June Patch Tuesday
June 14, 2017
Chris Goettl | Director, Product Management, Security | Ivanti
Join us as we recap the Microsoft and third-party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure and test adequately, and which patches should be highest priority to roll out.
Chris: Good morning, everyone. My name is Chris Goettl, and with me today is Todd Schell. I'm head of our security product lines from a strategy and product management standpoint here at Ivanti. Todd is on my team and manages all of our patch solutions. For those of you who are new to this webinar series, what we do around Patch Tuesday is some analysis of what's coming out, the issues that come up, and a lot of trying to pull together the right information so people can be more effective in their monthly patching. For those of you who follow other media we do around this, I do a forecast the week before, and this month I was about half correct. I estimated we were going to have a light month from Microsoft and a pretty heavy third-party month. Well, my Microsoft estimation was a little off, and we're going to talk about that today.
Todd, we have a switch here this morning. You're in Minnesota, where I usually office, and I'm in Virginia, so we're running around the nation. Last month, we were both in Las Vegas. How's the weather in Minnesota?
Todd: It's beautiful, today. We had a big thunderstorm last night, but it's crisp and clear and nice this morning.
Chris: It's very hot here in Virginia. It's not as hot as it was yesterday. Yesterday was mid to high 90s. All right, I think we have most people joined in who are going to today. As I said, today we're giving an overview of June Patch Tuesday, including a bunch of news that's happening, some big things happening. We'll go through bulletin by bulletin, or, with Microsoft dropping the official bulletin model, we'll call it update by update of what released yesterday. At the end, we’ll try to answer any questions you might have.
In the News
Let's start off by talking about some of the big things that occurred this month. I would say the biggest piece of news is that Microsoft released additional updates for Windows XP and Server 2003. For those of you who haven't seen much of the announcements going out, Microsoft did a risk assessment of a lot of the disclosures that came out of the Shadow Brokers data drop. This was a number of things that led to the WannaCry Attack―a number of SMBv1 exploits, a series of exploits called Eternal, like EternalBlue, and a series of other tools like Double Pulsar, which made it possible to weaponize and use those in a massive global attack like WannaCry and variants like WannaCrypt and others we've seen since then.
Windows XP and Server 2003
Microsoft did a deeper risk assessment of what was out there. They looked at a number of things in that drop, other risks and disclosures that have occurred, and they decided to release additional updates publicly for Windows XP and Server 2003. These OSs have been end-of-life for a while. That meant that if you were on a continuing support contract with Microsoft, you received the critical security updates that were released privately. Microsoft decided to release these publicly in response to concerns these tools will enable more attacks going forward, so let's take a look at a couple of these.
The first thing that came out was an advisory or guidance for older platforms. This is a very important topic to cover. I had a number of writers reach out to us asking how we viewed the fact that Microsoft, two months in a row, released updates for end-of-life platforms. The one thing I will stress is this is unprecedented, this is not the norm. Microsoft is reacting to a heightened level of risk globally, and we don’t expect a continuation of this. The biggest thing to keep in mind is, for those of you on XP and 2003, if you're not on a contract where you're continuing to get additional critical updates, the recommendation is still to migrate off those platforms as quickly as possible.
This first article, I have the links in there and the presentation will be available after the webinar, but these links take you to the guidance I'm going to walk through now. This first advisory covers the guidance for the older platforms and basically says these are the bulletins Microsoft says you should be aware of and make sure get rolled out to these systems to ensure you're taking care of the things most at risk. This goes all the way back to 2008: 08-067, 09-050, MS10-061, MS14-068, MS17-010 (that's our WannaCry or SMBv1 exploits), and now MS17-013. Make sure these updates get in place on your systems. This chart cross-references everything and shows you which updates apply to which operating systems. There are a number of additional CVEs that are recommended. These CVEs were released in 2017 and are part of patches that can be applied, and this shows you which OSs are affected by those. Table three, down here, has three additional updates you'll want to make sure are on there, too.
There are a lot of updates Microsoft has gone through and assessed, and because of past exploits or disclosures they've seen or recent information from the Shadow Brokers data drop, all the updates included in this advisory are on a high level of threat alert. These are things that have already been exploited or are at a high potential of being exploited and should be taken very seriously.
Of these, three that released yesterday for XP and 2003 are known to be disclosed and exploited in the wild already. This first one, CVE-2017-8487, is a vulnerability in OLE that fails to properly validate user input. Using this, attackers could execute malicious code on the system. To exploit this, all they have to do is convince a user to open a specially crafted file or a program from a webpage or email message. This is a prime, targeted-attack-type vulnerability, and in a case like WannaCry, this would have been that first step. Attackers could have utilized a vulnerability like this to phish the user, do a drive-by download, find some way to get a foothold in that environment, and from there is where WannaCry really did its damage by spreading very quickly to many other points. This would be that gateway or foothold vulnerability to get into a system in your environment.
