April Patch Tuesday

April 11, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Introduction

Chris: Good morning, everyone. My name is Chris Goettl and I'm joined here today by Todd Schell, and we're gonna be hosting this webinar for you today for the April Patch Tuesday webinar. With us today also is Erica, who supports us on getting everything set up here, and she also takes care of handling some of the questions that come up and also the content afterwards. Recordings of the webinar, the PowerPoint deck, and everything will be available as soon as we get all of that uploaded and ready to go. And also joining us is Brian, who is from our content team, and he will be on here, supporting us with answers for questions, which I already see some coming through, multiple people asking the same question there. So we definitely are gonna be getting answers on several of those issues that are causing you grief.

Overview

 
So let's go ahead and get started. All right, so we're gonna go through and do kind of just a quick overview of the updates that's released. We're gonna talk a little bit about what's in the news, what's coming out, some things to watch out for, some threats on the horizon, that sort of thing. And then we'll get into a bulletin by bulletin rundown of what released here in April, and then we'll have some time for some additional questions here at the end as well. 
 
All right, so this is taken from the content that we create on Patch Tuesday itself, just summarizing a lot of what released here yesterday. We've got Adobe had released a Flash Player update. That's definitely something you wanna be aware of. They had a few other updates that released yesterday as well, but the Adobe Flash is definitely the one that most people are focused on. Some of the others are updates that, you know, depending on how you're consuming their technologies, their other SaaS products or other solutions that are more middle-ware and other things like that. We've got Microsoft who has released 13 different kind of patch packages, bulletins that, you know, we still kind of group things together in a way where people can more easily kind of identify and find updates. So 13 different updates that we'll be talking about here. Ten of those were rated as critical. We also have three non-security updates that did release there. We'll make mention of those towards the end.

In the News and SamSam Ransomware Attack

 
All right, so first thing we're gonna talk about is some more recent kinda security news. Many of you have seen headlines about the attack that hit Atlanta. You know, one thing to take a look at it, this is not your typical run of the mill ransomware. So there's a few things to kind of note in here and just more of a fuel for the fire, making sure that you've got the ammo you need to go in and make the case for ensuring that things are patched, to make sure that you've got other security technologies beyond patching alone to make sure and secure your environment. But I just wanted to kind of talk a little bit about SamSam and not just that, but the group behind the SamSam attack, and how they are utilizing ransomware in some different ways than you typically see it. 
 
So ransomware obviously has been around for quite awhile here. A lot of times it was used kind of the fishy user, you ransom that to some and you hope to get a payout from a certain percentage of those. We saw last year, you know, ransomware taking a different turn, becoming more or less weaponized and being able to take advantage of SMB vulnerabilities in the WannaCry attack and later through some other variants like NotPetya. Those types of attacks took ransomware in a new direction where it became a mass disruptor. The amount of payout from those ransomware attacks didn't really change, total percentage wise, than other ransomware attacks previously. Some paid up, other ones didn't. But the way that it was used definitely had changed. The SamSam attack is, you know, another way of taking ransomware down, kind of, a new path. 
 
You've got everything from, you know, this is taking a much more thought out approach to using ransomware. The attackers behind it, though, are actually facilitating this type of attack. They're orchestrating it as it goes. They may, you know, kind of pre-infect several systems before they actually start to ransom them. When they do this, they're not necessarily using phishing as the way to get that attack into an environment. Maybe they'll use that for entry into there, but once they get in there, the SamSam platform allows them to exploit a variety of vulnerabilities. Also, it lets them use tools like Mimikatz to do password discovery, and guessing those weak passwords, being able to move laterally throughout an environment. Not only that, but these attackers are going to continue to facilitate the attack as it goes. 
 
They're pushing the attack along in different ways. They're adapting to and reacting to the ways that the target is responding. If they plug a vulnerability in one place, they'll try to attack a new vulnerability. If they lock down one system, they'll attack another or try to re-infect that system. So this is taking ransomware in a new direction and one that, you know, definitely shows the fact that there's things like ransomware as a service that just propagate out, you know, phishing scams and other things that are automated, hit a system, and then may not do much more. But there's also these types of threat actors who are using more of a platform of vulnerability attacks, other types of tools like password cracking to be able to take control of the network and persist much more effectively in there. 
 
Now, one thing, you know, to note here is these guys are also always on the lookout for low-hanging fruit. They're gonna attack things like Java because they know that a lot of companies struggle to update those types of updates. They're gonna take advantage of protocols like remote desktop and others like SMB and file transfer and other things like that to be able to move throughout that environment. So again, it's not just phishing scam, get on one system, ransom it, and hope that you get to several others in a campaign. This is, you know, kind of a new hybrid of an attack around ransomware that it warrants a number of different security measures and being able to respond more quickly to vulnerabilities as they come out. So that's the news that we wanted to cover for today. 

Known Issues and Vulnerabilities

 
We're gonna start to jump into some known issues. One thing that you will notice with the content that released today is that we have made some changes to the Ivanti content structure. So a couple of things that had already kind of been happening. There were, you know, with Microsoft changing how they had done, you know, patch rollouts, it had naturally gotten to the point where certain products, certain updates had already flattened out in our content. There were a few that still kind of lumped in several updates underneath a single bulletin and how we structured things. So we are taking steps here to try to bring consistency to that. If you look at these two articles, depending on which products you're on, they're very similar, but we'll kind of walk through and take a look at this.
 
If you're one of our Landesk customers, I'll use the Legacy brands here just so you know which product I'm talking about. You see that, you know, the way that the content is structured includes the, you know, MS for Microsoft, the year that it came out. That way you can find something very quickly there down to the month so you can pinpoint it even more. And then you get down to a product level so that you can identify things even further. We also are now going to follow that by the KB number. So for things like Office and Windows 10, you're going to actually see that instead of just one bulletin in our content, there would be multiple in each one of those that have the different KB article at the end of that. But the other ones for, like, the security only for Windows 7, let's say, this would pretty much be very little change from what it was last month. 
 
