June Patch Tuesday 2016

June2016PatchTuesdaySummary

I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. The urging is for companies to distribute Flash Player to get a proper enterprise agreement in place to distribute Flash Player. Most of you, however, are only concerned with updating Flash Player instances in place for any reason other than your willingness to distribute it intentionally.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/.  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below. User targeted vulnerabilities and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attacked image or PDF. The exploited would be embedded in this specially crafted content allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they will convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one of both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for Jscript and VBScript for three vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and Sharepoint that includes fixes for four vulnerabilities. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note. Each of these includes a vulnerability that has been publicly disclosed.

MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures, they should warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Flash Zero Day Closure, or maybe not…

FlashPlayerLogoIt was a confusing week for those tracking the Adobe Flash Player update.  Let me summarize what happened and what may still be lingering.

Flash Player did announce an Advisory on Patch Tuesday (APSA16-02) announcing a Zero Day vulnerability (CVE-2016-4117) which was detected in exploits in the wild.  The update for the Zero Day did not drop on Patch Tuesday.  Instead it was released on Thursday this week (May 12th) as bulletin APSB16-15.

As many of you are familiar with already, updating Adobe Flash Player is not a simple matter of updating a single product.  If you are running Internet Explorer, Chrome and Firefox and are using the Flash Player Plug-In you could have three more variations of Flash Player that need updating to fully resolve the vulnerabilities in a new release.  That is where the confusion set in this week.

On Patch Tuesday, Microsoft released MS16-064, which was the Critical update for Adobe Flash Player as it is bundled in Windows OS and IE versions.  This update documented the 24 fixes initially planned for release by Adobe in bulletin APSB16-15, but did not include the Zero Day vulnerability (CVE-2016-4117).  Today (Friday May 13th) Microsoft re-released MS16-064 to address the slight version update that included the exploited vulnerability.

What is a bit uncertain at the moment is Chrome.  When Flash Player updates occur, Chrome also needs to be updated to support the newer version of the Flash Player Plug-In.  The Chrome update this week came out before the Flash Player Zero Day was resolved.  Does this mean that they are only supporting the initial drop similar to Microsoft releasing on Patch Tuesday?

I will be doing my typical Patch Tuesday Round Up next week and will try to have answers by then on if there is still a bit of Zero Day hanging on the spring breeze or if we are good.

For updates like this and more relating to Patch Tuesday check out our webinars page for upcoming Patch Tuesday webinars and on-demand playback of previous Patch Tuesday webinars and presentations for download.

May Patch Tuesday 2016

ShavlikMay_PATCH02fMay’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053).  Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update?  Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?

In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.

Today, Adobe released bulletins for Adobe Reader, Cold Fusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.

MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188).  The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS its installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.

MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited (CVE-2016-0189).  This OS update is another that’s recommended to rollout as quickly as possible this month as it affects older versions of the OS and VMScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks such as a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains privileges equal to the logged on user, so running as less than administrator will mitigate the impact of exploit.

The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.

MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server.  On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.

Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.

Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.

With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player, Flash Plug-Ins in Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and for FireFox.

Join us tomorrow for the May Patch Tuesday webinar where we will discuss the bulletins in more detail.

April Patch Tuesday 2016

April_PATCH12f

April’s Patch Tuesday is looking and sounding like a spring weather forecast.  The forecast is calling for rain, but it turned out to be partly cloudy.  There has been some mixed feelings about a newly announced vulnerability, or vulnerabilities as it were, in Samba.

Badlock is a vulnerability recently identified in Windows and Samba. There are eight CVEs related to Badlock, categorized as man-in-the-middle and denial-of-service attacks. The primary CVE is CVE-2016-2118. This is a multi-vendor problem, so two CVEs were opened to track for each vendor.

CVE-2016-2118 is the vulnerability for Samba and CVE-2016-0128 is for Microsoft, and is related to MS16-047. CVE-2016-2110 describes a vulnerability in negotiation of NTLMSSP, which allows for a downgrade attack. Luckily, Windows 2003 and Vista have introduced ways to protect against this type of downgrade attack. The rest of the vulnerabilities are specific to Samba, versions 3.0.0 to 4.4.0.

Microsoft has released a total of 13 bulletins this Patch Tuesday, six of which are critical. Piecing the Badlock CVEs together, it seems the only MS Bulletin related to Badlock is MS16-047. This is an important update for SAM and LSAD Remote Protocols. Based on feedback from Badlock.org, PoC code will be introduced in the near future, so count this one as a public disclosure and treat it as a higher priority this month.

