August Patch Tuesday

August 09, 2017

Chris Goettl | Manager, Product Management, Security | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris: Good morning everyone, and welcome to the Wednesday, August 9th "Patch Tuesday Webinar." So it looks like we've got a lot of new faces on the webinar here today, and several regulars. So welcome everyone. You know, this is gonna be an interesting one. I think it's by far gonna be the most boring Patch Tuesday we've had in a long time, which I think after, you know, the start of this year is probably a good thing. So, you know, for those of you who may be joining this one for the first time, usually we have a lot more excitement, a lot more, you know, kind of I would say maybe even madness to talk about. But yeah, we'll go through several things here. I'm joined here by Todd Schell as well. Todd welcome to the call.
 
Todd: Thanks, Chris. Hello, everyone. 
 
Chris: All right. And, you know, couple of housekeeping items. You know, as we go through this we're gonna do kind of an overview of what came out this month. We'll talk about some things in the news, some things you might need to be aware of, some things to watch out for. Oftentimes, this results around, you know, different product level announcements, changes with some of the vendors that we support, and how they're either delivering their software or availability of their software updates or things like that.
 
We'll get into a bulletin by bulletin view of Patch Tuesday. And last, we'll kinda go into some Q&A around this. So if you do have questions throughout the webinar, go ahead and just, you know, add those into the Q&A section. And as we wrap up here we'll try to get to all the questions.
 
First off, just kinda going through a general overview, for those of you new to our webinar series here, we try to bring a lot of information together as quickly as possible so that you guys have…you're armed with as much information as possible as you get into your change control processes, and into to your monthly maintenance.
 
So a few things that you'll see if you go to our Ivanti Patch Tuesday page, you'll see a few infographics. This is our summary level overview of what came out on Patch Tuesday. But if you go into the PDF version, there's a much more in detail bulletin by bulletin kind of view of this, where you see all 16 of these down in a more detailed level. You'll also see links to our blog that comes out on Patch Tuesday itself and links to both the PowerPoint presentation and the playback of this webinar. So for those of you who maybe need to send this on, and it looks like we've got a couple of people with some audio issues here. But for those of you who may need to step away or, you know, to handle other issues like that there will be a playback available later today as soon as we can get that converted and uploaded to the website. So check there for any of the follow-up material.
 
All right. So talking a little bit of news, first off Flash Player, Adobe has recently announced that they will be kind of tapering off of the Flash Player platform over the course of the next couple of years. And, you know, that was, you know, basically an interesting announcement from them but looking at…for those of you who know Brian Krebs, he takes a very interesting angle on Flash for the most part. He's always had a concern about this as it became the kind of most notorious piece of software on anybody's network.
 
So he had a very good write up of the announcement, the reasons why. He talks a lot about, you know, the decline in usage of Flash overall, the volume and why that's kind of attributing to that. So that's a very kind of in depth write up of that but he also goes into detail of...hey, you know, this is probably a really good thing for all of us because if you look at this, this is a fairly commonly used portrayal of the top vulnerabilities used in 2016. You can see here that almost all of them were Flash Player related. So it's probably a really good thing that we're gonna see this sunsetting. But just so you're aware Flash Player is gonna be declining over the course of the next couple of years here in and until it finally gets to end of life, which the official date for that…let's see if we can get that up here real quick. 
 
Here we go. All right. Which I saw it before…yup. So they'll be supporting it through 2020. So it's not a very concrete date yet, but they basically kind of earmarked it for declining and phasing out over the next three years here. So just you're aware that if you have any applications or anything like that built on Flash, that's something that you'll want to be looking inwardly to see about phasing out over time. The next announcement is around the Windows as a Service Update. 
 
So Microsoft just released this update here which, you know, for the most part, it really doesn't look all that much different than a lot of the information that's been released before. I haven't had a chance to go into an extreme amount of detail on this, but, you know, the announcement just came out on the 27th and goes into a bit more detail about, you know, Windows as a Service, you know. And actually, there is always questions about, you know, what is the current branch that I'm supposed to be on? How often are these things supposed to be happening? A lot of these questions are answered there. But Todd, you know, I know we've just seen this come out here but what are your thoughts on, you know, the Windows as a Service changes, and how it's gonna be affecting Windows 10 users.
 
Todd: Yeah, the big thing for us right now is terminology changes really. You know, we just got used to the CB and the CBB current branch for business terms, and the long-term service branch. And now Microsoft is changing those up. Essentially as you can see here, they're changing the model a little bit. Each release is now gonna be supported for 18 months which is in line with what they were doing before. But the difference now is they're combining the concept of the current branch which was really, you know, like an early preview or a beta if you wanna think of it that way.
 
They're changing the concept and saying, ''You know our releases are pretty solid now." 1703 when it came out it was essentially, you know, really production readymade. It didn't really need to go to a limited number of people. So we're gonna combine the CB and the CBB branches together and we're going to call it this new thing called a "semiannual channel.'' And you can see that they're targeting releases in March and September. I saw in here that, you know, Ben had asked about, you know, when is the current branch for business for 17.03 coming out? And Microsoft goes into some detail in this article talking about they're going to now release 17.03 release in September which will be in line with the semiannual channel approach. So just kind of be aware of that.
 