There was one bulletin, one KB. It always had just a single one. The only change we're making for consistency, though, is putting the KB article at the end of the bulletin, so they all have a similar look and feel. They all have similar searchability throughout our products. Just bringing you more consistency along those lines. So that's one change that you will see. Now there's some good and some bad with that. One of the things that is less ideal is when you look at that, it does end up looking that there were a lot more things released for that. Office is one that, you know, as that explodes you kind of see it a lot more pronounced there. Office always had a tremendously large number of KB articles each month that would come out for the Office Suites, for the individual products. Depending on what you have there, there were a lot of individually packaged updates that applied. Where, again, you know, like this one would be the security-only for Windows 7, there's only one. Last month, there was only one. That's because that product was already kind of flattened there. 
 
Windows 10 is the other one that was a little bit more prominently pronounced. You see here that there's right now five different Windows 10 different packages that need to be, you know, identify whether you're going through more of an approval process and you need to choose which ones you wanna approve individually or, you know, however you're doing that in your particular configuration. So that's the content change that we just made. We are looking at, you know, some additional feature content changes as well for Office. Many of you who are on Office 365, you also know about the fact that they've got several kind of release branches similar to what Windows 10 does. So we are working on a strategy to make that easier to identify which branch were you on, make it easier to kind of approve and update those as well. So that will be coming down the road here once we've, you know, kind of confirmed that our strategy there will work. 
 
So that's one change that you will notice this month. And again, it's gonna make it so that in products, you still have the organizational capability to find something more humanly, you know, discernible. I know that this came out in 2018, it's a Microsoft update. It came out in April and it's for the product Office. I know that this one is 2018 April, and it's this security-only for Windows 7. So each of those things, once you get familiar with how restructuring this, make it easier to manage this content, find what you need, approve just the things you want, and do some more cleanly. 
 
So that's what we've done there for a change. We just wanted to point that out. But there's KB articles that explain that structure and mapping. These are updated as we modify our content to react to different changes. You can see here things like the .NET updates as well. They had already kind of moved to this more flattened approach because of technical issues. We had to break those down, you know, several months back to do that as well. So this article for each of the products you've got, again, one for the Landesk, one for the Legacy Shavlik products. Each of those have been updated to reflect those new changes. So that's more just so you guys are aware of that. 
 
All right, moving on here. Other known issues, things to be aware of. Windows 10 branch support. Microsoft had recently changed their end of service, so we wanted to make sure and identify or point out a few things that were coming up. For 1607, anybody on the 1607 branch yet, this month was the last security set of updates for Professional and Home editions. Now on their website, I'll point this out in just a second as well. The link goes to their life cycle page. They do have an extension here for an additional six months if you're on Education or Enterprise. So version 1511 just had its final update that turned off for all supported editions there.
 
Let's go over to the actual page here on Microsoft's site. They do a pretty nice job of laying this out for you. You see here, the asterisks, though, they are note down here that Enterprise and Education editions get that extra six months. So, again, the 10th yesterday, the Windows 10 1607 End of Life, the 1511 End of Life back in October. The extension for that, six months after that, would've been the April date here. So if you were on 1511 yet, even for the Education and Enterprise edition, that is now coming to an end of service. So make sure that you know what branches you're running on, make sure that you're getting up to at least 1703 to 1709 as effectively as possible so you don't get left without security updates here for a period of time. 
 
All right. Microsoft had a number of out-of-band releases last month that we wanted to point out here. There was a security update for Windows Server 2008. This bulletin released after the March Patch Tuesday in early April here. It fixed three vulnerabilities. There was an additional update for IE on March 23rd that resolved seven additional vulnerabilities. There was this Windows kernel update. This was for Windows 7 and 2008 R2 x64 editions. This was a public disclosure. So for those of you who remember this coming up a couple of weeks back, I actually have the article for that one up here. Let's take a look at that one. Oop, I'm on the other way. WebEx is trying to be helpful and pop up their little menu there, but now I can't get to mine. There we go.
 
So that Kernel Elevation of Privilege Vulnerability, they're basically in January, so they go back here and talk about any of x64 systems, Windows 7 or 2008 R2, that were updated from January on were exposed to this vulnerability. What it allowed was it basically opened up read and write access to RAM on these systems, exposing an elevation of privilege vulnerability that allowed an attacker to basically run arbitrary code in kernel mode. So attacker could pretty much do whatever they wanted to on that system with full rights. So this came out mid month. Originally they thought it was, you know, less exposed, but then they made an additional update that pointed out the fact that it went all the way back to January. So the KBs 4100480, you wanna make sure that that was deployed out to these Windows 7 and 2008 R2 x64 systems.
 
One thing that I had not seen in the notes as of yesterday, and we'll try to confirm if they've done any changes since then, but I don't think they have. This was not called out specifically in the Windows 7 or 2008 R2 in release notes, saying that it was included in this month's security only or monthly roll-ups. So in a case where you're using our products to scan and deploy systems, if you see both this and the monthly update available, push both out, make sure that you've got this plugged on those systems. Because if somebody were to start taking advantage of this, it would be an easy elevation of privilege and they wouldn't be able to control that system no matter what user privileges they compromised on it.
 
All right. Let's see here. We've got... There were a couple of known issues and a few of these that you guys are already asking questions about. So let me kind of hit on a couple of these real quick before we get too far in. So many of you experienced the NIC issue that happened previously here where basically on certain VMware systems, the updates that were applied ended up putting basically a generic NIC card, a NIC card with a basic configuration on there that basically collided with the existing NIC card that you would have had on there. This made it so that that system, you would have had to remove the NIC card and readd it to resolve the issue. They put out a patch for that, 4099950. Again, they did not document that this was included in this month's update. There was some kind of conflicting notes on their page for mark as well. So Brian, you were looking into this just now. Do you wanna talk through what you've found real quick here to make sure that I understand this correctly? 
 
