November Patch Tuesday 2019: Webinar and Transcript
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. In the webinar below, we do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Enjoy the full webinar and accompanying transcript below.
TRANSCRIPT
Chris Goettl: We've got an interesting lineup here this month. We actually were thinking that November might be a really boring Patch Tuesday. In fact, Brian, whom some of you heard on our call here and have gotten responses from throughout calls and things, he and the team were actually done here in near record time yesterday, wasn't it Brian?
Brian Secrist: Yeah. Released everything by 4:58 AM.
Chris Goettl: Yeah. I mean, again, we thought it was looking like a boring Patch Tuesday. But there are still some interesting things, some security issues and things that are definitely worth noting. We're going to go through that. We're going to talk about known issues. We're going to talk about some other things like end-of-life, the new branch release. 1909 is out and available. So we'll talk about a couple of things there. We will have time for questions throughout the webinar and after the webinar. So just a couple of housekeeping items. The webinar is going to be recorded and available afterwards. As always, you'll be able to watch this on demand after. We know that you guys are working in the trenches on a regular basis. So if you have to get pulled away mid-webinar, yeah, we will have a recording of it available to you as quickly as we can afterwards.
Chris Goettl: There's going to be some Q&A throughout. So if you do have any questions, please post those in the Q&A section. I see Brian has already responded to our first question for the day. Thank you, Brian, for that. But we've got a group of people on here to help respond to questions as we go through. We'll also have some time at the end to recap questions that we think everybody is going to want to hear the answers to as well. All right. Well, without further ado, let's go ahead and get started.
First of all, again, Microsoft was kind of the only vendor to really release anything significant yesterday. Adobe did have some security releases. They had a total of 11 CVEs that were resolved, but this was for like Illustrator and Bridge and a bunch of the less enterprise wide type applications. They actually did an Adobe Acrobat release earlier and Flash did drop. But it was completely non-security related. It only dropped on the Adobe side, Microsoft did not release an update for it. Again, no security vulnerabilities resolved in that one.
Microsoft was the major focus for what dropped yesterday. There is a huge lineup, a very large lineup of additional releases that have come out between last month and this month that include a lot of vulnerabilities. We will talk about those towards the end here, including a Chrome Zero-Day that occurred. So a lot of things, again, between there that you might want to be aware of. All right. Starting off with a little bit of news.
First thing, BlueKeep. This is one of those things that we talked about a number of times throughout this year. Originally released in May. It is actively being exploited now. So if you haven't already heard the news, we do have a couple of details in here. There is a security researcher, Kevin Beaumont, who originally discovered and named BlueKeep. He has continued his research on this. He created a honeypot and has been watching for and started to see activity in September. That activity has ramped up since then. So you could see here that in the monitoring of the honeypots that were created, there was very little activity up until just recently and it's been steadily ramping up since then.
A lot of this comes down to around the same time. The Metasploit module on how to exploit BlueKeep was released. There's, again, increased activity of active BlueKeep exploits happening in the world now. The attack in this case, it's not ransomware like WannaCry was or NotPetya. In this case, it's cryptomining that they're actually pursuing. So they are distributing cryptomining software to systems that are exposed by BlueKeep. Again, I provided a couple of different articles in here. There's one here where there's a number of systems that when the attacker is trying to exploit this, they hit a blue screen of death. So the Metasploit module was built in a way where you had to target OSes kind of specifically. If you mismatched the attack with the wrong OS, instead of actually taking advantage of it, you could cause a blue screen instead.
This is talking about how Metasploit is going to be releasing an updated module that's going to resolve the crashes that were happening there. Well, this means that threat actors are going to at some point get their hands on that as well and be able to use the fixed version of that so they no longer blue screen systems. Kind of an interesting angle there, but Microsoft has continued to warn about BlueKeep. This article goes into detail about Microsoft's researchers warning about the danger of this. There are still somewhere around the realm of, between this article and the next one here, I think they were saying somewhere upwards of 700,000 plus internet-facing systems, if I can find the right one here, that are still vulnerable to BlueKeep.
That means a public-facing IP, hosting RDP, and doing so in a way where that could easily be exploited. Yeah, here it is. So this researcher was reporting that there were still at least 700,000 plus remaining vulnerable and internet-facing. That was as of August. So hopefully, that's trending down since then, but still, behind those 700,000, how many systems within environments out there are also still vulnerable? Our point here is it's happening now. There were warnings from Microsoft, from other security researchers, from us, from... If you haven't resolved the BlueKeep vulnerability throughout your environment, we do highly suggest making sure that gets resolved here shortly. It's not ransomware in this case. It is cryptomining that's occurring in this case.
The big impact here is, yeah, they're not going to ransom a system. Yes, right now, there's a chance that it can blue screen a system and disrupt certain users. The bigger impact here is somebody stealthily using up CPU or GPU processing time in your environment and costing you money. From an operational standpoint, this is definitely an operational cost to your company if you get cryptominers in your environment. That's the concern there around BlueKeep.
