January Patch Tuesday 2017

Patch Tuesday January 2017 Infographic
January 2017 Patch Tuesday has ushered in a new year of Patch Tuesdays with a manageable number of updates.

Adobe has released update APSB17-01 for Acrobat and Reader, keeping in line with the pattern of releasing an update every two to three months. This update includes 29 vulnerabilities, most of which allow for remote code execution. You will want to make sure this update is applied in a timely manner.

As expected, there is a Flash Player update. As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems, meaning Flash plug-ins for IE, Chrome and Firefox as well. Some of these will auto update; others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.

Microsoft has released a total of four bulletins, two of which are critical and publicaly disclosed. Microsoft is resolving 15 unique vulnerabilities this month, 12 of which come from the Adobe Flash update. It’s interesting to note that there is no rollup for Windows 8.1 or Server 2012 this month.

Other than Microsoft and Adobe, there are a few other updates available if you are using Foxit Reader, Skype, etc. Although there several of the Microsoft vulnerabilities have been publicaly disclosed, none of the them have been exploited and there are no zero days.

This could be the calm before the storm. We have not seen this light of a Patch Tuesday since January of 2014. Next month you should expect some adjustments and a heavier Patch Tuesday drop as Microsoft changes methodologies.

This is the last Patch Tuesday that Microsoft will be using security bulletins. After January 10, Microsoft will no longer be publishing traditional security bulletins as individual webpages, but instead will only be publishing security update information to the new Security Update Guide. I’m sure there are many questions about what this means and how it will affect everyone so, if you have not already seen the FAQ put together by Microsoft, I have provided a link here.

As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the January Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance.

January 2017 Patch Tuesday Forecast – Shavlik

Patch_Forecast01

Goodbye 2016; Hello 2017!

We have survived another year and what a year that was.

As we start off 2017, I am sure most of you have already heard about the joining of forces between LANDESK and Heat Software to further the expertise stronghold on security and patching. This marrying of the minds comes just in time for those who have not yet picked a new year’s resolution.  Now is the time to make a resolution to increase the health of your security posture and patch your systems regularly.

Even though there are no known zero days or hints of nasty exploits on the horizon, we all know that it is just a matter of time before someone will find something to hack and expose potential vulnerabilities. So, with that in mind, let’s start the year off with good habits and make sure we are following the steps to better Security Hygiene now that the holiday fun and distractions are behind us.

Steps to Better Security Hygiene

  • Make sure you have sanitized incoming email with junk mail and phishing filters. Remember that user targeted vulnerability is where some of the highest risk lies.
  • Make sure you have sanitized the machines and devices of users who have come into contact with public WiFi while traveling in and out of the office and private secured networks. Since users will likely browse the internet, open email with attachments, and in general be exposed to potential attack vectors daily, it is important to sanitize their machines with good signature, non-signature, and behavioral threat assessments.  Remember that signature based threat assessment alone is not enough anymore.
  • Make sure your systems are frequently patched, both the OS and software, and make use of least privilege rules and proper application control. Remember that preventative security measures can mitigate or eliminate 85% of the threats in today’s market.

Honorable Mentions

Chrome announced at the end of 2016 that beginning in the new year they will be identifying web pages as “Not Secure” if the page includes login or credit card fields AND the page is not served using HTTPS. For additional information on this announcement, see the following article posted on zdnet.com.

http://www.zdnet.com/article/chrome-will-begin-marking-http-pages-as-non-secure/

Your Patch Tuesday Forecast

Based on the trends we saw in 2016, the January 2017 Patch Tuesday will likely include updates for the following:

From Microsoft we are likely looking at around 1-4 installable packages:

  • OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
  • Office is likely since there were updates consistently pretty much every month in 2016.

From Adobe you can expect 1-3 updates:

  • Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all of 2016, so expect that update.
  • Adobe Reader and Acrobat both released an update back in October of 2016 and have been pretty consistently having an update every 2-3 months this year. Those two are a high possibility this month since they did not release last month.

From Chrome you may have 1 update this month:

  • Chrome released a beta version after last Patch Tuesday making it likely there could be an update on or around Patch Tuesday this month.

