February Patch Tuesday
February 14, 2018
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris: Good morning everyone and welcome to the February Patch Tuesday webinar, and happy Valentine's Day everyone. Todd, Happy Valentine's Day.
Todd: Oh, same to you Chris. Thanks.
Chris: All right. So you and your wife went out for dinner last night and got that out of the way already out here?
Todd: Yeah, you know, it's been crazy to getting reservations anymore on Valentine's Day. I mean everything is packed, so my wife and I just shift the day around a little bit and kind of take advantage of that.
Chris: Yeah, my wife and I are kind of the same way. We decided a long time ago that going out to dinner on Valentine's Day was just a circus. So yeah, actually she's volunteering at a local theater where I live. And it's tech week there so she'll actually be at the theater working backstage tonight and I'll be home with the kids. So Happy Valentine's Day to me.
All right, well we've got some spikes in people joining here, so we'll just take care of a few housekeeping items real quick. As you guys are getting dialed in, you know, for those of you who are new to this webinar series, when we go throughout the webinar, we've got a lot of people on here for supporting Todd and myself as we go through. So, you know, in the background we've got [inaudible 00:01:23]. She's the one who handles the recording and making sure everything gets up on the website afterwards and making sure we respond to our questions that are coming in from you guys. We've also got one of our content experts on the call here, Brian Seacrest, not be confused with Ryan Seacrest but Brian is one of our content experts and he has a lot and support us, you know, with answering questions and responding as we go.
And sorry guys, it looks like there's some [inaudible 00:02:01] connectivity there. I apologize for that. See if that helps. All right, so getting into the updates for the month of February, we will start off with an overview. We'll talk about some of the more recent news and also go through some Q&A as we go throughout and towards the end here. We'll have plenty of time for questions as well. Just a quick overview of everything that released, we actually have to do an update to this. We actually had a latecomer to Patch Tuesday yesterday. Google released a Chrome release late in the day. So that all happened after our content team, our creative team had created this graphic. So we'll need to go back and update that to include the Chrome update as well, but we did include a slide on that today here and we'll talk about that as well.
So Google Chrome added to the list of vendors that released yesterday. They had one CBE that we'll talk about when we get to that slide. Covering a little bit of news. So first off, we just wanted to kind of do a recap of a meltdown inspector. As everybody is probably all too painfully aware, you know, there's still ongoing news around meltdown inspector. In fact, I think as of February. I'm seeing dozens again. So I'll talk about everything going on with that.
So this is just a recap of where we're at with meltdown instructor. I've included a few articles here just so you have some of the latest details to look at this one that just released yesterday. Kind of recapping the vulnerabilities and the actions that people should have taken right now. You know, one of the biggest things on here is there's many layers to these vulnerabilities. It's a physical vulnerability in the hardware and then there's mitigation in both the firmware and in operating system updates.
The biggest piece to keep in mind there is this is mitigation. At the end of the day, it's still a physical vulnerability. The hardware level that is acceptable. So these mitigation options may or may not be 100% effective. We might find that down the road there's additional things that need to be changed. But for the speculative side-channel attacks that were identified, or speculative execution side-channel attacks, these mitigation options were there to try to reduce the possibility of somebody exploiting these.
Now if you go through, there's kind of a, a web of a different links through different articles throughout here. I'm gonna cover a couple of these, but one of the interesting facts if you dig deeper into some of these articles was that some of the A/B comparisons, those guys had released a number, I think it was around 130 plus examples of concept code trying to exploit these in various ways. As of yet there has been no news of somebody actively exploiting this [inaudible 00:05:43] investigating how to exploit it. So it's not to the point yet where somebody has actually figured out how to take this into actual environments and truly make it a, you know, productive for a real attack yet. But it's only a matter of time before somebody really gears up for that sort of attack. So approach with caution.
There's a lot of layers to this and a lot of ways that it can cause complications. A couple of those I wanted to talk about here real quick. This article here, which you can get to from the original article, talks about kind of four different levels of what needs to be updated here. You need to be able to install the firmware updates for PC hardware. Now this one, you know, Intel, AMD, ARM, they've all got different firmware updates for this. Intel is the most widely impacted but, AMD and ARM still have vulnerabilities as well. The other thing to be careful of here is there have been some issues with certain chipsets with some of those firmware updates. Intel has been, has pulled some and was re-releasing those and they'll continue to have additional firmware updates as well. So there's the firmware update side.
There is a recommendation to replace older hardware. So this talks about a list of a firmware update that for the surface family in particular, there's a additional comments here about a PRI has well Intel CPU use. So if you're on earlier designs, those are some of the most heavily impacted as far as performance impacts of the vulnerabilities as the firmware gets rolled out. All right, let me try to see...I'm apparently still getting some audio cutting out. So I'm gonna try to switch here quick and see if this helps fix it. All right. Hey do you hear?
Todd: You sound fine, Chris.
Chris: Okay, thanks Todd. Continuing on, I switched over to computer audio, so hopefully that'll help resolve that. Patching is the next piece of this. There's a lot of patches for different operating systems and different pieces of software. So not only is there, OS mitigation but the different browsers. SQL, several VMWare products, many different solutions out there have had meltdown inspector related releases to add mitigation in to try to reduce the chances of somebody using this form of attack. So in the case of like Google Chrome and Firefox, Dave basically reduced timings on how long somebody would be able to take advantage of this window where they could get this additional information by exploiting this type of attack.