Aside from Badlock, there are three more public disclosures and three exploited in wild (Zero Days) this month. One of the three Zero Days is the Flash for IE Patch, which resolves 24 vulnerabilities, including CVE-2015-1019 Zero Day in Adobe Flash and AIR.

MS16-037 is the Internet Explorer Cumulative.  This bulletin is rated critical and resolves six CVEs, one of which is publicly disclosed (CVE-2016-0160). It’s important to note, many of the vulnerabilities can be mitigated by proper privilege management and use of the Enhanced Mitigation Experience Toolkit (EMET).

MS16-038 is an update for the Edge browser. This bulletin is also rated as critical and resolves six vulnerabilities. Similarly, most of the vulnerabilities are user-targeted and can be alleviated by proper privilege management.

MS16-039 is an update for Microsoft Graphics Component.  It is rated as critical and resolves four vulnerabilities, two of which have been detected in exploits in the wild.  The two Zero Days are CVE-2016-0165 and CVE-2016-0167, and should be considered a high priority for you this month. Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.

MS16-041 is an update for Microsoft .Net Framework. The bulletin is rated as important, but includes a public disclosure (CVE-2016-0148).  To exploit this vulnerability, the attacker would need to gain access to the local system, with the ability to execute a malicious application. Although it’s rated as important, the fact that is has a public disclosure puts this bulletin at higher risk of exploit.

MS16-046 is an update for Secondary Logon. This update is also rated as important and includes a publicly disclosed vulnerability (CVE-2016-0135). The attacker must first log on to the system, but after doing so, could run a specially crafted application that could exploit the vulnerability and take control of the system. Again, even though this vulnerability is rated as important, because it has a public disclosure, it’s at higher risk of exploit.

Adobe recently dropped a Flash update on April 7, 2016, and today, they updated their blog to say it also applies to Adobe AIR. This update included 24 CVEs, but most importantly, CVE-2016-1019, which is being actively exploited. With this vulnerability, an attacker could cause a crash on vulnerable systems, allowing the attacker to take full control of the affected system. This is a high priority update and should be pushed out to all systems without delay.

For Flash updates, keep in mind you need to update the plug-in for all of your browsers that have Flash installed. Today, Microsoft released the critical update for Flash Player for IE, and Google Chrome’s update also supports the latest plug-in. So if you are like me and run IE, Chrome, and Firefox, you may need to apply four separate updates to fully patch these Flash vulnerabilities.

Oracle is releasing their quarterly CPU next week on April 19th. Java will have an update and it will be critical, so be prepared for that. The January CPU included fixes for eight CVEs, seven of which were remotely exploitable without credentials and three that had CVSS scores of 10.0. Although it may sound like a lot, this was actually a smaller update, compared to 2015’s four. Last year, April 2015 was the smallest release with only 14 CVEs addressed, all of which were remotely exploitable without credentials and three that were CVSS 10.0.

Mozilla released Firefox 45.0.2 today, but reported no security fixes. This is great news and means we get a free pass on this one today! In case you’re counting, the last security Firefox update was Firefox 45, released on March 8, 2016.

I am going to end my Patch Tuesday blog  post with my new favorite quote from the closing statements of the Verizon 2015 Data Breach Investigations Report, specifically the section on Vulnerabilities: “The lesson here isn’t ‘Which of these should I patch?’ Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest.”

Join us tomorrow for the April Patch Tuesday webinar where we will discuss the bulletins in more detail.

March Patch Tuesday Round-Up

MarchPatchTuesday2016SumThings were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here and with it Microsoft has released MS16-036, which is the Flash plug-in for Flash Player Security Bulletin. Also, expect ANOTHER Google Chrome update to support the latest Flash plug-in version there as well.

Ok, so APSB16-018: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but lets focus in on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next lets talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagment.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.

 

March Patch Tuesday 2016

MarchPatchTuesday2016Sum

March Patch Tuesday has a great deal of updates, but no public disclosures or exploited vulnerabilities as of yet. Let’s start with what we know for sure: Microsoft has released 13 bulletins, five of which are critical and eight are rated as important. With these bulletins, Microsoft is resolving 39 total vulnerabilities this month. On the non-Microsoft front, Adobe is releasing two bulletins, rated as Priority 2 and 3, that resolve four vulnerabilities. Additionally, Mozilla FireFox 45 has been released and is rated critical, as it resolves 22 vulnerabilities.

