January Patch Tuesday 2017

Patch Tuesday January 2017 Infographic
January 2017 Patch Tuesday has ushered in a new year of Patch Tuesdays with a manageable number of updates.

Adobe has released update APSB17-01 for Acrobat and Reader, keeping in line with the pattern of releasing an update every two to three months. This update includes 29 vulnerabilities, most of which allow for remote code execution. You will want to make sure this update is applied in a timely manner.

As expected, there is a Flash Player update. As always, when there is a Flash Player update, you need to make sure to update all instances of Flash on systems, meaning Flash plug-ins for IE, Chrome and Firefox as well. Some of these will auto update; others may take some prodding before they will update. This is why having a solution that can scan for all four variations is critical to make sure you have plugged all the vulnerabilities in your environment.

Microsoft has released a total of four bulletins, two of which are critical and publicaly disclosed. Microsoft is resolving 15 unique vulnerabilities this month, 12 of which come from the Adobe Flash update. It’s interesting to note that there is no rollup for Windows 8.1 or Server 2012 this month.

Other than Microsoft and Adobe, there are a few other updates available if you are using Foxit Reader, Skype, etc. Although there several of the Microsoft vulnerabilities have been publicaly disclosed, none of the them have been exploited and there are no zero days.

This could be the calm before the storm. We have not seen this light of a Patch Tuesday since January of 2014. Next month you should expect some adjustments and a heavier Patch Tuesday drop as Microsoft changes methodologies.

This is the last Patch Tuesday that Microsoft will be using security bulletins. After January 10, Microsoft will no longer be publishing traditional security bulletins as individual webpages, but instead will only be publishing security update information to the new Security Update Guide. I’m sure there are many questions about what this means and how it will affect everyone so, if you have not already seen the FAQ put together by Microsoft, I have provided a link here.

As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the January Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance.

November Patch Tuesday 2016

PatchTues-Blog-Nov2016

It’s Election Day! I hope you all voted or will be hitting the polls soon, as this election round has been one for the history books. November 8 also happens to be Patch Tuesday. While this is notably of far less concern than hitting the polls today, Patch Tuesday will be delivering updates from Microsoft, Adobe and Google this month and will, unfortunately, still require your attention tomorrow and in the weeks to come.

Microsoft has released 14 bulletins, six of which are rated as critical, resolving 68 unique vulnerabilities.  Two of the vulnerabilities have been exploited in the wild (Zero Days), and three of the bulletins contain public disclosures.

First off, we will get a little closure on the Adobe Flash/Microsoft Zero Day that was identified in October and to which Flash released an update on October 26 which resolved CVE-2016-7855. Microsoft has resolved CVE-2016-7255 as part of MS16-135.

Adobe has released another Flash Player update (which is rated as a priority one and resolves nine CVEs. If you haven’t already pushed the Flash update from October 26, ( ) this will be a high priority along with MS16-135.

Microsoft has a second Zero Day vulnerability this month (CVE-2016-7256). MS16-132 resolves an open type font vulnerability that can allow an attacker to remotely execute code. An attacker can target a user to exploit this vulnerability by crafting a document designed to exploit the vulnerability or by hosting a specially crafted website designed to exploit the vulnerability. The attacker would need to convince a user to click on or open the specially crafted content, but that’s really not a significant challenge. This bulletin should also be a high priority this month.

There are a number of public disclosures this month across several bulletins, which means enough information has been leaked to the public to give an attacker a head start on developing exploit code.  This increases the risk of exploit occurring for these vulnerabilities so we raise the risk level and priority of bulletins that contain public disclosures. See our Patch Tuesday infographics for more detail.

  • MS16-129 for the Edge browser resolves CVE-2016-7199 and CVE-2016-7209
  • MS16-135 for Windows resolves CVE-2016-7255 (which has already been exploited)
  • MS16-142 for Internet Explorer resolves CVE-2016-7199

Google Chrome went to beta last Wednesday. That along with another Flash Player update means we should expect a Chrome update in the foreseeable future. There is a chance it will come tonight, but it’s more likely to come in the next week. As always you will want to be sure that you have updated Chrome to support the latest Flash Player Plug-In.

If you have not already done so, you will want to make sure to include the Oracle updates from their Q4 CPU that released in October. This included a Critical Java JRE update as well as many other Oracle products.

November also marks the second month of the new servicing model. Here is what you should expect for actual packages to be deployed this month.