So again, mitigation being the key word here, this is going to help reduce the chances of people exploiting these vulnerabilities. But when we get to a point where new CPUs start releasing that completely resolve the physical vulnerability, it will be something that people are gonna want to probably start to move forward on as they can. And the last piece here, re-examine your different security components throughout your organization. There were a lot of conflicts throughout here with AV vendors. In fact, one of the things that we'll comment on here today is that, you know, the Microsoft patches this month still will require that AV key be in place. So if your AV vendor did not push that out, Ivanti has provided what we call a security tool to allow you to be able to connect up, or put that key in place if you know your AV vendor is compliant, but they just haven't added that key themselves.
So there's different things like that that you have to look at. Some of these vendors did not do a very good job of...they made sure they were compliant but they didn't actually do the diligence to push that key in place for you. A lot of people have been scrambling to do that themselves or their Windows systems will basically refuse to patch. And that's something built into the Microsoft Patch, not something under our control. But we've created a tool to allow our customers to make sure that key is in place, if their vendor does not support it.
This article here, and by the way, I've got all these in that slide that we were looking at just a moment ago, the root cause of reboot issues is identified. So this is straight from Intel. It talks about, you know, what was the root cause of some of these kind of random reboots and instability issues after applying the firmware updates. A lot of it came down to the Broadwell and Haswell chipsets that, you know, they basically identified and they've made some recommendations here. So if you have been experiencing some of those issues, here's some guidance from Intel on, you know, which ones are effective. You know, that's the best source of information on those particular issues.
This next article here, after the instability issues started occurring, Microsoft released an additional variant of their mitigation patch. So, you know, for those of you who didn't catch the last month, you have to apply the Microsoft OS patches. On the workstation side, it automatically turned on the mitigation features. So the patch put the feature set in place, but there were additional settings that had to turn those mitigation features on to start actually using them. For the desktop side, Microsoft did this automatically when the patch was installed. For the server side, they actually required you to turn on those mitigation features. So you pushed the patch last month but you didn't take any additional steps, the mitigation is not actually enabled yet.
Now since then, they've actually come back and they've disabled one of those specter variant. So this particular update talks about how it's disabling the mitigation against this particular CVE. So one of the three of those, this is something that we again, have released these updates into our solutions as well to make sure that you can push an update out to certain systems to enable two out of three of the mitigation options right now. This third one by recommendation right now is disabled. But that will help you to make that process easier as well.
You know, there's a lot of information across a lot of those. One thing that we have done is we have created a series of knowledge base articles on the Ivanti community. So whichever product lines you're on, these will have the details on exactly which updates you need to apply, what CVEs they help resolve, how to, you know, scan and deploy it specifically for those, how to, you know, turn on the compatibility key using our security tool. Different pieces like that are all included on the community and you will have that for each of the different products. So talking legacy brands here, the Shavlic products, the Landesk products and the Heat [SP] products all have knowledge base articles specific to each so that you find the information that you need. So I have included those links all in here just for convenience there. That way you can find the path to your specific product line.
All right, the other bit of news that we wanted to cover here today is regarding the Flash Zero Day that was discovered. So the Flash Zero Day, this was discovered just earlier this month where basically they were saying that North Koreans hackers were targeting South Korea with a new Flash vulnerability that had not been disclosed yet. And it looks like this dates back to about mid-November as far as how long it's been in use. So Adobe did release an update on February 6th that plugs that zero-day vulnerability. That was released last week, but we wanted to call it out this week to make sure that you're aware of that.
I got to a link to the Krebs article here. And he does, you know, he does a very good job of summarizing the vulnerability and talking about it from that aspect. The actual bulletins that gets updated here, APSB18-03. We're gonna talk about this a little bit later. But just to again, to point that out, this resolves two vulnerabilities. CVE-2018-4878, which was the vulnerability that was discovered being used in the wild to actively exploit systems. The other vulnerability here was while they were in doing this fixed, they had an additional fix that they added as well. Both of these are remote code execution vulnerabilities, so remotely exploitable. Definitely a large concern. So make sure that Flash Player is part of your rollout plan this month.
All right. Covering a few of the known issues, and when we get into each of the patches here, Todd will kind of relate to which of the vulnerable, or the known issues may apply to each bulletin as we talked through it. But Windows 10 Branch Support: End of Life because this is just a reminder, 1607 is scheduled for March 2018, 1703 for September 2018. You know, we talked about this a little bit last month as well, but you can't rely on the extension that Microsoft did in 1511. They did extend and give, again, kind of limited critical updates for 1511 branches for education and enterprise. But, you know, for the next few branches here, we can't expect that, that behavior will continue. So that's a concern there and just make sure that you're updating those Windows 10 branches.
Microsoft is still, as I mentioned before, limiting patch installation based on that AV registry key that was implemented last month. So the details of it are included here. There's multiple Microsoft bulletins that are referencing the need for that key to still be available. There's...oh, sorry, there was a question coming in about WSU [inaudible 00:17:26]. I don't know. Brian, does that cab file reference make sense to you? I'm not sure if I know where that's coming from. So Dan, we'll see if we can get an answer for that question as we're going through here, but make sure that you've got a... I'm sorry, Brian, was that you?