This next vulnerability is in Windows RPC and could allow for remote code execution. It’s also disclosed and known to be exploited in the wild. If the server has routing and remote access enabled, an attacker could successfully exploit this vulnerability to execute code on the target system. Remote code execution pretty much lets them do anything in that case. To exploit this vulnerability, an attacker needs to run a specially crafted application against an RPC server that has routing and remote access enabled. If a combination is used with that vulnerability, an attacker can gain access to a system in your environment and launch a payload. In the case of WannaCry, that payload was ransomware. It also would have used the Double Pulsar toolkit to download additional payloads and try to pivot and move throughout your environment. For example, an attacker could use the OLE vulnerability we just talked about, and once on the system, could take advantage of something like this RPC vulnerability to move to additional systems throughout your environment. These types of vulnerabilities used in conjunction with one another is how attacks like WannaCry, or how persistent threats move throughout your environment.
The third one is a vulnerability in Remote Desktop Protocol, which could allow for remote code execution, as well. If the RDP server has smart-card authentication enabled, an attacker who successfully exploits this vulnerability could execute code on the target system. They could then install programs; view, change, delete data; basically own the system. To exploit this, all they have to do is run a specially crafted application against an RDP server that has smart-card authentication enabled. So this would be that way to move from the foothold system, where a user let the attacker onto the system, to a more critical system throughout the environment and continue to exploit additional systems. All three of these vulnerabilities have been disclosed and are known to be exploited in the wild, so they definitely need to be updated, especially on these older systems.
There were several other vulnerabilities released for XP and 2003. I have a number of the links here. With this one, an attacker could gain additional information to further compromise the system, so information disclosure allows discovery of more systems to attack or more things to exploit. This next one resolves a vulnerability that could allow for information disclosure or remote code execution. Again, as attackers move throughout the environment, they gain more intelligence and are able to execute additional code. The thing about these additional vulnerabilities is Microsoft is not clear on whether they have been exploited or not. I would say they likely have not been detected in an exploit to date but have been captured as part of a disclosure, and Microsoft is concerned they could be utilized in an attack with the level of information disclosed. The fact that Microsoft took the time to release these updates for Windows XP and Server 2003 means we should be concerned about them and look to getting them resolved.
For those of you using Ivanti patch solutions, our support teams are in the process of writing community posts to help you identify these vulnerabilities quickly and address them, so be on the lookout for that additional guidance on the Ivanti communities. If you have any questions, please let us know. Gregg Keizer reached out to us earlier this week with questions about whether or not Microsoft owes us updates for these legacy systems. I have some quotes in this article here, and there are also quotes from Susan Bradley, a well-respected security researcher. She has very good advice. As to whether or not Microsoft owes us, definitely not. They did a kindness here to help us respond, but it's not something they owed us. This is a very good article addressing the reality of this. Don't see Microsoft releasing updates for XP and 2003 two months in a row as a change in behavior. It’s a response to a heightened threat level, but it should not be construed as a new norm. If you're dealing with internal battles in trying to convince people to get off those systems, this article has feedback from me and another security expert reinforcing the fact that we can't rely on this to be the new norm. This is a series of one-offs for a special case.
Now let's talk about this month's patches for the rest of the platforms. We have two additional Zero Days in the June Patch Tuesday release, which include another SMB exploit and a perfect USB drop candidate. The danger of these two is they are vulnerable in all of the currently supported Windows operating systems, from Vista all the way up to Windows 10 and Server 2016. Because these two vulnerabilities are vulnerable on all of those operating systems, we have another situation where we need to roll these out en masse to everybody as quickly as possible. Let me pull up those two. The first one is a vulnerability in Windows Search that could allow for remote code execution. If an attacker were to execute this vulnerability against Windows Search, he or she could exploit how objects are handled in memory, and if exploited, the attacker could take full control of the system. The attacker has the ability to add additional accounts and add, change, or delete data. The scarier part of this is the additional ability to utilize the Windows Search service over SMB in an enterprise environment to further exploit additional systems. This is definitely a larger concern because it would allow an attacker to do the equivalent of what WannaCry did, i.e., have wormlike capabilities that let it exploit additional systems throughout your environment once it gets a foothold. We have a recurring situation here where a vulnerability at a protocol like SMB allows for a potentially far-reaching attack like we saw with WannaCry. Our recommendation, and the recommendation from Microsoft and other security researchers, is to get these updates in place as quickly as possible.