Total Update Accumulation 3-8 updates for Patch Tuesday next week.

As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, January 11th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

December Patch Tuesday 2016

PatchTues-Blog-Dec2016_v2

December Patch Tuesday has a flurry of exploits and public disclosures. Coming in to Patch Tuesday, we already had one zero day from Mozilla (CVE-2016-9079) which updated on November 30. Today, Adobe released nine bulletins, including a critical update for Adobe Flash that resolves a zero day (CVE-2016-7892). Microsoft is updating Flash for IE and also has five publicly disclosed vulnerabilities being resolved.

Starting with Firefox, Mozilla announced an update on November 30 that resolved a zero day in SVG Animation. This was identified in attacks targeting unmasking users of the Tor anonymity network. In an article from ZDNet, there was speculation from researchers that this exploit was very similar to an exploit known to have been used by the FBI back in 2013 that was used to unmask IP addresses of Tor users.

Today Mozilla is releasing version 50.1, which includes the Zero Day fix from 50.0.2, which released a couple weeks ago. If you have not already done so, ensure that Firefox is on your priority list this month.

Adobe has released nine bulletins today, but only one is rated as critical. I am sure most of you have guessed that it is for Flash Player and also includes a zero day.  APSB16-39 resolves 17 total vulnerabilities and the exploited CVE-2016-7892, which has been used in limited targeted attacks against Windows systems running Internet Explorer (32-bit).

According to an article from Threat Post, analysts from the Google Threat Analysis Group discovered the vulnerability and privately disclosed details to Adobe. Adobe did not have details around the specific attack and the Google researches have not disclosed any more detail publicly at this time.

As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems. This means Flash plug-ins for IE, Chrome and Firefox. Some of these will auto update, others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.

On to Microsoft. Microsoft has released a total of 12 bulletins, six of which are critical. Microsoft is resolving 42 unique vulnerabilities this month.

Aside from Flash for IE, Microsoft does not have any additional zero days to report, but they do have several public disclosures. A public disclosure means that enough detail has been released to the public to give a threat actor a jump start in developing an exploit. This puts their vulnerabilities at higher risk of exploit.

MS16-144 is a critical update for Internet Explorer that resolves eight vulnerabilities, three of which are publicly disclosed (CVE-2016-7282, CVE-2016-7281, CVE-2016-7202). Many of the vulnerabilities resolved in this update target a user through specially hosted websites and ActiveX controls and through taking advantage of user-provided content or advertisements or compromised websites.

MS16-145 is a critical update for the Edge browser that resolves 11 vulnerabilities, three of which are publicly disclosed (CVE-2016-7206, CVE-2016-7282, CVE-2016-7281). Similar to the IE vulnerabilities, many of the vulnerabilities resolved in this update target a user through specially hosted websites and ActiveX controls and through taking advantage of user-provided content or advertisements or compromised websites.

MS16-146 and MS16-147 are both rated as critical and affect components of the Windows Operating System. Both resolved vulnerabilities that would target a user and can be mitigated by running as less than a full administrator on the system.

MS16-148 is a critical update for Office, Sharepoint and Web Apps that resolves 16 vulnerabilities. Many of the vulnerabilities resolved in this update can target a user through specially crafted files. An attacker can also host specially crafted web content to exploit many of these vulnerabilities. CVE-2016-7298 is also able to use the Preview Pane as an attack vector.

MS16-155 is an important update for .Net Framework and resolves one vulnerability. Although only rated as important, this bulletin resolves a vulnerability that has been publicly disclosed (CVE-2016-7270), putting it at higher risk of being exploited.

There are additional bulletins from Adobe and Microsoft this month, but these are the bulletins that should be on your priority list for December.

As always, we will be running our monthly Patch Tuesday webinar, where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the December Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday

 

 

 

 

December Patch Tuesday Forecast

Patch_Forecast01

December is here and it finally snowed in Minnesota! In fact, we may get four to eight inches this weekend. So, my Patch Tuesday Forecast — like winter up here in MN was a little delayed — but better late than never! So get out your snow shovels and let’s dig in. There is already a little accumulation with a zero day hitting in late November. If you haven’t already done so, update your Mozilla Firefox browser!

