Third-Party Patch Add-on for SCCM: Enhance or Invest?

Your company has made the decision to use Microsoft System Center as your systems management solution. You have spent months and precious dollars getting all of the moving parts to work together. Congratulations, you are now a fearless SCCM user!

Now it’s working well for most things, but one question keeps nagging at you: “What about third-party application patching?”

Microsoft pulls MS14-045 and recommends uninstall if you have already deployed

Late last week Microsoft revised MS14-045, removing links from the Download Center for security update 2982791. Microsoft updated KB 2982791 to document three verified known issues, which led Microsoft to pull the download links for the update and recommend uninstalling four specific KBs. The worst of these issues is a possible blue screen. If you have installed any of the four updates, Microsoft recommends uninstalling them and waiting for a re-release of the updates.

  • KB2982791
  • KB2970228
  • KB2975719
  • KB2975331

Shavlik recommends that all Shavlik Protect customers uninstall the updates and also go into the Patch View in Shavlik Protect and search for MS14-045. Select all variations of MS14-045, right-click, and delete them. This ensures that the version of the patch with the known issues is removed from the console.

Customers with Distribution Servers should also take steps to delete the patches from the distribution servers in their environment. You can right-click in the Patch View and open the column chooser. Drag the Download File Name column into the Patch View grid so that you can see the file names of the patches. Find and remove these files from the distribution servers in your environment.
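One way to find which machines still have any of the four withdrawn updates listed above, as an added example that is not part of the original post or of Shavlik Protect. It assumes PowerShell 3.0 or later; the function names `Get-WithdrawnUpdate` and `Get-UninstallCommand` are hypothetical, and the script only prints the `wusa.exe` uninstall commands rather than running them.

```powershell
# Added example. The KB numbers come from the post; everything else is an assumption.
$WithdrawnKBs = 'KB2982791', 'KB2970228', 'KB2975719', 'KB2975331'

function Get-WithdrawnUpdate {
    param(
        # Hypothetical parameter: defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        try {
            # List every installed hotfix and filter client-side, so a KB that
            # is not installed does not raise a "cannot find hotfix" error.
            $found = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $WithdrawnKBs -contains $_.HotFixID }
            [pscustomobject]@{
                ComputerName = $computer
                Reachable    = $true
                InstalledKBs = @($found | ForEach-Object { $_.HotFixID })
            }
        }
        catch {
            # An unreachable host is reported, not silently treated as clean.
            [pscustomobject]@{
                ComputerName = $computer
                Reachable    = $false
                InstalledKBs = @()
            }
        }
    }
}

function Get-UninstallCommand {
    param([string[]]$InstalledKBs)
    # wusa.exe takes the bare number; /norestart leaves the reboot to the admin.
    foreach ($kb in $InstalledKBs) {
        'wusa.exe /uninstall /kb:{0} /quiet /norestart' -f ($kb -replace '^KB', '')
    }
}

$report = Get-WithdrawnUpdate
$report | Format-Table ComputerName, Reachable,
    @{ Name = 'InstalledKBs'; Expression = { $_.InstalledKBs -join ', ' } }

# Print, but do not run, the uninstall command for each affected update.
$report | Where-Object { $_.InstalledKBs.Count -gt 0 } |
    ForEach-Object { Get-UninstallCommand -InstalledKBs $_.InstalledKBs }
```

Hosts reported with `Reachable = $false` need a separate check before they are considered unaffected.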

Blue Screen (Stop 0x50) after applying update KB2982791 to Windows 7

Reports have started popping up regarding a Blue Screen of Death (BSOD) after applying MS14-045 to Windows 7 systems. If you are seeing issues, please go to this Microsoft forum post and let them know. Microsoft MVP Susan Bradley and others have started a support case with Microsoft and are asking anyone else who sees these issues to let them know, so they can collect all possible information in one place and help Microsoft quickly find and resolve this issue.

All is not doom and gloom, however. Many members of PatchManagement.org (a mailing list focused on patch management issues) have reported successful deployment of these updates. The Shavlik Content Team did not encounter the BSOD during our Patch Tuesday testing. LANDESK and Shavlik employees have not reported issues either. I personally deployed 11 updates including MS14-045 (KB2976897 and KB2982791) to my own Windows 7 x64 system on Wednesday morning without issue. So, while this is not an epidemic affecting all deployments of the Kernel-Mode Driver patch, it should prompt Admins to take a little extra time to test if possible.

August Patch Tuesday Advanced Notification

We have a big Patch Tuesday this month. Microsoft started by announcing 8 updates and slipped in a 9th later in the week last week. That is just the beginning. As of this morning we have updates from Opera, Picasa, Adobe Acrobat, Reader, Flash 13 and 14, and AIR, with likely appearances by Chrome (high likelihood) and possibly Firefox (a beta has been out for some time and is likely to release soon). A couple of things to look out for: there is a Critical IE update, which is likely the continuation of resolving a large number of memory corruption issues, starting with the June IE update resolving around 60 vulnerabilities and continuing in July with an update resolving about half that many. There is a SQL patch this month which will need some attention in testing, and there is also a .Net patch resolving a Security Feature Bypass.

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 7 bulletins are rated as Important.

Vulnerability Impact:

  • 3 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 4 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 2 bulletins address vulnerabilities that could lead to Security Feature Bypass.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions
  • Microsoft SQL Server
  • .Net Framework

Join us as we review the Microsoft and third-party releases for August Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, August 12th at 11 a.m. CDT.  We will also discuss other product and patch releases since the July Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Internet of Things Makes Patch Management Unruly

When installing my new television the other day, I found that I had to install a new network switch in my multimedia cabinet. It turns out that the new TV had a place to plug in a network cable and, being naturally curious, I wanted to find out what I got when I plugged the television into a home network. It turns out I get the same things that I already have on my DVD player, my TiVo, my AppleTV, my receiver, and my Windows Media PC.

OK, you got me.  I’m a nerd when it comes to my entertainment center.  Who else needs a 6-port switch for their entertainment center?  I know wireless exists, but Gigabit Ethernet is the way to go for streaming content from my other Windows computers and from the Internet.  All of this is very cool and very geeky. Gartner describes this as the Internet of things.

The other day my DVD player graciously reminded me that its software was out of date and needed a firmware upgrade. It took about 20 minutes before I could watch a DVD, frustrating me and the kids waiting to watch the movie. The TiVo just updated overnight. The Windows Media Center updates what seems like just about every time I use it, and the AppleTV mysteriously has new icons for me to play with every time I switch over to it. Who’s tracking all these updates? I’m hoping they give me new features but, more importantly, I’m hoping they keep me secure.

Take this to the next level. My buddy has connected all his lights, thermostat, home security, doggy door, and who knows what else to the Internet. It’s gotten to a point that home thieves don’t need to know how to break glass or work a lock; they need to know how to hack your home security.

With all of these devices connected to the Internet, how secure are you? HP investigated the companies who create these products, which include intelligent appliances, garage door openers, sprinkler controllers, remote power outlets, etc., and found them to be lacking some basic security measures. The problems include plain text communication, storing passwords that were easy to hack, and storing unencrypted personal data. Do you know if your name, address, or even credit card information is stored on your garage door opener?

On the bright side, these vendors are coming up with clever ways to at least update these devices from the Cloud, sending down new firmware to fix security issues.  However, how do you know if you have the latest software on these devices?  How do you know if your personal information is encrypted and your data safe?

What if you are a business and you have some of these devices in the workplace? Is it IT’s responsibility to secure these devices? This poses the question, “Who is responsible for securing and updating the Internet of Things?”

Share with me your thoughts on what IT is doing to prepare for the Internet of Things. What are some of the ways patch management will change in the future?

The Communicators Corner: Demystifying Distribution Servers

This is the first of many “meat and potatoes” blog articles that I will be writing throughout the course of this year. In this article, I am going to talk about one of the most useful, but also one of the most underused and misunderstood, features in Shavlik Protect – distribution servers.

Most of you are familiar with Shavlik Protect and love it for how it simplifies your patch, threat and power management activities. But you may not be familiar with distribution servers, or you may be reluctant to use them because they don’t seem simple to implement. While it’s true that distribution servers add a level of complexity to your administration activities, in many cases they are well worth the effort for the value that they add.

Integrating with 3rd Party Components: Why Java is still not being updated in your environment.

With the Oracle CPU fresh in our minds, I thought this would be a good time to discuss a well-known issue for IT Admins around the world: updating Java only to find it breaks something in your users’ environment. More importantly, updating Java only to find that a mission-critical app is broken. Java is running everywhere. It is one of the most popular development languages and responsible for a significant chunk of cool web development that has occurred over the past decade. The Java Runtime Environment (JRE), which renders all of the awesomeness that is Java, quickly turned into the bane of many an IT Department.

According to Cisco’s 2014 Annual Security Report, Java was involved in 91% of web exploits, and the majority of those exploits were for versions of Java that were outdated and vulnerabilities that the vendor had already plugged. That is a pretty staggering number and makes one wonder why you would choose to utilize a product that relies on Java. So where does the fault lie? Are Oracle and, prior to them, Sun to blame for the vulnerability of their development toolkit? To a point, yes, you can say they are responsible, but they also resolve MOST of the known vulnerabilities that are identified in a timely manner (and have improved significantly over time). There is still a bit more blame to go around, however.

You can google ‘java upgrade issues,’ and you will find ample evidence as to why an IT Admin would be a little gun-shy around a Java update. Firefox, NetScaler, printing issues, and especially Minecraft (heaven forbid!) can all be found in the first page of recent Java upgrade issues. Others that typically occur involve the back office applications that make the business run. ERP solutions or other critical apps that help you ship product, process orders, etc., could all rely on Java. Break those and you may be talking about an RGE (Resume Generating Event). So, no one party really is to blame here. We have Oracle trying to resolve vulnerabilities in a timely manner and improving on that front. How about the vendors and the companies who are running Java? You may need to evaluate a little closer to home and see why you are not upgrading.

Ask your vendors:

  • Does the latest version of their product support the most recent Java updates?
  • Do they support updating Java as new versions are released?
  • How do they communicate whether the latest Java update will be compatible with the version you are running?

Ask yourself:

  • Are we running the latest version of the vendor’s software?
  • What are the limitations to upgrading?  Customization that would not be supported if you upgrade, cost of upgrading, etc.
  • What is your exposure by not upgrading?

The IT world is full of exceptions to the rule.  For every exception there is some risk.  Have you evaluated that risk and have you mitigated your exposure?

Things you can evaluate if you know you have a dependency on an outdated version of Java:

  • Are only required users able to access the outdated versions of Java?
  • Can the privilege level of the users who need to run on the at-risk machine be reduced to mitigate exposure if certain vulnerabilities are exploited?
  • Are the machines running Java able to be virtualized and segmented from parts of the network that have direct Internet access?
  • Can you lock down the machine in question so that it allows access only to the one application Java is needed for, with all other web browsing, email, etc. locked down?

July Patch Day Round-Up

Oracle has released their quarterly Critical Patch Update. There is a long list of products with updates coming, and at the top of that list from a severity standpoint is Java. With a CVSS base score of 10.0 on some of the vulnerabilities, the 20 new security fixes for Java SE are definitely in need of some immediate attention. All 20 of the vulnerabilities in Java could be remotely exploited without authentication. This means they are exploitable over a network without the need for a username and password.

Oracle Database server may only have 5 vulnerabilities being resolved, but one or more of those have a CVSS base score of 9.0. Several other products like Fusion, Virtualization, and Retail Applications have CVSS base scores of 7.5, and the rest start to fall steadily from there, but one fairly common theme is that the vulnerabilities are remotely exploitable without the need for authentication. Companies running a lot of Oracle software should take some time on Tuesday and review what solutions they have and where they are to see if immediate action is necessary. Again, for Java, the urgency is going to be far greater. If you don’t have a breaking dependency on a specific version, it would be a good idea to roll out ASAP.

With Oracle’s CPU today, Java should be added to the top of the priorities list this month. Three updates in particular should be considered a top priority as you are conducting your monthly maintenance: Flash Player, the IE Cumulative Update, and Oracle Java. The July Patch Tuesday update to IE, which resolves 23 memory corruption vulnerabilities, one of which was publicly disclosed, appears to be a continuation of the very large IE Cumulative update from June, which had over 50 fixes to memory corruption vulnerabilities. The Adobe Flash Player update resolves three vulnerabilities that allow an attacker to bypass security features. Adobe Flash has had a critical release every month in 2014, and on Patch Tuesday for six of seven months. It is looking to be a permanent fixture for IT Admins to prioritize each month. If you haven’t been keeping it up to date, there is ample cause to do so.

July Patch Tuesday Advanced Notification

Microsoft has announced this month’s Patch Tuesday release. It looks pretty clean at first glance: IE with a lot of OS patches and likely nothing all that complex. The one thing to watch for will be the possibility of more dependencies. For those running Windows 8.1 or Server 2012 R2, make sure you are prioritizing the rollout of Update 1. Next month is the cutoff after Microsoft extended the Update 1 requirement for continued patch support on those platforms. There are 6 total patches expected to be released on Tuesday, July 8th. Here is the breakdown for this month:

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 3 bulletins are rated as Important.
  • 1 bulletin is rated as Moderate.

Vulnerability Impact:

  • 2 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 3 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability that could lead to Denial of Service.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions

Join us as we review the Microsoft and third-party releases for June Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, July 9th at 11 a.m. CDT.  We will also discuss other product and patch releases since the May Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Welcome to the World of Shavlik Product Documentation

Joe Andert

Hi everyone, and welcome to my corner of the world at Shavlik. For those who don’t know me, I am a technical communicator at Shavlik and I’ve been providing documentation for Shavlik products for more years than I care to admit. I’ve been with the company for all these years because the people and the products are simply the best!

When I was offered the opportunity to write a series of blog articles, I jumped at the chance. I am not in marketing so I won’t be writing flowery prose about our products. Rather, I would like to use this forum to provide some real meat and potatoes material, information you can use right now to improve the way you use our wonderful products. Sort of like those “The More You Know” public service announcements you see on TV.