Patch Tuesday February 2015

SecurityImageIt is February and already we have seen some excitement so far this year. Between Microsoft dissolving the ANS (Advanced Notification Service), to Google’s Project Zero team rigidly adhering to their 90-day disclosure policy (disclosing a Windows vulnerability days before the January Bulletin released, not to mention the disclosure of three high severity Apple vulnerabilities in late January), and a series of Flash Zero Day’s that were discovered in the wild and quickly turned around by Adobe. My take on each of these:

  • Microsoft ANS – I’m not a fan of dissolving this program. Not all companies may have used this to their full advantage, but customers of ours relied on the ANS to give them a couple of day jumpstart on prepping for their monthly maintenance. If Microsoft introduces patches to a product that has never been updated prior to the patch cycle, admins will need time to prep test machines. Now they will be condensing that time along with change control processes into a tighter window.
  • Google Project Zero disclosures – Anyone who has read my blogs or commentary before knows that I am a proponent for vendors being responsible about disclosures, but after a resolution is in place. Yes the time to resolution is important, and for vendors who are negligent I fully agree with the Google stance. By Chris Betz’s comments in a blog post just after Google’s disclosure of the Windows OS vulnerability, they had communicated to Google, prior to the 90-day date, that the update was coming just a couple of days later. What purpose did this disclosure serve other than to stir up a lively debate?
  • Flash Zero Day’s – I do not envy the Adobe Security Team so far this year. Browsers, browser plug-ins and media players are prime targets for hackers. They are on practically every device we use, so naturally they will become a target. I do think that the turnaround from discovery to resolution on these three instances was very fast and applaud the Adobe team for ensuring the resolutions were delivered quickly.

For February Patch Tuesday the non-Microsoft updates are going to be light this month. With three Zero Day’s in a row, Flash Player has had a number of updates pushed recently. Companies that have not pushed the most recent Flash Player updates should do so immediately. Since January there have been three Flash Player updates to cover a series of Zero Day’s discovered in the wild. The most recent update on Feb. 5 also included 17 other vulnerability fixes. The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January.

With the series of Flash Player updates, you will also need to push the latest IE Advisory 3021953 to update the Flash Plug-in, otherwise you have not fully plugged the three Zero Day’s and additional vulnerabilities from the Flash releases.

Google Chrome also released prior to patch Tuesday to accommodate the urgent Flash Player updates. The latest Chrome update resolves the Feb. 5 Flash Player plug-in update along with 11 security fixes. This should be another high priority update for you this month. Google has announced a Beta Channel Update for Chrome, which usually indicates a release is not far off. I would expect it to be a feature release since Google updated so many security fixes on Feb. 5.

Mozilla Firefox released an update last week including 10 security vulnerabilities. Four of these are Critical. This should be among your top priorities this month to get updated.

On the Microsoft front we will see a fairly average-sized Patch Tuesday. Three Critical and six Important updates have been released. The impact this month includes the operating system, Internet Explorer, Office, SharePoint and System Center Virtual Machine Manager.

Internet Explorer is a critical update this month. Having not pushed an update in January, it is not surprise that there are 41 vulnerabilities being resolved in this Security Rollup. Definitely a Priority 1 this month. One of these has been publicly disclosed.

There are two Critical updates for the Windows Operating System updates this month. The first is a Critical Kernel Mode Driver update this month, so test diligently lest you blow up the brains of the machine. Then we have a Critical update group policy that could allow remote code execution. The VMM update applies to both server and client installs. If you have the admin console installed on the VMM server you should update the VMM server patch first, then the administrator console patch.

There are no Critical updates for Office this month, but there are multiple Important updates including a SharePoint update. The thing about SharePoint updates is the lack of rollback. Test adequately, especially if you have a lot of SharePoint plug-ins. If you have not already done so, you should look into virtualizing your SharePoint servers. The ability to snapshot the VM prior to updating will allow you to rollback even if the patch does not support it. If you are running VMware vSphere and Shavlik Protect, you can take advantage of our snapshot feature to do a pre-deploy snapshot automatically during the patch process.

