April Patch Tuesday Round-Up

We are one week past April Patch Tuesday.  Taking a look back, XP’s End-of-Life may have been overshadowed a bit with Heartbleed and Update 1 for Windows 8.1 and Server 2012 R2.  Let’s start off by recapping Patch Day.

For those of you who caught our Patch Day webinar (playback found here), you may recall the recommendations we gave.  High priority on MS14-017 (plugs a publicly disclosed Word vulnerability) and MS14-018 (the IE Cumulative update, which also happens to be Update 1 for 8.1 and 2012 R2 systems).  These two updates are Critical and plug a number of vulnerabilities.  While still important, the other two Microsoft updates are a bit overshadowed by the 3rd Party updates for Adobe Flash and Google Chrome that released on Patch Day as well.  These two updates are also a high priority this month, resolving 35 total vulnerabilities between the two of them.  That is triple the vulnerabilities resolved by the 4 Microsoft updates this month.

Let’s take a closer look at MS14-018.  When assessing machines you will see one missing patch on most systems, but on 8.1 and 2012 R2 you will see the missing IE patch plus 5 additional updates that make up Update 1, the biggest and most important being KB2919355.  Without this last one you will not be getting the next round of OS updates on 8.1 or 2012 R2.  Our sources have confirmed what Microsoft stated in their blog on April 10th: newer patches will apply to 8.1 and 2012 R2 only if Update 1 is already applied.  By the way, you will not see or be able to install 2919355 unless you have first applied the important non-security update 2919442 (MSWU-905).  In our Content release on 4/15 we changed the designation of MSWU-905 from Non-Security to Security to ensure the majority of Protect users will see this patch and deploy it, so that 2919355 becomes applicable to the system.
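To see where a host sits in that prerequisite chain before pushing Update 1, here is an added PowerShell example; it is not from the original post or from Shavlik's tooling, and it assumes Get-HotFix and Get-CimInstance are available (PowerShell 3.0 or later) and that the two KB IDs are the ones named above.

```powershell
# Added example (not part of the original post): report whether a Windows 8.1 /
# Server 2012 R2 host has the Update 1 prerequisite chain described above.
# Assumes PowerShell 3.0+ and that Get-HotFix lists these KBs (it reads the
# same data as "Installed Updates").
function Test-Update1Chain {
    # Win32_OperatingSystem reports 6.3.x for 8.1 / 2012 R2 regardless of manifest
    $os = (Get-CimInstance Win32_OperatingSystem).Version   # e.g. "6.3.9600"
    if (-not $os.StartsWith('6.3')) {
        return [pscustomobject]@{ OSVersion = $os; Status = 'NotApplicable'; Missing = @() }
    }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $prereq  = 'KB2919442'   # non-security update that must be installed first
    $update1 = 'KB2919355'   # the Update 1 package itself
    $missing = @($prereq, $update1) | Where-Object { $installed -notcontains $_ }
    $status = switch ($missing.Count) {
        0       { 'Update1Installed' }                                  # chain complete
        1       { if ($missing -contains $update1) { 'PrereqOnly' }     # ready for 2919355
                  else { 'Inconsistent' } }                             # 2919355 without its prereq
        default { 'PrereqMissing' }                                     # deploy 2919442 first
    }
    [pscustomobject]@{ OSVersion = $os; Status = $status; Missing = $missing }
}

Test-Update1Chain | Format-List
```

Run it under an elevated session on each 8.1 / 2012 R2 host; a result of PrereqMissing means 2919355 will not even show as applicable until 2919442 has been deployed.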

Now, you may have seen a lot of press around Update 1 causing issues on systems.  The biggest was impacting WSUS 3.2 when running in specific configurations.  This will NOT affect Shavlik Protect customers, as we have no reliance on WSUS 3.2.  Other issues identified seemed to be around properly licensed systems and got more obscure from there.  Microsoft will be releasing fixes for these issues, possibly later today.  The fix for the WSUS 3.2 issue (2959977) was announced yesterday, but the patch itself has not yet been released.  It will likely release soon.  Our recommendation for customers: get Update 1 applied before May Patch Tuesday, but make sure to test the rollout in your environment first.

Last Thursday’s Content Release was Non-Security related.  There were many updates released, but nothing of a Security nature.  Yesterday, however, Oracle released a Critical Patch Update for Java 7 Update 55.  This update plugs 37 vulnerabilities, 4 of which were given CVSS scores of 10.0, the highest possible.  This should be added to your priority list for this month.

Overshadowing everything this month is the OpenSSL vulnerability Heartbleed, which has quickly become a household name.  MPR, radio commercials, notifications to home users regarding services they use, pretty much everyone has now heard of Heartbleed.  Many vendors are still investigating their product portfolios to see how far this vulnerability reaches into their products.  As I posted last week on the Shavlik Blog, Protect customers, our products and services are covered, so you have nothing to worry about.  Evaluate all products running in your environments.  Check with your vendors, as they are posting details around affected products and versions.  VMware, Oracle, and many others are still investigating some product lines, but most products have been confirmed as either affected or not affected.  For VMware, the only version of the ESXi hypervisor affected is ESXi 5.5.  Protect customers can upgrade to Protect 9.1 later next week when we make it available via an Early Access release, which will support updates on ESXi 5.5.  ESXi versions 5.1 and earlier, supported by Protect 9.0, are not affected.