First, taking a closer look at Microsoft, we have critical updates for Internet Explorer (MS16-023) and Edge (MS16-024), as expected. These updates resolve 13 and 11 vulnerabilities, respectively. Microsoft’s claim that Edge is more secure appears to be valid, although this month’s activity does not make that big of a difference. So far in 2016, IE has had 27 vulnerabilities, as compared to Edge’s 19. As you would expect, the vulnerabilities resolved in both browsers involve exploiting a user through specially crafted web content. In this situation, an attacker who convinces a user to click on specific content can gain the same user rights as the actual user. If that user is a full admin, the attacker would gain complete control of the system, allowing them to create accounts, install, remove apps and delete data, among other things.

10 of the Microsoft updates affect Windows, including the other three critical updates from Microsoft. MS16-026 resolves vulnerabilities in graphic fonts, while MS16-027 resolves vulnerabilities in Windows Media and MS16-028 resolves vulnerabilities in Windows PDF Library. In all three cases, the attacker would exploit vulnerabilities by convincing a user to open specifically concocted files and media content. As a result, the attacker would gain equal privileges as the current user; so least-privilege rules will reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 mitigates one of the vulnerabilities further by reducing the attacks privileges because they can only execute out of the sandbox.

Microsoft Office and Sharepoint are both affected by MS16-029, which is rated as important and resolves three vulnerabilities. For all of you ops guys out there, I know there is some uneasiness around patching Sharepoint because the updates cannot be rolled back easily if something goes wrong. If you are on a virtual machine, you can take a snapshot prior to the update. That way, if anything goes wrong, you can quickly revert back. If you are not yet virtualized, consider making the switch – doing so will make life a lot easier.

There are six more important updates affecting Windows components, including Kernel-Mode Drivers, USB Mass Storage Class Driver, Secondary Logon, and OLE. Last on the list is an update for .Net Framework. .Net is always interesting because you can have various versions on a machine. As a result, it can also take a bit longer to install updates for .Net. So, if your servers take a while to install updates, know that it’s due to multiple .Net versions requiring updates.

Now, switching to the non-Microsoft updates:

Mozilla has released FireFox 45, which resolves 22 total vulnerabilities, eight of which are critical. The vulnerabilities range from buffer overflows to font vulnerabilities, with the sheer number of updates making this update a priority for this month.

Adobe has released two bulletins so far. The first is APSB16-006, a Priority 3 update for Digital Editions that resolves a critical vulnerability. Although there is only one, it is critical and could lead to code execution; which makes me wonder about the priority. The second Adobe bulletin is for Adobe Acrobat and Reader. APSB16-009 resolves three vulnerabilities, including yet another critical that could lead to code execution. This bulletin is rated as a Priority 2.

While we haven’t seen it yet, there is evidence a Flash update could be on its way. If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it. This could signal the change in distribution that Adobe has warned us about for a few months now. Either way, if Flash Player drops, expect a bulletin from Microsoft for Flash for Internet Explorer, as well as an update from Google Chrome to support the latest plug-in and updates for Flash Player at the OS and FireFox plug-in levels.

Join us tomorrow for the March Patch Tuesday webinar where we will discuss the bulletins in more detail.

February Patch Tuesday Round Up

FebruaryPatchTuesday2016Sum

 

February’s Patch Tuesday had a number of updates, continuing into this week with Microsoft releasing a number of non-security updates today. There are reports of a few issues out there that you will want to be aware of.

The first is from the RDP Security Update (MS16-017) from last week. There were documented known issues involving the update when applied to Windows 7 running RDP 8.0. Multiple reboots may be required in that case. Our internal testing found the same could occur on Windows 8.1.

Another issue that has been reported, and also made some headlines, is an update for Office 2013 (KB 3114717) that has reportedly been freezing 32-bit Word 2013 on Win 7, 8.1, 10. We have not yet added support for this update due to the issue. Microsoft has recommended removal for those who have already deployed it. A re-release should be coming soon, at which time Shavlik will add support for this update.

There was also a Mozilla Firefox security update late last week. This included one critical security fix. There is only one vulnerability resolved in the release, but probably one you want to roll-out sooner rather than later.

 

 

 

 

February Patch Tuesday 2016

FebruaryPatchTuesday2016Sum

February Patch Tuesday started a bit early with Oracle releasing an out-of-band update for Java to resolve a critical vulnerability that allows DLL Hijacking. Microsoft has released 13 bulletins, six of which are critical, resolving a total of 42 vulnerabilities. Of the vulnerabilities being resolved, two have been publicly disclosed. We also have releases from Adobe for Flash and Photoshop, Mozilla for Firefox, and Google is expected to release a Chrome update with security fixes and support for the latest Flash Plug-In.

