Integrating with 3rd Party Components: Why Java is still not being updated in your environment.

With the Oracle CPU fresh in our minds I thought this would be a good time to discuss a well-known issue for IT Admins around the world;  updating Java only to find it breaks something in your users environment.  More importantly updating Java only to find that a mission critical app is broken.  Java is running everywhere.  It is one of the most popular development languages and responsible for a significant chunk of cool web development that has occurred over the past decade.  The Jave Runtime Environment (JRE), which renders all of the awesomeness that is Java, quickly turned into the bane of many an IT Department.

According to Cisco’s 2014 Annual Security Report, Java was involved in 91% of web exploits and the majority of those exploits were for versions of Java that were outdated and vulnerabilities that the vendor had already plugged.  That is a pretty staggering number and The Java Logomakes one wonder why you would choose to utilize a product that relies on Java.  So where does the fault lay?  Is it Oracle and prior to them, Sun to blame for the vulnerability of their development toolkit?  To a point, yes, you can say they are responsible, but they also resolve MOST of the known vulnerabilities that are identified in a timely manner (and have improved significantly over time).  There is still a bit more blame to go around however.

You can google ‘java upgrade issues,’ and you will find ample evidence as to why an IT Admin would be a little gun shy around a Java update.  FireFox, Netscaler, printing issues, and especially Minecraft (heaven forbid!) can all be found in the first page of recent Java upgrade issues.  Some others that typically occur are those back office applications that make the business run.  ERP solutions or other critical apps that help you ship product, process orders, etc., could all rely on Java.  Break those and you may be talking about an RGE (Resume Generating Event).   So, no one party really is to blame here.  We have Oracle trying to resolve vulnerabilities in a timely manner and improving on that front.   How about the vendors and the companies who are running Java?  You may need to evaluate a little closer to home and see why you are not upgrading.

Ask your venders:

  • If the latest version of their product supports the most recent Java updates?
  • Do they support updating Java as new versions are released?
  • How do they communicate whether the latest Java update will be compatible with the version you are running?

Ask yourself:

  • Are we running the latest version of the vendors software?
  • What are the limitations to upgrading?  Customization that would not be supported if you upgrade, cost of upgrading, etc.
  • What is your exposure by not upgrading?

The IT world is full of exceptions to the rule.  For every exception there is some risk.  Have you evaluated that risk and have you mitigated your exposure?

Things you can evaluate if you know you have a dependency on an outdated version of Java:

  • Are only required users able to access the outdated versions of Java?
  • Can the privilege level of the users who need to run on the at risk machine be reduced to mitigate exposure if certain vulnerabilities are exploited?
  • Are the machines running Java able to be virtualized and segmented from parts of the network that have direct Internet access?
  • Can you lock down the machine in question to only allow access to the one application Java is needed for and all other web browsing, email, etc.  be locked down?

 

July Patch Day Round-Up

PatchWithoutBorderOracle has released their quarterly Critical Patch Update.  There is a long list of products with updates coming and at the top of that list from a severity standpoint is Java.  With a CVSS base score of 10.0 on some of the vulnerabilities, the 20 new security fixes for Java SE are definitely in need of some immediate attention.  All 20 of the vulnerabilities in Java could be remotely exploited without authentication.  This means exploitable over a network without the need for a username and password.

Oracle Database server may only have 5 vulnerabilities being resolved, but one or more of those have a CVSS base score of 9.0.  Several other products like Fusion, Virtualization, and Retail Applications have CVSS base scores of 7.5 and the rest start to fall steadily from there, but one fairly common theme is the remotely executable without the need for authentication.  Companies running a lot of Oracle software should take some time on Tuesday and review what solutions they have and where they are to see if immediate action is necessary.  Again, for Java, the urgency is going to be far greater.  If you don’t have a breaking dependency on a specific version it would be a good idea to roll out ASAP.