They are still, like I said gonna support each release for 18 months and there will be feature updates twice a year in March and September. And really one of the reasons they're doing this is they're aligning this along with the Office 365 releases that they're doing. So they're synchronizing all that together with all these releases.
 
The other change here is when they originally announced the long-term service branch, they were talking about like a five-year lifetime on that. You can see that they've shortened that down to two to three years now. And they're expecting their next one out as shown here in 2019. 
 
So for those of you that are using a long-term service branch for specifically for like point of sale machines and things like that expect the terminology change long-term service channel now and the next one will be coming out probably in 2019. So we have to get used to some new terminology, but basically, the concept is the same. It's just that there is no CB or CBB anymore. So back to you Chris.
 
Chris: Yeah. And this probably solved the biggest question that we always had which was, Okay. We were only supposed to have a CB and a CBB, but what happens when the next one comes out? What's still in support? Well, under the semiannual channel, you know, view of the world, anything that's within its 18 months is still supported. So really you'd probably have three of these at any given time which the CB and CBB frame of reference didn't really cover very well. So I think Microsoft's change here is just trying to get away from that. You don't just have two in play. Each one will just have an 18-month life cycle and then it will phase out. So as long as you're on A channel release that is still within its 18-month lifecycle, you're still good.
 
So Ben, I hope that helps answer your question there. You know, we'll obviously be going through more detail on this, and making sure that we can answer questions like this down the road as well more clearly. But again, I think this is looking to smooth out some of the confusion that a lot of people had over, ''Where am I supposed to actually be? Which was kind of difficult up until now.
 
All right. So last one here, this was just a more of making sure that you're aware. At the end of July, Microsoft actually released a round of Office updates that included three security fixes.
 
So if you've not done the end of July Office update that came out, do make sure that you account for that in your Patch Tuesday maintenance window here as well. As we go through the Patch Tuesday webinar here, you're gonna see that the only update for the Office platforms that released this month was actually just for SharePoint. But when you go to look at those systems, you should also expect that if you haven't done patching more than once a month here, and you did it before July 27th that you'll actually be seeing some other Office updates as well that actually came out, you know, just a couple of weeks ago here. So just be aware of that. They were all rated as important. There was nothing critical in those. So that's why it was a little bit odd that it came out of, you know, in what would be considered an out-of-band rather than, you know, usually an update at that time of the month would have been non-security related altogether. So, you know, it's just one of those things that you'll wanna make sure that you get that update in place.
 
All right. This month there were no publicly disclosed...there's a couple of public disclosures, but there were no vulnerabilities that were identified as being exploited in the while this month. So that's good news there. There's still several criticals to worry about and we do have these two public disclosures. The first one is a lower severity of vulnerability and one that would take a few more hoops to jump through to exploit. But in this case, it's vulnerability in the Windows subsystem for Linux, which could lead to a denial of service attack. The attacker could exploit this vulnerability and cause the local system to become unresponsive. So to do this, they can run a specially crafted application that can send requests request to the Windows subsystem for Linux, which would then make local system become unresponsive. 
 
By the deeper read on this one, it requires a number of things and a level of code complexity that's making it less likely that this will be exploited at some point. But the biggest thing there is the fact that, you know, this has been publicly disclosed already which means that you know, an attacker has additional advance notice about this vulnerability and could have been crafting something to take advantage of it in advance. So that's one of those indicators of risk that we keep a close eye on to make sure that you're aware of, and, you know, can respond to things more quickly that could result in, you know, an exploit in the near future. 
 
Now, the second of these two is actually a higher severity. This exploitability index is rated as one which means its exploit code is likely. The fact that it's been publicly disclosed that means that, you know, there's a good chance that if an exploit's gonna be coming out in the near future. This is, you know, the top suspect vulnerability being resolved this month that would be targeted.
 
Windows error reporting elevation of privilege vulnerability. In this case, an attacker could exploit this vulnerability and gain greater access to sensitive information and system functionality. This one doesn't give them total control of the system. It wasn't clear how much control they gained, but it wasn't total ownership, but it definitely allows them to get more than what they should. So in a combination like this, if you've got a scenario where the attacker exploits this, they may be able to gain access to more of the system to be able to exploit something additionally that would give them full control.
 
So those are the two public disclosures that we've got. And when we go through all the slides here you're gonna see those marked in…highlighted in red as we go through several slides here. The first one, the Linux denial of service is on the Windows 10 platform I believe, and the Windows error reporting was across all of the operating systems.
 
All right. A couple of known issues to be aware of as well, and you'll see these on each of the respective slides as we go through those as well. This month's monthly roll up for Windows 8.1 and Server 2012 R2, and if you're using the security bundle option for that platform, the IE Cumulative for 8.1 and 2012 R2. If you apply that update, this is a known issue that could occur there. NPS authentication may break, and wireless clients may fail to connect.
 