On the Horizon

In the last week of November, it became clear to many security researchers that there was a flaw in Mozilla’s browsers and in TOR, a browser based on Firefox. CVE-2016-9079 is a critical use-after-free vulnerability affecting the SVG Animation component in Firefox. Researchers, such as Malwarebytes, have evaluated the vulnerability and have explained that the goal of this vulnerability “is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is run directly from memory.”

Although the observed exploits were only targeting windows, the vulnerability exists on Linux and Mac platforms as well. The exploit code also seems very similar to another Tor exploit used by the FBI as an investigative technique to track down child pornography suspects. It is not currently known where this code originated, but it’s a good example of a user-targeted vulnerability.

The Mozilla update became available on November 30 for Firefox, Firefox ESR and Thunderbird. If you are already caught up, you will want to make sure you include Mozilla in your updates this month.

Security Tip of the Month

December is also getting well into the cold and flu season, so this month’s security tip will follow the theme of security hygiene. I just returned from Las Vegas from the Gartner Data Center Conference where I attended a session by Neil MacDonald on security for cloud workloads. One of the things Neil mentioned was staring with a solid foundation, which he referred to as operations hygiene. I’m going to expand that out to a broader security hygiene message.

To stay well in the cold and flu season, you need to ensure you are getting rest and washing your hands, especially after coming into contact with someone who is sick or areas frequented by many people. You need to keep up on your vitamin C and drinking liquids in general. Similarly, with security we need to do the same.

  • Wash your hands – Make sure you have sanitized incoming email with junk mail and phishing filters.
  • Use some sanitizer after coming into contact with highly public areas – Your users who travel in and out of the company will come into contact with public Wi-Fi. Users will browse the internet, open email with attachments and, in general, be exposed to potential attack vectors daily. Make sure their machines are getting sanitized with good signature, non-signature and behavioral threat assessments. Signature-based threat assessment alone is not enough anymore.
  • Get your daily dose of vitamin C – Preventive security measures can defend against 80 percent of the threats in today’s market. Make sure you give your systems their shot of vitamin C in the form of patching the OS and software, use of least privilege rules and proper application control.

Your Patch Tuesday Forecast

Based on what trends we have seen this year I think it’s safe to say the following:

From Microsoft, we are expecting around two to four installable packages:

  • OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
  • Office has been very consistent this year with updates pretty much every month. The question is will this be a single update or a couple for Office, SharePoint and Web Apps. I would say one for office and a 50 percent chance of SharePoint/Web Apps.
  • .Net is also likely this month. .Net updates hit five of six patch Tuesdays in the first half of the year, and have been about every other in the later half.
  • You can also expect an IE update for Flash Player.

From Adobe, you can expect one to three updates:

  • Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all year, so expect that update.
  • Adobe Reader and Acrobat both released an update back in October and have been pretty consistently having an update every two to three months this year. Those two are a possibility this month.

From Mozilla, you can expect one update this month:

  • Mozilla’s update calendar is reflecting an update for Tuesday.

Total Update Accumulation four to eight updates for Patch Tuesday next week.

As always, catch our Patch Tuesday blog and commentary next Tuesday and sign up for our Patch Tuesday Webinar next Wednesday, December 14th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

 

 

 

November Patch Tuesday 2016

PatchTues-Blog-Nov2016

It’s Election Day! I hope you all voted or will be hitting the polls soon, as this election round has been one for the history books. November 8 also happens to be Patch Tuesday. While this is notably of far less concern than hitting the polls today, Patch Tuesday will be delivering updates from Microsoft, Adobe and Google this month and will, unfortunately, still require your attention tomorrow and in the weeks to come.

Microsoft has released 14 bulletins, six of which are rated as critical, resolving 68 unique vulnerabilities.  Two of the vulnerabilities have been exploited in the wild (Zero Days), and three of the bulletins contain public disclosures.

First off, we will get a little closure on the Adobe Flash/Microsoft Zero Day that was identified in October and to which Flash released an update on October 26 which resolved CVE-2016-7855. Microsoft has resolved CVE-2016-7255 as part of MS16-135.

