Oracle releases large Critical Patch Update!


Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.

The affected products are mostly business-critical applications, including Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely without authentication. Given the business-critical and financial data that could be exposed, Oracle strongly recommends applying this update as soon as possible.

Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher, and one reaches the maximum score of 10. That 10 belongs to Oracle Primavera and is addressed by CVE-2017-3324.

For Java SE there are 17 CVEs in total, all but one of which can be exploited without authentication. Nine of the Java vulnerabilities are user-targeted, and three have a CVSS base score of 9 or higher. Although the score drops slightly when Java is not running with elevated privileges, the risk is still notable and these vulnerabilities need to be mitigated quickly.

Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.

May Patch Tuesday Round-Up


There were a lot of updates released this month, and many of the Microsoft updates overlap each other. There is even a case of one patch replacing another within the 13 patches released this month. Here are some things to know as you work through your patch process:

Several patches may apply multiple times to the same system. MS15-044 applies to multiple products, including the OS, .Net, Office, Lync, and Silverlight. MS15-047 for Microsoft Silverlight is another update that overlaps in the files being updated. MS15-048 for .Net also overlaps many of the other updates and could show as missing multiple times on the same system.

MS15-052 is replaced by MS15-055. On Windows 8 and Server 2012 you need to install MS15-052 before MS15-055. With Shavlik Protect you would just see MS15-055 in this case, as it replaces MS15-052.

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which significantly increases the risk that they will be exploited.

MS15-050 affects Windows Server 2003, but no update is offered for this OS because the changes required would need significant re-architecture. As Server 2003 reaches its End-of-Life, the number of unpatched vulnerabilities will only increase.

MS15-055 resolves vulnerabilities in Schannel, but it also includes additional security-related changes to TLS, including raising the minimum allowable DHE key length to 1024 bits.
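To make that 1024-bit floor concrete, here is an added example (it is not Shavlik's or Microsoft's code) that parses the ServerDHParams structure a TLS 1.2 server sends in its ServerKeyExchange message (RFC 5246, section 7.4.3) and applies the same policy a client patched with MS15-055 applies: refuse any DHE handshake whose prime is shorter than 1024 bits. The sample messages are constructed for illustration; the 512-bit and 1024-bit moduli are stand-in odd numbers of the right size rather than real DH groups, since the check only looks at the prime's bit length.

```python
import struct


def parse_server_dh_params(data: bytes):
    """Parse TLS 1.2 ServerDHParams (RFC 5246, section 7.4.3):
         opaque dh_p<1..2^16-1>;  opaque dh_g<1..2^16-1>;  opaque dh_Ys<1..2^16-1>;
    Each field is a 2-byte big-endian length followed by a big-endian integer.
    Returns (p, g, Ys, bytes_consumed); raises ValueError on a truncated or empty field."""
    values = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from(">H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, offset


def dhe_accepted(server_key_exchange: bytes, min_bits: int = 1024) -> bool:
    """Policy check modelled on a post-MS15-055 Schannel client: reject a DHE
    ServerKeyExchange whose prime p is shorter than min_bits. A degenerate public
    value Ys (0, 1 or p-1), which forces the shared secret to a trivial value, is
    rejected as well."""
    p, _g, ys, _ = parse_server_dh_params(server_key_exchange)
    if not 1 < ys < p - 1:
        return False
    return p.bit_length() >= min_bits


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here only to build sample messages."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out


# Constructed sample messages (assumption: stand-in odd moduli of the stated size,
# not real DH groups; the length check does not depend on primality).
WEAK_512_BIT = encode_server_dh_params((1 << 511) | 1, 2, 0x1234_5678)
OK_1024_BIT = encode_server_dh_params((1 << 1023) | 1, 2, 0x1234_5678)

if __name__ == "__main__":
    for label, msg in (("512-bit DHE", WEAK_512_BIT), ("1024-bit DHE", OK_1024_BIT)):
        p = parse_server_dh_params(msg)[0]
        verdict = "accepted" if dhe_accepted(msg) else "rejected"
        print(f"{label}: p is {p.bit_length()} bits -> {verdict}")
```

Running it shows the 512-bit handshake rejected and the 1024-bit one accepted. The same parser can be pointed at a captured ServerKeyExchange body to see why a client stopped connecting to an internal server after the update: the prime is simply too short, and the fix belongs on the server.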

January 2015 Patch Day Round-Up

January Patch Tuesday has kicked off with a bit of contention. Google disclosed two vulnerabilities just days before Microsoft released bulletins resolving the issues. MS15-001 and MS15-003 likely would have been less of a concern had Google not made the disclosure, but because of Google's strict adherence to its 90-day disclosure policy, the vulnerabilities in question are now publicly disclosed, which raises the risk of exploitation.

Other than being publicly disclosed, there are no known issues around MS15-001.

MS15-002, an update for Telnet, is rated as Critical, but most customers will not have to worry, as the Telnet service is not installed by default on Vista or later OSs. On Server 2003 the Telnet service is present but disabled by default. Unless you are running Telnet, this update may not show up as needed in your environment at all.

MS15-003 has a few issues occurring:

No known issues for MS15-004, MS15-005, MS15-006, or MS15-007 at this time.

MS15-008 has one report of an issue in an environment with a non-Windows DHCP/DNS server and Server 2003 DCs: after applying the patch to clients, they can no longer obtain a DHCP lease from the server. This seems like an unusual configuration that few are likely to encounter.

December Patch Day Round-Up

Although it was not as large as the November Patch Tuesday, December's Patch Tuesday still had some important updates to close out the year. Microsoft released seven bulletins, three of which are critical. The three critical updates affect Internet Explorer, Microsoft Office, and the VBScript engine. The Exchange update (MS14-075), which was deferred from the November Patch Tuesday, also released this month.

The Microsoft side of Patch Tuesday does not seem all that daunting a challenge aside from the Exchange update. Adobe, on the other hand, has added a number of critical updates to the December Patch Tuesday, which effectively doubles the priority 1 list for the month. Adobe pre-announced an update for Acrobat and Reader, but on Patch Tuesday it also released updates for Flash, Shockwave, and ColdFusion. Shockwave and ColdFusion were lower-priority updates, but the Flash update resolves a vulnerability that was already being exploited in the wild. We also have a couple of things for you to watch out for in today's Patch Tuesday Round-Up.

Known issues to look out for:

  • KB3004394: An update to the Windows Root Certificate Program has caused problems for some companies. When applied to Windows 7 or Server 2008 R2 systems, it has caused issues such as MMC functions requiring Administrator authentication even when logged on as an Administrator, the Windows Defender service failing to start, and the Windows Update service being unable to apply additional updates. KB3024777 has been released to fix the issue by removing KB3004394.
  • An issue occurred on Windows 10 Technical Preview where some users had to remove Office before they could apply the December update. Our recommendation is to try applying the updates first before going through the more tedious workaround of removing Office, installing the updates, then re-installing Office. Most users will not see the issue.
  • A “Cannot insert object” error can occur in an ActiveX custom Office solution after you install the MS14-082 security update.
  • Two of the November bulletins were re-released for specific affected products, so you will likely see some of those updates being reapplied this month. Our recommendation is to apply them, as the original fixes were not complete: the MS14-066 (Schannel) update on Vista and Server 2008, and the MS14-065 (IE Cumulative) update on IE 8 for Windows 7 or Server 2008 R2 and on IE 10. In the case of IE, applying the December IE Cumulative will also resolve the issues addressed by the re-release.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

Normally I would start with Microsoft, but your highest priority this month should be Adobe Flash, the Advisory for updating the IE Flash Plug-In and the Google Chrome update to update Flash.

  • APSB14-27: Security updates available for Adobe Flash Player – This update resolves six vulnerabilities, one of which (CVE-2014-9163) was discovered being exploited in the wild. The CVSSv2 base score for this vulnerability is 10.0, the highest that can be assigned, and it is network exploitable, meaning an attacker does not need local network access or local access to exploit it. Admins should ensure they update Flash this month, not only for this update but also for the other two Flash updates that have occurred since November. To fully patch Flash you must also apply the IE advisory update and the Chrome release so that the plug-in is updated for both browsers.
  • MSAF-034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer  – Updates the Flash Plug-In for IE.  Nuff said.
  • CHROME-119: Chrome 39.0.2171.95 – Ditto on the Flash Plug-In.  Update it.  In addition Google released a Chrome update just after the November Patch Tuesday that included 42 security updates, including many High priority updates.  That is two very good reasons to update Chrome ASAP.
  • MS14-080: Cumulative Security Update for Internet Explorer (3008923) – This update is rated as Critical and resolves fourteen privately reported vulnerabilities in Internet Explorer.  Many of the vulnerabilities involve memory corruption, continuing a trend we have seen for most of 2014.
  • MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) – This update resolves two privately reported vulnerabilities in Microsoft Word and Office Web Apps, which could lead to remote code execution if exploited.  The attacker would gain rights equal to the logged on user, so running as less than a full admin could reduce the impact of this type of attack if exploited.
  • MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) –  This update resolves one privately reported vulnerability in the VBScript engine.  If exploited an attacker would gain equal rights to the logged on user.  If the user is a full admin, the attacker would gain complete control of the affected system.
  • APSB14-28 : Security Updates available for Adobe Reader and Acrobat – This update resolves 20 privately reported vulnerabilities in Adobe Acrobat and Adobe Reader.  The impacts vary, but the worst of these could lead to code execution.  Adobe rated the update as a Priority 1, the highest priority Adobe assigns.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) – This update is rated as Important and resolves four privately reported vulnerabilities in Microsoft Exchange Server. Originally slated for November, it was held until the December release. Also, if you wait for the cumulative updates before updating, you may want to read up on the latest here. The Exchange 2010 RU8 ran into some issues and was pulled from circulation, then re-released. The updated RU8 package is version 14.03.0224.002 if you need to confirm you have the updated package.
  • MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Office. If you have not rolled this out yet, please check the article I referenced in the known issues above: “Cannot insert object” error in an ActiveX custom Office solution after you install the MS14-082 security update.
  • MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) – This update is rated as Important and resolves two privately reported vulnerabilities in Microsoft Excel.
  • MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) – This update resolves one privately reported vulnerability in Microsoft Graphics Component which could lead to information disclosure.

And that closes out December’s Round-Up.  Hopefully you all have your patching wrapped up before Christmas so you can relax, kick back, and enjoy the holidays.

August Patch Tuesday Advanced Notification

We have a big Patch Tuesday this month. Microsoft started by announcing 8 updates and slipped in a 9th later last week. That is just the beginning. As of this morning we have updates from Opera, Picasa, Adobe Acrobat, Reader, Flash 13 and 14, and AIR, with a likely appearance by Chrome (high likelihood) and a possible Firefox release (a beta has been out for some time and a release is likely soon). A couple of things to look out for: there is a Critical IE update, which is likely a continuation of the large memory-corruption clean-up that started with the June IE update (resolving around 60 vulnerabilities) and continued in July (about half that many). There is a SQL Server patch this month which will need some attention in testing, and there is also a .Net patch resolving a Security Feature Bypass.

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 7 bulletins are rated as Important.

Vulnerability Impact:

  • 3 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 4 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 2 bulletins address vulnerabilities that could lead to Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions
  • Microsoft SQL Server
  • .Net Framework

Join us as we review the Microsoft and third-party releases for August Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, August 12th at 11 a.m. CDT.  We will also discuss other product and patch releases since the July Patch Tuesday.

You can register for the Patch Tuesday webinar here.

July Patch Tuesday Advanced Notification


Microsoft has announced this month's Patch Tuesday release. It looks pretty clean at first glance: an IE update plus a number of OS patches, and likely nothing all that complex. The one thing to watch for is the possibility of more dependencies. For those running Windows 8.1 or Server 2012 R2, make sure you are prioritizing the rollout of Update 1. Next month is the cut-off: Microsoft extended the deadline by which Update 1 must be installed for those platforms to continue receiving patches. There are 6 total patches expected to be released on Tuesday, July 8th. Here is the breakdown for this month:

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 3 bulletins are rated as Important.
  • 1 bulletin is rated as Moderate.

Vulnerability Impact:

  • 2 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 3 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability that could lead to Denial of Service.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions

Join us as we review the Microsoft and third-party releases for July Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, July 9th at 11 a.m. CDT. We will also discuss other product and patch releases since the June Patch Tuesday.

You can register for the Patch Tuesday webinar here.