September Patch Tuesday
September 13, 2017
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris: Good morning, everyone, and welcome to the Wednesday...or the September Patch Tuesday. So my name is Chris Goettl, and with me today is Todd Schell. Todd, how you doing today?
Todd: Hello, everyone. I'm good. How you doing, Chris?
Chris: Doing really good. So we've got an interesting Patch Tuesday, we've got kind of a combination of a number of things going on out there, so we're going to cover a few things. We're going to cover just a quick overview of...a high-level view looking at what's coming out. We're going to go into a lot of what's in the news right now. There's a number of things that are going around right now that there's a lot of concern about some of 'em, especially some of the more recent breaches and security vulnerabilities that are being exploited in the wild. We'll talk about those a little bit there. And then we'll shift into the meat of the presentation today, talking about the actual bulletins, the updates that released yesterday, from the Microsoft, Adobe, and finally we'll wrap it up with some Q&A.
So as we go through the webinar, if you do have some questions, go ahead and post those to the Q&A section and we'll respond to those as quickly as possible. Some of them will be answered throughout the presentation, but any that remain here, we'll get into that at the Q&A at the end. All right, so starting off with a quick overview, you know, many of you are...I know there's a lot of regulars on here. You guys have seen our infographic, this is the summary level of that. There's a more complete one that actually goes bulletin...that bulletin as well. It bubbles up a lot of the information that people are going to want to see at a glance just to know the scope of what we're dealing with here.
Total of 17 updates across the different vendors. Microsoft and Adobe, all of those are security-related. The two in the other category, there's a couple of vendors that release non-security updates that are testing processes, catch those and automate most of the effort of bringing those in, so they get brought in on Patch Tuesday as well if they're brought into the process. So, we've got two other vendors that released yesterday but they are not security-related. Couple of other things to note here, we do have one zero day -- we're gonna get into more detail on that. There are also three public disclosures, and a few other things that definitely need some attention, so we're going to talk about a number of those. All right, so getting into some of the news. So on the more serious side, the breach is back. We've got a large-scale...
Man: [inaudible 00:02:40]
Chris: ...[inaudible 00:02:43] breach that happened at Equifax. This one has made some pretty significant headlines, as much for the circumstances around the disclosure, as much as the breach itself. You know, I'm not gonna get into the...kind of the circumstances around them delaying disclosure or anything like that as much on here -- I think there's plenty of articles around about that. The one thing that I did wanna bring up is showing this article, it's just probably the best one I have seen as far as the 'what to do'...
Man: [inaudible 00:03:17]
Chris: ...to respond to that. So let me show this KrebsOnSecurity article. So Brian Krebs is a security researcher, he writes up a lot of the different breaches and everything like that. I really like his approach here in helping people kind of boil down to what's the reality? Sifting through the, they're offering you free credit monitoring, different things like that. Brian's analysis here, I think, is spot on for the reality of it. It talks about what information was actually stolen there, it does span beyond just the U.S. -- U.K. and Canadian residents were also potentially affected here. There's links to, like, what are they doing about breach? There's the information about the site, where you can go and see if you were affected. Which so far, through a lot of different sources, not just Brian here, they basically said that the site seems unreliable.
It's either cracking under the strain or really is not doing a very accurate job of the portraying, because the same user...or the same person being entered in multiple times could even give differing results. So some issues potentially with that, don't take it at face value. There were some concerns about the legal terms around enrolling for the free credit monitoring. So there's some gray area there. You know, again, Brian kinda gives his response to that. Should you take the credit monitoring? This is probably where I think the most valuable information starts to come out of this article -- should you take the free credit monitoring? Brian goes through quite a bit of depth here in the next few questions explaining what is the credit monitoring really doing for you? Is it really going to help you?
And what is the better alternative to doing that, which he's recommending actually doing a security freeze on your...what's known as a credit freeze, for the major credit bureaus. This makes it so that you basically get a PIN, you can store that in a nice secure location, and make sure that basically nobody can freeze your credit...your information with the credit bureaus, until you want [inaudible 00:05:54]. So he goes through a bunch of things here talking about that. I would say for those of you who have concerns around this, this is probably the best information that I've seen on this. So, that's our first article today. Let's talk about a few more here. The next one that happened was, the Shadow Brokers are back, and they have released another round of hacking tools.
For those of you who recall, back in...earlier this year, Januaryish, they released...basically they had been trying to auction off a bunch of data they had stolen from the NSA, and in this data were a variety of exploits, hacking tools, a bunch of different information. Documents, procedures -- different things like that. The Eternal SMBv1 exploits that led to the later WannaCry, NotPetya, and several other variants of ransomware and malware attacks throughout the middle part of this year, were basically made possible by the release of that Eternal family of SMB exploits. So I think one thing to note here is, this release from the Shadow Brokers is something that you should be taking as a foreshadowing of things to come. The article here from "The Hacker News" -- you bring this one up real quick just because, again, it was a good representation of information about what was going on here.
So it talks about the toolset that actually is being discussed here. In this case, rather than it being some protocol vulnerabilities like the SMB ones, this is actually a framework of tools. And this framework allows for everything from recording conversations using the computer's microphone, capturing data from the webcam, snapping photos, and things like that. Tools for exfiltration data, like browser histories, login details, passwords, keyloggers to capture keystrokes, and ability to access data on removable flash drives connected to the infected computer. I mean, this is a platform designed for an actor or an advanced persistent threat. With a powerful nation-state-driven toolset like this, somebody could do some serious damage. It's a very complete set of tools there. So this potentially being...start to be sold to a variety of different threat actors out there, poses some future risks here.