Here is a bulletin-by-bulletin summary of the updates you should be planning for this February (first three released prior to Patch Tuesday):

APSB15-04: Security updates available for Adobe Flash Player
Vendor Severity: Priority 1
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 18 (+2 more if you have not pushed APSB15-03 yet)
Impact: 1 Zero Day currently being exploited in the wild (+2 more if you did not push -03), use-after-free, memory corruption, type confusion, heap buffer overflow, buffer overflow, and null pointer vulnerabilities.

Chrome 40.0.2214.111 : Stable Channel Update
Vendor Severity: High
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 11 (Also includes support for latest Flash plug-in)
Impact: 3 Highs resolving use-after-free, cross-origin-bypass, and privilege escalation

Firefox: 34 and 35 updates
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 10
Impact: 4 critical updates resolving sandbox escape, read-after-free, memory safety, and update to the OpenH254 plug-in.  Also includes uninitialized memory use, origin header, memory use, wrapper bypass and other vulnerability fixes.

MS15-009: Security Update for Internet Explorer (3034682)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 41 (1 is publicly disclosed)
Impact: Remote Code Execution, Security Feature Bypass

MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 6 (1 is publicly disclosed)
Impact: Elevation of privilege, Security feature bypass,

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 1
Impact: Remote code execution

MS15-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 3
Impact: Remote Code Execution

MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1 (publicly disclosed)
Impact: Security Feature Bypass

MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Security Feature Bypass

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

MS15-016: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Information Disclosure

MS15-017: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

Join us tomorrow on our monthly Patch Tuesday webinar as we discuss the priorities and pitfalls you will want to watch out for.

December Patch Day Round-Up

ShavlikSecurityAlthough it was not as large as the November Patch Tuesday, December’s Patch Tuesday still had some important updates to close out the year.  Microsoft released seven bulletins, three of which were critical.  The three critical updates affect Internet Explorer, Microsoft Office, and VBScript engine.  Also, the Exchange update (MS14-075), which was deferred from the November Patch Tuesday, did release this month.

The Microsoft side of Patch Tuesday does not seem all that daunting of a challenge aside from the Exchange update.  Adobe, on the other hand, has added a number of critical updates to the December Patch Tuesday, which effectively doubles the priority 1 list for the month.  Adobe pre-announced an update for Acrobat and Reader, but on Patch Tuesday they released updates for Flash, Shockwave, and ColdFusion.  Shockwave and ColdFusion were lower priority updates, but the Flash update is resolving a vulnerability which was already being exploited in the wild.  We also have a couple of things to for you to watch out for in today’s Patch Tuesday Round-Up.

Known issues to look out for:

  • KB3004394: An update Windows Root Certificate Program in Windows, has caused some issues for companies.  The update, when applied to Windows 7 or Server 2008 systems, has caused a few issues such as MMC functions requiring Administrator authentication even when logged on as an Administrator, Windows Defender Service failing to start, and Windows Update Service being unable to apply additional updates.  KB3024777 has been released to fix the issue by removing KB3004394.
  • An issue occurred on Windows 10 Technical Preview where some users had to remove Office before they could apply the December update.  Recommendation is to try applying the updates before going through the more tedious workaround of removing office, installing updates, then re-installing office.  Most users will not see the issue.
  • Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • Two of the November Bulletins had re-releases for specific affected products.  You will likely see some of those updates being reapplied this month.  Recommendation is to do so as the original fixes were not complete.  MS14-066 (Schannel) update on Vista and 2008 and MS14-065 (IE Cumulative) update on IE 8 for Windows 7 or 2008 R2 or IE10.  In the case of IE, applying the December IE Cumulative will also resolve the issues in the re-release.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

Normally I would start with Microsoft, but your highest priority this month should be Adobe Flash, the Advisory for updating the IE Flash Plug-In and the Google Chrome update to update Flash.