The other vulnerability that has already been exploited this month allows for an icon, a specially crafted shortcut, to exploit a system and gain rights equivalent to the user on the system. This is a perfect scenario for what is referred to as a USB drop. All the attacker has to do is craft a device containing the malicious shortcut file and the associated malicious binary. When the user opens the drive in Windows Explorer, or any application that parses the shortcut icon, the malicious binary executes the code of the attacker's choice on the target system. They are in the context of the local user, so I stress the importance of the defense-in-depth approach. It's very easy to see devices are getting used to gain access to an environment in a targeted attack. In fact, at the RSA show this year, there was a pen-testing team called Hak5. These guys ran an interesting scenario at the show in which they dropped 100 USBs during the show. This included things like leaving USBs on counters in bathrooms. Funnily enough, I encountered one. I didn't take it or plug it in or anything, but I did come across one, which was quite hilarious. Others were secretly dropped into vendors’ candy baskets or somebody's swag bag as he or she walked by. One hundred of these USB devices were dropped during a security show. I actually found out about this only a couple of weeks ago at the AusCERT Show in Australia where the Hak5 team was part of the keynote. They talked about their experiment and how far-reaching it was, especially for a security show audience. Sixty-four of the 100 USB devices were plugged in somewhere globally, and some of them multiple times. Instead of doing something malicious, Hak5 put a trace in that popped up to say, "This is device number [1 through 100]," where it popped up, and then a CERT page popped up talking about the importance of device control within an environment.
It was an interesting experiment to see how easily a data drop can get inside an environment. This could take many forms. It could be a USB stick dropped in a parking lot or a device an attacker takes into a public area and plugs directly into an accessible system. The attacker might plug the device in and then keep walking. It could also be a device someone finds sitting on a counter in a public space. The person looks around, grabs it, and utilizes it later. Device drops like this are definitely a threat to your environment, and this vulnerability is a prime example of how it could be used to good effect. Both of these vulnerabilities have been detected as being exploited in the wild currently, so for every OS we're dealing with this month, you’ll want to get these rollups rolled out as quickly as possible to plug them.
Moving on to Known Issues, this month there is a known issue on Windows 10, 8.1 and Server 2012 R2. If you have iSCSI devices and the target becomes unavailable, attempts to reconnect the device will cause a leak, but initiating a new connection to the target will work as expected. Microsoft is aware of this. They're researching it and looking for a resolution. An additional update will come down the road, likely somewhere between now and next Patch Tuesday. There will be a nonsecurity update that will resolve the issue, so look for that. If you’re running iSCSI devices on any of those three platforms, this could cause you trouble, so be aware of that.
With the circumstances this month, it's interesting that next week, we have a webinar talking about WannaCry, deconstructing the attack, talking about why it was so successful, what could have prevented it, and how we learn from it going forward. With this month's patches, I think it is very plain that it's not a matter of if something of this scale and size could happen again, it's a matter of when. The vulnerabilities we're seeing this month, which have been exploited in the wild already, have the potential to reach as far as the WannaCry attacks did. If you're interested, the webinar next week, on the 21st, will be me, our CISO Phil Richards, and one of our VPs in the European Market talking about the importance of a defense-in-depth strategy, why protecting against these types of issues is important, and the things beyond patching that you need to do as part of your security program. Take a look at that if you haven't already. It's on our webinars page, and there's a link here, as well.
One last thing to talk about here, and this is related to WannaCry, WannaCrypt. Early on, as issues started to unfold, a number of companies reached out to us. We saw the need to do something more than the regular trial of our products, so we offered a 90-day full patch license to anyone in need. This wasn't only for people who didn't have a patch solution. If you had WSUS, SCCM, or something like that in place, but you didn't have the visibility to see you had done all the right updates, the offer was for you, too. We had a number of people come to us to find out if they were secure or not because they couldn't tell. For those of you who are not currently customers of Ivanti patch solutions, the offer is good until tomorrow. There will also be a promotion where, if you are one of our patch customers and you want to take a look at application control and other products like Xtraction, additional discount opportunities are available. If you take advantage of the patch license promotion by tomorrow, you'll have the opportunity to take a look at some of our other solutions and purchase those at a discount if you're looking to build out your security strategy. We will talk about that next week on our webinar, as well.
Let's go to the rest of Patch Tuesday. At a high level, we're looking at 22 updates across the vendors that released. There is one mistake here, it's not eight Zero Days, it's five, three of which were on the XP 2003 platform and two Zero Days that covered all the current OSs for a total of five Zero Days on the Microsoft side and a number of disclosures, as well. Thirteen total updates, 12 of which are critical for the Microsoft side, 11 of which include user-targeted vulnerabilities. These are vulnerabilities that could be used in a phishing attack, in a drive-by download. These are gateway vulnerabilities, entries into your environment, where an attack gains a foothold and then does whatever malicious thing it’s intended to do, whether that's launch ransomware on a local machine, an attack like WannaCry that’s able to propagate with wormlike capabilities, or set up a command-and-control network like variants such as BlueDoom. These are the types of vulnerabilities that will allow that first entry into your environment. On the Adobe side, four bulletins were released, one of which was Flash Player. That was rated as critical. Shockwave was rated as important. The other two were low priority updates. We have five more vendors who released updates yesterday, and these were nonsecurity updates.