The next one here, Microsoft Guidance for Vulnerability in Trusted Platform Module. Microsoft did not release a patch here. What they released was an advisory talking about the TPM vulnerability. So in this case, Microsoft does not at this point take advantage of the TPM module. They're basically saying their systems are not in need of a patch. But other things running in your environment could be taking advantage of that module. They talk a little bit about what systems are at risk. Windows Client Systems are at increased risk due to prevalence of TPM on client hardware systems. It's more of a concern about the hardware in your environment and if that's relying on that TPM feature set.
Servers with TPM modules are also a concern. But that's a matter of... Again, it's not the Windows OS that's vulnerable here. It's going to be the hardware that's in your environment that's vulnerable too. So they're just putting an advisory out at this point. All right. One other piece of news that is more of a positive thing. But there's a little bit of interesting variations here is Microsoft did release Windows 10 1909. This is talking about the fact that Windows 10 version 1909 has released, also Server version 1909 has released. This is telling you some details about how you can get it and everything like that.
The interesting thing is 1903 and 1909 share a common core operating system. So prior to this, you had to do the huge four gig plus ISO upgrade to upgrade a system from 1709 to 1803, 1803 to 1809, and then so on. If you have systems that are already running on 1903, those systems already have the code base to get up to 1909. Those new features are already in place. They're just dormant. So Microsoft has created this feature update. What it's going to do is it's going to basically flip a bit on your 1903 systems and enable the 1909 new features. So for that, those updates were actually pushed out as part of the October Patch Tuesday release. Those features are already in place just waiting for that bit to be flipped.
Now, for anything prior to 1903, you would still have to do the full branch upgrade. Now, as far as Ivanti's catalog is concerned, we are already adding in support for the ISO to be able to push the 1909 ISO out to systems to fully upgrade it from prior to 1903 all the way up to 1909. The feature update change there, that one Microsoft has not made available to third-party vendors yet. We're keeping an eye on that. We're going to be looking for this. As soon as it's available, we'll be looking to make that part of our supporting catalog as well. So this particular feature enablement update right now is available through Windows Update and Microsoft Update or through the WSUS catalog. The Microsoft Update Catalog does not have it yet. Again, once we have that, we will make that available as quickly as we can.
All right. End-of-life of Windows 7 and Server 2008 and 2008 R2. Just wanted to make sure that people have their eyes on the situation. Microsoft has scheduled this last patch release for these platforms, publicly available patch release to occur on January's Patch Tuesday this next year. After that, if you want to extend support, you have to meet certain criteria. There's a variety of paid-for options to continue support and there's a couple of specific free options to continue support from Microsoft.
So we wanted to talk about that a little bit because there are a number of questions coming in from people about this. Microsoft allows a paid-for option that you can go and you can extend support through a premium support contract with Microsoft. There's a couple of cases where you can get it for free. These are in cases where your licensing model or where it's hosted are basically accounting for the costs for Microsoft to continue supporting it.
In those cases, you can look into and see, what are the cases where it's available for free? I think it's mostly if you're in an Azure environment. I didn't read this particular article. But the cases where... This is talking a lot more about Microsoft providing free extended support, here we go, for voting systems. Interesting. They also have some other cases where if you have hosted systems in Azure, there's a couple of scenarios where that may make you eligible for support as well. This is talking about how to make sure your systems are prepared for the Windows updates to continue on those. There's a couple of things that you want to make sure are set up on there if you're going to continue support for that. A few of those are making sure that you've got the latest Servicing Stack Updates on those systems. Also, that you've got the SHA-2 updates applied to those systems. Those are the two main kind of prerequisites that need to be there and then you'd be able to continue support for that.
Now, there's more details here, if you're going to continue that support from them with Windows Update or something like that. There's an ESU SKU that you have to activate here. There's an activation ID for that. If you're looking for continued support with Ivanti on that, we do have an article available that talks you through some details around that. So basically, what you need to make sure is in place is that you've got continued support from Microsoft, either a paid-for option or a free option, whichever the case may be. You've got the details you need from Microsoft and you are legally eligible to be able to apply patches to those systems going forward.
We can continue to supply the patching for those systems as well, but because of the way that Microsoft controls the releasing of these, it enters into a custom content scenario with us. We have to retain infrastructure and do testing and things around this. So there is a cost involved with continuing this for Ivanti for us to distribute a private content stream for you. For that, you can reach out to us and we can get you more details on that. Again, our Endpoint Manager and our Security Controls, our Patch for Windows product, both of those product lines are able to support extended support for that. Again, there's going to be a cost involved regardless of the free or paid-for eligibility on the Microsoft side. Our costs are more from an operational standpoint. This is continuing to do content support, supply infrastructure for it, continue licensing of that infrastructure. All those types of things, we have to account for to sustain this for the next couple of years for customers who need to do this. That's what our subscription cost for this extended support is.