  •  APSB14-27 : Security updates available for Adobe Flash Player – This update resolves six vulnerabilities, one of which (CVE-2014-9163) was discovered being exploited in the wild.  The CVSSv2 base score for this vulnerability is a 10.0, which is the highest that can be assigned and it is Network Exploitable meaning an attacker does not need local network access or local access to exploit the vulnerability.  Admins should ensure they update Flash this month.  Not only for this update, but also for the other two Flash updates that occurred since November.  To fully patch Flash you must also update the Advisory for IE and the Chrome release so you have updated the plug-in for both browsers.
  • MSAF-034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer  – Updates the Flash Plug-In for IE.  Nuff said.
  • CHROME-119: Chrome 39.0.2171.95 – Ditto on the Flash Plug-In.  Update it.  In addition Google released a Chrome update just after the November Patch Tuesday that included 42 security updates, including many High priority updates.  That is two very good reasons to update Chrome ASAP.
  • MS14-080: Cumulative Security Update for Internet Explorer (3008923) – This update is rated as Critical and resolves fourteen privately reported vulnerabilities in Internet Explorer.  Many of the vulnerabilities involve memory corruption, continuing a trend we have seen for most of 2014.
  • MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) – This update resolves two privately reported vulnerabilities in Microsoft Word and Office Web Apps, which could lead to remote code execution if exploited.  The attacker would gain rights equal to the logged on user, so running as less than a full admin could reduce the impact of this type of attack if exploited.
  • MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) –  This update resolves one privately reported vulnerability in the VBScript engine.  If exploited an attacker would gain equal rights to the logged on user.  If the user is a full admin, the attacker would gain complete control of the affected system.
  • APSB14-28 : Security Updates available for Adobe Reader and Acrobat – This update resolves 20 privately reported vulnerabilities in Adobe Acrobat and Adobe Reader.  The impacts vary, but the worst of these could lead to code execution.  Adobe rated the update as a Priority 1, the highest priority Adobe assigns.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) – This update is rated as Important and resolves four privately reported vulnerabilities in Microsoft Exchange server.  Originally slated for November, this update was held until the December release.  Also, if you wait for the cumulative updates before updating, you may want to read up on the latest here.  The Exchange 2010 CU8 ran into some issues and was pulled from circulation then re-released.  The updated RU8 package is version number 14.03.0224.002 if you need to confirm you have the updated package.
  • MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Office.  If you have not rolled this out yet please check on this article which I referenced in the known issues above.  “Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) – This update is rated as Important and resolves two privately reported vulnerabilities in Microsoft Excel.
  • MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) – This update resolves one privately reported vulnerability in Microsoft Graphics Component which could lead to information disclosure.

And that closes out December’s Round-Up.  Hopefully you all have your patching wrapped up before Christmas so you can relax, kick back, and enjoy the holidays.

 

 