With Oracle’s CPU today Java should be added to the top of the priorities list this month.   Three updates in particular should be considered a top priority as you are conducting your monthly maintenance.  Flash Player, the IE Cumulative Update, and Oracle Java.  The July Patch Tuesday update to IE to resolve 23 memory corruption vulnerabilities, one of which was publicly disclosed, appears to be a continuation of the very large IE Cumulative update from June which had over 50 fixes to memory corruption vulnerabilities.  The Adobe Flash player update resolves three vulnerabilities that allow an attacker to bypass security features.  Adobe Flash has had critical release every month in 2014, and on Patch Tuesday for six of seven months.  It is looking to be a permanent fixture for IT Admins to prioritize each month.  If you haven’t been keeping it up to date, there is ample cause to do so.

July Patch Tuesday Advanced Notification

PatchWithoutBorder

Microsoft has announced this month’s Patch Tuesday release.  It looks pretty clean at first glance.  IE with a lot of OS patches and likely nothing all that complex.  The one thing to watch for will be the possibilities of more dependencies.  For those running Windows 8.1 or Server 2012 R2, make sure you are prioritizing Update 1 to be rolled out.  Next month is the cut off after Microsoft extended the Update 1 required for continued patch support on those platforms. There are 6 total patches expected to be released on Tuesday, July 8th. Here is the breakdown for this month:

 

Security Bulletins:

  • 2 bulletins are rated as Critical.
  • 3 bulletins are rated as Important.
  • 1 bulletin is rated as Moderate.

Vulnerability Impact:

  • 2 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 3 bulletins address vulnerabilities that could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability that could lead to Denial of Service.

Affected Products:

  • All supported Windows operating systems
  • All supported Internet Explorer versions

Join us as we review the Microsoft and third-party releases for June Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, July 9th at 11 a.m. CDT.  We will also discuss other product and patch releases since the May Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Welcome to the World of Shavlik Product Documentation

Joe Andert

Joe Andert

Hi everyone, and welcome to my corner of the world at Shavlik. For those who don’t know me, I am a technical communicator at Shavlik and I’ve been providing documentation for Shavlik products for more years than I care to admit. I’ve been with the company for all these years because the people and the products are simply the best!

When I was offered the opportunity to write a series of blog articles, I jumped at the chance. I am not in marketing so I won’t be writing flowery prose about our products. Rather, I would like to use this forum to provide some real meat and potatoes material, information you can use right now to improve the way you use our wonderful products. Sort of like those “The More You Know” public service announcements you see on TV. Continue reading

What We Learned from Microsoft System Center Configuration Manager Users

I’ve worked in the systems management arena for some time now.  Working with disgruntled Microsoft System Center Configuration Manager (SCCM) customers for most of my career, we had some assumptions going Customer Serviceinto this research.  Fortunately, the data proved us wrong.  After doing a survey of 150 IT professionals, we found some surprising (or maybe not surprising to you) finds about ConfigMgr.

1)    Configuration Manager customers actually like Configuration Manager.  Weird.  We were under the impression that many people picked SCCM because of politics or it was included in their Enterprise Agreement.  This is not the case.  In Shavlik’s study 72% of SCCM customers chose SCCM because it was the best fit.

2)    SCCM customers would like Configuration Manager to be the central hub of IT activity.  But surprisingly, 27% of SCCM customers currently use add-ins to solve problems not solved by Microsoft.  This means that either they are unaware of some of the gaps or they are solving these problems by using additional tools not integrated in SCCM.

3)    Third-party patch management was reported surprisingly high as a missing feature of SCCM – 38% of respondents selected third-party patching as a high priority. This is a great case for Shavlik Patch for Microsoft System Center an add-in solution that takes care of the third-party patching problem.  Even though Microsoft is the master of OS patching, they fall short on third-party patching and tend to leave these “treadmill”-type activities to the other vendors

Respondents expectations for a Microsoft System Center Configuration Manager add-in

Respondents expectations for a Microsoft System Center Configuration Manager add-in

4)    SCCM admins don’t want additional crap in their infrastructure.  Setting up SCCM was difficult enough.  Adding more databases, interfaces, and potentially servers and infrastructure does not constitute an “add-in” product.  Add-ins should use the native functionality of SCCM with either no additional or light additional components that are leverage the existing infrastructure and software.