Other potential breaches that could occur because a very powerful set of tools have now been put in the hands of our adversaries. So, definitely something to be concerned about, to take seriously. If, down the road here, there are vulnerabilities resolved that will plug some of the things that these tools are taking advantage of, those are things to watch out for. So as news develops on this going forward, we'll have to watch that, and as things come up, we'll have to take it more seriously this time around than the global community took the SMB exploits. We don't wanna see more breaches, more vulnerabilities being exploited just because we didn't move quickly enough. All right, another one that's coming up that definitely has some serious ramifications here, is the BlueBorne Bluetooth vulnerabilities, which are reportedly leaving millions of devices exposed to exploit without the need for user interaction.
Proximity is really the only thing here. So there's a number of articles out there. I chose the "PC Gamer" one, of all articles, just because I think they did the best job of covering the breadth of the issue. Let's see here, if I can get to the right one. There's a few articles here, like this one went into detail mostly on just the phone level, but that's not the extent of the vulnerability here. The "PC Gamer" article has the same link to the "BlueBorne Explained" by Armis, the team that was discovering these exploits. Getting down into the details of this one...No, did I go past it already? Where is it? Yep, I scrolled past it. ...So this one is talking about the fact that 5.3 million devices across Windows, Linux, Android and iOS are affected. There is recommendations in here that any devices that use Bluetooth, or that have Bluetooth there are not using it, probably should be disabled.
Older devices with Bluetooth on it may not be updated to block these types of vulnerabilities, so older devices with Bluetooth, you may wanna be even more concerned about turning those things off. I think there's actually...and I thought this was going, but maybe there's another one here. Me, I've gotta move this screen over for a little bit. Come on, go away. There we go. This one from "The Register," okay, here's the list, "The eight different vulnerabilities that have been identified so far." You've got Linux...the Linux Bluetooth stack, BlueZ, Android, two other Android vulnerabilities, the Bluetooth Pineapple in Android, Bluetooth Pineapple in Windows -- this one is patched as part of Microsoft Updates this month -- and the Apple low energy audio protocol RCE vulnerability.
So all of these vulnerabilities were identified as Bluetooth vulnerabilities that this team was able to exploit. They talk a little bit about even having these devices be able to get infected, and then as they come into proximity with other devices with the same vulnerability, basically pass that infection on. So almost like a physical virus for a human, where you come into proximity with somebody who's sick, and you can pass that on -- airborne, pretty much. So it's a pretty scary thought on that, and the researchers involved here are really thinking that this is kind of a tip of the iceberg. These Bluetooth vulnerabilities, there's eight of them so far, and they're suspecting there's much more in there. So as this goes forward I'm expecting that we'll see more Bluetooth vulnerabilities potentially getting resolved there. All right, let's go on to the next tab here. So, a few different, more comical news articles out there.
You know, we always see so much doom and gloom, I thought I'd bring in a few more comical updates this time around. You've got this one here, which came out of Def Con, some hackers that were able to breach and then rick-roll a voting machine. So for those of you not familiar with rick-rolling, it's the song from Rick Astley that people have gotten into the habit of doing what's called rick-rolling and basically tricking your friends into clicking on the link and hearing that song, which then gets stuck in your head and won't go away. So this talks about how they took a WINVoting machine and they were able to hack that, and the video here, the YouTube video -- you could see the cord here -- but they've got a speaker plugged into it that starts playing the music then.
So, that was an interesting article that came out of The Black Hat. This one actually came up in July, but one of my colleagues decided to tweet me this month saying that, "Fearing the fish tank is something that we should all be doing now." Referring to this casino breach that happened. So this one was a fish tank that was hooked up to an IoT device that was monitoring everything from tank temperature, to the water quality and food level -- different things like that. This was the device that was used to actually breach and steal data from a casino. So the security firm Darktrace traced the origination of the attack back to this device. So it doesn't matter what device it is on your network -- whether it's the coffee maker, the fish tank, the refrigerator, the lightbulbs -- many different devices that are connected to our networks could be used against us.
So that kind of spawned a little end of day activity here yesterday for us at Ivanti, and for your viewing pleasure here, I have put together a Top Five Fish-Related Security Puns that we're going to go through here real quick. So first on the list, "Security vulnerabilities always bubble up." I can hear the groans already, and you're all on mute, I know. "Craps, phishing a casino." That was a good one too. "One fish, two fish, don't scare me, phish." "A new meaning to phish and chips." That was a good one. That was from one of our U.K. marketers. She's great, that was a good one. And then top of the list here, "Sounds like they were "Finding Nemo" -- and his date of birth, and his Social Security number, and his credit card info." So that is our Top Five Fish-Related Security Puns for September. All right, so, sorry, that was just a little bit of humor there, as the team was going through and discussing all the different security-related news this month.
Moving into the meat of what we're talking about this month, though, let's go through some of the public disclosures and exploits that were detected. The first one here, this is a vulnerability in Microsoft Edge which could allow security feature bypass. So this one, the attacker could bypass the security features of the Edge browser by, "Tricking the user into logging into a page containing malicious content. To exploit the bypass, an attacker must trick the user into loading a page containing malicious content or visiting a malicious website." I think we can all agree that it's not a matter of, can you convince a user to click on content? It's a matter of, just how many users does it take to get somebody to click on it? So statistically, it's just a mathematical game here before you get somebody to be able to do that. So that's in the Edge browser.
The next one here on Windows 10 in Device Guard, another security feature bypass, this one, "Could inject code into trusted PowerShell processes to bypass the Device Guard Code Integrity policy." So again, in this case, "The attacker would have to have access to the local machine, and then inject the malicious code into a script that's trusted by the Code Integrity policy." Now this one takes a few more steps to be able to exploit, it's a little bit harder to do so. The one reason why we bring up vulnerabilities like this that have been disclosed is, hackers are...they're creatures of habit. They're going to take advantage of something that's already been done, or take advantage of information that gives them the majority of what they need, so that they don't have to go do all the work themselves. So a public disclosure, even one that's rated as only an 'important,' may be one that gets exploited. So that's why we discuss these public disclosures.
