August Patch Tuesday Round-Up

Patch Tuesday + 8 days. Another big month from Microsoft, and it has continued past Patch Tuesday, including a Zero Day IE update (MS15-093). Recapping the risks we have seen this month, there are now three exploited vulnerabilities from Microsoft for August. Two vulnerabilities have been publicly disclosed, which increases the risk of exploit. Altogether, this is a busy month once again.

Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday update and two additional cumulative updates since Patch Tuesday (KB3081436, KB3081438, which was the fix for the reboot loop, and KB3081444).

Here is the August summary:


For full playback of the August Patch Tuesday Webinar, or to sign up for future Patch Tuesday Webinars, check out our Webinars page.

July Patch Tuesday Round-Up

Patch Tuesday + 8. It was a large one this month. Initially there were four Critical updates from Microsoft, but a fifth Critical was released on July 20th as an out-of-band update. MS15-078 was discovered in the 400 GB of data from the Hacking Team breach. The fact that the data was part of the breach means that CVE-2015-2426 has been publicly disclosed. There are 8 public disclosures and, depending on how you score them, there are now 7 Zero Days in the lineup of updates this month. Java is plugging one, Flash is plugging two, and Microsoft now has four (three already exploited and the fourth resolved by MS15-078). See the summary of updates below for details.

This month there is one issue I know of that people will want to watch out for. The IE update, MS15-065, is actually a series of 2-3 patches depending on your system. The first needs to be applied before the other two can be.


For full playback of the July Patch Tuesday Webinar, or to sign up for future Patch Tuesday Webinars, check out our Webinars page.

Good news regarding the IE Zero Day: MS14-021 has been released and includes support for Windows XP

Microsoft has announced Security Bulletin MS14-021 on TechNet to resolve the IE Zero Day identified on April 26th. The Shavlik Content team is investigating and will be releasing support for this bulletin as soon as possible. A restart will be required to apply the patch. Also, if you have applied any of the mitigation steps, you will need to take a look at the ‘Workarounds’ section of the bulletin to see if the steps you chose will need to be reverted.

For those of you on Windows XP, the bulletin identifies variations on IE 6, 7, and 8, and according to the MSRC post today, Microsoft has decided to support this bulletin on Windows XP. According to Dustin Childs’ post, Microsoft “…made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system…”.

Watch for the Shavlik Content Announcement later today once we have tested and made it available to our customers.

 

 

New IE Zero Day being exploited in the wild, what does it mean for Windows XP?


I don’t think anyone will deny that Windows XP was expected to become a target after the EOL, but we couldn’t even make it to the first Patch Tuesday after the EOL of Windows XP before a Critical IE Zero Day was discovered. On Saturday April 26th, Microsoft announced Security Advisory 2963983 in response to attacks discovered in the wild against IE 9, 10, and 11. The vulnerability also affects IE 6, 7, and 8, so those users still running on Windows XP systems are vulnerable to this Zero Day.

Microsoft released details and means to mitigate a Zero-Day exploit through Word documents

Microsoft released Security Advisory 2896666 yesterday, which describes a vulnerability in a Microsoft graphics component that is being actively exploited in targeted attacks using crafted Word documents sent by email. The attacks are limited, as the exploit does need some user interaction to succeed. The end result, however, allows the attacker to execute code on the target system. The attacks that have been identified were located mostly in the Middle East and South Asia.

Office 2003 and 2007 are affected by this vulnerability. Office 2010 is affected only when installed on Windows XP or Server 2003. Office 2013 is not affected. Microsoft Lync 2010 and 2013 are also affected. The Security Advisory includes a “Fix It” to mitigate the risk of being exploited by turning off the TIFF codec, which would effectively block the attack but also affect any TIFF files that a user would attempt to open. The “Fix It” also comes with a second tool to back out the change once Microsoft has provided a patch to resolve the vulnerability.

A blog post on TechNet does provide other layers of defense that can reduce the potential risk as well. The suggested use of EMET, Protected View, and blocking of ActiveX controls in Office documents will help reduce your potential risk.

Avoid the latest Java Zero Day by upgrading to Java 7 today

If you have not read up on the ZDNet and other posts regarding this exploit, here is a link to an article talking in more depth. If you are still on Java 6 you are vulnerable to this Java vulnerability. Java 7 update 21 and earlier are also exposed. There is an exploit kit available to hackers for $450. They can purchase a way to exploit this vulnerability off the shelf. This means it is past time to upgrade your Java runtime.

So, Shavlik Protect users, here are some easy steps to create a scan template that allows you to deploy/upgrade Java 7 update 25 to your machines to ensure they are up to date.

For users on Protect 9.0 the steps are as follows:

  1. Create a new Patch Group by clicking on the +New > Patch Group…
  2. Name the Patch Group “Java 7 Software Distribution”
  3. Click add and sort by QNumber column.  Select QJAVA7U25N and QJAVA7U25X64N and save the patch group.
  4. Click +New > Patch Scan Template… and name it Java 7 Software Distribution
  5. On the Filtering tab, uncheck Patch Type > Security Patches, set Patch filter settings to “Scan Selected”, click the “…” button and select the “Java 7 Software Distribution” patch group.
  6. Click on the “Software Distribution” tab and check the box to enable Software Distribution.  Save the scan template.
  7. Scan and Deploy the Java 7 update 25.

The best way to protect against this zero day is to eliminate the presence of Java 6 and this should be an easy way to do so.

Chris Goettl
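
An inventory check for the exposure ranges stated in the Java post above (all of Java 6, and Java 7 update 21 and earlier, with update 25 as the deployment target), as an added example that is not Shavlik's or Oracle's code. The host names and version strings are constructed sample data, and the result labels (`exposed`, `at-target`, `below-target`, `not-covered`, `unparsed`) are this example's own.

```python
import re

# Legacy Oracle version strings: 1.<major>.<minor>[_<update>][-<build>], e.g. 1.7.0_21-b11
_VERSION_RE = re.compile(r"\b1\.(\d+)\.\d+(?:_(\d+))?")

LAST_EXPOSED_JAVA7_UPDATE = 21   # from the post: "Java 7 update 21 and earlier"
TARGET_JAVA7_UPDATE = 25         # the update the post deploys


def parse_java_version(text):
    """Return (major, update) from a version string or `java -version` output."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    # A string with no "_NN" suffix (e.g. "1.7.0") is the initial release: update 0.
    return int(match.group(1)), int(match.group(2) or 0)


def classify(text):
    """Map a reported Java version onto the ranges the post describes."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"          # never treat an unreadable version as safe
    major, update = parsed
    if major == 6:
        return "exposed"           # all of Java 6, regardless of update
    if major == 7:
        if update <= LAST_EXPOSED_JAVA7_UPDATE:
            return "exposed"
        return "at-target" if update >= TARGET_JAVA7_UPDATE else "below-target"
    return "not-covered"           # the post makes no statement about other majors


def hosts_needing_action(inventory):
    """Return sorted host names whose Java is anything other than at-target."""
    return sorted(h for h, v in inventory.items() if classify(v) != "at-target")


# Constructed sample inventory: host name -> version string as reported by the host.
SAMPLE_INVENTORY = {
    "ws-001": 'java version "1.6.0_45"',
    "ws-002": "1.7.0_21-b11",
    "ws-003": "1.7.0_25",
    "ws-004": "1.7.0",
    "srv-01": "version string missing",
}

if __name__ == "__main__":
    for host in hosts_needing_action(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
```

Hosts whose version cannot be parsed are reported for follow-up rather than silently passed.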

 

January 2013 Patch Tuesday Overview

To ring in the New Year, today Microsoft has released seven new security bulletins addressing 12 vulnerabilities.

However, the most notable headline from this Patch Tuesday is a security bulletin that was not released. On December 29, 2012, Microsoft released a security advisory (2794220) informing administrators that a vulnerability in Internet Explorer was currently being exploited. Microsoft provided a non-security update to prevent exploitation of that vulnerability. Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability. As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible. Only Internet Explorer browser versions 6, 7 and 8 are affected by this vulnerability.

Of the seven Microsoft security bulletins released for the January 2013 edition of Patch Tuesday, administrators should look at patching MS13-002 first. Microsoft has identified a vulnerability in Microsoft XML Core Services. If an unpatched system browses to a malicious website, an attacker can gain remote code execution.

The other browsing threat this month that needs attention from administrators is MS13-004. In this security bulletin, Microsoft is addressing a vulnerability in their .NET software application. If an unpatched machine browses to a malicious website, an attacker can gain elevation of privilege on that machine.

The other critical update this month (MS13-001) addresses a vulnerability in the Windows Print Spooler. If a machine is set up as a print server, an attacker can send a malicious print job to the machine and gain remote code execution. Security best practices call for print servers to reside behind a firewall that only allows internal users to print to the print server. The most likely attack scenario is for an attacker to already be on the internal network.

And as is becoming a recurring theme, this Patch Tuesday is not just a Microsoft-focused security day.  Several non-Microsoft software vendors have also joined in with releases of their own.

Adobe has released security bulletin APSB13-02 affecting all supported versions of Adobe Acrobat and Reader. This security bulletin is part of their quarterly update for Adobe Acrobat and Reader and was expected.

Adobe also released updates for their Air and Flash Player products. These updates are security updates that were not previously announced (APSB13-01). With any Adobe Flash Player update, Microsoft and Google update their latest browsers to include the new release of Adobe Flash Player.

Mozilla also released new versions of their products. Mozilla Firefox 18 is a new version of their product that only contains new features. Previous versions of the Mozilla products also received updates that contain security fixes.

Given that the January 2013 Patch Tuesday does not include a security update for the zero-day Microsoft Internet Explorer vulnerability, there is a good chance we will see an out-of-band update from Microsoft before the February 2013 Patch Tuesday. Microsoft will continue to monitor the threat landscape and decide if this zero-day vulnerability warrants an out-of-band release.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 11/9/2012

It has been a busy week for patch releases.  Here is a quick recap of the happenings in patch management.

 

Tuesday

Adobe released a new security bulletin for Adobe Flash Player and Adobe Air.  APSB12-24 addresses seven vulnerabilities and the following versions address these issues:

  • Adobe Flash Player 11.5.502.110
  • Adobe Flash Player 10.3.183.43
  • Adobe Air 3.4.0.600

It is important to note that the vulnerabilities also affect the Adobe Flash Player 10 product line. The ‘Priority and Ratings,’ ‘Affected Software Versions,’ and ‘Summary’ sections on the Adobe security bulletin page do not list Adobe Flash Player 10 as an affected product. The CVE entries filed for the vulnerabilities state that Adobe Flash Player 10 is indeed affected by the vulnerabilities. In addition, the Adobe Security Bulletin page lists Adobe Flash Player 10 as affected in the ‘Solution’ area.

With the Adobe Flash Player release, I also saw a coordinated release effort from Google and Microsoft to address vulnerable Adobe Flash Player programs embedded in their browsers.  Google Chrome / Chrome Frame version 23.0.1271.64 fixes 14 vulnerabilities and includes the latest version of the Adobe Flash Player.  This new version of the Google browser includes a new ‘Do Not Track’ feature that sends a request to a website asking it to not track information.  On the Microsoft side, Microsoft Security Advisory 2755801 was updated to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.

Opera also released a new version of their browser for the first time since June of this year.  Opera 12.10 addresses six vulnerabilities.  In the release notes, you will need to scroll down to the beta section to see that this release actually fixed security vulnerabilities.  They are noted in the beta section for version 12.10.

 

Wednesday

There was another release from Google for their Chrome and Chrome Frame browsers.  Google did not release any update notes for this new version, so I am assuming this release is a non-security update fixing very minor issues with Tuesday’s release.  **Update: This is my mistake on reporting. I inadvertently thought Google Chrome released twice this week without release notes for the latest. Although I have seen this happen in the past, only one version of Chrome was released by Google this week.**

HP released their first update since June of this year for their System Management Homepage product. HP System Management Homepage 7.1.2 appears to be a security update and is rated as “Recommended” from HP. The release notes for this newer version state “Improved security features.” Vulnerability information for HP System Management Homepage releases typically takes a few weeks to appear after the product release, so I will be watching the National Vulnerability Database for more information.

Thursday

Apple joined the busy patching week with a new release of Apple QuickTime.  Apple QuickTime 7.7.3 is a security update addressing nine vulnerabilities. One of the vulnerabilities fixed with this release is remarkably from 2011 (CVE-2011-1374).

 

Friday

AOL Instant Messenger 1.2.0.2 has been released to the mainstream.  This product typically does not have release notes associated with each version.  I will be waiting to see if a CVE is released that would mark this release as a security bulletin.

 

Other News

Next Tuesday marks the November 2012 edition of Patch Tuesday.  Microsoft is set to release six bulletins addressing 13 vulnerabilities.  This Patch Tuesday will be highlighted by the first security bulletin releases for the new Microsoft Windows 8 and Server 2012 operating systems.

There are reports of a Zero-day vulnerability in Adobe Reader.  No confirmation or information has been released yet by Adobe.  There is a chance that Adobe could be releasing an update for Adobe Reader on Patch Tuesday.

I will be back next Tuesday to talk in detail on all of the activities for the November 2012 Patch Tuesday.

Happy Patching!

 

– Jason Miller

This Week in Patching – 10/19/2012

It is that time for a weekly recap of the happenings in patch management.

This week was highlighted by a critical security update from Oracle.  Oracle released updates for their Java programs with Java 7 update 9 and Java 6 update 37 during their quarterly update.  These updates address 28 vulnerabilities.  Some of the vulnerabilities addressed by this update were zero-day vulnerabilities.  With any patch addressing zero-day vulnerabilities, administrators will want to patch as soon as possible.  Apple also released an update for the newer version of Java.  This update release coincided with Oracle’s Java release.  The next scheduled update for Java is set for February 19, 2013.

On Wednesday, Adobe released new versions for their Adobe Acrobat and Reader product lines.  Adobe Acrobat / Reader 11 (or XI) does not contain any security fixes from the version 9 or 10 product lines.

On Thursday, VideoLAN released a new version for their VLC media player.  The release notes for VLC media player 2.0.4 state there are fixes for “security issues” but no CVE has been submitted for this version.

The Document Foundation released a new version of their LibreOffice product that prompted some confusion. The release version for LibreOffice has steadily been increasing on a normal cadence. LibreOffice 3.4.x was followed by 3.5.x. On August 15th, LibreOffice had a new major version with 3.6.x, which has since been followed up by minor version increases (3.6.1, 3.6.2). Yesterday, LibreOffice 3.5.7 was released. This version number is lower than the 3.6.x branch and has confused people. In a LibreOffice blog posting, they have stated that the 3.5.x branch will continue to receive updates, as will the 3.6.x branch. The 3.5.x branch is intended to be a stable branch, while the 3.6.x branch introduces new features to the LibreOffice program. LibreOffice 3.5.7 (released yesterday) and LibreOffice 3.6.2 (released on October 4) both do not contain any security fixes.

Happy Patching!

– Jason Miller

Microsoft Releases Out-Of-Band Security Bulletin

Microsoft released one new security bulletin in their September 2012 out-of-band release.  Security bulletin MS12-063 addresses the zero-day vulnerability that has been discussed lately.  It is important to note this security bulletin is a cumulative update for Microsoft’s Internet Explorer browser.  There are four other vulnerabilities that are being addressed in this security bulletin release.  These four vulnerabilities are not publicly known at this time.

As this security bulletin contains a zero-day vulnerability that warranted an out-of-band release from Microsoft, administrators will want to apply this update as soon as possible.

With the security advisory for the zero-day vulnerability, administrators may have applied a FixIt workaround to help mitigate the risk of the vulnerability.  This workaround does not need to be removed before patching.  The FixIt workaround hardens the browser and administrators will need to decide if they want to remove this workaround.

Happy Patching!

 

– Jason Miller