January Patch Tuesday

January 10, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Introduction

Chris: Good morning everyone, and welcome to January 2018 Patch Tuesday. Actually, I just realized, we've got our first typo, Todd. You had 2017 instead of 2018 in the year.
 
Todd: Uh-oh.
 
Chris: Yup, first webinar of the year. We did not...we, you know, brought our template forward but didn't update that year on it yet. So we'll get that corrected. Well, so we've got an exciting start to the year, Todd, with Meltdown and Spectre, and kind of a Patch Tuesday that we really got now...you know, it started last week on Thursday and has continued on with yesterday's release as well. So we got a lot to talk about today.
 
Todd: Yeah, I was hoping to really kind of ease into our first Patch Tuesday of the year and we hit the ground running Wednesday night.
 
Chris: Oh, yeah, my... there's always the, "Hey, tell us what you predict for, you know, the upcoming year." My 2018 prediction was way off. I predicted that the trend we've been seeing since 2011 and the rising cybersecurity threats and everything else going on, it was all a fad and we're gonna have a really boring year this year. Yeah, that week one didn't survive that prediction. So here we go.
 
All right. So, hey, for everybody who joined, thank you for joining us here this month. This is...we've kind of hit a new high water mark for registrants on our webinar here. So obviously, we've been doing something right. And there's obviously a lot of interesting things to talk about. For those of you who might be new to our webinar series, what we're gonna do today is we're gonna cover, kind of, an overview of what happened in January's Patch Tuesday release here. We're gonna talk about some of the known issues, some of the challenges, what you guys are gonna be facing. We're gonna try to give you guys some guidance around what you should focus on and how you should go about, you know, pursuing some of these things just because there's...oftentimes there's some hidden things, some known issues that are easier to know about before you run into them headlong.
 
We're gonna talk about some of the things on the news which, again, in this case, Meltdown, Spectre, we'll talk plenty about that today. I guarantee it. And then we're gonna do, kind of, a bulletin by bulletin breakdown of what all released here from both Microsoft and some third-party vendors. And we will get into some Q&A time. Now, today is probably gonna be a long one but we will try to answer everybody's questions here today. So if you do have a burning question, hang on towards the end here. We will try to get to every Q&A question going on.
 
Also joining us today is Brian from our content team. Brian is already jumping in and responding to some of the Q&A that might be coming through. So between Brian and Todd and myself, we're gonna try to get everything question-wise that you guys might have throughout the webinar answered as quickly as possible. So please utilize the Q&A feature and send us the questions that you have throughout, and we'll try to answer them as quickly and concisely as possible.
 

Overview


All right, getting started, let's take a look at the overview of what we got this month. We did get a Flash Player update from Adobe, not surprising. Only one CVE in this one, not a terribly severe CVE. It was only rated as an important. So that is one that you do...you know, Flash is still a highly targeted product though. So it's always a good one to make sure to roll out quickly. Google had a Chrome release. This Chrome release did not identify any specific CVEs that it was resolving. Google does have a mitigation for some of the browser-level exploits of Meltdown that we'll talk about a little bit as well. There's basically a feature that you can turn on that enables those mitigation features. So we'll talk a little bit more about that in a second.
 
Microsoft, obviously, a big one this month. We've got the 14 roughly, you know, bulletins or updates that they've provided us this month. Three of those are rated as critical, many more are rated as important. Now the thing to keep in mind is just because it has a rating of important doesn't mean you shouldn't move on it. So we'll talk a little bit more about that as well. Mozilla did have a release just last week as well. Their release does add some mitigation around the Meltdown and Spectre...basically the speculative execution, side channel attack vectors that they're adding mitigation to prevent those. So we will talk about the Mozilla release here. Again, even though there's no CVEs specifically related to it, it's adding mitigation there.
 
And of course, we've got Oracle's quarterly CPU. It did not release yet, but we always try to let you know what you need to worry about. That's coming next week. So next week Tuesday or the Tuesday the 16th is when you'll see the Oracle release. And two of the updates that we always talk about there that you definitely wanna be aware of are the JRE and JDK Java components.
 

News - Meltdown and Spectre


All right, talk a little bit about the news. We've got Meltdown and Spectre. So there's a number of resources here that I'm gonna show you guys, and we do have links for all of these provided in the articles I'm about to walk through here. But, you know, this all started with the Intel vulnerabilities that were disclosed late last year. I believe November is when they first started to surface and make some news. Made another splash in late December with a lot of disclosures and proof of concept code expanding out. And, you know, there was an early release of Microsoft operating system updates, last week, late Wednesday. So Thursday is really when everybody started finding out about that, to start to put the OS-level mitigation in place. 
 
Now, to be very clear, everything that has been done so far is mitigation. The vulnerability here is at a physical hardware architecture level. So what's being done here is there's a number of steps that they've taken to mitigate the ability to abuse this form of attack at the firmware level and at the kernel level in the operating system, and even at the browser level in all of your favorite browsers. So there's multiple layers of what you need to do to properly mitigate this. You're also gonna have to, you know, think about other solutions, like if you've got a virtual infrastructure.
 
You may have seen news articles about all of the major vendors, Azure, AWS, all the major data centers had been applying the firmware updates and OS updates to prevent this. This form of attack, because it's at the hardware level, has enabled an attacker to go from the guest OS in a virtual environment across those boundaries and be able to even glean processor calls that have been made from other guests within the network or within the virtual infrastructure. So this is a very severe type of vulnerability and has gotten a lot of concern because of that. 
 
There's basically three types of vulnerabilities here. There's...also, you know, only some of them are mitigated at different levels. So you do have to do all of the different steps here to properly mitigate these vulnerabilities. Otherwise, you're still leaving yourself exposed for, you know, some ways that this can be exploited. Microsoft's recommended actions are to, if you have automatic updates enabled, blah, blah, blah, you've gotta make sure and do the OS updates. Yup, plain and simple, the OS update needs to be applied. You also need to apply firmware from your OEM device manufacturer. By the way, this also affects more than just Intel. The Meltdown vulnerability is Intel specific, but the Spectre vulnerabilities actually exist within AMD and ARM processors as well.
 
So you need to get the OS updates in place and then you need to get the firmware updates from all the different vendors. Many of them started releasing last year already. My particular Lenovo laptop that I used had a driver update just before Christmas last month that resolved the firmware vulnerability or updated the firmware to resolve or mitigate the vulnerability for my particular device. I've seen posts from Dell, Lenovo, HP, they're working their way back through all of the different platforms and adding support. Intel also is working their way back. This is affecting more than just, you know, the latest processors. This is dating back over a decade, 15 plus years in many cases here where this architecture vulnerability exists.
 