So if you need details on that, do reach out to us and we can give you more information about that. All right. We've got a couple of Intel related vulnerabilities that we wanted to talk about here. More speculative execution side channel vulnerability stuff, will say. There's a couple of very complex articles here that we wanted to touch on real quick. This first one is it's actually relating back to a CVE from 2018. CVE-2018-12207 was a denial of service vulnerability if I can speak well today. Microsoft is documenting a CVE that was issued by Intel. The reason for this is making sure that you understand how to turn on mitigation for this particular vulnerability.
This is a case where you've got a guest VM running in a virtual environment. By default, this protection is disabled. Enabling the protection requires actions on the host. So not the guest, the host. So this next KB article, if you click on the link here, goes into those details of what you need to do to enable that mitigation. So here's the registry keys, the details that you need to be able to implement on there. Then that mitigation is turned on for Hyper-V environments.
The next one here is a vulnerability, a new speculative side channel attack that has been updated here. This one is basically... Again, if you're familiar with the Meltdown and Spectre and all the other variants that have happened since then, it's being able to take advantage of the speculative execution capabilities of certain processors that allow better performance because it's basically predicting what's going to happen next. Attackers have found ways to tap into that as well in a side channel and basically watch that and try to glean information off of that. These are information disclosure vulnerabilities.
One of the things that's been pushed back and forth is, what is the big risk of these vulnerabilities? So far, nobody has been actively exploiting these in the wild to anybody's knowledge that I've seen. A lot of this is academic, and the researchers across the globe that have been looking into this have notified Intel and told them about different vulnerabilities. Intel responds with fixes and mitigation and things at a firmware level and guidance for vendors like Microsoft and VMware and anybody who's really working at that kernel level to better protect their platforms against these types of disclosure vulnerabilities.
In this case, this is the latest of this line of vulnerabilities. In this next KB article, Microsoft has actually done a pretty good job of breaking down, all the way back to 2017, all the different variants that have come out, the guidance that has been collected here, and showing you even like, "Okay, so for this CVE, it doesn't require a CPU microcode update. No. What's the mitigation default status? It's enabled by default. No option to disable. Please refer to this advisory for more details."
It goes through all of these and tells you even for like different chipsets. For 2018-3639, Intel requires a microcode update, AMD does not. ARM does. Here's more details about that particular advisory. So going all the way down to this most recent one, 11135, it's affecting the Intel processors. Yes, there is a microcode update. So you do have firmware updates that need to be applied from Intel. The protection in this case is enabled by default. More details are available in the CVE here, including applicable registry key settings and things like that. The more detailed KB article here is a really good guide to figure out, okay, which of these vulnerabilities do I have to do additional steps for from a firmware perspective, from a registry perspective?
All right. This next one is getting into server and client side guidance for speculative execution side-channel vulnerabilities. Again, Microsoft has updated and made available some additional details around this because of the new recent variant that has been plugged. Their recommendations here, "Apply all Windows updates. Apply all firmware updates. You do need to evaluate the risks in your environment. In some of these cases, certain workloads will take a bigger impact to performance than others." We've seen examples of some of these mitigations when they get turned on. If you're a gaming company and your whole gaming service is online gaming, well, yeah, some of these vulnerabilities might impact you as much as 30% CPU performance.
There were some reports of certain gaming companies that saw some pretty big impacts as these mitigations were turned on. Your average environment, probably down more at the 1% or less for these mitigations that were turned on. But the point from this guidance is you do need to look at some of these specific advisories and figure out what is the impact to your environment for those particular things. Then each of these KBs, some of them have additional registry keys that need to be turned on to turn mitigation on or enable them. Again, make sure that you're looking at that additional guidance there.
Again, going through for Windows Servers versus clients. This was client side. This was Server side and describing all of the... Because the Server side in many of these cases won't enable the mitigation by default because that's where performance impacts were more common in many of those cases. You can see a lot of these were disabled by default. Again, follow up on that. If you've been keeping up on those, the latest is this 2019-11135.
All right. Getting into... We do have one Zero-Day and one public disclosure we're going to talk about here real quick. We're about to jump into the actual updates for this month. First one here, probably the most concerning, this is a vulnerability in Internet Explorer basically affecting all versions nine through latest and all platforms. This has been identified in exploits in the wild for both older platforms and Windows 10 and the latest editions as well. In this case, it's a scripting engine memory corruption vulnerability. Basically, the way that memory is being handled, an attacker found a way to corrupt that memory space and allow them to execute arbitrary code as they see fit. Now, it is in the context of the current user.
One thing to note here is if you are running more strict privileges throughout your environment, least privilege rules, a lesser user on that system, the attacker doesn't gain full rights. They would only gain equal rights to what the user is capable of doing. In that case, they would have to go and take additional steps to elevate their privilege level. An attack like this, if you're running least privilege, you could actually slow an attacker down to the point where they have to do additional steps before they can move on and fully compromise the system. If the users have full admin, well, they've got full rights on the system. They're a full admin. They can go and execute applications, delete data, create new users with full admin rights and so on.
This is a user-targeted attack. So it does have web-based and email and document-based attack vectors. An attacker could create a website specially crafted to exploit this and convince the user to go there. They can embed ActiveX controls marked "safe for initialization" in an application or Microsoft Office document that hosts that IE rendering engine. They can also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. You go to the different sites that have all the ads and stuff on the side. An attacker could use a vulnerability like this to inject a malicious bit of content through websites that host that type of content.
