April 13, 2010
· Filed under Microsoft Security and Systems Management, Patch Management · Tagged Patch Tuesday, Security Advisory

As you know, Patch Tuesday is tomorrow. On Wednesday, after the dust settles, I will be hosting a Webinar to provide even more information about the latest Microsoft patches and how they may affect your network.
We created this Webinar to provide you with an additional Patch Tuesday resource to make your job easier. I hope you join us and find it helpful.
Here are the details:
Date: Wednesday, April 14
Time: 11:00 AM, CT
Fee: FREE
Register: Here
- Jason Miller
March 31, 2010
· Filed under Current Threats and Vulnerabilities, Microsoft Security and Systems Management, Patch Management · Tagged Apple, Mozilla, out-of-band, Patch, Patch Tuesday, Sun
Today, the unplanned patch day started with:
- Microsoft going out-of-band in releasing MS10-018
- Sun releasing Sun Java 6 update 19
- Mozilla releasing Thunderbird 3.0.4
- Apple releasing new patches for Mac OS X 10
Now, we have more joining the patching fun:
- Mozilla has just released SeaMonkey 2.0.4. This release fixes 8 vulnerabilities. The vulnerability details can be found here.
- Apple has just released iTunes 9.1. This release fixes 7 vulnerabilities.
- Apple has just released QuickTime 7.6.6. This release fixes 16 vulnerabilities.
Let’s hope this is the end of security patches for today… Tomorrow is another patching day.
- Jason Miller
March 30, 2010
· Filed under Current Threats and Vulnerabilities, Microsoft Security and Systems Management, Patch Management · Tagged Patch, out-of-band, Patch Tuesday, Security Advisory, Sun, Mozilla, Vulnerability, Zero-Day
Microsoft is going out of their normal release cycle to post a new security bulletin for Internet Explorer. This bulletin fixes a vulnerability that is currently being exploited in the wild.
In the past few years, Microsoft has gone out-of-band with security bulletin releases on limited occasions. In both 2008 and 2009, Microsoft released only two out-of-band security bulletins to fix critical vulnerabilities. With today’s out-of-band release, Microsoft has already released two in 2010, both addressing known critical vulnerabilities in Internet Explorer and kicking off a record year for out-of-band patch releases.
Microsoft typically releases cumulative updates for Internet Explorer bimonthly during regular Patch Tuesday releases, and we were expecting to see the next round of IE patches in April’s Patch Tuesday release. As this bulletin is being released earlier than planned, it is important to note the bulletin contains a total of 10 vulnerability fixes. The other nine vulnerabilities addressed are not publicly known at this time.
If administrators used any of the workarounds suggested in the security advisory (KB981374) that prompted this out-of-band release, it is important for them to un-apply the workarounds. This will restore functionality that was lost due to the temporary fix.
With any zero-day exploit that is being actively targeted, it is critical for administrators to patch their systems as soon as possible. Some patch maintenance cycles are scheduled over weekends to accommodate the known downtime. While many are planning for a long holiday weekend, administrators should not wait to patch this until next week as we know that hackers won’t be taking the weekend off.
Jumping on this version of Patch Tuesday:
Mozilla has released a new version of Thunderbird. Thunderbird 3.0.4 fixes known security vulnerabilities in the product. The Mozilla Security Advisory page has not been updated yet and you should keep an eye on the page for the announcement.
Sun has also released a new version of Sun Java. Sun Java 6 update 19 fixes multiple security vulnerabilities. More information can be found here.
Apple is also releasing a large number of vulnerability fixes for Mac OS X v10.5.8, Mac OS X v10.6 – v10.6.2. The release notes can be found here.
As it seems a lot of vendors are in the patching mood today, I will update this blog posting if we find more here at Shavlik.
- Jason Miller
March 10, 2010
· Filed under Current Threats and Vulnerabilities, Microsoft Security and Systems Management, Patch Management · Tagged Patch Tuesday, Security Advisory
After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month. Microsoft released two new security bulletins addressing 8 vulnerabilities, none of which are publicly known at this time. It is not uncommon for Microsoft to have a large patch month followed by a relatively light patch month.
As the bulletins affect client Windows operating systems and Microsoft Office, your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed. As expected, Microsoft is not planning to release a bulletin for their recently released security advisory (981169). Microsoft will need time to investigate, implement and test the fix for this known vulnerability.
It is important to note that MS10-016 affects Microsoft Producer 2003. However, Microsoft is not providing a patch for this product. They are suggesting administrators remove the affected component on their machines. Microsoft not providing patches for known software vulnerabilities has become more common over the past 12 months. This is a great example of why administrators should take time each month and research the information associated with each bulletin. Simply blindly pushing out patches does not necessarily make your network secure.
MS10-017 should be addressed first on your network. Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars. Opening a malicious Excel document could lead to remote code execution.
Last month, there were issues identified with security bulletin MS10-015. This bulletin caused blue screens on systems that were recently patched. Microsoft researched the issue and found a rootkit was the cause of the blue screens. This is a perfect example of why companies should have a solid patching process that includes testing each bulletin before deploying it to their network.
Microsoft also announced a new security advisory in 981374. This security advisory affects Internet Explorer versions 6 and 7. Microsoft has been receiving limited reports of targeted attacks on the browser. Although there is not a patch available for this issue, administrators should keep an eye on this advisory for more information.
