May Patch Tuesday Analysis

May 10, 2017

Chris Goettl | Manager, Product Management, Security | Ivanti

Join us as we recap the Microsoft and third-party security patches released on Patch Tuesday, live from Ivanti Interchange 2017. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Introduction

Chris: Good morning everyone. We have more people trickling into the room, and we have a lot more joining us on the phones, too. I see the numbers are still spiking, but I want to get started and talk a little about the logistics that go into bringing this out.
 
I run into a lot of our customers, and people really love what we do with this Patch Tuesday Webinar. They always thank me for it, and they tell me how they have some of our graphics up in their NOCs or on dashboards throughout the environment. We love to hear that, because a lot of time and effort goes into this presentation each month.
 
The one thing I want people to know, though, is it's not just me doing it. A lot of very talented people help bring this together in a very short period of time. Yesterday, when the keynote was going on, I had six of them pulled out of the room, and we were in a conference room in a maze of back hallways nobody sees. We went through a bunch of this stuff. One of our creative team, Jared, did a great job of taking all the data Todd and I pulled together and putting it into the graphics we have up on our Patch Tuesday page.
 
Amber, our product marketing manager for our security team, does a great job of keeping our messaging consistent and does an editorial pass on everything we write to make sure we're grammatically correct. We have Kate, who's right up here, who does a great job of helping us get the word out to get people coming to this webinar. There's a huge number of people who help us pull this together, and I wanted to acknowledge them here this morning and let them know their contributions to this are great.
 
We have a lot to cover today, and we have to try and get it all done, so I can get you out of here and over to the keynote, because that's more important than me. I’m Chris Goettl. I've been doing this for about five years. I took over the Patch Tuesday Webinar at Ivanti. Todd Schell is here with me today, as well.
 
Todd: Good morning everyone.
 
Chris: Todd joined me on doing the Patch Tuesday webinars just last month.
 
Todd: Last month was my first time.
 
Chris: He'll be tag-teaming this with me going forward, so I wanted you to meet him. We're going to go through a few things here and talk about some of the big news coming out right now, some of the things happening out there that you're going to want to be aware of. You’ve probably heard a lot of these headlines already.
 
We’ll go through that, and we’ll talk about Patch Tuesday in general. We’ll get into the bulletins and talk through each of the updates, what you’ll want to know about and challenges you might face. I have the answer to your question, Jim. I saw where that information is, we'll talk about that, as well. And we'll have some time at the end for Q&A.
 
In the News

Let's start with some of the news going around. The Intel vPro Vulnerability. You have probably all heard about this. There are some significant challenges with it. It’s not a software level of vulnerability, it’s a hardware level, so how you distribute this is a little different. Things to know about this are Intel may have identified the issue and may have released a fix to the OEMs. The OEMs are still working on that. I've talked to a few of them, and they're trying to sort things out and figure out what they're going to do, how they're going to respond to it, and when the updates are going to come out.
 
Something to keep in mind about this is, if these AMT services are active, it is a remotely exploitable vulnerability that lets an attacker do bad things very, very silently to your system. It is a threat. Disabling the AMT service will limit exposure from remote to local only, so that significantly reduces your risk. Ivanti created a deployment package that can help push a configuration out to disable those services. If you’re interested in that, we have information about how you can do that. This would disable the AMT service, so if you are utilizing it, you would be disabling it until those OEM vendors like HP, Dell, and Lenovo start to release driver updates and make them available to you for each of the platforms.
 
This vulnerability goes back many, many years. I believe the counter's around 10-ish years, so it's not something we can expect them to fix in every piece of hardware going back that many years. There might be some challenges after these updates come out, we have to wait and see what they do, but if they only go back three years or five years and you have seven-year-old hardware, you're still left partially exposed. You might have to do a combination of updates from vendors and some mitigation options like the package we've created.
 
As those developments move forward, as we find out more details, we'll try to share that information as quickly as possible to help you understand what you're going to need to do to eliminate risk where you can and to mitigate risk where they're not going to provide an update. There are some different challenges with that one, and it's still developing.
 