All right. Next one, this one is... We wanted to more clarify this one. This is a public disclosure on how to bypass the security features of Excel. In this case, it's only on the Mac. So Office 2016 for Mac is the version that's vulnerable. Now, the security feature bypass in this case, the attacker is able to craft the Excel spreadsheet to specify that a macro should be run. Really, the danger of this one is they bypassed the security features around whether macros should be run or not to make it so that it can still run one even if you possibly disabled that. The real danger of what's happening in that is in the macro that they're also including in there.
In this case, the Office for Mac updates tend to stagger behind the Microsoft, the Windows updates for Office, by a couple of days. This is just to let you know that this is out there. You may not see the actual Office updates for Mac for a couple of days yet though. All right. That wraps up the exploited and publicly disclosed vulnerabilities this month. Again, just to specify a few things around end-of-life of Windows 10 branches, we already talked about Win 7 and 2008 and 2008 R2. But for those of you on Windows 10 version 1803, if you are on the Home, Pro, or Pro for Education or Workstation editions, the 1803 edition did receive its last patch update this month. So do make sure that if you're on one of those editions that you're getting those 1803 branches out of your environment.
The next end-of-life we've got coming up then for those of you on the Home and Pro editions is going to be May 12, 2020. For those of you on the Enterprise and Education editions, April is the next point where you've got to be concerned. We did add a slide in this month. Normally, we haven't talked about LTSB. There's a lot less people using it than I think Microsoft or anybody initially anticipated. This being in here is more of an FYI for any of you that are using it. The October 2020 date is the first LTSB end-of-life that we're going to see.
Now, one thing that I think... I've had a couple of cases of this come up. It's not widespread but enough to make mention of it is Microsoft's support around Windows 10 is very specific. If you're on the Pro or Home licensing, obviously, we're not worried about Home as much here but Pro licenses, the support for your edition under your license agreement with Microsoft ends sooner than the Enterprise and Edu and much sooner than the LTSB.
There's been some confusion in some companies to think, "Oh, no. Updates are still available for the branch that I'm on." Well, are you on the LTSB? If you're not on the LTSB, then know certain editions aren't going to have updates available for you yet. So just make sure that you've got a clear idea of which branch you're on, what licensing you're on, and when the end-of-life is, so periphery to those. That's what we adhere to. From our product standpoint, our product catalogs will support all the way through to the LTSB. But it'll be specific to the licensing that you're on and the edition that you're running is what we make available on those platforms.
All right, Servicing Stack Updates. Last month, we talked about this in quite a bit of depth because they happen across the board. Well, guess what? Microsoft did nearly across the board this month. Only one edition of Windows 10 did not receive a Servicing Stack Update this month. So round two, we've got another round of these. I would suggest that... Again, last month, I cautioned that when Servicing Stack Updates come out, we have seen them become a prerequisite in as little as two months after release. So you don't want to ignore these. Especially if you're going to be continuing support for Server 2008 and Windows 7, you need to have the Servicing Stack Updates in place before January. So make sure you get those updated. I think, though, with two back to back updates of all Servicing Stack Updates, let's see what happens in December if things start to slow down, then start to roll out across the board.
But it seems that Microsoft is making some pretty big Servicing Stack changes right now and hopefully they'll let up in December and we'll get down to a stable SSU branch on those. Now, for those of you who aren't familiar with the Servicing Stack Updates, these are not part of the normal cumulative updates that happen each month. This is the update infrastructure within Windows. So the Servicing Stack Update is making necessary changes that Microsoft needs to make in advance of some change to their regular patch stream coming down the road a little ways.
So if you're going to deploy the Servicing Stack Update, you've got your regular monthly update, and then you've got the separate Servicing Stack Update that has to be applied. So just make sure you understand that that is a separate patch. It's not part of your normal monthly patching. It's not included in there. All right. If you do need additional information on a weekly basis, we do actually kind of a subset or a smaller version of what we do around Patch Tuesday on a weekly basis. Brian is the host of this series, writing up the latest patch releases that come out in our catalog covering Microsoft and third parties, along with security details, CVE analysis, and other interesting security events happening around. Things like the Google Chrome Zero-Day that happened November 1st, back in September when the IE Zero-Day occurred. This weekly patch blog is a great source for being able to keep tabs on those types of events and a really good source of that continual information.
Then our Patch Content Announcement System, if this is your first time on our webinar series, this is another content notification system we've got that lets you know whenever we release new content into our catalog. As you'll see, after we go through the patches for this month, there were a whole lot of security releases between October and November Patch Tuesday. If you're not subscribing to these, if you're not checking out our weekly blogs, you might be missing a whole lot of security concerns out there. That's why we want to make people aware of those content streams. All right. Todd?