On the servers that you can set the DWORD value that would make it so that you can work around that issue until a fix is in place. So if you do apply that update to either your Windows 8.1 systems or your Server 2012 R2s, you know, that's…it's in the IE Cumulative this month. So if you're doing the monthly roll up, it's being put as part of that. If you're doing the security-only in the IE bundle, the IE Cumulative is where this known issue comes into place. 
 
Windows 10 or the Edge browser if you install KB4034674, it may change the check in Arabic languages to English for Microsoft Edge and other applications. So that's an issue there. And then for several of the updates on Server 2008 this month, you need to make sure that your language packs, if you have any language packs that you're applying those have to be installed before this month's patching. If you do it after this month's patching it will revert many of those updates and you'll have to redeploy them.
 
So for the most part, you know, if you've got a language pack, it should already be applied to those systems. But between now and September if you stage a new system patch it up to date and then apply language packs as you're rolling that out, you could revert several of those security fixes for the 2008 platform. So a couple of things to be concerned about there.
 
All right. We're gonna switch into going into more depth here bulletin by bulletin and talk a little bit more about what came out this month. So Todd, take it away. 
 
Todd: Yeah, just as we go through these, be aware that these bulletin numbers are ones that we've created here at Ivanti just to kind of keep the old system going. And so, you know, as an organizing principle for those of you who are using some of our products you'll see these bulletins in our content as well. So you can help use them to organize and, you know, group things together by operating system or Office or things like that. So we'll go through each one of these in more detail.
 
Obviously, you know, Windows 10 continues to be the focus for Microsoft and this month was no exception. They addressed 42 vulnerabilities this month. The large number…the largest number of any of the patches that were released this month per operating system. As Chris mentioned and talked about the two reported vulnerabilities, I have them highlighted here 8627 and 8633. So just be aware that those are, you know, have been reported and are available in the public for right now.
 
We're seeing the full spectrum of impacts with these fixes this month. So important to once again continue to update, you know, whatever version of Windows 10 you're running and your Edge browser as well. And as Chris mentioned this known issue about reverting back to English when you apply these fixes to your system.
 
Next one Chris. So the next one is, you know, jumping backwards in time a little bit around Windows Server 2008. A number of security updates released this month. There are eight separate KB articles. There were two particularly critical fixes related and fixed this month. One has to do with Windows Search and one has to do with the Microsoft Jet Database Engine. Those could result in remote code execution. So just be aware of those.
 
I've listed the nine vulnerabilities here that were reported this month. And again, as Chris said, it's important that your language packs are in place because if you do apply a language pack after these fixes have been applied, you'll have to go back through and they'll show up as not applied, and, you know, the systems automatically detect this. So it's not an issue, but once again it's more of an operational thing just keeping up and making sure that your systems are properly patched. So they would be vulnerable for a month if you had applied the language packs after, and didn't pick them up until next month. So just be aware of that.
 
This month's monthly roll up for Windows 7 and Server 2008 R2, once again we grouped these together and so does Microsoft basically because it's the same operating system kernel. The monthly roll ups also include IE as we report every month. So you'll see down below there were 10 fixes specifically for these operating systems and seven additional IE vulnerabilities and we'll cover those in a later slide. But essentially, there are no problems with this month's monthly roll up, no known issues. So if you are running these operating systems go ahead and apply this cumulative update.
 
Next up is the monthly roll up for Server 2012. Similarly, there's only one additional vulnerability then was fixed for the previous one for Windows 7. So this month there are 11 fixes which are shown here. Again, as Chris had said, you know, the one that's publicly reported here is 8633. Like the previous roll up, this roll up also includes all the IE fixes. You can go into the bulletin 4034665 for details of exactly what's fixed with this monthly roll up. And again, it includes everything from October until present. So feel free to apply this if you're going with the monthly roll up approach using the cumulative update every month on your systems. No issues around this particular patch as well.
 
Moving on to Windows 8.1 and Server 2012 R2, again basically the same vulnerabilities were addressed as in the previous monthly roll up. The exact same list, exact same fixes. As Chris mentioned earlier, though however, this one does have a known issue with NPS authentication. So make sure…he had given the details early on that earlier slide about going in and making a modification using the DWORD. That KB article down below provides the temporary workaround to get this two to work properly.
 
Getting into the security-only updates, once again these are just the updates for this particular month. You can see that we provided a description of exactly what was touched with each one of these updates this month, the various components in the operating system. These are identified in the KB Article 4034679. But we're kind of seeing across each one of these this month is remote code execution problem. And that's really where your critical fixes come from. Denial of service elevation of privilege and information disclosure, same kind of vulnerabilities that were addressed in the monthly roll up, although in this case, there were no known issues. So you can apply all of these individually if you're going with the security-only approach with your updates each month.
 