Brian: Yeah, I'm looking into it right now. I mean, that's just the offline cab, so I'm just seeing when that updated or where it's located right now.
Chris: Okay, thank you. So Microsoft is still limiting patch installation based on that AV key. So if you have not put that AV key in place or if your AV vendor has not put that in place, that is still a requirement. It's unknown right now how long Microsoft is expecting to keep on requiring that key. I'd say at this point we can probably expect it for at least another patch cycle or two before Microsoft kind of considers themselves in the clear and that everybody's good. They're being cautious about this one because it has the potential of blue screening systems. So you can understand why they're being cautious. But it is one more thing that we all need to make sure is in place.
And again, we've got knowledge base articles talking about how to distribute that registry key if your AV vendor does not do it. We have a security tool that was released to do that for you. So being able to push that out and turn that AV key on if you need it. If you're on a system that's not running AV at all, this was another scenario where that registry key is still required. So a lot of environments where AV may not be on certain systems, you still have to put their registry key in place or the Microsoft updates will not apply.
Public disclosures. We did have one public disclosure from Microsoft this month. This was in the Edge Browser. It's a security feature bypass vulnerability. So the windows 10 cumulative this month includes this public disclosure. The reason we reference public disclosures is because those vulnerabilities, while not yet exploited in any way that has been detected, it puts that, that system at much higher...or that vulnerability at much higher risk of being exploited down the road. Enough information has been disclosed publicly to give attackers a head start.
So this one, it's a security feature bypass vulnerability. It could allow an attacker to host a specially crafted website and be able to basically trick the user coming to that, trick their browser into revealing more information, more data than would otherwise be available. So restricted data that is meant to be kept secure would be revealed to the attacker in this case. From there, would they be able to gain enough information to perform additional attacks? Possibly. So that's the concern around this public disclosure is there's additional information already released that could allow an attacker to develop an exploit around those.
And then we talked about the Flash Zero Day. This is a use-after-free vulnerability, which basically would allow remote code execution if the attacker was able to exploit this. The screenshot that I saw from a Twitter feed was showing that there was a little, like a little blip in a spreadsheet that was able to exploit this. But the attack could lead to arbitrary execution of code and has been detected in use in the wild. So make sure you get your Flash Player updates rolled out. That includes Flash for the OS, for IE, for Google Chrome. Anywhere Flash is installed, this vulnerability is needing to be updated. All right, getting into the bulletins, Todd.
Todd: Thanks Chris. Let's move into these real quickly here. You know, unlike Microsoft who stopped the bulletin approach to business, we've continued to group things together into bulletins and that's the way we're gonna be presenting it here in the presentation today. So first of all, let's talk about Windows 10 update. Obviously it's still addressing the 1511 release, as Chris said, they've extended support for the education and enterprise versions as I have on the note down at the bottom of this one. In addition, you know, they're providing updates obviously for all the regular releases. Under this bulletin, we include Server 2016, IE 11, and Microsoft Edge patches as well. So under this bulletin there are actually five KB articles. You can take a look at those for a complete list of all the CVEs that were addressed for Windows 10 this month.
There were a total of about 36 vulnerabilities. Chris did mention that the one there, the 0771 in Microsoft Edge was a publicly disclosed but not known to be exploited at this point. Let's go to the next slide Chris. We'll talk about some of the issues that Microsoft included in the bulletins. I captured them here. So, you know, as we were talking about that regkey key, the ALLOW REGKEY that's associated with the antivirus updates, all of the KBs for Windows 10 include this. And so if they do detect that, that it has not been updated, they will not apply the patch. So just kind of be aware of that. Specific bulletins called out a couple of issues here on Windows 10 version 1607 and server 2016 in KB4074590. Microsoft has identified a problem with Credential Guard. So right now their recommendation until they have a fix is that you turn it off when applying this patch. So just kind of be aware of that one as a known issue.
The other one and this is actually a carryover from last month, they haven't fixed this one yet. In the latest release of 1709, when you actually do the patch update, you're gonna get an error message on the machine saying it did not correctly install. And actually what Microsoft is saying is well, that's not really true with. The patch does install properly. We should not be throwing that error message. So they're telling you right now the recommended action is just to ignore the message until we get the problem fixed. And like I said, this is a carryover from last month. So they still haven't fixed this issue. So those are all the known issues that we've seen or that had been reported under Windows 10.
Next slide, Chris. Let's talk about the updates for Office this month. There were not nearly as many as there were last month. However, they're still looking at providing updates for Office, all versions from 2007 through 2016. There are updates for Outlook as well. There was an update for Word Viewer and finally, Project Server 2013 had an update this month as well. Is rated critical because all of these have remote code execution capabilities. So it has been updated and ranked as critical. They actually picked six vulnerabilities this month across all these patches. There were no known issues reported. However, you make sure that when you're installing these, you know, these office updates that you do have the latest Service Packs available on your servers and your endpoints and your workstations because they would show up as not applicable without the appropriate Service Pack.
Next slide, Chris. Moving on, talking about Internet Explorer this month. They did release fixes addressing two different vulnerabilities. We've lumped all of these together under this particular bulletin. There are a total of nine KB articles. There is a cumulative Internet Explorer Patch included here and there are also the security monthly quality updates, as well as the Security Only Updates for IE. We lumped those all together. Those particular vulnerabilities do allow remote code execution, so that does result in this particular set of KBs being rated as critical. And also as shown down below there, these will not apply if that regkey is not updated as well. So Microsoft is being very cautious about applying these patches.
