilities. This jump comes from the staggering 295 vulnerabilities resolved in Adobe Flash Player in 2015.

Here is a visual recap of the Top 5:

SummaryTop5VulnVendors

As you can see there is a trend here and there are many contributing factors. Exploits and breaches are on the rise. One of my favorite visual examples of this trend is the POS Breaches Timeline from OpenDNS Security Labs. It starts back in 2002 with a six-year gap until the next major event. As you go forward there is an explosion in 2012 and it keeps increasing rapidly. This timeline focuses just on Point of Sale (POS) breaches, but the visual is on a similar trajectory to the broader security industry trend. Threat actors are better organized, better funded and there are more tools available to them than ever before. Off-the-shelf exploit kits are a competitive product market in today’s dark web hacking services markets and the number of products and increase in features they provide coincide with the drastic increase in breaches we have seen since 2012.

The exploit gap is also shrinking. From the time an update is released to when a vulnerability is resolved, baring a Zero Day, you have about two weeks before the exploits start to hit. According to the Verizon 2015 Breach Report, 50 percent of vulnerabilities that will be exploited are exploited in two–four weeks of release of an update from the vendor. One of the contributors to the Verizon Breach Report, Kenna Security, released an additional report that goes further out and shows that 90 percent of vulnerabilities that will be exploited are exploited within 40–60 days of an update being made available from the vendor. They go on to discuss that many enterprises struggle to release updates within 120 days. In fact, 99.9 percent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve the vulnerability. In the case of web exploits that time falls to less than 24 hours for major vulnerabilities.

We have a general upward trend of exploits and a shrinking window between updates from a vendor and exploit code being made available to take advantage of the resolved CVEs. Events of the three previous years set the stage for vendors in 2015. Let’s take a look at our top 5 vendors and talk a about how this trend may have affected each.

Apple has a combination of OS, Browser, and Media player products all of which are prime targets for attackers. Mac OS X is gaining in popularity, but so is OS X related malware. “There’s been an unprecedented rise in Mac OS X malware this year, according to security researchers at Bit9 + Carbon Black, with the number of samples found in 2015 being five times that seen in the previous five years combined.” With such a prolific increase in negative attention, Apple has had to step up its game on resolving vulnerabilities. The company is digging into and resolving vulnerabilities in components that likely did not receive the same level of attention in years past.

Microsoft has long held the OS market and it has built out browsers, media players and the Office suite of products. Microsoft has been a big target for a long time and there is no question that the trends we are seeing would have directly affected them. The thing I will add here is Windows 10 and Edge were likely much less significant in their contributions. OS bulletins released since Windows 10 have affected earlier versions of the Windows OS similarly and the same vulnerabilities were being addressed across different versions, so there were few net new vulnerabilities introduced by Windows 10. If you look at a filtered view of CVE’s affecting Windows 10 you will see in the description a list of many of the currently supported OS versions also affected. Edge did contribute additional security bulletins that would not have been in the mix otherwise, but most of the CVEs affected other components of the OS and IE browser as well. Similar to Apple, the increase of CVEs is in part due to the fact that they are focused on hardening shared components and products that previously were not being targeted.

Cisco did have an influx of CVEs resolved this year and a new all-time high, but the increase was not nearly as large as Apple, Microsoft or Adobe. Cisco does have its proprietary OS for its devices and it has a count on par with many of the individual Windows OS and Linux distributions, as far as CVE counts. It has other products, such as Cisco Anyconnect VPN, that could be an ideal target for attackers, but it does not have a browser or wildly popular media player products (as we will talk about with our No. 4 and No. 5 vendors). With Cisco, the huge list of products is the other significant contributing factor with over a thousand products with small contributions to get them into the No. 3 spot.

Oracle is down from its record 496 CVEs in 2013. It was the only vendor of the top five that didn’t set new CVE records this year. Probably the most high-profile product with security issues in the Oracle portfolio is Java. Java has been a high-profile target due to its popularity and availability worldwide. More importantly, Java is one of those products that gets neglected too often. Older applications built to run on Java often required a specific version of Java. If you updated Java, you broke the application. This resulted in an easily exploitable scenario that treat actors have taken advantage of for years and still do. It was so easily exploitable that a site was created to track how many days since the last Java Zero Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. It reached 723 days without a Zero Day until CVE-2015-2590 hit earlier this year. It is back up over 150 days since the last Zero Day and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.