Once again, security-only update for Server 2012 same 11 vulnerabilities address. Keep in mind that the security-only updates do not include Internet Explorer, unlike the cumulative updates, so you would have to apply those separately. We'll address those here in a separate slide coming up. So basically the same approach here with Server 2012 is the 7.7 and Server 2008 R2.
 
And finally, the last security-only update 8.1 and Server 2012. Very similar to all the previous. Once again applying each one of these patches individually across all 11 vulnerabilities.
 
One note…sorry Chris, I didn't mean to advance there. Go back one real quick. I have a note in here…that we had announced in the last two months that they had an issue with using ISCLI [SP] devices. And they announced with this particular set of security-only updates that they fixed that problem. However, there is one problem around identifying ISCLI devices with the UI. If you go into the KB article here 4034672, it gives more details, but you won't have a problem with mounting ISCLI devices anymore that resulted from some of the patches released in previous months. So I just wanna bring that to your attention if that's something that you were running into in the previous months. Thanks, Chris. Next slide.
 
As I said, you know, they do separate updates for Internet Explore. This addresses the updates that were released this month. They do both the cumulative as well as the security-only updates. There were 11 KB articles released this month in conjunction with Internet Explore fixing seven vulnerabilities. There was one obviously with remote code execution which pushes this one up to critical, so make sure that you do this, that you do apply this patch. There was also a security bypass, a security feature bypass issue this one as well, so just be aware of the impact of that. It does require a browser restart, but these are pretty straightforward to apply.
 
As usual, our usual security updates for Adobe Flash Player, number of vulnerability sticks this month around remote execution and second one on information disclosure. Be aware that these two vulnerabilities 3085 and 3106 need to be spicks because it is a critical update. Pretty straightforward once again kind of standard for the release of Microsoft for all their operating systems.
 
Chris: Yeah. So Adobe had a few releases this month, and their severities around some of these were kind of interesting this month. As I was going through and taking a look at the Flash update, you know, there's two vulnerabilities being resolved. One of them was a critical vulnerability. The other one was rated as important. And with the nature of Flash, you know, it's pretty much always rated as a priority 1. I can't recall the last time a Flash update was not a priority 1 update. So, you know, that was no surprise.
 
What was really kind of surprising though is when you get into the Mozilla one…let's see here. I might have to jump back up here in a second. Yup. So the security update for Acrobat and Reader, there were a total of 67 vulnerabilities resolved in this update. But Adobe rated it as a priority 2. Now I went in a little bit deeper to look at that because I've seen some pretty big Acrobat updates that had, you know, 60 plus vulnerabilities resolved and none of them were really critical. This one, 43 of the vulnerabilities are rated as critical. You know, so it seems to have a number of issues in there.
 
So one thing that we're doing on this webinar is we're suggesting the priority on the Acrobat and Reader update this month. You might want to address it a little bit more urgently than, you know, Adobe addressing it as a priority 2. You know, I posed a direct question to the Adobe security team about that and I haven't seen a response back yet. But it's just a matter of I'm trying to understand why they rated that the way they did. They don't go based on critical, important, medium, low, like Microsoft does. They do priority 1, 2 and 3. 
 
You know, the fact that Flash Player had one critical vulnerability and the Adobe release had 43, you know, what's their definition around that? So there's an open question about that where in our product catalogs, you're gonna see that the vendor severity is equivalent to what their priority 2 would be in terms of how our products determine things which is critical important. So priority 2 would be rated as an important in our product catalogs. But again we're kinda urging more of put this as a priority 1, put it as a critical update and get it out a little more quickly just to make sure because it just seemed a little bit odd. 
 
All right. Taking a step back here, Mozilla had a release this week as well. They released the Firefox 55, which included 29 vulnerabilities that were resolved, and about five or six of those were critical in nature. There were many more highs and a few mediums and lows, but…so there's definitely a number of things that are exploitable in this release. So definitely, one you want to try to get out as quickly as possible.
 
And for those of you on the ESR branch, the Firefox ESR 52.3 did come out as well, and it does resolve a number of security vulnerabilities as well. I think I might have actually miscounted. I think it's 28 instead of 29 vulnerabilities resolved there. And there were a few more criticals on the ESR branch than there were on the 55 branch. But both of these definitely ruled them out to your environments.
 
All right. We got a couple of important updates here yet, Todd.
 
Todd: Yeah there are a couple of other Microsoft updates this month. The first one, they reached back and touched SharePoint Server 2010. They had one vulnerability that showed up around…and it had a spoofing impact. You can take a look at this old KB2956077. A known issue with this one, obviously since it's such an old system. You must have Service Pack 2 installed before applying this security patch. So just be aware that there is an update if you're running an old SharePoint server.
 
Also listed as important this month, they had a number of updates for SQL Server. It touches 2012, 2014 and 2016. They had three separate KB articles for each one of those particular versions. It's all around one vulnerability, 8516. Rated important because it's really only an information disclosure vulnerability. They also had a note in the KB articles that they have released the cumulative updates for each one of these SQL Server versions. And that this patch will be included in that cumulative update for each one of SQL Server. They said that you can apply either this individually or that you can apply the cumulative update, and you'll be covered either way. So just be aware of that. They haven't had any other issues reported around these particular patches.
 