Todd, we have a number of bulletins to go through. Why don't you walk us through those and talk to us a bit about what we have to resolve.
Todd: Thanks, Chris. To start off, Chris did a summary of what’s happening with Windows XP and Server 2003, so our first bulletin covers the patches released for those. In particular, as Chris explained, the RPC, RDP, and OLE vulnerabilities were patched with these releases. It included these three CVEs, as he mentioned. You can see them quickly, and down below, as a key reference, the security advisory that summarized the recent security bulletins broken out by operating system. That’s our first bulletin. One quick comment, you saw on the previous slide that there were 13 Microsoft bulletins. We'll address the 12 we've created. The 13th has to do with Microsoft's Power BI, which is addressed in the follow-up slide Chris has.
Next is our Windows 10 update. This release addresses all versions of the operating system, from the original RTM version back in 1507 through the latest, the creator's build in 1703, Server 2016, and Microsoft Edge. We've combined all of those fixes into this bulletin. It's addressed by four KB articles and covers the full range of impacts. We move into a critical because of the remote code execution.
We're seeing an extremely large number of vulnerabilities addressed in the updates this month. I couldn't list all of them here. There were 72 CVEs, and Chris covered the two that were exploited―8543 and 8464. There were also three vulnerabilities addressed in this update that were publicly disclosed―8530, 8523, and 8498, so be aware that information is out there in the public domain. Chris mentioned the iSCSI issue that's a known with this update. Last month, you heard us talk about a known issue with several processors and about updating those processors with the software security updates released last month. Microsoft has fixed that issue, so last month’s issue is no longer an issue. It's been fixed in this month’s releases. They've covered it in the bulletin information, so if you're concerned about that, you can find it there.
Chris: Microsoft is standing firm on the Kaby Lake processors, meaning anything on a Kaby Lake processor needs to be running Windows 10 or the update service will not be available. That change impacted other processor types also, but that's the issue Microsoft has fixed. For Kaby Lake processors, anything that generation and later will no longer be able to update through anything other than Windows 10.
Todd: Thanks, Chris. Next up, in terms of sheer number of vulnerabilities, which are all rated critical this month and all have known exploited vulnerabilities, is our monthly rollup for 8.1 and Server 2012 R2. Monthly rollups include IE updates, as well, so we address those here. This particular update has 52 vulnerabilities. You can see I've highlighted the two Chris mentioned that were exploited in red to make sure we keep track of them. This is a very important update for you who are running this newer operating system.
Next is the rollup for Server 2012. Again, a huge number of vulnerabilities are addressed―49 in this case―and again rated critical because of the exploitive vulnerabilities. I should mention that all of these, because of the critical vulnerabilities, have the ability for remote code execution, as Chris said.
Next is the final monthly rollup, and it’s for Windows 7 and Server 2008 R2. Once again, it’s rated critical because of the vulnerabilities, which is only one less―down to 48. A huge number of vulnerabilities are being addressed in these new security updates. A reminder that Internet Explorer updates are included in these, but they are not included in the security-only updates, as we're going to show here. Going through in the same order, this update addresses Windows 8.1 and Server 2012 R2. We have the same 52 vulnerabilities that were addressed in the security-only updates. I've included a limited description across the top here of what's been fixed with these vulnerability patches. You can go through the KB article, which includes quite a lot of detail on what was fixed. Microsoft reserves the ability to include quality enhancements in their security-only updates, and as you read this month's description in the KB articles, you'll see they have included some quality updates here, in addition to the security-only updates, so be aware of that. I think four or five have been listed in each of these bulletins. To give you an example, some have to do with cryptographic upgrades. They had some bugs in their cryptographic keys, which they fixed, and things like that. They call them quality updates. They're not necessarily security issues, but they addressed them in these updates.
Next is Server 2012. Once again, 49 vulnerabilities are addressed with the security-only update. If you are doing security-only, make sure you do it every month. These are not cumulative, they are only the security updates for the given month.
The last one is for Windows 7. There’s a KB article here in case you want to look up the information. Forty-eight vulnerabilities and rated critical, again, because of those exploited vulnerabilities.
Moving on to Server 2008. An update is provided here, a common set of vulnerabilities, and a much larger number of KB articles because of the disparate nature of all of these. There are 11 KB articles you'd have to look across to get all the information. I've included a summary of the 49 vulnerabilities. This is all easy to look up in our system once you upload the patches, because they are organized according to bulletin, or you can look at them that way.
Security Updates for Microsoft Office
Security updates for Microsoft Office: A large number of updates were released this month that include versions of Office for Windows and Mac. We’ve included individual applications such as Skype in here, as well. There were updates to the SharePoint Server software, and a total of 47 KB articles. You can see the large number of patches released across individual applications all the way down to Word, up to Office as a whole. Take your time and read through those bulletins and decide what you need in your environment. There were 29 vulnerabilities addressed this month across these applications, so another large number. Microsoft has been busy fixing a lot of these vulnerabilities and this month they hit in huge rollups, so there's a huge number of patches.