If you are an SCCM admin or have experience with SCCM in your IT career, please respond to this Blog and tell me what you like/dislike about SCCM.

Protecting my Mom – Part 3 – How Easy is it to Get Hacked?

Keeping our moms safe can be a daunting task.

Keeping our moms safe can be a daunting task.

In our first installment of “Protecting my Mom” we discussed some phone phishing attack that I was targeted for. This was followed by our second part where I found myself being attacked over a Wi-Fi network that was setup for the express purposes of compromising machines that roamed onto it. In this final installment, we take on the role of an attacker and are reminded of how easy it is to be hacked.

My challenge to myself was simple,  how fast could I target a machine and compromise it using off the shelf tools. My goal: 5 minutes from start to finish. How much time did I need? The stopwatch showed a mere 2 minutes and 13 seconds. Scared yet?  — After doing that I was. After being the target of a hack twice in the span of less than a week, I decided to go from being the “prey” to being the “hunter.” How hard is it to be hacked? And if I was hacked, how long does it take me to start grabbing data that I could use? Don’t worry, I’m doing this as a bit of a test and I’m using my own Virtual Machines, so I’m not turning my abilities on any other person, it’s more of a challenge to see how hard it is. Continue reading

Did you know … ?

Did you know?

Did you know?

Here it is my turn to contribute to the Shavlik blog, and I am stricken with “bloggers’ block.” As I try to think of insightful things to say, (those who know me know I rarely say insightful things), nothing comes to mind but questions.

So in the spirit of acceptance of things that can’t be changed, let’s just go with the questions gig.

Did you know…?

  • Shavlik is hosting two webinars this week. “Getting Started with Shavlik Patch” will help new or trial users of Shavlik Patch get up and running and optimize their third-party patching process within SCCM. “Simplified Third-Party Patching for Microsoft System Center” will explain how Shavlik can help you select and deploy third-party patches all from within SCCM. Getting Started with Shavlik Patch
    Wednesday, June 18, 2014 10:00am CDT
    Register Now
  • Continue reading

Protecting my Mom – Part 2 – Wi-Fi in the Wild

In the first installment of “Protecting my Mom,” we discussed some phone phishing attacks that I was targeted for. What was a truly believable attack that would have been successful if it had targeted someone that wasn’t so computer-savvy. In this second part, we discuss a real-life attack that occurred to me at the Minneapolis/St. Paul airport while I was preparing for a flight.

Access DeniedWe’ve all been there, right?  With all the technology we have grown accustomed to in life some have theorized, either jokingly or seriously that Maslow’s hierarchy of needs should be reviewed to include a layer below Physiological needs (“Breathing, Water, Sleep…”) called “Connectivity,” which includes Wi-Fi, Ethernet, Web Browser and a terminal of some sort. In those desperate times where you are away from you home, or in a public place, you scour for available Wi-Fi.  Through my years, I’ve connected to countless networks… in fact, I just looked at my list of Wi-Fi networks that I’ve connected to and it’s well over 40. Continue reading

Message to CEOs – You are now responsible for data security

CEOs are now responsible for data security

CEOs: Get your IT house in order

It seems that the Target disaster gets even worse.  In the wake of Target losing their 35-year veteran CEO, the message is clear to CEOs: “You are now responsible for the security of your data!”

In the past companies have simply blamed IT for not having good security practices in place.  If credit card or personal data left the company due to hackers, an IT director or even the CIO would be blamed.  Many companies would shrug their shoulders, scold their IT department, and try to handle the bad press.   It was a disturbing trend. Continue reading