Chris: Yeah. And interestingly enough, this is the first time that SQL has released an update on Patch Tuesdays since November of 2016. So it's been a while. Yes. Yeah, so for the most part in 2017 here we've only seen the CU updates which there have been a couple of security fixes included in a couple of those. But this is the first time they've done a Patch Tuesday released in quite some time. It is only rated as important, you know, so it's a lower severity. So take your time and get it tested properly and then, you know, roll it out when you're ready. 
 
All right. So one thing we do is we often, you know, there is a challenge with, you know, a lot of the third party vendors. They don't always release on the same cadence. It oftentimes can be a challenge to convince your organization that patching up some of these applications you've gotta do it a little bit more diligently. You know, the Ivanti stance on this, if you attend any of our kind of best practice sessions around patching or anything like that, we will suggest that, you know, especially for end user machines and systems that can go off of the network. It is highly, you know, recommended to patch those systems more frequently preferably once a week even. You know, we typically release content twice a week, and you can see here that there were a number of security related updates that came out throughout the month.
 
Java last month's released there's the week after Patch Tuesday. There were updates for Acrobat, Adobe Digital Edition, Wireshark had a couple iTunes, FileZilla, Apple iCloud, Opera, Chrome and had a couple releases, a lot of applications that were updated throughout the month. And one of the challenges there is the fact that many of these applications are user facing. And the user-targeted vulnerabilities are the first stepping stone that an attacker needs to get onto your network. So the reason why we put such urgency on this and recommend this is making sure that you're plugging many of these gaps as quickly as possible. So for things like Chrome and, you know, Wireshark which is a commonly used tool within your own I.T. organization you may find it throughout your data center. If you're not updating those applications frequently those are those are vulnerabilities that an attacker can take advantage of. 
 
So we put this together specifically to, you know, kind of reflect that and, you know, help people understand the urgency around patching potentially more frequently than once a month for your end-user systems.
 
All right. Onto the Q&A. We've got a number of questions here that we're gonna go through. So let's see if we've got all this. We had a question from Ben. Any news on the resolution for KB3191898? I haven't seen any details on that one, Todd.
 
Todd: No, I just replied too, I haven't seen anything come out on that yet either Chris.
 
Chris: Okay. If we can pull out this article real quick and get a little more detail here it's not ringing a bell, unfortunately, but let's see if we can get some more detail here.
 
[00:33:15] [Silence] [00:33:25]
 
Chris: Okay. It looks like there's still a lot of general discussion around this. And then the recommended approach right now is to roll back the update. Yeah. So it looks like a behavioral change more or less. And, you know, things are for some people that's blocking it altogether. So I would first suggest if you haven't already you may need to open a case with Microsoft because it looks like there's a number of people talking about this, but there hasn't been a response from Microsoft specifically on this yet.
 
Yeah. I don't have any more on that one right now. I apologize for that. Let's See. Menno [SP] had a question here and this one gets into a little bit of product but even more of just like a best practice. So his question here when he originally started on with the LANDESK product brought out…basically just set it to auto-fix any missing critical and important updates to get caught up. Okay, that's yeah, I would definitely recommend, yeah, just if you're, you know, just coming on to one of our product lines and trying to get caught up, you know, it might be a good idea just to rollout in mass to a small group. And then as you get comfortable with it expand it up from there. But his continuing question here is now that they're moving on to Windows 10, and they're fairly up-to-date, they're all on 1607, the question is, "What's the best way to pilot these updates coming and then deploy to your workstations?"
 
So, Menno, this is, you know, one of the things around…there's a lot of ways to do this. The best guidance I can give there is you want to create a pilot group within your organization that's gonna get the updates sooner than everybody else. I can talk about a couple of very large well-known accounts of ours that patch their systems in a very fast timeframe. One customer, in particular, they patch 88,000 end points in two weeks or less. That's their target for that. And how they do it is basically as soon as patches come out on Patch Tuesday, they evaluate and by Thursday that we they start rollout to the pilot groups. And, you know, between, you know, that and the following week, they've got time to identify and flush out any issues and be able to, you know, put the brakes on if something really bad happens. Otherwise, the rest of the organization gets it on week two. 
 
You know, with a lot of the major exploits that we've seen this year so far, you know, the SMB exploits which arguably this was kind of a perfect storm combination of some bad exploits that we saw this year, but it's a magnified view of the reality. If we don't get highly exploitable updates in place in a timely fashion, they're going to be used against us. And the fact that those updates were out there for three plus months in many organizations allowed an attack to happen at a very global scale. It kind of paints the reality of this. We've gotta try to be faster about plugging critical vulnerabilities. And it can be done in a faster timeframe. So my recommendation there again is create a pilot group. That pilot group does need to be made up of real people, not just the systems.
 