Microsoft News

A few things from the Microsoft side: we have the vulnerable malware protection engine. This one got announced the day before Patch Tuesday, so Monday. A researcher over at the Google team found a vulnerability that could allow this engine to be exploited by a remote code execution by crafting a special file and letting the engine scan it. You don't even have to open the attachment in an email and this could potentially be exploited. It sounds pretty scary.
 
The researcher dubbed this thing crazy bad. He said it was one of the worst things he'd seen in a long time. When Microsoft announced their advisory, they announced it would automatically update in the defender engine within 48 hours, typically, depending on how frequently your updates are received. Within 48 hours of that fix going out, your system should get that change automatically through the content update.
 
When I read up on this, Microsoft positioned it as not as bad as the researcher did. If you're familiar with their exploitability index, they listed this as a two, which means it lets me do some bad things, but it's not extremely bad. It's hard to tell based on the original researcher versus Microsoft's take on it, what it really is. If you are using Defender, there is a KB article on how to force that to update sooner, if you want to force that update to make sure it's there. There are also ways to tell what version you're at to confirm you are at a version that is protected. There are more details on the advisory on Microsoft's site.

 

The other piece of news for Microsoft is the Kaby Lake processor change. You have probably heard about this, as well. I've had several conversations this week about that already. Anybody who is purchasing hardware that has the Kaby Lake processor―I believe laptops last fall and desktops starting at the beginning of this year―moving forward, if you put anything older than Windows 10 on that hardware, you will not be able to update those systems as of April. They push out a change to the update service that breaks updates on that system for Microsoft updates. This is going to present a challenge. It’s one more way Microsoft is forcing us onto Windows 10 with very little choice. For those of you running older operating systems, especially our healthcare customers and a few others, it's a real challenge to try to get everybody over to Windows 10.
 
I had a conversation with one of our customers this week who said HP honors a one-year timeframe for older hardware when new hardware comes out, so you can continue to get a consistent baseline while you're testing new hardware. I heard a report from him that at least some OEM vendors are already running out of some of that older hardware. Some companies went into panic mode and bought thousands of units of older hardware. If you're concerned about that, I recommend reaching out to your vendor earlier rather than later to see what the concerns are and maybe buy a few extra devices to have on hand as those diminish. That is going to be a challenge going forward. Those Windows updates can block any OS and Microsoft application updates since that change went into effect.
 
There is a workaround, we'll call it, a way to get around this that’s already distributed on GitHub. It's an interesting take on it. We're not saying, "Go for it." We're also not saying, "Shy away from it." It's your choice on whether to do that or not. The challenge if you do, though, is if you're running a Windows 7 machine on a Kaby Lake processor and you have an incident, when you go to Microsoft, they'll say, "Sorry guys. Upgrade to Windows 10, and then we'll talk."
 
There’s another challenge, too. If you go that route and then push patches out through one of our solutions, you would push out those updates. Each time you do, each month, you would have to redo the workaround because each update is cumulative and will put that change back into effect. So it's going to be a fun situation, and I'm sure there will be more news coming down the road about that. Those are the things from Microsoft.

 

Google News

Another one that's been circulating quite a bit is the Google phishing scam that went down. I know a lot of you have seen this one. We talk a lot about phishing, the way that goes down, how easy it is to convince somebody to do it. Reportedly, there are already a million Google users affected by this. By "affected," I mean actually clicked on it and were exploited. That’s the latest global number of people impacted I read, as of a few days ago. A million people in a very short time. This just came out last week. That's how easy and scary phishing scams can be.

This one is interesting. It's not exploiting a vulnerability in software, it's exploiting a user and taking advantage of how we share documents. This is one of those situations where it's important not to stop at any single security control. If you attended any of our security track sessions this week, or if you attended the State of the Union yesterday, you’ve heard this already. A layered approach is what you need. These types of things are why.

You need to patch because it's going to reduce that surface area. You need to educate your users to make sure fewer of them are duped into things like this. The more healthy paranoia your users have, the less these types of things can affect you. There are other things like educating people on things like two-factor authentication. That's a way where, if attackers exploited this, they couldn't continue to use it because they would've needed your two-factor. This is definitely a real threat, but two-factor authentication and education are two ways you can reduce the risk of this type of thing impacting your users.
 