Adobe charged into the top five this year with the most significant increase over the previous year. With over three times the increase in CVEs resolved, Adobe had a busy year and much of the attention was on Adobe Flash Player. Adobe Flash Player has gained the same broad use and popularity that caused Java to become a target. It has, quite possibly, topped Java for its notoriety as a vulnerable product. This year Adobe faced a staggering eight Zero-Day streak. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more mid year and it did not stop there. Security experts have called for the death of Flash Player from Brian Krebs’ life without Flash Player series to tech giant Google killing Flash in its browser. Flash Player contributed 295 of the 440 total Adobe CVE count for 2015, which more than doubled the 2014 count of 138 on its own. Adobe is trying to move away from Flash and in January 2016 it will restrict distribution of Flash Player by removing it from its public download pages and restricting access to companies with Adobe Enterprise Agreements in place.

So from the pattern we are seeing, OS and commonly used media products are a significant contributor to counts for our top 5 vendors. Browser is another significant contributor. Apple Safari and Microsoft Internet Explorer and Edge contributed 135 and 231 CVEs respectively to their vendor’s total counts this year. Two vendors worth noting that did not quite make the top five are Google and Mozilla. Google Chrome contributed 185 out of Google’s total 321, putting them in the No. 6 spot for vulnerabilities by vendor. Mozilla Firefox contributed 177 out of 187 total placing them at No. 8 for vendors in 2015. So in the great browser faceoff, you have the following:

  • Microsoft Internet Explorer with 231 CVEs falls in at No. 4 for vulnerable products and No. 1 for browsers.
  • Google Chrome with 185 CVEs falls in at No. 8 for products and No. 2 for browsers.
  • Mozilla Firefox with 177 CVEs falls in at No. 9 for products and No. 3 for browsers.
  • Apple Safari with 135 CVEs falls in at No. 19 for products and No. 4 for browsers.
  • Microsoft Edge with 27 CVEs makes the list, but I would not place them this year as they were a late year entry into the race. We will see where they fall next year.

Overall you can rest assured that if you are running a computer with an operating system, a variety of media player products and a browser, you are as vulnerable as you can possibly be. The window between product release and exposure has shrunk considerably, so you need to be proactive and effective in deciding what you will deploy and how frequently. So what to do? You need to bring your processes and tools up to a new level to deal with these threats.

Challenges:

  • Updates can break critical systems. Yes, but with proper prioritization you can reduce this risk by making sure to deliver updates for the most likely to be exploited vulnerabilities. There are threat indicators out there that will tell you much of what you need to know. You can join our Shavlik Patch Tuesday webinarseries where we discuss updates that occur on the infamous Patch Tuesday, as well as other releases and indicators that will help you here. We will be posting 2016 versions of that series shortly and you can catch a playback of the December webinar there as well.
  • I run maintenance once a month and users complain about that event. You want me to update more frequently? Yes, we are absolutely saying any system with an end user must be updated more than once a month if you are going to weather this storm. Features of our Shavlik Protect + Empower products are specifically designed to ensure you can reach users wherever they go and also work around their needs to reboot and finalize installs of updates effectively. The ProtectCloud enabled agents allow you to push policy updates to systems that reside off network without opening security risks to your network or the end user system. We host this service for you and provide it as part of the base feature set of our product so you can reach those systems and ensure you can report on them no matter how long they stay off network. With our SafeReboot technology you can provide the user a variety of reboot options from deferring reboot for up to seven days, reboot at logoff or at next occurrence of a specified time.
  • I am on SCCM and cannot switch to another solution, so how do I cover the frequency of product updates and the number of products that are on my network? We have a plug-in for Microsoft System Center Configuration Manager. It is called Shavlik Patchand provides our catalog of third-party updates, including those we spoke about above, so you can quickly publish those updates in SCCM and not change your infrastructure or processes you have in place.

December Patch Tuesday 2015

DecemberPatchTuesday2015Summary

December Patch Tuesday is upon us. Let’s see if we have presents under the tree or coal in our stockings…

Microsoft has released 12 bulletins, eight of which are Critical, resolving a total of 71 vulnerabilities. Adobe released a whopper of a Flash update resolving 78 vulnerabilities. Google Chrome is dropping today as well. Aside from an update for the Flash Player plug-in and its 78 security fixes, there are reportedly security fixes coming for the browser as well.