The third one here is another public disclosure in the Broadcom BCM43xx Remote Code Execution vulnerability. So this is in HoloLens, on Windows 10 as well, and in this case an attacker, "Could take control of an affected system. There, they could then install programs, view, change or delete data. Even create new accounts with full admin rights." They would need to "send a specially crafted Wi-Fi packet" to the system to exploit this. So this is something where, again, they would have to be somehow on the same Wi-Fi network, again, with users going out into the world. Maybe in an internet café, their Wi-Fi is on, they're on public Wi-Fi with a whole bunch of other people, somebody could easily be on that same Wi-Fi and be able to take advantage of that. So three out of three of the public disclosures this month were all on the Windows 10 platform, either in Windows 10 itself or in the Edge browser.
We do have one public exploit this month and this one is...it's a good example of how an update only rated as 'important' is still likely to be exploited if the information is available to an attacker. So this is actually part of the .NET update this month. The CVE that was exploited, basically allowed the attacker to take full control of the affected system. At that point, they are able to "install, view, change, delete data, create new accounts." The one thing here is, this is a good example of how configuring least privilege can help mitigate the impact. In this case, if the attacker is able to craft a document or an application to exploit this -- convince the user to click on it -- the user that clicked on it, the context of that user is the context that the attacker is operating in. If they've got full admin rights, the attacker has full admin rights, if they've got less than full admin rights, the attacker also has less than full admin rights.
So this one, FireEye is the security firm that discovered this vulnerability. It talks here about the approach that was used to do this. This was a recently detected malicious Microsoft Office RTF document that leveraged this vulnerability. So what it was able to do then is, inject a SOAP WSDL Parser Code injection vulnerability that allowed the actor to inject arbitrary code into...or during the parsing of that SOAP WSDL definition content, the...So in this case, the document contained, "Arbitrary code that was able to download and execute a Visual Basic script that also contained PowerShell commands." A very lengthy chain of pieces coming together there to do this. So I think the vulnerability was rated a little bit lower and only classified as an 'important' because of the complexity of doing this, but we have a real-world example of it actually being exploited.
So somebody had the information to do this. Now, FireEye suspects that in this case, it was a nation-state entity that was probably doing this, and it was targeting a Russian-speaking audience. But, you know, the vulnerability being out there, you can bet that it may be available to others and utilized elsewhere. So that .NET update this month -- again, because it's been exploited in the wild -- that one's a much higher risk. So definitely one you wanna get resolved as quickly as possible. All right, couple known issues. We've got this NPS authentication that, "May break a wireless client, making it fail to connect." There's a link there to the Microsoft article. That one, you know, when I looked at the page originally, it looked like it was in the new September KB articles that came out.
When I looked at it again this morning, the pages had been updated with a lot more data, and it looks like that NPS either was last month, an August update as well, and for some reason they had a clerical error when they updated it, or maybe continuing this month. So that's one where, again, that one is potentially able to break on an 8.1 or 2012 R2 system. These couple of Japanese IME may hang in certain scenarios, KBs here. There is a couple articles there, two different KBs that could affect it, and there is an additional update that can fix those systems if you do run into that one. And, you know, at the end of August, when the preview of Monthly Quality Rollups came out, there had been reports from the global community that there were a variety of issues that had occurred there.
This is one of those things where Microsoft has an update pattern where they do security-related items on Patch Tuesday, second Tuesday of the month. Later in the month they do this preview, and the preview is where they're doing quality updates. So that's bug fixes, new features -- things like that -- that are not of a security nature. You know, for those of you who are utilizing our products, it's one of those things where, for the majority of your systems, we recommend that you stay on the Patch Tuesday cycle and update the Microsoft cumulatives on those cycles. For those of you who do run into issues late in the month with the quality update, you can skip over that timeframe and go straight into the next Patch Tuesday cycle, which will -- if you're using the cumulatives for, like, Windows 10, and the monthly rollups for pre-Windows 10 systems -- you get those quality updates as well when that next Patch Tuesday update comes around.
But many of the issues that were encountered by people on the initial rollout would have been fixed. So, again, it's one of those things where, majority of your systems, you probably wanna do the security cycles only, and only do the previews for a smaller group of more technically savvy people who can react better if something does break. It's a good thing to do at a telltale sign to make sure that when you get to the next Patch Tuesday cycle, those quality improvements aren't gonna break something on a mass scale, but if you roll that quality fix out en masse, you could have a lot more pain than you may have wanted to sign-up for. So we just recommend doing that preview at the end of the month as a smaller subset of people, to evaluate and make sure that the next round of cumulative updates coming in the next Patch Tuesday don't adversely affect your environment. All right, Todd...
Todd: I'm here, Chris.
Chris: ...[inaudible 00:25:53] bulletins.
Todd: Sure, let's walk through what happened this month -- and we'll start off with Windows 10. Large number of vulnerabilities fixed this month, and you can see that's 60 of 'em were addressed -- I actually ran out of room and couldn't squeeze 'em in here this month -- did include the 3 that you mentioned, Chris, that were publicly disclosed. So those are listed here. And if you want a complete list, obviously please go to the Security Update Guide, and you can get a complete list of the vulnerabilities there that were addressed this month. Last month they only addressed 42, so this is a big jump, addressing 60 this month. This known issue at the bottom here, this is carried over from last month. For those of you that were on our webinar, may have seen this. So they're still carrying this forward, looks like they haven't fixed this particular problem with Microsoft Edge yet, as far as resetting the languages to English on Czech and Arabic systems.