One of the problems that you'll have is I.T. will struggle to test things thoroughly because they're going to do things like, ''Yes I applied the update. The system came back online. I can open and log in to critical applications.'' But what happens when the image rendering or the printing or the ability to run a specific job was the part that got broken because of an update? Those are the types of issues that usually bite organizations is when it gets to that next step, ''Yeah we smoke-tested everything, but we ran into something further downstream.''
 
So and this is something that for the most part your department heads throughout the organization in most companies I've talked to, they're usually very on board with this approach. Talk to them, find out who their go-to people are, the people who are a bit more tech savvy, the people who can respond to issues, and, you know, be more flexible to get issues resolved. And basically, the person that within their own group everybody else turns to when something goes wrong. That's the person that should be in your test group, your product group. 
 
Get them in, get that first round done in that week, you know, right after Patch Tuesday, you know, that, you know, Wednesday, Thursday, Friday into that first week. And by early the following week, you should have a very good picture of all your critical apps either being good to go or having some severe issues where you want to pull certain groups out of the patch cycle. So that would be my recommendation there. And, you know, whether you try to condense it into two weeks, three, four weeks, the goal there is still to try to get it in that two to four weeks' span as frequently as possible.
 
All right. I see a question from Ben. So, Ben, I'm guessing this is the possibly the former Shavlik product that you're referring to, but in Ivanti patch, should you remove all patches that were in the approved patches over the years, you can do that cleanup, but the engine is designed to account for that. So if you're doing a whitelisting approach, right, every update needs to be approved to go out to production kind of thing, what we call the baseline approach. If I choose different updates throughout the years and several of those supersede each other replace each other, the engine knows that and it will be able to trim those additional updates out so that it's doing things still fast, efficiently. And if for some reason one of those older updates became missing again and the newer version of it were there, it would still only push the latest needed to make sure that both of them get resolved. So you can do that for your own purposes, but the product knows how to sort through those things and has the intelligence to operate with or without those additional legacy updates still in the list.
 
Rick had a question. Are these slides posted after the call? Yes absolutely. So from our webinar's page and from our Patch Tuesday page, you'll be able to get a playback of the webinar and access to the slide presentation here later today as soon as we get these converted and uploaded.
 
John had a question regarding APSB17-24. The update's not available within Shavlik patch for SCCM. So yeah, John those the content team is actually working on those today. So there is…right now we're on two different cadences for the respective products. The patch for Windows catalog, that is on Tuesdays and Thursdays every week. The patch for SCCM catalog is Wednesday Friday. So the Patch Tuesday updates that's gonna be coming out here very shortly today.
 
Now one thing we are doing just for the all new patch for SCCM users out there, we're working to get those two cadences overlapping so that everything goes on a Tuesday-Thursday cadence. That way the patch for SCCM catalog gets updated as soon as possible on Patch Tuesday as well. We had to basically get the bandwidth needed to be able do things on the same days because that Patch Tuesday is kind of our busiest day of the month. I think that if I remember the stats correctly, it's upwards of 30% of all content we released for the month goes on Patch Tuesday itself. So, you know, obviously getting all of the detection logic, testing everything out and getting it all released. It's a lot of work to do in one day when it's our heaviest day of the month. But we've been expanding that team. That team is getting trained up to the point where we're hoping that we can bring those in alignment very shortly here.
 
Okay. Oscar, had a question. I was patching using the latest Office 2010 update. From my understanding, an attachment issue. Oh regarding the... Yeah. Again, I haven't seen any additional updates beyond the one. So I don't know if we're gonna be able to comment anymore on that one right now. Anish [SP] had a question here. If you've got a newly built Server 2012 R2, it is not taking KB2919355. You know, that…we'd probably need to go into more detail on that scenario. You know, that if you haven't already, open a case with the support team and if there is some type of dependency there that's not being met, they'll be able to dig in and identify what that may be so you can get that resolved.
 
All right. Oh yeah. Menno, yup. Not a problem there. Let's see. What recommendation do you suggest for updating traveling clients with laptops? How do I prevent rebooting if they're in the middle of a presentation? So one thing, you know, regarding Ivanti right now is we do have a variety of patch solutions. For those of you new to the company, you know, we have a series of products that came together over time here. And, you know, we've got slight variations to what each of those technologies can do. So regarding that question there, we are, you know, working to align all of our product sets, you know, to the point where you get the same functionality across them. But there's kind of two things that I would suggest there. One, many of our products have a cloud enabled mode where you make it so that laptop can be patched whether it's on premise or off. 
 
And so, for our patch for Windows side, that is our protect cloud. It's a hosted cloud enabled agent option were basically register your console with our cloud service, and that opens up a pathway for that agent to continue to get policy updates and return results even when it's off network indefinitely. For those of you on the Ivanti Endpoint Manager Legacy LANDESK product, we have the CSA gateway which is an appliance that you basically host in your DMZ, which does the same thing only instead of us hosting it you're hosting it in that case. But you can enable that laptop to go on and off network.
 