September Patch Tuesday Round-Up

ShavlikSecurityThis month may have been a light release from Microsoft, but there was still plenty of updates to deploy. Microsoft released four security updates, one of which was critical, resolving 42 vulnerabilities. On the Non-Microsoft front, there were releases from Adobe and Google to take note of. Adobe Flash had a patch Tuesday release resulting in an IE advisory and a Google Chrome release to update the Flash plug-in. The Flash update resolved 12 vulnerabilities. There was no security updates for Office this month, but there were 18 non-security updates. One of those has run into some issues and had to be pulled. Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) – This update is rated as critical by Microsoft. It resolves 37 vulnerabilities which could allow for remote code execution. The updates are all relating to memory corruption issues. One of the vulnerabilities resolved (CVE-2013-7331) has been exploited in targeted attacks in the wild. There are a large number of vulnerabilities and one publicly exploited making this a high priority for update.
  • APSB14-21: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe. The update resolves 12 vulnerabilities which have a variety of impacts including memory corruptionbypass memory randomization, code execution, bypass same origin policy, and security feature bypass.
  • MSAF-029: Microsoft Security Advisory: update for vulnerabilities in Adobe Flash in Internet Explorer – This update allows Internet Explorer to support the latest Adobe Flash release which resolves 12 vulnerabilities and is rated as a Priority 1 by Adobe.
  • CHROME-111: Chrome 37.0.2062.120 – Resolves four vulnerabilities including one high priority vulnerability. The update also includes support for the latest Adobe Flash plug-in which puts it up in the priority list for this month.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-053: Vulnerability in .Net Framework could allow Denial of Service – This update resolves one privately reported vulnerability which could lead to a DoS, but by default an install of .Net will not be vulnerable to this vulnerability. The flaw is exposed if ASP.NET is installed and registered with an IIS server. This would require customer to install ASP.NET manually.
  • MS14-054: Vulnerability in Windows Task Scheduler could allow for elevation of privilege – This update resolves one privately reported vulnerability in Microsoft Windows which could allow for elevation of privilege. The attacker must, however, have a valid logon credential and be able to log on locally to exploit this vulnerability.
  • MS14-055: Vulnerabilities in Microsoft Lync Server could allow Denial of Service – This update resolves three privately reported vulnerabilities in Microsoft Lync Server. The attacker must send a specially crafted request to the Lync Server to exploit this vulnerability.

Watch List:

  • Adobe delayed release of APSB14-20 – The update will be a Priority 1 from Adobe as it resolves several critical vulnerabilities. The release was delayed to the week of September 15, meaning it will drop any day now. Once it does, you can expect to bump this up to the Priority list for rolling out this month.
  • Office non-security patch pulled by Microsoft – Microsoft did not release any security updates for Office this month, but 18 non-security updates have released.  An issue was discovered with KB2889866, an update for OneDrive, which would cause syncing to another users library to fail and moving of links etc, to no longer be picked up by sync.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.

Patch Tuesday Advanced Notification September 2014

PatchWithoutBorderSo far we have four bulletins announced for September 2014, one Critical and three Important. Back in August Microsoft put a hard deadline on implementing the Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, making it so users need to install Update 1 in order to keep their systems updated.

The first patch Microsoft will be rolling out is for Internet Explorer and is Critical. For the past few months we have seen large numbers of vulnerabilities primarily around memory corruption and memory leaks being resolved in IE. It’s likely we are going to see a continuation of that trend that started back in June, but it’s probably going to be a fairly clean month for IE.

Of the three Important updates, there are two vulnerabilities that could result in a denial of service attack and one that could result in an elevation of privileges. These bulletins affect .Net Framework, the Windows Operating System and Lync Server. The .Net update is going to be the most important thing here and IT managers should make sure they are testing it adequately before rolling it out.

On the third party front, we are expecting an update from Opera any time now. They have updated their change log, but the new version (24) has not yet been made available on their downloads.

For Adobe we anticipate an update for Flash to be quite likely this month. So far in 2014 there has only been one patch Tuesday without a Flash update and that month there were two updates outside of patch Tuesday, one of which was a Zero Day. If there is a Flash release, you can expect a Microsoft Advisory update for IE to update the Flash plug-in and most likely a Google Chrome update to support the plug-in as well.

Microsoft Security Bulletins:

  • 1 bulletin is rated as Critical.
  • 3 bulletins are rated as Important

Vulnerability Impact:

  • 1 bulletin addresses vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in a Denial of Service.
  • 1 bulletin addresses vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • .Net Framework.
  • Lync Server.

Join us as we review the Microsoft and third-party releases for September Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, September 10th at 11 a.m. CDT.  We will also discuss other product and patch releases since the August Patch Tuesday.

You can register for the Patch Tuesday webinar here.

