July Patch Tuesday

July 11, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris: Good morning everyone and welcome to the Ivanti Patch Tuesday Webinar for July 2018. My name is Chris Goettl, and I'll be hosting today's webinar along with Todd Schell. Todd, how are you doing today? 
 
Todd: I'm doing good, Chris. It's another happy Patch Tuesday. 
 
Chris: Yeah. So how's the temperatures down there in Texas? 
 
Todd: You know, it's been great. We've actually had a lot of rain here for like five days straight now and [inaudible 00:00:30] of a drought and the temperatures have been in the mid-80s, so I can't complain.
 
Chris: Actually, that's not bad for Texas at this time of year. 
 
Todd: Was smoking earlier in June.
 
Chris: I'm up in Minnesota. So, yeah, where the humidity's climbing, we're getting into the 90s on a daily basis now. Yeah, we're warmer than you guys with humidity. All right. So we're gonna go ahead and get started here. We're gonna go through just a quick overview of…a high level overview of the 2018 Patch Tuesday. 
 
Then we're gonna jump into some news, some things you'll want to know about both from just a general security perspective, some changes that we're making through communications and things around Patch Tuesday and other content that we've got coming your way that you might be interested in. And then we'll jump into the bulletin by bulletin blow of all the updates that released yesterday, and we'll have some time at the end here for Q&A. Now, we do have a great supporting staff here between Erica and Brian as well. So any questions you have, please enter those into the Q&A section and they'll be trying to answer as much as possible as we go throughout the webinar. But we will take some time at the end to jump into more of the questions from the audience. 
 
All right. And the first question in there is, what recommendations does Ivanti have around Spectre and Meltdown and all plenty of experience? Yep. It does feel like that right now. We are gonna get into that. So hang tight here. We're gonna talk a lot about what just came out and what is still kind of being investigated from a standpoint around Meltdown and Spectre. So, you know, there were several updates that released yesterday. All of these actually are of a security nature, including the ones from Apple. Now, the ones from Apple, they don't specify a severity, the CVEs that they entered as well don't have a severity around them yet. So, you know, I would suggest that the iTunes and iCloud updates be considered to be at least…you know, there's more than a dozen CVEs on both of those. So I think it's safe to say that there's at least one critical CVE in either of those. So I would treat them as a critical update and do tests and get those rolled out in a timely fashion. 
 
So we've got six criticals from Microsoft, a whole bunch of importance. We've got the two criticals from Adobe, which we'll talk about as well. And we do have three public disclosures this month that we are gonna talk about. Getting into a little bit of news going around, the latest on the security front, there is a number of credit card breaches going around right now. A hacking group known as Magecart, these guys have compromised upwards of 800 ecommerce sites and they've exposed them to digital card skimming and they are grabbing credit cards from all over the place. So that's something you wanna take a look at there. This article on DarkReading kind of gets into some of the details there. But there was a breach at some Ticketmaster locations [inaudible 00:04:03] notifying that a breach has occurred in the UK, but there's other sites in Ireland, Turkey, New Zealand, Australia as well where there's suspected potential breaches right now as well. That's not where it's limited to. That's just some of the notables. You know, they go on to talk about how there's a number of different sites, ecommerce sites, that have been affected by this and many of them are, you know, more top tier ecommerce sites. Yeah, here, they talk about it. 
 
At least a hundred of these 800 are top-tier ecommerce sites. So more household names that you may be shopping or doing business at. So just be aware that you probably need to watch your credit card transactions a little bit more closely for a while. Look for any notifications that your card may be in need of getting replaced. Even, you know, if it's getting close to your exploration, I tend to…after my credit cards get passed about a year old, I tend to start looking at getting them replaced, you know, report it damaged or lost and get a replacement card just to be on the safe side. So when you do see a place that you do business with hit the headlines as potentially having been breached, it's better not to wait for a notification and just go and proactively get your card switched out if it's not a huge inconvenience. So that's the first bit of news that we've got. 
 
The second bit of news is around "Two New Spectre-Class CPU Flaws" that were discovered. Intel paid out 100K in bug bounties on these two guys. So these are actually sub-variance. They're calling them sub-variance of…variance 1 and 2 of the Spectre flaws. So Spectre 1.1 is CVE-2018-3693 and Spectre 1.2 of which these are bounds-check bypass store attacks. They're considering these as dangerous, if not potentially more dangerous than the ones that have already been identified. So this goes to talk a little bit about the two vulnerabilities. Again, it's taking advantage of the same architectural flaws in the CPUs. The guidance from Microsoft, I'll switch back to my slides here real quick. 
 
We do have some additional guidance from Microsoft on the speculative execution side-channel, speculative store bypass, and also they did another advisory around the Lazy Floating Points State Restore. So we're gonna jump into these three articles real quick and talk about the latest guidance there and what you should be aware of. So jumping back over to my browser, here we go. The latest for our initial Spectre advisory, so this is the first three variants that were released. Advisory 180002, this one had a couple of updates. If you search for July 10, it takes you down to the specific areas in there where you'll see these updates down in the FAQ. So there was, what are the mitigations for AMD processors for CVE-2017-5715? Customers running on 1709 need to install this KB here for AMD processors to be mitigated. 
 