The Security Only Bundle (SB16-002) will include the following bulletins: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.

The monthly rollup (CR16-002) will include the following bulletins in addition to quality fixes and previous months’ updates: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.

As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the November Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday

 

CyberSecurity Awareness Month: CyberSecurity Tips for Road Warriors

GettyImages-537708180

Security Tips for Road Warriors

A couple months ago one of our product evangelists reached out to me and asked how to better protect himself and his personal information in his travels.  As he settled into a hotel and a day later saw it in a headline as one of the latest exposed to credit card theft he felt a bit exposed.  I would have loved to tell him some magical tips that would 100% safeguard him from that day forward, but in short, you cannot prevent it.  There is no way to know who the next breach target it or when the breach could have been occurring.  The only guarantee you have is that another breach will occur and odds you will have used your card there at some point.  You can, however, reduce the impact when any of your information does get nabbed.  Now, you can go to extremes.  Cancel all credit cards, just use cash, close all of your social media and online accounts of all kinds, but nobody wants to live that way either.  The key is balancing the risks.  I talked to many road warriors within our own company and we have some tips and tricks that can help you out.  Our road warriors range from my light 16-20 weeks or so of travel per year to Simon, Doug and Rob who spend more than 50% of their year on the road and take us to all parts of the globe.  Here are some of the tricks we use to safeguard ourselves and to mitigate the impact if our information becomes exposed.

Phil Richards, Chief Security Officer:

I recommend reporting your credit card as stolen/lost/missing to the credit card issuing company at least annually.  This allows you to receive a new credit card number, and invalidates the old one. Many hotel chains and retailers that have had credit card info breaches. For the road warrior, it is highly likely that your card is among them.  By changing the CC number, the stolen information is useless and cannot harm you.

Rob Juncker, VP of Engineering:  

I never go anywhere without my HooToo.  It’s a wall charger with 2 USB ports, an Ethernet port, a fully portable charger (so it’s like a power brick) and embedded router.  The best part about this device is it has full router capabilities.  I have it setup so my computer always connects to it, and then I bridge the hotel Wifi to my personally secure wifi, or use the Ethernet port to plug into the hotel jack.  – I have it set by default to disable all inbound and just allow outbound.

Doug Knight, VP of Systems Management:

For the record, I told Rob about the HooToo, but since he beat me to it here is a tip for additional layers of security and anonymity if your travels take you to countries where you need some extra protection and ability to bypass some levels of content filtering. I subscribe to a VPN service called Private Internet Access.  I setup a L2TP and then run their default client on top of that.  The IPSEC client gives me encryption and some anonymizing and the L2 VPN even allows me to get thru (pretty reliably) the “Great Firewall of China” to reach content that may otherwise be blocked. For the server setting in the L2TP VPN, it’s best to enter the IP address for the server locale you wish to access instead of the DNS name. To obtain an IP address for this purpose, you can ping it or you can go to http://www.ping.eu/ping and enter the server name to be able to get IPs for the server you would like. Do this before you leave the country.

Simon Townsend, Chief Technologist:

I don’t just evangelize about the great security solutions we have at AppSense.  I use them regularly.  I run as a standard user on my Windows machine and have a local admin account that is used only for installation and initial setup.  I run AppSense Application Manager on my system and by default cannot install or run anything that I download under the context of my own LANDESK account.  If I need to install something locally I use RunAs or AppSense self-elevation to give myself temporary permission to perform those actions.  If I need to do something that is only going to be temporary I will bring up a VM snapshot that is NAT’d.  This provides a Deep Freeze style solution that I can revert easily and separates the task I am performing from local data as it would not be exposed to the VM.

Chris Goettl, Senior Product Manager:

You never know what is observing traffic on public wifi or if the connection you are on has been compromised.  Early in my career I connected to a hotel wifi and their router had been compromised.  My Gmail session was hijacked by a man in the middle attack and within a few hours suspicious email began flooding forth from my account.  Needless to say I changed my password, enabled two factor authentication (also highly recommended) and became infinitely more paranoid during my travels.  Now wherever I go, after connecting to the hotel wifi I immediately connect to the corporate VPN before connecting to email or opening my browser.  The VPN tunnel provides an additional layer of encrypted protection from prying eyes.  I have also just ordered a HooToo and will be adding that to my travel defenses.

 

Do you know your Patch Management Posture?

How well do you know the security posture of your environment?  Do you know how effective your Patch Management process is? Can you provide stakeholders with a quick look at the state of your network and show how protected you are in real time?

