Remove Apple Quicktime from your Windows systems

RemoveQuickTime

Apple has announced the end of availability for QuickTime 7 on Windows systems. In their announcement they explained their reason for pulling support:

“QuickTime 7 for Windows is no longer supported by Apple. New versions of Windows since 2009 have included support for the key media formats, such as H.264 and AAC, that QuickTime 7 enabled. All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows.”

To add to this, there are two known vulnerabilities that will go unpatched for QuickTime 7 on Windows which elevates the need to remove it. While the vulnerabilities are not being exploited, to anybodies’ knowledge, security experts are calling for removal of QuickTime as quickly as possible and are treating these two vulnerabilities as Zero Days since they have been disclosed and will never be fixed.

In response to this, Shavlik is creating uninstallers for our customers to find and remove QuickTime.

 

March Patch Tuesday Round-Up

MarchPatchTuesday2016SumThings were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here and with it Microsoft has released MS16-036, which is the Flash plug-in for Flash Player Security Bulletin. Also, expect ANOTHER Google Chrome update to support the latest Flash plug-in version there as well.

Ok, so APSB16-018: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but lets focus in on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next lets talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative and KB3146449 is in the list.

I have been keeping up with a thread on PatchManagment.org regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.

 

January Patch Tuesday 2016

2016_01_12_Patch

January 2016 is going to be anything but boring. Microsoft has a large lineup of updates. The bulletin list opens up 2016 with 10 bulletins — minus one. MS16-009 has been skipped and Microsoft went to MS16-010 instead. Is that a small joke relating to Windows 9 skipping to Windows 10? Maybe Microsoft doesn’t like the number nine for some reason. That oddity aside, Microsoft released six critical, three important and six public disclosures, along with a total vulnerability count of 26 resolved for January Patch Tuesday.

Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of lifes for Internet Explorer and Windows XP Embedded. Adobe announced a bulletin for Reader with an additional non-security release of Shockwave and Oracle is gearing up for its quarterly CPU, so expect Java to release next Tuesday, January 19.

Microsoft System Updates and End of Life Scheduling

Jan. 12 is a significant milestone for Internet Explorer support. Microsoft is releasing a final update for all supported IE versions, but after January it will only support the latest available for each Operating System. This means that for anything Windows 7 SP1 and later, you must be on IE 11 to continue receiving updates. There are a few exceptions for older operating systems that only supported up to IE 9 or 10. If you are still running applications or access sites that require IE 10 or earlier versions, you should plan to take some precautions. Restrict access to systems with outdated IE versions, virtualize them and close them off from direct Internet access. In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet, you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session.

Windows XP Embedded SP3 is also reaching its end of life today. It will be followed in a few months by Windows XP Embedded Point of Sale SP3, which is due to end on April 12. Retailers will start to sweat if you are still on those platforms after that date.

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. I am guessing there will be those who look into the registry hack that was used to trick Windows XP into thinking it was Windows XP Embedded POSReady 2009. If you have no other recourse, you may roll the dice on that, since POSReady 2009 is really just another distribution of Windows XP Embedded. Moving off of the end of lifed platform is still the best option though.

Oracle’s quarterly CPU is coming on Jan. 19. I mention it now as those of you running Java will definitely want to plan to roll that update out when it arrives next week as well. In 2015, the lightest of the Java updates included 14 CVEs, all of which were remotely executable without authentications. The rest had 19–25 vulnerabilities resolved with more than 15 being remotely executable without requiring credentials.

Microsoft January Bulletins

MS16-001 and MS16-002 are updates to Microsoft’s Internet Explorer and Edge browsers. Both are rated as critical, resolving two vulnerabilities each. The IE patch includes a public disclosure (CVE-2016-005), which puts it at a higher risk of being exploited.

MS16-004 is an update for Microsoft Office and Visual Basic. The bulletin is rated critical and resolves six vulnerabilities including two public disclosures (CVE-2016-0035, CVE-2015-6117).

MS16-005 is a critical update for the Windows Operating System resolving two vulnerabilities including one public disclosure (CVE-2016-009). This is also a Kernel-Mode Driver update. Thorough testing is always recommended. If an application patch goes wrong you can just reinstall, but if a kernel patch goes wrong it will be more severe.

MS16-007 is an important update for Microsoft Windows, which resolves six vulnerabilities including two public disclosures (CVE-2016-0016, CVE-2016-0018). There are a few known issues with this update. To be fully protected you also need to have MS16-001 for Internet Explorer. Windows 10 users who have Citrix XenDesktop should be aware that installing this update will prevent login. Microsoft recommends users uninstall XenDesktop and installing this bulletin, then follow up with Citrix for a fix for XenDesktop.

The way the issue is worded on the bulletin page makes it sound like Microsoft’s methods of updating Windows 10 (Windows Update, WSUS, SCCM) will not offer this update if XenDesktop is installed. It states “Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update.” So, if Windows 10 updates are all bundled, cumulative updates, this would mean that the January cumulative for Windows 10 would not be installed. That means all five bulletins that would affect Windows 10 would go unpatched until the issue is resolved.