Adobe has released another Flash Player update (which is rated as a priority one and resolves nine CVEs. If you haven’t already pushed the Flash update from October 26, ( ) this will be a high priority along with MS16-135.

Microsoft has a second Zero Day vulnerability this month (CVE-2016-7256). MS16-132 resolves an open type font vulnerability that can allow an attacker to remotely execute code. An attacker can target a user to exploit this vulnerability by crafting a document designed to exploit the vulnerability or by hosting a specially crafted website designed to exploit the vulnerability. The attacker would need to convince a user to click on or open the specially crafted content, but that’s really not a significant challenge. This bulletin should also be a high priority this month.

There are a number of public disclosures this month across several bulletins, which means enough information has been leaked to the public to give an attacker a head start on developing exploit code.  This increases the risk of exploit occurring for these vulnerabilities so we raise the risk level and priority of bulletins that contain public disclosures. See our Patch Tuesday infographics for more detail.

  • MS16-129 for the Edge browser resolves CVE-2016-7199 and CVE-2016-7209
  • MS16-135 for Windows resolves CVE-2016-7255 (which has already been exploited)
  • MS16-142 for Internet Explorer resolves CVE-2016-7199

Google Chrome went to beta last Wednesday. That along with another Flash Player update means we should expect a Chrome update in the foreseeable future. There is a chance it will come tonight, but it’s more likely to come in the next week. As always you will want to be sure that you have updated Chrome to support the latest Flash Player Plug-In.

If you have not already done so, you will want to make sure to include the Oracle updates from their Q4 CPU that released in October. This included a Critical Java JRE update as well as many other Oracle products.

November also marks the second month of the new servicing model. Here is what you should expect for actual packages to be deployed this month.

The Security Only Bundle (SB16-002) will include the following bulletins: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.

The monthly rollup (CR16-002) will include the following bulletins in addition to quality fixes and previous months’ updates: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.

As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the November Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday

 

November Patch Tuesday Forecast

windows8patchtuesday

Since October Patch Tuesday there has been a lot of activity. Oracle released their quarterly CPU including an update for Java JRE, Adobe resolved a Zero Day in Flash Player, our tip of the month, and a quick look at what to expect next week as Patch Tuesday hits.

On the Horizon

Actually more of a continuation from last month. On October 17th Oracle released their quarterly CPU including an update for Java JRE resolving seven vulnerabilities. All seven are remotely executable without the need for authentication and three of these have a CVSS score of 9.6. Java was actually on the lower end of total vulnerabilities addressed in an individual Oracle product for this CPU.  Ensure to include this update in your November testing if you have not already deployed it out.

Later in the month Adobe released a Critical Update for Flash Player resolving a Zero Day vulnerability (CVE-2016-7855). On October 26th Adobe released the update for Flash Player (APSB16-36) which started the clock for all the other vendors using the Adobe Flash Plug-In. When a Flash update occurs the plug-ins for Internet Explorer, Firefox, and Chrome also need to be updated.

Firefox uses the NPAPI version of Flash which was also released on the 26th.  The update for Flash for IE (MS16-128) released on October 27th plugging the Flash vulnerability. Google Chrome has two install options for Flash, one which relies on Chrome updating.  If you are using the Pepper Plug-In it was released on October 26th.  If you are using the traditional plug-in, this requires Google Chrome to be updated which occurred on November 1st.

In October, Microsoft changed their servicing model for pre-Windows 10 systems. I covered this extensively in a previous blog post, but there is a little ambiguity with Server 2016’s servicing model options. In a blog post from Microsoft they talk about a Security Only and a Security Quality option each month. This statement specifically caused several people to ask me some questions about how exactly Microsoft is handling updates on Server 2016.

“You can then have the flexibility to choose the security only update, or the quality update to build your patch management strategy around.”

The reality right now is Server 2016 updates are exactly like Windows 10. Cumulative bundles that include all updates that came before.  It will be interesting to see if a Security Only option does make itself available in November or sometime in the near future.  I expect a number of Microsoft customers would appreciate Security Only as an option for Server 2016.