So Intel went back as far as five years right off the bat and got those quickly out to the OEMs, and they're continuing to work back further from there. So the older the hardware, the longer it may take to get the firmware side of this issue resolved. So two out of three of these CVEs will still be potentially exploitable the older your hardware is. So we've got the patches, we've got the firmware. But, you know, we did kind of a more comprehensive write up that also includes some known issues as well. So if you go to this blog post that I put together on Monday, it breaks down and, you know, talks through here's some advisories from a lot of the well-known groups that you're gonna wanna be in touch with on this.
 
CERT did a really good job of pulling together, you know, cross-platform with Linux, with Mac, you know, the other platforms as well making sure that you got links to a lot of the base announcements from all these different vendors on how the issue impacts them. And it literally is a large list of, you know, vendors that are impacted here. The original Intel advisory and the Microsoft advisory we just looked at. Adding one more step on to the guidance here, it's been kind of a little bit overshadowed but on the Windows server platform, after you install the update you have to go back and enable the mitigation options through certain registry keys that are not part of the patch.
 
So Microsoft has an additional article here that, you know, goes through and talks about how to enable these features for the server platforms so that you can ensure that these mitigations are not only installed and available, but are also now actually doing their job in mitigating the impact on environments. Especially, if it's in the following categories, there's increased risk. Obviously, Hyper-V. We talked about the fact that this is allowing a guest VM to break out of the normal, you know, trust rings and get down to a hardware level and potentially go across into other tenants within the environment. Remote desktop host service...services host, physical hosts or virtual machines that are running untrusted code, any environments like that are running at a higher risk of, obviously, being exploited.
 
There are several registry keys here that you need to enable on a Windows server to make it so that those mitigation features are actually going to be running on the server side. Workstation, once you install the patch, the mitigation features are on. The server side, Microsoft made a clear separation here, you know, because there's, you know, several challenges with this. If you're in a Hyper-V environment, you gotta make sure, you know, that you fully shut down all VMs to enable the firmware-related mitigation for VMs that have the firmware update applied. You know, there's other issues. Like when you enable these, the server side is where you may notice some of the performance impacts that have been talked about so much.
 
So, you know, there is a possibility of a performance difference after you apply this patch and then turn on the mitigation options. The performance impact will be more noticeable on certain workloads. A typical user, they're not gonna notice anything. They may...if they are noticing anything, it is more likely that a service they're connecting to is actually seeing a performance difference than their personal system. So unless somebody's already really running the bleeding edge of the resources on their machine being utilized, they're probably not gonna see much of a difference themselves. It starts to be higher impact when you get to the point where you're crossing this boundary of talking from a user process to the kernel process, you know, more frequently.
 
Think of it this way. Today, I'm having a face-to-face conversation to me as the user to the kernel. What this mitigation is doing is actually separating the kernel process out into a more sheltered space. So now the user having that conversation, it's like shouting in the next room. A simple conversation of, "Hey, how are you doing today?" Well, I can get a response back and we can carry on with our day. If I start having to talk across that boundary more frequently, you'll get to the point where crossing that boundary more frequently becomes a little bit more tedious and you start to notice those performance differences.
 
So when you get into environments where storage becomes accessed more frequently, a virtual infrastructure being a good example, you get into an infrastructure where there's extremely high network utilization consistently. You know, there was an article that we'll get over into in just a second here with a gaming company that hosts online gaming seeing a significant performance increase. You know, those are the areas where you may see a performance impact more so. So, you know, that's one of the reasons why Microsoft has you enable these additional keys to turn on the mitigation separate from the patch itself being applied.
 
When you start turning these on, that's when the performance impacts are more likely to become noticeable. So there is the need to not only apply the patch but to then change these values or these registry keys, add these registry keys in and then reboot the system. Firmware then needs to be updated as well to completely resolve the vulnerabilities on a Windows server. All right, there was a very good write up from this gentleman here, Kevin Beaumont. Did a very comprehensive write up, covered a lot of the same things that I was talking about as well. But he also included a nice spreadsheet here.
 
So many of you probably saw some headlines about anti-virus. These updates are changing the behavior about how interaction with the kernel occurs. And it became very clear very early on that some of the AV vendors were not, they were not interacting with the kernel in expected ways. They were putting another virtual machine in-between, they were doing, actually in some cases, doing behavior that actually mimics more of like a rootkit to basically put themselves between the kernel level and everything happening in between at the user level as a form of protection and better ways to capture and detect things happening.
 
Well, with the changes that occurred, those vendors who were doing that type of behavior ended up causing either blue screens or crashes, and could have potentially gotten into really bad states with systems. So Microsoft implemented a registry key. And many of you have probably heard of that key now as well. That registry key needs to be in place or the OS updates will not be applicable. This article has a link to a spreadsheet that's tracking all of the common AV vendors, showing if that vendor is setting the registry key or not and whether or not they added support for the kernel change to make sure you don't enter into a blue screen scenario.
 
So it's got good information here about each of the major vendors out there and whether or not they are compliant and working well. We also got cases that we've already come across where, you know, there's a lot of environments where you may not be running AV on certain workloads. AV, in some cases, is a bigger impact to the performance of a machine than a protector. So with other security measures in place, AV becomes less of a concern for certain systems. Well in that case, there's nothing on that system to then update that flag to allow the OS patch to go ahead and install.
 
So we have adopted a similar model to Microsoft to detect if that key is in place. The Ivanti content has gone a step further and added an additional detection to say if that key is not in place but the system is still vulnerable, we've got a separate, non-deployable detection item that will come up and say, "You still need this update. It's still missing here. It's not deployable until you get that key in place but we're reflecting that reporting-wise." So that's been one of the challenges that we've seen on patchmanagement.org. And actually in Kevin's write up here, there were some responses back to that asking about how do you know if your system is good or if your system is requiring that patch but just doesn't have the AV key in place yet? So we've got some additional logic in there to try to give you that information through the Ivanti Windows content. That way you get more detailed information there. So if you get into a case where you're trying to deploy that patch and it's not deployable for certain systems, that's the reason why.
 
We do have KB articles on each of our patch solutions that give you details on how to push out the registry key, either through GPO or you can use a custom actions script that we put together and be able to push that out and execute it before the patch, in a case where you know you're not running AV, or your AV is good but the key is just not in place. You see there's a number of these guys where they're compliant, but they just have not set the key or don't support setting the key. For those of you using next-gen AV solutions as well, you'll see that there's cases here where like CrowdStrike supports the change, so that's not gonna blue screen your system. But they don't support the registry key. Same thing with Cylance, Cyren, and several of the other next-gen vendors.
 
The reason why, and there are posts in some different places about this, but the next-gen vendors were concerned that in a lot of cases, they've been brought in as an addition to AV. And, you know, until the environment or until the customer is comfortable, they don't drop the traditional AV mechanism right away. So they're saying, "Sorry, the traditional AV vendor has to worry about that one. We can't, you know, worry about that, otherwise we risk a potential situation where if I've got like 360 here, which doesn't support the change, and CrowdStrike, and they put the key in place would that have made it so that 360 conflicts with it and blue screens the machine." So if you run into one of the cases where the key is not gonna be updated for some reason, but you know you're good, you've tested everything and you're sure that you can push that out, there are methods to get that key in place that will make it so you can start pushing patches again.
 