In today’s world with so many devices connected to a network and with the BYOD option becoming more and more of a norm, it is now more important than ever to have visibility into security risks for an organization.

Visibility into your security posture is the key to providing the knowledge necessary to take action on security measures that you can control. So how do you get visibility into your current security posture and what are valuable insights?

What are valuable insights?

  • When were devices last patched?
  • What are the outstanding patches missing from a device?
  • How many and what are the severity levels of the patches needed?
  • What devices are non-compliant and of those, which ones are the most security risk to the organization?
  • How quickly are patches deployed to devices after each patch is released?

How do you get the visibility into your security posture that is meaningful to you? Xtraction

Xtraction allows an organization:

  • To decide what is meaning information
  • To provide access to that information anywhere from a browser at anytime
  • To report real-time results based on the current state of the production database

Xtraction for Shavlik Protect provides a number of default dashboards as part of the Report Bundle offering.

These dashboards have been designed to give visibility into the security posture of an organization and to provide the insight needed to aid in prioritizing meaningful action.

Since the release of Xtraction for Shavlik Protect Reporting Bundle, 2 additional dashboards have been created and are available on the Xtraction for Shavlik Protect landing page of the community website.

Visibility into Security Posture

April Patch Tuesday Round-Up – Oracle Quarterly CPU Commentary

java_logo

Patch Tuesday continued!  Today Oracle released their quarterly Critical Patch Update.  This is the day that Oracle product updates all come together.  Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, and several other products.  Oh, and Java, we don’t want to forget Java.

Across all updates it looks like 121 CVE’s were resolved in total, the oldest of which dates back to 2011 (CVE-2011-4461).  Seven of these vulnerabilities rate a 10.0 CVSS, which is the highest base score rating on the CVSSv2 scale.

There are a few indicators that can help you prioritize what updates you should worry about first. Exploit code examples being available in Metasploit is an easy one.  If it is in Metasploit, it is also in the threat actor’s hands.  Beyond that things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.  If you look at Verizon’s 2015 Data Breach Investigation Report, the CVSS data provides a profile for vulnerabilities more likely to be exploited.  If you have not already read this year’s report, check out the vulnerabilities section.  I did a write-up on the Java Out-of-Band release that came out on March 24th.  The Verizon report shows a progression of all vulnerabilities, vulnerabilities exploited, and vulnerabilities exploited under one month from publication.  Using the pattern for those exploited in less than a month 7 out of 7 of the CVSS 10.0 vulnerabilities fit the pattern.

Based on that, I would recommend the following priorities be added to your April Patch Tuesday activities.  Java SE (4 of 7), MySQL (2 of 7), Sun Systems Products Suite (1 of 7) should be updated in this update cycle.  I know many of you are already a week in, but these are the ones that stand a higher chance of being exploited before your next monthly patch cycle.

Happy Patching Everyone!

April Patch Tuesday 2016

April_PATCH12f

April’s Patch Tuesday is looking and sounding like a spring weather forecast.  The forecast is calling for rain, but it turned out to be partly cloudy.  There has been some mixed feelings about a newly announced vulnerability, or vulnerabilities as it were, in Samba.

Badlock is a vulnerability recently identified in Windows and Samba. There are eight CVEs related to Badlock, categorized as man-in-the-middle and denial-of-service attacks. The primary CVE is CVE-2016-2118. This is a multi-vendor problem, so two CVEs were opened to track for each vendor.

CVE-2016-2118 is the vulnerability for Samba and CVE-2016-0128 is for Microsoft, and is related to MS16-047. CVE-2016-2110 describes a vulnerability in negotiation of NTLMSSP, which allows for a downgrade attack. Luckily, Windows 2003 and Vista have introduced ways to protect against this type of downgrade attack. The rest of the vulnerabilities are specific to Samba, versions 3.0.0 to 4.4.0.

Microsoft has released a total of 13 bulletins this Patch Tuesday, six of which are critical. Piecing the Badlock CVEs together, it seems the only MS Bulletin related to Badlock is MS16-047. This is an important update for SAM and LSAD Remote Protocols. Based on feedback from Badlock.org, PoC code will be introduced in the near future, so count this one as a public disclosure and treat it as a higher priority this month.

Aside from Badlock, there are three more public disclosures and three exploited in wild (Zero Days) this month. One of the three Zero Days is the Flash for IE Patch, which resolves 24 vulnerabilities, including CVE-2015-1019 Zero Day in Adobe Flash and AIR.

