Different vendor perspectives on security and vulnerabilities. Which is right? You decide.


We rely on a lot of software in this highly connected world. We have things such as The Internet of Things, BYOD, Shadow IT. All of these trendy phrases mean we have a lot more riding on the software vendors that provide our connected world, but what are their views on security? By taking a look at some recent press you can start to paint a picture on some of the different perspectives that vendors have on security.

First, let’s take a look at Microsoft. Microsoft has a large following around Patch Tuesday and there is a lot of press and awareness about their security updates. They provide strong recommendations that updates should be applied on a regular basis. Microsoft also has a series of advisories they put out regarding issues that exist when no update has yet to be released. This proactive approach, and open disclosure about the risks to their customers, has been applauded by many, but also brings Microsoft under the gun when things go sour. This year, there have been a few patches that were either pulled or postponed due to quality issues.

For example, a recent Secure Channel (Schannel) update resolved a critical issue that experts say would be an enticing target for hackers. The update, however, has some known issues and has caused problems when applied to some systems. Despite these problems, Microsoft urged the update be applied as soon as possible. This article discusses the update and the impact of the known issues. What is the key take-away from this? That Microsoft prefers full disclosure when it comes to security issues.

Apple, on the other hand, has typically had a very closed-mouth take on security. Updates are typically released without much fanfare. When asked directly about security-related issues, they tend to deny an issue, or play it down, until a fix is available. They tend to lean more towards security by obscurity, or play down issues to be less than they are. While saying less, and preventing as many facts from being released as possible, may prevent some hackers from finding leads to where and what they can exploit, it has brought some scrutiny on Apple.

In this article, Apple addresses the ‘Masque Attack’ and plays it down, saying customers are safe. While Apple’s statement about the risk of exploit coming from third party sources may be true, the majority of exploits on any platform have some form of social engineering involved. The user is the weakest link in many exploits that occur. The Team at FireEye definitely stress a lot more concern than Apple regarding this form of exploit.

A third perspective is the vendor who is providing an application that is used by millions and is quite popular. Many other vendors fall into this category as well. The social media apps that are such an addiction for today’s culture often overlook security. The promises made by these vendors are taken at face value, but are they being met?

Snapchat recently had some issues that were in the news. ‘The Snappening’ was an attack dubbed by 4chan users, which ended up with over 100,000 pictures being captured and shared across the web. This included many questionable photos of a lot of minors. Snapchat has been criticized for misleading users about personal information privacy. The way Snapchat is designed has allowed third party developers to enhance the Snapchat experience, but the design also allowed account information and photos to be stolen. Snapchat’s response? Ban any accounts that utilize a third party app.

So what is the hypothetical result? An account is created by a hacker, the hacker gets x amount of hours exploiting the weaknesses in the Snapchat API, gets some amount of data (account\personal info, pictures), then is banned. The hacker then starts the process over again. They create software to replicate the process of creating an account and going through the process over and over. How well do we think this will play out? Kids, nothing ever really goes away. Conduct yourself in all things on the Internet as if you were standing in front of a crowd. You never know where it may end up.

So we have three perspectives on software security. You can argue the benefits and deficits to each (and there are continuing arguments). Which do you feel is right? Which do you feel is effective? Let us know.



Shavlik in the news- November Patch Tuesday(s)

478641227If you follow patching news, you are well aware that this month was somewhat of an abnormality. As we covered in a previous blog post, this month’s Patch Tuesday was the biggest this year with 16, and only 14 were released on the regular Patch Tuesday. An additional patch was released out-of-band this week and also received quite a bit of attention.

As an authority on Patching, Shavlik is often quoted in the press, and this month was no exception. Our own Chris Goettl was quoted in a variety of outlets, including KrebsOnSecurity, Computerworld, Network World, CIO, CNET, CSO, and internationally at The Register and The Inquirer.

