October 2016 Patch Tuesday


October Patch Tuesday will see some changes to how Microsoft and Adobe will be distributing updates.  There is a lot of buzz regarding Microsoft’s servicing changes to pre Windows 10 systems. October Patch Tuesday is the first release under this new servicing model, which we will talk about more in a moment.  There are a few changes for Adobe Flash Player starting this month that you will need to be aware of. We are expecting a Google Chrome release today and Oracle’s Quarterly CPU next week, so plan on updates for Java JRE and many other Oracle solutions.

Regarding Microsoft’s servicing model changes, Microsoft has basically consolidated all IE and OS bulletins into a single update. This will be served up in one of two ways: as a security only quality update or a security monthly quality rollup. The biggest difference between these is the security only is bundling each month’s security updates only. The rollup includes non-security fixes as well as being cumulative. I recently spoke with LANDESK CSO Phil Richards about this change and he provided some good feedback as far as the challenges companies may face. In last week’s Patch Tuesday Forecast, I also talked about some recommendations on how best to choose between the security only and the rollup options.

Adobe has changed their distribution for Flash Player, so you would need to get an agreement in place with Adobe to be able to get access to the Flash Player distribution page. Today also marks the final release of Flash Player ESR. So instead of a current branch and stable branch, Adobe will just have current branch. Since they are doing fewer feature changes to Flash Player, having a single branch simplifies their release model. The new distribution page included this notification:


Oracle’s Quarterly CPU is coming next week on the 18.  Oracle releases on the first month of each quarter on the Tuesday nearest to the 17, which typically falls the week after Patch Tuesday. Watch for an update next week for Java and many other Oracle products.

Google Chrome should be releasing today. The Dev channel for Chrome Desktop updated late last week which usually indicates a Chrome release on Patch Tuesday or soon after. With a Flash Player update, they will be releasing to support the latest plug-in, but likely will have some additional security fixes as well.

Let’s break down the more severe of these bulletins.

Looking at the infographic you would see that Microsoft has released 10 bulletins today — five of which are rated as critical — and there are four unique Zero Day exploits across five of the bulletins. Now there are 10 bulletins, but the actual number of deployable packages is less. There will be the security only or security rollup, which will bundle MS16-118, MS16-120, MS16-122, MS16-123, MS16-124, MS16-125 and MS16-126 together in a single installer. For systems where you have installed a newer version of .Net you will have the .Net Rollup. Skype, Lync, Office and Flash are separate updates yet. So you could have as many as seven packages to deliver to some endpoints, but most will be getting around five actual packages to test.

MS16-118 is a critical update for Internet Explorer. This bulletin resolves 11 vulnerabilities including one Exploit in the Wild (CVE-2016-3298). There are multiple vulnerabilities in this bulletin that are user targeted, meaning the attacker can convince a user to open specially crafted web content to exploit the vulnerabilities. Several of the vulnerabilities can also be mitigated if the user is running as less than a full administrator, the attacker would only gain equal rights to the user reducing the impact if exploited.

MS16-119 is a critical update for Edge browser. This bulletin resolves 13 vulnerabilities including one Exploit in the Wild (CVE-2016-7189). Many of the vulnerabilities resolved in this bulletin are user targeted. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-120 is a critical update for .Net Framework, Office, Skype for Business, Lync and Silverlight. The bulletin resolves seven vulnerabilities including one Exploit in the Wild (CVE-2016-3393). This bulletin includes vulnerabilities that are user targeted. An attacker can host specially crafted web content or specially crafted document file designed to exploit the vulnerabilities. One of the vulnerabilities (CVE-2016-3396) can also be exploited through the Outlook Preview Pane. Users running with reduced privileges could reduce the impact if exploited.

MS16-121 is an important update for Office. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-7193).  An attacker could craft a file to send through email or by specially crafting web content designed to exploit the vulnerability. Users running with reduced privileges could reduce the impact if exploited.

MS16-122 is a critical update for Windows. The bulletin resolves one vulnerability. An attacker could exploit this vulnerability by convincing a user to open a specially crafted file from a webpage or an email message. The Outlook Preview Pane is an attack vector for this vulnerability. Users running with reduced privileges could reduce the impact if exploited.

MS16-126 is a moderate update for Windows. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-3298). This is the same CVE ID as the Exploit in MS16-118 for Internet Explorer. To fully resolve the vulnerability, both MS16-118 and MS16-126 must be installed. For Windows Vista and Server 2008, this means installing two separate packages. For newer Oss, both will be included in the security only or security rollup package.