Microsoft Changes Update Releases

The last change I'll talk about, and this came around last month. Microsoft made a significant change. They stopped using their bulletin model for how they release their updates. It kind of breaks down from a user perspective, however. The bulletin gave us a few very necessary things. It gave us a hierarchy, a way to organize things, so we can find things quickly and easily. I'm not hooked up to a machine where I can demo how that worked, but last month on the webinar, somebody asked me a great question, and I was able to go in and show why that hierarchy was necessary. A few quick searches and I found exactly the update they were asking me a question about and could give them the specific answer they needed.

 

If I’d had to find it by a KB number, it would've been a much harder search. I might've had to search for several of them because some things have 10, 12, even 20 KBs in one bulletin. Something Ivanti has done―and we’re always trying to bring additional value. We're not here only to support an update from a vendor, we do it in a way that helps you be more effective―so we've continued what we're calling our artificial Microsoft bulletins. We have a KB article on the Ivanti community that helps you identify how these translate. As we switch that engine into some of our other products, you'll see this more and more. By that count, we're saying there were 13 Microsoft bulletins this month, distinct variations of an update package that would be deployed to a machine. We'll talk about those. Ten of them were Critical, two were Important, and 11 had user-targeted vulnerabilities, which are vulnerabilities you could utilize in a phishing scam.

 

Adobe News

 

Adobe had one update, which was Flash Player. It was critical. Seven vulnerabilities were resolved there, and it also has user-targeted vulnerabilities. Then we had PDF-Xchange. This one happened to come out on Patch Tuesday. They didn't have anything security related in their announcement.

 

Google did an update yesterday, as well. We weren't expecting that because they did a security update not too long ago, just last week. This one was out of the blue and looked a little odd. It didn't have much documentation with it from a security perspective, so we're watching that one to see if they bring in any CVEs or anything else on it. There was one comment on it last night when I was taking a look at it, which noted this release came out but doesn't look like it supports the latest Flash plugin yet. I'm wondering if they were trying to do that, it released, and something went wrong. Maybe it didn't support the plugin correctly or they have something left to do. We'll watch for that one, but watch for the Chrome update because you might want that to make sure you get all the Flash plugins updated on your system.
 
I've talked enough, Todd, so I'm going to hand it over to you now, and we'll go into each of the bulletins.
 
Todd: Okay, Chris, thanks. When we started this gig last month, you didn't tell me we were taking the show immediately to Vegas.
 
Chris: I've actually done this from England twice. This is my second time doing it from Vegas, but last time I was in my hotel room. This is the first time in five years I've done this in front of a live audience.
 
Todd: We actually had to get dressed, usually it's a t-shirt and shorts and stuff.
 
Chris: I was telling some of our team I have a t-shirt I usually wear when I do this. It's an '80s retro t-shirt. It has the Mario Brothers Bob-omb on it, and it says, "I'm the bomb." It mentally sets my frame of mind for this, but I had to dress the part today.
 
Todd: Cool. Let’s dig into the bulletins a little as we go through the second part of the presentation. We've made some changes since last month. We're still learning how best to name these bulletins, so in this month's content release, you’ll see we've changed it up. We have the date and month in the middle, and then we have the name for what that particular bulletin addresses, the applications of the operating systems, etc. You'll see that as we go through some of the changes today.
 
As Chris mentioned, one of the first bulletins has to do with our usual update of Adobe Flash Player. Microsoft rolled this in for all of their operating systems, and as Chris mentioned, there are seven vulnerabilities addressed in this release.

 

Security Updates

Second in our bulletins is our security update for Internet Explorer. It addresses versions 9, 10, and 11 of Internet Explorer. An interesting note here, I copied Microsoft's quote directly from their bulletin regarding how they're doing this. They say you should update your operating systems now and use this cumulative update for Internet Explorer. Last night, Chris and I were in Chat arguing about this. I said, "No, this is the way Microsoft says you do it." He said, "Well, I've been doing this and they're actually including the Internet updates directly in their regular security-only and their cumulative updates, as well."
 