More concerning about this issue is until Microsoft gets to a point where they're confident that all of these vendors are compliant and that there's a reduced risk of blue screens happening, you know, there's only a few vendors, major vendors, left that haven't reacted yet. But there are enough customers out there that are running those vendors or others that aren't even on this list that Microsoft has basically said, "We're gonna require this key for the OS updates until we're sure that it's not an issue anymore." So expect probably the next two to three patch cycles to require this key for the OS updates to be deployable.
 
So it's something that you're gonna wanna face and tackle now, make sure that you test it and make sure the system is, your systems are compliant, and push out the registry key in cases where you know the key won't be affected. Now, also keep in mind that if the patch is not deployable but you are on one of the vendors where this should be supported, the reason that it's not deployable right now is likely because your AV on that system did not update properly. So again, approach with caution. If a system is not deploying the patch, be sure you understand why before just enabling that key and starting to push the updates out or you may risk an unstable system situation.
 
All right, let's see here. We've talked about the server guidance, the additional keys that need to be put in place. This one where we've been having some additional discussions around this. Microsoft has a fairly comprehensive article, you know, showing how to do this, even having PowerShell scripts that you can download and run on a system to enable those. You know, so we've got the ability to through, you know, our different solutions from Ivanti for patch management, you've got the ability to push out a script like this and execute it before or...you know, after all the patches are done, you could execute that script. We're even looking at, you know, do we add an additional detection item, a separate Ivanti-specific KB which is going to evaluate if these changes are turned on for a server OS. So what it would do is look at it and say, "Is the patch applied? If so, are these, you know, registry keys properly enabled," to try to give you an ability to audit more easily if you've actually turned on the mitigation features.
 
Now, this is entering into an area where there's a little bit of caution on our part. You know, whenever we do a detection only signature, that enters into a supportability issue. How does the user know that, you know, this is detection only? How does that impact your compliance reporting? So there's a lot of concerns with that. One thing that I would ask here is if anybody has a strong feeling on that, would you prefer us to add a detection-only signature for if the mitigation is actually turned on for the servers? And would you want us to include that as what we deem a security patch, or a separate patch type that's called a security tool where you pick if you want to try to detect that one or not?
 
So if you've got some feedback, pass that through either the Q&A or the chat window for us so we can get some feedback from you guys. You know, in all things that we do, Ivanti always tries to give you the best information possible. A good example is the AV signature. With the Microsoft platforms, it's gonna prevent a blue screen situation but you lack a visibility around, you know, if it's still missing or not. We've gone that extra step to say there's a detection only signature that's gonna show that that's still missing even if it's not deployable right now. This is a similar case. We want to go that extra step but we want to make sure we understand the impact to you guys before we do.
 
All right. Another known issue with this, for those of you running AMD processors, Microsoft realized that there were some other issues with AMD CPUs with applying this OS update. There's a little bit of finger pointing around exactly what happened but basically what it comes down to is if the Microsoft update is applied, there are certain AMD CPUs that are not working as expected or documented by AMD. So they're working with AMD to try to resolve these issues. They have put in some additional detection, probably just in Windows Update, that tries to look for and see, "Is it an AMD processor? If so, don't allow the patch to be deployed."
 
No key or anything else to trigger off of, it's literally looking to see is it an AMD processor and just blocking it all together. It's not a very good mechanism for that. It's using WMI, it's using, you know, methods that are not gonna be as consistent. So we have not done any additional mitigation on this item yet. If you're running AMD processors, our recommendation is test thoroughly, make sure that you know the AMD processors in your environment are safe to deploy to. Otherwise, potentially hold off until an update comes out here for this one.
 
All right, that was just another article about the AMD processors. That was Microsoft's response about the AMD processors where they're basically saying, "Yup, if you're running an AMD system, best not to do anything until we release an updated version." Mozilla, they didn't have any CVEs in the release that they just did last week. But again, there's an advisory in here and they've basically done some things around timings to limit the potential of exploiting this form of attack. The speculative execution side channel attack is based a lot around timings. So they've tried to shorten those up and making it so that those buffer timings are reduced to the point where they are not available to the user process to be able to exploit this.
 
Google has a... and I don't think I have that one open on here, but let's see here if I remember Google site isolation. So the site isolation feature has been in there for a little bit now. There is a simple command you can put in and... [inaudible 00:27:55]. Yeah, here we go. If you put this string into your Chrome browser, you will be presented with this feature set. Enabling that will make it so that you've turned on the ability to abuse JS through the browser and try to exploit the side channel attack as well.
 
So for those of you who commonly use the Google browser or allow it in your environments, best approach for that is to probably enable that through the Chrome templates and get those pushed back out to the Chrome browser within your environments. Google has said that they're going to be including additional mitigation in future releases. The 64-bit edition that's due to release here fairly soon is supposed to ship with some of those mitigations already turned on. And then a later release for the 32 bit is supposed to turn these things on by default as well and potentially add more.
 
Todd: Yeah, because they're targeting a January 23rd release on this next version. So it's still a little ways out. Later in our slide set, we have a link to the Google mitigations and also kind of their schedule.
 
Chris: Got it. Thanks, Todd. Okay, so these links get you to the major articles that I was pointing out. And in those, you know, those two articles, the one that we did and the one that we found that really did a great job of bringing everything together, from those two pages you'll be able to get to all of the links that I've shown you pretty much. Some of the news related ones, you know, that are less consequential that are just talking about the issues out there, you won't find in those articles. But they're less of an issue. All of the ones that you're gonna wanna know about, all of the ones that have details that you're gonna need are within these first two links there. So the deck is going to be available after the call here, and you guys will be able to get access to that to get those links and again be able to include that information in change controls, in any reviews that you have coming up here to talk about what additional steps need to be taken.
 
All right. Oh, well, real quick. I mentioned it already but next week Oracle CPU, January 16th. Expect that, expect some critical updates for Java JRE, JDK, for Middleware, for many of the other Oracle products and platform updates that are coming here next week. Other known issues, Windows 10 branch support end of life for 2018. This is just a good thing to keep in mind. Branch 1607 is going to stop support in March. So expect March is the last security update you're gonna get for 1607. 1703, later in September this year. So make sure any of your systems that are on those branches that you start to prioritize getting those upgraded to a later branch.
 
For those of you still running Windows 10 version 1511, the end of life for home and pro has already occurred. Microsoft did extend education and enterprise editions but that's, they're getting limited critical updates only. The recommendation from Microsoft is, again, move as quickly as possible because that's gonna turn off here in a little while. And again, don't rely on this extension for 1607 and 1703. You know, there's only so long before Microsoft is no longer gonna give us these extensions of support. So you gotta get to the point where you can track and be able to do those Windows 10 branch upgrades as quickly as possible.
 