So for those of you that are new to, you know, patching and the way Microsoft has changed their kind of software as a service model, there are two versions of patches that they release every month. There's the monthly roll up, which they are essentially combining all the patches for this month with the previous month so that when you do apply the monthly roll up to an endpoint, you're essentially getting all the patches that have been released from...for the last year and a half essentially at this point. And they also offer a Security Only Patch, which is just the patches that have been released this month.
And if you're using that particular approach and you're applying the Security Only Patches, you need to make sure that you apply them, you know, every month. What I've done here or what we've done is we've identified from a bulletin perspective the monthly roll up here. In this case, the monthly roll-up includes both Windows 7, Server 2008 R2, and Internet Explorer. So you are getting all these updates in one particular bundle that is shown here under KB4074598 for this month, so be aware of that. And it addresses 15 vulnerabilities specifically to the operating system and includes the 2 IE vulnerabilities that I mentioned on the previous slide. Again, Microsoft being very cautious here, this patch will not apply if the regkey is not set properly.
And again, here we show the Security Only Patch. This does not include the IE updates, obviously. It does include the same 15 vulnerabilities that were addressed as part of the monthly roll up. Of course, the monthly roll-up goes all the way back and includes things for the last year and a half, as I said earlier. And again, you know, Microsoft is moving forward with making sure that we don't crash systems and so that regkey has to be properly set as well. Up in the description here, you can see that I've included the elements that were patched as a result of these various vulnerabilities, just trying to capture that information there. And you could get more information in the KB itself as usual.
Next slide, Chris. Moving on, the monthly roll up for Server 2012 this month is rated critical as well, 12 vulnerabilities addressed as well as the 2 IE vulnerabilities are included in here. Interestingly enough, Microsoft is not requiring that regkey to be set with this particular monthly roll-up. So it will automatically apply to all of your endpoints regardless of how that regkey is set. Of course, on the next slide, you'll see here's the Security Only Update for Server 2012, Again, the components that were updated as a result of this patch being applied. Same 12 vulnerabilities and again, no known issues right now with this particular one from Microsoft.
The next bulletin will address Windows 8.1 and Server 2012 R2. In case you're wondering how these are lumped together, essentially these are the same operating system kernels that Microsoft is using. So in 8.1 and Server 2012 R2, the patches that would be applied to one kernel will be the same one that's applied to the other. So that's the way they're, they're grouped together from a release standpoint. Again, this is the monthly roll-up addressing the 12 vulnerabilities shown down below there. One thing you should take note of is that, and although this one has 12 and the previous one has 12, there actually are different vulnerabilities.
So be aware that I'm just not copying the list over. These are taken from the bulletin and you should be careful as to if you're for a particular CVE or patching by CVE, make sure you take note of that. Unlike the 2012 one on the previous slide, this one does require that regkey to be set once again. On the next slide, Chris, we have the Security Only for that same set of vulnerabilities that are applied, are being, are being addressed rather. Capture the components here as well. And it's a mistake here. Notice that I should not have copied IE here. This one does not include updates for IE. I'll fix that on the slide.
Next, Chris. And finally, Windows Server 2008, Microsoft is of course still providing patches for this older server. Most of these patches actually were around the specter and meltdown patches. So a lot of the stuff that they've addressed has to do with handling objects in memory. There were a series of KB articles written for that cover all these particular updates. They do fix 11 vulnerabilities with this set of patches. And like the 2012 releases, there are no reported issues for Server 2008. And there is not, a monthly roll-up or a security only for this. They just call it a security update for Server 2008.
Next slide, Chris. Moving on, one of the things that we've done is we've had a lot of requests to break up the way we do Office and the way we create the bulletin and the patches for that. Particularly, we've had a request to move SharePoint server patches out of Office. And I put a note down below here. The reason we've done this is because in a lot of organizations that we work with, there are different groups that deal with desktop patching versus server patching. And there have been some issues in the past where, for example, a desktop group applied the Office patches and they actually applied the SharePoint server patches as well when they didn't expect to do that.
So we have broken them out and we're gonna start covering them as a separate bulletin now. This month, there were two vulnerabilities addressed because there was no remote code execution or known exploitation of those. This is only an elevation of privilege issue. So what we've done here is we've, you know, that we've ranked this one as important this month. So it just be aware, we're gonna start breaking these out separately.
Next slide, Chris. Just kind of moving on, stepping outside of Microsoft releases this month. Adobe did release an update for Acrobat and Reader. This was a huge release. We hadn't heard from them for quite awhile. I think it's been like two or three months now. And with this quarterly release, there are actually 41 vulnerabilities that have been addressed. This was released in bulletin 18-02 from Adobe. So take a look at that and you can see all the vulnerabilities that are there. This one was rated a critical because of the remote code execution capability of a lot of these particular vulnerabilities, I'm sorry.
Next slide, Chris. Chris had mentioned during the introduction that we had a late arrival yesterday afternoon where Google released an update for Chrome. Here's the information on this taken directly from Google's notice. They have released 64.0.3282.167 for Mac and Linux. And Windows is gonna be slowly rolling out over the next couple of days. There was one vulnerability that was addressed in here as well. And although they didn't note the impact for this particular vulnerability, they did rate it as a high, so we in turn have carried over that critical rating for Chrome and want to make sure that you're aware of this and that you apply these patches as soon as possible.
