September Patch Tuesday Round-Up

This month may have been a light release from Microsoft, but there were still plenty of updates to deploy. Microsoft released four security updates, one of which was critical, resolving 42 vulnerabilities. On the non-Microsoft front, there were releases from Adobe and Google to take note of. Adobe Flash had a Patch Tuesday release, resulting in an IE advisory and a Google Chrome release to update the Flash plug-in. The Flash update resolved 12 vulnerabilities. There were no security updates for Office this month, but there were 18 non-security updates. One of those has run into some issues and had to be pulled. Here is a priority breakdown for security updates this month and details on known issues:

Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) – This update is rated as critical by Microsoft. It resolves 37 vulnerabilities which could allow remote code execution. The vulnerabilities all relate to memory corruption issues. One of the vulnerabilities resolved (CVE-2013-7331) has been exploited in targeted attacks in the wild. The large number of vulnerabilities, one of them publicly exploited, makes this a high priority for update.
  • APSB14-21: Security updates available for Adobe Flash Player – This update is rated as a Priority 1 by Adobe. The update resolves 12 vulnerabilities with a variety of impacts, including memory corruption, memory randomization bypass, code execution, same-origin policy bypass, and security feature bypass.
  • MSAF-029: Microsoft Security Advisory: update for vulnerabilities in Adobe Flash in Internet Explorer – This update allows Internet Explorer to support the latest Adobe Flash release, which resolves 12 vulnerabilities and is rated as a Priority 1 by Adobe.
  • CHROME-111: Chrome 37.0.2062.120 – Resolves four vulnerabilities, including one high priority vulnerability. The update also includes support for the latest Adobe Flash plug-in, which moves it up the priority list for this month.

Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):

  • MS14-053: Vulnerability in .Net Framework could allow Denial of Service – This update resolves one privately reported vulnerability which could lead to a DoS, but a default install of .Net is not vulnerable. The flaw is exposed only if ASP.NET is installed and registered with an IIS server, which requires the customer to install ASP.NET manually.
  • MS14-054: Vulnerability in Windows Task Scheduler could allow for elevation of privilege – This update resolves one privately reported vulnerability in Microsoft Windows which could allow for elevation of privilege. The attacker must, however, have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS14-055: Vulnerabilities in Microsoft Lync Server could allow Denial of Service – This update resolves three privately reported vulnerabilities in Microsoft Lync Server. The attacker must send a specially crafted request to the Lync Server to exploit these vulnerabilities.

Watch List:

  • Adobe delayed release of APSB14-20 – The update will be a Priority 1 from Adobe as it resolves several critical vulnerabilities. The release was delayed to the week of September 15, meaning it will drop any day now. Once it does, you can expect to bump this up to the Priority 1 list for rolling out this month.
  • Office non-security patch pulled by Microsoft – Microsoft did not release any security updates for Office this month, but 18 non-security updates have been released. An issue was discovered with KB2889866, an update for OneDrive, which would cause syncing to another user's library to fail and would cause moved links and similar changes to no longer be picked up by sync.

For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.

Security Breaches Everywhere: Keeping Your Company Out of the Headlines

Lately, it seems not a day goes by without news of a security breach dominating the headlines. The Target breach last fall set off waves of copycat attacks that still, nearly a year later, are successfully infiltrating the networks of prominent retailers. Recently, we’ve seen the likes of P.F. Chang's, Dairy Queen, and Minneapolis-based SUPERVALU join the ranks of hacked retailers.

I sat down with Rob Juncker to chat about these hacks and the unique challenges that companies in certain businesses, like retail and health care, face in securing their environments. In addition to being the Vice President of R&D here at Shavlik, Rob also dabbles in white hat hacking.


Anne:  Rob, the Target breach really got our attention as both consumers and as an industry. Now, nearly a year later, what do we know about the Target breach? How did it happen?

Rob:  We know an external hacker managed to take control and infiltrate Target’s system by way of a very unsecure node that was allowed to operate on their network. This was a complicated attack because they infiltrated a node, jumped onto Target’s network, and then had ample time to search the network, to find vulnerabilities, and to infect machines.

They infected the machines by injecting BlackPOS. It located point of sale (POS) devices, looked for specific processes on those machines, stared into their memory, and tried to match data formatted in the same manner that credit card tracks are formatted. After it found credit card data, BlackPOS sent it out of Target’s network to a location where the hackers could grab it.

Anne:  One thing that really stands out there is that they attacked a more or less forgotten node and not the data center. As an IT community, we invest so much of our energy into securing the data center, but from this example we see that isn’t enough.

Rob:  Most people focus on securing the most important assets within their network. The entire Target hack happened on the least valuable parts of the network – a computer designed for remote diagnostics as well as POSs, which are typically the cheapest nodes and the cheapest OSes. These hackers could have never gained access to Target’s core databases, but they didn’t have to. They simply attacked the nodes where the data is collected.

Anne:  Do retailers face unique challenges in securing their IT infrastructure?

Rob:  Retailers have incredibly complex environments – all of these terminals out on a WAN in all of these stores. Nobody in IT is hands-on because every store can’t have its own IT department, and the devices are running various OSes that have various third-party applications resident on them. This makes for a perfect storm for retailers to be exploited. Health care providers have similar complexity when you think about all of the nodes spread out throughout a hospital or a clinic.

Anne:  Here at Shavlik we are quick to share the figure that 75% of vulnerabilities exploited in the wild already have software updates (patches) available to fix them. How important is patch management in preventing these types of breaches?

Rob:  If you aren’t properly patched, someone can use off-the-shelf scripts to get access to that network. The Target hack was a professional hack. They knew what they were doing. That was the first, but all of these others are simple variants of the same approach. This has gone from being the work of an experienced hacker to that of a script kiddie. It is now readily repeatable, and we have a population of hackers attacking every site they can find.

Patch management is an important piece of having a full security profile for your entire network. Exploiting a known vulnerability is step one of the process. If you can reduce the ease of doing that, hackers are likely to move on to someone else.

Anne:  Most IT departments are disciplined about patching their data center servers with tools like Shavlik Protect and patching endpoint OSes with tools like Microsoft System Center Configuration Manager (SCCM). Let’s assume the OS is up-to-date. Is that good enough?

Rob:  No. Because they have POSs running a Windows OS, it is guaranteed there are third-party applications running on those devices. It could be an embedded internet browser or an embedded PDF generator. Worse, it could be Java, which is the most exploited third-party application.

The existence of third-party apps isn’t a “maybe;” it is a “for sure.” CIOs around the world should ask themselves, “It’s great that we patch Windows, but do we patch everything else?” If the answer is “no,” are you willing to bet your job on that decision?

Anne:  Of course CIOs don’t want to risk their jobs over something as simple as third-party app patching, but given the complexity of their networks, are IT departments for retailers faced with a lose/lose decision between knowingly remaining unsecure versus spending all of their time on patching?

Rob:  For those companies who have SCCM, Shavlik Patch for Microsoft System Center makes the decision easy. With Shavlik Patch retailers can patch third-party applications from within SCCM in the same manner in which they patch the OS. They can also completely automate the process which means they can get into a “set and forget” mode for applying third-party updates. Third-party patching doesn’t have to be a difficult or arduous process. If it feels that way, Shavlik can help you out.


Patch management is critical, but it is just one piece of the security puzzle. In the next post in this series, Rob will dig deeper into the technical details of the Target hack, discuss how you can determine if BlackPOS already exists in your environment, and explain how you can cut off its communication lines if/when it finds its way into your network.

Also, if you’d like to join a discussion on this topic, Shavlik will be hosting a webinar on September 30.

Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT

Updating Your Patch Process

When is the last time your patch process was dusted off and updated? Have you accounted for virtualization, BYOD, and shadow IT in your process? How frequently are you updating your virtual infrastructure? What is your policy around ensuring updates are applied to BYOD devices that are introduced to your environment or have access to your data? How does your policy apply to applications introduced outside of the IT department?

Things have changed significantly in the past few years. The demands of the user have changed the threat landscape for IT. You now have a number of new threats and ways to be exposed that you may not have a lot of control over. So how are you dealing with these issues? Have you taken steps to update existing policies to account for software installed on devices not owned by IT? How about devices owned by IT being audited regularly to ensure software purchased outside of IT is being maintained?

If you haven’t, you are not alone. Most companies are just trying to keep up with the pace of their users and the constant changes to their environment. Many companies are still trying to mature their process to handle more than the OS and the standard Microsoft applications. Dependencies on critical applications that are sensitive to software changes can be difficult to manage, and they will hinder the ability to move forward with a progressive policy and strategy for handling today’s threat landscape.

According to Gartner’s “Improve Patch Management” article, written last year by Ronni Colville, an organization will shift from reactive to proactive as it matures its processes. Companies that are still reacting to critical security updates and zero-day threats are likely still operating at the ‘Awareness’ or ‘Committed’ levels. Advancing to ‘Proactive’ or higher takes some effort and commitment from the entire business. Policies need to be properly documented and communicated to all teams, from Security and Audit to operations and business lines or application owners. The teams all need to be committed to the process, and management needs to support this commitment. The correct tools also need to be in place to support the platforms and applications in the organization. These tools should also give you the level of visibility needed to report up the organization, ensuring all parties get the proper level of visibility into the process and progress going forward.

So what is holding you back? The most common reasons I hear for a company to struggle with maturing their patch processes are:

  • Not all teams are supporting the process. In many cases one or more business lines or application owners will not allow applications to be updated that could cause them an outage. This is an obvious and very difficult issue to overcome, as these are typically the business critical apps that the company relies on most. This is also one of the reasons that Java Runtime is one of the most unpatched applications in your environment. 91 percent of web exploits involve a version of Java, and the vast majority of those are versions that are outdated or have reached end of life.
  • In some companies, the virtualization admin is outside of the operations team and not governed by the same policies. This is a common gap that leaves the virtual infrastructure unpatched. That means the hypervisors running multiple virtual machines are potentially vulnerable and, in the case of VMware, the tools on each of the VMs are out of date and potentially vulnerable.
  • Free tools like WSUS are considered ‘good enough’. Unfortunately the products that it covers fall into the 20 percent bucket for applications targeted by opportunistic hackers. With the average user being able to install their own applications, highly vulnerable products like Adobe Reader, Flash, Oracle Java, Apple iTunes, Google Chrome, and Mozilla Firefox all go unmanaged or require manual effort from the IT Ops team. So far in 2014 Adobe has released a Priority 1 update for Flash on seven of eight patch days.

I can relate one personal story. We had an expense system that unfortunately required an extremely outdated version of Internet Explorer to be able to run. Because of this requirement, we kept certain machines available with the older version in order to be able to continue using the expense system. Users would have to remote into those systems to use the expense application without issue, or they would have to take manual steps to finish their expense report. We ended up switching to a SaaS-based solution for many of our HR applications, and the rest are slowly moving to this platform as well. It was a change that took the commitment of HR, IT, and upper management, but once completed, all parties were happier for doing it. Not only were we able to remove some very old and hard to secure systems from the environment, we made HR’s life easier as well as significantly decreasing the time and complexity of entering expenses.

Tell us more about the problems you are facing and the issues holding you back from maturing your patch process. We have heard many of the pains from our customers on how to improve their process further, but we would like to hear from you as well.

Patch Tuesday Advanced Notification September 2014

So far we have four bulletins announced for September 2014, one Critical and three Important. Back in August Microsoft put a hard deadline on implementing Update 1 (KB2919355) for Windows 8.1 and Server 2012 R2, so users need to install Update 1 in order to keep their systems updated.

The first patch Microsoft will be rolling out is for Internet Explorer and is Critical. For the past few months we have seen large numbers of vulnerabilities, primarily around memory corruption and memory leaks, being resolved in IE. It’s likely we are going to see a continuation of the trend that started back in June, but it’s probably going to be a fairly clean month for IE.

Of the three Important updates, there are two vulnerabilities that could result in a denial of service attack and one that could result in an elevation of privileges. These bulletins affect .Net Framework, the Windows Operating System and Lync Server. The .Net update is going to be the most important thing here and IT managers should make sure they are testing it adequately before rolling it out.

On the third party front, we are expecting an update from Opera any time now. They have updated their change log, but the new version (24) has not yet been made available on their downloads.

For Adobe we anticipate an update for Flash to be quite likely this month. So far in 2014 there has only been one Patch Tuesday without a Flash update, and that month there were two updates outside of Patch Tuesday, one of which was a zero-day. If there is a Flash release, you can expect a Microsoft Advisory update for IE to update the Flash plug-in and most likely a Google Chrome update to support the plug-in as well.

Microsoft Security Bulletins:

  • 1 bulletin is rated as Critical.
  • 3 bulletins are rated as Important.

Vulnerability Impact:

  • 1 bulletin addresses vulnerabilities which could allow Remote Code Execution.
  • 2 bulletins address vulnerabilities which could result in a Denial of Service.
  • 1 bulletin addresses vulnerabilities which could allow Elevation of Privileges.

Affected Products:

  • All supported Windows Operating Systems.
  • All supported Internet Explorer versions.
  • .Net Framework.
  • Lync Server.

Join us as we review the Microsoft and third-party releases for September Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, September 10th at 11 a.m. CDT. We will also discuss other product and patch releases since the August Patch Tuesday.

You can register for the Patch Tuesday webinar here.

Taking IP to the Cloud – Is it Time?

Keep your IT Security Garage Closed

A couple of years ago we moved from a rural community to a more active suburban area. Being closer to retail, we discovered that the area had much more traffic than our previous dwelling. Before, we hardly locked the front door. Now we had to take additional security measures to protect our valuables and family.

One day, a few months after settling into our new home, the garage door was left open. We were sure we had shut it the night before, but it was definitely open the next morning. All the valuables in our cars were stolen including my work PC and travel cards, my wife’s purse, and even the “big ball of keys” that usually gets stored in the drawer but happened to be in the car’s cup holder.

After cancelling all the cards and re-keying the house, we decided to increase our security efforts for the home. With recent attacks and the loss of credit card data and even very personal photos of celebrities, many are asking how we can increase our security efforts.

Like my move to a more trafficked neighborhood, many organizations are considering creating either private, public, or hybrid Clouds. With today’s security, are we ready to move our valuable data and IP into the Cloud?

Recently I attended VMworld 2014, and many of the messages coming from VMware were around moving your data and infrastructure to the Cloud. They announced a couple of initiatives and products around virtualized infrastructure, rapid creation of applications, and security, all trying to build confidence for customers to move to the Cloud. Even the theme of the show was “Be brave”, which I translated into “make the move”.

I’m curious how many IT organizations have plans to move their critical data and workloads into the Cloud. Do you feel this move is brave or more like leaving your garage door open? Do you feel that there are enough ways to secure your valuable data in the Cloud as you move to a place with considerably more traffic or are you cautious with recent stories of data leaving popular Cloud implementations?

The good news is we have yet to see a major online retailer such as Amazon get hit with large data loss. It looks like building secure online applications does work. But are the benefits good enough to outweigh the risks of making the move?

Thank You for Joining Shavlik at VMworld 2014

Last week I was in San Francisco for VMworld 2014. We had a great week and a lot of traffic in our booth. We had over 1500 people stop by the booth between Sunday and Wednesday. We crammed crowds of VMworlders into the booth for live demonstrations of Shavlik Protect 9.1 (Ryan from our SE team lining up another crowd for a demo and Becky loading up more snap bracelets to give away). We slapped a couple thousand blue Shavlik snap bracelets (which are also a stylus) on the people who stopped by and a few drive-bys who didn’t stop to talk.

We also had hundreds of Shavlik users stop by the booth as well. I think I met a couple dozen long time users who remember HFNetChk. That dated them pretty much all the way back to the beginning of Shavlik and the original command line assessment tool based on the original MBSA. It was great talking with you all and hearing the things you liked and those things you would like to see improve in the product. Keep that feedback coming, as that is how we ensure the product does what you want.

Make sure to catch us in April at RSA. If you do you can join us for snap bracelet target practice. Below is Kate from our Field Marketing team loading up with snap bracelets between demos.

MS14-045 re-released today and everyone wants to know if they need to uninstall the previous version

Microsoft re-released MS14-045, which was causing blue screens for some customers. Our content team released an out-of-band content update to add the new version of MS14-045. It was released as a new KB (2993651). The Microsoft bulletin answers many common questions in its Update FAQ, but the one question most people are asking me is whether they have to uninstall the previous one if it is not blue screening systems. Microsoft states in the FAQ that the patch will install over the top of the previous version, but they are recommending uninstall even if you are not having issues.

For that reason, Shavlik Protect will still show the original KB if you have already installed the original. The new version replaces the previous one, so if you have not installed the original you would not see it by default. We kept the original in the product but marked it as non-deployable so customers who had not already installed it would not accidentally do so. This also removed the ability to uninstall if you had already deployed the original update. Our support team has created a set of custom actions to remove the original patch. You can view that KB here.
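To answer the "do I need to uninstall it?" question per host, the following added PowerShell check (not from the post and not Shavlik's custom actions) inspects the installed hotfix list for the re-released KB2993651 and for the original MS14-045 package, then states the action Microsoft's guidance above implies. The original package's KB id is not given in the post, so `$OriginalKb` is a placeholder to fill in from the MS14-045 bulletin.

```powershell
# Added example: audit one Windows host for the MS14-045 re-release.
# KB2993651 is the re-released package named in the post; the original
# MS14-045 KB id is a placeholder (take it from the bulletin's Update FAQ).
$NewKb      = 'KB2993651'
$OriginalKb = 'KB<original-MS14-045-id>'   # placeholder, not stated on the page

function Get-Ms14045Status {
    param(
        # Defaults to the live hotfix inventory; pass a list to test offline.
        [string[]]$InstalledIds = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $hasNew      = $InstalledIds -contains $NewKb
    $hasOriginal = $InstalledIds -contains $OriginalKb

    # Microsoft recommends removing the original even where it caused no
    # blue screens, and the new KB installs over the top of it.
    $action = if (-not $hasNew -and -not $hasOriginal) {
        "Deploy $NewKb"
    } elseif (-not $hasNew -and $hasOriginal) {
        "Uninstall $OriginalKb (per bulletin FAQ), then deploy $NewKb"
    } elseif ($hasNew -and $hasOriginal) {
        "Uninstall $OriginalKb; $NewKb is already present"
    } else {
        'Up to date'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        NewKbInstalled  = $hasNew
        OriginalPresent = $hasOriginal
        Action          = $action
    }
}

# Report for this host. The uninstall itself, where indicated, is the standard
# 'wusa.exe /uninstall /kb:<number> /quiet /norestart' run by the patch tool.
Get-Ms14045Status | Format-List
```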


Shavlik Team Takes the ALS Ice Bucket Challenge

Shavlik Vice President Rob Juncker brings IT deployment models to the ALS challenge. Rob, who was nominated by Pertino CMO Todd Krautkremer, nominated Odell Tuttle, VP of Engineering at SportsNGin, Stephen Poppe, CIO at Roto-Rooter, and Pat O’Day, CTO at BlueLock.


In the photos below, Shavlik team members Chris Goettl, Kate Borsheim, and Anne Steiner also take the plunge.

Shavlik Protect 9.1 Patch 1 released

Shavlik Protect 9.1 Patch 1 is now available. The update includes fixes for 18 customer reported issues. The patch is available for download from the Shavlik Protect downloads page as of yesterday.

We will be monitoring adoption rates and will set the patch for auto update for Protect 9.1.4334 in the next few weeks.