So just kinda be aware of that one. This does cover the full range of impacts, all the way from Remote Code Execution through information disclosure, so take a careful look at all of these patches for this month on Windows 10. Next slide, Chris. This month on Server 2008 there were 22 vulnerabilities reported. I got 'em listed here, so you can take a look at those. You'll notice none of the publicly disclosed ones are addressed here. As a matter of fact, those three that Chris mentioned are only on...in the Windows 10 bulletin affecting Server 2016, Windows 10 and Microsoft Edge. So you'll notice that the rest of these don't have any highlighted CVEs associated with them. But anyway, they did release a good number of patches this month for Server 2008, this information is scattered across 7 KB articles, and it is rated at 'critical' because of Remote Code Execution.
Next slide, Chris. Internet Explorer this month -- as usual, they've released both a security update, a cumulative update, and individual patches. So those are available and rolled up under this bulletin. Notice that it does address Explorer 9, 10 and 11, as usual. And also as usual, these fixes are included in the Security Monthly Quality Rollup, so you can get 'em either way if you're running with the security update or the monthly rollup, it will install these fixes as part of that package. As he said, there were seven vulnerabilities fixed this month -- it does require a browser restart, obviously. One thing that you'll see as scattered across couple of these next couple of bulletins is that the WordPad application can sometimes crash after this particular KB down here, 4025341 is installed. So just be aware of that. You can restart it afterwards, it'll be fine, but the first time it'll crash after launch.
Next one. Starting with our monthly rollups for the...you know, the kind of the more active operating systems -- Windows 7, Server 2008 R2 -- this monthly rollup includes 24 fixes, plus as I mentioned just previously on the slide, the 7 IE vulnerabilities. Same WordPad application crash I mentioned earlier, and you can see here that it does require a restart, of course, as well. This does also include all of the improvement and fixes that were a part of the...as Chris mentioned, the preview released back on August 15th. Next one up of the operating systems is for Server 2012. This one adds two additional vulnerabilities to the...compared to the previous patch that was released for Windows 7. Fixes 25. Once again, this is a monthly rollup so it does include those IE vulnerability fixes as well.
It still includes that WordPad crash, and you'll notice down below here that this is also the first one that talks about the Japanese IME issue that Chris talked about earlier, and I've included here, the workaround is to install that KB, 2960837, in this case. You'll notice that there are -- in the next one, Chris, if you would move on -- there's also, again, another fix for this one. As the second KB article, it is separate, so it is a separate fix for the Server 2012 versus the Windows 8, and Server 2012 R2. This particular rollup this month includes 27 vulnerability fixes, there are also, of course...definitely because it is a rollup, there are 7 IE vulnerabilities as well, and just like the previous ones, it does include the preview information that was released back on August 15th.
Also note down here in the Known Issues, this is the one where the NPS authentication may break, Chris talked about. If you open up the KB article that Chris had referenced article, you'll note that there is a workaround. You have to go in and make a registry change, just be aware of that, but there is a workaround fix for this. And Chris, you had mentioned when you took a look at this -- it is correct, we did announce this last month -- this is a carryover from August as well.
Chris: Okay, so I didn't read that wrong, they did have it last month but they're also carrying it on this month for these cases. Okay.
Todd: You are correct, yep.
Chris: All right.
Todd: Next one. So moving on to the security-only updates. This, once again, breaks down the individual patches for the month. Still, there are 24 vulnerabilities. In this case, you can apply them individually, the same fixes that are included in the monthly rollup, and I have a...they're all identified under the single KB bulletin there, 4038779. And of course, this WordPad crash carries over in here, because it's also related to the monthly rollup as well. Moving on to the next one, we'll talk about the security-only update for Server 2012. Kind of the same issues as the monthly rollup, addresses the same 25 vulnerabilities. Be aware, because this is security-only, it only includes the security fixes, it does not include a lot of the added quality fixes that are included in the monthly rollup, it also does not include the IE vulnerabilities, so you would have to apply those separately.
There was a re-release of a security update for the Windows print spooler that was included as part of this, so just be aware of that. This is one of those things where they're going back in and grabbing things from previous releases and including them in the update. So there is an update for the principal who are in here that would be detected automatically as you run through and attempt to apply these patches on your systems. Moving on to the security-only update for Windows 8.1, Server 2012 R2. Once again, several critical fixes in here. You know, just kind of rehashing again, 27 vulnerabilities addressed in this particular release. Like the monthly rollup, the NPS authentication issue exists here as well, and of course, the Japanese IME issue. Both of these have workarounds that are identified, we'll see if Microsoft rolls the fixes into future updates. Moving on to Office now.
This was a huge month for Microsoft Office updates. You can see the affected products across the top of the board there, all the way from Office 2007-2016. The complete suites were updated, so be aware of that. You'll notice down there under the Known Issues thing...under the Known Issues bullet, rather, the one thing that's important for these Office updates is that you have the latest Service Pack in place. So this is especially true for a lot of the older versions, so the patches will apply, for example, back on Office '10...Office 2010, rather, you have to have Service Pack 2 in place. For the individual applications that are identified with updates, if you're only updating...tactically updating individual applications, for example, Excel 2013 SP1, for example, has to be in place for the patches to apply.