Todd: Yeah, they're sticking by April Patch Tuesday will be their last update. So we'll see.
 
Chris: Right. All right, we do have an additional public disclosure that is out there. For those of you running Office for the Mac, there is CVE-2018-0819. This is a vulnerability that can allow a file to spoof antivirus or antispam scanning so that it does not work as intended. So this is definitely a concern. There is a disclosure out there so that an attacker does have a jump-start on being able to develop an attack around this. So make sure that you get those Mac Office instances updated as quickly as possible. We talked about obviously these three disclosures, these are all related to the Meltdown and Spectre vulnerabilities.
 
We do have a zero-day this month as well. For Microsoft Office, there is a memory corruption vulnerability. This vulnerability is in Office Suites and then Word specifically if you have individual installs of that. It allows an attacker to craft specially crafted Word, WordPad, or, you know, web content that can exploit this vulnerability. They would have to convince a user to open a file. We all know that phishing is more of a statistical game than a real challenge for attackers. So yeah, we do need to be concerned about this. Somebody will, you know, obviously has already exploited this.
 
And also, if you run a user as a less privileged user, that would mitigate the impact. The attacker in this case only gets equal rights to the current user. So if they exploit an administrator, they got full control of the system. If they exploit a low-level user then they would not have the ability to do much more. They would then have to go and try to find a way to do a privilege elevation or some other vulnerability to gain further access to the system before they can move on. So privilege management here is definitely a mitigation for this zero-day that's out there being exploited. So make sure Office is prioritized on your updates this month. All right...
 
Todd: That one is kind of interesting, Chris, too just to add what Microsoft did there. You know, they have their equation editor in Word and other pieces of Office. And that was really designed, it's pretty fundamental capability that Microsoft releases. And as a result, they had an API that allows other third-party products to plug in to do equation editing. So it was kind of interesting that they actually just turned that off because apparently that's how the exploit was occurring.
 
Chris: Yeah, usually when you have something that can handle equations and stuff like that, a lot of the protected mode features of Office now are trying to prevent things like that in Excel. And yeah, absolutely. That's a problem.
 
Todd: Just wanted to point that out because some of our, you know, some of our customers, users out there may be interested like, "Why can't I use my equation editor anymore?" Well, it's because of this patch.
 
Chris: Got it. So all right, that covers the general, you know, what we're seeing in the news, a lot of the concerns that are going around. We're gonna switch over to talking, you know, through the bulletins now. So Todd, why don't you give us a rundown of the Microsoft bulletins that got released this month.

Bulletins
 
Todd: Sure. Thanks, Chris. So starting off obviously with Windows 10, again, rated as a critical this month. They fixed 21 different vulnerabilities. Impact really around remote code execution, elevation of privilege, and information disclosure. There were a number of KB articles. So kind of go through and read those. I pulled out the key vulnerabilities that you need to be worried about there. Obviously, the three that are related to the Meltdown and Spectre have been publicly disclosed. So I just wanted to make sure that you're aware of that. The other, you know, remaining vulnerabilities you can pull through the security update guide, just like all this information.
 
Kind of re-emphasizing down below there that, you know, the Windows 10 version 1511 will be supported through the April Patch Tuesday at this point. And that's what we're being told by Microsoft, so we'll kind of keep that in mind and keep an eye on that. So there are a number of issues with Windows 10 update and Chris has pretty much gone through them in detail on the next slide here. I've kind of captured the information from the bulletins. Those are the bulletins that reference these problems. The first two have to do with calling those particular routines. There is a workaround given right now by Microsoft as far as changing the authentication level. For those, you can go in and read those in the bulletin.
 
The third one there has to do with anti-virus. Chris has covered that in quite a bit of detail. It has to do with updating the allowed reg key. And then, finally, the AMD issue obviously is covered by quite a few bulletins. So I've listed the version of Windows 10 and the KB is down below there for you to take a look at. So if you wanna read more about these particular common issues, all four of these did appear across those operating systems version releases. And I have one--next slide, Chris--the next one is just one problem that was specific to the new release of 1709. You can read about this one as well in that KB. Essentially, what's happening is Windows update history is showing that this failed to install. But in reality, it is. So it's just kind of a false positive. You can go in and it will, second or third time through, I think it will read properly. But they know this is an issue and obviously all of these they say that they're working on. And so, just want you to be aware of these particular issues on Windows 10.
 
Next one up, obviously, Microsoft Office had a lot of patches this month. They addressed 19 different vulnerabilities. As Chris just covered, the one on 802 has been exploited. That was the one with the equation editor we just talked about. And the other one for Mac OS that Chris talked about is publicly disclosed but not exploited at this point. There are a number of different impacts. Interesting that we see some spoofing and tampering this month, not something that's very common as far as the Microsoft releases go. So you might wanna read through those and take a look at them. There are actually 36 different KB articles. You can see that Microsoft actually went back to 2007 for most of these releases and made changes. So just kind of be aware of that as well.
 
Another thing is when you're patching all of your Office applications, these patches are very specific to the service packs that are being run. So the patches are really being released mostly, or almost all, exclusively for the latest service pack for each of these applications. So make sure that in addition to, you know, to thinking about applying these patches that you do have the latest service pack installed for each one of these applications. So I kind of noted that down at the bottom there as well. So a lot of activity for Microsoft Office this month.
 
Internet Explorer, as usual, has a number of vulnerabilities. Five this month. The update specifically for the Spectre and Meltdown issue is shown there with those publicly disclosed vulnerabilities in red. So they did update 9, 10, and 11. So just kind of be aware of that. And it's kind of a standard update this month for Internet Explorer otherwise. Next one, Chris.
 
Getting into the monthly roll-ups, just kind of a reminder for those of you that are new to how Microsoft does their patching: beginning in October of 2016, Microsoft started actually creating two types of patches, security-only and monthly roll-ups. And the monthly roll-ups have essentially been an accumulation of all patches, all security patches, and some additional features as well since October of 2016 into one, kind of, big massive patch. And they've done this for several of the operating systems. Obviously, Windows 7 and Server 2008 are two I have addressed here. The reason that these two are grouped together is because they are the same operating system kernel essentially, so the patches are very similar.
 
In this particular case, for this monthly roll-up, they addressed 10 vulnerabilities specifically this month. Keep in mind that, you know, basically, all the vulnerabilities from October of 2016 through present have really been addressed. So there's really a massive list of CVEs that are covered by this particular monthly roll-up, as with all the monthly roll-ups. Just want you to be aware of that. This particular month, elevation of privilege and information disclosure, you'll note that while previous ones were critical updates, this one is rated just as important because there is no remote code execution or known exploitation of any of these particular vulnerabilities.
 