Starting with Oracle, the vulnerability resolved by Java 8u73 (CVE-2016-0603) affects many other products, but so far, Oracle and SUSE VirtualBox are the only vendors to release updates to resolve it so far. Researchers are still reporting additional products affected, but the notables include Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. So far there is no confirmation on the Firefox or Chrome releases resolving this vulnerability. Expect to see some more security release in the coming weeks.

As noted, Microsoft has released 13 total bulletins, six of which are rated as critical. Of the 42 vulnerabilities resolved, two have been publicly disclosed – these are part of MS16-014 (CVE-2016-0040) and MS16-015 (CVE-2016-0039). Public disclosures are a risk indicator that we use to rate threat risk, signaling a threat actor has a jump-start on the vendor and is able to exploit the vulnerability before companies can get an update in place. MS16-014 may only be rated as important by Microsoft, but the fact that it has a public discloser means it is at higher risk of exploit.

Here are some things to watch out for this month with Microsoft:

There is a Sharepoint update included in the Office bulletin, MS16-015. I know, all of your Sharepoint admins just cringed, but it has to be updated. This is a critical bulletin and has a publicly disclosed vulnerability, CVE-2016-0039. One of the complicating factors with Sharepoint is the fact that rollback is not an easy thing if something breaks. If you have not already done so, we highly recommend virtualizing your Sharepoint servers so you can take advantage of snapshot capabilities to roll back to a good state, in case something goes wrong.

MS16-014 is rated as important and affects the Windows Operating System. The threat around this bulletin should be considered high, as it does have a public disclosure. CVE-2016-0040 resolves a vulnerability with improper handling of objects in memory by the Kernel. According to the Microsoft bulletin, if exploited “an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The reason this is likely reduced in severity is because the attacker would need to log on to the system and then run a specially crafted application to exploit the vulnerability.

MS16-018 affects Kernel-Mode Drivers, so both MS16-014 and MS16-018 are making changes to Kernel behavior this month. As always, it is good to test Kernel updates thoroughly before deploying.

One change Microsoft made this month, that I hope is permanent, is making the Adobe Flash Player Plug-In update for Internet Explorer officially a Security Bulletin instead of a Security Advisory. This is a major change to how they have identified the Flash Player Plug-In updates in the past, and one that is warranted, because you have not completely resolved Flash vulnerabilities unless you’ve update the OS and all browser plug-ins. So keep an eye out for MS16-022, which is the critical update for Adobe Flash Player, for all currently supported versions of Windows and IE.

Speaking of Adobe Flash, APSB16-04 is a Priority 1 update resolving 22 vulnerabilities that should be on your priority list this month, especially since Adobe Flash has been highly targeted because it is so widely distributed. Remember, you need to update Adobe Flash, and Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.

Adobe Photoshop is a Priority 3 update this month that resolves for three lower severity security vulnerabilities.

Mozilla has released Firefox 44.0.1. So far, there’s no report on if security fixes were included in this release or not.

You can also expect to see a Google Chrome release coming out which will be resolve for some security vulnerabilities and will include support for the Flash Player APSB16-04 update. Do make sure this is on your priority list this month.

Join us tomorrow for the February Patch Tuesday webinar where we will discuss the bulletins in more detail.

Java releases out of band to start off Patch Week

java_logoOn Friday, Oracle announced a Security Advisory for Java that is out of their normal Quarterly CPU cycle. This udpate resolves one critical vulnerability that an attacker would need to exploit before Java is installed on the target system. Exploiting CVE-2016-0603 would allow the attacker to completely control the target system if exploited but, to exploit the vulnerability, an attacker would have to convince a user to open specially crafted content and this would have to occur before Java is installed on the target system using an installer older than the newly updated versions (6u113, 7u97, or 8u73).

Oracle is also recommending “users who have downloaded any old version of Java prior to 6u113, 7u97, or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later”. This would prevent an attacker from taking advantage of the vulnerability in the future. Since this vulnerability affects windows systems installing Java, current instances are not as urgent of a concern. The immediate action is to remove older versions and only install using the latest release for each version.

Happy Patch Week!

January Patch Tuesday 2016

2016_01_12_Patch

January 2016 is going to be anything but boring. Microsoft has a large lineup of updates. The bulletin list opens up 2016 with 10 bulletins — minus one. MS16-009 has been skipped and Microsoft went to MS16-010 instead. Is that a small joke relating to Windows 9 skipping to Windows 10? Maybe Microsoft doesn’t like the number nine for some reason. That oddity aside, Microsoft released six critical, three important and six public disclosures, along with a total vulnerability count of 26 resolved for January Patch Tuesday.

Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of lifes for Internet Explorer and Windows XP Embedded. Adobe announced a bulletin for Reader with an additional non-security release of Shockwave and Oracle is gearing up for its quarterly CPU, so expect Java to release next Tuesday, January 19.

Microsoft System Updates and End of Life Scheduling

Jan. 12 is a significant milestone for Internet Explorer support. Microsoft is releasing a final update for all supported IE versions, but after January it will only support the latest available for each Operating System. This means that for anything Windows 7 SP1 and later, you must be on IE 11 to continue receiving updates. There are a few exceptions for older operating systems that only supported up to IE 9 or 10. If you are still running applications or access sites that require IE 10 or earlier versions, you should plan to take some precautions. Restrict access to systems with outdated IE versions, virtualize them and close them off from direct Internet access. In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet, you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session.

Windows XP Embedded SP3 is also reaching its end of life today. It will be followed in a few months by Windows XP Embedded Point of Sale SP3, which is due to end on April 12. Retailers will start to sweat if you are still on those platforms after that date.

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. I am guessing there will be those who look into the registry hack that was used to trick Windows XP into thinking it was Windows XP Embedded POSReady 2009. If you have no other recourse, you may roll the dice on that, since POSReady 2009 is really just another distribution of Windows XP Embedded. Moving off of the end of lifed platform is still the best option though.

Oracle’s quarterly CPU is coming on Jan. 19. I mention it now as those of you running Java will definitely want to plan to roll that update out when it arrives next week as well. In 2015, the lightest of the Java updates included 14 CVEs, all of which were remotely executable without authentications. The rest had 19–25 vulnerabilities resolved with more than 15 being remotely executable without requiring credentials.

Microsoft January Bulletins

MS16-001 and MS16-002 are updates to Microsoft’s Internet Explorer and Edge browsers. Both are rated as critical, resolving two vulnerabilities each. The IE patch includes a public disclosure (CVE-2016-005), which puts it at a higher risk of being exploited.

MS16-004 is an update for Microsoft Office and Visual Basic. The bulletin is rated critical and resolves six vulnerabilities including two public disclosures (CVE-2016-0035, CVE-2015-6117).

MS16-005 is a critical update for the Windows Operating System resolving two vulnerabilities including one public disclosure (CVE-2016-009). This is also a Kernel-Mode Driver update. Thorough testing is always recommended. If an application patch goes wrong you can just reinstall, but if a kernel patch goes wrong it will be more severe.

MS16-007 is an important update for Microsoft Windows, which resolves six vulnerabilities including two public disclosures (CVE-2016-0016, CVE-2016-0018). There are a few known issues with this update. To be fully protected you also need to have MS16-001 for Internet Explorer. Windows 10 users who have Citrix XenDesktop should be aware that installing this update will prevent login. Microsoft recommends users uninstall XenDesktop and installing this bulletin, then follow up with Citrix for a fix for XenDesktop.

The way the issue is worded on the bulletin page makes it sound like Microsoft’s methods of updating Windows 10 (Windows Update, WSUS, SCCM) will not offer this update if XenDesktop is installed. It states “Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update.” So, if Windows 10 updates are all bundled, cumulative updates, this would mean that the January cumulative for Windows 10 would not be installed. That means all five bulletins that would affect Windows 10 would go unpatched until the issue is resolved.

MS16-008 is only rated as Important and no public disclosures, but it is a Kernel patch addressing Elevation of Privilege vulnerabilities. Thorough testing is recommended before rollout.

MS16-009 did not drop yet. This could mean it will not arrive until February, or it could come out of band. The last time we saw a bulletin be skipped in the order was an SQL update that dropped between Patch Tuesdays. Keep an eye out for this one in case it comes late. It will likely be a high priority if that is the case.

MS16-010 is an important update for Microsoft Exchange. No public disclosures or known issues, so recommendation is thorough testing and rollout in a timely manner.

Third Party Bulletins

Adobe has released one bulletin this month. APSB16-002 for Adobe Reader is a Priority 2 update resolving 17 vulnerabilities. The only other update from Adobe today was an update for Shockwave, which did not have an accompanying bulletin. APSB16-001 for Adobe Flash actually first dropped in late December with a re-release the next day resolving an Active-X issue. That release likely came early due to a known exploit in the wild (CVE-2015-8651). Ensure that the Flash update is rolled out if you have not already done so.

Join us tomorrow for the January Patch Tuesday webinar where we will discuss the bulletins in more detail.