Brian: Chris, could you repeat yourself? Sorry, I was answering a question.
 
Chris: Oh, not a problem. So Brian, the NIC VMware, NIC card issue, you were just testing that out. Do you wanna confirm what you know right now? 
 
Brian: Yeah, I had some end points where I just had only that roll up installed, and then I was just kind of manually installing the securities that release the NIC fix. And then there was one that was blue screen machines. I mainly saw it, and there was still passing the verification desk to offer it further, and I believe it was successfully installed. But I do believe that the roll up should include it as it's not listed in the known issues. But if you want to be more safe than sorry, it may be worth installing those piecemeal, non-security, even if you have the most recent non-security installed. 
 
Chris: Okay. Yeah. So for all of you who are asking questions about those two particular issues, whether it's the V NIC issue or the blue screening issues on those systems, that's to just include both of those non-security updates as well. Brian's testing confirms that if they are required to that system, it won't conflict with the roll-up being applied as well. The roll-up itself does not document or say that it included those, so it's better to just lump these two non-securities in and make sure that you've got the issues completely resolved. 
 
All right. So Steve had another question here saying that Microsoft recommended 4099950 be installed prior to the cumulative. What if they were already installed before that non-security was released? So Brian, again, you haven't noticed any issues if they're installed in another order?
 
Brian: Nope, I haven't noticed that issue. I just believe the main reason they suggested due to reboot, like you'll have to reboot it otherwise. And I know Jay Harbor in Q&A also confirmed that it fixed it. Jay, if you do hear this, if you could confirm whether you've installed before or after, that'd be great. 
 
Chris: Got it. Can confirm fixed for these SBMs we have. Okay. So Jay, if you remember the order you did that in, but otherwise it sounds like several people have confirmed that those fixes, if you do, best to just do them both, do the non-securities and the monthly roll-up. All right, going on to the next page here. We've got a couple other things here that we're going to note. Many of you, you know, in the earlier webinars this year so far, we had a lot of conversations around Meltdown and Spectre. You know, there were these registry keys that had to be put in place on systems to be able to apply the security updates going forward. Because many of the AV vendors out there were interacting with the kernel in ways that ended up resulting in a blue screen scenario after the Meltdown and Spectre mitigation updates were applied.
 
Microsoft has since removed, last month they removed that registry key from Windows 10 systems and Server 2016. This month they have removed it from the rest of the patches that they have, so they're no longer using that registry key at a patch level. Now if, depending on where you're looking on the Microsoft website, there are notes out there saying that there are some edge cases yet. This is something that they're checking through Windows update and looking for these specific cases where they're still a little bit concerned. That's the only place where they're still looking for that AV key. 
 
So that is not at a patch level anymore for, I think, by the way that they've worded this in other areas, it sounds like there's some home user scenarios, where that could still be problematic. But for the most part, that registry key is no longer required. So any of you who were having issues with that, that's no longer being utilized. So that's good news for all of us. It simplifies things a little bit more. 
 
One other thing that's released this month, Visual Studio 2010 through 2017 has released a security update this month. It does not see security updates very often. This one is not available through the Windows Catalog. They have it as a...you have to go and download the fix individually in those cases. We have added this to our content so we can deploy it out automatically through our product. We'll talk about it towards the end here. We do have a slide on that that we'll talk about. But we've got support for those Visual Studio updates, along with some XP Embedded updates that released as well. So for those of you still running on XP Embedded, you know, those updates are available as well. 
 
The last item here that we'll talk about real quick is Oracle. Oracle is releasing their quarterly Critical Patch Update. But because of the cadence that they're on, it's actually coming out next week. So if you see here, April, July, October, January, that's the release cadence for the next four quarterly cycles for them. Again, if you look at the SamSam attack, and it sounds like actually Jay commented on here as well, that he has a friend that works for the City of Atlanta and his friend is saying that it's been a very unprecedented event for him. The nature of this attack, it's not like typical ransomware that many of you have seen before. This is ransomware with a persisting attacker and a spectrum of ability to move throughout an environment. So it's more like an advanced persistent threat, but one where you don't find out about it at the very end where they actual trade data. You find out about it all throughout is the ransoming machines. 
 
So things like the Java Runtime are definitely being targeted by SamSam. They're still often being used. Vulnerabilities on Java are being used by threat actors in breach scenarios. Many Java instances that are outdated are utilized in an advanced, persistent threat type scenario. So it's one of those where make sure that people understand these products do need to be updated. If they can't be updated for one reason or another, you need to make sure that you've either got a plan to phase out whatever platform that is, that it's not being able to be upgraded on. Wrap additional security around it, whether it's moving into a virtual environment, segregating it from any direct internet connectivity. 
 
You know, I believe that note that I saw about the SamSam attack, there were public-facing instances of web services that had out-of-date Java components. Those were some of the entry points for some of the departments throughout Atlanta. It's a very real threat, low-hanging fruit for an attacker. The Oracle release is next week Tuesday, because the way they basically take the closest to the 17th each month, which this month happens to be a Tuesday. So next week Tuesday, Oracle is releasing their updates. 
 
All right. Let's see. Going back to my deck, we do have one public disclosure released in yesterday's patch release. Everything we've talked about up until now were things that came up between Patch Tuesdays, a lot of out-of-band things this last month. There was one public disclosure that came out yesterday in the release that came out. This is for SharePoint. It's an elevation of privilege vulnerability. So just to, you know, for those of you who might be new to the webinar, public disclosures, just to talk about that for a second. A public disclosure means that enough information has been released to the public that makes it so a threat actor has a jumpstart on creating an exploit.
 