You'll note also that these patches are for both Windows and Mac releases, and I've included here, and there's Live Meeting 2007, the 2 versions of SharePoint 2013 and 2016 are updated with security fixes, previous versions of Lync, and of course now Skype for Business 2016 was updated as well. One thing that was kind of interesting this month, when you take a look at the impacts that were listed, Microsoft included something called Defense in Depth -- I kinda highlighted it in green here -- and it's actually addressed under the Advisory 170015. You'll notice that's the first one of the 15 vulnerabilities that I've listed here. There's not a lot of detail given here, it's kind of vague, we're not really quite sure what they did there, but they're referring to this as a Defense in Depth. Chris, did you have something to add on that one?
Chris: Yeah, so you know, this is one of those...this was kind of odd. This was the actual advisory article that was available there, and you could see here, there really is not much data at all. It really just has what affected product, so we don't know exactly what they're doing in this Defense in Depth update. I looked around trying to find out if any of the security writers out there had gotten some inside information and posted it. They had not, as of yesterday. And, you know, in poking around I saw some of the previous ones. This isn't the first Microsoft Office Defense in Depth update that there's been. I think couple months back there was one that was done to basically disable, I think it was the EPS format for a period of time until an update was really.
So my guess here is that this Defense in Depth update is either disabling or configuring something to mitigate risk in a certain area that they know is a concern right now. The fact that they didn't really disclose much about that means that when you apply this, just be ready for potentially some behavioral changes on this one. It's uncertain what exactly they're doing. So that's about what all I had there, unfortunately they just didn't give much detail on this one.
Todd: One thing I'd like to add here on the Office side, last month we talked about Microsoft's move of their Windows-as-a-Service model. They're changing their terminology up, and they're going away from the current branch and the current branch for business. We talked a little bit about that last month. On the Office side, and then we're kinda seeing some of the first terminology changes here. So you'll find that the current channel for Office 365 is now referred to as the Monthly Channel. They're gonna rename the Deferred Channel to the Semi-Annual Channel in January of 2018, so haven't seen that change yet. But what they were referring to as the first release for Deferred Channel -- I can't believe all this terminology, right? -- it's now the Semi-Annual Channel targeted.
So we have seen some terminology changes this month in the Office 365 updates, and I'm assuming we're probably gonna continue to see that as Microsoft moves forward to the complete changeover by the end of this year. So just kinda be aware of that when you see this terminology. Last month we had a link that went back to the Windows-as-a-Service model and the changes there, so you might wanna take a look at that if you have any questions. Okay, Chris, you can move on.
Chris: Yeah, actually there's a couple of questions that came in here that we might just wanna wrap-up right now. So I think the first one here was around the, "When do the security-only cumulative and previews typically release?" So just to kind of clarify this, for those of you who might be new to a lot of those terms, the security-only bundle is a release option that comes out every Patch Tuesday for the pre-Windows 10 platform -- so Windows 7 up through Server 2012 R2. That gives you just this month's security updates in these in a single package. IE is split out from that, so if you do the security-only track, you also need to do the IE cumulative each month. The monthly rollup, in terms of both Windows 10 and the previous version, this is the monthly security Patch Tuesday release that includes the security updates, but it's cumulative so it includes last month's quality preview, along with last month's security updates -- and the previous, and the previous, and the previous.
So the security-only bundle and the monthly rollup come out on Patch Tuesday. The preview of quality rollup, that's the one that comes out late in the month -- usually it's the last week of the month, right around there. This is the one that typically it would have been the large number of non-securities that Microsoft would have released individually, they're all in...for Windows 10, they're all in that cumulative update at the end of the month. That one, if you skip it, when you get to Patch Tuesday next month...So if we skipped this month's preview later in the month, we would get into October, and on Patch Tuesday we would get all of the updates that were released in the preview, but in that couple week's span, they've typically resolved many of the issues that are going on there.
Now, that kind of leads into one of the other questions I'm seeing here, which was the NPS issue that was occurring. "If we had the issue first time around, is it the same this time around?" The fix -- the registry key and the value that set -- looks to be the same as it was last month. My guess is that the registry key is independent of the update, so after that the update's applied, that registry dword that you've already changed should not be affected again, but you may wanna test that to make sure. So the same workaround should be continuing there for right now until they resolve that issue. Relating to Office, so Todd, the question here is, "The Office security updates, are these considered a rollup? Are they cumulative?" So Chad here has Office 2010, and over the summer they've had to defer some of the updates because several of those had broken things. In this case, should he be assuming that this is a rollup of everything that came before? The Office updates are cumulative, aren't they?
Todd: Yeah, I'll have to go and take a deeper look at that, Chris, I'm not 100% sure. These are all identified as...like, for example, Microsoft Office 2010 Service Pack 3, and associated with that this month there were, like, 6 bulletins released associated with this. So I'll have to go back in and dig, I'm not sure if they're cumulative or not.
Chris: Let me see. While we're going through the rest of these, I'll see if I can get an answer from our content guys real quick on that, Chad.
Chris: All right, let's continue on, there, let me advance your slide, there.
Todd: Thanks, Chris. As usual, this month a release was given for security...for Adobe Flash Player. There's a couple of different severity ratings in here. It's critical for IE and Edge just because the way Adobe had released this and said that there are critical fixes. It's rated as 'important' for Chrome and the Linux desktop browser, so just be aware of that. There were two vulnerabilities that were fixed with this release that could result in Remote Code Execution, and you do have to obviously restart any application that was using Flash Player as you've completed this update. Next slide...
Todd: ...Chris. No problem.
Chris: Clicking between windows, it didn't wanna advance for me. There you go.
Todd: Here we go. And of course, Adobe had released their own bulletin on this, it was 17-28. Basically it addresses the same issues that were covered under the Microsoft release. It does cover Windows, Mac, Linux and Chrome OS, so just be aware that the same vulnerabilities exist across those operating systems and were fixed with this particular release.
