August Patch Tuesday Round-Up

Patch Tuesday + 8 days. Another big month from Microsoft, and it has continued past Patch Tuesday with a Zero Day IE update (MS15-093). Recapping the risks we have seen this month: there are now three exploited vulnerabilities from Microsoft for August, and two vulnerabilities have been publicly disclosed, which increases the risk of exploit. Altogether, this is a busy month once again.

Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative update for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday cumulative update and two additional cumulative updates since Patch Tuesday (KB3081436, then KB3081438, which was the fix for the reboot loop, and KB3081444).

Here is the August summary:


For full playback of the August Patch Tuesday Webinar or to sign up for future Patch Tuesday Webinars check out our Webinars page.

Bring out yer dead! I’m not dead yet says Patch Tuesday


You can keep shouting “bring out your dead,” but Patch Tuesday is not dead yet. There is a large lineup this month on both the Microsoft and third party front, and even some Windows 10 updates to boot!

Patch Tuesday is always fun after a major security conference. We are going to see some fallout from the BlackHat conference last week, as security researchers showed off their skills with live exploits of popular browsers and plug-ins. Mozilla already released a security update last week and, for Patch Tuesday, we have updates for IE, Edge, Flash, Chrome and Java.

Microsoft

Microsoft has released 14 bulletins, four of which are critical. The critical updates affect Internet Explorer, Edge, Windows, .Net Framework, Microsoft Office, Microsoft Lync and Microsoft Silverlight. Two of the critical updates affect Office.

Exploits detected in wild:

  • MS15-081 CVE-2015-1642
  • MS15-085 CVE-2015-1769

Public disclosures:

Remember this is a risk indicator. If a vulnerability has been publicly disclosed, the chances of exploit are significantly higher.

  • MS15-079, MS15-081, MS15-088 – CVE-2015-2423 – To fully resolve this vulnerability you need to ensure that all bulletins that are affected by this vulnerability are updated.
  • MS15-080 – CVE-2015-2433 — MS15-080 is a critical update resolving 16 vulnerabilities across TrueType, OpenType, Office Graphics Component, and some Kernel and Shell security feature bypass vulnerabilities. This update will affect Windows 10 users and also is the one update this month that would affect Server 2003 customers and would be available if you have an extended support contract.

Windows 10 users can expect to see the IE update for IE 11 (MS15-079), MS15-080, MS15-085, MS15-088, MS15-091 (Critical update for Edge browser) and MS15-092.

Microsoft has changed the game up with its Windows 10 patches. Instead of releasing patches individually, it is now releasing patches in bundles. This makes it easy to patch systems, but it also means that users can no longer test patches individually before integrating them, which could be problematic if one patch causes issues.

Adobe

Adobe Flash has released an update today that resolves 35 vulnerabilities. The update is rated as a Priority 1.

Google

Google Chrome has an update available today to support the Flash Plug-In. It’s currently unclear if this update contained other security fixes, but the plug-in from Flash puts it in the Priority 1 bucket.

Java

There is an expected update from the Java team. Java 8u60 is a maybe for today. We have not seen it drop yet, but there is enough buzz going on to keep a wary eye open.

Mozilla

Mozilla Firefox had a security-related release last week to respond to some critical vulnerabilities. That update should be on your Priority 1 list this month. Firefox 40 is expected out at any time now, but it will be a feature update with new Windows 10 friendly features, not a security update.

Join us tomorrow for our monthly Patch Tuesday webinar, where we will discuss the updates, priorities, and related topics to keep you informed.

Protect 9.2 Sneak Peek: Patch Tuesday + X

Every month, you start your maintenance, not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month with all of the subsequent execution happening with that as the anchor: +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, +11 days Prod 1, etc. The problem is that Outlook-style recurring schedules do not anchor on that second Tuesday.

A couple times a year, a job scheduled to run on the second Thursday of the month will be thrown off because the second Thursday falls before the second Tuesday. Very problematic. So what you need is an anchor date to start your schedule from. The second Tuesday is the start of all your monthly maintenance, and Protect 9.2 has your solution. Observe:
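To show why anchoring matters, here is an added example (not Shavlik Protect code) that computes Patch Tuesday for a month, lays out a "Patch Tuesday + X" plan from constructed group names and offsets, and lists the months in which an Outlook-style "second Thursday" job would fire before Patch Tuesday:

```python
"""Patch Tuesday + X scheduling.

Added example, not part of Shavlik Protect. The group names and day offsets
in MAINTENANCE_PLAN are constructed from the spreadsheet pattern described
above (+1 test group 1, +3 test group 2, +5 dev 1, +9 dev 2, +11 prod 1).
"""
import calendar
from datetime import date, timedelta

# Constructed plan: (job label, days after Patch Tuesday).
MAINTENANCE_PLAN = [
    ("Test group 1", 1),
    ("Test group 2", 3),
    ("Dev group 1", 5),
    ("Dev group 2", 9),
    ("Prod 1", 11),
]


def nth_weekday(year: int, month: int, weekday: int, n: int = 2) -> date:
    """Return the n-th occurrence of `weekday` in the month.

    `weekday` uses the calendar module constants (calendar.MONDAY == 0 ...
    calendar.SUNDAY == 6), matching date.weekday().
    """
    first = date(year, month, 1)
    days_until_first = (weekday - first.weekday()) % 7
    return first + timedelta(days=days_until_first + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday is the second Tuesday of the month."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def anchored_schedule(year: int, month: int, plan=MAINTENANCE_PLAN):
    """Patch Tuesday + X: every job is an offset from the second Tuesday,
    so the order of the groups is preserved in every month."""
    anchor = patch_tuesday(year, month)
    return [(label, anchor + timedelta(days=offset)) for label, offset in plan]


def outlook_style_conflicts(year: int):
    """Months in which a job recurring on the 'second Thursday' would run
    BEFORE Patch Tuesday, i.e. the Outlook-style rule breaks the intended
    test-before-prod ordering. Happens whenever the 1st falls on a
    Wednesday or Thursday."""
    return [
        m for m in range(1, 13)
        if nth_weekday(year, m, calendar.THURSDAY, 2) < patch_tuesday(year, m)
    ]


if __name__ == "__main__":
    for label, when in anchored_schedule(2015, 8):
        print(f"{when.isoformat()}  {label}")
    print("Second-Thursday jobs run before Patch Tuesday in months:",
          outlook_style_conflicts(2015))
```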


So now you can set up all your recurring jobs exactly as they read from your patching maintenance spreadsheet. Ready to play? Beta@Shavlik.com starting soon.

 

WUB WUB WUB and Windows 10


Did you know that WUB is the new UNTS in Electronica Dubstep?  I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB.  Windows Update for Business.

There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.

Microsoft has been making some much needed changes to their development teams over the past year. They have announced a new quarterly release schedule that they are moving the product development teams to. They are also working to simplify the complexity of supporting updates for their products. The proposed changes will allow development teams to work toward quarterly releases and launch when prepared. Holding onto code that is already tested and ready to ship is very costly.

What do these changes mean for me as a user? Many of the applications you rely on will start to deliver usability and new-feature changes more quickly. Office 365 is a good example of the future of application delivery from Microsoft. New features can be delivered more frequently and users will be able to consume those changes much more quickly, bringing this experience in line with what we have come to expect from our mobile devices. The operating system and server solutions, like SQL Server, Team Server, SharePoint Server, etc., will likely be slower to move to these quarterly release schedules and remain for longer periods of time on the Patch Tuesday cadence.

With Windows 10, Microsoft is introducing some changes to the way updates will be delivered to systems. They are also introducing new features into what will now be known as Windows Update for Business. The new features will allow businesses to control the speed at which updates are rolled out to their systems. One of the most significant changes will be the update rings. There are different tracks that you can opt into that will give you more control over how fast updates are delivered to your systems. Between announcements earlier this year, and additional announcements at the Ignite 2015 show, there will be three or more rings that you can configure in WUB. A Current Branch and Long Term Service Branch have been confirmed, but, at Ignite, a Ludicrous Branch was also announced, which would push updates at a cadence similar to its namesake. Windows 10 Home editions will be limited on options to control what updates are applied to their system. The home-user editions of Windows 10 will update fairly quickly. This is the Current Branch. Current Branch receives new features, fixes and security updates as they release to Windows Update. For the majority of Home users, this will be an ideal experience.

Windows 10 Professional editions will have options for Current Branch or Current Branch for Business. The additional CBB allows businesses more flexibility about when the new features, fixes, and security updates are applied to their systems. Companies that use Microsoft’s free Windows Update for Business (WUB) or Windows Server Update Services (WSUS) will have the ability to defer new feature updates for Windows 10 for a period of time. Microsoft will maintain the current, and a previous branch, that these customers can reside on for a period of time without taking the feature changes. After the next branch is started, the previous branch stops receiving security updates, forcing these companies to move to the new-current or previous branch. Details on how long before companies would be forced to update have not been officially announced.

For those companies on Windows 10 Enterprise, there will be additional options available. These customers will have the ability to mix and match CB and CBB, but will also have access to a Long Term Servicing Branch. This branch allows companies to take only security fixes and defer new features and fixes of a non-security nature. Enterprise customers will be able to utilize all branches to suit the needs of systems in their environment. The Current Branch is for groups of users that have low risk of being impacted by new features and changes. The Current Branch for Business group may contain users with more specific application needs that may be sensitive to new features, changes and behavior. The CBB gives IT more time to accommodate those changes and educate users or respond to issues. The Long Term Servicing Branch is ideal for servers and other critical assets which need the security updates, but also need more control over what changes occur on the system.

There is a really good FAQ on the Microsoft Community which included many of the details described above and a clearer description of the

Service Branch / Options / Editions:

Current Branch
  Options:
  • Security Updates, Features and Fixes are automatically applied.
  • There is no option to delay or customize these updates.
  Editions:
  • Windows 10 Home

Current Branch for Business (CBB)
  Options:
  • CBB includes the requirements of the Current Branch, but also provides the option of customizing when and which Security Updates, Features and Fixes are applied, similar to how Windows Update works today in current versions of Windows.
  • Updates cannot be deferred indefinitely.
  • Windows Updates can be managed using enterprise management tools such as Windows Update for Business and/or WSUS.
  Editions:
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Education

Long Term Servicing Branch (LTSB)
  Options:
  • Only available to volume license customers running Windows 10 Enterprise.
  • Flexible options for managing Windows Updates.
  • Windows Updates can be customized to only accept Security Fixes.
  • Windows Updates can be managed using enterprise management tools such as Windows Update for Business and/or WSUS.
  Editions:
  • Windows 10 Enterprise

So is Patch Tuesday dead? According to a Microsoft spokesperson, “Windows Update for Business can take responsibility for the timely distribution of security updates for customers for free. Customers that choose to distribute updates themselves (or through a Patch Management Vendor) will continue to receive the updates on the 2nd Tuesday of the month.” For consumers, Patch Tuesday is a non-issue as their system will apply updates as they arrive, similar to their mobile device experience. Some of those may come on Patch Tuesday, but others will come as they are released. For Pro and Enterprise customers utilizing WUB, WSUS, or SCCM, security and other updates will still arrive on the 2nd Tuesday of the month, giving them predictability and control over what gets rolled out to their environment.

May Patch Tuesday Round-Up


There were a lot of updates released this month. A lot of the updates from Microsoft overlap each other. There is even a case of one patch replacing another within the 13 patches released this month. Here are some things to know as you continue through your patch process:

Several patches may apply multiple times to the same system. MS15-044 applies to multiple products including the OS, .Net, Office, Lync, and Silverlight. MS15-047 for Microsoft Silverlight is another update that overlaps in which files are being updated. MS15-048 for .Net also overlaps many of the other updates and could show as missing multiple times on the same system.

MS15-052 is replaced by MS15-055.  On Windows 8 and Server 2012 you need to install 052 before 055.  With Shavlik Protect you would just see MS15-055 in this case as it replaces MS15-052.

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which significantly increases the risk that they will be exploited.

MS15-050 is vulnerable on Windows 2003, but there is no update offered for this OS, as the changes required would need significant re-architecture. As 2003 reaches its End-of-Life, the number of unpatched vulnerabilities will increase.

MS15-055 resolves vulnerabilities in Schannel, but also includes additional security-related changes to TLS including increasing the minimum allowable DHE key length to 1024 bits.


May Patch Tuesday 2015


Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and affect the following Microsoft products: Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereferences, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on JavaScript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to deploy to resolve all of these vulnerabilities: Flash Player itself, Google Chrome (also released today), an update for Flash for Firefox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. An out-of-bounds read/write during JS validation could allow information disclosure, and memory safety bugs could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolved, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday. Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this month's Patch Tuesday lineup.

April 2015 Patch Tuesday


Patch Tuesday excitement is building. There is at least one known Flash vulnerability being exploited in the wild and one Microsoft vulnerability that has been publicly disclosed this month.

Microsoft has released 11 security bulletins this month, four of which are Critical, bringing the total to 42 security bulletins so far in 2015. This is more than twice the number of security updates released than last year at the same time.

From a vulnerability standpoint in April 2014 the CVE count for vulnerabilities resolved was at 72. We passed that count in March, with 76 vulnerabilities resolved. When this month’s 26 CVEs are included, we have a much higher total of 102 CVEs resolved to date.

The product and service impact for Microsoft this month includes the Windows OS, IE, Office, SharePoint, ADFS, .Net and Hyper-V. Two OS updates, the IE update, and the Office update are rated as Critical.

Flash Player is making its triumphant return to Patch Tuesday. Adobe is aware that exploits of CVE-2015-3043 exist in the wild. Between January and February’s Patch Tuesday there were three zero days resolved by two releases in the span of about two weeks. In March the release came on the same week; however, they came at the end of the week. APSB15-06 resolves 22 vulnerabilities and is rated as a Priority 1 update. This should make your list of priority updates to roll out this month.

With a Flash Player update you can always expect an Advisory for Internet Explorer and a Google Chrome update. Google Chrome has a large release covering 45 vulnerabilities including many High priority updates. That, together with the Priority 1 Flash plug-in, makes this release a high priority update when it arrives.

Oracle’s quarterly CPU is also occurring this month and happens to fall on Patch Tuesday. Oracle Java is resolving 15 vulnerabilities — all of which are remotely exploitable without authentication. The highest CVSS Base Score of these 15 vulnerabilities is a 10.0, which is the highest possible score. It goes without saying that Java should be a priority update this month. Three other Oracle products are resolving CVEs with a 10.0 CVSS Base Score. So if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, they all include vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.

Join us tomorrow for the Shavlik April 2015 Patch Tuesday webinar as we discuss the releases for this month, priorities, known issues, etc.

March 2015 Patch Tuesday

In March of 2014, we saw five updates from Microsoft, which brought the year to date patch count to 16. Here we are in March 2015 and this month’s Patch Tuesday release is nearly equal to the total count for the first quarter last year, and the year to date count is now just under double where we were at in 2014.


The Critical count for March is five bulletins affecting Internet Explorer, VBscript, Text Services, Adobe Font Drivers, and Office.

The additional nine Important updates affect Netlogon, Windows Task Scheduler, Windows Kernel, Remote Desktop Protocol, JPEG and PNG file formats, Kernel Mode Drivers, Schannel, and Exchange.

The 14 bulletins resolve 43 vulnerabilities. MS15-018 resolves one publicly disclosed vulnerability, which has been detected in targeted attacks (CVE-2015-0072), and CVE-2015-1625, which has also been publicly disclosed. MS15-031 resolves a vulnerability (CVE-2015-1637) in Schannel that facilitates exploitation of the publicly disclosed FREAK technique.

One nice addition to the Bulletin Summary page is a new column linking to known issues for that bulletin. Three of the bulletins link to KB articles with links to product specific pages so you can see product specific issues relating to the bulletin. MS15-022 is a great example, although a little scary at the same time. There are around 30 separate links to variations of Office, SharePoint, Viewers, etc.

The first five bulletins are critical and should be rolled out as soon as possible.

  • This month’s IE Cumulative (MS15-018) is rated as critical and resolves a number of Memory Corruption vulnerabilities, two elevation of privilege vulnerabilities, and a VBScript memory corruption vulnerability.
  • MS15-019 resolves the same VBScript vulnerability as MS15-018, but for the operating system. Older operating systems will be more susceptible to attack than the newer OSs.
  • MS15-020 resolves two vulnerabilities in the operating system, which could lead to remote code execution.
  • MS15-021 resolves eight vulnerabilities in Adobe Font Driver, which could lead to remote code execution.
  • MS15-022 resolves five vulnerabilities in Microsoft Office and SharePoint. Check out the link to known issues for this update. There are a lot of links to separate products/versions. At the time I wrote this blog I could view the bulletin level, but not the list of product specific links on that page. Also, SharePoint updates typically cannot be rolled back. Test before deploying the SharePoint variations. If you are running on a Virtual Machine, you have the luxury of snapshots to make rollback possible.

All five of these updates are critical and all five of these updates resolve vulnerabilities that could be exploited through common social engineering techniques. Among the most common attacks still conducted regularly are phishing and email scams that convince a user to click on content that has been crafted to exploit vulnerabilities such as these. A recent example (Oct 2014) of an attack like this is the Sandworm attack targeting a known vulnerability in OLE to spy on NATO and EU machines. A weaponized PowerPoint attached to an email with a convincing enough message could convince at least some of the targeted users to open the attachment, allowing it to exploit the system. There are many cases where a vulnerability like this continues to be exploited well after an update has been released to plug the vulnerability.

The remaining nine updates are all rated as important.

  • MS15-023 resolves multiple vulnerabilities, the worst of which could lead to Elevation of Privileges.  This is one of two Kernel Mode Driver updates this month, which means you should definitely test before rolling out.  Typically if a kernel patch goes bad it would involve a blue screen.
  • MS15-024 resolves a vulnerability in PNG processing which could lead to Information Disclosure.
  • MS15-025 is the second Kernel Mode Driver update this month, so again, test before rolling out. It also resolves vulnerabilities which could lead to Elevation of Privilege. This bulletin also has some known issues. Check out the known issues on the KB3038680 page for more details (at the time of publishing, I was getting an Oops page).
  • MS15-026 resolves vulnerabilities in Exchange server, which could lead to Elevation of Privilege.  This is one of those rare bulletins which DOES NOT require a reboot.  Most require or ‘may’ require a reboot, which really means it will more than likely require reboot.
  • MS15-027 resolves a vulnerability in NETLOGON which could lead to a spoofing attack.
  • MS15-028 resolves a vulnerability in Windows Task Scheduler that could allow Security Feature Bypass letting the attacker execute tasks they should not have permissions to access.
  • MS15-029 resolves a vulnerability in Windows Decoder which could lead to information disclosure using a specially crafted JPEG.
  • MS15-030 resolves a vulnerability in Remote Desktop Protocol which could lead to a Denial of Service attack.
  • MS15-031 resolves a vulnerability in Schannel which could allow Security Feature Bypass using the FREAK technique, which was recently disclosed.

Join our Patch Tuesday webinar on Wednesday March 11th at 10am CDT to discuss the updates, priorities, and possible known issues to watch out for this Patch Tuesday.


February Patch Day Round-Up


February did not have a lot of issues from patches released on Patch Tuesday, but there are a couple of things that occurred that you may want to know about.

First is the update that was pulled from circulation after reports of systems hanging. An update for Visual Studio 2010 Tools for Office Runtime (KB3001652) reportedly started causing issues on Patch Tuesday. It was pulled later the same day.

Second, and probably the wider impacting issue this month, was update MS15-009 breaking Cisco AnyConnect VPN clients. Microsoft has stated they will release a fix in March that should resolve the issue, but until then you have three workaround options:

1. Windows 8 compatibility mode for the app

2. Customers can uninstall the KB3023607 update from Microsoft. However, this will also remove any other security fixes provided by Microsoft as part of the update. This can be removed under:

Control Panel / Programs / Programs and Features, click “View installed updates” on the left and locate and uninstall the update labeled with KB3023607. This update is not visible when you try to locate it through the Windows Update application’s history, but it is accessible via Control Panel.

3. Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607
https://support.microsoft.com/kb/3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

You can view the On Demand February Patch Tuesday webinar or download the presentation for last month's Patch Tuesday release. Also, sign up for the March Patch Tuesday webinar to discuss the updates released on Patch Tuesday, recommendations, and things to watch out for.

Patch Tuesday February 2015

It is February and already we have seen some excitement so far this year: Microsoft dissolving the ANS (Advanced Notification Service), Google’s Project Zero team rigidly adhering to their 90-day disclosure policy (disclosing a Windows vulnerability days before the January Bulletin released, not to mention the disclosure of three high severity Apple vulnerabilities in late January), and a series of Flash Zero Days that were discovered in the wild and quickly turned around by Adobe. My take on each of these:

  • Microsoft ANS – I’m not a fan of dissolving this program. Not all companies may have used this to their full advantage, but customers of ours relied on the ANS to give them a couple of day jumpstart on prepping for their monthly maintenance. If Microsoft introduces patches to a product that has never been updated prior to the patch cycle, admins will need time to prep test machines. Now they will be condensing that time along with change control processes into a tighter window.
  • Google Project Zero disclosures – Anyone who has read my blogs or commentary before knows that I am a proponent for vendors being responsible about disclosures, but after a resolution is in place. Yes the time to resolution is important, and for vendors who are negligent I fully agree with the Google stance. By Chris Betz’s comments in a blog post just after Google’s disclosure of the Windows OS vulnerability, they had communicated to Google, prior to the 90-day date, that the update was coming just a couple of days later. What purpose did this disclosure serve other than to stir up a lively debate?
  • Flash Zero Days – I do not envy the Adobe Security Team so far this year. Browsers, browser plug-ins and media players are prime targets for hackers. They are on practically every device we use, so naturally they will become a target. I do think that the turnaround from discovery to resolution on these three instances was very fast and applaud the Adobe team for ensuring the resolutions were delivered quickly.

For February Patch Tuesday the non-Microsoft updates are going to be light this month. With three Zero Days in a row, Flash Player has had a number of updates pushed recently. Companies that have not pushed the most recent Flash Player updates should do so immediately. Since January there have been three Flash Player updates to cover a series of Zero Days discovered in the wild. The most recent update on Feb. 5 also included 17 other vulnerability fixes. The expectation is that we will not be seeing a Flash Player update this Patch Tuesday, but you definitely have updates to push if you have not done so since January.

With the series of Flash Player updates, you will also need to push the latest IE Advisory 3021953 to update the Flash Plug-in, otherwise you have not fully plugged the three Zero Days and additional vulnerabilities from the Flash releases.

Google Chrome also released prior to Patch Tuesday to accommodate the urgent Flash Player updates. The latest Chrome update resolves the Feb. 5 Flash Player plug-in update along with 11 security fixes. This should be another high priority update for you this month. Google has announced a Beta Channel Update for Chrome, which usually indicates a release is not far off. I would expect it to be a feature release since Google shipped so many security fixes on Feb. 5.

Mozilla Firefox released an update last week including 10 security vulnerabilities. Four of these are Critical. This should be among your top priorities this month to get updated.

On the Microsoft front we will see a fairly average-sized Patch Tuesday. Three Critical and six Important updates have been released. The impact this month includes the operating system, Internet Explorer, Office, SharePoint and System Center Virtual Machine Manager.

Internet Explorer is a Critical update this month. Having not pushed an update in January, it is no surprise that there are 41 vulnerabilities being resolved in this Security Rollup. Definitely a Priority 1 this month. One of these has been publicly disclosed.

There are two Critical updates for the Windows Operating System this month. The first is a Critical Kernel Mode Driver update, so test diligently lest you blow up the brains of the machine. Then we have a Critical Group Policy update that could allow remote code execution. The VMM update applies to both server and client installs. If you have the admin console installed on the VMM server, you should apply the VMM server patch first, then the administrator console patch.

There are no Critical updates for Office this month, but there are multiple Important updates including a SharePoint update. The thing about SharePoint updates is the lack of rollback. Test adequately, especially if you have a lot of SharePoint plug-ins. If you have not already done so, you should look into virtualizing your SharePoint servers. The ability to snapshot the VM prior to updating will allow you to rollback even if the patch does not support it. If you are running VMware vSphere and Shavlik Protect, you can take advantage of our snapshot feature to do a pre-deploy snapshot automatically during the patch process.

Here is a bulletin-by-bulletin summary of the updates you should be planning for this February (first three released prior to Patch Tuesday):

APSB15-04: Security updates available for Adobe Flash Player
Vendor Severity: Priority 1
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 18 (+2 more if you have not pushed APSB15-03 yet)
Impact: 1 Zero Day currently being exploited in the wild (+2 more if you did not push -03), use-after-free, memory corruption, type confusion, heap buffer overflow, buffer overflow, and null pointer vulnerabilities.

Chrome 40.0.2214.111 : Stable Channel Update
Vendor Severity: High
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 11 (Also includes support for latest Flash plug-in)
Impact: 3 Highs resolving use-after-free, cross-origin bypass, and privilege escalation

Firefox: 34 and 35 updates
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 10
Impact: 4 critical updates resolving sandbox escape, read-after-free, memory safety, and an update to the OpenH264 plug-in. Also includes uninitialized memory use, origin header, memory use, wrapper bypass and other vulnerability fixes.

MS15-009: Security Update for Internet Explorer (3034682)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 41 (1 is publicly disclosed)
Impact: Remote Code Execution, Security Feature Bypass

MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 6 (1 is publicly disclosed)
Impact: Elevation of Privilege, Security Feature Bypass

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
Vendor Severity: Critical
Shavlik Priority: Priority 1 – Should be pushed out as soon as possible
Vulnerability Count: 1
Impact: Remote code execution

MS15-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 3
Impact: Remote Code Execution

MS15-013: Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1 (publicly disclosed)
Impact: Security Feature Bypass

MS15-014: Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Security Feature Bypass

MS15-015: Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

MS15-016: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Information Disclosure

MS15-017: Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
Vendor Severity: Important
Shavlik Priority: Priority 2 – Should be pushed within 10 days
Vulnerability Count: 1
Impact: Elevation of Privilege

Join us tomorrow on our monthly Patch Tuesday webinar as we discuss the priorities and pitfalls you will want to watch out for.