And, you know, the question around reboot, again depending on which one you're in, there's several cases where you can delegate reboot decisions to the user where they can choose to reboot with an extended period of time before it forces the reboot. You can do things like reboot at the next occurrence of a specified time. That's an example from the patch for Windows side. So there should be some options and some flexibility there that should be able to help you out.
 
All right. Let's see. Patches just now showing after scans shows missing patches from 2015 that did not show up last month. So, Ben, that is a good question, one that I think I know the answer to. Let me see if I can pull this up real quick. There was, you know, new product support added. And that may be what is causing that to come up on your system there. So that's where I'm just trying to get back to the scenario that I'm thinking of here so I can reference that.
 
So this month and let me go back here actually one second. We added support for people, Server 2008 R2 Management Studio, are the updates you're seeing for that because we just added support for that Management Studio product. And with that, a number of security updates dating back all the way through back to 2015, were just released for that. That may be the scenario you're seeing there. Otherwise, I would suggest getting a hold of the support team. And let's dig in a little bit deeper.
 
It could be anything from an update being rolled back on the system, a product being uninstalled or a new product having been installed. Each of those types of scenarios could roll back the status of updates on your environment there. So that's the, you know, the one possibility of, you know, a product that just released that might have done it or some other scenarios that could have caused that.
 
Tony and a question. Referencing the cleanup of patches, does a software do the same for end of life service packs? I think I understand where you're coming from there Tony. For an end of life service pack, you know, we're always gonna do a detection of the service back because we need to understand that to properly detect what updates are missing or installed in the system. If you have approved certain legacy service packs but you've approved something newer, it does the same thing there where it says ''Oh you're at this service pack level. I'm gonna take you up to the latest one' even if you have some older ones approved as well." So again it should, you know, our engines should be going towards the latest of each of those as the desired state that it's getting to.
 
All right. Well, more questions here. Neil had a question. Is there any foreseen change in Ivanti and MS patching process for new SCCM 2016? So Neil, I know and Todd actually this might be a good question for you, you're in the more day to day on this. We've got a couple of things we're looking into for the latest SCCM releases. Can you speak to that real quick?
 
Todd: Yeah, sure. So we're actually currently updating the patch for SCCM product to support the latest releases. There are some changes required in the plug in and we should be releasing those here within the month. So it's in final QA testing right now Chris.
 
Chris: All right. Thank you. Paul had a really good question here. Is it safe to remove Visual Studio C++ 2005 Redistributable? It is end of life, how do you check for dependencies? What do you recommend? That is a very difficult question to answer. You know, there's oftentimes no way to tell for sure what on your system was dependent on a C++ runtime. My recommendation there would be, you know, single out one of the systems that definitely has that, verify if it has a newer supported C++ runtime and, you know, in that case uninstall the previous and then test the critical applications on that system. You know, unless you go vendor by vendor and ask specifically if they've moved off of any of those dependencies, it's rather difficult to tell because it's not an easy problem to solve for sure. But I definitely understand your concern there. We at least try to do our best to flag things that are end of life so that you know they're there. But yeah, that's a tough one to solve there.
 
Ron, had a question. Does Ivanti have an email notice service that sends out an email when Ivanti receives a new patch or update from a vendor after Patch Tuesday? We do have that and as we consolidate in each of our catalogs down it's gonna be easier to maintain. But let's see if we can find this easily. Now, this is something that is coming over from some of our legacy websites going away. So as we do that, we're trying to make sure we keep this alive. And it's been an on again off again for a little while there as the old websites got turned off. Oh shoot, I'm trying to find where that is. ivanti.com. But, yeah we've got a notification system for this and let's see if I can find it. Todd, do you remember where we moved that content announcement link?
 
Todd: I don't have it hot here, no.
 
Chris: All right. So Ron, if I can't find it here in like the next 30 seconds, we may have to...you may have to contact support to do this. But we do have a sign up for that. It's a mailing listing that you get email notifications. And actually, I was literally just looking at it here. You can see here is all the XML announcements that came out. I track them on my Gmail account regularly as well. But that is available, and there is a sign up for it, just matter of…I knew where it was on some of the older communities. I don't know where it is on the current one. So you gotta contact the support them and they can definitely get you to the right place to get you signed up for that.
 
All right. Mahesh, how are you doing today sir? Good to see you. We're looking forward to implement the extraction for patch for Window Server with our existing license. Extraction will allow us to create a dashboard reporting patching for Window Servers for managing. All right. So yes, your existing license of the patch for Windows entitles you to extraction standard edition with a connector for patch for Windows. So this is something for any of you who are using any of the Ivanti products.
 
The majority of the products have a standard edition that have a connector for our extraction product that allows you to get access to some additional dashboards, web-based access to reporting things like that. It's a very, very cool tool. It also has the ability if you're using multiples of our products to bring that reporting together in one place. The only exception to that rule is unfortunately on the SCCM side. That's one of our tier 1 connectors. So for those of you using our patch plug-in for SCCM, there is an addition of that new purchase the connector for SCCM and that's where you get access to that.
 