In case you haven’t had a chance to read up on the news yet, here are links to a selection of the articles that include information from Shavlik:

Krebs On Security- Microsoft Releases Emergency Security Update

Krebs On Security- Adobe, Microsoft Issue Critical Security Fixes

CSO- Microsoft patches Kerberos vulnerability with emergency update

Network World- Patch Tuesday: 16 security advisories, 5 critical for Windows

The Register- Microsoft warns of super-sized Patch Tuesday next week

CNET- Microsoft plans big Patch Tuesday this month with 16 bug fixes

Computerworld- Microsoft releases emergency patch to stymie Windows Server attacks

SearchSecurity- Microsoft addresses Kerberos security flaw with critical out-of-band patch

Each month, we review the Microsoft and third-party releases for Patch Tuesday in a webcast, which occurs the day after the announcements are made. Our next webcast is scheduled for Wednesday, December 10 at 11:00am ET/8:00am PT. If you’d like to attend, you can register here. To view our other recent and upcoming webinars, including a recording of this month’s patch Tuesday webcast, you can find that information here.

November Patch Day Round-Up

ShavlikSecurityNovember Patch Tuesday was the biggest this year with 16 announced, but Microsoft only released 14 on Patch Tuesday and today we step up to 15 updates.  As you may recall, two of the updates were not pulled from November, but marked as “Release date to be determined”.  Well today is the day for MS14-068.  Microsoft announced the Critical OS patch this morning.  This update for Kerberos should make its way into your deployment plan if possible.

So if we run down the list of everything that will be touched this month when you patch, here is what will receive updates: All Windows OSs, All versions of IE, MSXML, .NET Framework, IIS (for specific OSs), RDP, Office, Sharepoint, AD Federation Services, and there is still the Exchange patch with a release date TBD.  Aside from Microsoft there is the Adobe Flash update which resolved 18 vulnerabilities and there is an corresponding IE Advisory and Chrome release to update the Flash plugin.

Known issues to look out for:

  • There is an issue with the IE Cumulative and EMET that you will want to watch out for and rising concerns over how bad the Schannel (MS14-066) update really is.

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) – This update is rated Critical by Microsoft and resolves two privately reported vulnerabilities in Windows OLE.  One of the vulnerabilities resolved has been exploited in the wild (CVE-2014-6352) with an exploit known as ‘Sandworm’.  The attack was targeted at NATO PC’s through a specially crafted PowerPoint file.
  • MS14-065: Cumulative Security Update for Internet Explorer (3003057) – This update is rated Critical by Microsoft and resolves 17 vulnerabilities in Internet Explorer.  Many of the vulnerabilities resolved are memory related, continuing a trend we have been seeing since June of this year.  So far there is at least one known issue with this update.  If you are running IE11 and EMET on Windows 7 or 8.1, you will also need to update EMET to version 5.1 which released this month as well.
  • MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) – This update is rated as Critical by Microsoft and resolves one vulnerability.  The issues resolved are being compared to the Heartbleed OpenSSL vulnerability as far as severity of the issue.  Although Microsoft has not received information to indicate this vulnerability has been publicly disclosed, the recommendation is to roll this update out ASAP.  If a worm or mass botnet were developed to exploit this vulnerability the expected could be significant.
  • MS14-067: Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958) – This update is rated as Critical and resolves one privately reported vulnerability in XML Core Services.  An attacker could create specially crafted web content to exploit this vulnerability allowing the execution of code on the system exposed.
  • MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - This update has been rated as Critical by Microsoft.  This update was postponed on Patch Tuesday, but was not pulled from the November release.  Well, it released today.  The vulnerability is in Kerberos and affects all Windows Operating Systems currently under support.  It resolves one privately reported vulnerability in Kerberos KDC, which could allow Elevation of Privilege.  The attacker must have a valid domain user account, but with that user account they can forge a Kerberos ticket that will allow them to claim they are a domain administrator.  From there they can do pretty much what they want from creating accounts to installing software and deleting or changing data.  They will have access to your network as a Domain Administrator.  The update should be worked into your deployment plan this month as the vulnerabilities resolved are severe enough to warrant some urgency.
  • APSB14-24: Security updates available for Adobe Flash Player – This update is a Priority 1 update from Adobe resolving 18 vulnerabilities across many types of attack vectors.  You will have OS and browser updates to completely resolve these vulnerabilities.  This is for Flash on the OS.
  • MSAF-032: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – This Advisory is not rated by Microsoft, but following the Adobe rating of Priority 1, this update is recommend to push as soon as possible.  This update resolve allows Internet Explorer to run the latest Adobe Flash release resolving the 18 vulnerabilities.
  • CHROME-116: Chrome 38.0.2125.122 – This update is not rated by Google as it resolves no known vulnerabilities in Chrome.  This update does provide support for the Adobe Flash release.  Again the severity here should be based on the Priority 1 that Adobe has set and should be rolled out as soon as possible to ensure all parts of Flash are updated preventing any exposure to these risks.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-069: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710) – This update is rated as important and resolves three privately reported vulnerabilities in Microsoft Office.  An attacker could create specially crafted content to exploit these vulnerabilities allowing them to execute remote code.
  • MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) – This update is rated as Important and resolves one privately reported vulnerability in Windows Server 2003 which could allow an attacker to exploit a vulnerability in TCP\IP, which could lead to an Elevation of Privilege attack.
  • MS14-071: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) – This update is rated as important and resolves one privately reported vulnerability in Windows Audio Service, which could allow Elevation of Privilege.
  • MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) – This update is rated as Important and resolves one privately reported vulnerability in .NET Framework which could allow Elevation of Privilege.
  • MS14-073: Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)  - This update is rated as Important and resolves one privately reported vulnerability in SharePoint Foundation, which could allow Elevation of Privilege.
  • MS14-074: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743) –  This update resolves one privately reported vulnerability in Remote Desktop Protocol, which could allow Security Feature Bypass.
  • MS14-075: “Release date to be determined”.  Likely before December Patch Tuesday if MS14-068′s release today is any indication.
  • MS14-076: Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998) – This update resolves a privately reported vulnerability in Internet Information Services, which could allow Security Feature Bypass.
  • MS14-077: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) – This update resolves one privately reported vulnerability in Active Directory Federation Services, which could allow Information Disclosure.

Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):

  • MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (3005210) – This update resolves one privately reported vulnerability in IME Japanese, which could allow for Elevation of Privilege.  The mitigating circumstances reduces the potential risk extensively, but this was discovered in the wild, so it has been publicly disclosed.
  • MS14-079: Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885) –  This update resolves one privately reported vulnerability in Kernel Mode Driver, which could allow a Denial of Service attack.  The steps to exploit this vulnerability would require the attacker to put specially crafted TrueType font on a network share and require a user to navigate to it and open to exploit.  Chances are the attacker would find easier ways to exploit an environment so this is less likely to occur.



Shavlik Patch 2.1 Makes 3rd-Party Patching With SCCM Even Easier

PatchWithoutBorderShavlik is proud to announce today’s release of Shavlik Patch for Microsoft System Center 2.1.

This is the second Shavlik Patch release this year, and it represents yet another quantum leap towards making third-party application patching within SCCM easy.

Shavlik Patch 2.1 focuses on five core areas: setup and configuration, automation, core patching capabilities, ease of use and globalization.

  • Setup and Configuration – Our new configuration checker allows you to verify that your SCCM environment is ready to publish and deploy third-party patches. It’s easy for application versions, credentials, and certificates to get out of sync. No problem; the configuration checker will point you to discrepancies in your environment, so you don’t have to guess where the problem exists.
  • Automation – With Shavlik Patch 2.1, you can create and save filters that allow you to control which applications, which vendors, and which individual updates you publish for a timeframe of your choice. For example, say you want to publish all Adobe updates, Oracle Java and Chrome updates, within the last 30 days. You can now build that filter, view the updates that meet that criteria, and automatically publish them.
  • Core Patch Capabilities – With Shavlik Patch 2.1, we introduce a patch details view that tells you lots of great information about each update. Also, Shavlik Patch now handles superceded patches.
  • Ease of Use – You thought Shavlik Patch 2.0 was easy; well, it just got better. Shavlik Patch 2.1 introduces authenticating proxy support, the ability to run scheduled jobs as a different user, and the ability to choose, hide and reorder columns in the updates view.
  • Globalization – Shavlik Patch is now available in 11 languages. Additionally, you can also view translated versions of our User’s Guide. Hablas Espanol? Great, so does Shavlik Patch.