Next slide, Chris. This one does contain some of the same issues that I just mentioned for Windows 10. Although it didn't have those service issues, it does have the issue with anti-virus. And it is a known issue with the AMD devices as well. Next slide, Chris. The next monthly roll-up is Server 2012. This one is by itself because obviously Windows 8 is no longer supported directly, which is the same kernel as Server 2012. So we're just calling it 2012. Very similar list of vulnerabilities, this fixes 13. So there are three additional vulnerabilities than were supported for Windows 7. Essentially, all of this is covered under a single bulletin listed there, 4056896. This one is still rated as important, although it does add in a denial of service impact that was not seen in the previous patches for the previous operating systems.
 
Next one, Chris. Similar issues as well again here. This one, although it did not have the AV and AMD issues, it does have the issue when calling these particular routines. So just be aware of that. And again, Microsoft in the bulletin has published a workaround there, which they say they're gonna fix next month. Monthly roll-up for 8.1 and Server 2012 R2, once again, a similar set. These are actually the same set of vulnerabilities that were addressed for Server 2012, and this does include the IE vulnerabilities as well. So this monthly roll-up, if you apply it, will bring these particular operating systems up to the latest version. Again, same, similar issues. This one has the full set of four that we saw earlier for Windows 10 and others. So just be aware of that, just, you know, brought them to your attention here again.
 
Next one, Chris. Moving on, for our Server 2008, you know, Microsoft is continuing to provide support for this. They have addressed the Meltdown and the Spectre issues here as well. They fixed seven vulnerabilities. There were a number of KBs that were released. This one, again, is just rated important because it only really has an elevation of privilege and information disclosure level of impact. Interestingly enough for this one, there are no reported issues for this particular server release.
 
Next one, Chris. Now we're getting to the security-only. These were the patches that were released for these particular operating systems for this month. So once again, depending upon the patching approach that you're taking, if you're applying the monthly roll-up, you're getting all the patches back to October of 2016 as I said earlier. If you're applying the security-only patches, you have to apply each security-only patch each month to get the latest updates. So...and these patches do not always include some of the other things that Microsoft adds into the cumulative or the monthly roll-up. So these are security-only for this given month, so you have to basically apply each one individually. So December, January, and when February comes out, you'll want to apply that one as well to get the latest of each month, for that particular month.
 
Same CVEs that were addressed earlier, basically the same issues as well for the antivirus and the AMD devices that we talked about. Security-only, next one, Chris. For Server 2012, very similar to what I talked about previously. This one, again, is rated important. This does address the CVEs that were publicly disclosed again. Same kind of issues you'll see on the next slide. Again, dealing with those particular system calls and the workarounds that Microsoft has provided.
 
And finally, our last security-only update here for Windows 8.1 and Server 2012 R2. Interesting, for those of you that have applied this, Microsoft reissued this one yesterday. So there was a second release of this one. They made some updates to it. So just kind of be aware of that; our systems and our release process, you know, take that into account. But I just want you to know that this one has been released again and was updated yesterday for the second time. Similar problems to what we've seen before as far as the issues regarding anti-virus and AMD, etc.
 
This month, Microsoft did release updates for SQL Server. These were rated as important as well. Going back to Server 2008, 2008 R2, 2016, and 2017, these are, once again, for the Spectre releases. There are eight different KB articles. This only has to do with the information disclosure. And interestingly here, they said there were no reported issues with this. But, you know, I would pay attention and as you're applying those, make sure you do them in a test environment before rolling them out to production.
 
In addition, this month, Microsoft released updates for .Net. In a similar fashion to the way the operating system updates are done, they do monthly roll-ups and they do security-only for these as well. For this month on the monthly roll-up, it's rated as important because of the CVEs that were covered with this particular update. I want you to note that there are actually sub-bulletins under this and we released them with the names given down below there, where we capture the KB article name in the update title. Those are for each one of the legacy operating systems that I talked about earlier where we're going through like 7, 2012, 2008, and 8.1 operating systems. Be aware that although up there on the affected products, I have .Net framework 2.0 through 4.71, depending upon the operating system, the range will vary. So for example, on Server 2008, those go all the way back to .Net framework 2.0. Whereas version 7 and the more modern operating systems only go back to 3.0 and above. So kind of be aware of that as well. So it's something to be aware of when you're taking a look at these .Net framework updates.
 
And then it just speaks to vulnerabilities. Here are the security-onlys for this month. Same two vulnerabilities that were addressed, but again, you know, this is security-only for this particular month. I think the last one was back in September when they released the .Net update. So they don't release this every month. But again, because of everything that's going on, we're seeing a lot of updates this month from Microsoft.
 
Next one, Chris. Like Chris said, they did release an update for Adobe Flash Player rated as important because of the nature of this particular problem. Just an information disclosure, has a relatively low impact, so it was only rated as important. Addressed only one vulnerability, 48.71 as being listed here. But it does impact obviously a wide range of operating systems as you can see where Flash Player can run there up above.
 
Okay, Chris. And of course, Adobe themselves obviously released their equivalent. So if you want to use the patch directly from Adobe, it was APSB 18.01, their first release of the year. They rated that as their priority two. It has to do with an out of band read of information using Flash Player. Again, that's how they...you know, they come up with the information disclosure description. And this does affect Windows, Mac, Linux, and Chrome. So it does cover a wide range of operating systems out there.
 
Chris: Okay, then. Flash Player is one of those where typically you may see multiple updates being required. You could have Flash for desktop, that's the application install of it. And then you could have the variety of different plugin models for Chrome, Firefox...well, not Firefox anymore, but Chrome and IE and so on. So if you do see multiple of that one, do deploy them all because it's just the different varieties of it that are installed on that system. 

In-Between Patch Tuesdays
 
So one thing that we do talk about as well is we talk about what we call in-between the Patch Tuesdays. These are the things that came out throughout the month since December Patch Tuesday. And really, the thing to keep in mind here is for those of you who, you know, you've got a lot of applications in your environment, you got concerns around, you know, securing those third-party applications, this is giving you fuel to go back to your teams and ask for at least specific systems to be patched more frequently. You know, for a critical system server environment, you may stick with the once a month. But for an end user environment, there's...it's more of an as things come up. If there's a browser update that requires, or that has security updates, or if there's a Flash update with security vulnerabilities being resolved, those type of things you don't wanna wait too long to do that because oftentimes, they are highly targeted for user-targeted exploits.
 
So our recommendation is to try to get down to a once a week cadence, especially for, you know, laptop users that can go in and out of the environment. But in general, just user systems, you wanna patch those more frequently to take things like this into account. You got a number of security updates for many of these products. You know, Chrome released this patch cycle may not have included any CVEs, excuse me. But the one before that or the two before that that released between the patch cycles, you know, one or both of those could have included CVEs. So different things like that are definitely a concern.
 