MS16-127 is a critical update for Flash Player for Internet Explorer. This update resolves 12 vulnerabilities in Adobe Flash Player Plug-In for Internet Explorer. To fully resolve Flash Player vulnerabilities you must install updates for Flash Player, Flash for IE, Flash for Chrome and Flash for Firefox, so this could be multiple installable updates on a single system.

APSB16-32 is a priority one update for Adobe Flash Player. This update resolves 12 vulnerabilities. Many of the vulnerabilities are user targeted and, if exploited, could allow an attacker to take control of the affected system.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.



Patch Tuesday Forecast October 2016


October is here already and should be an interesting lineup of updates coming in the next few weeks.  There are also some things you need to know about servicing model changes from Microsoft and on distribution changes for Adobe Flash. Oracle is also going to be dropping their quarterly CPU this month.  Read on for more details:

On the Horizon

This is the month Microsoft will have its first delivery under the new servicing model and there is a lot of uncertainty amongst companies as to what really is going to change. I interviewed LANDESK CSO Phil Richards on the subject and he had a lot to say. You can check out the full interview here, but it boils down to this:

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

Oracle will be releasing their quarterly critical patch update this month. I always try to emphasize this as they will not release on Patch Tuesday, but on the following Tuesday. Oracle’s release schedule is the first month of each quarter on the Tuesday closest to the 17, which falls to Tuesday October 18 this month. The Oracle CPU always brings a lot of fixes for some pretty nasty vulnerabilities. Take July’s release for JRE. This update included 13 security fixes, nine of which were remotely exploitable without authentication. Four of these updates were rated as CVSSv2 9.6, are exploitable remotely without authentication, are rated as low complexity, meaning they are easier to exploit, and rate as high for confidentiality, availability and integrity. According to analysis by Verizon’s 2015 Data Breach Investigations Report, these would fit the pattern of vulnerabilities likely to be exploited within two weeks of release from the vendor.

Adobe has changed availability of Flash Player for distribution. This change has been looming for some time now. We first caught wind of this late last year and since they have pushed the date multiple times, but September 29 they finally took the plunge. From the distribution page you now get two directions to go: for consumers and for companies wanting to distribute. Follow the link to request approval for distribution. I personally went through the process and it was quick and painless and, once approved, you will receive details on how to access the enterprise-ready version of Flash Player for distribution in corporate environments.

Patch Management Tip of the Month

In a conversation I had yesterday with one of our customers, we shared details of the change Microsoft described in its blog and through other sources like the customers Microsoft TAM and talked through some scenarios to figure out a plan to proceed this month and going forward. Here is where we left the conversation understanding full well that “No plan survives contact with enemy.”

  • For systems currently in operation plan to test and rollout the October security bundle, which will include updates for IE and the OS in a single package. This package should be security-only updates and also should not be cumulative. In other words, if you need to exclude this bundle for any reason, you should be able to take November’s security bundle without it forcing application of the October security bundle. Expect to take the security bundle each month until you hit a situation where non-security updates (bug fixes) would force the need to apply the cumulative rollup.
  • For new systems implemented after the servicing model change, they are planning to start with the cumulative rollup until a point where they hit an exception, in which case they would switch to the security bundle for those systems until the event which caused the exception can be resolved, allowing application of the cumulative rollup once again.

And I will re-emphasize last month’s tip which is to expand your pilot group for application compatibility testing. Getting power users from the parts of your organization that rely on business critical apps will help you to ensure that these larger bundles of updates do not cause impacts earlier in the test process.  Many companies have test systems, but only validate some high level functionality like login to the system and basic data rendering. Many issues could occur deeper in legacy apps from rendering of PDFs to printing documents, etc. This year alone we have seen both PDF and GDI updates nearly every month from Microsoft. These are common components to be updated as they are high profile targets for user targeted attacks like phishing scams. A vulnerability exploiting a user is often the first point of entry into a company’s network.

Your Patch Tuesday Forecast

From this point on you can expect an average of three to four Microsoft updates. Under the new servicing model, we will typically see the Security Bundle (IE and OS updates), Flash for IE, .Net, Office and occasionally Sharepoint, SQL, Exchange and other applications.

Oracle will release on October 18, so expect a critical update for Java and many other Oracle solutions.