Chris: This is one of the first that didn't have any exploited vulnerabilities in it, but there are still a number of critical security vulnerabilities in here.
Security Updates for Internet Explorer
Todd: Right. Next one up is Internet Explorer. We still have 9, 10, and 11 out there. They have a cumulative update as well as the very tactical, individual updates for each of these versions of Explorer. There's no exploitation this month, no active exploitation on any of the six vulnerabilities addressed this month, some of which do allow remote code execution. You have to restart your browser as part of this process. It’s still rated critical because of that remote code execution capability. If you're running the security-only updates, as I said earlier, you’ll want to apply the Internet Explorer ones, as well. The monthly rollups include the Internet Explorer updates, so keep that in mind. You wouldn't have to use this if you're doing a cumulative update every month.
Chris: This might be a good time to bring up a couple of frequently asked questions we've had regarding the monthly rollups versus the security-onlys versus the Internet Explorer update. Todd, one of the questions we commonly get asked is, "If I do the monthly rollup, do I need to do the IE update, as well?"
Todd: You wouldn't have to, in that case, because it's included in there.
Chris: Okay. If I do the monthly rollup, do I have to do the security-only update?
Todd: No. The monthly rollup includes not only the security and Internet Explorer updates we talked about, but also some quality updates Microsoft slips in every month. Using the cumulative, you get everything in one package, and that's the downside―one package. It's pretty big.
Chris: Right. For the monthly rollups, the simplest way to explain it is that's exactly the Windows 10 model, everything all in one, OS, IE, and everything is cumulative. If I skip last month but do this month's rollup, I get all of last month's, as well. With the security-only, you do need to do the IE, as well, and the security-only is this month's updates. Next month will be the updates for next month, and so on. We wanted to go through a couple of the commonly asked questions about that for those of you who may have joined this webinar for the first time.
Security Updates for Flash Player
Flash Player: It's pretty consistent that you get Adobe Flash updating each month. The last of the Microsoft updates is actually the IE plug-in for Adobe Flash, so the update was critical this month and includes nine vulnerabilities being resolved. If you're running Flash in IE, this is the update you need there. The Flash Player update includes more, such as the OS install of Flash. IE would need to be updated, Google Chrome, Mozilla Firefox. The same nine vulnerabilities are available in each of those plug-ins, so you might see multiple Adobe updates missing on a given system.
If you're like me, I typically have IE and Chrome on my system, but in some cases, you may have all three browsers, and if you have the plug-in installed for any of those, at the OS level, each would need an update. For the most part, the auto updater in each plug-in should take care of it, but if the auto updater is not functioning correctly, that can result in Flash not getting updated. Also, from the reporting standpoint, having the visibility to be able to report on all instances of Flash on a machine and make sure they're all in place, that's the importance of making sure you do this. There are auto updaters that are supposed to take care of that for you, but, as an example, Chrome had about a six-month span last year when the auto updater was broken. Each month, I looked at the release notes and saw the same two or three people asking, "Is the auto updater fixed yet? It doesn’t look like it's working yet," so, it's very easy for an auto updater to be broken for a period of time and not do its job. It's also very common for auto updaters to prompt the user to initiate the action. I don't know about you, but my experience with users doing updates is typically, "I'll get to that, just not right now" or "I don't care about that," so it's one of those areas where ensuring you have the ability to push and ensure those updates are in place is very important.
Security Updates for Shockwave
Adobe had a second security-related release this month for Shockwave, with only one vulnerability. As I read this one, I did a double take. It’s a Priority Two for Adobe, which in Microsoft terms would be an Important, but the vulnerability is rated as Critical. It might be harder to exploit or something like that, but it's still a bad vulnerability. It’s a judgment call on this one. If you have Shockwave in your environment, you might want to roll it out quickly, rather than letting it sit around, to make sure you have it in place in time.
A number of other updates came out yesterday for additional third-party vendors. There was the Mozilla Firefox 54 release, Opera, Dropbox, CCleaner, Power BI, and FileZilla. These updates were of a nonsecurity nature. They may have critical bug fixes and other feature updates, but they didn't have anything security-related in this particular release.
One thing to note with third-party updates is you're updating the version in place. If I'm on the latest version of Chrome, but I'm three updates back when a Chrome release comes out, the release might not have anything security related, but the two in between might have. It's not a good idea to let these things stagnate too long as they can accumulate a lot of vulnerabilities. That Firefox 54 release, while it’s a new version including new features and bug fixes of a nonsecurity nature, depending on what version you're coming from, it's possible the update includes security fixes for some of your machines because there were steps in between that were vulnerable.