Todd Schell: Sounds good. Hello, everyone. We're going to walk through the bulletins for this month. Let's start with Windows 10. Obviously, releases came out for all versions of Windows 10, including the update to 1909, which I see I have not included on this slide. Series of 16 different KB articles. There's a lot of KB articles around all these different versions as well as the Server versions. Chris did mention that the one IE vulnerability 1429 is known and exploited. So be aware of that. There were 58 vulnerabilities fixed this month.
If you want to go in and get a complete list of those, I think most of you know how to use the Security Update Guide on Microsoft's page for the complete list. Of course, our metadata in our products also includes a list of all the CVEs as well. It is rated critical this month because of that known and exploited issue. Talking about known issues for Windows 10, actually, Microsoft has done a pretty good job of cleaning up from last month. We still have a few that are being carried forward regularly. Specifically this file rename issue. We've talked about this for almost a year now. Not sure how aggressively or if Microsoft is actually going to fix this one. You'll notice that it is generically assigned to this one KB here, 5232 specifically, meaning that all versions of Windows 10 are experiencing this particular issue.
They do have a workaround for it right now. They said that they are working on a resolution but like I said, we've been carrying this one forward for almost a year month by month. Moving on to version 1607, and Server 2016, you may be wondering why this is listed in here. This is part of the long-term service branch. This has this file rename issue as well. But there also is an issue around this minimum password problem. This particular issue has also been carried forward many, many months now. Be aware of that one. There is a workaround for this where you can basically go in and set your minimum policy for password length equal to or less than 14 characters. I'm not sure how aggressively Microsoft is working on this one. This one actually only shows up I think, for this particular server 2016 issue.
As I mentioned, that file rename issue covers across all versions of Windows 10. There is another one that's been introduced this month. Specifically, this has to do with the Out Of Box Experience around using basically Asian languages: Chinese, Japanese, and Korean. This one was introduced this month, is first time that we've seen this particular issue. It does apply against all these additional newer versions of Windows 10 as you'll see here. I haven't listed for all of them. They have a workaround right now. Basically, you can set the keyboard language to English, go in and make your changes, then switch it back to the foreign language that you're using.
The KB article particularly here provides more details. So you can go in and take a look on this one as well if you want some additional information that I couldn't capture here. I said that the 1803 has this Out of Box Experience problem as well as the file rename issue. 1809 has this issue that's been carried forward for many months now, has to do with Asian language packs. They do provide a workaround that's pretty detailed. I might want to go in and take a look at this one. But this one's been known for quite a while and has been carried forward for many months as well. 1809 also has the file rename and the Out of Box Experience on those Asian languages as well.
1903 also has this new issue with the Out of Box Experience issue with Asian languages too. Obviously, this would carry forward into 1909 as well. But 1909 being just released, hopefully, they'll get this one cleaned up pretty quickly. Chris talked quite a bit about Internet Explorer update and the fact that we have this known and exploited vulnerability 1429. So be aware of that. There actually were only two vulnerabilities addressed this month and IE it does cover versions 9, 10, and 11. There are a number of different types of Internet Explorer updates from cumulative to standalone security only update, so be aware of that as well.
Once again, there were other updates with only two vulnerabilities in IE this month. Nice thing is there are no known issues on IE right now. Going back to the Home, the legacy operating systems will start with Server 2008. There was a critical update this month for Server 2008. Addressed 31 different vulnerabilities. There is the monthly roll up version which includes the IE updates. It is rated critical, obviously, because of this known and exploited issue. That's included in this update.
Chris did talk about the Intel vulnerabilities. You'll notice that only one particular vulnerability, this 1135, was addressed this month. I'm not sure if the other one applies to this just because it's an older operating system or why it wasn't addressed. But they did include this fix for the Intel vulnerability. Once again, there's additional guidance. Chris had listed those earlier to go in and enable registry settings and things like that to make sure that you're patched properly on servers and client endpoints. Be aware of that as well.
Once again, only one of those Intel vulnerabilities was addressed this month in Server 2008. There are no known issues around that particular update. There was also a security-only update released for Server 2008. I cover this every month, but just very quickly, the monthly roll up includes a series of patches going back basically to October of 2016. They've picked out all the latest and greatest in there. So you get all the updates in one single update.
The nice thing about that is you can apply one update and you get them all. The downside to that is it may impact a lot of your legacy applications that you're running on top of these operating systems. As a result, there's also a security only update that Microsoft releases each month with only the vulnerabilities that have been identified in this last month that are addressed. In this case, only 31. So the 31 specific vulnerabilities are included in this particular update, CVE 45 and KB 4525239. All of those 31 vulnerabilities are addressed. Very tactical. If you're going to apply the security-only updates, you have to make sure you do month by month to make sure you get all the latest vulnerabilities addressed.
Moving on, once again, Windows 7 and Server 2008 R2 also were updated this month. You'll notice that this one does include both of the Intel updates. I've listed them here, as well as the specific security components that were fixed this particular month. A few more vulnerabilities addressed within Windows 7 and Server 2008 R2. There were 35 plus, of course, those two IE vulnerabilities in the monthly roll up. No known issues around this particular update. There was also a security-only update released for Win 7 and Server 2008 R2. Again, the same two Intel vulnerabilities were addressed as well as these six component updates. Basically 35 vulnerabilities included in the security-only update here.