Now, being the seasoned SCCM admin that you are, you’re probably thinking, “Wow, that’s cool, but I won’t be able to use it for six months because it’ll take that long to get it working in my environment.”

Umm…no. Here’s the directions for upgrading Shavlik Patch from 2.0 to 2.1 (no kidding check out our User’s Guide).

  • Close SCCM
  • Download the latest version of Shavlik Patch from www.shavlik.com/downloads
  • Install the Shavlik Patch exe
  • Open SCCM

That’s it! All of your configuration settings, filters, and registration info will still be there. We don’t mess with anything in your SCCM database. You can be up and running on Shavlik Patch 2.1 in about five minutes.

With today’s release, Shavlik has also announced the end of life for Shavlik Patch 2.0 on December 1, 2015. We encourage all customers to upgrade to 2.1 at your earliest convenience. Pro tip - there’s lots of great stuff in 2.1.

For more information about today’s release, please join us for one of our Shavlik Patch 2.1 release webinars.

If you are using Shavlik Patch today, please join us for this webinar.

Patch Like a Pro! New Shavlik Patch for Microsoft System Center 2.1 | Wednesday, November 18, 2014 10:00 am CST | Register Now

If you are new to Shavlik Patch, please join us for this webinar.

Why Break SCCM? Get Third-Party Application Patching Without Additional Infrastructure | Wednesday, November 13, 2014 10:00 am CST | Register Now

Tune in later this week as I continue to share more insights on the latest release of Shavlik Patch and how this solution sets itself apart from other third-party patch add-on’s for SCCM.

Shavlik Patch 2.1: When a Good Thing Gets Even Better

477569935Have you ever had the experience where a product you like and use on a regular basis gets better? For most of us, it doesn’t happen nearly enough, but when it does it is a very nice surprise. For smartphone users this may happen once a year or so, or every time your favorite vendor releases a new and improved model of your phone. For me, a good example (and this will probably date me) is from years ago when Sony released the PlayStation 2. It was SOOO much better than the PlayStation 1 that I had been using and I was just blown away.

Well, for users of Shavlik Patch 2.0, prepare to be blown away. Shavlik will soon announce the availability of Shavlik Patch 2.1, a new and improved version of our popular add-in to Microsoft’s SCCM that allows you to publish updates for third-party vendors and for legacy Microsoft products. I can’t give you too many details just yet, but in advance of the release, let me pull back the curtain just a bit and give you a sneak peek at some of the many new features in Shavlik Patch 2.1.

  • Improved Configuration Capabilities: No more guessing, crossing your fingers, and hoping that you meet all the implementation requirements. The next release will be able to tell you exactly what is needed in order to get Shavlik Patch up and running in your SCCM environment.
  • Lots of New Functionality: I am really excited about the many new features that will be available in Shavlik Patch 2.1. You will be able to more easily locate updates you want to publish, you will see more information about those updates, and you will have more configuration options if you work in a proxy server environment.
  • Language Support: Shavlik Patch 2.1 will provide support in a couple of different ways for non-English languages. Interested? Stay tuned!

I can’t wait for the official list of new features to become available next week. I know that Shavlik Patch 2.0 users will be blown away, just like I was years ago by the PS2.

For more information, go to www.shavlik.com/webinars and register for these upcoming webinars:

Patch Tuesday Advanced Notification November 2014

Bunker BlogIt looks like this is going to be the biggest month yet for Microsoft, as it has announced 16 bulletins. This is the highest bulletin count we have seen from Microsoft this year. August and May each had nine bulletins. Nothing has come close to this until now for this year. Of the 16 bulletins announced, five are critical.

We can most likely expect bulletin 2 to be a continuation of the IE Critical update trend, which is likely to resolve more than 10 vulnerabilities relating to memory leaks, corruption, etc. This is a trend we have seen since June of this year and we have no reason to not expect this to be the case.