Adobe is due for an Adobe Acrobat and Reader update, so I am forecasting at least two bulletins from Adobe this month. Adobe Reader and Flash Player with likely use Acrobat as well. If Flash drops we will see the Flash for IE bulletin from Microsoft and plug-in updates for Google Chrome and Mozilla Firefox.

It has been nearly a month since the last Google Chrome release on September 15. They did a re-release late in the month, but with only a minor change. The beta channel for Desktop was updated yesterday so we are not far off. There is a good chance we will see a Chrome update on or before Patch Tuesday.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

September Patch Tuesday 2016


Patch Tuesday September 2016

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post.  This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen in under the new model and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things to don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves fives vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for exchange server that resolves three vulnerabilities. In reality, this update addresses more, as it includes Oracle Outside in Libraries which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system. Flash Player and plug-ins for IE, Chrome, and FireFox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.



Patch Tuesday Forecast September 2016

We are only a few days away from September Patch Tuesday and just for a bit of nostalgia I dug up this old image.  Circa 2010 Minimize the Impact of Patch Tuesday banner.


So, here are a few things to watch our for to help minimize the impact of Patch Tuesday, a quick tip to help you tune your process, and our forecast on what we think you should expect this month.

On the Horizon

Based on the sheer volume of questions I’ve had about this I’m going to go out on a limb and say that the servicing changes Microsoft plans to implement in October are a hot topic right now. Microsoft’s announcement to move all pre-Windows 10 OSs to the same bundled update model has stirred up concerns from their customers. I will start off with the same recommendation I have given everyone so far: keep breathing. But also know the facts. Microsoft will have a security bundle that will release each month that includes updates for IE and the OS. There will be a cumulative bundle option as well that will include non-security fixes and feature changes. The security bundle will be the way to go for most organizations.

The fallout from this event will be a more pronounced need for application compatibility testing. If you recall January’s Patch Tuesday, the Windows 10 cumulative update caused Citrix’s VDA Client to break. This is exactly the type of scenario companies I’ve spoken to are concerned about. Fortunately, Citrix worked with Microsoft and moved quickly to resolve the VDA incompatibility that the cumulative update caused. Microsoft updated its release to detect if VDA was installed, and if it was, then the cumulative update was not installed. This process left their customers exposed to many vulnerabilities in the January release, but Citrix turned a fix-around in short order and together they reduced the risk to their common customers to only a week of not being able to push the January updates.

But this was two software giants working together; the issues will be more pronounced with less common products or vertical specific products, such as healthcare devices or manufacturing systems that run on Windows systems. Home-grown applications and applications developed by vendors who are no longer in business may be less of a concern on Windows 10, but on older systems they are much more common. Which brings us to our tip of the month!

Patch Management Tip of the Month

Application compatibility is the biggest hurdle to effectively remediating software vulnerabilities. Most companies we talk to have an exception list of updates that conflicted with business critical applications. This has been a rising concern for companies as they evaluate Windows 10, and now will become a concern for their existing systems come October. The looming inability to pick and choose which updates to apply to their systems has many companies concerned. The reality is we will have less of a choice in the matter going forward, so what do we do?

Pilot Groups

One tip that I always stress when advising our customers is to have an involved pilot group. Many companies have a small set of test systems for the most critical of assets, but this falls short of truly ensuring you catch application compatibility issues quickly. What you need is to ensure you have a selection of power users in your pilot group to help you flush out issues quickly. These power users will be able to provide you better feedback, and they’re technically savvy enough to help you work through issues as you discover them.

Hitting a few power users who will keep their head and work with IT to resolve issues quickly helps reduce impact to the greater workforce. Someone from IT may be able to verify login works and some basic interfaces load, but the power users will get into the product and find the less obvious things, like updating broke print features or submitting a job or form. Most business managers quickly agree to this arrangement when you put it to them as a partnership where you will work with one or two of their best to keep the majority impact-free.

Your Patch Week Forecast

August was our lightest Microsoft Patch Tuesday this year tied with January at 9 Microsoft bulletins total; the average this year has been closer to 13 bulletins each month. I expect this month will be closer to the average if not a little above. Starting in October, this average will appear to drop significantly as the bulletins will become bundles instead, reducing the average number of Microsoft updates to around four or five each month. At that point, watching vulnerabilities resolved will be a more accurate indicator of how significant the month’s updates were.

On the non-Microsoft front, I would expect an Adobe Flash update, as we have not seen a Flash Player update since July, which is near an eternity in Flash Player terms. Also, be aware that Adobe has updated the looming end of open distribution of Flash message on the distribution download page. The end of September is the new cut off where you will need to have an Adobe ID and login to Adobe’s site to gain access to Flash updates if you need to distribute them internally. We will see if this is really the one.