This is not saying that an exploit is actively being used at this time, but there's enough information out there, potentially even proof of concept code that's publicly available. And it definitely puts this as a higher risk level than other CVEs that may have been resolved this month. So one thing that we do is, in some of the content that we provide, we may prioritize updates like this a little bit higher than normal because of the additional risks that may be involved. That's something that we put some additional risk level on. 
 
In this case, this one is on SharePoint. It's an elevation of privilege exploit. Basically an attacker can, they have to be authenticated, which makes it a little bit more complex for the attacker to do this, but they could exploit the vulnerability by sending a specially crafted request to the affected SharePoint server, and at that point then they would be able to elevate their privilege level and be able to do much more on that system than they should have been able to do. So that's the vulnerability in this case. That was the only vulnerability on SharePoint this month, I believe. All right. Todd?
 
Todd: I'm here, Chris. You've been doing a good job. 

Bulletins

 
Chris: All right, well, let's switch over and start talking about each of the individual bulletins here. Why don't you get us started with that? 
 
Todd: Okay, sure. Let's start with the biggest one as usual, is Windows 10, of course. This month, they fixed the vulnerabilities across the various versions of Windows 10, as well as Server 2016, IE11, and Microsoft Edge. A number of KBs came out this month. There were five of them. As Chris mentioned, we're going to include the KB articles in conjunction with the bulletin titles that we've created here at the top of the screen. I'm not gonna go through and itemize them as part of my regular slides, but you will see those when you take a look at our actual created content.
 
As Chris mentioned, the important thing for this month, the actual final update for Windows 10, 1511 went out yesterday. That was for the Enterprise and Education editions, which are under the extended servicing offer. So you will not see next month an update for Windows 10 1511. Like Chris said, it's now totally at end of life there. And as we roll over with 1607, we will only see updates for Enterprise and Education versions starting next month as well. So just keep that in mind for Windows 10.
 
Next slide, Chris. There is one issue that's still nagging. It's been around, if you've been on our webinars for the last couple of months, this one's been actually out there for like three months now. It gives a failed install error message, even though it has successfully installed. So just be aware of this. Microsoft keeps saying that they're working on a resolution, but they haven't shown one yet. It is only for Windows 10 version 1709, so be aware of that as well. 
 
Next one up is Internet Explorer, a number of updates here for Explorer 9, 10, and 11. There are a number of KB articles for individual updates, as well as the cumulative update for these browsers. This particular month they fixed 13 vulnerabilities. These revolve around remote code execution and information disclosure. There are no known issues with applying these updates, so it's good to hear that they're not having any problems with this. Again, this is rated as critical because of the remote code execution. 
 
Next slide, Chris. Moving on, Chris mentioned that there were updates for Adobe Flash Player. This particular one was released by Microsoft itself, included the information here, kind of applies across all versions of the operating systems as shown here. It allows for remote code execution. They did fix six vulnerabilities. Basically this is the repackaging of, you know, the Adobe Flash Player fix that's released by Adobe, which is shown here on the next slide. Chris, if you want to advance that one. This is the actual Adobe Flash Player release. I've included that here, just kind of in conjunction with the Microsoft one. This was APSB18-08, so there are eight releases for the month. Once again, same six vulnerabilities. In the information here, it does show that this does update older versions of Flash Player 29.0.0.113 and earlier. So just be aware of that. And like I said, it's available from Adobe and as a pass on or a version from Microsoft as well. 
 
Chris: Yeah. So one thing to always note about Adobe Flash is, depending on the system that's got Flash on it, it may have multiple instances of Flash that need to be updated. So there's, I believe if I recall correctly, there's about 11 different ways that Flash Player can be packaged up through plugins that can be installed on a system for different browsers, IE, Chrome, Mozilla, embedded in the browsers. There's different ways that they may package and deliver it in their browser and then update through there. So if you'd take the Chrome kind of packaged version, they would be updating it through that way, the kind of the desktop edition which has installed outside of the browsers. 
 
So I've had systems in the past where I've had upwards of four different Flash updates that had to be applied each month because of the different ways that I had Flash installed on there. So if you do see multiple instances of a Flash patch, that is why, it's because you're getting the IE plugin or the Chrome plug in or the desktop installed version the different ways that it can be installed there. 
 
Todd: Yeah, one thing to add there too, Chris, keep in mind separation here. The Adobe version includes updates for things beyond Windows. So it does include the Mac, Linux and, you know, Chrome operating system upgrades as well. So, as usual, we have an update for Windows Server 2008. Number of bulletins this month with regards to this, there were six different KB articles. You can see the list of updates include the JET Database Engine, Adobe Type Manager, Font Driver, Font Library. There is a Windows Kernel update this month as well, RDP and SNMP Service. So a number of different services and functions in the operating system were updated.
 
It did fix 19 vulnerabilities listed here, and you'll see that these vulnerabilities plus a number of others are updated across the following operating systems as well, or no known updates with Server 2008. Actually, Microsoft's done a good job this month of cleaning up a lot of the known issues that kind of revolved around the patches that they had been releasing. So you'll see that on the next slide. 
 
Move on to Windows 7 there, Chris. So for the monthly roll-up for Windows 7, for those of you who are new to the webinar, Microsoft does release two different types of updates for the Legacy operating systems. There's what they call the monthly roll-up starting back in October of 2016. They started combining all the updates for the operating system into one, what they called the monthly roll-up, so that if you apply this monthly roll-up, you're basically getting all the patches for the operating system for the last year and a half now. So big patch, just be aware of that. 
 