Oh yup, Michael thank you. Yeah, and this is what I was thinking happened right now. For the moment we've got this on a...we're trying to migrate this over to the Ivanti website yet. But the Shavlik website is now down. So for…let me get back to Ron here quick. I'm gonna send this out to you there. And actually, I'll send this out. Anybody who's interested in this, I'll send it out to all attendees to the chat real quick. That's how you get to that subscribe form because that's where you'll see the…what's consolidating down to be the Windows catalog going forward. That's where you'll get email announcements for that directly. And thank you, Michael, for sending that over I appreciate that.
 
Todd: Yeah, we are working on migrating that, Chris, over to the current Ivanti site.
 
Chris: Yes. Yeah. I just didn't know the status of that project. And yup, Daniel has found it as well so thank you guys for sending that over. I'm trying to sort through and make sure we get to most people's questions here. All right. Machines showing missing patch count 1. It's looking for Office 2016 when user actually has an Office 2010 or Project 2016. Okay, so Ruddell, [SP] the scenario you're in you're doing a mixed Office install. There's…what I would suggest here is you're possibly in a case where that mixed environment is coming up with a patch that looks applicable, but may not be or vice versa it may…you know, there's a couple of ways that can go. Open a support case. What they're gonna do is they're gonna be able to get a deeper assessment off of that machine and get that logic over to our content team so we can sort out exactly what needs to be done.
 
One other thing I would suggest doing is before you contact the support team, run that patch manually, the one that was being identified as being likely needed for that system. If it comes up saying, "This is not applicable to that system," most likely what's happening is it's a detection issue where with all the permutations of how you can mix and match Office on a machine it is possible to get a scenario where we could have a patch that for all other detection purposes should be applicable to that system. But because you do just one subcomponent of Office, the detection thinks it's applicable, but it really wasn't. So that one you're definitely gonna need to contact support or they'll be able to get you sorted out and get that detection updated if it's something that should not be applicable. All right. Let's see.
 
Todd: Chris, I could answer the last one there that came from Paul. He was asking about the SCCM plug-in and the difference between where you're running WSS and where you're running your console. The answer to that question is yes, we have fixed that problem. It will be released in the fall release which is kind of scheduled right now sometime right after midnight. Chris.
 
Chris: Awesome. Thank you, Todd. Perfect. Let's see. I've got everything in the Q&A. So let's see if there's any more in the chat side here that I've missed. All right. Rusty had a question. Will existing agents be upgraded automatically to the latest version once the console is upgraded? Yes, absolutely. For the formerly Shavlik…the patch for Windows Server product, when you upgrade the console, the agent will auto-update automatically when it when it goes through all that. One thing to check Rusty is if you are using distribution servers after you upgrade, make sure to queue up a sync to your distribution servers. If they're distributing agent updates as well content and such that will make sure that the agent update is available out there for the systems as they start to check in so that they don't miss a window.
 
Let's see. Are there any future advances in having the ability to remove third party patches completely, such as a right mouse click tool type of addition? So, Bob, that's a pretty good question. Depending on which product you're in, obviously those on our full endpoint management platform, you know, that obviously would have, you know, our patching endpoint security features there can also rely on our endpoint management capabilities which have the ability to remove software. That is something where if you're not on that product, put in a feature request for that. We've talked about it many times. There are several requests for it and our backlog. Just a matter of priority wise. It's is climbing the list, but it's not top of the list yet. So enter a feature request on that, and that will help push that up the priority list.
 
Let's see Additionally, I need to upgrade WinZip 21 from 15. I didn't see that as an available option. Will this be available? So actually Bob, one thing that we should probably do and this is something that Todd and I could definitely use a deeper conversation on. One, to understand, you know, which product you're on whether it's our proprietary or if it's the patch for SCCM product line. We talked about a couple of different scenarios there. One of which is, you know, you've got the need to do things like when it comes to managing software you can install that new, update existing, upgrade from one version to another or remove. So basically the two questions you have there are two of those elements that we talked about. And that's something that Todd and I have had conversations around. Reach out to us here. Let's talk more about that, and it'd to be great to get some feedback from you specifically on that.
 
All right. I think we got everybody all questions answered here.
 
Todd: There was one last question on the Q&A section again, Chris, about pulling superseded patches that Microsoft may pull. And the answer is yes, we are in sync with that and we do pull them.
 
Chris: Yup. As quickly as possible as well. Usually, in fact we have been known to pull a patch earlier than Microsoft if bad things are happening. So if we see something catastrophic with an update, oftentimes we'll be submitting to Microsoft before, you know, we release it out to our customer base. That's only happened a couple of times overall that I've been here and I've been with the company for 13 years. But yes, whenever an update comes out that Microsoft pulls or any other vendor pulls, we will likewise pull that as quickly as possible once we've identified that it's happened.
 
All right. Well, thank you, everybody for joining us today. A lot of great questions, and a great turnout. The playback and the presentation will be available here this afternoon as quickly as we can get it turned around. And looking forward to talking to you next month. Thanks.
 
Todd: Thanks, everyone, bye.