Google Chrome just released this Wednesday, so plan to include that and some other recent third parties like Wireshark in your patching schedule this month.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

August Patch Tuesday 2016

Patch Tuesday Infographic

Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user targeted vulnerabilities and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to Ransomware. Plugging as many user-targeted vulnerabilities on the endpoints is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.

June Patch Tuesday 2016


I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. The urging is for companies to distribute Flash Player to get a proper enterprise agreement in place to distribute Flash Player. Most of you, however, are only concerned with updating Flash Player instances in place for any reason other than your willingness to distribute it intentionally.

For personal use, users are directed to go to https://get.adobe.com/flashplayer/.  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to http://www.adobe.com/products/players/flash-player-distribution.html.

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below. User targeted vulnerabilities and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attacked image or PDF. The exploited would be embedded in this specially crafted content allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they will convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one of both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for Jscript and VBScript for three vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and Sharepoint that includes fixes for four vulnerabilities. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note. Each of these includes a vulnerability that has been publicly disclosed.

MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures, they should warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Flash Zero Day Closure, or maybe not…

FlashPlayerLogoIt was a confusing week for those tracking the Adobe Flash Player update.  Let me summarize what happened and what may still be lingering.

Flash Player did announce an Advisory on Patch Tuesday (APSA16-02) announcing a Zero Day vulnerability (CVE-2016-4117) which was detected in exploits in the wild.  The update for the Zero Day did not drop on Patch Tuesday.  Instead it was released on Thursday this week (May 12th) as bulletin APSB16-15.

As many of you are familiar with already, updating Adobe Flash Player is not a simple matter of updating a single product.  If you are running Internet Explorer, Chrome and Firefox and are using the Flash Player Plug-In you could have three more variations of Flash Player that need updating to fully resolve the vulnerabilities in a new release.  That is where the confusion set in this week.

On Patch Tuesday, Microsoft released MS16-064, which was the Critical update for Adobe Flash Player as it is bundled in Windows OS and IE versions.  This update documented the 24 fixes initially planned for release by Adobe in bulletin APSB16-15, but did not include the Zero Day vulnerability (CVE-2016-4117).  Today (Friday May 13th) Microsoft re-released MS16-064 to address the slight version update that included the exploited vulnerability.

What is a bit uncertain at the moment is Chrome.  When Flash Player updates occur, Chrome also needs to be updated to support the newer version of the Flash Player Plug-In.  The Chrome update this week came out before the Flash Player Zero Day was resolved.  Does this mean that they are only supporting the initial drop similar to Microsoft releasing on Patch Tuesday?

I will be doing my typical Patch Tuesday Round Up next week and will try to have answers by then on if there is still a bit of Zero Day hanging on the spring breeze or if we are good.

For updates like this and more relating to Patch Tuesday check out our webinars page for upcoming Patch Tuesday webinars and on-demand playback of previous Patch Tuesday webinars and presentations for download.

May Patch Tuesday 2016

ShavlikMay_PATCH02fMay’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053).  Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update?  Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?

In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.

Today, Adobe released bulletins for Adobe Reader, Cold Fusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.

MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188).  The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS its installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.

MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited (CVE-2016-0189).  This OS update is another that’s recommended to rollout as quickly as possible this month as it affects older versions of the OS and VMScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks such as a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains privileges equal to the logged on user, so running as less than administrator will mitigate the impact of exploit.

The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.

MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server.  On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.

Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.

Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.

With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player, Flash Plug-Ins in Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and for FireFox.

Join us tomorrow for the May Patch Tuesday webinar where we will discuss the bulletins in more detail.

April Patch Tuesday 2016


April’s Patch Tuesday is looking and sounding like a spring weather forecast.  The forecast is calling for rain, but it turned out to be partly cloudy.  There has been some mixed feelings about a newly announced vulnerability, or vulnerabilities as it were, in Samba.

Badlock is a vulnerability recently identified in Windows and Samba. There are eight CVEs related to Badlock, categorized as man-in-the-middle and denial-of-service attacks. The primary CVE is CVE-2016-2118. This is a multi-vendor problem, so two CVEs were opened to track for each vendor.