And finally this month, to kind of to wrap up what we released on Patch Tuesday, we lumped in some non-security updates if the vendors that we support, roll those out on a Patch Tuesday. This month, CCleaner and Bandicut were two applications that were updated. Again, we just put these in the recommended category, these were non-security fixes. And recommend that, you know, you put them in as soon as possible, but it's not a critical emergency right now because there really were no security fixes in these particular applications.
And finally, last two slides here, Chris mentioned that there was an update based on that Zero Day Vulnerability last on February 6th last week. So we included the information here for you rather than tack it on at the end. Here's the information for Flash Player. Microsoft did release...their internal release on Flash Player addressed two different vulnerabilities. And, of course, that Zero Day that Chris talked about earlier that was being exploited is 2018-4878, which I've highlighted in red down below there. And, of course, like I said, this was released back on February 6th last week. And finally the equivalent directly from Adobe that Chris showed you the bulletin information, same information essentially. And this was released last week as well. So just be aware of that. Chris, with that, I'll turn it over to you talking about between the Patch Tuesdays.
Chris: Thanks Todd. So, you know, there's often a lot of things that go on between Patch Tuesdays. That's one of the things that, you know, a lot of, a lot of times there's a lot of things that people lose visibility on just because there's no clean way for them to organize and be able to catch it all. So one of the things that we've had, you know, we actually have done this and then stopped doing it for a while because we weren't sure if the information was being used by people. But by request of our audience here, we had a request to bring it back just to keep that visibility on what was coming out in between. So we've kind of expanded this a little bit here as well. So you see we've got a, we did a new product support for the JRE 9.0, both 32 and 64-bit editions.
There were a number of security updates between Patch Tuesdays this month, including, you know, many for like VMware Workstation Player. You know, other ones as well that a lot of the browsers did a lot of specter and meltdown related mitigation releases. So there were a number of vulnerabilities that were resolved there. And there's a lot of non-security updates that also got updated here and you'll see down here at the bottom where we...outline that we had released to...of what we call security tools, which actually there were a couple of questions coming in about. I'll talk about those again here in just a second.
So here's a breakdown of many of the vulnerabilities that came out for a lot of the different releases since last Patch Tuesday. You can see here vulnerabilities for Phantom PDF, for Thunderbird, Apache Tomcat, Apple iCloud, iTunes, Wireshark, the VMware products, many different workstation and player additions had several CVE that were resolved there. And the Java Runtime and JDK updates that released in between Patch Tuesdays also, 15 for the Java 8 Update 161 and 20 that were resolved on Java Runtime 9.0. So there's a lot of different updates there that you definitely wanna be aware of that all happened. You know, Java released just after patch that was the following Tuesday and then several of those throughout the month.
All right, so we do have a lot of questions coming in and I see that, you know, Bryan and Erika have been helping out with responding to many of those as well. But let's see if we can't dig in and respond to some of these as a group here as well. Let's see, we had a question about the AV registry keys. So this was those security tools that I've mentioned. Let me go ahead and pull up. If you go to, and depending on which product line you're on, there should be one on each of the communities. So if you're on the Heat products, if you're on the Shavlic products, or if you're on the LANDESK products, they'll have...the articles will kind of go into detail about this.
So for those of you on the LANDESK side, there is, where is the AV one? Here, we go about Antivirus products and meltdown and specter sector security vulnerabilities. So this is talking about the registry key and, you know, the information there. So this is the one on the Shavlic side that talks about putting that key in place as well. Let's see here. This is the name of that security tool. So if you look in our catalog, you'll see this IVA18-002. It's under a patch type called security tools. So it's not something that's scanned for by default. You wanna make sure to specifically scan for that. So, you know, you'd wanna follow this article here to figure out how to do that, but that will help you put that key in place. For this specific product line, this article will show you how to do that specifically in the patch for Windows product. If you're on one of the other products again, there's related articles for each of those. So on each of the communities you can find that information.
Yep. So Devin commented here on the Adobe updates. So Flash was released on the 6th and Microsoft released a patch for Windows 8.1 and Windows 10 the day after. So yeah, those mostly came in all last week. Let's see, other questions. So there was a...asked for a little bit more clarity on the difference between the monthly rollups and the security onlys. So we've had a couple of different times over time here, Tony, that we've done blog posts and talked about this over the last couple of years since these changes all went into effect. But on the pre-Windows 10 platforms, Microsoft offers the OS updates in two different models.
There's the monthly rollup. So that monthly rollup is the Windows 10 model where everything's included, it's cumulative, it's including both security and non-security items all in one update. So in January on Patch Tuesday, they added the January security updates. Later in the month they released that included, did a quality update release that was the same chain, that same rollup that included the non-security updates. So February this month, the security update, monthly rollup for Windows 7 let's say, includes the quality release at the end of January and last month or last month's security updates, as well as everything that came before. So the cumulative model, you get security and non-security, it's all cumulative. Going forward, you're gonna get everything that, you know, came previously. The Security Only...
Todd: Be aware, those are getting really big, right Chris?