Another legacy update for Server 2012 does include basically the same vulnerabilities. There were two additional addressed. So there are 37 plus those two IE vulnerabilities. One difference here for Server 2012. You notice that that file rename issue is a known issue for this legacy operating system as well. Of course, the security-only version, basically the same updates without the IE updates. The 37 vulnerabilities addressed here. That same file rename issue carries forward into this release as well.
Finally, last of the legacy groups, we have Windows 8.1 and Server 2012 R2. Basically the same 37 vulnerabilities addressed here. File rename issue once again carried forward. Both of those Intel issues were addressed. Finally, the security-only update, same one, same group, same information there. Covered under a different bulletin of course. There was an update for Exchange Server this month. Didn't have a 2010 update, but 2013, 2016, and 2019 were covered. They were all addressed basically in the same KB article. It was a remote code execution vulnerability having to do with the deserialization of metadata via PowerShell. They talk a little bit about that. You can go in and look at this particular vulnerability 1373 if you want more details.
Interestingly enough, if you read the release notes from Microsoft every month, they do include a list of known issues and they list those bulletins. They cover this one all the time for Exchange Server. I don't know, it's pretty obvious, but you must install this update with administrator privileges. If you don't, it will appear to apply properly, but it won't actually apply the fix for this particular vulnerability. So just be aware of that. Make sure you install the Exchange Server updates with administrator privileges.
Moving on to the final updates that are marked as important this month, there are updates for Excel, all versions 2010 through 2016, 2016 for Mac. This includes updates for Office of the same range, and also both versions of Mac. Office for Mac 2016 and 2019. Chris talked about this particular vulnerability which was publicly disclosed for Mac only. It's 1457. So be aware of that. That's in the Excel macro issue that Chris talked about. There are no known issues with this particular update. So be aware of that one as well. Again, rated important. This is one that you want to get around to as soon as you can, but obviously not rated critical.
As far as the online versions, we're talking here about Office 365 ProPlus and Office 2019 which are typically updated via your click to run approach. Rated important as well this month, addresses a similar group of vulnerabilities. Obviously, not the Mac OS one because it's not part of this group of updates, so slightly different vulnerabilities but fixing four vulnerabilities here and rated important as well.
Finally, our last Microsoft update for SharePoint Server. Again, most of the Office vulnerabilities carry over to SharePoint Server as well since it hosts a lot of the similar applications. In this case, there were only three vulnerabilities addressed. They had to deal with a security feature bypass issue as well as an information disclosure issue. I've included a couple more details up here. You can go in and look at these three particular CVEs if you want more information about how these particular vulnerabilities have been addressed. Again, no known issues around this one, so no problem with SharePoint Server. They do go all the way back to version 2010. And obviously, each version is covered up through 2019. There were six different KB articles to cover all the different variations that are available for SharePoint Server this month.
As Chris said, it was a fairly simple Microsoft release this month. But between the Patch Tuesdays, we had a lot of activity. So Chris, you want to jump into some of this?
Chris Goettl: Yep. Absolutely. Regarding the Microsoft updates, the biggest one again is that IE update being exploited in the wild; make sure to get that one rolled out as quickly as possible. Also, browsers across the board, with Google Chrome having their Zero-Day just recently. There's a number of releases that came out between our Patch Tuesdays. There's a couple in here that we wanted to note because there are some actively exploited vulnerabilities in here as well. From Apple, you've got Apple iTunes and iCloud updates that came out that resolved several vulnerabilities each. The more interesting vulnerability here is the one that was not documented.
There was a vulnerability that did not get documented as a CVE but is actively being exploited. That's actually in the Apple software update service. Now, this is a service that's included in iTunes. It's included in iCloud. Many of the Apple products use it. A vendor, actually, a partner of ours called [inaudible 00:47:16], those are the researchers that discovered this vulnerability actively being exploited and reported it to Apple. Apple resolved the vulnerability, but they didn't actually document the CVE around it. Make sure that you get up to the latest versions of iTunes and iCloud because that support service is part of each of those. If you've got that anywhere in your environment, get up to the latest version of that to resolve that active exploit.
Now, one thing to keep in mind is it is possible to orphan the Apple update service on systems. If you install or remove iTunes or remove iCloud or different things like that, that service can be left behind. For this reason, we actually include the Apple service itself. That update service, we actually broke it out and manage it as a patch on its own. Not only do we add support for iTunes and iCloud, you will actually see that we added an independent Apple support service update as well in case you get into one of those orphan states. That's not something that Apple does, though. If you get into an orphan state there, their update services aren't going to touch it anymore.
WinSCP did release an update with two vulnerabilities resolved there. Acrobat Reader, this one came out and resolved 68 vulnerabilities. So there was quite a big one there that didn't drop on Patch Tuesday. It dropped after that and before the November Patch Tuesday. It did have quite a few CVEs being resolved. Google Chrome, again, we talked about a Zero-Day for Google that was actively being exploited. This Chrome release will resolve that for you as well.