There is still the Security Advisory 3010060 (CVE-2014-6352), released on October 21, regarding the vulnerability in Microsoft OLE, that has not been patched, which was leading to attacks in the wild for Excel and PowerPoint. It is possible that two of the updates could apply to this vulnerability. Bulletin 6 for Office could be resolving part of the vulnerability and likely one of the critical windows patches is resolving the OS level.

Although Microsoft usually staggers its patches, alternating between OS and app updates, it looks like nearly all machines will have at least a few critical updates to apply, including .NET Framework, Office 2007, Exchange and SharePoint. Exchange and SharePoint being in the mix means that there will be a need for some thorough testing before rolling out updates. .NET Framework also is getting an update this month, which usually means a little longer time on the maintenance window as those patches tend to take a little longer than the average OS patch to install.

Microsoft is making bulletins 1, 2, 4, and 5 available for the Windows Technical Preview and Windows Server Technical Preview, which means that Windows 10 and Server Previews will have updates available. It would be a good idea to run this and see how well the patches apply. The updates will be available through Windows Update and Microsoft is encouraging people to apply them.

On the non-Microsoft front, there is a high likelihood for an Adobe Flash update this Patch Tuesday. So far this year, we have seen Flash release on all but one Patch Tuesday. With that, you can expect an IE Advisory to update the plug-in, as well as a Google Chrome release for the same reason.

Microsoft Security Bulletins:

  • 5 bulletins are rated as Critical.
  • 8 bulletins are rated as Important
  • 2 bulletin is rated as Moderate

Vulnerability Impact:

  • 5 bulletins address vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in Security Feature Bypass.
  • 7 bulletins address vulnerabilities which could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability which could lead to Information Disclosure.
  • 1 bulletin addresses a vulnerability which could lead to a Denial of Service attack.

Affected Products:

  • All supported Windows Operating Systems (Including the Technical Previews!)
  • All supported Internet Explorer versions.
  • Microsoft .Net Framework
  • Microsoft Office 2007
  • Microsoft SharePoint Server 2010
  • Microsoft Exchange 2007, 2010, and 2013

Join us as we review the Microsoft and third-party releases for November Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, November 12th at 10 a.m. CDT.  We will also discuss other product and patch releases since the October Patch Tuesday.

You can register for the Patch Tuesday webinar here.

CVE-ID Syntax change coming, urgent Protect update available!

Bunker BlogThere have been an incredibly large number of vulnerabilities this year, which unfortunately is going to cause a syntax change in MITRE’s CVE-ID.   The current syntax will max out at 9,999 vulnerabilities, so the change is to start adding additional digits.  When the CVE count breaks 10,000, MITRE will be adding an extra digit onto the end of their CVE-IDs.  The resulting CVE change will drive a change in how we import content for Shavlik Protect 9.1 and 9.0.

The deadline for the change is January 15, 2015, but due to the high volume of vulnerabilities releasing this year the change in format may be forced upon us early.  We have released an update for Protect 9.1 and are working on the Protect 9.0 update to prevent the format change from causing issues.  The patch will prevent import of new content from failing avoiding an inconvenience to our customers.  Protect 9.1 Patch 2 is available now and the Protect 9.0 Patch 2 will be coming in the next couple of weeks. Although the updates do not include a security fix, this is a critical bug fix that has a ticking timer.

To upgrade you can follow the instructions below based on version of Protect.

Upgrade Protect 9.1 to Patch 2:

Upgrade Protect 9.0 to 9.1 Patch 2 or 9.0 Patch 2:

  • (Recommended) For 9.0 customers you will now see that auto update to 9.1 Patch 2 is enabled in product.  You can click the auto update link in the bottom right corner of Protect when you open it and it will download the full installer upgrading you to Protect 9.1 Patch 2.
  • If you are unable to upgrade to Protect 9.1 at this time we are in the process of releasing a similar fix for Protect 9.0.  This update will be coming in a couple of weeks and can be applied very easily to Protect 9.0.  The change is entirely database schema related so no binaries are updated on Protect 9.0 console.