Chris: Yep. They do increase in size, those...not as bad as Windows 10 and they're capping somewhere between 500 and 600 meg. But they have grown quite large. The Security Only Bundle does a couple of things. One, it keeps those non-security updates out of the equation. Two, it is just this month's security fixes for the OS. Now, in the case of supersedence, you could get something that was fixed previously because it's been re-fixed in this release. So that's one thing to be cautious of is this doesn't mean that everything that happened in January won't get touched this month. If one of the fixes in this cumulative, or in this security only bundle supersede something from last month that was fixed, that could cause the same thing to happen there. So if something broke you last month, you wanna make sure you understand what's going in this month to make sure that the same fixes isn't there, just additionally changed to further resolve whatever issue it was.
The Security Only Bundle also separates Internet Explorer out. So if you're doing the security only method, so again, you see here all these SO 7881, those are the security only bundles. If you were doing the monthly rollups, you'd see MR. If you do the security only, you also have to do the IE update. So that's one key piece there is, that's not bundling in IE with it. You have to have to do that separately. So hopefully that's explains more about the difference there.
Todd: It really comes down to some best practices, too, Chris. I might add a few comments. For example, if you're gonna build a new system and you take, you know, a Microsoft download and install the base operating system, it would behoove you to, you know, immediately installed the cumulative rollup at that point so that you would bring it actually to the latest patch version across, you know, all the patches that have been released for that operating system. And from that point forward, then you can make some decisions. Do I only wanna apply the security only every month from that point forward? Or do I wanna continue to apply that cumulative update?
And, you know, there are a number of reasons why you would choose one over the other. As Chris said, you're only applying the security updates if you do a security only every month, so you don't have to worry about the impact of all those other quality improvements if you don't wanna include those or if they break your applications. So there's a number of kind of best practices that you can think about when, you know, you approach this.
Chris: Yeah, that's a very good point. So Kari [SP] had a question about how do I see these bulletins and what KB in the bulletins? So Kari, depending on which product you're on, you know, where you would be able to see this information will vary. But, you know, we're working to make sure that each of the products have, you know, the ability to get down to the level of detail necessary. So in the case of the patch for Windows product the patch view, it's gonna take a second to load up here. So my patch view here allows me to see, you know, all the different bulletins and you can see here if there's, let's go to...
So here's the Windows 7 rollup for last month. Or, the security only, sorry. So here you can see all the affected products. You can also see the details around the bulletin details information like that, the blanket KB article, if you can switch between these here and see which KB articles are effective for each of those, if they're the same one or if they're different ones. Which specific product I'm looking at will show me the information relating specifically to that one. So you can get very detailed in, you know, the level of detail you're looking at in the product here. When you look at a result, again, depending on which product you're at, this one is showing me exactly which KB applied to this particular machine.
So in this case, if we look at the MS18-01-W10, this is the Windows 10 cumulative and the specific KB article that relates to my specific edition of Windows 10, my branch of Windows 10. So I'm on 1709, I got this KB article that's the one that applies to mine. If I would've gotten it on 1703 and that was a different KB, I would've seen that information specific to that machine. So again, depending on which product and where you're looking at it, there's different levels of detail for that. If you do have more questions about that, it might be a good question for, you know, to follow up with the support team to get more detail on them.
Let's see, I think we answer the AB key questions. There was a question here from Phil understanding around Google Chrome, they were gonna be stopping supporting of Symantec certs. That I remember reading that as well. I'm trying to think of. I can't remember if they gave a specific... Okay, so early 2018. That's kind of what I was remembering was they gave kind of general information about when they were gonna do that. I don't recall them giving a specific date yet. So yeah, you've got about as good of information as we do. I don't think they've really disclosed exactly when yet.
Let's see here. What is the expected performance impact from doing the Microsoft patches without doing the microcode patch first? So Ben, I'm guessing you're talking about the firmware updates. So, when you're dealing with the meltdown and specter vulnerability, there's the OS patch, there's the Firmware Update, and then there's the mitigation options actually being turned on. So on the workstations, if you applied the OS patch, it applied and it did the...turned out the mitigation options right away. So that in itself could have started to cause some of the performance issues that people were seeing.
Doing the Firmware Update is where more of the impact of performance really came into play. For the server-side, just doing the OS patch and the firmware, a lot of companies were not seeing any issues yet when you turn on the mitigation options. Again, there's registry keys for that. That's when a lot of companies started seeing those performance impacts. So it varied quite a bit. Oh, and Brian might have found the... Let's see if we got. Let's see.
Brian: Pull that a little bit right there. Just a simple, easy to read timeline.
Chris: Okay, here we go. Thank you, sir. Appreciate that. Yep. So we're here getting close to March. So Chrome 66 released a Beta which will removed trust and Symantec issued certs that are not before the day prior to June 1, 2016. So that's, you know, this is probably the best article on that, which actually I didn't even get when I did that search. So apparently they're not doing a very good job of getting that. Let me send that out to the wider audience here. All right Phil, there's...I just sent that back out through the chat to everybody. So if you need that information, Phil and anybody else, that is a great source of information on that. So thanks Brian. All right.
Todd: There was a question here, Chris, about our database from Andrea and it is a SQL based. Yes, it is a separate version of SQL.