While Microsoft has quite the lineup this month, it didn’t quite catch Adobe’s 78 vulnerabilities resolved for the month. They did, however, have one public disclosure (CVE-2015-6175), and two vulnerabilities exploited in the wild (CVE-2015-6175, CVE-2015-6124). Here are the highlights for Microsoft:

MS15-0124 is a critical update for Internet Explorer with 30 vulnerabilities resolved in total. Also of note, Internet Explorer supported versions will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. Time to check your browser versions across the enterprise and compare to the versions listed in this blog post:

https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/

MS15-125 is a critical update for Edge with 15 vulnerabilities resolved. This update will be included with six others in the December Windows 10 Cumulative Security Update.

MS15-128 is a critical update for Windows, .Net Framework, Office, Skype, Lync and Silverlight, resolving three vulnerabilities. This is a Microsoft Graphics Component update, which is a shared library that affects many applications. Expect many variations of this update to affect the same system for each product you have installed that is affected.

MS15-131 is a critical update for Microsoft Office, resolving six vulnerabilities. This bulletin includes a fix for CVE-2015-6124, which has been detected in exploits in the wild. The vulnerability takes advantage of a failure to properly handle objects in memory. If exploited, the attacker could run arbitrary code in the context of the user. Least privilege policies would help mitigate the impact if exploited by limiting what the attacker could do. This vulnerability can be exploited in web-based attacks using specially crafted content designed to exploit the vulnerability.

MS15-135 is an important update for Microsoft Windows, which resolves four vulnerabilities. This bulletin includes a fix for CVE-2015-6175, which has been publicly disclosed and also has been detected in exploits in the wild. While this is only rated as important, we recommend treating this as a high priority. This update resolves Kernel memory handling. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. At that point they could install programs, view, change or delete data or create new accounts with full user rights. This is a Kernel update, so thorough testing is highly recommended.

Windows also released its Windows 10 December Cumulative Update (3116869). This update includes seven bulletins: MS15-124, MS15-125, MS15-126, MS15-128, MS15-132, MS15-133 and MS15-135. This update includes five critical bulletins and MS15-135, which includes CVE-2015-6175. This vulnerability has been publicly disclosed and detected in exploits in the wild.

APSB15-32 is a Priority 1 update for Adobe Flash Player, resolving 78 vulnerabilities. This bulletin includes a large number of code execution vulnerabilities and a few security feature bypass vulnerabilities. To fully resolve these vulnerabilities you need to ensure you update Flash Player on the OS, as well as the plug-in in your browsers. You will need to update IE, Chrome and Firefox plug-ins to fully ensure these vulnerabilities are resolved.

Google has also released an update to Chrome resolving at least 7 vulnerabilities by initial reports from Google. It will also include support for the Flash Player plug-in and the 78 vulnerabilities resolved there. This is recommended to be a high-priority update this month.

Join us tomorrow for the December Patch Tuesday webinar where we will discuss the bulletins in more detail.

October Patch Tuesday 2015

2015-10-08B_patchTuesday

Microsoft is taking it easy on us this month. But don’t worry, Adobe, Google and Oracle are adding to the Patch Tuesday queue this month.

Microsoft has released just six bulletins this Patch Tuesday. This is a welcome reprieve given the 2015 bulletin count has already exceeded the total bulletin count for 2014 (85). With this month’s bulletins, the count is now up to 111 so far in 2015.

September Patch Tuesday, a lot of Microsoft with a touch of Adobe

SepPatchDaySummary

This feels like a light month compared to the last few Patch Tuesdays, especially for third parties. Coming off of Black Hat, all the vendors we would normally expect to see on patch day have had their hands forced last month to respond quickly to any vulnerability they may have had, likely causing a slow month this time around. Next month we should expect a Java quarterly release, along with more third-party patches.

As for Microsoft, it has released 12 bulletins. Five of these bulletins are rated as Critical. There are a lot of media content vulnerabilities being resolved this month for graphics drivers, Windows Journal and Media Center, and Microsoft Office and Sharepoint.

May Patch Tuesday 2015

SecurityImage

Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and the following Microsoft products affect Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereference, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on Javascript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. An out-of-bounds read\write during JS validation, which could result in allow for information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolve, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday.  Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this months Patch Tuesday lineup.