Archive for Patch Management

March Patch Tuesday Overview

After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month.  Microsoft released two new security bulletins addressing 8 vulnerabilities, none of which is publicly known at this time.  It is not uncommon for Microsoft to follow a large patch month with a relatively light one.

As the bulletins affect client Windows operating systems and Microsoft Office, your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed.  As expected, Microsoft is not releasing a bulletin for its recently published Security Advisory 981169; it will need time to investigate, implement and test a fix for that known vulnerability.

It is important to note that MS10-016 affects Microsoft Producer 2003, but Microsoft is not providing a patch for this product.  Instead, it is suggesting that administrators remove the affected component from their machines.  Microsoft declining to patch known software vulnerabilities has become more common over the past 12 months.  This is a great example of why administrators should take time each month to research the information associated with each bulletin: blindly pushing out patches does not necessarily make your network secure, and a bulletin with no patch for one of its affected products still needs an action on your part.

MS10-017 should be addressed first on your network.  Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars, and opening a malicious Excel document on an unpatched system could lead to remote code execution.

Last month, issues were identified with security bulletin MS10-015: some systems blue-screened after the update was installed.  Microsoft researched the issue and found that a rootkit already present on those systems was the cause of the blue screen.  This is a perfect example of why companies should have a solid patching process that includes testing each bulletin before deploying it to the network.

Microsoft also announced a new security advisory, 981374, which affects Internet Explorer versions 6 and 7.  Microsoft has received limited reports of targeted attacks against the browser.  Although no patch is available for this issue yet, administrators should keep an eye on the advisory for more information.

Lastly, Microsoft re-released MS09-033, adding Microsoft Virtual Server 2005 to the list of affected products.  If you have already patched the previously affected products, no action is needed on those.  Do, however, be on the lookout for MS09-033 showing up as missing on your Virtual Server 2005 systems.
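
One way to catch a bulletin that is newly "missing" on a set of machines, as an added example that is not part of the original post: the PowerShell below checks each host for a given KB and reports where it is absent or where the query failed.  The KB number for a bulletin is listed in the bulletin’s Knowledge Base Article field; KB0000000 below is a placeholder, not the article for MS09-033.  It assumes PowerShell 2.0 (for Get-HotFix), admin rights on the targets and remote WMI allowed through their firewalls.  Note the caveat in the comments: Get-HotFix reads Win32_QuickFixEngineering, which records Windows component updates only, so Office updates such as MS10-017 never appear there and need a different check.

```powershell
# Added example, not from the original post. Checks a list of machines for one KB and
# reports where it is missing or where the query failed. KB0000000 is a placeholder:
# take the real number from the bulletin's Knowledge Base Article field.
# Assumptions: PowerShell 2.0 (Get-HotFix), admin rights on the targets, and remote WMI
# allowed through their firewalls. Get-HotFix reads Win32_QuickFixEngineering, which
# records Windows component updates only; Office updates (e.g. MS10-017) never show up.
function Get-HotFixStatus {
    param(
        [Parameter(Mandatory=$true)][string]$KB,             # e.g. 'KB0000000'
        [Parameter(Mandatory=$true)][string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        try {
            $hit = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $KB }
            if ($hit) { $status = 'present' } else { $status = 'MISSING' }
        } catch {
            # Unreachable or access denied: report it rather than silently counting
            # the box as patched (or unpatched).
            $status = "unknown: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer = $computer
            KB       = $KB
            Status   = $status
        }
    }
}

# Constructed host list for illustration; feed it from your inventory or AD instead.
$virtualServerHosts = 'vs-host-01', 'vs-host-02'
Get-HotFixStatus -KB 'KB0000000' -ComputerName $virtualServerHosts |
    Where-Object { $_.Status -ne 'present' } |
    Format-Table Computer, KB, Status -AutoSize
```

Hosts that come back "unknown" deserve a second look rather than being dropped from the list; a machine you cannot query is not a machine you know to be patched.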

Happy Patching!

- Jason Miller


March Patch Tuesday Advanced Notification

After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month.  Microsoft announced its advanced notification for March’s Patch Tuesday today.

Microsoft is planning to release two new security bulletins addressing 8 software vulnerabilities.  One bulletin affects the Windows operating system; the other affects Office.

Affected Products:

  • Windows XP x86 and x64
  • Windows Vista x86 and x64
  • Office XP (Excel)
  • Office 2003 (Excel)
  • Office 2007 (Excel)
  • Office Excel Viewer
  • Office Compatibility Pack 2007
  • SharePoint Server 2007 x86 and x64

Your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed.  As expected, Microsoft is not planning to release a bulletin for its recently published security advisory (KB981169).

As always, keep an eye out for any other vendors who join this edition of Patch Tuesday.

- Jason Miller


New Microsoft Security Advisory – 981169

On Monday Microsoft posted a new security advisory, Security Advisory 981169, addressing a publicly reported vulnerability in VBScript.

The vulnerability affects Internet Explorer on Windows 2000, XP and 2003.  It does not affect the newer versions of Windows (Vista, 7, 2008 and 2008 R2).

The vulnerability lies in the way VBScript, running in Internet Explorer, interacts with Windows Help files.  If an attacker entices a user to visit a specially crafted website AND to press the F1 key when prompted, the attacker can gain remote code execution on the target system.

It is important to note that simply navigating to a malicious website will not result in remote code execution.  The user must press F1 when prompted.

Workarounds

  • Do not press F1 if prompted from a web site.
    Yes, you read that correctly.  This is a suggested workaround from Microsoft.  If you want to take it one step further, here is an action you could take.

Comical?  Yes.  Security focused?  No. 

Ok, maybe we should look at some real security measures.

  • Restrict access to the Windows Help System.
    This prevents the Help file system in Windows from working, and it is probably your safest bet for a workaround until the patch becomes available.  Workarounds typically require restricting a critical resource on the machine; in this case, only the Help system becomes unavailable.  If you do apply this workaround, remember to revert it after the patch is released and installed.

 

  • Harden Internet Explorer Security Settings
    Microsoft lists quite a few settings you can change to reduce the risk of exploitation.  The KB article has more information on these actions; as with any workaround, test them against your line-of-business web applications before rolling them out.
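
One way to apply and later revert the "restrict access to the Windows Help system" workaround, as an added example that is not Microsoft’s own script or part of the original post: the PowerShell below puts a Deny ACE for Everyone on winhlp32.exe and lists the resulting ACL so you can see what changed.  It assumes an elevated prompt on Windows 2000, XP or 2003, the versions the advisory covers (on Vista and later the file is owned by TrustedInstaller and Set-Acl will fail, but those versions are not affected).  The advisory’s workaround denies Everyone all access; this version denies only ReadData and ExecuteFile, which is enough to stop the Help engine from loading while leaving ReadPermissions intact, so the ACL stays readable and the -Revert path is safe.

```powershell
# Added example, not from the advisory or the original post: apply or revert the
# "restrict access to the Windows Help system" workaround by putting a Deny ACE for
# Everyone on winhlp32.exe. Assumes an elevated prompt on Windows 2000, XP or 2003.
# Design choice: deny only ReadData and ExecuteFile (enough to stop the engine loading)
# rather than all access, so the ACL remains readable and -Revert needs no ownership tricks.
function Set-WinHlpRestriction {
    param([switch]$Revert)   # remove the Deny ACE instead of adding it

    $helpExe = Join-Path $env:windir 'winhlp32.exe'
    if (-not (Test-Path $helpExe)) { throw "Help engine not found at $helpExe" }

    # S-1-1-0 is the well-known SID for Everyone (covers SYSTEM and Administrators too)
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $denyRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $everyone, 'ReadData, ExecuteFile', 'Deny'

    $acl = Get-Acl -Path $helpExe
    if ($Revert) {
        if (-not $acl.RemoveAccessRule($denyRule)) {
            Write-Warning "No matching Deny ACE found on $helpExe; nothing to revert"
        }
    } else {
        $acl.AddAccessRule($denyRule)
    }
    Set-Acl -Path $helpExe -AclObject $acl

    # Return the resulting ACEs so the caller can confirm what is now on the file
    (Get-Acl -Path $helpExe).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights
}

# Apply the workaround now; run "Set-WinHlpRestriction -Revert" once the patch is installed
Set-WinHlpRestriction | Format-Table -AutoSize
```

Record where you applied it: a Deny ACE that nobody remembers is the kind of workaround that is still in place years after the patch shipped.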

Patch Tuesday is next week.  Given that there have been no active reports and the turnaround between now and Patch Tuesday is short, I do not expect to see this patched in March’s Patch Tuesday.

- Jason Miller


Back to blogging, SCUPdates announced

It has been quite a while since I have blogged, and I am finally getting some free time to get back to it.  Today we announced our new SCUPdates offering: third-party (non-Microsoft) software update data files for System Center Updates Publisher (SCUP) for SCCM.  SCCM users will now be able to easily patch non-Microsoft products without having to create their own updates.

The SCUPdates offering is a data file; there are no Shavlik products that need to be installed on your servers or workstations.  If you are an SCCM user, you can keep your existing environment and simply use our data in it.  Importing the data into your SCCM database results in patch and product detection on the same reports you see today.

Patching third-party products can be quite an undertaking.  SCCM users can patch Microsoft products, but they need a way to patch third-party applications without adding to their workload.  With SCUPdates, we are providing a new patching mechanism for third-party products such as Adobe, Apple and Firefox.

Attacks on third-party products are becoming more common, and focusing only on Microsoft products is half the battle.  The Shavlik Data Team already puts a lot of research into these applications for the Shavlik NetChk product line.  By bringing that expertise to the SCCM/SCUP side of patching, we can help tackle the global problem of patching non-Microsoft products.

With the release of SCUPdates, I will be back on my normal blogging schedule.

- Jason Miller


MS10-015 Blue Screen Reports

I am a bit late reporting this, but I have been waiting for the dust to settle on this issue.  Each time reports like this float around the Internet, it is important to wait for the vendor to confirm them.

On Wednesday, reports started to surface of users getting the blue screen of death after installing MS10-015, the security bulletin released on Patch Tuesday that patches the Windows kernel.

Last night, Microsoft pulled the bulletin from Windows Update while it gathers information on the reported blue screens on affected computers.  The reports were:

  1. User installs MS10-015 manually or through Windows Update
  2. Computer reboots
  3. Computer blue screens on reboot, the operating system does not load

People have worked around the blue screen by booting from the recovery CD and uninstalling the patch.

Microsoft’s Security Response Center has just posted an update on the situation.  They are finding that the blue screen is actually caused by malware already present on the affected systems.  Apparently, some malware just does not like kernel updates from Microsoft.

As many of you are approaching your February patch cycle, here are some important reminders on patching in general and on this issue:

  • TEST, TEST, TEST.  Patch management programs make patching very easy, but you should never blindly push out updates unless it is absolutely necessary.  The issues with MS10-015 are a prime example of what can happen when you push out patches without testing them first.  Microsoft and other vendors make every attempt to ensure their patches do not break functionality; the last thing Microsoft wants with MS10-015 is to fix vulnerabilities but take a “black eye” for causing system crashes.  Take some time to establish a test environment that contains your commonly used systems and programs.  This may slow down your patch deployment, but it will save you a lot of time fixing the issues that can come up with patch management.
  • Research the issue.  When reports like those about MS10-015 come out, do the research.  How many people are *actually* affected by this issue?  What is the vendor saying about it?  How could this patch affect my network?  What does this patch fix (criticality, publicly known vulnerability, actively exploited vulnerability, servers or desktops affected)?  After gathering that information, you can make a decision on the patch.  Am I willing to accept the risk of not patching this vulnerability?  That is a question only you can answer.
  • Report issues to the vendor.  Most vendors have a response team waiting for issues that come up with patching.  Don’t be afraid to contact the vendor if you are seeing an issue with a patch.  Yes, you will still need to fix the affected machines, but you will be doing a great service to the rest of the users who may run into the same problem.

- Jason Miller


February Patch Tuesday Overview

Microsoft has released 13 new security bulletins for February’s Patch Tuesday.  The size of this release is not uncommon: historically, Microsoft has had a light January followed by a large February.  This month’s patches address 23 vulnerabilities.  There have been no reports of active attacks against these vulnerabilities.  One of these vulnerabilities has been publicly disclosed.

The first three bulletins, which administrators should address right away:

MS10-006 affects the SMB client on all supported operating systems.  This bulletin addresses two vulnerabilities, neither of which is publicly known or being exploited at this time.  Visiting a malicious site that causes the client to make a file-sharing connection can result in remote code execution.  In addition, a man-in-the-middle attacker could exploit these vulnerabilities by responding to legitimate SMB client requests with malformed packets.  It is important to note that MS10-006 is not related to MS10-012: both bulletins address SMB, but MS10-006 covers the client side and MS10-012 the server side.

MS10-007 affects the Windows Shell handler in Windows 2000, XP and 2003.  This bulletin fixes one vulnerability that is not publicly known or exploited at this time.  Visiting a specially crafted webpage could lead to remote code execution.  The vulnerability exists in both the operating system and Internet Explorer; for Internet Explorer, it was addressed by the out-of-band security bulletin released in January (MS10-002).  Depending on the system, you will need to apply:

Only MS10-002
- or -
Both MS10-002 and MS10-007
- or -
Either MS10-002 or MS10-007

MS10-007 has a table under the “Frequently Asked Questions (FAQ) Related to This Security Update” that will help guide you through what updates will apply to your systems.

MS10-013 affects Microsoft DirectShow on all supported operating systems.  This bulletin fixes one vulnerability, not publicly known at this time, in the way DirectShow parses AVI files.  In an attack scenario, a user must be enticed into opening a malicious AVI file, which can lead to remote code execution.  It is important to note that some operating systems require multiple patches from this bulletin to fully fix the vulnerability.  Media files are commonly sent and downloaded, so this vulnerability could affect many users.

 

The rest:

MS10-003 affects Office XP.  This bulletin addresses one vulnerability that is not publicly known and not being exploited at this time.  Opening a specially crafted Excel file on an unpatched system can lead to remote code execution.

MS10-004 affects PowerPoint in Office XP and Office 2003.  This bulletin fixes six vulnerabilities, none of which is publicly known or being exploited at this time.  Opening a specially crafted PowerPoint document can lead to remote code execution on an unpatched machine.  With MS10-004, it is important to note that PowerPoint Viewer 2003 is affected, but Microsoft is not releasing a patch for this version of the viewer: it states that the product has reached the end of its support lifecycle and will not receive future security patches.  You should identify all PowerPoint Viewer 2003 installations on your network and upgrade them to PowerPoint Viewer 2007, which is not affected by this vulnerability.

MS10-005 affects Microsoft Paint on Windows 2000, XP and 2003.  This bulletin fixes one vulnerability that is not publicly known or being exploited at this time.  To exploit it, an attacker would have to convince a user to open a specially crafted JPEG file in Microsoft Paint; on an unpatched system, this would lead to remote code execution.

MS10-008 is the cumulative update for ActiveX kill bits.  Microsoft releases this bulletin every few months to add entries to the kill-bit list; a kill bit simply tells Internet Explorer never to load the control with that CLSID.  This patch will prevent the following ActiveX controls from running on a system:  Symantec WinFax Pro 10.3, Google Desktop Gadget v5.8, Facebook Photo Update 5.5.8 and PandaActiveScan Installer 2.0.
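
What a kill bit actually is, shown as an added example that is not part of the bulletin or the original post: Internet Explorer checks for a "Compatibility Flags" DWORD under the control’s CLSID beneath HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, and refuses to instantiate the control if bit 0x400 is set.  The PowerShell below reads and sets that flag for an arbitrary CLSID, which is also how you would kill-bit a control of your own choosing ahead of a vendor patch.  It assumes an elevated prompt; the CLSID at the bottom is a made-up placeholder, not one of the controls MS10-008 covers.  On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of the key, hence the -Wow6432 switch.

```powershell
# Added example, not from the bulletin or the original post. Shows the mechanism MS10-008
# relies on: a kill bit is the 0x400 flag in the "Compatibility Flags" DWORD stored under
# the control's CLSID below HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility.
# Internet Explorer refuses to instantiate any control whose CLSID carries that flag.
# Assumptions: run elevated; on 64-bit Windows the 32-bit IE reads the Wow6432Node copy
# of the key, so repeat the call with -Wow6432 there. The CLSID used below is a placeholder.
$KillBitFlag = 0x400

function Get-CompatKey {
    param([string]$Clsid, [switch]$Wow6432)
    $root = 'HKLM:\SOFTWARE'
    if ($Wow6432) { $root = 'HKLM:\SOFTWARE\Wow6432Node' }
    return Join-Path $root "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid, [switch]$Wow6432)
    $key = Get-CompatKey -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid, [switch]$Wow6432)
    $key = Get-CompatKey -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the flag in so any other compatibility bits already set are preserved
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord `
        -Value ($current -bor $KillBitFlag)
}

# Placeholder CLSID (constructed); substitute the CLSID of the control you want to block
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-KillBit -Clsid $clsid
"Kill bit set for ${clsid}: $(Test-KillBit -Clsid $clsid)"
```

Test-KillBit is also a quick way to audit that a kill-bit bulletin such as MS10-008 has actually landed on a machine, given the CLSIDs from the bulletin.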

MS10-009 affects TCP/IP on Windows Vista and 2008.  This bulletin addresses 4 vulnerabilities that are not publicly known or being exploited at this time.  The vulnerabilities specifically affect the IPv6 stack: an attacker who sends a specially crafted ICMPv6 packet to an unpatched system could gain remote code execution.  IPv6 is enabled by default on Windows Vista and Windows 2008, so the exposure is there even if you have not deployed IPv6.  You can mitigate some of the risk by turning on the Windows Firewall and blocking inbound ICMPv6.
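
The firewall mitigation above, as an added example that is not part of the bulletin or the original post: the PowerShell below drives netsh advfirewall on Vista/2008 to add an inbound rule blocking ICMPv6, reads it back, and can remove it again once MS10-009 is deployed.  It assumes an elevated prompt with the Windows Firewall service running, and uses a rule name without spaces so it can be handed to netsh without quoting.  The caveat a practitioner needs: IPv6 Neighbor Discovery and router discovery run over ICMPv6 (types 133 through 137), so blocking all of it cuts IPv6 connectivity on that host.  If you rely on IPv6, pass -Type with a single ICMPv6 type number (for instance 134, Router Advertisement) instead of the default "any".

```powershell
# Added example, not from the bulletin or the original post. Adds (or removes) an inbound
# Windows Firewall rule on Vista/2008 that blocks ICMPv6 and reads the rule back.
# Caveat: IPv6 Neighbor Discovery uses ICMPv6 types 133-137, so blocking all ICMPv6
# disables IPv6 on the host; use -Type to limit the rule to one type if you rely on IPv6.
# Assumptions: elevated prompt, Windows Firewall service running, rule name without spaces.
function Set-Icmpv6BlockRule {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Add','Remove')][string]$Action,
        [string]$Type = 'any',                        # ICMPv6 type number or 'any'
        [string]$RuleName = 'MS10-009_Block_Inbound_ICMPv6'
    )
    # netsh protocol syntax is "icmpv6" for every type or "icmpv6:<type>,<code>"
    if ($Type -eq 'any') { $protocol = 'icmpv6' } else { $protocol = "icmpv6:$Type,any" }

    if ($Action -eq 'Add') {
        & netsh advfirewall firewall add rule name=$RuleName dir=in action=block `
            protocol=$protocol remoteip=any profile=any | Out-Null
    } else {
        & netsh advfirewall firewall delete rule name=$RuleName | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh $Action failed with exit code $LASTEXITCODE" }

    # Read the rule back; after Remove netsh reports no match, which is the expected state
    & netsh advfirewall firewall show rule name=$RuleName
}

# Apply the blanket block now. Narrow it with e.g. -Type 134 if IPv6 is in use, and run
# "Set-Icmpv6BlockRule -Action Remove" once MS10-009 is deployed and the rule is no longer needed.
Set-Icmpv6BlockRule -Action Add
```

As with the Help-system workaround in the 981169 advisory, the rule is a stopgap: keep a note of where it was applied so it is removed when the patch goes out rather than lingering and confusing the next IPv6 troubleshooting session.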

MS10-010 affects Hyper-V on Windows 2008.  It fixes one vulnerability that is not publicly known or being exploited at this time.  To exploit it, an attacker must have valid logon credentials on the target machine.  A successful attack would cause a denial of service on the Windows 2008 system, forcing a system restart.

MS10-011 affects the Windows Client/Server Run-time Subsystem (CSRSS) on Windows 2000, XP and 2003.  The one vulnerability addressed by this bulletin is not publicly known or being exploited at this time.  As with MS10-010, an attacker must have valid logon credentials to exploit it; if successful, the attacker could gain elevated privileges on the target system.

MS10-012 affects SMB on all supported operating systems.  This bulletin addresses four more vulnerabilities in SMB, one of which is publicly known, although none of the four is being exploited at this time.  The publicly known vulnerability could be used for a denial-of-service attack in which an attacker sends a specially crafted SMB packet to a target system.  Domain controllers are the most at risk from this type of attack.

MS10-014 affects Kerberos on Windows 2000, 2003 and 2008.  This bulletin addresses one vulnerability that is not publicly known at this time.  An attacker could send a specially crafted ticket request to a domain controller, after which the domain controller would no longer be able to issue new tickets: a denial of service.  Clients that already hold tickets would continue to operate normally.

MS10-015 affects the Windows kernel on all supported operating systems except Windows 7 x64 and Windows 2008 R2.  This bulletin addresses 2 vulnerabilities, one of which is publicly known but not being exploited at this time.  To carry out an attack, an attacker must log on as an authenticated user and run a specially crafted program; the result is elevation of privilege, allowing the attacker to install programs or take complete control of the system.  This bulletin contains the fix for Security Advisory 979682.

Microsoft has also released a new security advisory, 977377.  In the last couple of months, Microsoft has been releasing new security advisories on Patch Tuesday.  Each new security advisory should be reviewed and its workarounds applied where necessary.

It is important to watch for items other than security bulletins.  We can all get into a cadence of immediately working on the known security bulletins starting at noon CST on Patch Tuesday, but other items can come up on Patch Tuesday as well.

- Jason Miller


February Patch Tuesday Advanced Notification

Microsoft announced its February Patch Tuesday advanced notification yesterday.  As expected, this Patch Tuesday is going to be quite large: Microsoft is planning to release 13 security bulletins.

Bulletin breakdown:

  • 11 bulletins apply to the Windows operating system
  • 2 bulletins apply to Office (Office and PowerPoint)
  • 5 bulletins are rated as Critical
  • 7 bulletins are rated as Important
  • 1 bulletin is rated as Moderate
  • All operating systems are affected

The sheer number of bulletins may take people by surprise.  In October 2009, Microsoft released the same number of bulletins in a single release, but compared with October, this month should not be as bad for administrators: all of this month’s bulletins affect common components that can be pushed out in a blanket patching cycle.

In October, by contrast, the bulletins affected a far wider range of products:

  • Operating systems
  • .NET
  • Windows Media Player
  • SQL Server
  • Silverlight
  • Visual Studio
  • Visual FoxPro
  • Report Viewer
  • Forefront Client Security

Microsoft will address one security advisory during this patch cycle: Security Advisory 979682 will be retired, as one of the bulletins patches its vulnerability.  Security Advisories 977544 and 980088 will remain active, as Microsoft will not be providing patches for those vulnerabilities this month.  Administrators should review those advisories and put safeguards in place where necessary.  Microsoft states that it has not been made aware of any active exploits of those two vulnerabilities.

In this patch cycle you should look at patching iTunes as well.  Apple released a new version of iTunes earlier this week that fixes security vulnerabilities on your iPhone.

As with any patch day, be on the lookout for other vendors releasing patches on Tuesday.  It is not uncommon for Mozilla or other companies to release security bulletins the same day.

More to come Tuesday when the bulletin details are released.

- Jason Miller


New Microsoft Security Advisory Announced (KB980088)

Microsoft has just announced another new security advisory for Internet Explorer.  To exploit this zero-day vulnerability, an attacker would need to get a user to visit a malicious website.  The title of the advisory states that the vulnerability could allow information disclosure.  Microsoft reports that there are no active attacks against this vulnerability.

Microsoft has listed numerous workarounds to help mitigate the risk of attack.  If you choose to apply any of them, test each workaround thoroughly in your environment to ensure your applications still function.

Tomorrow is the February advanced notification for Patch Tuesday.  We will have to see whether this is addressed in this month’s Patch Tuesday; I highly doubt it will be, as the window between the announcement and a patch release is very small.

- Jason Miller


Out-of-band January Patch Day Number 2

Microsoft has gone out-of-band from its normal release cycle for a critical security bulletin.  The bulletin addresses the zero-day vulnerability described in Security Advisory KB979352.

The last time Microsoft went out-of-band for a security bulletin was last July, with a bulletin that addressed a vulnerability in the ATL library.  Unlike the July out-of-band release, this bulletin fixes a zero-day vulnerability that is currently being exploited.

This bulletin, MS10-002, applies to all supported versions of Internet Explorer on all supported operating systems.

Only 1 of the 8 vulnerabilities has been publicly disclosed and is currently being used in targeted attacks.  The other 7 vulnerabilities addressed by this bulletin are not publicly known and are not being used in attacks.

It is important to note that this is a cumulative update for Internet Explorer, so multiple vulnerabilities are addressed by this bulletin.  As with any patch, administrators should test it to ensure the fixes do not break functionality in Internet Explorer.  In the case of this patch, though, administrators should deploy it immediately to all servers and workstations, as exploit code has been published for the one publicly known vulnerability.

Microsoft typically releases a cumulative Internet Explorer update every other month, and February’s patch day would have marked the usual slot for the next one.  Microsoft rolled the fix for the publicly known exploit into the cumulative update and released it early.

- Jason Miller


MS Out-Of-Band Bulletin Release Date Announced

Microsoft has just updated its advanced notification page for January 2010.  It will be releasing an out-of-band patch for the Internet Explorer zero-day exploit tomorrow, January 21.

More information can be found here.

They have also updated the Security Advisory with more details and clarification around the vulnerability.

- Jason Miller