For those of you who have heard about the changeover from Java 8 to Java 11, the JRE going away, all sorts of different challenges like that. One of the things that people have been switching to is alternative Java Runtimes like Corretto. If you are one of those companies that has made that switchover, make sure that you're updating that. We have added support for Corretto. They resolved 18 vulnerabilities in their latest release.
The Amazon Corretto branded edition, 17 vulnerabilities resolved there. That gets you up to basically the Java 8-232 equivalent. Firefox did release an update as well resolving 13 vulnerabilities. All of your browsers might be vulnerable right now. Make sure they all get updated this month. ESR branch also got an update with eight vulnerabilities resolved. Foxit Phantom, if you're using one of the PDF alternatives out there, they're just as vulnerable as Adobe's PDF products. They're a nice target because everybody uses PDF format. So make sure that you're updating those additional vendors as well if you're using Phantom, or there's a couple of other PDF alternatives out there. They do need updating as well. As you can see here, 9.7 and 8.3 received updates with 11 and 15 vulnerabilities resolved in each of those.
Oracle did release their patch update, their quarterly updates last month as well. That happened the week after Patch Tuesday. If you haven't already taken action on that, and you are running Java 8 or Java 11, there are vulnerabilities that have been resolved here. So Java 8, make sure that you are eligible for continued support there. If you're using the Oracle version of that, you want to make sure that you're covered there. 18 vulnerabilities resolved on that.
If you're on Java 11, notice that there's just the JDK. So the way that Oracle changed things in Java 11 is now JRE is no longer a separate install prerequisite at the endpoint that you have to run. The JDK builds the application with the necessary JRE components built right into it. So in a case like this, if you've switched over to Java 11, you need to update the JDK versions in your developers environments. Then they need to basically republish or redeploy that custom application that they've written so that the new JRE components get deployed there as well. Otherwise, those vulnerabilities are going to be hanging out there in your custom app because the JRE is packaged together with it now.
Thunderbird, nine vulnerabilities resolved there. VirtualBox had a couple releases here for different versions, fixed 10 vulnerabilities on each of those. All right. As you can see, there were a whole lot of vulnerabilities resolved outside of November and October Patch Tuesday. Again, that's why we talked about and have those additional weekly and regular content stream updates that you can tap into to find out what's going on there.
All right. We do have some interesting questions coming in, actually one of them relating to... Oops. I'm going to take back my control there. There we go. Leah made a comment here. For those of you who are on Microsoft E5 agreement, you get the first year of that ESU coverage for free. So again, there's a couple of different ways you could have free coverage. Just need to look into what those are and make sure you've got details around them.
Daniel had a question here around continued support for Windows 10 branches. This is again one of those where one of his colleagues was telling him there may still be security patches released for previous versions of Windows 10 that have gone out of service. Our understanding is, no, if you are on a version that the end-of-life has occurred, then no, you're not eligible for those continuing streams. Now, keep in mind that what's releasing, yeah, it might be for that branch, but it might be for only specific license cases. So I almost made this mistake this month just by reading through: 1703 reached end-of-life in October, last month, for Edu and Enterprise customers.
They released a patch update for the 1703 branch this month. But if you read carefully, it was only for Surface devices. So people may not be reading the full details of what's released in there. So for each branch, there's an end-of-life date for Pro. There's an end-of-life date for Enterprise and Edu. There may be continued support for Surface devices aside from that. Then there's the LTSB branches. Yes, there's the 2016 branch of LTSB. That's going to continue on for a while. But unless you've installed the LTSB edition, those patches don't apply to the regular branch equivalent of that.
So make sure that you've got the right versions and the right editions lined up on that. To our knowledge, though, Microsoft has not done a continued support for somebody on a branch and edition that has reached an end-of-life. If there is some information about that that anybody has come across, please let us know. But so far, we haven't seen any continued support scenarios for that. All right.
Delano asked a question around, "Does Ivanti provide any patch policies or procedures to aid in developing an effective patch program?" Delano, this is something where we host an Ivanti event each year called Interchange. Interchange 2020. The first event for that is actually going to be in Prague next year, but we'll also have a US event in Vegas following that about a month or two apart. So at that event each year, we have a session specifically on patch management best practices. Typically, we'll follow that up with a webinar of that same session.
So if you go to ivanti.com and go to our resources and under webinars. Hey, it's me. The search on here for patch, we should find it here. Okay. There was a blog post about it there. There is a webinar that aired for that as well that should be available to watch on there. I was thinking I'd find it on the search there but apparently, there's been a number of different practice webinars that have come up on there. We see down in our recent product category. Let's go into security solutions 2019. There we go. If you go down to the recorded webinar section and use those filters, it'll find it much more easily. But we ran this webinar in May. It covered what we did in that session at our Interchange event. So that gives us some good best practices and things there. We do have a variety of different guidance for people depending on your scenario, always more than happy to share that and help you to establish better kind of best practices around that.