Chris: All right, so Chad, I did get back word from the content guys already there. They are saying, yes, in fact the Office updates are cumulative, so they will include the previous updates. So if you are having issues with the previous ones here, that's one thing where you're gonna wanna make sure to get those issues resolved before rolling that out.
Todd: And as I mentioned previously, Chad, make sure that you're up to the latest Service Pack and then apply these security updates.
Chris: Yep. All right, our .NET update.
Todd: Yep, moving on to the .NET. This fixes vulnerability 8759 that Chris had covered in quite a bit of detail earlier. Be aware that we've...there are actually four bulletins, sub-bulletins that we released underneath this. Essentially what happens is that all of the .NET Frameworks are specific to the version of operating system that they're running on, so essentially what we do is, we combine them together, lump 'em under our own bulletin numbering system. So each one of these 4 bulletins will address, for example, Server 2008, would be one example, Windows 10, etc. So we combine these under those bulletins in that way, and so there will be four sub-bulletins under our overall monthly rollup for Microsoft .NET.
One thing I wanna note here, Chris, as you go to the next slide, which talks about the security-onlies, I just noticed this this morning as I was looking at our infographic. It appears that our spreadsheet incremented this CVE number, so one says 8759 and one says 8760. They are both 8759, so if any of you are using our infographic on our website -- I noticed that first thing this morning -- be aware of that, it's actually the same vulnerability.
Chris: Yeah, we'll have to get that corrected. Excel is doing one of those really nice helpful things where I pasted it and dragged it down, and it incremented the number for me, and I didn't realize.
Todd: Exactly, yeah. We haven't seen any .NET updates since back in May, so kinda be aware of that. It's been a while, and you know, you should apply these on your endpoints.
Chris: There have been some non-security updates for .NET, but for most people updating .NET, security is typically the only ones that they do. So yeah, for those of you who only do the security updates for .NET, it's been a while.
Todd: Yep. Same through for the next one, Chris, as you advance here to Exchange Server. We hadn't seen an update for Exchange Server since July, so it's been basically [inaudible 00:45:15] the month, but there were releases this month addressing two particular vulnerabilities -- 8758 and 11761. So if you wanna take a look at those, you can. These apply to specific cumulative updates. There's a release for SP1, one for cumulative update 16, and version 2016, cumulative update 5. If you do go to the bulletin that's listed there, 4036108, you will also notice that there are 2 additional updates -- one for Server 2016 and one for Server 2013. I think the previous versions are available.
There are no updates for those this month, that's why I've only listed the three here, but if you haven't applied security updates in the past, there are actually five security updates available across each one of those releases. So just be aware of that. This is just basically an information disclosure issue and a possible Elevation of Privilege, so it's only rated as 'important' not 'critical.'
Chris: All right. So one thing that we often do here is just to give visibility into all the other things that came out in between, we put together this slide just to give you kind of a view of what's going on. So, we did add several new products in between August and September Patch Tuesdays: I think it's pronounced Recuva, SQL Management Studio 17, AIMP versions 3 and 4, Allway Sync and Bandicut. Those products were all added here. We had security updates for Opera, Tomcat, Microsoft, Adobe Reader, Chrome, Firefox, FileZilla, TortoiseSVN, WinRAR, Notepad++. And you can see it's quite a lengthy list of vendors that had security updated...or security-related updates, or updates that somewhere in their chain have security updates available.
So each one of these releases, while it may not specifically have had a security CVE related to it this month, it's in a chain where a CVE...multiple CVEs may exist. So depending on what version you're at or what version you're going to, we often treat these vendors always as security because you may have a vulnerability on one system, and the next system is one month out of date and perfectly fine from a security perspective, but we have to treat that a little bit differently to make sure that we're giving you that Defense in Depth approach to securing these applications. There were also a number of non-security updates that occurred there. Some of the biggest things we refer to there is just a matter of, especially for systems that can be exposed to more security risks -- laptop users, people who go outside the network, people who are predominantly off-network.
Systems that are exposed to third-party vendors or the vendors that may have access to some systems in your environment, but you don't have control over their environments. Those types of systems, you may wanna get on a more stringent, a more frequent update cadence. Our content teams are releasing content twice a week, so that's just a few things there to keep an eye on. All right, Q&A, you've got the...
Todd: Chris, one thing to add.
Todd: Chris, one thing I'll chime in here real quick on that last slide. You saw on our infographic that there were two additional companies that released yesterday -- that was CCleaner and Evernote, by the way. Just wanna point that out in case anyone was wondering.
Chris: Yep, so there was an additional question about the supersedence for the Office updates if they're cumulative. So the answer, Chad, to the question before is a little bit more complex. So, like, this month there were 51 KB articles on Office alone. Underneath that there were actually 96 different actual physical patches that could be downloaded and applied depending on which variations you've got: whether it's a full suite update, whether it's an individual product update, which version it's on. Each one of those could have a different supersedence chain, so the answer is a little bit more complicated there. You're on Office 2010, I believe, so in that case the update that applied there, if it's, again, in the supersedence chain -- if you see that the previous month is resolved by this month's update -- that definitely would be a cumulative in that chain.
So that's the best way to determine that, but there can be one-off patches for Office for specific versions of specific products. It's kind of a nasty mess when you get deep down into Office detection and everything there. So if you do have any questions there, you can always open a case with our team, go through the specific updates for your environment with our support organization, and we can help you trace that back to determine exactly if the chain you're on is cumulative or not, but that's...Typically the Office chains, whichever one you're in, most of the updates are going to be cumulative -- there are some one-offs that may not be, so... All right, let's go through some of the other questions. Oh, one that came through...Yes, I know, my rhymes there were not...the scale on those was not perfect, so sorry about that. It was just more of a fun little exercise that we did.