Patch Management Tip of the Month

Exceptions: You can never push all patches. There is always an update that will conflict with business critical apps which cause exceptions. Documenting these exceptions and the reason they occurred is very important, but documenting an exception is just the beginning.

With each exception you are increasing risk. Each exception is an exposure that will potentially allow malware or ransomware into your environment or allows a threat actor to gain a foothold or move closer to proprietary information or user data.  With an exception you should also identify mitigating steps to reduce the risk. This may come in many forms, but here are some examples:

  • Least Privilege Rules will often mitigate the impact if an attacker is able to exploit a vulnerability. If you take a look at our Patch Tuesday infographics on our Patch Tuesday page you will see a column labeled “Privilege Management Mitigates Impact”.  These vulnerabilities will only gain the attacker equal rights as the user who is exploited.  If they are a full Administrator the attacker gains pretty much full access to the system. If they are running reduced privileges then the attacker must use an escalation of privilege vulnerability to gain sufficient permissions to do more.
  • Application Control will allow you to control what applications can be installed or run on a system and can effectively block most malware, ransomware, and other forms of attack. Application control can take many forms like Whitelisting or Blacklisting. These would be static application controls. More dynamic forms would include Trusted Ownership or Trusted Vendor rules. These are significantly easier to implement and maintain and also allow you to more easily rollout an effective Application Control Policy. The dynamic approaches are less commonly found, but we have a solution that can help there.
  • Containerization can effectively contain the more highly vulnerable user experiences like browsing the web and accessing email. Anything that occurs during these user experiences happens in a virtual container. If you have an exception on the system that is exposed by a phishing attack or drive by download the malicious payload whether a malvertising attack, ransomware, or some other form of malware would execute in the container and be separated from the physical system. Close the container (Browser or email, etc) and the threat goes away.

There are many other strategies to reduce exceptions from exposing too much risk like moving the sensitive application into a virtual environment and locking down access to that system to only require users, but this gives you some ideas. With every exception we recommend documenting the reason why it was made and the additional steps taken to reduce risk to the system.

Your Patch Tuesday Forecast

We are less than a week away from Patch Tuesday and as you can see there is a significant buildup of issues to deal with already. I would forecast that the 3rd party front is going to be lighter than normal for Patch Tuesday and we can expect an average workload from Microsoft on the order of ten or so bulletins total being released.

As always, join us for our Monthly Patch Tuesday Webinar next Wednesday November 9th as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

 

 

 

 

October 2016 Patch Tuesday

201610-infographic-Shavlik-Patch-October-sm

October Patch Tuesday will see some changes to how Microsoft and Adobe will be distributing updates.  There is a lot of buzz regarding Microsoft’s servicing changes to pre Windows 10 systems. October Patch Tuesday is the first release under this new servicing model, which we will talk about more in a moment.  There are a few changes for Adobe Flash Player starting this month that you will need to be aware of. We are expecting a Google Chrome release today and Oracle’s Quarterly CPU next week, so plan on updates for Java JRE and many other Oracle solutions.

Regarding Microsoft’s servicing model changes, Microsoft has basically consolidated all IE and OS bulletins into a single update. This will be served up in one of two ways: as a security only quality update or a security monthly quality rollup. The biggest difference between these is the security only is bundling each month’s security updates only. The rollup includes non-security fixes as well as being cumulative. I recently spoke with LANDESK CSO Phil Richards about this change and he provided some good feedback as far as the challenges companies may face. In last week’s Patch Tuesday Forecast, I also talked about some recommendations on how best to choose between the security only and the rollup options.

Adobe has changed their distribution for Flash Player, so you would need to get an agreement in place with Adobe to be able to get access to the Flash Player distribution page. Today also marks the final release of Flash Player ESR. So instead of a current branch and stable branch, Adobe will just have current branch. Since they are doing fewer feature changes to Flash Player, having a single branch simplifies their release model. The new distribution page included this notification:

flashesr

Oracle’s Quarterly CPU is coming next week on the 18.  Oracle releases on the first month of each quarter on the Tuesday nearest to the 17, which typically falls the week after Patch Tuesday. Watch for an update next week for Java and many other Oracle products.