Chris: Yeah, this one's kind of a funny one. You have two choices on the pre-Windows 10 platforms. You can do the security-only, which is a bundle of all the security updates for the month for the OS. If you choose that option, you have to do the IE update also. Or there's the monthly quality rollup. If you choose that one, it's the rollup of OS, IE, all the nonsecurities, and the securities from the month before, so it’s the cumulative one. Their documentation last night definitely conflicts with how that works, so I deployed the monthly rollup package for several machines. I then went back and did the reassessment, and the IE did not apply, it was already taken care of, which confirmed there are documentation errors.
 
Todd: I've highlighted two of the vulnerabilities down below. The first one, 64, is a disclosed vulnerability but not an exploited one. This vulnerability allows an unsecured browser to access secure data over to an HTTPS site, so it's an important one. Once again, it’s disclosed but not yet exploited. The second one is an exploited vulnerability, and this is a memory corruption issue that allows remote code execution. We call that out on the bulletin as the worst case from an impact standpoint.
 
Moving on to Microsoft Office: There were a lot of Office releases this month that covered a range of full Office packages from 2007 to 2016 to individual updates for applications like Word, PowerPoint, and others. There’s an interesting vulnerability here, number 261. This is an exploited vulnerability that has to do with the way graphics handling is done, particularly in Word applications. For example, you can take an EPS file, an Encapsulated PostScript file, and embed command code in there, and this vulnerability allows you to run that through the system. Interestingly enough, this isn't a Web browser problem. The browsers pulling down those graphics will not try to execute. It’s in the Microsoft application itself, so important to note on that one.
 
Next up is our Windows 10 cumulative update, and it addresses lots of vulnerabilities this month. There were 42 altogether. There are two I want to call out in particular of the highlighted batch. These are both only disclosed, we're not seeing them exploited out in the wild yet. The first one, 229, has to do with JavaScript handling engine resulting in memory corruption and objects and memory being executed. That's only disclosed, not exploited.
 
The second one is 241. This is a Microsoft Edge browser problem. It's a security-bypass vulnerability. If you can get a user to go to a nondomain page and open it, with some special code, the attacker can modify the URL so your Intranet zone web pages can be accessed. You should be aware of that one. It's not exploited yet, it's only disclosed. Two important points on Windows 10.
 
Chris: Microsoft resolved 56 vulnerabilities this month. If you're on Windows 10, 42 of them are in the update you're going to apply. With this update model, they're pulling more and more into a single package, and that's a lot of vulnerabilities all in one place. You’ll definitely need to get those rolled out.
 
Todd: Next up is Server 2008. A large number of vulnerabilities have been fixed there. An important one here is 263. It’s a vulnerability that's been around for quite some time. It's only a problem in 32-bit systems, but you'll see it across almost all of our bulletins, because there are aspects of each running on older systems. This vulnerability can result in a lot of problems. We've included the full range from remote code execution all the way through information disclosure from an impact perspective.
 
Next up, we have our security-only update for Windows 7 and Server 2008 R2. Once again, there are a number of changes they've made and security aspects they’ve fixed. There are 27 vulnerabilities. The only one from an exploited standpoint is 263. You'll see that covered on our infographic through each of these.
 
Chris: This is one of the first of that security-only bundle I talked about. If you're deploying this version, you need to do this and the IE update to get all the updates or all the vulnerabilities across that platform.

 

Todd: One important thing to keep in mind, I took a look at all the bulletins, and as far as Known Issues, the only thing that applies across Windows 7 and Windows 8 had to do with the AMD Carrizo DDR4 processor. If you download these onto systems using those processors, it allows you to download an update this time, but you can't download updates in the future. Microsoft's working on that, but that's something to be aware of in Known Issues.
 
Chris: That’s part of what they were doing to try to stop the Kaby Lake systems from doing that. They accidentally pulled in a few other things at the same time, so they're working on that.
 
Todd: Next up is the security update for Server 2012. Remember that last month we dropped Vista and things like that, but 2012 continues to live. Once again, a common set of vulnerabilities for this operating system. We dropped a few from Windows 7 and Windows 8, but there are 24 vulnerabilities, and we see that old one for the Windows 32 system.
 
