December Patch Tuesday 2016

December Patch Tuesday brings a flurry of exploits and public disclosures. Coming into Patch Tuesday, we already had one zero day from Mozilla (CVE-2016-9079), which was patched on November 30. Today, Adobe released nine bulletins, including a critical update for Adobe Flash that resolves a zero day (CVE-2016-7892). Microsoft is updating Flash for IE and is also resolving five publicly disclosed vulnerabilities.

Starting with Firefox, Mozilla announced an update on November 30 that resolved a zero day in SVG Animation. The flaw was identified in attacks aimed at unmasking users of the Tor anonymity network. In an article from ZDNet, researchers speculated that this exploit was very similar to one known to have been used by the FBI back in 2013 to unmask the IP addresses of Tor users.

Today Mozilla is releasing version 50.1, which includes the zero day fix from 50.0.2, released a couple of weeks ago. If you have not already done so, ensure that Firefox is on your priority list this month.

Adobe has released nine bulletins today, but only one is rated as critical. I am sure most of you have guessed that it is for Flash Player and that it includes a zero day. APSB16-39 resolves 17 vulnerabilities in total, including the exploited CVE-2016-7892, which has been used in limited targeted attacks against Windows systems running Internet Explorer (32-bit).

According to an article from Threat Post, analysts from the Google Threat Analysis Group discovered the vulnerability and privately disclosed details to Adobe. Adobe did not have details about the specific attack, and the Google researchers have not disclosed any more detail publicly at this time.

As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on your systems. This means the Flash plug-ins for IE, Chrome and Firefox. Some of these will auto-update; others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to making sure you have plugged all the Flash vulnerabilities in your environment.

On to Microsoft. Microsoft has released a total of 12 bulletins, six of which are critical. Microsoft is resolving 42 unique vulnerabilities this month.

Aside from Flash for IE, Microsoft does not have any additional zero days to report, but it does have several public disclosures. A public disclosure means that enough detail has been released to the public to give a threat actor a jump start in developing an exploit. This puts those vulnerabilities at higher risk of exploitation.

MS16-144 is a critical update for Internet Explorer that resolves eight vulnerabilities, three of which are publicly disclosed (CVE-2016-7282, CVE-2016-7281, CVE-2016-7202). Many of the vulnerabilities resolved in this update target a user through specially crafted websites or ActiveX controls, including by way of user-provided content, advertisements, or compromised websites.

MS16-145 is a critical update for the Edge browser that resolves 11 vulnerabilities, three of which are publicly disclosed (CVE-2016-7206, CVE-2016-7282, CVE-2016-7281). As with the IE vulnerabilities, many of the vulnerabilities resolved in this update target a user through specially crafted websites or ActiveX controls, including by way of user-provided content, advertisements, or compromised websites.

MS16-146 and MS16-147 are both rated as critical and affect components of the Windows operating system. Both resolve user-targeted vulnerabilities whose impact can be reduced by running with less than full administrator rights on the system.

MS16-148 is a critical update for Office, SharePoint and Web Apps that resolves 16 vulnerabilities. Many of the vulnerabilities resolved in this update target a user through specially crafted files. An attacker can also host specially crafted web content to exploit many of them. CVE-2016-7298 can additionally be exploited through the Preview Pane.

MS16-155 is an important update for the .NET Framework that resolves one vulnerability. Although only rated as important, this bulletin resolves a vulnerability that has been publicly disclosed (CVE-2016-7270), putting it at higher risk of being exploited.

There are additional bulletins from Adobe and Microsoft this month, but these are the bulletins that should be on your priority list for December.

As always, we will be running our monthly Patch Tuesday webinar, where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the December Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday

December Patch Tuesday Forecast

December is here and it finally snowed in Minnesota! In fact, we may get four to eight inches this weekend. So my Patch Tuesday Forecast, like winter up here in MN, was a little delayed, but better late than never! Get out your snow shovels and let’s dig in. There is already a little accumulation, with a zero day hitting in late November. If you haven’t already done so, update your Mozilla Firefox browser!

On the Horizon

In the last week of November, it became clear to many security researchers that there was a flaw in Mozilla’s browsers and in the Tor Browser, which is based on Firefox. CVE-2016-9079 is a critical use-after-free vulnerability affecting the SVG Animation component in Firefox. Researchers such as those at Malwarebytes have evaluated the vulnerability and explained that its goal “is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is run directly from memory.”

Although the observed exploits were only targeting Windows, the vulnerability exists on Linux and Mac platforms as well. The exploit code also seems very similar to another Tor exploit used by the FBI as an investigative technique to track down child pornography suspects. It is not currently known where this code originated, but it is a good example of a user-targeted vulnerability.

The Mozilla update became available on November 30 for Firefox, Firefox ESR and Thunderbird. Even if you are already caught up, make sure you include Mozilla in your updates this month.

Security Tip of the Month

December is also getting well into the cold and flu season, so this month’s security tip will follow the theme of security hygiene. I just returned from the Gartner Data Center Conference in Las Vegas, where I attended a session by Neil MacDonald on security for cloud workloads. One of the things Neil mentioned was starting with a solid foundation, which he referred to as operations hygiene. I’m going to expand that into a broader security hygiene message.

To stay well in the cold and flu season, you need to ensure you are getting rest and washing your hands, especially after coming into contact with someone who is sick or with areas frequented by many people. You need to keep up your vitamin C and your fluids in general. Security needs the same care.

  • Wash your hands – Make sure you have sanitized incoming email with junk mail and phishing filters.
  • Use some sanitizer after coming into contact with highly public areas – Your users who travel in and out of the company will come into contact with public Wi-Fi. Users will browse the internet, open email with attachments and, in general, be exposed to potential attack vectors daily. Make sure their machines are getting sanitized with good signature, non-signature and behavioral threat assessments. Signature-based threat assessment alone is not enough anymore.
  • Get your daily dose of vitamin C – Preventive security measures can defend against 80 percent of the threats in today’s market. Make sure you give your systems their shot of vitamin C in the form of patching the OS and software, use of least privilege rules and proper application control.

Your Patch Tuesday Forecast

Based on the trends we have seen this year, I think it’s safe to say the following:

From Microsoft, we are expecting around two to four installable packages:

  • OS and IE will definitely have multiple updates, but they will come in a single installable package under the new servicing model. Vista would be the only exception to this change as it still receives individual bulletin updates.
  • Office has been very consistent this year, with updates pretty much every month. The question is whether this will be a single update or separate ones for Office, SharePoint and Web Apps. I would say one for Office and a 50 percent chance of SharePoint/Web Apps.
  • .NET is also likely this month. .NET updates hit five of the six Patch Tuesdays in the first half of the year, and have come about every other month in the latter half.
  • You can also expect an IE update for Flash Player.

From Adobe, you can expect one to three updates:

  • Adobe typically tries to release Flash Player on Patch Tuesday and has done so pretty consistently all year, so expect that update.
  • Adobe Reader and Acrobat both released an update back in October and have had an update every two to three months fairly consistently this year. Those two are a possibility this month.

From Mozilla, you can expect one update this month:

  • Mozilla’s update calendar is reflecting an update for Tuesday.

Total update accumulation: four to eight updates for Patch Tuesday next week.

As always, catch our Patch Tuesday blog and commentary next Tuesday, and sign up for our Patch Tuesday webinar next Wednesday, December 14th, as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

Microsoft releases fix for MS15-098 issues on Windows 8 and Server 2012, but it is no piece of cake

Yesterday Microsoft released KB3096053 as a separate patch. On Patch Tuesday, MS15-098 was released to resolve security vulnerabilities in Windows Journal. The initial patch failed to install correctly on Windows 8 and Server 2012. In response, Microsoft has released a non-security update that must be run before MS15-098 can be installed on the affected operating systems. The fix seems to come with its own pains:

MS14-045 re-released today and everyone wants to know if they need to uninstall the previous version

Microsoft re-released MS14-045, which was causing blue screens for some customers. Our content team released an out-of-band content update to add the new version of MS14-045, which shipped as a new KB (2993651). The Microsoft bulletin answers many common questions in its Update FAQ, but the one question most people are asking me is whether they have to uninstall the previous version if it is not blue screening their systems. Microsoft states in the FAQ that the new patch will install over the top of the previous version, but they recommend uninstalling the original even if you are not having issues.

For that reason, Shavlik Protect will still show the original KB if you have already installed it. The new version replaces the previous one, so if you have not installed the original you would not see it by default. We kept the original in the product but marked it as non-deployable so that customers who had not already installed it would not do so accidentally. This also removed the ability to uninstall it if you had already deployed the original update. Our support team has created a set of custom actions to remove the original patch. You can view that KB here.
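To answer the "do I have to uninstall it" question for a single host, the following PowerShell check is an added example (not Shavlik's code or the custom actions mentioned above). It assumes the KB numbers named on this page: the original MS14-045 packages KB2976897 and KB2982791, and the re-released KB2993651.

```powershell
# Added example: report the MS14-045 state of the local Windows 7 host and the
# action Microsoft's FAQ (as summarised in the post) implies for that state.
# KB numbers are assumed from the page; adjust if your bulletin metadata differs.
$OriginalKbs   = @('KB2976897', 'KB2982791')
$ReplacementKb = 'KB2993651'

function Get-Ms14045State {
    param(
        [string[]] $Original    = $OriginalKbs,
        [string]   $Replacement = $ReplacementKb
    )
    # Get-HotFix -Id writes an error when a KB is absent, so pull the full
    # list once and test membership ourselves.
    $installed   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $origPresent = @($Original | Where-Object { $installed -contains $_ })
    $newPresent  = $installed -contains $Replacement

    if ($newPresent -and $origPresent.Count -gt 0) {
        # Re-release installed over the original; Microsoft still recommends
        # removing the original even when no blue screens have been seen.
        $cmds = $origPresent | ForEach-Object {
            "wusa.exe /uninstall /kb:$($_ -replace '^KB','') /quiet /norestart"
        }
        $action = 'Remove original MS14-045: ' + ($cmds -join '; ')
    } elseif ($origPresent.Count -gt 0) {
        $action = 'Original MS14-045 present; uninstall it, then deploy KB2993651.'
    } elseif ($newPresent) {
        $action = 'Re-released MS14-045 (KB2993651) installed; no action needed.'
    } else {
        $action = 'MS14-045 not installed; deploy KB2993651 only.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OriginalInstalled    = ($origPresent -join ', ')
        ReplacementInstalled = $newPresent
        RecommendedAction    = $action
    }
}

Get-Ms14045State | Format-List
```

Run it elevated; the wusa.exe lines are printed, not executed, so you can review them before removing anything.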

Blue Screen (Stop 0x50) after applying update KB2982791 to Windows 7

Reports have started popping up of a Blue Screen of Death (BSOD) after applying MS14-045 to Windows 7 systems. If you are seeing issues, please go to this Microsoft forum post and let them know. Microsoft MVP Susan Bradley and others have opened a support case with Microsoft and are asking anyone else who sees these issues to report them, so that all available information is collected in one place and Microsoft can find and resolve the issue quickly.

All is not doom and gloom, however. Many members of PatchManagement.org (a mailing list focused on patch management issues) have reported successful deployment of these updates. The Shavlik Content Team did not encounter the BSOD during our Patch Tuesday testing, and LANDESK and Shavlik employees have not reported issues either. I personally deployed 11 updates, including MS14-045 (KB2976897 and KB2982791), to my own Windows 7 x64 system on Wednesday morning without issue. So, while this is not an epidemic affecting all deployments of the Kernel-Mode Driver patch, it should prompt admins to take a little extra time to test if possible.