Between the Patch Tuesdays
That's one reason we do this slide. It’s what I call the Between the Patch Tuesdays slide, and it’s actually back by popular demand. It covers what products we've added, and we've added two products to our catalog this time―DocuPrinter and Beyond Compare. Security updates that released in between Patch Tuesdays are covered. Unlike Microsoft, most vendors release when they release. We had Apple Mobile Device Support, Gimp, Apple iCloud. Opera had three releases. Opera uses the Chrome plug-in or the Chrome SDK to build its browser out, so when Chrome releases security fixes, the Chrome plug-in Opera uses releases and has security vulnerabilities that need to be resolved, as well. If you’re running Opera, between the three here and the one that came out yesterday, rest assured there were security updates included in those four, so it's a good thing to get those updated.
Other products are VMware Workstation, and Firefox had another release, which had security updates. If you only update Firefox once a month or ensure it gets updated once a month, yesterday's release might not have had any security updates, but this one did. VMware Tools, Adobe Acrobat Reader, Chrome, FileZilla, Wireshark, Skype―a lot of products released between the Patch Tuesdays. A number of nonsecurity updates released―CCleaner, Dropbox, Microsoft had 48 nonsecurity updates throughout their portfolio, PDF-XChange, Prezi Desktop, TreeSize.
That gives you an idea of how many updates happen. Our content team releases twice a week, every week, so there's a constant stream of updates. One thing we recommend is that systems that can leave the network, laptops especially, get to more than a monthly cadence. It's preferable to be on a weekly cadence for those systems to ensure vulnerabilities are not exposed beyond your network perimeter where they're even more susceptible to attack.
All right, we have time here for some questions, so let's see what we have.
Kevin has a question: Can you link to that forecast? I think the forecast last week was on Help Net Security. Normally it would be under Patch Tuesday, and you would see the forecast each month, like this one here for April, another for May. I have to get June up there, but I can get the link included on the slide deck before we send it out, but yes, we can do that.
Another question: Will this deck be available after the call? Yes, it will. If you go to the Ivanti website, under Resources, you will see a Patch Tuesday page. This page has upcoming webinars. We have the program built, so we should be able to start posting the months coming up very soon. As we've been transitioning websites, we've been building out that infrastructure, so we're on track to post several months’ worth of Patch Tuesday webinars going forward. Under here, you'll see previous months, so for May, you'd see the infographic, the summary, the PowerPoint presentation, the webinar playback, and links to the blog. That's where you can always find that information.
Next question: When are the June patches going to be available for download? Depending on which product line and the catalog you're working from, they should be available already. Depending on which product line you're on, it may be coming shortly. That's something we’re working on from the product management side. Todd and I are responsible for getting all of our patch solutions into a single catalog. Several of our products are scheduled to start those transitions this year. If you're on the legacy Shavlik product lines, that released yesterday evening shortly after 10 pm. Todd, did the HEAT catalog update yet?
Todd: It should have. They posted most everything last night, so it should be up-to-date.
Chris: Okay. If you’re on the LANDESK catalog, that should be updating shortly, this morning.
The next question: When are those twice-a-week patches released? Joel had a good question. If you are on the Shavlik catalog, it’s every Tuesday and Thursday for our Protect product line, and every Wednesday and Friday for our Patch for SCCM catalog. Again, as each product line comes down to that particular catalog, everything will be on the same cadence.
Another question: HP had a keylogger issue where it could capture all keystrokes with one of its drivers. Out of curiosity, would that be included in this rollup or another in the future? That's a driver level vulnerability, and you'd want to look to HP for that information. Depending on which of our product lines you're on, if you're on our UEM solutions, we update those drivers fairly regularly, and it should be available there. What we're talking about today is more of the software-level patch updates. I'm not sure about the HP keylogger issue you're seeing, but I would expect that if it's been released… Our products that support the driver catalogs, for example our Patch for SCCM catalog has the ability to sync the HP driver catalog, and our UEM solutions have, from the Legacy LANDESK side, have the ability to manage drivers, as well. Those should be getting that as soon as it's available.
Kevin had a question about the AMT vulnerability provided in the LANDESK updates: The second vulnerability to AMT was released this week, or last? I don't have specifics around that right now, Kevin. That's something, Todd, we should take a note on and see what additional AMT vulnerabilities were discussed there. We might have to follow up with an additional blog post or something along those lines to provide more information.
Chris: Sorry, Kevin, we don't have that information right now. We were knee-deep in Microsoft vulnerabilities and everything that was going on there, and we didn't even see that one.
Joel had an interesting question: As Microsoft is moving away from the Patch Tuesday model, how are IT admin scheduling and coordinating pushing out patches? Microsoft is definitely talking about moving away from that model and toward the “as things release, they release” model. I think as that transition starts to happen, which it's not yet―they're still on the monthly cadence of update Tuesday, and I don't foresee them switching off of that immediately. Over the next couple of years, it is anticipated that at some point, Microsoft will go to more of an Apple-style cadence where updates are released as they’re available. When that happens, I think the biggest challenge will be changing people's expectations and policies around regular maintenance and having a window that's available more on a weekly basis. When updates initiate, you may initiate that testing phase, and depending on how long your process is, if it's a one-week process, you have your window on the weekend when you do it. If it's a three-week process, you know we're going to start initiating now, and the window we have three weeks from now is where actual production and implementation would occur.