MS16-037 is the Internet Explorer Cumulative.  This bulletin is rated critical and resolves six CVEs, one of which is publicly disclosed (CVE-2016-0160). It’s important to note, many of the vulnerabilities can be mitigated by proper privilege management and use of the Enhanced Mitigation Experience Toolkit (EMET).

MS16-038 is an update for the Edge browser. This bulletin is also rated as critical and resolves six vulnerabilities. Similarly, most of the vulnerabilities are user-targeted and can be alleviated by proper privilege management.

MS16-039 is an update for Microsoft Graphics Component.  It is rated as critical and resolves four vulnerabilities, two of which have been detected in exploits in the wild.  The two Zero Days are CVE-2016-0165 and CVE-2016-0167, and should be considered a high priority for you this month. Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.

MS16-041 is an update for Microsoft .Net Framework. The bulletin is rated as important, but includes a public disclosure (CVE-2016-0148).  To exploit this vulnerability, the attacker would need to gain access to the local system, with the ability to execute a malicious application. Although it’s rated as important, the fact that is has a public disclosure puts this bulletin at higher risk of exploit.

MS16-046 is an update for Secondary Logon. This update is also rated as important and includes a publicly disclosed vulnerability (CVE-2016-0135). The attacker must first log on to the system, but after doing so, could run a specially crafted application that could exploit the vulnerability and take control of the system. Again, even though this vulnerability is rated as important, because it has a public disclosure, it’s at higher risk of exploit.

Adobe recently dropped a Flash update on April 7, 2016, and today, they updated their blog to say it also applies to Adobe AIR. This update included 24 CVEs, but most importantly, CVE-2016-1019, which is being actively exploited. With this vulnerability, an attacker could cause a crash on vulnerable systems, allowing the attacker to take full control of the affected system. This is a high priority update and should be pushed out to all systems without delay.

For Flash updates, keep in mind you need to update the plug-in for all of your browsers that have Flash installed. Today, Microsoft released the critical update for Flash Player for IE, and Google Chrome’s update also supports the latest plug-in. So if you are like me and run IE, Chrome, and Firefox, you may need to apply four separate updates to fully patch these Flash vulnerabilities.

Oracle is releasing their quarterly CPU next week on April 19th. Java will have an update and it will be critical, so be prepared for that. The January CPU included fixes for eight CVEs, seven of which were remotely exploitable without credentials and three that had CVSS scores of 10.0. Although it may sound like a lot, this was actually a smaller update, compared to 2015’s four. Last year, April 2015 was the smallest release with only 14 CVEs addressed, all of which were remotely exploitable without credentials and three that were CVSS 10.0.

Mozilla released Firefox 45.0.2 today, but reported no security fixes. This is great news and means we get a free pass on this one today! In case you’re counting, the last security Firefox update was Firefox 45, released on March 8, 2016.

I am going to end my Patch Tuesday blog  post with my new favorite quote from the closing statements of the Verizon 2015 Data Breach Investigations Report, specifically the section on Vulnerabilities: “The lesson here isn’t ‘Which of these should I patch?’ Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest.”

Join us tomorrow for the April Patch Tuesday webinar where we will discuss the bulletins in more detail.

March Patch Tuesday 2016

MarchPatchTuesday2016Sum

March Patch Tuesday has a great deal of updates, but no public disclosures or exploited vulnerabilities as of yet. Let’s start with what we know for sure: Microsoft has released 13 bulletins, five of which are critical and eight are rated as important. With these bulletins, Microsoft is resolving 39 total vulnerabilities this month. On the non-Microsoft front, Adobe is releasing two bulletins, rated as Priority 2 and 3, that resolve four vulnerabilities. Additionally, Mozilla FireFox 45 has been released and is rated critical, as it resolves 22 vulnerabilities.

First, taking a closer look at Microsoft, we have critical updates for Internet Explorer (MS16-023) and Edge (MS16-024), as expected. These updates resolve 13 and 11 vulnerabilities, respectively. Microsoft’s claim that Edge is more secure appears to be valid, although this month’s activity does not make that big of a difference. So far in 2016, IE has had 27 vulnerabilities, as compared to Edge’s 19. As you would expect, the vulnerabilities resolved in both browsers involve exploiting a user through specially crafted web content. In this situation, an attacker who convinces a user to click on specific content can gain the same user rights as the actual user. If that user is a full admin, the attacker would gain complete control of the system, allowing them to create accounts, install, remove apps and delete data, among other things.