Google Chrome should be releasing today. The Dev channel for Chrome Desktop updated late last week which usually indicates a Chrome release on Patch Tuesday or soon after. With a Flash Player update, they will be releasing to support the latest plug-in, but likely will have some additional security fixes as well.

Let’s break down the more severe of these bulletins.

Looking at the infographic you would see that Microsoft has released 10 bulletins today — five of which are rated as critical — and there are four unique Zero Day exploits across five of the bulletins. Now there are 10 bulletins, but the actual number of deployable packages is less. There will be the security only or security rollup, which will bundle MS16-118, MS16-120, MS16-122, MS16-123, MS16-124, MS16-125 and MS16-126 together in a single installer. For systems where you have installed a newer version of .Net you will have the .Net Rollup. Skype, Lync, Office and Flash are separate updates yet. So you could have as many as seven packages to deliver to some endpoints, but most will be getting around five actual packages to test.

MS16-118 is a critical update for Internet Explorer. This bulletin resolves 11 vulnerabilities including one Exploit in the Wild (CVE-2016-3298). There are multiple vulnerabilities in this bulletin that are user targeted, meaning the attacker can convince a user to open specially crafted web content to exploit the vulnerabilities. Several of the vulnerabilities can also be mitigated if the user is running as less than a full administrator, the attacker would only gain equal rights to the user reducing the impact if exploited.

MS16-119 is a critical update for Edge browser. This bulletin resolves 13 vulnerabilities including one Exploit in the Wild (CVE-2016-7189). Many of the vulnerabilities resolved in this bulletin are user targeted. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-120 is a critical update for .Net Framework, Office, Skype for Business, Lync and Silverlight. The bulletin resolves seven vulnerabilities including one Exploit in the Wild (CVE-2016-3393). This bulletin includes vulnerabilities that are user targeted. An attacker can host specially crafted web content or specially crafted document file designed to exploit the vulnerabilities. One of the vulnerabilities (CVE-2016-3396) can also be exploited through the Outlook Preview Pane. Users running with reduced privileges could reduce the impact if exploited.

MS16-121 is an important update for Office. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-7193).  An attacker could craft a file to send through email or by specially crafting web content designed to exploit the vulnerability. Users running with reduced privileges could reduce the impact if exploited.

MS16-122 is a critical update for Windows. The bulletin resolves one vulnerability. An attacker could exploit this vulnerability by convincing a user to open a specially crafted file from a webpage or an email message. The Outlook Preview Pane is an attack vector for this vulnerability. Users running with reduced privileges could reduce the impact if exploited.

MS16-126 is a moderate update for Windows. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-3298). This is the same CVE ID as the Exploit in MS16-118 for Internet Explorer. To fully resolve the vulnerability, both MS16-118 and MS16-126 must be installed. For Windows Vista and Server 2008, this means installing two separate packages. For newer Oss, both will be included in the security only or security rollup package.

MS16-127 is a critical update for Flash Player for Internet Explorer. This update resolves 12 vulnerabilities in Adobe Flash Player Plug-In for Internet Explorer. To fully resolve Flash Player vulnerabilities you must install updates for Flash Player, Flash for IE, Flash for Chrome and Flash for Firefox, so this could be multiple installable updates on a single system.

APSB16-32 is a priority one update for Adobe Flash Player. This update resolves 12 vulnerabilities. Many of the vulnerabilities are user targeted and, if exploited, could allow an attacker to take control of the affected system.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.