I think companies are going to have to adjust to the style that as updates come out is when the process initiates, but there'll be a more nebulous kind of frequency to it. I think a lot of it is going to change the way we do things today. It's a very good question and one that probably warrants some future expectations. That might be something where we do a thought piece on the future of how patching will work in a non-Patch Tuesday scenario. I don't see that happening this year or even next, but it's something Microsoft has been talking about.
Todd: It's part of their Windows as a service model. They're getting into more of a DevOps approach to business.
Chris: That's it for the chat questions. Let me see what we have in the Q&A section: Will the XP-2003 Vista updates be automatically downloaded by WSUS? That's a really good question, Mark. We saw some of those updates made available in the Windows catalog, but it's one of those things where, if you're using WSUS, you may be able to do that. If you're using SCCM, as we saw last month, the updates were not available. They may or may not make them all available through that infrastructure. One thing we’re doing is each of our products is releasing those updates directly in our product catalogs, so anybody utilizing our software definitely has access to those updates.
Craig has a similar question. Our content team keeps an eye on the Windows catalog, as well, and I would have to follow up with them to see if those are available through there. Again, I think at a WSUS level it may be, but at a SCCM level it may not be. They've retired the agents in some of the Microsoft platforms, so it's not really available through those. It's hard to say.
Todd: You mentioned earlier that our support guys are posting information to the community, and I think one of the things they're looking at is locations of the various patches so people know where they are.
Chris: Right, we're trying to help make sure people are aware of where to download them if they need to put them in place manually.
Jeff had a question: Does Ivanti Shavlik Protect, in particular, cover us for everything you were talking about today? Yes, all the updates we talked about today are included in the update that went out last night, so they would all be located in there.
Jose has a question: How soon will the slides be available? I would like to say later this afternoon. It depends how quickly I get the recording downloaded, converted, and off to our Web team to post. There will be a follow-up email to tell you once those things are available, but I would say by tomorrow morning, they should be in place.
Jeff had a question: Should that be 8.1 and 2008 R2? Yes. When Microsoft packages updates and talks about them, they're usually across the workstation and OS platform. In most cases, where you have an 8.1 patch, you have the same thing applied to 2008 R2 and 2012 R2. Windows 10, 2016, Windows 7 and 2008 R2 are the two that are paired up.
Todd: Right, 2012 R2 is the same kernel level of 8.1. That's why we bundle them together.
Chris: Yup. That's where they're paired up. It would be 8.1 and 2012 R2. Thanks, Todd.
Next question: You mentioned that security updates are not cumulative, and we need to install each month. Is that the Microsoft process or Ivanti? That is the Microsoft way of packaging them. There is a security-only bundle that has the OS patches for the month, and the IE update would coincide with that. If you do the monthly quality rollup, that's cumulative each month and includes the OS and IE all in one package. That's how Microsoft does it. We break it down to make it easy to do the security-only or the full cumulative, whichever you choose, and to make sure you don't get both of them on a system, because bad things can occur if you get them in the wrong order. Systems could get unstable. It's a complication we've specifically coded so you can choose one or the other, but we make sure both do not get delivered.
All right, H. Smith has a question: Try not to miss versions of Chrome, so my question, let's say you were on v50 and you missed v50.1, then v50.2, but get 50.3, that should roll the previous fixes in, correct? Yes. Most third-party updates operate on a cumulative model like the new Windows 10 model. If I skip three versions of Chrome and go to the latest, I get everything that came before.
Mahesh, good morning, sir, good to see you: Any new updates available for Shavlik 9.2 or do I have to upgrade to Ivanti 9.3? We don't have any additional updates planned for 9.2, so it would require moving to 9.3. We might have to have an offline conversation. We're probably going to do a 9.3 update 1 in the near future, Mahesh, so why don't you reach out to me and Todd, and let's have a quick discussion. I know you were looking at a couple of things on 9.2 before you went to 9.3 to make sure they tested well in your environment. Let's work through that and make sure everything's good. Otherwise, we'll try to queue up everything for update 1 for 9.3 to make sure you can transition.
Bill had a question: Does anybody know what's going on with Server 2016? Even with all the critical patches yesterday, I still show no missing patches with 2016 servers. Interesting question, Bill. Are you using WSUS, SCCM, one of the Ivanti products? That would be the question I have, depending on which product you're on. I think the LANDESK patch catalog isn't updated yet, but I expect that will happen sometime this morning. The content team is overseas for that one, so it usually lags a little behind. Again, that's one of the things we're addressing later this year. It'll be with the U.S. time zone content teams very shortly. To help me understand I’d want to know which product you’re using, so I can better answer what you might be running into.