Lastly, Microsoft re-released MS09-033. They added Microsoft Virtual Server 2005 to the list of affected products. If you have already patched the previous affected products, there is no action that is needed on those. Be on the lookout for MS09-033 missing on some systems though.
Happy Patching!
- Jason Miller
March 3, 2010
· Filed under Microsoft Security and Systems Management, Patch Management, Shavlik General · Tagged The More You Know...
It has been quite a while since I have blogged and I am finally getting some free time to get back to it. Today, we announced our new SCUPdates offering. We will be providing third party software updates (non-Microsoft) data files for the System Center Updates Publisher for SCCM. SCCM users will now be able to easily patch non-Microsoft products without having to create their own updates.
The SCUPdates offering is a data file. There are no Shavlik products that need to be installed on your servers or workstations. If you are a SCCM user, you can keep your same environment and use our data in your environment. Importing the data in your SCCM database will result in patch/product detection on the same reports you see today.
Patching third party products can be quite an undertaking. SCCM users can patch Microsoft products but they need a way to patch third party applications without adding to their workload. With SCUPdates, we are providing a new patching mechanism for third party products such as Adobe, Apple and Firefox.
Third party product attacks are becoming more common. Only focusing on Microsoft products is half the battle. The Shavlik Data Team puts in a lot of research on these applications already in the Shavlik NetChk product line. By taking our expertise to the SCCM/SCUP side of patching, we can help tackle the global problem of patching non-Microsoft products.
With the release of SCUPdates, I will be back on my normal blogging schedule.
- Jason Miller
February 3, 2010
· Filed under Current Threats and Vulnerabilities, Microsoft Security and Systems Management, Patch Management · Tagged Security Advisory
Microsoft just announced another new security advisory for Internet Explorer. With this zero-day vulnerability, a user would need to visit a malicious website that takes advantage of this vulnerability. The title of the advisory states that the vulnerability could allow information disclosure. Microsoft is reporting there are no active attacks for this vulnerability.
Microsoft has listed numerous workarounds to help mitigate the risk of attack on a system. If you choose to apply any of these workarounds, each workaround should be tested thoroughly in your environment to ensure functionality of your applications.
Tomorrow is the February Advanced Notification for patch Tuesday. We will have to see if this is addressed with this month’s patch Tuesday. I highly doubt this will be addressed next patch Tuesday as the announcement and turnaround time for a patch has a very small window of opportunity.
- Jason Miller
January 14, 2010
· Filed under Current Threats and Vulnerabilities, Microsoft Security and Systems Management · Tagged Security Advisory, Zero-Day
Microsoft has just published a new security advisory. This advisory affects Internet Explorer and can lead to remote code execution on machines. There have been reports of limited targeted attacks, which makes this a zero-day exploit as there is no patch available yet for this vulnerability.
Microsoft has posted a couple of workarounds to help mitigate this risk:
- Set your Internet Security Zone settings to “High” for ActiveX Controls and Active Scripting
- Set Internet Explorer to prompt or disable Active Scripting
- Enable DEP for Internet Explorer
With a vulnerability like this, it is very important to be aware of phishing attempts through email, instant messaging or Internet sites.
Because this affects Internet Explorer and is a zero-day exploit, we can probably expect an out-of-band patch release in the coming days/weeks before February’s patch Tuesday.
This could be related to the Google breach reported a few days ago as the advisory page cites Acknowledgements to Google, Adobe and McAfee.
- Jason Miller
December 30, 2009
· Filed under Configuration Management, Current Threats and Vulnerabilities, Microsoft Security and Systems Management · Tagged Zero-Day
A few days ago, there were reports of a zero-day exploit affecting Microsoft IIS. Microsoft has concluded their research and found there is no vulnerability in the IIS code. The findings published outside of Microsoft surrounding the vulnerability were due to improper IIS security configurations. The MSRC Blog has more information regarding their findings around the claimed zero-day exploit.
Patching a system is a good start for a line of defense against attackers. But, improperly configured systems and services should be high on your list as well. An IIS server is typically outside facing and should be “hardened” to prevent unauthorized access.
In the past few months, there have been many claims outside of Microsoft regarding zero-day exploits in the wild. It is very important to remember to wait for the vendor to confirm the claims that are made by security researchers. Microsoft relies heavily on external security researchers, but Microsoft is always the best source of information regarding vulnerabilities and exploits.
- Jason Miller
December 22, 2009
· Filed under Microsoft Security and Systems Management · Tagged The More You Know...
The U.S. Court of Appeals just sent judgment down on Microsoft prohibiting them from selling Microsoft Word starting January 11, 2010. Microsoft is planning to release a new version of Word that will pull the offending code that started this patent infringement lawsuit.
The good news: Microsoft will still be able to provide support (patching) to the product.
If Microsoft were not able to support the offending version of Word, many people would be left with vulnerable products when future patches that affect Word are released.
- Jason Miller
December 22, 2009
· Filed under Microsoft Security and Systems Management, Patch Management · Tagged Patch Tuesday, The More You Know...
A few weeks ago, we added official support for scanning and patching of Windows XP Embedded devices. Those of you who have these devices on your network and use the Shavlik product line may have noticed no patches were applicable from December’s patch Tuesday. This does not mean those devices do not need to be kept up to date.
Microsoft does not release support for XP Embedded patches the same day as they do for their other operating systems. There is an approximate two week period between patch Tuesday and when the patches become available to vendors.
If you have Windows XP Embedded devices on your network, you should plan accordingly to patch these possibly later than the rest of your machines.
- Jason Miller