In this case, there were some third party releases that we wanted to point out. The Firefox one, like we talked about, that had the mitigation options for the speculative execution side channel attack, no CVEs resolved but it's adding that additional mitigation in there to prevent browsers from being able to allow JS Script, or, you know, JavaScript to be able to execute that side channel attack as well. Google Chrome released, but there were no CVEs in this particular one. They do have the mitigation release coming up here for the 23rd where they're gonna be doing additional steps there. So keep an eye out for that one.
 
Here are some CVEs that did get updated in some of those. Thunderbird, for those of you guys utilizing that, there were five vulnerabilities in the last update there. VMware Tools did resolve a vulnerability here and Apple iCloud is resolving several vulnerabilities there. So, you know, it's just a good idea to keep an eye out for these third-party updates and, you know, try to resolve those as quickly as possible because there's often security vulnerabilities in those.
 
One other thing to keep in mind for those is that Chrome this month being a good example, hey, the latest release was more of a feature release. But what about the three before that? Did you get those, any of those rolled out? And did any of them include CVEs? If you look at your average vulnerability assessment of an environment, this is actually something that I'll be doing a webinar on next week, what we call "Bridging the gap between your vulnerability assessment engines and your patch solution." A lot of times, a system that has hundreds of CVEs vulnerable on it can usually be tracked down to even just a handful of applications that are just grossly out of date.
 
You know, I have an example where we used Rapid 7 in a live demo where we basically did the equivalent of Windows update, do all the Microsoft updates, get it fully up to date. We did the Rapid 7 scan, showed that there were still 1,100 CVEs detected on it. And we did a patch scan and deployment with it using this integration that we've done using our APIs, pulled all the CVEs in that were detected, deployed all the patches, it ended up coming down to five applications. You know, Chrome, Firefox, Java, Adobe Reader, Adobe Flash. And we took 1,100 down to about 20 remaining configuration changes and false positives.
 
So that's how these third-parties can affect your environment. They can account for a lot of vulnerabilities. And trying to bridge that gap and, you know, work with security teams to resolve those vulnerabilities is important and we're doing things to try to make that easier for you. All right, so enough harping on that for the moment.

Q&A

Let's go back and look for any additional questions here. Brian and Todd have been doing a great job of answering a whole bunch...actually, Erica as well has been helping to answer questions on many of the questions coming in here. Let's see.
 
Todd: Let me bring something up real quick, Chris. One of the things Brian just pointed out to me is that Server 2008 and Server 2012, Microsoft specifically said that they have not implemented the Meltdown or Spectre fixes for those because of the limitations in those operating systems, and they're working with Intel to come up with a solution right now. So that was actually in that bulletin that you had that talked about...it was question number three on one of these bulletins that specifically asked why there is no specific fix for that yet. There it is.
 
Chris: Got it. Thank you for pointing that out. I did look over that and I saw it in the bridge just now as well, but they do have it as not available for those two platforms at the moment. So the OS update for those this month did not include these mitigation options yet. All right, so that is good to know. In most cases, you may choose to take additional precautions to try to limit exposure of those machines until fix code does get in place. Let's see, we've got...and a few of these were answered directly. But I'm gonna restate them just because I think they're good questions that other people might be asking as well.
 
You know, one of the question was from Peter. This one is more of a general question, but he had some issues with patching of Adobe apps. They keep failing when he tries to deploy them with having to do with a Microsoft certificate there. This one, and Brian, I think your response down below to Peter was about that one, that we are looking into a potential situation there already. Or was that related to a different one?
 
Brian: Which one, again? I'm sorry.
 
Chris: He was saying that he has some issues with some Adobe apps that are giving a Microsoft certificate error when we try to deploy them.
 
Brian: I hadn't looked into that one though.
 
Chris: Okay, I just wanted to make sure your response wasn't to that one. So Peter, what my guess is on this one is the root certificates in your environment may need to be updated and that's why these are failing. That is one possibility. In general, that's usually what I see when I see things like this failing for a certificate reason is it can't validate the certificate for that because your root certificates on that system are not up to date enough to allow it to validate that. If that's not the case, we would need some additional logging to determine more. So if you haven't already, open a support case and they can probably help you get down some more specifics there. In general though, if I see a certificate like that, that's the first thing I usually have people check. 
 
Another question, also from Peter it looks like: has it been confirmed if Microsoft is releasing a Windows 2003 and XP version of the Meltdown and Spectre mitigation? We have not seen a publicly available release of those patches for 2003 or XP. If they do release one, you can rest assured that if it's publicly available, we will be turning it around as quickly as possible.
 
John had a question. Does the increased risk also affect VMs on ESXi? So actually, and I didn't have a specific link for it but I did receive an email. Let me see if I can pull this up real quick. So, not Adobe, VMware did release an advisory as well. Let me pull that one up real quick because that was also a good one there. They give some guidance around, you know, what you should do there, VMware advisory. No, I can't type. If I can find this notification quick. All right, here's the one. So this advisory kind of goes through...and sorry, it's a small font there. But it's going through and giving some guidance around what's affected.
 
So yes, there is a risk there as well. This vulnerability does allow a guest to break out of the normal, kind of, protective layers that are there and be able to get access to what else might be going on through the same processors. Their guidance here, you wanna deploy the updated version of the vCenter Server listed in the table. You need to deploy the ESXi patches or the versions of ESXi, Workstation and Fusion. You also want to ensure that your VMs are using hardware version nine or higher. Third-party requirements. They do, you know, recommend deploying the guest OS patch as well and making sure that you've enabled, again, that server KB from Microsoft to enable those additional registry keys to turn on the mitigation. And then, you also want to do the firmware update for the physical hardware.
 
So yes, the risk is there for VMware as well, and their guidance is pretty clear on exactly what they're expecting you to do. And it is, unfortunately, to update literally everything. So that one, again, when you start to deal with the virtual environments, that's where it's gonna be a little bit more painful to get everything up to date and in place because there's so many more layers into it. This is also probably one of those types of workloads, again, where you're in a virtual environment, storage access, things like that are happening more frequently. This is the type of scenario where performance impacts may be more noticeable. But if you have not already seen it, VMSA-2018-0004 is the advisory from VMware on this issue that's got the guidance that they're recommending.
 
All right, let's see what else we got. And I know we're just over, you know, the hour here. So those of you who have questions that you're wanting us to respond to here, we're gonna continue to keep responding if you wanna hang around. For those of you who have what you need, again, we'll be releasing the PowerPoint and a recorded version of this as quickly as possible. Erica and the team backing us up do a great job of turning that around as quickly as they can. So watch for that and thank you for joining us this month. 
 