As Chris said, it's covered by a single KB article, in this case it's 4093118, as I've listed here. It does include both all the security vulnerabilities that have come out this month and previous months, as well as all the IE vulnerabilities that are fixed from that previous slide that I showed. So you can see there are a total of this month of 33 vulnerabilities that would be fixed, for example, for Windows 7 under this monthly roll-up, so just be aware of that. 
 
On the next slide, they also continue to release what they call the security-only updates, and essentially what these are all the security updates for the previous month. So these are everything that came out between last Patch Tuesday and yesterday, and includes, again, addresses those 20 vulnerabilities that I've listed here, but these are only the security updates for this particular month. So if you are applying security-only updates, you need to apply, you know, regularly every month to get the latest update because this only includes, like I said, what's been released in the previous month. So in this case we have all the Windows 7 and Server 2002 R2 updates.
 
You can see on this on the next slide, Chris, for Windows 7 this month, there are a couple of known issues. These ones, these have both been around for a while as well. Last month they reported that there is a memory leak with SMB servers. Microsoft is continuing to investigate this. We do not know of a workaround at this point. I had gotten several requests during the past month if anything was out on that, so we don't have any additional information. They also have an issue with SSE2, the streaming, single instructions, multiple data extensions. There's also an issue with that right now that they're working on as well. So be aware of that. And this applies for both the monthly updates, our monthly roll-ups, I'm sorry, as well as the security-only issues, so just be aware of that as well. 
 
There was a monthly roll-up this month, of course, for Server 2012. The monthly roll-up, again, like I said, includes the IE fixes as well. There were 21 vulnerabilities addressed, and it does include the 13 IE vulnerabilities as well. Again, no reported issues with this. So there is a monthly roll-up. The next slide shows the security-only Patches for Server 2012. Again, a number of components have been addressed as a result of these patches that came out in the past month, including the Scripting Engine, Graphics Component, Windows Kernel, Data Center Networking, Windows Application Platform and Framework as well. These are bundled together under a single KB. 
 
So like I said earlier, there's both KB for the monthly roll-up and there's also a separate KB for the security-only update. So you can take a look at each one of those individually. Again, no reported issues this month with that particular security-only patch. Monthly roll-up for Windows 8.1 and Server 2012 R2, as I mentioned, every month the reason that these are grouped together under a single KB is because the Windows 8.1 operating system, as well as the server 2012 R2 operating system use the same kernel. 
 
So the patching methodology that Microsoft uses applies to both of those operating systems, and that's the reason that we lump them together, as well as Microsoft does under a single KB article. So you can see here, in this case, for the monthly roll-up, it's 4093114, addressing 23 different vulnerabilities. So they're expanding upon that list from the previous operating systems a few more vulnerabilities they fixed for this particular one, like I said, Windows 8.1, Server 2012 R2. 
 
Again, no known issues. Rated critical because there is the possibility of remote code execution. Also, some of these vulnerabilities allow for denial of service, elevation of privilege and information disclosure. And if you ever wanna go through and read about each one of these individually, you can see where this information comes from by clicking on or opening up the appropriate bulletins, for each one of those. 
 
Chris: Yeah. So, you know, one thing I often do is go through and look at several of the CVEs that came out and see how bad some of these are. If you look at the critical CVEs that came out for both the OS and for the browsers this month, there were a number of critical vulnerabilities in there. For the operating system, there was two critical kernel vulnerabilities that have been resolved. There were also some graphic and font type critical vulnerabilities that were being resolved. 
 
So the Font type and the Graphics Driver vulnerability specifically can be used in a user targeted attack. So an attacker could basically craft a file or a website, send that to a user through a phishing scam or other type of method like that and be able to exploit those vulnerabilities. So that's why the OS updates were rated as critical this month. That's definitely a reason to wanna focus on and get those results.
 
For the browsers, IE and Edge, there were multiple scripting engine vulnerabilities that were rated as critical. Each of those could be exploited in a user targeted scenario. So whether the attacker is... Basically they have the ability to craft a website or web content and be able to entice the user to it, and with that, being able to compromise that system. So, the OS and IE updates this month definitely have enough critical updates, or enough critical vulnerabilities being resolved to warrant some attention. You don't wanna leave those out for very long. 
 
Todd: The past three months, we've had just a few that were rated important for the security-only or as the roll-ups because the IE vulnerabilities pushed them over the top to become a critical. And here's the security-only updates for those. Again, here I have itemized some of the additional fixes. Like Chris said, we had a Windows Kernel Update. You can see that there was a Hyper-V update in here, some virtualization as well. So these definitely warrant your attention as a critical update for the security-only this month. 
 
Next one, Chris. Moving on to Microsoft Office. Number of updates for Office this month, specifically the Office Suite itself, 2007 through 2016, there was an update this month for Office 2016 for Mac and there were individually updates for Excel and Word basically all versions, all the way back to 2007 through the current one, 2016. As Chris said earlier and he was showing you on the screen there in the Windows product, there are a lot of KB articles usually associated with Office, which is one of the reasons that we've broken them out individually. 
 
This particular month, there were 22 of them, plus, you know, there's a separate release note section for Mac as well. So, you know, like I said, a number of individual patches will show up as bulletins this month, 22 of them to be exact. There were 10 different vulnerabilities fixed. Because of the way these were rated by Microsoft, they are only important, so just be aware of that. 
 
Chris: So one thing to note is, our content team was wrapped up last night, and then Office 365 updates still had not released. That released late last night, early in the morning. And our content team is working on those Office 365 updates today, and we'll be releasing as soon as they're available. 
 
Todd: Yup, I think it was on the next slide, Chris. Maybe. Did you keep it in there?
 
Chris: Yep, we did.
 
Todd: We did keep it in there. 
 
Chris: Sorry. 
 
Todd: Even though they hadn't been released, we kept the slide in there. No problem. 
 
Chris: Just to note on this, they'll be coming out later today. So if you are looking for the Office 365, it's coming. 
 