10 of the Microsoft updates affect Windows, including the other three critical updates from Microsoft. MS16-026 resolves vulnerabilities in graphic fonts, while MS16-027 resolves vulnerabilities in Windows Media and MS16-028 resolves vulnerabilities in Windows PDF Library. In all three cases, the attacker would exploit vulnerabilities by convincing a user to open specifically concocted files and media content. As a result, the attacker would gain equal privileges as the current user; so least-privilege rules will reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 mitigates one of the vulnerabilities further by reducing the attacks privileges because they can only execute out of the sandbox.

Microsoft Office and Sharepoint are both affected by MS16-029, which is rated as important and resolves three vulnerabilities. For all of you ops guys out there, I know there is some uneasiness around patching Sharepoint because the updates cannot be rolled back easily if something goes wrong. If you are on a virtual machine, you can take a snapshot prior to the update. That way, if anything goes wrong, you can quickly revert back. If you are not yet virtualized, consider making the switch – doing so will make life a lot easier.

There are six more important updates affecting Windows components, including Kernel-Mode Drivers, USB Mass Storage Class Driver, Secondary Logon, and OLE. Last on the list is an update for .Net Framework. .Net is always interesting because you can have various versions on a machine. As a result, it can also take a bit longer to install updates for .Net. So, if your servers take a while to install updates, know that it’s due to multiple .Net versions requiring updates.

Now, switching to the non-Microsoft updates:

Mozilla has released FireFox 45, which resolves 22 total vulnerabilities, eight of which are critical. The vulnerabilities range from buffer overflows to font vulnerabilities, with the sheer number of updates making this update a priority for this month.

Adobe has released two bulletins so far. The first is APSB16-006, a Priority 3 update for Digital Editions that resolves a critical vulnerability. Although there is only one, it is critical and could lead to code execution; which makes me wonder about the priority. The second Adobe bulletin is for Adobe Acrobat and Reader. APSB16-009 resolves three vulnerabilities, including yet another critical that could lead to code execution. This bulletin is rated as a Priority 2.

While we haven’t seen it yet, there is evidence a Flash update could be on its way. If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it. This could signal the change in distribution that Adobe has warned us about for a few months now. Either way, if Flash Player drops, expect a bulletin from Microsoft for Flash for Internet Explorer, as well as an update from Google Chrome to support the latest plug-in and updates for Flash Player at the OS and FireFox plug-in levels.

Join us tomorrow for the March Patch Tuesday webinar where we will discuss the bulletins in more detail.

Why you should #fearthetoaster!

Back to work after a long holiday weekend! I thought I would start the week off with a recap of LANDESK Interchange 2015. The show was great! The very first keynote showed off some of the new workspaces which bring together LANDESK Systems Management and Service Desk features for the user that will make life easier. The ability to use your phone to take an image of on-screen errors and have a solution presented to you, without having to contact IT directly, was pretty cool. The new security workspace was also very interesting to see, but the highlight of the keynotes for me was on day two and three.

The keynote on day two focused on Security. Rob Juncker, Tom Davis, and Steve Morton talked about how more devices are being connected to the internet every day. The Internet of Things is bringing us more innovative life experiences than ever, but with this more connected world we have larger concerns. Self driving cars, internet connected toasters, voice activated TVs (which vendor admit are spying on you), and much more are getting connected every day. Rob then scared everyone by talking about that internet connected toaster and how it may be used as an attack to potentially burn down a house. Scary realization.

The final day of the event, we had a guest keynote speaker, Marc Goodman, author of Future Crimes. Marc hit on all the topics from they keynote the day before and really opened some eyes. Marc talked about the exponential growth of technology and the proliferation of internet connected devices. And while really cool things may come of these trends, ultimately, it is leading us to a world where crime knows no borders, no boundaries, and becomes less and less personal. A good example of this is the hacking ring which reportedly has stolen up to $1 billion from banks globally. These are not street thugs walking into banks with masks on, but cybercriminals with the skills to target more than 100 banks in 30 countries.

Marc talked about the risks the future brings if we are not diligent about security. Risks like exploiting vulnerabilities in a car and he even went as far as to share this photo in reference to the previous day’s keynote conversations around toasters #fearthetoaster.

killertoaster

 

While no toaster exploits have occurred yet, the message was clear. In a future where more of our world will be connected, more of that world will be exposed to risks. Marc’s message was about awareness. We can do great things if we work together. If companies do their part in securing the customer and personal data they collect, and if the new innovators creating the next connected device do so with security in mind, we can mitigate these risks.