For those of you sticking around, Jay had a question. You know, there's a lot of conflicting information about registry keys needed for the patch to be installed. Are they needed no matter what? So this one where Brian responded directly to Jay, but the answer here is Microsoft requires them if you're using any of their deployment platforms, Windows update, [inaudible 01:02:41], SCCM. If you install the patch manually, it won't do this validation. This validation is at a detection level. Ivanti has also implemented this detection criteria in our detection. We went, again, a step further and made it so that if you're in a case where the registry key is not present, we'll still show a detection only missing item so that you've got an audit trail showing that it is vulnerable on that system.
 
But yes, that registry key will be required. There were several questions about that custom script that I mentioned. I did send a link back out via chat. Otherwise, if you go to whichever product set you're on, whether it's the Shavlik products, the Landesk products, or the [inaudible 01:03:29] products for patch management, each of the communities have a variation of this KB article specifically for the versions that you're running. So grab that custom script KB from whichever community you're running off of, and that should give you the details on how to roll that registry key out in a case where your AV vendor is compliant but that just hasn't been updated yet.
 
Now again, I will caution you. Make sure that you're in a case where the key is not updated for a good reason. If you have a case where AV is not up to date and that's why the key is not present, just putting this key in place could end up in a blue screen situation. So use with caution. It's one of the reasons why we didn't take a proactive just put the key in place, kind of method there. We want to make this available and make it easier for you, but we also need to protect you from a situation where it is necessary to not push the patch yet.
 
All right. So Steven had a comment about the doing an additional detection-only patch for the server platforms to say, "Is mitigation enabled in the case that the patch is applied?" So Steven, thanks for that. And anybody else who also added some guidance there, thank you for responding. We will have some internal discussions here and look into, you know, possibly releasing an additional detection item that would be a detect only. It would look for that requirement and see if that system is up to date but not turning on the mitigation options yet. So we'll have discussion about that and hopefully have an update for you here soon.
 
It looks like Todd had a comment about the AV problem with Symantec. Apparently, there is an ongoing issue there where the patch is preventing updates. Basically, Symantec released a patch to put the right things in place, change the behavior, and also put that key in place. For some reason, even after the reg key and Eraser engine are put in place, it's still not detecting right and it's not allowing the patch to be deployed. So Symantec is currently working on an additional hotfix on that. For those of you on the Symantec platform for AV, you know, probably tune into when that hotfix gets re-released by Symantec to figure out when you'll be able to deploy. You should be seeing it as a missing detection-only signature today so you'll know where you're missing that patch yet, but you probably won't be able to do much about it until Symantec gets their re-release out.
 
All right, the next couple ones were about the KB article for custom actions. And it looks like Brian and I probably posted within seconds of each other with the link. Windows 10 1607, question from Seth, will receive no more security patches after April. So 1611 was...let's go back up my list here to, okay, come on. There we go. Going back up, sorry for cycling through so many slides here so quickly. There we go. All right. The last patch cycle for 1607 will be March on the current schedule. So expect that, yes, April's Patch Tuesday will not include security updates for 1607. For 1511, April is the last cycle where they're receiving critical security updates for edu and enterprise edition. So 1607, Seth, is the... March is your last patch cycle. By April, we're not getting security updates anymore.
 
Brian: We don't know if Microsoft is gonna do anything that's similar to what it did for 1511 at this point, but we'll see.
 
Chris: I will say, don't rely on it. Start trying to roll that up. All right, let's see if there's any others. So Asher, you know, asked for a best strategy to do the updates. The order that, depending on what platforms you're working with, VMware kind of had a specific order in what they were defining. At the OS level for Microsoft, they are suggesting the OS update first, then the firmware. In the case of a server, you do the OS update, then the additional registry keys to turn on mitigation, then the firmware is the order that they had it in. I don't know if there's any adverse effects to doing the firmware level before the OS level. I would expect that by doing that, you could have issues with how the pre-patch OS level is interacting with the kernel and the firmware no longer behaves the same way that it's expecting.
 
So the OS level would be recommended first. So workstations, OS, then firmware; servers, OS, additional mitigation option turned on, then firmware. All right? So thank you for everybody who grabbed that VMware advisory, and threw the link in there. I appreciate that. Did we...yup, so the beeps, Erica, were for everybody. Unfortunately, that's the way WebEx works. David had a question. If you apply the firmware update, why do you still need to apply the Hyper-V operating system updates?
 
So basically, the challenge there, David, is you're changing behavior at a firmware level, but the OS is not expecting that behavior. Until you apply the OS updates, it doesn't know how to handle that change in behavior. So that's the reason why they need the combination of OS and firmware. I would think that if you do the firmware only, you could see some potential issues with some applications and how they're interacting with the AV. As a good example, by doing the firmware only, would AV have become, you know, ineffective or had issues by doing it that way. So with these changes the OS level is changing behavior at the OS level for how you're interacting with the kernel. The firmware changes are changing behavior between the kernel and the actual hardware on how they're handling these types of calls. I can't give you more detail than that. I don't know at that deep of a technical level why it was necessary, but that's my understanding from the reading that I've done. Okay.
 
We got the VMSA link for everybody there already. Mucine [SP] had a question regarding the monthly roll-ups. Does this address previous monthly roll-ups from previous years? Yes. So, Mucine, the cumulative roll-ups each month are taking, it's a bundle of all updates or all updates for this month, and it's cumulative meaning it includes all previous fixes within that chain. So from the point that Microsoft instituted this Windows 10 from the very beginning, for the other platforms if you're using the cumulative, it goes back, I believe they even went back a year or two before they changed the model. And those are included in the roll up.
 
Todd: It did grab a few select fixes, Chris, that they thought were critical or important to include when they started the process, yes.
 
Chris: Yup, yup. There's articles out there that show exactly which ones if you're, you know, going back that far. But at this point, if you've done any of the cumulatives, you included everything that all of the cumulatives before have included. For those of you on the pre-Windows 10 platforms, that's why there's the difference between the security-only bundle and the cumulative. The cumulative is the everything including non-security fixes and feature changes. The security-only bundle is just this month's changes. Now, that doesn't mean that, you know, you basically could install one month and never, you know, get anything from before. If this month, let's say this month there were, you know, 15 CVEs resolved. Last month there were, you know, 20 CVEs resolved and one of them, this month did a change to fix the issue further, well the ones that weren't superseded, you know, those fixes wouldn't be included in this month's. But the one that there was an additional change that superseded that would be included in this month's bundle as well.
 
So there's cases even in the security-only, I know it's a complicated scenario, but if you do the security-only bundle, and some of those fixes are superseding previous ones, that's the case where the previous month's change for part of the security-only bundle would be pulled forward into the new security-only bundle. So the security-only bundles prevent a lot of that cumulative issue of, "Hey, you've got to take everything all the time." But there's still sometimes a supersedence case where some of those fixes will be coming forward even though you're using the security-only bundle model.
 