Todd: I think he mentioned down below, Chris, he's using Protect 9.3.
Chris: Oh, really? Okay, in that case, I would go to Help, Refresh files, and force the refresh files to make sure everything's good. You can even go into your patch view, and if we look at the MS-17s, you'd see there was a ridiculous amount of the Office bulletins this month. There's the Server 2016. This one, 4022715, you should see the affected products, 2016 should be showing. This particular update is the one that would show on 2016, so if you hit Help, Refresh files, check in here, make sure you see that. If it's still not showing at that point, it’s most likely because of a filter collision on your scan template. Try the default security patch scan to see if you can detect it there. If it's still not working, I would say call support quickly, and get that opened up because there might be something else going on that needs to be fixed.
All right, next question: Monthly security update which includes non-security updates, is that true? Yes, the Windows 10 and pre-Windows 10, the monthly rollups, those will include non-securities, as well. On Windows 10 and Server 2016, you really have no choice. On pre-Windows 10 systems you could do the security-only, which, for the most part, should not include the nonsecurity stuff, so feature changes and things like that would not be part of those security-onlys.
Todd: Yeah, Microsoft does slip some things in. As I mentioned, this month in the security-only they have a few quality fixes, but they're usually pretty minor.
Chris: And like the one Todd mentioned, the fixes for cryptographic services, those are like critical bug fixes in something as important as the crypto service. You really don't want that to crash and be inoperable. That's why they slip some of those in. They're not directly security related, but they can make security-related things unstable on the system, which is bad. For the most part, they've been good about that, but they reserve the right to slip additional fixes in, which gives them control where you don't really have much of a choice anymore.
Andrea had a question: Considering the latest patches are quite big in terms of size, I'm running out of storage space. That is definitely a concern. You’ll want to delete the previous patches to free up space. A couple of things we've done to try to help with that, and things we'll be looking toward to help make it more efficient, one of which is most of our products now support Delta patches. On Windows 10, if you do the Patch Tuesday releases, not the preview that comes out later in the month that includes all the nonsecurities, but the Patch Tuesday release each month, if you do only those, every month you could do the Delta, which is about half the size of the full update. That's an easy way to shrink it down quite a bit.
Microsoft is working on what they call the Unified Update Platform, or the Express Patch Service. As they develop this service, we'll be looking at how we can integrate with that. That's supposed to make the size of these much more efficient. It's supposed to make the Delta patching process more efficient and get the size down considerably. As that releases, we have on our roadmap to start executing on that as soon as it's available to see how quickly we can get that rolled into our own products.
All right, TJ had a question: When I deploy with pairs to the computer, does it run a scan prior to patching or just patch what it currently has of record? I'm assuming you're talking about the LD patch, yup. Both scans should run prior to patching. It should validate everything when you do that repair. If for some reason it’s not, if you're not seeing something on there, we may have to look at that, but, yes, I'm pretty sure that's how the repair works.
Eddie had a question: Will there be a link to today's recording? Yes. The Patch Tuesday page will be updated later this afternoon or before tomorrow morning, hopefully, to have a June section with links to everything you'll want, including playback, presentation, and so on.
Bill’s question: How can you tell what download catalog you are on? What product line are you on specifically, Bill? Are you using WSUS, SCCM? If you're using one of the Ivanti products, is it the HEAT product line, Shavlik product line, LANDESK product line? That would help us respond to your question a little easier.
Another question: Is there a different webpage to sign up for the upcoming Patch Tuesday webinar? Yes. There's the Patch Tuesday page, which should have registration ready for all of the webinars. There is also the webinars page here, which should also have the Patch Tuesday webinars. I mentioned briefly before that we’re transitioning webpages. We had more automated processes when this was housed on shavlik.com, but those have been rebuilt now, and we should have multiple months that you're able to register for in advance. We're getting that sorted out, so apologies to those of you looking for the link. I know it didn't get out there until this week. We’re working to sort that out to make sure you have a longer runway and can register well in advance.
All right, we are over on time, and I apologize for that. Thank you everybody for sticking around longer. It looks like most of the questions were answered. Bill did come back to say he is using Protect, so I would definitely say do that Help, Refresh files. Under Help, About, you would also see the patch definitions, which you can see here. I'm on 126.96.36.19935, so if you're on that version, you should be all set. If you're not on that version, your definitions haven't been updated to last night's release, and that's how you know you need to get those. Did that help? Refresh files should force the catalog update. If you're not on that 2635, contact support, and they'll get you sorted out, all right?
I think we got everybody else, so thanks everybody for... Oh, looks like Bill did find the resolution, good. All right, thank you everybody for joining us this month, and thanks, Todd.
Todd: Thank you, Chris.
Chris: I think we answered most everybody's questions. Watch for that webinar playback and presentation on ivanti.com late tonight or early tomorrow. Thanks.
Todd: See you next month.