March 2015 Patch Tuesday

In March of 2014, we saw five updates from Microsoft, which brought the year-to-date patch count to 16. Here we are in March 2015 and this month’s Patch Tuesday release is nearly equal to the total count for the first quarter of last year, and the year-to-date count is now just under double where we were in 2014.


The Critical count for March is five bulletins affecting Internet Explorer, VBscript, Text Services, Adobe Font Drivers, and Office.

The additional nine Important updates affect Netlogon, Windows Task Scheduler, Windows Kernel, Remote Desktop Protocol, JPEG and PNG file formats, Kernel Mode Drivers, Schannel, and Exchange.

The 14 bulletins resolve 43 vulnerabilities. MS15-018 resolves two publicly disclosed vulnerabilities: CVE-2015-0072, which has been detected in targeted attacks, and CVE-2015-1625. MS15-031 resolves a vulnerability (CVE-2015-1637) in Schannel that facilitates exploitation of the publicly disclosed FREAK technique.

One nice addition to the Bulletin Summary page is a new column linking to known issues for that bulletin. Three of the bulletins link to KB articles with links to product-specific pages, so you can see product-specific issues relating to the bulletin. MS15-022 is a great example, although a little scary at the same time. There are around 30 separate links to variations of Office, SharePoint, Viewers, etc.

The first five bulletins are critical and should be rolled out as soon as possible.

  • This month’s IE Cumulative (MS15-018) is rated as critical and resolves a number of memory corruption vulnerabilities, two elevation of privilege vulnerabilities, and a VBScript memory corruption vulnerability.
  • MS15-019 resolves the same VBScript vulnerability as MS15-018, but for the operating system. Older operating systems will be more susceptible to attack than the newer OSs.
  • MS15-020 resolves two vulnerabilities in the operating system, which could lead to remote code execution.
  • MS15-021 resolves eight vulnerabilities in Adobe Font Driver, which could lead to remote code execution.
  • MS15-022 resolves five vulnerabilities in Microsoft Office and SharePoint. Check out the link to known issues for this update. There are a lot of links to separate products/versions. At the time I wrote this blog I could view the bulletin level, but not the list of product-specific links on that page. Also, SharePoint updates typically cannot be rolled back. Test before deploying the SharePoint variations. If you are running on a Virtual Machine, you have the luxury of snapshots to make rollback possible.

All five of these updates are critical and all five of these updates resolve vulnerabilities that could be exploited through common social engineering techniques. One of the most common attacks still conducted regularly is phishing and email scams that convince a user to click on content that has been crafted to exploit vulnerabilities such as these. A recent example (Oct 2014) of an attack like this is the Sandworm attack, which targeted a known vulnerability in OLE to spy on NATO and EU machines. A weaponized PowerPoint attached to an email with a convincing enough message could convince at least some of the targeted users to open the attachment, allowing it to exploit the system. There are many cases where a vulnerability like this continues to be exploited well after an update has been released to plug the vulnerability.

The remaining nine updates are all rated as important.

  • MS15-023 resolves multiple vulnerabilities, the worst of which could lead to Elevation of Privileges.  This is one of two Kernel Mode Driver updates this month, which means you should definitely test before rolling out.  Typically if a kernel patch goes bad it would involve a blue screen.
  • MS15-024 resolves a vulnerability in PNG processing which could lead to Information Disclosure.
  • MS15-025 is the second Kernel Mode Driver update this month, so again, test before rolling out. It also resolves vulnerabilities which could lead to Elevation of Privilege. This bulletin also has some known issues. Check out the known issues on the KB3038680 page for more details (at the time of publishing, I was getting an Oops page).
  • MS15-026 resolves vulnerabilities in Exchange server, which could lead to Elevation of Privilege.  This is one of those rare bulletins which DOES NOT require a reboot.  Most require or ‘may’ require a reboot, which really means it will more than likely require reboot.
  • MS15-027 resolves a vulnerability in NETLOGON which could lead to a spoofing attack.
  • MS15-028 resolves a vulnerability in Windows Task Scheduler that could allow Security Feature Bypass letting the attacker execute tasks they should not have permissions to access.
  • MS15-029 resolves a vulnerability in Windows Decoder which could lead to information disclosure using a specially crafted JPEG.
  • MS15-030 resolves a vulnerability in Remote Desktop Protocol which could lead to a Denial of Service attack.
  • MS15-031 resolves a vulnerability in Schannel which could allow Security Feature Bypass using the FREAK technique, which was recently disclosed.

Join our Patch Tuesday webinar on Wednesday March 11th at 10am CDT to discuss the updates, priorities, and possible known issues to watch out for this Patch Tuesday.


February Patch Day Round-Up


February did not have a lot of issues from patches released on Patch Tuesday, but there are a couple of things that occurred that you may want to know about.

First is the update that was pulled from circulation after reports of systems hanging. An update for Visual Studio 2010 Tools for Office Runtime (KB3001652) reportedly started causing issues on Patch Tuesday. It was pulled later the same day.

Second, and probably the wider-impacting issue this month, was update MS15-009 breaking Cisco AnyConnect VPN clients. Microsoft has stated they will release a fix in March that should resolve the issue, but until then you have three workaround options:

1. Windows 8 compatibility mode for the app.

2. Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under Control Panel / Programs / Programs and Features: click “View installed updates” on the left, then locate and uninstall the update labeled with KB3023607. This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.

3. Per Cisco: Microsoft has released a Fix it patch providing a workaround for this issue. See KB 3023607:
https://support.microsoft.com/kb/3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim, which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.
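As an added example (not from the original post, Cisco, or Microsoft), the following PowerShell script audits a host for the workaround situation above: it checks whether the update the post names (KB3023607) is installed, whether an AnyConnect client is present, and only removes the update when explicitly asked to. It assumes the AnyConnect uninstall registry entry has "AnyConnect" in its DisplayName (an assumed pattern; confirm it against your own build).

```powershell
<#
  Added example, not part of the original post or of any vendor tooling.
  Reports whether KB3023607 (the KB number given in the post) and a Cisco
  AnyConnect client coexist on this host, and removes the update only when
  -Uninstall is passed. Assumption: the AnyConnect uninstall entry carries
  "AnyConnect" in its DisplayName.
#>
param(
    [switch]$Uninstall
)

$kbId = 'KB3023607'

# Get-HotFix lists the same installed updates that Control Panel's
# "View installed updates" shows, which is where the post says this one appears.
$hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue

# Search both the native and the 32-bit (WOW6432Node) uninstall hives.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$anyConnect = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AnyConnect*' } |
    Select-Object -First 1 -Property DisplayName, DisplayVersion

if (-not $hotfix) {
    Write-Output "$kbId is not installed on this host; nothing to work around."
    return
}
if (-not $anyConnect) {
    Write-Output "$kbId is installed but no AnyConnect client was found; leave the update in place."
    return
}

Write-Output ("{0} is installed alongside {1} {2}: this host is affected." -f
    $kbId, $anyConnect.DisplayName, $anyConnect.DisplayVersion)

if ($Uninstall) {
    # Removing the update also removes the IE security fixes it carries, which is
    # why the Fix it shim or compatibility mode is the better option where it works.
    $kbNumber = $kbId -replace '^KB', ''
    Write-Output "Removing $kbId with wusa.exe (no automatic restart)..."
    Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait
} else {
    Write-Output "Re-run with -Uninstall to remove $kbId, or apply Fix it 51033 / Windows 8 compatibility mode instead."
}
```

Run it from an elevated prompt; without -Uninstall it only reports, so it is safe to push through your management tooling as a pre-check.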

You can watch the On Demand February Patch Tuesday webinar or download the presentation for last month’s Patch Tuesday release. Also, sign up for the March Patch Tuesday webinar to discuss the updates released on Patch Tuesday, recommendations, and things to watch out for.

Patch Tuesday February 2015

It is February and already we have seen some excitement so far this year: Microsoft dissolving the ANS (Advanced Notification Service), Google’s Project Zero team rigidly adhering to their 90-day disclosure policy (disclosing a Windows vulnerability days before the January bulletin released, not to mention the disclosure of three high severity Apple vulnerabilities in late January), and a series of Flash Zero Days that were discovered in the wild and quickly turned around by Adobe. My take on each of these:

  • Microsoft ANS – I’m not a fan of dissolving this program. Not all companies may have used this to their full advantage, but customers of ours relied on the ANS to give them a couple of days’ jumpstart on prepping for their monthly maintenance. If Microsoft introduces patches to a product that has never been updated prior to the patch cycle, admins will need time to prep test machines. Now they will be condensing that time along with change control processes into a tighter window.
  • Google Project Zero disclosures – Anyone who has read my blogs or commentary before knows that I am a proponent of vendors being responsible about disclosures, but after a resolution is in place. Yes, the time to resolution is important, and for vendors who are negligent I fully agree with the Google stance. According to Chris Betz’s comments in a blog post just after Google’s disclosure of the Windows OS vulnerability, Microsoft had communicated to Google, prior to the 90-day date, that the update was coming just a couple of days later. What purpose did this disclosure serve other than to stir up a lively debate?
  • Flash Zero Days – I do not envy the Adobe Security Team so far this year. Browsers, browser plug-ins and media players are prime targets for hackers. They are on practically every device we use, so naturally they will become a target. I do think that the turnaround from discovery to resolution on these three instances was very fast, and I applaud the Adobe team for ensuring the resolutions were delivered quickly.

For February Patch Tuesday the non-Microsoft updates are going to be light this month. With three Zero Days in a row, Flash Player has had a number of updates pushed recently. Companies that have not pushed the most recent Flash Player updates should do so immediately. Since January there have been three Flash Player updates to cover a series of Zero Days discovered in the wild. The most recent update on Feb. 5 also included 17 other vulnerability fixes. The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January.

With the series of Flash Player updates, you will also need to push the latest IE Advisory 3021953 to update the Flash plug-in; otherwise you have not fully plugged the three Zero Days and additional vulnerabilities from the Flash releases.

Google Chrome also released an update prior to Patch Tuesday to accommodate the urgent Flash Player updates. The latest Chrome update includes the Feb. 5 Flash Player plug-in update along with 11 security fixes. This should be another high priority update for you this month. Google has announced a Beta Channel Update for Chrome, which usually indicates a release is not far off. I would expect it to be a feature release since Google shipped so many security fixes on Feb. 5.

Mozilla Firefox released an update last week resolving 10 security vulnerabilities. Four of these are Critical. This should be among your top priorities this month to get updated.

On the Microsoft front we will see a fairly average-sized Patch Tuesday. Three Critical and six Important updates have been released. The impact this month includes the operating system, Internet Explorer, Office, SharePoint and System Center Virtual Machine Manager.

Internet Explorer is a critical update this month. Having not pushed an update in January, it is no surprise that there are 41 vulnerabilities being resolved in this Security Rollup. Definitely a Priority 1 this month. One of these has been publicly disclosed.

There are two Critical updates for the Windows Operating System this month. The first is a Critical Kernel Mode Driver update, so test diligently lest you blow up the brains of the machine. Then we have a Critical update for Group Policy that could allow remote code execution. The VMM update applies to both server and client installs. If you have the admin console installed on the VMM server, you should update the VMM server patch first, then the administrator console patch.

There are no Critical updates for Office this month, but there are multiple Important updates, including a SharePoint update. The thing about SharePoint updates is the lack of rollback. Test adequately, especially if you have a lot of SharePoint plug-ins. If you have not already done so, you should look into virtualizing your SharePoint servers. The ability to snapshot the VM prior to updating will allow you to roll back even if the patch does not support it. If you are running VMware vSphere and Shavlik Protect, you can take advantage of our snapshot feature to do a pre-deploy snapshot automatically during the patch process.

Here is a bulletin-by-bulletin summary of the updates you should be planning for this February (first three released prior to Patch Tuesday):

APSB15-04: Security updates available for Adobe Flash Player
Vendor Severity: Priority 1
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 18 (+2 more if you have not pushed APSB15-03 yet)
Impact: 1 Zero Day currently being exploited in the wild (+2 more if you did not push -03), use-after-free, memory corruption, type confusion, heap buffer overflow, buffer overflow, and null pointer vulnerabilities.

Chrome 40.0.2214.111 : Stable Channel Update
Vendor Severity: High
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 11 (Also includes support for latest Flash plug-in)
Impact: 3 Highs resolving use-after-free, cross-origin-bypass, and privilege escalation

Firefox: 34 and 35 updates
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 10
Impact: 4 critical updates resolving sandbox escape, read-after-free, memory safety, and an update to the OpenH264 plug-in. Also includes uninitialized memory use, origin header, memory use, wrapper bypass and other vulnerability fixes.

MS15-009: Security Update for Internet Explorer (3034682)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 41 (1 is publicly disclosed)
Impact: Remote Code Execution, Security Feature Bypass

MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 6 (1 is publicly disclosed)
Impact: Elevation of privilege, Security feature bypass

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 1
Impact: Remote code execution

MS15-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 3
Impact: Remote Code Execution

MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1 (publicly disclosed)
Impact: Security Feature Bypass

MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Security Feature Bypass

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

MS15-016: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Information Disclosure

MS15-017: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

Join us tomorrow on our monthly Patch Tuesday webinar as we discuss the priorities and pitfalls you will want to watch out for.

January 2015 Patch Day Round-Up

January Patch Tuesday has kicked off with a bit of contention. Google disclosed two vulnerabilities just days before Microsoft released bulletins resolving the issues. MS15-001 and MS15-003 likely would have been less of a concern if Google had not made the disclosure, but because of Google’s strict adherence to their 90-day disclosure policy, the vulnerabilities in question have been publicly disclosed, raising the risk of exploit.

Other than being publicly disclosed, there are no known issues around MS15-001.

MS15-002, an update for Telnet, is rated as critical, but most customers will not have to worry as the Telnet service is not configured on Vista or later OSs.  For Server 2003 the Telnet service is disabled by default.  Unless you are running Telnet, this update may not show up as being needed for your environment at all.

MS15-003 has a few issues occurring:

No known issues for MS15-004, MS15-005, MS15-006, or MS15-007 at this time.

MS15-008 has one report of an issue where the setup is a non-Windows DHCP/DNS server with 2003 DCs. After applying the patch to clients, they can no longer obtain a DHCP lease from the server. This seems like a unique situation that not many are likely to encounter.


December Patch Day Round-Up

Although it was not as large as the November Patch Tuesday, December’s Patch Tuesday still had some important updates to close out the year. Microsoft released seven bulletins, three of which were critical. The three critical updates affect Internet Explorer, Microsoft Office, and the VBScript engine. Also, the Exchange update (MS14-075), which was deferred from the November Patch Tuesday, did release this month.

The Microsoft side of Patch Tuesday does not seem all that daunting a challenge aside from the Exchange update. Adobe, on the other hand, has added a number of critical updates to the December Patch Tuesday, which effectively doubles the priority 1 list for the month. Adobe pre-announced an update for Acrobat and Reader, but on Patch Tuesday they also released updates for Flash, Shockwave, and ColdFusion. Shockwave and ColdFusion were lower priority updates, but the Flash update resolves a vulnerability which was already being exploited in the wild. We also have a couple of things for you to watch out for in today’s Patch Tuesday Round-Up.

Known issues to look out for:

  • KB3004394: An update for the Windows Root Certificate Program in Windows has caused some issues for companies. The update, when applied to Windows 7 or Server 2008 systems, has caused a few issues such as MMC functions requiring Administrator authentication even when logged on as an Administrator, the Windows Defender Service failing to start, and the Windows Update Service being unable to apply additional updates. KB3024777 has been released to fix the issue by removing KB3004394.
  • An issue occurred on Windows 10 Technical Preview where some users had to remove Office before they could apply the December update. The recommendation is to try applying the updates before going through the more tedious workaround of removing Office, installing updates, then re-installing Office. Most users will not see the issue.
  • “Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • Two of the November bulletins had re-releases for specific affected products: the MS14-066 (Schannel) update on Vista and 2008, and the MS14-065 (IE Cumulative) update on IE 8 for Windows 7 or 2008 R2 and on IE10. You will likely see some of those updates being reapplied this month. The recommendation is to do so, as the original fixes were not complete. In the case of IE, applying the December IE Cumulative will also resolve the issues in the re-release.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

Normally I would start with Microsoft, but your highest priority this month should be Adobe Flash, the Advisory for updating the IE Flash Plug-In and the Google Chrome update to update Flash.

  • APSB14-27: Security updates available for Adobe Flash Player – This update resolves six vulnerabilities, one of which (CVE-2014-9163) was discovered being exploited in the wild. The CVSSv2 base score for this vulnerability is a 10.0, which is the highest that can be assigned, and it is network exploitable, meaning an attacker does not need local network access or local access to exploit the vulnerability. Admins should ensure they update Flash this month, not only for this update, but also for the other two Flash updates that occurred since November. To fully patch Flash you must also apply the Advisory for IE and the Chrome release so you have updated the plug-in for both browsers.
  • MSAF-034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer  – Updates the Flash Plug-In for IE.  Nuff said.
  • CHROME-119: Chrome 39.0.2171.95 – Ditto on the Flash Plug-In.  Update it.  In addition Google released a Chrome update just after the November Patch Tuesday that included 42 security updates, including many High priority updates.  That is two very good reasons to update Chrome ASAP.
  • MS14-080: Cumulative Security Update for Internet Explorer (3008923) – This update is rated as Critical and resolves fourteen privately reported vulnerabilities in Internet Explorer.  Many of the vulnerabilities involve memory corruption, continuing a trend we have seen for most of 2014.
  • MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) – This update resolves two privately reported vulnerabilities in Microsoft Word and Office Web Apps, which could lead to remote code execution if exploited.  The attacker would gain rights equal to the logged on user, so running as less than a full admin could reduce the impact of this type of attack if exploited.
  • MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) –  This update resolves one privately reported vulnerability in the VBScript engine.  If exploited an attacker would gain equal rights to the logged on user.  If the user is a full admin, the attacker would gain complete control of the affected system.
  • APSB14-28 : Security Updates available for Adobe Reader and Acrobat – This update resolves 20 privately reported vulnerabilities in Adobe Acrobat and Adobe Reader.  The impacts vary, but the worst of these could lead to code execution.  Adobe rated the update as a Priority 1, the highest priority Adobe assigns.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) – This update is rated as Important and resolves four privately reported vulnerabilities in Microsoft Exchange server.  Originally slated for November, this update was held until the December release.  Also, if you wait for the cumulative updates before updating, you may want to read up on the latest here.  The Exchange 2010 CU8 ran into some issues and was pulled from circulation then re-released.  The updated RU8 package is version number 14.03.0224.002 if you need to confirm you have the updated package.
  • MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Office.  If you have not rolled this out yet please check on this article which I referenced in the known issues above.  “Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) – This update is rated as Important and resolves two privately reported vulnerabilities in Microsoft Excel.
  • MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) – This update resolves one privately reported vulnerability in Microsoft Graphics Component which could lead to information disclosure.

And that closes out December’s Round-Up.  Hopefully you all have your patching wrapped up before Christmas so you can relax, kick back, and enjoy the holidays.



Patch Tuesday Advanced Notification December 2014

This month is a bit quieter than last month’s barrage of patches, as there are only seven bulletins announced, of which three are Critical and four are Important.

The Microsoft Exchange patch (likely MS14-075) is on the list this month again and rated as Important. It resolves an elevation of privilege vulnerability. Admins who have been watching for when that patch may drop can rest assured that it will not be before Tuesday. As you may recall, this patch was held out of last month’s Patch Tuesday updates along with another out-of-band patch that was released later in November. With all of the changes at Microsoft recently, this practice of holding a patch could become a pattern. It is likely that less important patches will be released on a subsequent Patch Tuesday. However, more important patches that aren’t ready for Patch Tuesday will likely be released later in the month as they become ready for release.

There is a Critical Internet Explorer update this month as well. We have seen a steady trend of a Critical Cumulative Security Update for IE each month for some time. It may just become a regular fixture as all of the major browsers are getting a lot of attention in the white hat hacking community. We can safely say that this is going to become a Critical monthly occurrence.

There are two additional Microsoft Windows patches, one of which is rated as Critical, the other Important. The Critical update could allow for remote code execution, the Important update is an information disclosure vulnerability.

There are three updates for Microsoft Office including one Critical. All three Office updates resolve vulnerabilities, which could allow remote code execution.

Adobe released an update for Flash Player late in November, so maybe we will see a break in the nine-month streak of Flash Player updates on Patch Tuesday.  We will have to wait and see on that.

Google Chrome and Mozilla FireFox both released a couple of updates in the past few weeks, so we anticipate not seeing any additional Patch Tuesday updates from the other major browsers — unless we see a Flash update. In that case we could also see a Chrome update to support the plug-in.

Microsoft Security Bulletins:

  • 3 bulletins are rated as Critical.
  • 4 bulletins are rated as Important.

Vulnerability Impact:

  • 5 bulletins address vulnerabilities which could allow Remote Code Execution.
  • 1 bulletin addresses vulnerabilities which could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability which could lead to Information Disclosure.

Affected Products:

  • All supported Windows Operating Systems (Including the Technical Previews!)
  • All supported Internet Explorer versions.
  • Microsoft Office 2007, 2010
  • Microsoft Exchange 2007, 2010, and 2013

Join us as we review the Microsoft and third-party releases for December Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, December 10th at 10 a.m. CDT.  We will also discuss other product and patch releases since the November Patch Tuesday.

You can register for the Patch Tuesday webinar here.

For more information on Patch Management go here.

Different vendor perspectives on security and vulnerabilities. Which is right? You decide.


We rely on a lot of software in this highly connected world. We have things such as The Internet of Things, BYOD, Shadow IT. All of these trendy phrases mean we have a lot more riding on the software vendors that provide our connected world, but what are their views on security? By taking a look at some recent press you can start to paint a picture on some of the different perspectives that vendors have on security.

First, let’s take a look at Microsoft. Microsoft has a large following around Patch Tuesday and there is a lot of press and awareness about their security updates. They provide strong recommendations that updates should be applied on a regular basis. Microsoft also has a series of advisories they put out regarding issues that exist when no update has yet to be released. This proactive approach, and open disclosure about the risks to their customers, has been applauded by many, but also brings Microsoft under the gun when things go sour. This year, there have been a few patches that were either pulled or postponed due to quality issues.

For example, a recent Secure Channel (Schannel) update resolved a critical issue that experts say would be an enticing target for hackers. The update, however, has some known issues and has caused problems when applied to some systems. Despite these problems, Microsoft urged the update be applied as soon as possible. This article discusses the update and the impact of the known issues. What is the key take-away from this? That Microsoft prefers full disclosure when it comes to security issues.

Apple, on the other hand, has typically had a very closed-mouth take on security. Updates are typically released without much fanfare. When asked directly about security-related issues, they tend to deny an issue, or play it down, until a fix is available. They tend to lean more towards security by obscurity, or play down issues to be less than they are. While saying less, and preventing as many facts from being released as possible, may prevent some hackers from finding leads to where and what they can exploit, it has brought some scrutiny on Apple.

In this article, Apple addresses the ‘Masque Attack’ and plays it down, saying customers are safe. While Apple’s statement about the risk of exploit coming from third party sources may be true, the majority of exploits on any platform have some form of social engineering involved. The user is the weakest link in many exploits that occur. The team at FireEye definitely stresses a lot more concern than Apple regarding this form of exploit.

A third perspective is the vendor who is providing an application that is used by millions and is quite popular. Many other vendors fall into this category as well. The social media apps that are such an addiction for today’s culture often overlook security. The promises made by these vendors are taken at face value, but are they being met?

Snapchat recently had some issues that were in the news. ‘The Snappening’ was an attack dubbed by 4chan users, which ended up with over 100,000 pictures being captured and shared across the web. This included many questionable photos of a lot of minors. Snapchat has been criticized for misleading users about personal information privacy. The way Snapchat is designed has allowed third party developers to enhance the Snapchat experience, but the design also allowed account information and photos to be stolen. Snapchat’s response? Ban any accounts that utilize a third party app.

So what is the hypothetical result? An account is created by a hacker, the hacker gets some number of hours exploiting the weaknesses in the Snapchat API, gets some amount of data (account/personal info, pictures), then is banned. The hacker then starts the process over again. They create software to replicate the process of creating an account and going through the process over and over. How well do we think this will play out? Kids, nothing ever really goes away. Conduct yourself in all things on the Internet as if you were standing in front of a crowd. You never know where it may end up.

So we have three perspectives on software security. You can argue the benefits and deficits to each (and there are continuing arguments). Which do you feel is right? Which do you feel is effective? Let us know.


November Patch Day Round-Up

November Patch Tuesday was the biggest this year with 16 announced, but Microsoft only released 14 on Patch Tuesday and today we step up to 15 updates. As you may recall, two of the updates were not pulled from November, but marked as “Release date to be determined”. Well today is the day for MS14-068. Microsoft announced the Critical OS patch this morning. This update for Kerberos should make its way into your deployment plan if possible.

So if we run down the list of everything that will be touched this month when you patch, here is what will receive updates: All Windows OSs, All versions of IE, MSXML, .NET Framework, IIS (for specific OSs), RDP, Office, Sharepoint, AD Federation Services, and there is still the Exchange patch with a release date TBD. Aside from Microsoft there is the Adobe Flash update which resolved 18 vulnerabilities and there is a corresponding IE Advisory and Chrome release to update the Flash plugin.

Known issues to look out for:

  • There is an issue with the IE Cumulative and EMET that you will want to watch out for and rising concerns over how bad the Schannel (MS14-066) update really is.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) – This update is rated Critical by Microsoft and resolves two privately reported vulnerabilities in Windows OLE. One of the vulnerabilities resolved has been exploited in the wild (CVE-2014-6352) with an exploit known as ‘Sandworm’. The attack was targeted at NATO PCs through a specially crafted PowerPoint file.
  • MS14-065: Cumulative Security Update for Internet Explorer (3003057) – This update is rated Critical by Microsoft and resolves 17 vulnerabilities in Internet Explorer. Many of the vulnerabilities resolved are memory related, continuing a trend we have been seeing since June of this year. So far there is at least one known issue with this update. If you are running IE11 and EMET on Windows 7 or 8.1, you will also need to update EMET to version 5.1, which released this month as well.
  • MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) – This update is rated as Critical by Microsoft and resolves one vulnerability. The issue resolved is being compared to the Heartbleed OpenSSL vulnerability as far as severity. Although Microsoft has not received information to indicate this vulnerability has been publicly disclosed, the recommendation is to roll this update out ASAP. If a worm or mass botnet were developed to exploit this vulnerability, the impact could be significant.
  • MS14-067: Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958) – This update is rated as Critical and resolves one privately reported vulnerability in XML Core Services. An attacker could create specially crafted web content to exploit this vulnerability, allowing the execution of code on the exposed system.
  • MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) – This update has been rated as Critical by Microsoft. This update was postponed on Patch Tuesday, but was not pulled from the November release. Well, it released today. The vulnerability is in Kerberos and affects all Windows Operating Systems currently under support. It resolves one privately reported vulnerability in the Kerberos KDC, which could allow Elevation of Privilege. The attacker must have a valid domain user account, but with that user account they can forge a Kerberos ticket that will allow them to claim they are a domain administrator. From there they can do pretty much what they want, from creating accounts to installing software and deleting or changing data. They will have access to your network as a Domain Administrator. The update should be worked into your deployment plan this month as the vulnerability resolved is severe enough to warrant some urgency.
  • APSB14-24: Security updates available for Adobe Flash Player – This update is a Priority 1 update from Adobe resolving 18 vulnerabilities across many types of attack vectors. You will have OS and browser updates to completely resolve these vulnerabilities. This is for Flash on the OS.
  • MSAF-032: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – This Advisory is not rated by Microsoft, but following the Adobe rating of Priority 1, this update is recommended to push as soon as possible. This update allows Internet Explorer to run the latest Adobe Flash release, resolving the 18 vulnerabilities.
  • CHROME-116: Chrome 38.0.2125.122 – This update is not rated by Google as it resolves no known vulnerabilities in Chrome. This update does provide support for the Adobe Flash release. Again the severity here should be based on the Priority 1 that Adobe has set, and it should be rolled out as soon as possible to ensure all parts of Flash are updated, preventing any exposure to these risks.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-069: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710) – This update is rated as Important and resolves three privately reported vulnerabilities in Microsoft Office. An attacker could create specially crafted content to exploit these vulnerabilities, allowing them to execute remote code.
  • MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) – This update is rated as Important and resolves one privately reported vulnerability in Windows Server 2003 which could allow an attacker to exploit a vulnerability in TCP/IP, which could lead to an Elevation of Privilege attack.
  • MS14-071: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) – This update is rated as Important and resolves one privately reported vulnerability in Windows Audio Service, which could allow Elevation of Privilege.
  • MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) – This update is rated as Important and resolves one privately reported vulnerability in .NET Framework which could allow Elevation of Privilege.
  • MS14-073: Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431) – This update is rated as Important and resolves one privately reported vulnerability in SharePoint Foundation, which could allow Elevation of Privilege.
  • MS14-074: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743) – This update resolves one privately reported vulnerability in Remote Desktop Protocol, which could allow Security Feature Bypass.
  • MS14-075: “Release date to be determined”. Likely before December Patch Tuesday if MS14-068’s release today is any indication.
  • MS14-076: Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998) – This update resolves a privately reported vulnerability in Internet Information Services, which could allow Security Feature Bypass.
  • MS14-077: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) – This update resolves one privately reported vulnerability in Active Directory Federation Services, which could allow Information Disclosure.

Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):

  • MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (3005210) – This update resolves one privately reported vulnerability in IME Japanese, which could allow for Elevation of Privilege. The mitigating circumstances reduce the potential risk extensively, but this was discovered in the wild, so it has been publicly disclosed.
  • MS14-079: Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885) – This update resolves one privately reported vulnerability in Kernel Mode Driver, which could allow a Denial of Service attack. The steps to exploit this vulnerability would require the attacker to put a specially crafted TrueType font on a network share and require a user to navigate to it and open it. Chances are the attacker would find easier ways to exploit an environment, so this is less likely to occur.
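Once the priorities above are decided, the next question is which hosts still lack the OS-level updates. The script below is an added example (not Shavlik’s code or tooling): it maps the November bulletins to the KB numbers given in their titles above and uses the built-in Get-HotFix cmdlet to report which ones are absent on each host. The host names DC01 and FS01 are constructed placeholders; only the Windows/OS-component bulletins are included, because Get-HotFix does not report Office or SharePoint patches.

```powershell
# Added example (not Shavlik's code): compare a host's installed updates
# against the November 2014 OS-level bulletins listed above.
# KB numbers are taken from the bulletin titles on this page.
$november2014 = @{
    'MS14-064' = 'KB3011443'   # Windows OLE RCE (Sandworm)
    'MS14-065' = 'KB3003057'   # IE cumulative
    'MS14-066' = 'KB2992611'   # Schannel RCE
    'MS14-067' = 'KB2993958'   # XML Core Services RCE
    'MS14-068' = 'KB3011780'   # Kerberos KDC EoP
    'MS14-070' = 'KB2989935'   # TCP/IP EoP (Server 2003 only)
    'MS14-071' = 'KB3005607'   # Windows Audio Service EoP
    'MS14-072' = 'KB3005210'   # .NET Framework EoP
    'MS14-074' = 'KB3003743'   # RDP security feature bypass
    'MS14-076' = 'KB2982998'   # IIS security feature bypass
    'MS14-077' = 'KB3003381'   # AD FS information disclosure
    'MS14-079' = 'KB3002885'   # Kernel-mode driver DoS
}

function Get-BulletinStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [hashtable]$Bulletins = $november2014
    )
    # Get-HotFix reads Win32_QuickFixEngineering, which lists
    # OS/component updates installed through Windows Update or CBS.
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID
    foreach ($bulletin in ($Bulletins.Keys | Sort-Object)) {
        $kb = $Bulletins[$bulletin]
        [pscustomobject]@{
            ComputerName = $ComputerName
            Bulletin     = $bulletin
            KB           = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Usage: list the gaps across several hosts, Priority 1 bulletins first.
# 'DC01' and 'FS01' are placeholder host names.
$priority1 = 'MS14-064', 'MS14-065', 'MS14-066', 'MS14-067', 'MS14-068'
'DC01', 'FS01' | ForEach-Object { Get-BulletinStatus -ComputerName $_ } |
    Where-Object { -not $_.Installed } |
    Sort-Object { if ($priority1 -contains $_.Bulletin) { 0 } else { 1 } }, Bulletin |
    Format-Table -AutoSize
```

A row with Installed false means the KB is absent, not necessarily that the host is exposed: a bulletin that does not apply to the products on that host (MS14-070 on anything newer than Server 2003, MS14-076 where IIS is not installed) is also absent, and a bulletin’s per-product package KB can differ from the bulletin-level number, so confirm against the bulletin’s affected-software table before treating a miss as a finding.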


September Patch Tuesday Round-Up

This month may have been a light release from Microsoft, but there were still plenty of updates to deploy. Microsoft released four security updates, one of which was critical, resolving 42 vulnerabilities. On the Non-Microsoft front, there were releases from Adobe and Google to take note of. Adobe Flash had a Patch Tuesday release resulting in an IE advisory and a Google Chrome release to update the Flash plug-in. The Flash update resolved 12 vulnerabilities. There were no security updates for Office this month, but there were 18 non-security updates. One of those has run into some issues and had to be pulled. Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) – This update is rated as critical by Microsoft. It resolves 37 vulnerabilities which could allow for remote code execution. The updates are all relating to memory corruption issues. One of the vulnerabilities resolved (CVE-2013-7331) has been exploited in targeted attacks in the wild. There are a large number of vulnerabilities and one publicly exploited making this a high priority for update.
  • APSB14-21: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe. The update resolves 12 vulnerabilities which have a variety of impacts including memory corruption, bypass of memory randomization, code execution, bypass of same origin policy, and security feature bypass.
  • MSAF-029: Microsoft Security Advisory: update for vulnerabilities in Adobe Flash in Internet Explorer – This update allows Internet Explorer to support the latest Adobe Flash release which resolves 12 vulnerabilities and is rated as a Priority 1 by Adobe.
  • CHROME-111: Chrome 37.0.2062.120 – Resolves four vulnerabilities including one high priority vulnerability. The update also includes support for the latest Adobe Flash plug-in which puts it up in the priority list for this month.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-053: Vulnerability in .Net Framework could allow Denial of Service – This update resolves one privately reported vulnerability which could lead to a DoS, but by default an install of .Net will not be exposed to this vulnerability. The flaw is exposed if ASP.NET is installed and registered with an IIS server. This would require the customer to install ASP.NET manually.
  • MS14-054: Vulnerability in Windows Task Scheduler could allow for elevation of privilege – This update resolves one privately reported vulnerability in Microsoft Windows which could allow for elevation of privilege. The attacker must, however, have a valid logon credential and be able to log on locally to exploit this vulnerability.
  • MS14-055: Vulnerabilities in Microsoft Lync Server could allow Denial of Service – This update resolves three privately reported vulnerabilities in Microsoft Lync Server. The attacker must send a specially crafted request to the Lync Server to exploit this vulnerability.

Watch List:

  • Adobe delayed release of APSB14-20 – The update will be a Priority 1 from Adobe as it resolves several critical vulnerabilities. The release was delayed to the week of September 15, meaning it will drop any day now. Once it does, you can expect to bump this up to the Priority list for rolling out this month.
  • Office non-security patch pulled by Microsoft – Microsoft did not release any security updates for Office this month, but 18 non-security updates have released. An issue was discovered with KB2889866, an update for OneDrive, which would cause syncing to another user’s library to fail and moving of links, etc., to no longer be picked up by sync.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.

Patch Tuesday Advanced Notification September 2014

So far we have four bulletins announced for September 2014, one Critical and three Important. Back in August Microsoft put a hard deadline on implementing Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, making it so users need to install Update 1 in order to keep their systems updated.

The first patch Microsoft will be rolling out is for Internet Explorer and is Critical. For the past few months we have seen large numbers of vulnerabilities primarily around memory corruption and memory leaks being resolved in IE. It’s likely we are going to see a continuation of that trend that started back in June, but it’s probably going to be a fairly clean month for IE.

Of the three Important updates, there are two vulnerabilities that could result in a denial of service attack and one that could result in an elevation of privileges. These bulletins affect .Net Framework, the Windows Operating System and Lync Server. The .Net update is going to be the most important thing here and IT managers should make sure they are testing it adequately before rolling it out.

On the third party front, we are expecting an update from Opera any time now. They have updated their change log, but the new version (24) has not yet been made available on their downloads.

For Adobe we anticipate an update for Flash to be quite likely this month. So far in 2014 there has only been one patch Tuesday without a Flash update and that month there were two updates outside of patch Tuesday, one of which was a Zero Day. If there is a Flash release, you can expect a Microsoft Advisory update for IE to update the Flash plug-in and most likely a Google Chrome update to support the plug-in as well.

Microsoft Security Bulletins:

  • 1 bulletin is rated as Critical.
  • 3 bulletins are rated as Important.

Vulnerability Impact:

  • 1 bulletin addresses vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in a Denial of Service.
  • 1 bulletin addresses vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • .Net Framework.
  • Lync Server.

Join us as we review the Microsoft and third-party releases for September Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, September 10th at 11 a.m. CDT. We will also discuss other product and patch releases since the August Patch Tuesday.

You can register for the Patch Tuesday webinar here.