Hopefully, that helped more than confused, but that's why they've got that difference there. Ron had a question. Is there a tool outside of running PowerShell scripts to test if the patches applied or are working? Yes, there are a couple of tools that are available. And I'm in the wrong browser. So here we go. In the write-up that I did here, I included...and actually in that, the Microsoft article, there's the PowerShell method to determine if those things are running. But Intel has a detection tool that you could run on a system that basically will give you a response back on that. I'm guessing there are other tools out there by now as well to determine if the system is vulnerable to that.
 
And the Intel one there is looking at both the OS level and the firmware level to see if that's the case. I went through it with one of our ops team to talk through how it was working. And we saw that in cases where the firmware was updated but not the OS, or vice versa, that it was still showing a, "Hey, you know, the system is potentially still vulnerable. It doesn't look like everything is in place." That tool particularly works for Windows and several Linux distributions. So there are a couple of tools right there, but a Google search will probably find a few more tools that have been cropping up. There are some other researchers out there that are more than likely releasing tools and quick fixes to try and identify those cases.
 
Let's see here. Okay, I think we've answered all questions here. Todd, Brian, do you guys see any others that we haven't answered? There's one here from Paul about whether the registry changes to enable the mitigation features will be included in the patches. Right now, Microsoft is not including them. They're leaving it up to the user to turn the mitigation features on. They're just putting the mitigation features in place so that you can do that. I expect they're gonna keep that separation because of the...because once you turn on the mitigation features, that's when performance issues can start to occur. And because performance issues are more likely to occur on the server platforms than anywhere else, that's why they've made that separation for the Windows platform, the server platforms. I expect they're gonna keep that model.
 
Todd: There are some questions, Chris, about how Microsoft's handling the AMD issue. Is it just a detection and they're not patching? Or how are they handling that, I guess, in the feed right now?
 
Chris: Yes, so Brian and I had several conversations about this. After that issue was discovered and after, you know, Microsoft made a post about it, we did not see any changes to the OS patches or the Windows catalog. So we don't think that WSUS or SCCM are doing that additional check. We're expecting that just Windows Update was changed to look for that behavior. And all they're doing is looking at WMI to try to determine which processor is running, and WMI is not the most reliable thing in the world, which is why we were concerned about any methods to try to look at and prevent install on AMD processors.
 
Now, the AMD issue is not on all AMD processors. It's just a specific set of them that are behaving differently than the documented information that Microsoft was given. I expect that it's in a lot more consumer hardware than in commercial builds. But it is good to be cautious if you're running AMD processors. Again, the way that Microsoft is doing it, I don't know if WSUS or SCCM are doing that evaluation.
 
Let's see, a question from Eric. I'm using EMSS. I won't need to implement the registry key change to roll out the updates, is that correct? So Eric, two specific registry situations. The AV one, that's dependent on who you're using for your AV vendor. If the registry key is in place for the AV part, then you're good. If the key is not in place, you know, there are a few cases where the vendor is not putting down that registry key, again, we have that tool to put the AV registry key in place. The server registry key is, in all cases, an additional step you need to take. You know, we've got our support teams looking at documenting how you would take the Microsoft PowerShell script and potentially push it out through our software to turn on mitigation on those systems. And again, we talked about adding a detection-only signature for that, but you definitely need to do this for the server platforms: turning on the mitigation features, those registry keys need to be done by you. Microsoft is not including them in the patch.
 
Michael Johnson had a question about, "What was the link with the VMware information?" Let me go back up and get that. This is the URL... where is it, come on. Go away, there we go. Here is the VMware advisory that talks about the information there. I had an email version of it, I didn't have the direct link. But here is the actual page. It talks through the recommendations from there, the relevant products that are affected, and so on. I'll put it back into the general chat to all participants there again just so you have that.
 
Tom had a question or a concern there. He's seeing some failures around APSB18-01, the Flash update. Okay, so, Brian, we may have to take a look at that one and see...we'll probably have to talk to support and see if we're seeing cases of that. But these are cases where the new model of updating was not working, so he's saying he had to go back to the non-next-gen update to be able to get it to the newer version. And those were all succeeding. So that's something we might wanna take a look at there. So Tom, one thing that would be helpful for us, if you can open a case just to say what you saw and specifically how you resolved the issue, we may be able to get that documented and shared out for additional users, additional customers if they're having the issue.
 
Todd: Yeah, Chris, I didn't notice that in our testing. But yeah, I'm definitely gonna look further into it.
 
Chris: Okay, and thanks, Tom, for bringing that one up. We'll take a look. Again, issues like this start to trickle in to our support teams. We've already had a conversation, you know, this morning with the escalation teams just to get a feel for what's going on there right now. The majority of the issues we're seeing are people who are contacting us about the, "Hey, I'm getting this update. It shows as only detection. It's not letting me deploy." We're pointing people a lot to those articles that are describing why it's happening, how to get the right registry keys in place, things like that right now. I'm guessing some more of these issues are gonna start to bubble up, like the one you might be seeing with the Flash Player update, as the week carries on here. If you can contact the support team though and get us some details, we can definitely take a look and see if there's anything more we can do, and we can also make sure that if that comes up for others, we've got a good response for them.
 
All right, I think we've responded to most everybody's questions, and we've definitely run over on time. I appreciate everybody who hung around for additional questions. Michael, the VMware claim that they're not susceptible because they don't run untrusted code, that's possibly in some of their hosted environments. I would watch out for that claim. If it's you running a virtual environment, they have no control over what's running on your guests. If, you know, it's one of their hosted environments, then, you know, they're telling you that, "Hey, you know, we don't run any untrusted code on our platforms, so your information is not susceptible in our environment."
 
So, be cautious of comments like that. VMware does have an advisory, as we see here. It's got some very specific information on how to do this. The side-channel attacks are a problem for their environment. But if you put these mitigations in place, you will be protected against those things. All right? Let's see. Matt, the registry keys that we were talking about there before to turn on mitigation, that was for the server platforms only. The workstations, once the patch is applied, the mitigation option should be enabled. In the case of my system, I even ran the Intel tool afterwards to verify everything was good. I did not have to turn on any of those additional keys. They were...everything was turned on once the patch was applied for a workstation. I think that is everything that I'm seeing, guys.
 
Todd: Yeah, I don't see anything else. A lot of questions were answered several times. So I think we're good.
 
Chris: Yup, I think we got to the point where we've exhausted everything. So thank you, everybody, for your time this week. And, yeah. Adele, I like your comment there, "Now, we're all gonna go shopping for some Prozac." Yup, I definitely would be. If you look at my blog post yesterday around Patch Tuesday, I had gotten so sick of rehashing all the same details so many times that I decided to rewrite my post in "Star Wars" episode intro form. So that was the point I was at yesterday. So yes, I think we're all there and can't wait to be done with this one, right?
 
Thanks, everybody, for joining us this month. And, you know, again, the recordings, PowerPoint, and everything will be ready as soon as possible. You'll see those on the Patch Tuesday web page after the webinar is done here today. And we'll talk to you again next month. Thanks.
 
Todd: Thanks.