The last of our security-only updates is for Windows 8.1 and Server 2012 R2. Once again, addressing that code kernel, we’re down to 23 vulnerabilities, with that win32 allowing for remote-code execution. They addressed a common set of vulnerabilities across a lot of these operating systems this month.
 
Monthly Rollups

 

The first of our monthly rollups is for Windows 7 and 2008 R2. I’ve referenced the cumulative bulletin this builds on from last month. They've taken 4015552, added all the updates this month, and rolled out this new cumulative bulletin. You can see this is based on a single new bulletin that fixes 23 vulnerabilities, two of which have been exploited. That one is only a disclosure.
 
Next up is the monthly rollup for Server 2012, the same kind of thing. They've combined all the updates from last month. These things are getting big, right Chris?
 
Chris: Yes, the cumulatives are definitely growing. We talked about this with Windows 10 especially. The Windows 10 update for the 1607 is over a gig. I was updating my personal system yesterday, and luckily I got the Delta, which is only half that size, 500 meg, so that was great.
 
Todd: Moving on to the rollup for 8.1 and 2012 R2. This is the approach we've taken with our bulletins. We're taking them from an operating system perspective and combining them, so you can quickly look up bulletins by operating system. You can always drill down into the CVE list, as well, to find what you're looking for. There are 29 vulnerabilities across this group. We rolled in the IE update, as well, so it includes those fixes.

This is the release on Adobe's Flash Player, their private bulletin APSB17-15, which the Microsoft release is based on. It has the same seven vulnerabilities. This fix for Flash Player covers not only the Windows operating system but also the Mac, UNIX, and Chrome OS. It stretches across all those OSs.
 
Chris: One of the things about Flash Player is you have to do Flash Player at the OS level. If you use the browser plugin for Chrome, IE, or Firefox, you need to get all those in place to patch that system fully. I've had systems where I've had each of the browsers and each of the plugins, so I've had four Flash updates every month. Don't be surprised if you see it a few times.
 
Todd: Dropping down in priority, this month we have two of our Microsoft .NET updates. One is our security-only update, which is targeted at individual operating systems. I haven't listed them here, but there are four bulletins for each of these. On the security-only side, you'll see I have sub-bulletins listed. We include the bulletin number in the title, so you can find the one you're looking for. There is a minor issue in this release, which is a security feature bypass they’ve fixed. It’s not a privilege escalation problem, so it keeps you at the same privilege level. It does fix this one vulnerability, which is the only vulnerability addressed by the .NET update this month.
 
On the monthly rollup side, these are cumulative patches for .NET, just like they're doing for the operating systems. We have four patches, and you can see the bulletin numbers there. It includes the updates from the previous month.
 
There are a couple of things we rolled out this month. The PDF-Xchange issue from transfer was only a software update that happened to get rolled into our monthly update. There really aren't any security implications. Chris mentioned Google Chrome. I grabbed this information from the release we did late last night. We got bulletin Chrome-195, it's for release 58, and the .110 on the end. This came out of their main channel, and as Chris said, it was surprising they released so soon after releasing only a week or two ago.
 
Chris: One of the things we try to talk about on this webinar is prioritizing your time and effort. This month is kind of a brutal one. If you look at everything that released, aside from the two that didn't carry anything security related, .NET's the only one that wasn't Critical and didn't carry a Zero-Day or a public disclosure, so do them all as soon as possible. Yes, it's a brutal one this month. IE had a Zero Day, Office had a Zero Day, and there was the Windows Zero Day. All of those packages have a Zero Day in them. The challenge we're facing this month is everything's a priority. And I think that wraps up the presentation.
 
Q&A

Todd: If you have any questions―we're going to do a combination. We have people online, and I have a team who will come around with microphones, so we'll take a combination of questions. Yes, go ahead.
 
Domingo: All right, thank you. Domingo Thomas [SP] from Garner. I have a quick question on Chrome. We have been having a lot of challenges with the Chrome plugin for Flash. It's been there for a couple of months. You mentioned they might have changed something in this update that allows the plugin to update?
 