MS16-008 is only rated as Important and no public disclosures, but it is a Kernel patch addressing Elevation of Privilege vulnerabilities. Thorough testing is recommended before rollout.

MS16-009 did not drop yet. This could mean it will not arrive until February, or it could come out of band. The last time we saw a bulletin be skipped in the order was an SQL update that dropped between Patch Tuesdays. Keep an eye out for this one in case it comes late. It will likely be a high priority if that is the case.

MS16-010 is an important update for Microsoft Exchange. No public disclosures or known issues, so recommendation is thorough testing and rollout in a timely manner.

Third Party Bulletins

Adobe has released one bulletin this month. APSB16-002 for Adobe Reader is a Priority 2 update resolving 17 vulnerabilities. The only other update from Adobe today was an update for Shockwave, which did not have an accompanying bulletin. APSB16-001 for Adobe Flash actually first dropped in late December with a re-release the next day resolving an Active-X issue. That release likely came early due to a known exploit in the wild (CVE-2015-8651). Ensure that the Flash update is rolled out if you have not already done so.

Join us tomorrow for the January Patch Tuesday webinar where we will discuss the bulletins in more detail.

 

December Patch Tuesday 2015

DecemberPatchTuesday2015Summary

December Patch Tuesday is upon us. Let’s see if we have presents under the tree or coal in our stockings…

Microsoft has released 12 bulletins, eight of which are Critical, resolving a total of 71 vulnerabilities. Adobe released a whopper of a Flash update resolving 78 vulnerabilities. Google Chrome is dropping today as well. Aside from an update for the Flash Player plug-in and its 78 security fixes, there are reportedly security fixes coming for the browser as well.

While Microsoft has quite the lineup this month, it didn’t quite catch Adobe’s 78 vulnerabilities resolved for the month. They did, however, have one public disclosure (CVE-2015-6175), and two vulnerabilities exploited in the wild (CVE-2015-6175, CVE-2015-6124). Here are the highlights for Microsoft:

MS15-0124 is a critical update for Internet Explorer with 30 vulnerabilities resolved in total. Also of note, Internet Explorer supported versions will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. Time to check your browser versions across the enterprise and compare to the versions listed in this blog post:

https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/

MS15-125 is a critical update for Edge with 15 vulnerabilities resolved. This update will be included with six others in the December Windows 10 Cumulative Security Update.

MS15-128 is a critical update for Windows, .Net Framework, Office, Skype, Lync and Silverlight, resolving three vulnerabilities. This is a Microsoft Graphics Component update, which is a shared library that affects many applications. Expect many variations of this update to affect the same system for each product you have installed that is affected.

MS15-131 is a critical update for Microsoft Office, resolving six vulnerabilities. This bulletin includes a fix for CVE-2015-6124, which has been detected in exploits in the wild. The vulnerability takes advantage of a failure to properly handle objects in memory. If exploited, the attacker could run arbitrary code in the context of the user. Least privilege policies would help mitigate the impact if exploited by limiting what the attacker could do. This vulnerability can be exploited in web-based attacks using specially crafted content designed to exploit the vulnerability.

MS15-135 is an important update for Microsoft Windows, which resolves four vulnerabilities. This bulletin includes a fix for CVE-2015-6175, which has been publicly disclosed and also has been detected in exploits in the wild. While this is only rated as important, we recommend treating this as a high priority. This update resolves Kernel memory handling. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. At that point they could install programs, view, change or delete data or create new accounts with full user rights. This is a Kernel update, so thorough testing is highly recommended.

Windows also released its Windows 10 December Cumulative Update (3116869). This update includes seven bulletins: MS15-124, MS15-125, MS15-126, MS15-128, MS15-132, MS15-133 and MS15-135. This update includes five critical bulletins and MS15-135, which includes CVE-2015-6175. This vulnerability has been publicly disclosed and detected in exploits in the wild.

APSB15-32 is a Priority 1 update for Adobe Flash Player, resolving 78 vulnerabilities. This bulletin includes a large number of code execution vulnerabilities and a few security feature bypass vulnerabilities. To fully resolve these vulnerabilities you need to ensure you update Flash Player on the OS, as well as the plug-in in your browsers. You will need to update IE, Chrome and Firefox plug-ins to fully ensure these vulnerabilities are resolved.

Google has also released an update to Chrome resolving at least 7 vulnerabilities by initial reports from Google. It will also include support for the Flash Player plug-in and the 78 vulnerabilities resolved there. This is recommended to be a high-priority update this month.

Join us tomorrow for the December Patch Tuesday webinar where we will discuss the bulletins in more detail.

August Patch Tuesday Round-Up

Patch Tuesday + 8 days. Another big month from Microsoft, but it has continued past Patch Tuesday including a Zero Day IE update (MS15-093). Recapping the risks we have seen this month, there are now three exploited vulnerabilities from Microsoft for August. Two vulnerabilities have been publicly disclosed which increases the risk of exploit. Altogether, this is a busy month once again.

Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll-out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday update and two additional cumulative since Patch Tuesday (KB3081436, KB3081438 which was the fix for the reboot loop, and KB3081444).

Here is the August summary:

 

AugustSummary2015

For full playback of the August Patch Tuesday Webinar or to sign up for future Patch Tuesday Webinars check out our Webinars page.

July Patch Tuesday Round-Up

Patch Tuesday + 8.  It was a large one this month.  Initially there were four Critical updates from Microsoft, but a fifth Critical released on July 20th as an out of band.  MS15-078 was discovered in the 400GBs of data from the Hacking Team breach.  The fact that the data was part of the breach means that CVE-2015-2426 has been publicly disclosed.  8 public disclosures and depending on how you score them, there are now 7 Zero Days in the lineup of updates this month.  Java is plugging one, Flash is plugging two, and Microsoft now as four (three already exploited and the fourth resolved by MS15-078).   See the summary of updates below for details.

Good news regarding the IE Zero Day, MS14-021 has released and includes support for Windows XP

Microsoft has announced Security Bulletin MS14-021 on Technet to resolve the IE Zero Day identified on April 26th.  The Shavlik Content team is investigating and will be releasing support for this bulletin as soon as possible.  A restart will be required to apply the patch.  Also, if you have applied any of the mitigation steps you will need to take a look at the ‘Workarounds’ section of the bulletin to see if the steps you chose will need to be reverted.

For those of you on Windows XP, the bulletin identifies variations on IE 6, 7, and 8 and according to the MSRC post today, Microsoft has decided to support this bulletin on Windows XP.  According to Dustin Child’s post Microsoft “…made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system…”.

Watch for the Shavlik Content Announcement later today once we have tested and made it available to our customers.

 

 

New IE Zero Day being exploited in the wild, what does it mean for Windows XP?

internet-explorer1_12

I don’t think anyone will deny that Windows XP was expected to become a target after the EOL, but we couldn’t even make it to the first patch Tuesday after the EOL of Windows XP before a Critical IE Zero Day was discovered.  On Saturday April 26th, Microsoft announced Security Advisory 2963983 in response to attacks discovered in the wild against IE 9, 10, and 11.  The vulnerability also affects IE 6, 7, and 8, so those users still running on Windows XP systems are vulnerable to this Zero Day.

Microsoft released details and means to mitigate a Zero-Day exploit through Word documents

Microsoft released Security Advisory 2896666 yesterday which describes a vulnerability in Microsoft graphics component that is being actively exploited in targeted attacks using crafted Word documents sent by email.  The attacks are limited as the exploit does need some user interaction to be exploited.  The end result, however, makes the attacker able execute code on the target system.  The attacks that have been identified were located mostly in the Middle East and South Asia.

Office 2003 and 2007 are affected by this vulnerability.  Office 2010 is affected only when installed on Windows XP or Server 2003.  Office 2013 is not affected.  Microsoft Lync 2010 and 2013 are also affected.  The Security Advisory includes a “Fix It” to mitigate the risk of being exploited by turning off the TIFF Codex which would effectively block the attack, but also affect any TIFF files that a user would attempt to open.  The “Fix It” also comes with a second tool to back out the change once Microsoft has provided a patch to resolve the vulnerability.

A blog post on TechNet does provide other layers of defense that can reduce the potential risk as well.  The suggested use of the EMET, Protected View, and blocking of ActiveX controls in office documents will help reduce your potential risk.

Avoid the latest Java Zero Day by upgrading to Java 7 today

If you have not ready up on the ZDNet and other posts regarding this exploit here is a link to an article talking in more depth.  If you are still on Java 6 you are vulnerable to this Java vulnerability.  Java 7 update 21 and earlier are also exposed.  There is an exploit kit available to hackers for $450 dollars.  They can purchase a way to exploit this vulnerability off the shelf.  This means it is past time to upgrade your Java runtime.

So, Shavlik Protect users, here are some easy steps to create a scan template to allow you to deployupgrade Java 7 update 25 to your machines to ensure they are up to date.

For users on Protect 9.0 the steps are as follows:

  1. Create a new Patch Group by clicking on the +New > Patch Group…
  2. Name the Patch Group “Java 7 Software Distribution”
  3. Click add and sort by QNumber column.  Select QJAVA7U25N and QJAVA7U25X64N and save the patch group.
  4. Click +New > Patch Scan Template… and name it Java 7 Software Distribution
  5. On the Filtering tab uncheck the Patch Type > Security Patches and Patch filter settings set to “Scan Selected” and click the “…” button and select the “Java 7 Software Distribution” patch group.
  6. Click on the “Software Distribution” tab and check the box to enable Software Distribution.  Save the scan template.
  7. Scan and Deploy the Java 7 update 25.

The best way to protect against this zero day is to eliminate the presence of Java 6 and this should be an easy way to do so.

Chris Goettl