 

 

Patch Tuesday Forecast October 2016

windows8patchtuesday

October is here already and should be an interesting lineup of updates coming in the next few weeks.  There are also some things you need to know about servicing model changes from Microsoft and on distribution changes for Adobe Flash. Oracle is also going to be dropping their quarterly CPU this month.  Read on for more details:

On the Horizon

This is the month Microsoft will have its first delivery under the new servicing model and there is a lot of uncertainty amongst companies as to what really is going to change. I interviewed LANDESK CSO Phil Richards on the subject and he had a lot to say. You can check out the full interview here, but it boils down to this:

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

Oracle will be releasing their quarterly critical patch update this month. I always try to emphasize this as they will not release on Patch Tuesday, but on the following Tuesday. Oracle’s release schedule is the first month of each quarter on the Tuesday closest to the 17, which falls to Tuesday October 18 this month. The Oracle CPU always brings a lot of fixes for some pretty nasty vulnerabilities. Take July’s release for JRE. This update included 13 security fixes, nine of which were remotely exploitable without authentication. Four of these updates were rated as CVSSv2 9.6, are exploitable remotely without authentication, are rated as low complexity, meaning they are easier to exploit, and rate as high for confidentiality, availability and integrity. According to analysis by Verizon’s 2015 Data Breach Investigations Report, these would fit the pattern of vulnerabilities likely to be exploited within two weeks of release from the vendor.

Adobe has changed availability of Flash Player for distribution. This change has been looming for some time now. We first caught wind of this late last year and since they have pushed the date multiple times, but September 29 they finally took the plunge. From the distribution page you now get two directions to go: for consumers and for companies wanting to distribute. Follow the link to request approval for distribution. I personally went through the process and it was quick and painless and, once approved, you will receive details on how to access the enterprise-ready version of Flash Player for distribution in corporate environments.

Patch Management Tip of the Month

In a conversation I had yesterday with one of our customers, we shared details of the change Microsoft described in its blog and through other sources like the customers Microsoft TAM and talked through some scenarios to figure out a plan to proceed this month and going forward. Here is where we left the conversation understanding full well that “No plan survives contact with enemy.”

  • For systems currently in operation plan to test and rollout the October security bundle, which will include updates for IE and the OS in a single package. This package should be security-only updates and also should not be cumulative. In other words, if you need to exclude this bundle for any reason, you should be able to take November’s security bundle without it forcing application of the October security bundle. Expect to take the security bundle each month until you hit a situation where non-security updates (bug fixes) would force the need to apply the cumulative rollup.
  • For new systems implemented after the servicing model change, they are planning to start with the cumulative rollup until a point where they hit an exception, in which case they would switch to the security bundle for those systems until the event which caused the exception can be resolved, allowing application of the cumulative rollup once again.

And I will re-emphasize last month’s tip which is to expand your pilot group for application compatibility testing. Getting power users from the parts of your organization that rely on business critical apps will help you to ensure that these larger bundles of updates do not cause impacts earlier in the test process.  Many companies have test systems, but only validate some high level functionality like login to the system and basic data rendering. Many issues could occur deeper in legacy apps from rendering of PDFs to printing documents, etc. This year alone we have seen both PDF and GDI updates nearly every month from Microsoft. These are common components to be updated as they are high profile targets for user targeted attacks like phishing scams. A vulnerability exploiting a user is often the first point of entry into a company’s network.

Your Patch Tuesday Forecast

From this point on you can expect an average of three to four Microsoft updates. Under the new servicing model, we will typically see the Security Bundle (IE and OS updates), Flash for IE, .Net, Office and occasionally Sharepoint, SQL, Exchange and other applications.

Oracle will release on October 18, so expect a critical update for Java and many other Oracle solutions.

Adobe is due for an Adobe Acrobat and Reader update, so I am forecasting at least two bulletins from Adobe this month. Adobe Reader and Flash Player with likely use Acrobat as well. If Flash drops we will see the Flash for IE bulletin from Microsoft and plug-in updates for Google Chrome and Mozilla Firefox.

It has been nearly a month since the last Google Chrome release on September 15. They did a re-release late in the month, but with only a minor change. The beta channel for Desktop was updated yesterday so we are not far off. There is a good chance we will see a Chrome update on or before Patch Tuesday.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

September Patch Tuesday 2016

SeptemberPatchTuesday2016Sum

Patch Tuesday September 2016

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post.  This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen in under the new model and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things to don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves fives vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for exchange server that resolves three vulnerabilities. In reality, this update addresses more, as it includes Oracle Outside in Libraries which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system. Flash Player and plug-ins for IE, Chrome, and FireFox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.