The question about the links to the articles that we were using there. The majority of the links that should be in there, but I'll take a moment to grab the rest of the links that I showed today and make sure that they are either in the slides or in the speaking notes on each slide there so you guys can reference those by grabbing the PowerPoint here. Question from Greg, "New to Patch Tuesday, we've just taken over WSUS." Okay, so this was the question over monthly rollups versus the quality preview and when they release. So I think we've answered that one. Another question from Jim, "Have your customers experienced the 1703 feature update breaking the Edge browser?" So Jim, this was the...I may kind of mentioned early on in the webinar about some releases that have come out recently that different people have been struggling with.
We've had reports of a number of kind of the quality updates that have affected people's environments differently. I didn't have the specific list of examples up in front of me. There've been a number of issues with both 1703 and several of the different components, the Creators Update breaking things. It's been a little bit of a mess there on some of those. So if you're experiencing some of those, one thing to do is, if you have not already done so, try to open a case with Microsoft and make sure that the issues you're seeing are...you know, they're aware of them. I'm guessing they are, but yeah, it's been kind of all over the board. I don't know specifically on 1703 if the Edge browser was one of those. ...So question from Darryl was, "Will the Service Packs be listed as a patch that needs to be installed if it's not installed?"
So Darryl, depending on which product you're on from our organization, you would see potentially slightly different variations of how this is represented. But if you are on an earlier version of Office, not the latest Service Pack level, you would see a missing Service Pack available for that. I'm wondering if I have one here for my example. So this is showing the patch for Windows product -- these are all showing missing patches. You could see here informational items. Those informational items are meaning...or they're indicating that I'm at the latest Service Pack level for the products that are displayed here. So you could see here that I've got the latest Service Packs for things like Visual Studio and SQL Server. If I had a missing Service Pack for those, you would have seen that as a missing Service Pack instead of an informational item.
And if you're at the right Service Pack level, then the patches would show properly as missing. Depending, again, on each of the different user experiences, if you're on the legacy LANDesk product or the legacy e-products, what you would see is slightly different, but they would all be able to show you if you're missing a Service Pack, and if you're at the latest Service Pack level, then missing the patch. But all of our detection logic should get down to a level where you get the right things displayed for the state that your machine is in this case. So I hope that answers your question there. All right, from Andrea, "Considering the cumulative updates releasing each month and covering previous security patches, when can I go back and start cleaning old patches downloaded on the Ivanti console in order to free up hard drive space?" So that's a good question.
You know, what I often recommend to people is, if you go back and clean up anything older than six months, typically it's pretty safe. The way that most updates work now, especially for the OS updates, the cumulatives keep replacing what was there previously. You wanna keep probably a good two to three months around, though, because you'll have a system that'll come online after a while that may not be at the right Service Pack level. We have features in our products that make it so that you can patch those systems even if they're off-network or if they're an off-line VM, but there's cases where, oh yeah, we've got a loaner laptop that gets pulled out of the closet once in a while. You know, so having a couple months around is not a bad idea. If you do delete an update that is needed again, it'll be re-downloaded. So usually six months and later, deleting anything that old is typically a safe bet.
Luis, "Does the same bundling hold true for .NET? Security-only update versus security and quality." So yes, .NET was one of the applications to adopt the newer update model fairly quickly, so you will see a security-only versus a monthly rollup on Patch Tuesday for .NET updates, if they release there. And you can see a quality that will typically come out. So actually we did have, I did notice that there was a quality update for .NET Framework that came out late August. So those are quality-only fixes or bug fixes, things like that, not security-related. So yes, they are using that same model.
Todd: We're hoping Office would eventually get to that but they're not there yet. Right?
Chris: Yeah, I think that they've got a bit more to clean up. Office 365 has already adopted the Windows 10 model of everything on the cumulative, and then they do the security Patch Tuesday release and then they do the quality preview. But I think the older Office platforms are going to be a little slower to catch up, right?
Todd: Yeah. If ever.
Chris: Yeah. So Russell had a question about Adobe Reader -- 11.0.22 not available on reader download website. So that's a good question. I had not heard that. I don't have a good answer for ya' on that one. I haven't seen or heard anything about that one to give me any reason why that would be the case. Yeah. Adobe, again, did a number of releases between Patch Tuesdays this month, I think it was two or three that they had there. So the next question was from Jim, "Is there any danger in selecting both the security-only and the monthly rollup for scan and deploy and protect?" So Jim, we actually put a number of things in place in the patch for Windows platform that basically, if you have a patch group that approves both of those updates, it would make sure that only one of them gets applied. In most cases that's going to be a matter of the order of detection.
I'd have to ask what specific order that would happen in, I'll see if I can get an answer on that, but we do many things to protect against both of 'em delivered to a system simultaneously. What happens there, if you do install both, is you could blue screen the machine. In fact, it typically will blue screen the machine. So we take a lot of effort to make sure that we...when we do detection, we only detect one of the two, and when we do remediation, we only deploy one of the two. And even down at the execution level, making sure that if one of 'em was executed and another one somehow worked its way in, that it would block it from being installed. So I'll see if I can get an answer on the order of which those things would show up if you do happen to have both of 'em in there. All right, I think we're getting through a lot of these. There were a couple of audio issues at the start of there.
BlueBorne, question about that. "Does it affect the latest Bluetooth 4.0 spec?" So Mike, in the articles that I've read so far, it didn't go that deeply into it. My guess is, yes, it does, because even the latest devices are seeing that as being detected as vulnerable -- the updates being detected as vulnerable -- but they were not very clear on that. Now, does it potentially push for something more secure, like Wi-Fi Direct? Potentially. Bluetooth is one of those things that's so widely distributed throughout the world right now, though, that it's gonna be...it's like moving the Titanic. A slow course correction could take a long time. So while I'm not sure whether Bluetooth 4.0 specifically is vulnerable to these, yeah, I think that in general, moving a direction away from Bluetooth long-term, it's probably going to happen. So a few questions about the slides being available after the webinar.