Todd: Yep. Thanks, Chris. Yeah, there were only four vulnerabilities associated here. They were with Excel 2016 and the Office Suite 2016. By the way, that link that's in there to the TechNet article, that's a good one to keep on hand if you're looking for what in particular is being updated with your Office 365 click-to-run updates. So just be aware of that. You can go in and search and sort, looking for kind of what Microsoft has released and what are the effects. It's a good one to keep on hand. 
 
Next slide. Chris had mentioned that, you know, there was a security update for Visual Studio this month. It does affect basically all releases from 2010 through 2017. It fixes a single vulnerability. In our testing we did come across an issue with the 2013 patch in particular. It appears to hang when there's not an active desktop session. So that's what showed up in our individual testing. You won't see that on the Microsoft site. Microsoft has not yet released the patch for Visual Studio 2012. 
 
They have a KB out there for it, but we're keeping an eye out, and we'll release our content for that patch as soon as we hear from Microsoft. So just be aware, that one's not yet available. And like Chris said, these will not be available through WSS. You have to individually download those and apply them to your development systems running Visual Studio. 
 
Chris mentioned SharePoint server this month. There were updates for basically all releases of SharePoint server. Four different KB articles. It fixes five different vulnerabilities. As the one Chris talked about earlier, the CVE 2018 1034, this was the one that was publicly disclosed and could be exploited, you know, using that information. So just be aware of that. Rated important this month. Chris, you wanna move on? We can talk on the non-security updates or... 
 
Chris: So yeah, just to give everybody a heads up, there were three other updates that released in our content yesterday. These were Bandicut, TortoiseHG, and Tomcat. These three were not security related. So again, they are here just as a reference to let you know that those were in there, but they were not of a security nature. One thing to keep in mind is not all vendors track vulnerabilities the same way. So, you know, the one thing you don't wanna do is you don't wanna ignore updates from products like this on your network for very long throughout there. We've seen, you know, products like Notepad++ or a lot of more obscure third-party applications that are not everywhere in your environment do have vulnerabilities from time to time. 
 
So, even though the latest update did not have any vulnerabilities in it, somewhere throughout the history of that product, there would've been updates or could have been a vulnerability resolved, that it's a little bit harder to see those risks. So it's not a bad idea to try to clean some of those non-Microsoft products that are not typically up in the headlines, get those updated from time to time. But again, these three did not have any direct security vulnerabilities identified or resolved in them. So we're just letting you know what those were. 
 
We do talk a little bit about what happens between Patch Tuesdays. You can see here there's a number of updates that come out that, you know, you just wanna be aware of. You know, you can see here, there's both security and non-security related. The ones that we specifically have vulnerability data on, iTunes fixed 20 vulnerabilities in their latest update. Firefox resolved one in the 59.0.2 and in their ESR 52.7.3. Apple iCloud did update and resolved 20 vulnerabilities as well, and Thunderbird resolved six in their release that they had. 
 
So those are just, you know, so things to be aware of. Those are third-party applications that released outside of, you know, Patch Tuesday events specifically. But they're ones that you wanna make sure to keep an eye on, get those results because they are additional vulnerability structure environment. 

Interchange

 
Just to note, we do have our Interchange event coming up here in May. This is gonna be at the Hilton Anatole in Dallas. This show includes things like bootcamp tracks, different technical tracks for our product lines, direct access to experts for all of our different solutions, including Todd and I will both be there as well. And you can still take advantage of a promo code here to save an additional $100 off the registration. But the early bird pricing did just close on last week. So that's something to be aware of. Take a look at that. 
 
There will be doing things like product roadmap updates, you know, product demonstrations of new releases coming your way, that sort of thing. So you could take a look at that and get a lot of that information at the show along with getting access to get hands-on with other products you haven't played around with, or talk to product managers, engineers, SCs, with a variety of the product experts at the show. 
 

Q&A


All right, getting into some of the questions. Brian has been doing an awesome job with responding, and Erica, both, have been doing a great job of responding to a lot of these as we've gone through. Let's go through and try to see if we can find any more that we need to respond to here. Let's see here. For patch 410...is that included on the monthly roll-out? So here, there was a question from Steven. "Did KB 4100480 get included in the monthly roll-up?" See. 
 
So yeah, this was that kernel updates. From what we know, they did not specifically document that this was included in the roll-up. So what we're recommending at this point is approve this patch along with the April security-only or monthly roll-up and push both out the systems if they're detected. Just make sure that it's better to be safe than sorry on this. It's only for the x64 editions of Windows 7 and 2008 R2. But because of lack of Microsoft documenting that, it's better to make sure that that patch is in place because of the nature of that elevation of privilege attack.
 
The next question was from Alice Kerr [SP]. "There was an issue of WiFi disabled due to mark patch." Okay, so that was, yup, the network card issue that I think we've talked about. It has affected, you know, any of the virtual systems that NIC was affected on, also that blue screening of Windows 7 systems. Both of those, we're recommending approving and pushing those two non-security updates along with this month's updates to make sure that those get in place. 
 
Let's see here. Somebody who had a question about the out-of-band IE patch, again, to see the KB number on that. Let me go back up and see if I had that in the slide deck. Nope. Give me a second here. Too many monitors, here we go. I'm going back up to the top. That was KB 4096040. That should answer your question there. It looks like many of the same NIC questions that we already answered. 
 
Andrew had a question about specific to the SamSam attack we talked about and Java in there. His question was, "Does this also affect products such as Cisco ASCM, Humboldt?" You know, in those cases, if those products do not allow you to update the JRE, if you're locked into a specific version, you are potentially exposed on those systems. So I would say for each product that integrates with Java in your environment, you do want to, you know, make sure that the Java run-time is able to be updated on those. 
 