August Patch Tuesday Advanced Notification

We have a big Patch Tuesday this month.  Microsoft started by releasing 8 updates and slipped in a later 9th later in the week last week.  That is just the beginning.  As of this morning we have updates from Opera, Picasa, Adobe Acrobat, Reader, Flash 13 and 14, and AIR, with likely appearances by Chrome (high likelihood) and a possible FireFox (have had a beta out for some time and likely to release soon).  A couple of things to look out for.  There is a Critical IE, which is likely the continuation of resolving a large number of memory corruption issues starting with the June IE resolving around 60 vulnerabilities and continuing in July resolving about half that many.  There is a SQL patch this month which will need some attention in testing and there is also a .Net patch resolving a Security Feature Bypass.

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 7 bulletins are rated as Important.

Vulnerability Impact:

  • 3 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 4 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 2 bulletins address vulnerabilities that could lead to Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions
  • Microsoft SQL Server
  • .Net Framework

Join us as we review the Microsoft and third-party releases for August Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, August 12th at 11 a.m. CDT.  We will also discuss other product and patch releases since the July Patch Tuesday.

You can register for the Patch Tuesday webinar here.

This Week in Patching – 1/11/2013

Happy New Year.  I hope IT administrators got some much needed patching rest over the past couple of weeks.  2013 is started out quite heavy in the world of patching.

This week was highlighted by a busy Patch Tuesday.  You can read my write up on the January 2013 edition of Patch Tuesday here.

There were also other vendors releasing critical security bulletins on Patch Tuesday.  Adobe released two security bulletins.  APSB13-02 was pre-announced last Thursday as a part of their quarterly update for Adobe Acrobat and Adobe Reader.  Adobe Acrobat / Reader versions 9.5.3 / 10.1.5 / 11.0.1 address 27 vulnerabilities and are rate Critical.  Adobe security bulletin APSB13-01 was not pre-announced by Adobe, but I expected this bulletin to be released after Microsoft announced an update for Adobe Flash Player in Microsoft Internet Explorer 10 last Thursday was set to be released on Patch Tuesday.  APSB13-01 addresses 1 vulnerability in Adobe Flash Player versions 10 and 11 (as well as Adobe Air 3.5).

Mozilla also released security updates to coincide with Microsoft’s Patch Tuesday.  The most notable of the releases by Mozilla was the major update for Firefox.  Mozilla Firefox 18 contains new features as well as security updates.  For those organizations that do not want to roll out new features in their Mozilla products due to concerns of the new features breaking functionality, Mozilla is continuing their effort with the Mozilla ESR products.  These product updates contain new security fixes but do not contain new features.

Here is the details list of Mozilla updates released on Patch Tuesday:

  • Mozilla Firefox 18
    • Security update addressing 12 Critical, 8 High and 1 Moderate Mozilla Security Advisories (30 vulnerabilities)
  • Mozilla Firefox ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (19 vulnerabilities)
  • Mozilla Firefox ESR 10.0.12
    • Security update addressing 8 Critical and 4 High Mozilla Security Advisories (14 vulnerabilities)
  • Mozilla Thunderbird 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla Thunderbird ESR 10.0.12
    • Security update addressing 8 Critical and 3 High Mozilla Security Advisories (18 vulnerabilities)
  • Mozilla Thunderbird ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla SeaMonkey 2.15
    • Security update addressing 12 Critical, 7 High and 1 Moderate Mozilla Security Advisories (26 vulnerabilities)

 

The other notable updates this week were released on Thursday.  Google updated their Chrome and Chrome Frame browser with version 24.0.1312.52.  This new version fixes 24 vulnerabilities and includes an updated version of Adobe Flash Player that was released by Adobe on Patch Tuesday.  In the past year, Google has been in sync with Adobe on Adobe Flash Player releases.  Interestingly, Google’s release came two days after the Adobe Flash Player release.

There were also some non-security updates released on Thursday.  MozyHome and MozyPro updated their programs with version 2.18.2.244.  Microsoft released a new version of Skype with 6.1.0.129.  This version now integrates with Microsoft Office Outlook contact.

Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Overview

To ring in the New Year, today Microsoft has released seven new security bulletins addressing 12 vulnerabilities.

However, the most notable headline from this Patch Tuesday is a security bulletin that was not released.  On December 29, 2012, Microsoft released a security advisory (2794220) informing administrators of a vulnerability in Internet Explorer was currently being exploited.  Microsoft provided a non-security update to prevent exploitation to that vulnerability.  Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability.  As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible.  Only Internet Explorer browser versions 6, 7 and 8 are affected by this vulnerability.

Of the seven Microsoft security bulletins released for the January 2013 edition of Patch Tuesday, administrators should look at patching MS13-002 first.  Microsoft has identified a vulnerability in Microsoft XML Core Services.  If an unpatched systems browses to a malicious website, an attacker can gain remote code execution.

The other browsing threat this month that needs attention from administrators is MS13-004.  In this security bulletin, Microsoft is addressing a vulnerability in their .NET software application.  If an unpatched machine browses to a malicious website, an attack can gain elevation of privilege on that machine.

The other critical update this month (MS13-001) addresses a vulnerability in the Windows Print Spooler.  If a machine is set up as a print server, an attacker can send a malicious print job to the machine and gain remote code execution.  Security best practices call for printer servers to reside behind a firewall that only allows internal users to print to the print server.  A most likely attack scenario is for an attacker to already be on the internal network.

And as is becoming a recurring theme, this Patch Tuesday is not just a Microsoft-focused security day.  Several non-Microsoft software vendors have also joined in with releases of their own.

Adobe has released security bulletin APSB13-02 affecting all supported version of Adobe Acrobat and Reader.  This security bulletin is part of their quarterly update for Adobe Acrobat and Reader and was expected.

Adobe also released updates for their Air and Flash Player products.  These updates are security updates were not previously announced (APSB13-01).  With any Adobe Flash Player update, Microsoft and Google update their latest browsers to include the new release of Adobe Flash Player.

Mozilla also released new versions of their products.  Mozilla Firefox 18 are new versions of their product that only contain new features.  Previous versions of the Mozilla products also received updates that contain security fixes.

 

Given that the January 2013 Patch Tuesday does not include a security update for the zero-day Microsoft Internet Explorer vulnerability, there is a good chance we will see an out-of-band update from Microsoft before the February 2013 Patch Tuesday.  Microsoft will continue to monitor the threat landscape and decide if this zero-day vulnerability warrants and out-of-band release.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 1/4/2013

Patching quietly came to an end for 2012, and 2013 is starting off with a bang.  Here is a quick recap of the happenings in patch management this first week of the New Year:

On Wednesday, a new version of CDBurnerXP was released with version 4.5.0.3717.  This new version is a non-security update.  On Friday, Google released a non-security update for their Picasa program with version 3.9.136.120.

Microsoft announced their January 2013 Patch Tuesday Advance Notification.  You can read my write up here on the upcoming Patch Tuesday notification details.  In addition to the seven Microsoft security bulletins being released next Tuesday, there are quite a few non-Microsoft patches expected to be released as well.

Adobe announced they will be releasing updates for their Adobe Reader and Adobe Acrobat programs (versions 9/10/11).  These updates are rated as critical and are part of their quarterly update for Adobe Acrobat and Reader, which falls on this January Patch Tuesday.

In addition, Mozilla is lining up to release updates as well for their products.  You can expect updates for their Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey products.

On Microsoft’s preannouncement page for upcoming non-security updates, they have listed Adobe Flash Player for Internet Explorer 10.  With this in mind, expect updates from Adobe for Adobe Flash Player and Google Chrome on Patch Tuesday.  With every Adobe Flash Player release, Microsoft and Google update their browsers to supply the latest version of the Flash Player program.