Chris: Yep. So...and again, we do have multiple products depending on which one you're on, but they're all SQL based today. All right. Trying to see what other questions we haven't really touched on yet. Long-Term Servicing Branch versions of Windows, do those continue to receive security patches? Yeah. So the LTSB, the, the Lucas, the End of Lifes that we talked about before, that was relating to the regular branches, not the LTSB. So there's a different end of life for the Long-Term Service Branch that is much further out so.
Brandon had a question about how are bios updates deployed using LDMS. I am not as familiar with that feature set in there, but if I recall correctly, where did that article go? It was this one here. No, that's not the one. Too many windows open. Last one. I must have clicked through on that one. Here we go. Bios firmware driver updates. Here, Dave, one of our specialists here talks a little bit about this, but I couldn't remember if he referred to usage of that feature set in here.
Yeah, he had the links to the vendor websites in there. So that one, there's probably a good article on the community about how to push the firmware updates through there. I don't know a location of that off-hand, but if you can't find one, get a hold of the support team and they can relay you to the right article to show that. It's a feature that's been a, the LDMS product per very long time. Part of the system management feature set, so we definitely have documentation on that, just a matter of it's in an area that I'm not as familiar with.
All right. Robert had a question about explaining the Security Tools. So yes, let me see here. Let's pull up the article, let's go to this article. So we have a category of patches called Security Tools. These Security Tools are...they're basically, they're not a security update from a, you know, from Microsoft or Adobe or anything like that. A lot of times they're additional tools that may be used. So we put the malicious software removal tool into this category. We also do things like these tools here, which, you know, may be needed to solve a very specific problems, but they're not a typical patch.
So in this case, you know, there's a couple of different ones being described here. Let's go into, I think...oh, the section logic for that isn't specifically there, but I think we can go in here and get to it pretty quick. So here we go. So these are the security tools that we've just recently released around Meltdown Inspector. If you look here, it gives you specific details about, it's disabling the fixed for the mitigation options for Windows Servers. It's designed to turn off that that particular mitigation feature that was causing some of the performance issues.
And I believe, I don't know if I was on the right article or not, if we go over to this one. Yep. So there's, this one's talking about there's an enable and disable, two variations of this. One that turns it on, one that turns it off. But this is showing you specifics to the patch for Windows product, how to enable that one. Now you'll be able to utilize this tool in the LANDESK product as well. That it's just a matter of there are approved and deployed slightly differently.
Todd: Yeah, Chris, there were some questions about what keys we're actually talking about there. Those are the ones that were captured in that introductory slide at the beginning of our presentation today. So when we talk about the, we were calling it the AV regkey. It's actually the, what is it, the quality compatibility, I guess Microsoft calls it, the quality compatibility regkey. Those are one and the same.
Chris: That is the same, yep. Which...here we go. This is that specific registry key. Now the other tool is turning on or off the mitigation options. So that's a series of three additional registry keys, once the patch is applied, that can turn on those mitigation features on a Server OS or turn off that one in particular, the one that was having performance issues on both server workstation or OSs. See I know there's a lot of confusion there at times, but the Microsoft article about those additional turning on the mitigation options, that is this article here. And these are the three additional registry keys that are used to turn on the mitigation features. So this is one that we talked about last month, but we'll go ahead and share this out again here as well. So check your chat window there. There's some additional links coming your way that describes those additional mitigation registry keys to turn those features on and off.
Brian: To add to that third key in that list, is just for virtualization servers. The other two are relevant to workstations and servers.
Chris: Got It. Thanks, Brian. So again, questions about getting access to the slides and the recording. Both of those will be made available to you guys later here today. Erica is going to be getting all that content ready to go and distributed out to everybody here after the webinar's done. So Harold had a question, you know, that's about which UI I was looking at a little bit ago here. So that was the patch for Windows product or the legacy Shavlic product.
This webinar kind of came up through the years from the Shavlic side and we've expanded it out to the other products audiences as well. So you were seeing the patch for Windows UI. That's one that I use a lot of times to be able to get in and see details about the content because it's one that more intimately familiar with. It is different than the Ivanti management console that you're using from the legacy LANDESK side. So the same catalog is being used, a lot of the same content will be available, just a matter of it'll be in a different experience so.
So Joey had a question. Is the security tool just the scan template? I'm scanning and deploying against that. Yeah, so Joey, to scan for those security tools is if you're in the patch for Windows product, you would create a patch group with that particular patch added to it. And in your template you would scan and deploy including that patch group as well to be able to do that. So that you can create a template to specifically go and do that for you.
And I'm trying to see, there's been a lot of questions back and forth here, so we're just still trying to look through and make sure we got everything. So there was a question from [inaudible 00:58:54] about checking patches before announcing their applicability. So if I understand your question correctly, you know, it's more about what does Ivanti go through to validate those patches before we release. And actually, you know, Brian is on the team that does a lot of that, but we actually have an extensive team that, you know, will go through, they will...we have tooling as well.
So the patches are downloaded, basically broken down into their component parts. We find out all the information, the bits and bytes about it, what's gonna be modified, what platforms does it apply to, we'll check it against additional sources. So we will check against the vendor's KB page, we'll check it against, in the case of Microsoft, the Windows catalog to compare detection logic, things like that. And then we put it through an exhaustive test cycle against a suite of virtual systems that do a combination of things, from a system that's never been patched before that that patch applies to, to a system that's in some various state of patching, to a system that's up-to-date as of last month and just applying just the latest update to that as well, to regression test that in many different ways to make sure that the patch one is detected properly, two, applies without issue to that system, and three, after reboot will come back up and detect properly.