Let's see, "How does Ivanti upgrade Windows 10 1809 to 1909, 1903, etc.?" So to Dan's question here, we treat it almost like a traditional Service Pack would have been treated. Basically, yeah, if you just continue to patch that system, you're patching it with the cumulative updates each month. But you can stage a service pack upgrade for that system. Depending on which product line you're on for us, if you're on our endpoint manager or our security controls or patch for Windows product, each one of those takes a slightly different user experience approach to it. But that basically, you set up the ISO for the branch that you want to go to. You schedule the install of that branch, and you have control over when it gets pushed out to those systems.
So there's slightly different ways that it works in each product. But yes, we do have support for that. Now, the 1903 to 1909 feature update flag, again, that one, we're going to be looking into once Microsoft makes that available to the Windows catalog. We'll be pulling that in and being able to support that very quick feature flag update for those on 1903 to enable the 1909 updates. Let's see, Brian. What have we got for additional questions that are going on right now?
Brian Secrist: Right. Hey, there. Let's see. You guys hit me with a lot of questions today, so catching up. It's a common question, but I just wanted to address it. People are asking about Server 2016 and install times. They take forever. I know they do. It's probably my least favorite thing to test on my content stream. Honestly, we've talked to Microsoft about it. We're kind of unsure whether we'll see resolution on that. As of Windows 10 1809, they changed their install package and that helped a lot. If you are upgrading Server 2018 in the future, you will see that go down, but I think Server 2016 is going to be notorious for install times.
There was one question about, do we have anything that covers Intel Graphics Driver vulnerabilities? That's a great question. Depending on our product, we do take in some vendor drivers. But it depends on the vendor releasing those associated Intel Graphics Drivers. That is something we've looked into in the future. We've looked into but it's become very difficult because it is kind of vendor by vendor basis. So at the moment, I'm going to say currently, your mileage may vary on that, but it's definitely [inaudible 01:00:17] directly from Intel, not currently.
Chris Goettl: Yeah. Just to add a little bit more detail about that. If you are running on our Endpoint Manager platform, we pull in the driver catalogs from Dell, HP, Lenovo. We basically make those catalogs available in the Endpoint Manager product. For the Patch for SCCM solution, we also can pull in those driver catalogs as well. So if you're running on one of those two products, we do have support for driver updates from the distributors. The Dells, HPs, Lenovos of the world. So that's where we do driver support today. So go ahead, Brian.
Brian Secrist: Let's see what else we have. See if there's anything that's super valuable to go over. A lot of the questions are actually addressed throughout the webinar. So I don't want to cover anything. I think we're actually looking pretty good just right on time.
Todd Schell: One thing I can add in real quick, Brian. There have been quite a few questions around SSUs in particular. I think one of the things there is that each one of the KB articles includes specific details on the order that SSUs should be applied. There was an update, for example, to handle SHA-2 information. So the SHA-2 resigning of the patches. There was the order around making sure that the proper order between the SSUs and the SHA-2 updates was applied. So I think if you have questions on that, go ahead and take a look at each one of the individual KBs for each particular operating system.
Peter had one interesting comment too. He said, "So if I'm up to date but now a new SSU comes out, would it make sense for me to apply the CUs for the month, wait a little bit and then apply the SSU a couple of weeks afterwards?" The answer to that is yes, that actually probably would be a good practice. Typically, an SSU is not an immediate requirement. As Chris said, it's typically two months before you would need an SSU to apply future patches. So I think that would probably be a good approach. Any comment on that one maybe, Brian?
Brian Secrist: Yeah, I don't have much to add there. It's really enough in our testing. The only OSes that require servicing stacks as a prerequisite are Server 2008, Windows 7/2008 R2 and Server 2016. Everything else, there is not a prerequisite to have the patch installed. But if you are running into patch installation issues, it's a great way and the first place to stop.
Chris Goettl: Continuing on with the OSes that are retiring in January, Rinaldo had a question about that. As I stated before, if there are certain cases where you're eligible for free from Microsoft or eligible under certain license agreements from Microsoft to continue patching those platforms, again, as we talked about before, like an E5 agreement, you're going to get the first year of those ESU updates for free. Then you'd have to pay after that. If you're running under certain volume license contracts, certain cloud based hosted environments, you may get free coverage for a while as well. In any of those cases, if you need us to support the content for that, that is an additional cost. We can't make those updates available publicly. We also have to continue to maintain infrastructure and test those updates for those platforms, and for a much smaller set of customers. So we do unfortunately have some operational costs with that.
So we do have a custom content support agreement that you can subscribe to. There's basically a yearly fee for that in addition to your existing product license. It's a flat fee. If it's 50 systems or 5,000 systems you're managing, it's one price for the year of coverage for that platform. If you do need more details about that, reach out to us and we can talk you through that.
All right. Any other burning questions that we think we need to resolve there? Otherwise, I think we got a lot of the big ones out of the way.
Brian Secrist: I think we're great.
Chris Goettl: All right. Well, thanks, everyone. Again, we'll talk to you guys in December at our next webinar. As always, thank you for joining us.