Please note that if you have not applied Patch 2 for either version, there will be a point in the not too distant future where you may not be able to import new content.  We would like to avoid this as much as you would, so plan for this patch update as soon as possible.


The Shavlik Team

Shavlik Team Enjoys Halloween Celebration

480206651The Shavlik team took some time out today for its annual Halloween celebration. The day started with breakfast treats and moved into a costume contest, pumpkin decorating contest, and finally a group lunch. A good time was had by all (well, except maybe our QA manager).

We hope you all have a wonderful Halloween and avoid being spooked by any security issues.

In the photos below, (top) the Renewals team gets into the Halloween spirit; (2nd) The costume contest finalists; (3rd) Two entries into the pumpkin decorating contest; (4th) The pumpkin carving contest winners (5th); The pumpkin carving contest runners-up; (6th) Two Shavlik team members enjoying lunch.

IMG_2873 IMG_2889 IMG_2892 IMG_2890 IMG_2882



Cloud Security: Thunderbolts and Lightning… very very frightening

469850273I have the pleasure of doing a large volume of phone calls with our customers, consulting with them on various aspects of Information Technology and Information Security.  Recently, a large number of questions have been focused on proper cloud adoption and what goes into cloud security.  With that focus, let’s shed some light onto cloud security and discuss how to evaluate your security posture as it pertains to it.

First off, when you are choosing cloud, you really are taking on two different security postures and positions.  Those are:

  • Your Security:  Since your network is accessing a cloud provider, the security posture of your network comes into play as to how that data is securely accessed.  Questions like, “Can someone exploit your internal network to gain access to the cloud provider?” have to be considered.  The risk of your security coming into play with a cloud provider varies depending on the type of provider and service they are providing.  IaaS or PaaS has a lot more risks here than a pure SaaS environment.
  • Their Security:  Beyond your network, the greater risk is exploiting the provider’s network which would allow someone to make off with your data, and potentially that of your customers’.  Depending on the data you store with the cloud provider, this could result in very sensitive information being leaked out.

Since the topic of “your security” is very broad, let’s focus on the security of the cloud provider.

In our threat and risk matrix, we break down cloud security into three different buckets:

1)      Prevention:  Preventative measures are specifically designed to deter, defend, and discover a threat coming at a cloud provider before the threat is realized.  In some cases, this is in the form of blocking IPs, patching regularly, and IDS systems that can flag irregular traffic patterns or identify common attacks against the platform as they begin to occur.  A good provider will have some level of prevention up front on their cloud, and also implement best practices to have their preventative counter-measures tested by themselves and third parties at regularly scheduled intervals.

2)      Detection:  Hopefully, the preventative measures are successful and these are never needed, but it’s always a good idea to have detection measures in place too.  Those cloud providers that have a robust model for cloud hosting will all have this as a vital component in their stack of threat and risk management.  Detection goes beyond the prevention and finds malware or attackers in your environment as they happen.  In our cases, while we don’t allow things like Javascript and SQL injection in our code (Which we routinely test for as part of our automation as well) we flag when we see users trying to do this.  It gives us an inside edge and also results in their accounts being instantly shut-down while we seek clarification from them as to why the bad input was occurring.

3)      Correction:  Finally, in the cases where there are security exploits, or a diagnosed risk during the preventative controls, there is correction.  This is the part where we take all of the feedback from people evaluating our products, the risks that we can identify and proactively get them back into our coding process and build/architecture process.  This phase sews up all the loose ends to ensure that our risk and threats are constantly managed and mitigated.

With all of the above, a cloud provider should be able to very easily answer the questions for you surrounding the various controls they have in place around prevention, detection, and correction.  If you are satisfied with their answers – they are likely a good provider for you.  If they don’t have all three in place… well, just remember, most gamblers in Vegas end up losing money.