On the Microsoft Security Advisory front, Microsoft released a new security advisory on Thursday.  Microsoft Security Advisory 2798897 addresses issues with fraudulent digital certificates.  This security advisory places the offending certificates in the untrusted certificate store on systems.  In June 2012, Microsoft released a tool that will run on systems and quickly moves revoked certificates to the untrusted certificate stores.  This tool aids administrators that want an easy and quick way to update certificate issues Microsoft finds.  This tool can be downloaded here.  For those that do not want to use the tool, Microsoft has provided patches for this certificate issue that can be applied to systems.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

Until Patch Tuesday, Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Advanced Notification

To ring in the New Year, Microsoft has announced their January 2013 advanced notification for Patch Tuesday.  The January 2013 edition of Patch Tuesday will be bringing seven security bulletins addressing 12 vulnerabilities.

Security Bulletin Breakdown:

  • 2 bulletins are rated as Critical
  • 5 bulletins are rated as Important
  • 2 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
  • 1 bulletin addressing a vulnerability that could lead to Security Feature Bypass
  • 1 bulletin addressing a vulnerability that could lead to Denial of Service

Affected Products:

  • All supported Microsoft operating systems
  • Microsoft Office 2003, 2007
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft Expression Web, Web 2
  • Microsoft SharePoint Server 2007
  • Microsoft System Center Operations Manager 2007, 2007 R2

If Adobe sticks to their previous release schedule, this Patch Tuesday will also include security updates for Adobe Acrobat and Reader during their quarterly update.  Adobe stated earlier this year that they were moving to a more standard cadence on Patch Tuesdays when necessary.  We could very well be seeing Adobe updates as the last time Adobe Acrobat and Adobe Reader were patched was during the October 2012 Patch Tuesday.

Mozilla is also on track to release an update for their Firefox browser during the week of Patch Tuesday with version 18.  Typically, Mozilla releases on the same day as Microsoft’s Patch Tuesday when their release cycle is during that week.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 12/14/2012

This week in patching was highlighted by Microsoft’s December 2012 Patch Tuesday.  Microsoft released seven security bulletins addressing 12 vulnerabilities.  You can read my full write up on Patch Tuesday here.

On the non-Microsoft front, Adobe released an update for their Adobe Flash Player and Air products.  Adobe Security Bulletin APSB12-27 addresses three vulnerabilities as is rated as Critical.  Adobe has started the trend of releasing security updates for Flash Player on Microsoft’s Patch Tuesday.  This trend will probably continue as Microsoft and Google both bundle Adobe Flash Player in their latest browsers.

On that note, Microsoft released an update for their security advisory (KB2755801) to include the latest version of Adobe Flash for Internet Explorer 10.  Google released an update on Patch Tuesday for their Chrome browser.  Google Chrome 23.0.1271.97 contains the latest version of Adobe Flash Player as well as addressing six Google Chrome vulnerabilities.

To wrap up Patch Tuesday, Apache released a new version of Tomcat for Windows with version 7.0.34.  This latest version of Tomcat is a non-security update.

On Thursday, Oracle provided updates for Java version 6 and 7.  Java 6 update 38 and Java 7 update 10 are non-security releases.  The next scheduled security update for Oracle Java is planned for February 19, 2013.  It is important to note that the next scheduled security update will be the last time Java version 6 will receive a security update.  At that time, Oracle will continue to provide security updates for Java version 7.  In the next few months, administrators should look at testing the upgrade for Java version 6 to version 7.  Java can be quite tricky to upgrade.  There are occasions where older software programs that rely on Java simply will not work with the latest version.  By June 18, 2013, administrators should be upgraded to Java 7.  That date will be the next scheduled security update after Java 6 has reached end of life for support.

On Friday, Apple provided updates for their iTunes product with version 11.01.  This update addresses non-security issues with their recent major upgrade in version 11.

Typically, the last two weeks of the year are very quiet for vendors releasing patches for their software.  If any vendor does release updates, I will be back next Friday with an update on the happenings in patch management.  If not, I will be getting a head start on ringing in the New Year.

Happy Patching and Happy Holidays!

 

– Jason Miller