Check out Marc’s Update Protocol on his website and his book Future Crimes.  There are some tips here that will help you protect yourself and your company.

May Patch Tuesday 2015

SecurityImage

Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and the following Microsoft products affect Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType Font. An attacker could craft documents or web content that contain embedded TrueType Fonts, which could allow remote code execution. This update should also be in your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities, which, if exploited, could allow remote code execution. An attacker could craft a special Journal file, which could allow them to gain equal rights to the logged-on user. This update should also be in your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved and these are rated as Priority 1 updates. The vulnerabilities range from buffer overflows, which could lead to code execution, to null-pointer dereference, which could lead to DoS. Fourteen of these vulnerabilities are able to bypass restrictions on Javascript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash. An out-of-bounds read\write during JS validation, which could result in allow for information disclosure, as well as memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolve, it is a good idea to keep Firefox in your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday.  Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this months Patch Tuesday lineup.

Different vendor perspectives on security and vulnerabilities. Which is right? You decide.

ShavlikSecurity

We rely on a lot of software in this highly connected world. We have things such as The Internet of Things, BYOD, Shadow IT. All of these trendy phrases mean we have a lot more riding on the software vendors that provide our connected world, but what are their views on security? By taking a look at some recent press you can start to paint a picture on some of the different perspectives that vendors have on security.

First, let’s take a look at Microsoft. Microsoft has a large following around Patch Tuesday and there is a lot of press and awareness about their security updates. They provide strong recommendations that updates should be applied on a regular basis. Microsoft also has a series of advisories they put out regarding issues that exist when no update has yet to be released. This proactive approach, and open disclosure about the risks to their customers, has been applauded by many, but also brings Microsoft under the gun when things go sour. This year, there have been a few patches that were either pulled or postponed due to quality issues.

For example, a recent Secure Channel (Schannel) update resolved a critical issue that experts say would be an enticing target for hackers. The update, however, has some known issues and has caused problems when applied to some systems. Despite these problems, Microsoft urged the update be applied as soon as possible. This article discusses the update and the impact of the known issues. What is the key take-away from this? That Microsoft prefers full disclosure when it comes to security issues.

Apple, on the other hand, has typically had a very closed-mouth take on security. Updates are typically released without much fanfare. When asked directly about security-related issues, they tend to deny an issue, or play it down, until a fix is available. They tend to lean more towards security by obscurity, or play down issues to be less than they are. While saying less, and preventing as many facts from being released as possible, may prevent some hackers from finding leads to where and what they can exploit, it has brought some scrutiny on Apple.

In this article, Apple addresses the ‘Masque Attack’ and plays it down, saying customers are safe. While Apple’s statement about the risk of exploit coming from third party sources may be true, the majority of exploits on any platform have some form of social engineering involved. The user is the weakest link in many exploits that occur. The Team at FireEye definitely stress a lot more concern than Apple regarding this form of exploit.

A third perspective is the vendor who is providing an application that is used by millions and is quite popular. Many other vendors fall into this category as well. The social media apps that are such an addiction for today’s culture often overlook security. The promises made by these vendors are taken at face value, but are they being met?

Snapchat recently had some issues that were in the news. ‘The Snappening’ was an attack dubbed by 4chan users, which ended up with over 100,000 pictures being captured and shared across the web. This included many questionable photos of a lot of minors. Snapchat has been criticized for misleading users about personal information privacy. The way Snapchat is designed has allowed third party developers to enhance the Snapchat experience, but the design also allowed account information and photos to be stolen. Snapchat’s response? Ban any accounts that utilize a third party app.

So what is the hypothetical result? An account is created by a hacker, the hacker gets x amount of hours exploiting the weaknesses in the Snapchat API, gets some amount of data (accountpersonal info, pictures), then is banned. The hacker then starts the process over again. They create software to replicate the process of creating an account and going through the process over and over. How well do we think this will play out? Kids, nothing ever really goes away. Conduct yourself in all things on the Internet as if you were standing in front of a crowd. You never know where it may end up.

So we have three perspectives on software security. You can argue the benefits and deficits to each (and there are continuing arguments). Which do you feel is right? Which do you feel is effective? Let us know.