Yes, they will be available on...you'll get a follow-up email, you'll be able to go to our Patch Tuesday page, and they'll be available there, and our webinars page there's a playback that also...Let's see here. ...So Ron had an issue with Windows 10 system in his environment that on build 10240, has not updated since 12/20/16. I gotta go and see what version that was again. ...Sorry, I'm trying to look this up real quick. Without seeing the specific release that was for that...Windows 10 build. ...Fifteen-oh-seven, yeah, that...so 1507 end-of-life was, I think...
Todd: ...Yeah, there are no patches published for 1507 anymore.
Chris: Yep, so that end-of-life was released on 2015...I'm just trying to think. Yeah, it's about that timeframe that that would have stopped, so you would want to move off of the 1507 build. Let's see if we can find a Windows 10 [inaudible 01:02:28].
Todd: Yeah, the last update was May 9, 2017.
Todd: For 1507.
Chris: ...On the lifecycle page there should be a section for Windows 10 builds. Version 17 -- okay, so that one's only going through the most recent. There's another page, I'd have to go and take a look for it, but there's one that goes into detail on each of the different versions of Windows 10. Okay, here it is -- end of support May 9, 2017. So that one, if yours stopped updating in December 2016, there might be something else going on there because it did continue through May 9, 2017. And we've got 1511 coming up here in October -- end-of-life there -- so if you've got 1511s out there, make sure that you're moving forward out there. And as this cadence keeps going, basically 18 months...Correct, Todd? Is that...
Todd: Yep, that's right.
Chris: ...the cadence now, 18?
Todd: Eighteen months window.
Chris: So if it released on August 2015 -- 18 months later, that's the end-of-life. April 2017, 18 months later, that will end-of-life. So that's the new cadence now is, every one of 'em will be 18 months exactly. So your 1507 build, definitely not getting updated after May, but why it stopped in December is a good question. All right, let's see, what else did we have for questions here, or are we fairly tapped out? ...All right. ...So Elgin [SP] had a question about the OS and .NET patches causing multiple reboots during patching. It's early to see reports from customers, but...See if I can get any answer from the team here on this.
Chris: All right, and I'll see if I can get an answer on that one here, but I hadn't heard anything yet, Elgin. Question from Steve about the phishing attempts involving FedEx. "The email claims that you have received an important package from FedEx, the email wants you to click on the tracking package link." I had not seen anything specific about that one in particular, so that...I don't know any details about that one yet. Let's see, we covered that, we covered that. I think we are pretty close, here. ...Okay, there is...Prashant [SP], your Chrome issue where it's getting applied multiple times on one device, that's one where, contact our support team. We would probably need to get into some specific details around the detection on that system. It's one of those cases where, if, for some reason, there is a way that Chrome could have had multiple versions installed, it could've shown up that way.
Why that would happen, I'm not really sure, but I haven't seen anything like that. I would say open a support case. We would have to get a scan log from that system -- a full scan log -- and be able to troubleshoot it that way. ...So another question from Joel, "Windows 10 Pro license -- no matter what they do at a GPO level, it seems to want to patch itself as well." So Joel, that's something that we have had reports from some customers. There were different things that have worked for some people versus others. One thing that Microsoft has kind of done is, making it very difficult for the Pro users to do much of anything to manage it, kind of forcing people up into that Enterprise agreement. We had a couple of customers who, in working with it, they had to do some things where, like, even the GPO getting pushed down didn't actually make the changes occur.
They had to physically change it at those systems to get it to actually take. I've heard various reports of that. No real, good, clean, solid answer that worked for each of those cases, though. So I would say next step would be, take a few of those systems, try to make those changes manually and see if it takes, and again, try to work through that. And I think even some of the responses back from people who have tried to contact Microsoft about it were, "Oh, on the Enterprise edition...or the Enterprise edition, you don't have to worry about that." So it's been kind of an unhelpful response there. So back to the OS and .NET simultaneously. I'm talking to one of our testers right now. He said that, "In their testing last night they did not see it." He does know that the OS rollups have definitely had some changes to reboot, but he's not thinking that .NET would cause an additional reboot to happen. "Larger OS rollups can definitely need multiple reboots, like the branch upgrades," but yeah, the .NET update, in conjunction with just a regular Windows monthly rollup should not have caused multiple reboots.
So depending on the circumstances there, those additional reboots may have been caused by something else. We'd have to probably see a few cases there and be able to dissect exactly what happened there to find out more. ...All right. Actually Josh had a link here that he sent over about, "Why WSUS and SCCM managed clients are reaching out to Microsoft online instead." So that link would be potentially a good one to take a look at, here. See if I can put that in the browser. And then I think we'll probably wrap there for this month. All right, so this might be a good article there to figure out, in the case of your Windows 10 Pro systems and why they're still reaching out. So actually, this looks like it's definitely one that I haven't seen before. So it's talking through a few different scenarios and what possibly might be causing it to happen. You might wanna take a look at these and see if that helps out.
My guess is that something, again, there is just kinda stuck, and even with the GPO trying to enforce, it's not taking. So I think that's where some customers manually during the registry keys, changes and things, would resolve it. This article might help you out with that issue, though. So take a look for that one. And I think for this month, then I think we've got all the questions that we had coming through answered for the most part. Thank you for joining us this month, and we'll talk to you again in October.
Todd: Thanks, everyone.