That's one of the things that I strongly recommend any product you take a look at it, if it's using Java, talk to them about their forward compatibility. Can you keep updating it? If there is an issue that happens with it in the future, how quickly do they respond to it?" So Andrew, in that case, I would assume that those two products are potentially vulnerable to it. Make sure to scan those systems with either a vulnerability assessment tool or one of our patch solutions. If Java is detected as outdated, it is potentially exposed to that type of attack. The way an attack like SamSam is exploiting a system, it doesn't matter what Java is wrapped in. If Java is there and accessible, it could be utilized. Let's see.
 
Todd: Chris, there was a comment made about auto update and the fact that we did not disable auto update for some things. You might wanna talk about that because we're looking at making a change here. 
 
Chris: Yeah. Actually, so this is one where we've kind of had mixed feedback over the years. You know, there was, as people started to, you know, really focused on supporting third-party applications, there were a lot of companies that preferred to keep auto updaters on and, you know, push the patches out more centrally. And, you know, a lot of that came down to, well, what if the users off network? What if they choose to update that before we get around to our next patch cycle? So different reasons like that, we had kept it, you know, basically the setting that was on there for the most part would be each update should have honored that. 
 
But if you had the auto updater on, we had tools in many of our products to be able to turn those off. We are going to take a more active approach in turning off the auto updaters. Brian, do we...Todd, when are we going to be pushing that out? Are we doing that with Java next week or did we start with Flash this week? 
 
Todd: Brian, do you know if there any changes made this week? We are going to do that with Java next week for sure, but I don't know whether there was any changes made with Flash this week. Brian, do you know offhand? 
 
Brian: Yeah, there were no major changes done for this release. We are definitely looking to get that out, but we just want to get these securities out as fast as possible. 
 
Chris: Okay. So yup, watch for that. That'll be changing in the near future here. For those of you on the patch for Windows products, you can use...we've got some of the scripts that we have in there can disable the auto updaters on systems. And for those of you on the EPM platform, you can definitely go and configure that as well. But in the future here, we are looking to shift towards disabling those auto updaters. So that's a change that we'll be making here in the near future as well. 
 
There actually had been a couple of mentions of a desktop wireless issue. So wireless NIC non-virtual trying to... So Joey had this question. "Following patching in April, wireless NICs non-virtual were disabled or removed? We also had instances of standard non-virtual, non-wireless NICs being completely removed, disabled as well." Yeah. Anybody else who might be seeing those issues? And Brian, I don't know if we haven't seen anything like that in our internal testing. All of our systems remained, you know, network cards were still working fine after that, right? 
 
Brian: Yup, that's correct. 
 
Chris: Okay. And I applied my Windows 10 updates this morning and did not see any issues with my wireless NIC there. So yeah, Joey, that's one where I did not see anything in a confirmed known issue that Microsoft has. One thing you can do is, if you're not already a member on it, you can go to patchmanagement.org. Those guys tend to get a pretty good handle on issues like that. This could be an edge case where something is not hitting the bulk of environments out there, but it could be, you know, a smaller percentage of people in certain environments are running into issues there. 
 
Oftentimes patchmanagement.org will be the first place where I'll see hints of those types of cases come up. So that may be a place to go take a look at or even ask the question of. There's a very strong community of practitioners. They're not any one vendor, you know, a customer as well. There's Microsoft people using just the Microsoft products, Ivanti customers, some of our competitors as well. That is a community focused on allowing you guys, the operations people who are dealing with these things day-to-day, to share issues and support each other there. So that might be a good place to ask that question and see if anybody else has seen it out there. I haven't seen anything else on that yet, though. 
 
Todd: Chris, Julie had a question. She was asking if we've seen any inconsistent application of Office 365 updates via SCCM. I have not. We have not had any reports from our customer base of anybody talking about that. So not sure if it's maybe an environmental issue for her or something else. 
 
Chris: Yeah. So Julie, on the SCCM side, our customers, you probably included, they are more focused on our third-party catalog for that one. So we don't hear about Microsoft-specific issues on the SCCM side. So that one might be, again, another one to ask about in the patchmanagement.org community. Those guys may have...some people out there may have seen similar there. 
 
So Hade [SP] had a question about the promo code. Let me go back down to the Interchange promo code here real quick. I'll bring that up. INT18WEB100, that's the promo code to use for the registration on that. That'll get you $100 off the price there. All right, let's see how we're doing on other questions here. I think I got all the ones on the chat side. Let's see. Why are you doing that? Sorry, I'm trying to copy and paste out of the chat window, and it doesn't seem to want to let me do anything but use all the text instead of just grabbing the one piece that I wanted. So bear with me for a second. I'm gonna pull up a KB that somebody is asking me a question about. 
 
All right, so Michael had a question. "Known issue with NICs being created and static IP addresses being removed with March updates." I was curious if this was the... May replace the previous. So that was that case that we talked about there, one of the two known issues that we have mentioned already. So make sure to apply that non-security update, this bulletin here, and then the static IP addresses, that same bulletin fixes that one. So Michael, I think that's the...so 4099950, that's your fix for those known issues. 
 
Let's see. So Bill had a question. He's on the Endpoint Manager 96 SP3, and will add patch Office 365 Pro. So Bill, the integration there does allow you to patch Office 365 as well. There is a KB article on the Ivanti community that talks about how to configure Office 365. So by default, when you push updates to Office 365 from our catalog, it's basically going to check in with the main branch, the one that keeps up-to-date with where Microsoft is more of a tip of what they're doing. 
 
If you are on one of the other branches for Office 365, it also talks about how to configure that properly within your environment. So if you keep on one of the older branches, you just need to make sure that's configured in your environment, and each of your systems know how to point to that, and the update will trigger from what updates you've applied to your specific branch. But yes, Office 365 should be supported. I don't know of a reason why 96 SP3 would not. But if you're having concerns with that, it might be a good reason to call the support team and confirm with them as I haven't heard of a specific issue there. 
 