Chris: They've had some differences over the years. They've had cases where the Chrome update was required before you could update the Flash plugin, and there were periods of time where it could be updated independent of Chrome having to be updated. I saw a comment on that Chrome update last night saying, "It doesn't look like I can get the latest Flash Player update yet." My guess is they pushed that update out, and they have something else coming. In the next day or two, I would expect that Chrome will support the latest plugin. Why it wasn't there yet, I'm not really sure.
 
While we're on the topic of Chrome, they did a security release just last week. If you don't do weekly or biweekly patching, make sure this Chrome update is in place. By updating this one, you're getting the security fixes that came out in the last one, as well. I think what happened here is they probably had a two-step process where the release last night was preparing it so Chrome can take the latest Flash, and they still have to push that. I'm kind of suspicious about why they didn't do it right away, but I think there's something still to come to handle that part.

 

All right. Do we have another question back there? Go ahead.
 
Ed: Good morning. Ed Nelson, 3M. I have a similar question along the lines of Chrome. Historically, one of the beauties of Chrome was that Flash was baked in, and it would update every time Chrome updated. Maybe I missed something in the last few months because I've started seeing the new plugins, but I want to know why it's now separated and can be patched separately outside of the Chrome patch. What is Google doing, or Adobe? What has caused the separation for the baked-in Flash within Chrome to now be patched separately? 
 
Chris: This is something that's gone back and forth over the years. I said earlier that it's not just me who does a lot of this stuff. I have a team of people all over the place who help, and our content guys up in Minnesota do a great job of researching these things as they happen. This question has come up several times over the past five years. Things like, "Hey, it looks like Chrome has made it so Flash Player automatically updates, so I don't have to worry about doing both." Our products could still push the update if it didn't, but it should've auto updated itself. Then there were long periods of time when the auto updater was broken for Chrome and for some of its plugins. That's where a product like ours came in again and made sure you could update Chrome and the plugin. It's been kind of back and forth. I don't know the specifics of what's going on recently, but I do know that with the last couple, they've had to be released and then the Chrome frame could be updated.
 
I couldn't tell you more about that, but that's what I've seen. The important thing is there are a lot of products that support an auto updater, but those auto updaters are not always reliable. I remember a period of about six months last year when the Chrome updater was broken. The same group of people were on the Chrome Forum every month saying, "Still broken. When you going to fix it?" Yes, there are some challenges with auto updates, and that's where a solution that can handle third-party products helps you handle issues when the auto updaters don't do their job, and you get visibility and consistency. That's the most I know right now.
 
All right. We'll take a couple from the Web now. Here’s a question: "When does the Windows 10 1703 normal edition release? Will it require a new ISO image to be able to push it?" The answer to your question, Ben, I have half the answer. I'd have to look up when the 1703 goes fully in production. I don't know that offhand, but it will come with a new ISO, and that ISO will be about 4 gig.
 
Do we have another question from the live audience? Otherwise, I'll take a few more from the Web. Brian has a question: "I’m still very confused. Wasn't Microsoft supposed to be switching so there would be one update package that would fix all Patch Tuesday vulnerabilities?" Yes and no, Brian. The answer is they have done that for the most part for the OS and IE. Windows 10 cumulative rollup and the pre-Windows 10 platforms with the monthly quality rollups are doing the OS and IE together. In the case of Windows 10, you get Edge, as well.
 
The challenge is all the other product lines―there are silos within Microsoft. The Office team is still doing more of a patch by patch. .NET is on their cumulative rollup, but it's a different cumulative rollup than the OS and IE. They're trying, but it's still very siloed. I don't know if they'll get to a point where they combine. In fact, I would say, from what we've seen with customer demand―many customers say, "Give me a security-only that's not cumulative," "Break IE out so I can do those two independent of each other"―it seems like there will continue to be a mix. I don't know if and when Microsoft will put every package into a single update. By the way, if they did that, the size would increase that much more.

Any other questions from the audience? Got one back there? Yes.
 
Participant: I haven't found an InfoSec person who could answer this for me, so maybe you can. When you see an IE cumulative update that is released as Critical, and the next month you see a cumulative update that's rated as Moderate―companies that have policies like ours, we do Critical and Important, but we set aside the Moderates. How can that be? How can you have a Critical component included in a cumulative Moderate update?
 