So we do a variety of different tests to validate that content before we distribute that to our customers. Each of the products also do some different checking as far as like downloading validation of the binaries, distribution and all that stuff as well. So there's a number of different checks and balances that happen throughout here to validate that quality. Brian, Todd, I don't, I'm trying to see if there's any other ones that we really haven't touched on. A lot of them are variations of questions that we've already had. Any others that you guys are seeing that we haven't hit?
Brian: I was just glancing through them as well, Chris. I see towards the end there, there's one from JC Munoz about patch fixing colonization. See that one?
Chris: Is that in the chat or in the Q&A?
Brian: That was in the Q&A.
Chris: Q&A, all right.
Brian: He was asking about 1511 specifically on the Security Only Patches.
Chris: Okay, let's see here.
Brian: At 1047 that came in.
Chris: Yep, I've got it now. Yeah. So JC, when Microsoft went to the extended limited mode of support for that 1511 branch, that one, it's still a cumulative package, but they have limited that to basically just doing critical security updates. So it's not getting, you know, the same set of updates that went into the later branches. If you looked at each of those CVEs individually, it would be only the ones that were rated as a critical. So if we looked at there were 36 vulnerabilities resolved this month for the Windows 10 cumulatives. In the 1511 branch, only those of those CVEs that were rated as critical would've been resolved in that particular branch. So it's not the same as the rest of the branch is going forward. So that one's kind of a one-off. We didn't go into that much detail on that one though.
All right. I think we have a hit the majority of questions on there. Actually there's one that just came in here. What is the web link to check server patch downloads? I'm not sure. Not sure what your question is in regards to. Todd, any ideas?
Todd: No, I mean we go to the individual vendors when we pull down the patches themselves and our products actually reach back to Ivanti at content.ivanti.com. So those are the.
Chris: Right. So yeah, I guess if it's regarding where do those patches all originate from... Yep. So, okay, thank you for clarifying the Microsoft link. So we would be pulling directly from the vendor. So...and on each of our communities again, like for making sure that you've got the right things open, we should have the...I think that's what, it'll find it here. So this article shows the primary download center for each of the vendors that we support. So if you're in a situation where you need to whitelist where updates are coming from, these are all the different places that we have a source coming from.
And specific to Microsoft, we've got basically going directly to download that microsoft.com. It's getting them directly from there. Now underneath that is the direct link to each of the packages. That's a much deeper level of the content, but it knows exactly where to get those. And Microsoft's distribution of patches is distributed out through, through CDN. So it's, wherever you're located at, it's gonna grab from the nearest Microsoft download center. So hopefully that answered your question there.
All right. I think we have tackled most of the questions out there. And Joey had one more question here. Are we still scanning for and deploying separately the meltdown and specter patches, or are they included in the cumulative or anything else yet? So, good question. If you're on Windows 10 or Server 2016, it's cumulative. It's in the OS package, it's a role above that. If you are on one of the earlier platforms, so, you know, 2012 R2 and earlier for the server side, you know, Windows 8.1 and earlier for the workstation side, if you do the cumulative, it's all included each month. So this month is gonna include all the stuff from last month. If you do just the security only bundle the... And Brian, did you mention to me that when you guys did some validation around that this week as well if the security only bundle applied the last month changes to... And he may have had to drop, unfortunately.
Brian: I'm still here.
Chris: Did this month's security only bundle, did that make the changes to the meltdown update from last month?
Brian: I actually hadn't verified that through the Powershell command list. I can look further into that because it is really good question.
Chris: Yep. Typically Joey, if you're doing the security only last month updates, unless something else got fixed additionally and superseded a change from last month, would not have been included if you're doing the security only bundle. Any of the cumulative rollups, yes, the answer is it would be included. Again, I think, that's an open question of did Microsoft have any additional changes in the February security only that brought some of those changes forward? That's a question I think we'd have to do some validation around, unfortunately.
Brian: And don't forget, you have to run through and still enable those on those reg keys on the server side after you've applied the patches.
Chris: All right, thanks everyone. If we missed some of your questions, we do apologize. There were a lot coming through this month with everything going on. So Devin had a follow-up question around that line of questioning we were just on there. If you don't want the spectrum meltdown patches, there's a chance that you could do the security only patch this month and not get those included, but that's a gray area right now. If they superseded any of those changes from last month, that could be a problem.
Okay. So actually Margie already just found an article here. Let me see if we can pull this up quick and answer that question. All right. Currently it's not gonna... Oh I had too much information in there maybe. come on. Oh, you're gonna be a pain like that. WebEx is not letting me pass in the right level of information here. Here we go. Number 12 on the FAQ. I have not installed the January 2018 Security Only Update. If I install February. Am I protected from the vulnerabilities describing the advisory? Yes. Okay. So they did include those. So answer to that question is yes, they did include those in the security only for this month as well. I had a suspicion they may have, but that confirms it. And thank you Margie for a finding that article and the specific reference there. Awesome. Thank you.
All right. Okay, everybody, I think we're gonna wrap there for this month. We appreciate you joining, as always. You guys coming here each month and participating in this webinar is what keeps us doing this. So we hope to see you again here next month. Thank you.
Todd: Thank you very much. Bye-bye.