November Patch Tuesday 2015

2015_11_09 PatchTuesday01


November Patch Tuesday comes with 12 Microsoft bulletins and an update for Adobe Flash Player. For Windows 10 users there is the question of the Fall Refresh. It did not release today, but it’s likely not too far off. We may even see it on Thursday.

Microsoft has released four critical updates and eight important updates. The updates are mostly OS related, but there is an Office update and two other updates that affect Skype for Business. Four of the bulletins are resolving a vulnerability that has been publicly disclosed. This means that these four bulletins are a higher risk of exploit. For these, expect that in as few as two to four weeks there could be working code exploits taking advantage of these vulnerabilities.

If you look closely at MS15-113, the update for the Edge browser on Windows 10, you will see that it has been released for the Fall Refresh (Threshold 2). Expect that you’ll need to apply this after you upgrade to Windows 10 build 1511, which we expect on Thursday of this week.

MS15-115 resolves seven vulnerabilities in Windows, which could allow remote code execution.  CVE-2015-6109 is resolved by this bulletin and has been publicly disclosed. This particular vulnerability resolves an issue where an attacker could gain information on the location of the Kernal driver in memory. 

MS15-116 resolves seven vulnerabilities in Office, Sharepoint, Lync and Skype for Business, which could allow remote code execution. CVE-2015-2503 is resolved by this bulletin and has been publicly disclosed. This vulnerability on its own is not too terrible, but if used in conjunction with other vulnerabilities it could be used to elevate privileges. 

MS15-120 resolves one vulnerability in Windows, which could allow an attacker to cause a denial of service to systems running IPSec. CVE-2015-6111 is resolved by this bulletin and has been publicly disclosed. 

MS15-121 resolves one vulnerability in Windows, which could allow an attacker to exploit Schannel using a man-in-the-middle attack. CVE-2015-6112 is resolved by this bulletin and has been publicly disclosed. 

On the third party front, Flash player has released an update that includes 17 security fixes. This is a Priority 1 update and should be considered a high priority. Keep in mind that with Flash Player comes additional updates. You should expect plug-in updates for Internet Explorer, FireFox and Chrome today as well. You must update the Player instance and all browser plug-ins to be fully protected from these 17 vulnerabilities.

Join us tomorrow for the November Patch Tuesday webinar where we will discuss the bulletins in more detail.

April Patch Tuesday Round-Up

We are one week past April Patch Tuesday.  Taking a look back, XP’s End-of-Life may have been overshadowed a bit with Heartbleed and Update 1 for Windows 8.1 and Server 2012 R2.  Let’s start off by recapping Patch Day.

For those of you who caught our Patch Day webinar (playback found here), you may recall the recommendations we gave.  High priority on MS14-017 (plugs publicly disclosed Word vulnerability) and MS14-018 (IE Cumulative which also happens to be Update 1 for 8.1 and 2012 R2 systems).  These two updates are Critical and plug a number of vulnerabilities.  While still important, the other two Microsoft updates are a bit overshadowed by the 3rd Party updates for Adobe Flash and Google Chrome that released on Patch Day as well.  These two updates are also a high priority this month resolving 35 total vulnerabilities between the two of them.  That is triple the vulnerabilities resolved by the 4 Microsoft updates this month.

Let’s take a closer look at MS14-018.  When assessing machines you will see one missing patch on most systems, but for 8.1 and 2012 R2 you will see the missing IE patch and 5 additional updates that make up Update 1 with the biggest and most important being KB2919355.  Without this last one you will not be getting the next round of OS updates on 8.1 or 2012 R2.  Our sources have confirmed what Microsoft stated in their blog on April 10th, that newer patches will apply to 8.1 and 2012 R2 only if they have Update 1 applied.  By the way, you will not see or be able to install 2919355 unless you have applied an important non-security update 2919442 (MSWU-905) as well.  In our Content release on 4/15 we changed the designation of MSWU-905 from Non-Security to Security to ensure the majority of Protect users will see this patch and deploy it so 2919355 will be applicable to the system.

Now, you may have seen a lot of press around Update 1 causing issues on systems.  The biggest was impacting WSUS 3.2 if running in specific configurations.  This will NOT affect Shavlik Protect customers as we have no reliance on WSUS 3.2.  Other issues identified seemed to be around properly licensed systems and got more obscure from there.  Microsoft will be releasing fixes for these issues possibly later today.  A fix for the WSUS 3.2 issues (2959977) appeared yesterday, but a patch did not release.  It will likely release soon.   Recommendation for our customers, get Update 1 applied before May Patch Tuesday, but make sure to test the rollout to your environment.

Last week Thursday’s Content Release was Non-Security related.  There were many updates released, but nothing of a Security nature.  Yesterday, however, Oracle released a Critical Update for Java 7 update 55.  This update plugs 37 vulnerabilities, 4 of which were given CVSS scores of 10.0 which is the highest you can get.  This should be added to your priority list for this month.

Overshadowing everything this month is the OpenSSL vulnerability Heartbleed, which has quickly become a household name.  MPR, radio commercials, notifications to home users regarding services they use, pretty much everyone has now heard of Heartbleed.  Many vendors are still investigating their product portfolios to see how far reaching this vulnerability affects them.  As I posted last week on the Shavlik Blog, Protect customers, our products and services are covered, so you have nothing to worry about.  Evaluate all products running in your environments.  Check with your vendors as they are posting details around products and versions affected.  VMware, Oracle, and many others are still investigating some product lines, but most are identified as being vulnerable or not.  For VMware, the only version of the Hypervisor affected is ESXi 5.5.  Protect customers can upgrade to Protect 9.1 later next week when we make it available via an Early Access release, which will support updates on ESXi 5.5.  ESXi versions 5.1 and earlier, supported by Protect 9.0, are not affected.