Chris: The challenge there is when you go with the cumulative model, you have to make a decision. Is it Critical from this day forward? Or, are you going to tell people what the tip is? In this case, if I've been doing it diligently, I know last month was Critical, but this month is Moderate, so I can change my urgency around it this month. Do take into account, however, how Microsoft is labeling it, so if you skip last month, and it says Moderate this month, for you it’s Critical because you didn't do last month. So the answer is a decision has to be made on how you represent that. I'm guessing they like to show a Moderate whenever they can because it happens so infrequently now. With the way they’ve bundled it, out of 13 updates this month, only .NET was not Critical. That would be my best answer to that question.

Another question from the Web audience: "What can organizations do today to reduce the network impact of the growing size of roll-up update packages?" Thanks, Duncan, for passing that one over. Duncan's one of our principal systems engineers, so he was actually taking a customer question he received recently and throwing it over to me in front of a live audience. Much appreciated. For those of you who were in the State of the Union discussion yesterday, we talked about this at a high level. Microsoft is working on a couple of things. They released this Delta update for Windows 10. We already support it in our legacy Shavlik Windows engine. In fact, it’s the one I pushed to my system last night. It was only half the size of the full update, if you did the cumulative.
 
The challenge with that is with the Windows 10 cumulative, you have the Patch Tuesday release with the security updates and then they have this quality preview at the end of the month. If you do the quality preview, it breaks your ability to use the Delta next Patch Tuesday. If you want to take advantage of the Delta, which is the way to reduce the size on Windows 10, you have to do only the Patch Tuesday release for all your systems. Use that quality preview on a select set of systems where you're going to test the nonsecurity changes, but for the rest of the production systems, go Patch Tuesday to Patch Tuesday. That way you can take advantage of that significant drop in size each month.
 
Going forward, Microsoft is working on what they're calling the Unified Update Platform, or what many of you have heard of as Express. Express is supposed to get to a point where it's taking the Delta format down to where everything operates on it, and the size of these things gets significantly smaller. That hasn't released yet from Microsoft. It is on our radar; I've planned time and adjustment into the roadmap for each of our products this year, so when that comes out, we're going to try to integrate with that as quickly as possible. Until we get more details from Microsoft on how that platform works, I can't tell you much more, but it is on our radar, and we are working to try to reduce that size when and how we can.

We have another question back there.
 
Chris: All right. The question was about the Windows 10 Delta. The first question was how not to push both of them at the same time. Microsoft made this change, but we had already done it. I know you're on the legacy LD product right now. The Shavlik engine, which is going to be transitioning very shortly, already separated this out. If you're doing a security-only template, you would only get the Patch Tuesday release and would be able to do the Delta-only. If you did security and non-security, it would try to identify both of those, so that's where it becomes more challenging. The way we've identified it lets you filter it so the one including the non-security doesn't get distributed. You'd only be doing the security-only.
 
Microsoft announced last month that they’re going to make a change. When they release the preview later this month, it should be classified as a regular nonsecurity update. The only flag you get otherwise is critical or no severity. They're making that change because of that pain point, but the way we've identified this with our metadata should make that easier. It’s probably something we should take offline with Eran and talk more about the experience, and we'll try to help you sort that out near-term until the engine switchover, when I think it will be more clear.

“Why isn't the Delta in that catalog yet?” That I would have to check on. I know it's in the legacy Shavlik catalog because I pushed it to my machine last night. I would have to check with the LANDESK team to see if that was delayed in coming. We'll try to find that out and get you an answer. Stop by afterward and I'll give you my card, so we can follow up on that.
 
All right. A couple more questions from the Web, and we have a little more time, so "Are there any early indicators of patching changes for the new Windows 10 edition?" I don't know the answer to that right now. Microsoft continues to force us down the Windows 10 route with Kaby Lake and all the other fun stuff that’s going on, so I think you can expect they will do everything in their power to push everybody forward. I've had several people ask about Windows 7 end-of-life and when that happens, will Microsoft allow people to extend support and all of those challenges. My guess is they're going to do as they've always done, which is not talk about that at all so you have to go to them if you want to extend support. Even then, they'll probably make it a challenging conversation because they really are trying to force us to Windows 10. That's the best I can answer that one right now.