CVE-2016-2118 is the vulnerability for Samba and CVE-2016-0128 is for Microsoft, and is related to MS16-047. CVE-2016-2110 describes a vulnerability in negotiation of NTLMSSP, which allows for a downgrade attack. Luckily, Windows 2003 and Vista have introduced ways to protect against this type of downgrade attack. The rest of the vulnerabilities are specific to Samba, versions 3.0.0 to 4.4.0.

Microsoft has released a total of 13 bulletins this Patch Tuesday, six of which are critical. Piecing the Badlock CVEs together, it seems the only MS Bulletin related to Badlock is MS16-047. This is an important update for SAM and LSAD Remote Protocols. Based on feedback from Badlock.org, PoC code will be introduced in the near future, so count this one as a public disclosure and treat it as a higher priority this month.

Aside from Badlock, there are three more public disclosures and three exploited in wild (Zero Days) this month. One of the three Zero Days is the Flash for IE Patch, which resolves 24 vulnerabilities, including CVE-2015-1019 Zero Day in Adobe Flash and AIR.

MS16-037 is the Internet Explorer Cumulative.  This bulletin is rated critical and resolves six CVEs, one of which is publicly disclosed (CVE-2016-0160). It’s important to note, many of the vulnerabilities can be mitigated by proper privilege management and use of the Enhanced Mitigation Experience Toolkit (EMET).

MS16-038 is an update for the Edge browser. This bulletin is also rated as critical and resolves six vulnerabilities. Similarly, most of the vulnerabilities are user-targeted and can be alleviated by proper privilege management.

MS16-039 is an update for Microsoft Graphics Component.  It is rated as critical and resolves four vulnerabilities, two of which have been detected in exploits in the wild.  The two Zero Days are CVE-2016-0165 and CVE-2016-0167, and should be considered a high priority for you this month. Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.

MS16-041 is an update for Microsoft .Net Framework. The bulletin is rated as important, but includes a public disclosure (CVE-2016-0148).  To exploit this vulnerability, the attacker would need to gain access to the local system, with the ability to execute a malicious application. Although it’s rated as important, the fact that is has a public disclosure puts this bulletin at higher risk of exploit.

MS16-046 is an update for Secondary Logon. This update is also rated as important and includes a publicly disclosed vulnerability (CVE-2016-0135). The attacker must first log on to the system, but after doing so, could run a specially crafted application that could exploit the vulnerability and take control of the system. Again, even though this vulnerability is rated as important, because it has a public disclosure, it’s at higher risk of exploit.

Adobe recently dropped a Flash update on April 7, 2016, and today, they updated their blog to say it also applies to Adobe AIR. This update included 24 CVEs, but most importantly, CVE-2016-1019, which is being actively exploited. With this vulnerability, an attacker could cause a crash on vulnerable systems, allowing the attacker to take full control of the affected system. This is a high priority update and should be pushed out to all systems without delay.

For Flash updates, keep in mind you need to update the plug-in for all of your browsers that have Flash installed. Today, Microsoft released the critical update for Flash Player for IE, and Google Chrome’s update also supports the latest plug-in. So if you are like me and run IE, Chrome, and Firefox, you may need to apply four separate updates to fully patch these Flash vulnerabilities.

Oracle is releasing their quarterly CPU next week on April 19th. Java will have an update and it will be critical, so be prepared for that. The January CPU included fixes for eight CVEs, seven of which were remotely exploitable without credentials and three that had CVSS scores of 10.0. Although it may sound like a lot, this was actually a smaller update, compared to 2015’s four. Last year, April 2015 was the smallest release with only 14 CVEs addressed, all of which were remotely exploitable without credentials and three that were CVSS 10.0.

Mozilla released Firefox 45.0.2 today, but reported no security fixes. This is great news and means we get a free pass on this one today! In case you’re counting, the last security Firefox update was Firefox 45, released on March 8, 2016.

I am going to end my Patch Tuesday blog  post with my new favorite quote from the closing statements of the Verizon 2015 Data Breach Investigations Report, specifically the section on Vulnerabilities: “The lesson here isn’t ‘Which of these should I patch?’ Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest.”

Join us tomorrow for the April Patch Tuesday webinar where we will discuss the bulletins in more detail.

March Patch Tuesday Round-Up

MarchPatchTuesday2016SumThings were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here and with it Microsoft has released MS16-036, which is the Flash plug-in for Flash Player Security Bulletin. Also, expect ANOTHER Google Chrome update to support the latest Flash plug-in version there as well.

Ok, so APSB16-018: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but lets focus in on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next lets talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagment.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.