October Patch Tuesday Round-Up


Microsoft had a rough month.  Instead of the nine announced bulletins they released eight.  Of those eight, three updates were plugging vulnerabilities that were being exploited in the wild.  An additional Microsoft Security Advisory has caused some issues and was pulled from the downloads site.  On the Non-Microsoft front, there were releases from Adobe, Google, and Oracle that should be on your high priority list.  Oracle released their quarterly Critical Patch Update which included many high severity vulnerabilities in Java SE.  Adobe Flash released which also caused Internet Explorer and Google Chrome to release an update to support the plug-in.  Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-056: Cumulative Security Update for Internet Explorer (2987107) – This update is rated as Critical by Microsoft and resolves fourteen privately reported vulnerabilities in Internet Explorer which could lead to Remote Code Execution.  The vulnerabilities are all memory related exploits and the update is changing behavior of how IE handles objects in memory to resolve these vulnerabilities.  One of the vulnerabilities resolved (CVE-2014-4123) has been exploited in wild as a sandbox escape.
  • MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) – This update is rated as Critical by Microsoft and resolves three privately reported vulnerabilities in .NET Framework which could lead to Remote Code Execution.   On .NET 4.0 iriParsing is disabled by default, but on .NET 4.5 this feature cannot be disabled.  If you are running .NET 4.5 this is a higher priority.
  • MS14-058:  Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) – This update resolves two privately reported vulnerabilities in Microsoft Windows which could lead to Remote Code Execution.  Both of the vulnerabilities (CVE-2014-4148 and CVE-2014-4113) in this bulletin have been reported in targeted attacks in the wild.  The vulnerabilities ideally could be used in concert, but the reported attacks were exploiting each in separate attacks.
  • MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) – This update is rated as Important and resolves one privately reported vulnerability in Microsoft Windows.  Although only rated as Important, this update resolves a vulnerability (CVE-2014-4114) that has been detected in targeted attacks reported in the wild.
  • APSB14-22: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe and resolves three vulnerabilities in Adobe Flash Player.  Two of the vulnerabilities are memory corruption issues and the third is a integer overflow which could lead to Code Execution.  In addition to the Flash Player update there is an IE Security Advisory and a Google Chrome update that need to be deployed to resolve the vulnerabilities in the Flash browser plug-in.
  • MSAF-031: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – This advisory updates Internet Explorer to support the latest Adobe Flash Player Plug-In update.  The Flash Player update is a Priority 1 update resolving three vulnerabilities.
  • CHROME-114: Chrome 38.0.2125.104 – This is a High priority update from Google to update the Adobe Flash Player Plug-In. The Flash Player update is a Priority 1 update resolving three vulnerabilities.
  • Java7-71: Java 7 Update 71 – This update is part of the Oracle Critical Patch Update release for Q4.  The release resolves 25 vulnerabilities, 22 of which are exploitable over the network without authentication.  Oracle has rated this update as Critical.  It includes one vulnerability with a CVSS score of 10.0 and several other 9′s.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) – This update resolves one publicly disclosed vulnerability and is rated as Important.  The vulnerability is mitigated by XSS filters in IE 8, 9, 10, and 11 and workarounds are available to block ActiveX controls for Local Intranet Security Zones.  A user would need to be convinced to view a specially crafted website or click a link in a email message or Instant Messenger message to be exploited.
  • MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) – This update resolves one privately reported vulnerability and is rated as Important.  An attacker must convince a user to open an attachment or access a specially crafted website.  If exploited the attacker would gain the same user rights as the current user.  Limiting users to less than Administrator user rights can mitigate the exposure if exploited.
  • MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) – This update resolves a publicly disclosed vulnerability in Microsoft Windows and is rated as Important.  The vulnerability is part of the Message Queuing component which is not installed by default.  It must be enabled by a user with Administrator privileges.  An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):

  • MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) – This update resolves one privately reported vulnerability in Microsoft Windows which could lead to Elevation of Privilege.  The attacker must have physical access to the system to be able to exploit the vulnerability.
  • FF14-012: Firefox 33.0 - Mozilla released FireFox 33.  This update does not include security fixes, just new features and bug fixes.

Watch List:

  • MS14-A12: Security Advisory KB 2949927: Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 – The update has been pulled due to issues impacting systems after update.  Some have had to be restored by CD-rom to resolve.  If you have already deployed this Advisory you may need to roll it back.   

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.