All right. So Kenny had a concern with... So in January there was the 1709 updates that broke the ability to update systems properly. He's still having problems even with the March update, that's still failing. So Kenny, I would say check with the support team on that. Actually, Brian, it looks like you were getting a fix to him in the chat window. All right. But yeah, if you still have troubles with that as well, contact the support team and get a case open. I thought that the rolling back and then reapplying after that was resolving the issues for people. If you're still having troubles with it, they may have to look into it further. 
 
All right. Looks like that one was answered. So Jeff had a question. "Can all content now be found on the Ivanti site or should we still use Shavlik in our search terms on Google?" So Jeff, you know, while the Landesk and Shavlik products, I'm gonna use the Legacy brands here just to help people understand the difference there. While those two products are utilizing the same engine, if you look at like these two articles are talking about the same type of content, but there's slight differences to how that content is structured. 
 
In here, you've got this _INTL. In some cases there are some subtle differences to how the two products have implemented. So for the most part, you may see very similar articles between the Shavlik community and the Ivanti community, which is the Landesk product. So in those cases you should get down to the product specific posts for that. While we try to make things as consistent as possible across the products because of, you know, the user experiences around everything, the way that things are done, there will be variations even if they're only slight. So it is best to get down to either the Shavlik or the Ivanti community specifically for the product that you're on. 
 
And as we go forward, you know, for those of you from the heat side, we will be transitioning over and consolidating again to get everybody on the same catalog and engine. That way we can at least say everybody got the latest content. While that content may look a little bit differently, while the products may behave a little bit differently, we wanna get to the point where there's this much similarity as possible. So that's one reason why I would still suggest, make sure to go to the product, community of your specific product, just to make sure you don't get one of those variations and get confused. All right, that question was answered.
 
Todd: Chris, there were a couple of customers who reported in that even though they applied the monthly roll-up this month they're still having the NIC issue. So that patch should be applied separately is what we're recommending right now based on what Brian is saying. 
 
Chris: Got it, yep, yeah. So that kind of confirms again, but make sure to do those non-security updates, which specifically, you're talking about 4099950 and 4099467. Those are those two non-security updates that will resolve the NIC issue and the blue screens on Windows 7 systems. All right, I think we've gotten to most of the other questions. So a question came in from Jeff again, the KBs that we just talked about, those are classified as non-security. So your template is probably configured to the point where you're not seeing the non-security updates. 
 
If you do need a little bit of help with configuring that to make sure you got it right before you roll it out to the environment, contact the support guys. They should be able to help take a look at your configuration and make sure it's set right to include those two patches. Again, more with some of the NIC updates there. All right, I think we've answered the majority of the questions out there. Did Windows 10 update include the IE patches? Yes, those were included there. That one's answered, answered. 
 
Todd: Includes IE 11.
 
Chris: Right.
 
Todd: Yep.
 
Chris: All right, everybody, I think, if we did miss one, I apologize. There were a lot of questions in there, but I think we have... Oh, actually here's one more that came in. You definitely only want to apply either the monthly roll-up or the security-only bundle. You know, in a case like that, you can do both. It's not gonna hurt anything but the monthly roll-up includes the security-only bundle. So you're really just duplicating data across the wire on that. So if you're doing the monthly roll-up, that's all you need to approve. All of the security-only updates are included in there. 
 
If you're doing the security-only, you want to make sure to approve the IE update as well. So for pre Windows 10 systems, if you're doing the security-only patch, you do IE in a separate tab, so you want to do the two of those each month. But that just makes it so you're not including the non-security fixes in that are included in the roll-up in there. So for the most part, try to use the roll-up. If there's any reason why you can't do that because the roll-up has non-security fixes or something in there that are breaking things in your environment, that's when you can move over to the security-only bundle. And in that case, you're doing the security-only and the IE each month to make sure you get all those vulnerabilities. 
 
APSB-18.08 content, then release. So the Flash update was in last night's update. Let me go and look at this just to make sure. 
 
Brian: Nope, whatever...
 
Chris: What did you say, Brian?
 
Brian: That's the release, yeah.
 
Chris: Yep. So that was in last night's content release. So Elgan, one thing to check there is do a help refresh files that will force the patch for Windows console to update that content. If you're looking for it in the patch view and it doesn't show up yet, this happened on my system earlier. I did the refresh files. I already had this window open. I had to close it and reopen the patch for you to be able to see the new content populate because it loaded into memory before you did the refresh files potentially. 
 
So that might be one other thing to check just to make sure if it's just your cache set of data that you're looking at here is not including those updates yet. If you do have any issues beyond that, contact the support team, but that is if you're seeing all the other April updates, that Flash update will be in that same content release. 
 
All right, well, everybody, thank you again for joining us this month. I hope we were able to answer most, if not all, of your questions there. Let's see. Let me grab. There was one more question about making sure to get those KB numbers. I'm gonna grab those real quick if I can find them again. Oh, and, of course, I can't get back to the one that had both from side by side very easily. Give me one second here. All right, give me a second here to chop this up and grab the two numbers that you need. And where's the other one? There it is. 
 
So if you guys look in the chat window, I just sent those two KB numbers out to everybody in the audience. Those are the two non-securities that you need to worry about. Yep. And Michael actually, Michael included...I missed a digit on there. Thanks, Michael, for including that on there. And make sure you catch the 7 on the end of that second number, 4099467. 
 
All right. I believe we've gotten to everybody's questions. Again, if we missed a few there, I do apologize. Thank you again for joining us this month. You guys are going to be seeing an update as soon as we get everything loaded, that'll have both the recorded version and the PowerPoint presentation available to you here later today. And, we hope to see you again here next month. Thank you.
 
Todd: Thanks, everybody.