 

“Has the Google Chrome issue with McAfee been resolved?” Stephen, I'm not sure. I don't know that I've seen that issue, so I don't know the answer to that offhand. I would have to look that up.
 
Do we have any more out in the audience? Otherwise, I'll continue with some of the Web questions as we have more coming in. "In regards to the Intel vulnerability, does AMT have to be provisioned in order to be exploited? Also, what is the link for the Ivanti package to mitigate the remote attack?" I believe the package is on the Ivanti community. I would have to search for it to find the specific KB, but there is a KB that describes the method we're using and has the package available to push that out.
 
"Does the AMT have to be provisioned to be exploited?" My understanding from everything I have read is AMT being provisioned makes it remotely exploitable. Without it being provisioned, there's still a risk of local exploit until those BIOS updates come around, so there are two levels of risk. If you mitigate the broader risk, you significantly reduce your risk, but there is still a local risk. If somebody's at the local machine, they can do a lot of other nasty things and that's probably a lesser issue at that point, but if you can disable or unprovision that AMT service, you're reducing the remote exploitability.
 
"MS 1705, IE showing as Critical on your presentation, however, under the Shavlik Protected it's showing as Moderate." Good question, Mohammed. I would have to talk to our content guys and see if we can get that one sorted out. They might've accidentally misclassified it. I'll take that one, and we'll look into it.
 
"MS 1705 IE, should be Critical, rated as Moderate." I was talking to Rob who's our VP of R&D. He's messaging one of his guys on the content team right now to see if we can get moving on that right away.
 
Question from Tim: "Good morning, when can we expect to see replication of May 27 MS security patches available on HEAT EMSS?" I haven't looked at every product to see when it's up there. I would have to check on that.
 
Todd: Should be there shortly.
 
Chris: Should be shortly? All right. 
 
Todd: Meaning probably today.
 
Chris: Next question: “Microsoft now uses security update guide.” Yes, that portal. “So if you install the monthly rollup, you do not need to install the IE updates?" Correct. Again, I had to verify this myself last night because Todd and I got into our intellectual debate again over what the reality was. We went straight to the source, which was to deploy the monthly rollup and then reassess to see if the IE was still showing as vulnerable. Contrary to the documentation, as of last night, the monthly rollup includes the IE updates. If you do the rollup, you get both. If you do the security-only, you have to do the IE, as well.
 
Todd: Separately, right?
 
Chris: Yes. All right: "10 S is the new edition for education competing against Chromebooks. Will the IE supersedence issue be fixed in Ivanti Logic?" Eric, I would have to know more about that issue and what it is. I would say, first of all, let's make sure there's a support case open on that, if you think there's an issue with how supersedence is being detected. Second, if you send me some specifics around it and the case number, I can ask the team what's going on and see if we can get that sorted. Because right now we have three different Windows content streams, I would ask you to include the specific product you're using, so I know which content stream we're talking about. We are trying to bring everything together; it’s just a matter of time before we get it all.
 
It looks like that might be all the questions. I’ll double check under Chat and see if there are a few more there. Well, there are a few more. "Lately noticed Adobe patches are each requiring a reboot in our SCCM configuration: one app patches, then wants to reboot, then the next." Normally, Adobe updates like a Flash update might require a browser reboot but not often a system reboot. I would say, if you're using Ivanti’s third-party catalog for that, open a support case and let's take a look and see if there’s something configuration-wise, or if there’s something in our content. I would expect I would have a lot more people beating down my door if that was hitting everybody, but if you haven't already reached out to the support guys, then let's take a look at that.
 
Let’s see: “Sent a question about Adobe patches. My PC crashed, so not sure if that was answered.” Oh yeah, that’s the line I just read, Doug, sorry. All right, it looks like we've answered all the questions. Any more from the audience here? No? All right.
 
Todd: No? Good.
 
Chris: Well, thank you everybody for joining us, and we'll see you next month for another round of Patch Tuesday. Thanks everyone.
 
Todd: Thanks everybody.