There's table links that show the effective products and which updates need to be installed to make sure that those are in place. You know, customers running 8.1 and Server 2012 R2, you need to install this month's update and then those mitigations are now in place for the Intel processors, the additional mitigations for…well, I'm sorry, these two KBs are for the AMD processor to be able to say that you've got that in place for the AMD mitigation. Customers running Server 2012, here's the KBs that you need to have in place. So basically, this month, they've updated to prevent the AMD processor or put the mitigation in place for the AMD processors. And then, yeah, for Server 2008, here's the KB article for that one. 
 
So those are the updates for July, is they've updated the mitigation updates to support those operating systems for the AMD processors. So if you're on Intel processors, June covered pretty much everything you would need there. For AMD, the updates this month should be covering the remaining flavors and now the coverages in place. So that's variance one, two, and three. Variant 4, there was an update for today which basically with July's update, all of the Intel coverage is now in place for Variant 4. Microsoft is still working with AMD to assess availability and readiness of the Variant 4 vulnerabilities. So watch for that in upcoming releases here. But that's the update on Variant 4 is with this month's update, all Windows OSes are covered for Intel processors. 
 
All right. The third advisory here, 180016, this is for the Microsoft guidance around Lazy FP State Restore. This was an additional Spectre/Meltdown vulnerability that was discovered and on June 13th, they discovered this new side-channel speculative execution vulnerability, CVE-2018- 3665. The attacker could basically cause information stored in a floating point to be disclosed across security boundaries. They identified this for Intel Core family CPUs. So this list of KBs here relating to each product, so these are the July updates. This fix is included for the Intel processors there. I think they had a note here that…yep, that this does affect AMD, ARM and Intel CPUs to varying degrees. I'm trying to see if this one was covered for everything on that one or if this was partially covered in this update. I think it's for all known affected versions. This update did get applied for all known versions that are affected right now. Now, it doesn't mean that they won't find some more that are affected later as they continue to assess, but as of the July release, the floating point state restore issue mitigation should be in place. 
 
All right, think that's it for the Meltdown and Spectre advisories. Switching over into…let me go back to my presentation here. Oracle is also releasing their critical patch update, quarterly updates, and putting that in place next Tuesday. So watch for that. You know, this is something that, most of the time, comes at the week after Microsoft's Patch Tuesday release. So we just put this in here, not that it's already released, just a matter of keep your eyes open for this one because next week, you will be getting the Java updates along with anything else Oracle related that is updated. 
 
Just to put it in a frame of reference, the April release had 14 CVEs resolved, 12 of those 14 were remotely exploitable without authentication. Three of those 14 were rated as an 8.3 CVSS score. So with each of these quarterly releases from Oracle, they typically resolve a number of critical vulnerabilities and Java is one of those things where they may not have as many zero days now, but, you know, there are still a lot of CVEs being resolved and attackers know that Java updates are one of the slower applications to get updated and they do take advantage of that. Java is still one of the more highly targeted applications that attackers will use to gain access to their environment because in a lot of cases, I don't even have to have a user. Remotely exploitable, 12 of the 14, I didn't need to do a phishing scam or anything else. This is one of those types of things that allows an attacker to jump from system to system fairly easily if they find a system with Java, an older version of Java on it. So do keep that in mind. Next week, Tuesday, that'll be releasing. 
 
All right. Getting into some of the public disclosures. There's three this month for Microsoft. We've got CVE- 2018- 8278. This is the Microsoft Edge Spoofing Vulnerability. A spoofing vulnerability exists when Edge improperly handles HTML content. So in this case, an attacker can set up a malicious website, convince the user to go to it, and convince them that this is a legitimate website. So a lot of the things that if you go to a fake website and there are certain things you might be able to tell right away that it was a fake website, they're able to spoof those things to make it so that it looks like a legitimate website. At that point then, the user who goes out to that site can be…this can be used in like a chain attack or be pivoting to redirect them to the place they want them to get to so they can do something more nefarious. In the Edge browser, that's resolved this month. 
 
CVE-2018-8213, Windows Elevation of Privilege Vulnerability. This one exists in…yeah.
 
Todd: Chris, I think we have a typo there. That should be 8313. And we have 8314 on the next page. Sorry about that. 
 
Chris: Yep. I'll get that one corrected. Yeah. Let's see, 83. There we go. Better?
 
Todd: Better. Thank you.
 
Chris: All right. Thank you for that. All right. So this one, it allows a cross-process communication to be…they can basically interject cross-process communication and interrupt system functionality. So at this point, the attacker can elevate their privilege level and impersonate an additional process to be able to do something more than they should be allowed. And in that case, they do need to be locally authenticated, which is why the vulnerability was a little bit less severe. But at that point, they can run a specially crafted application and be able to elevate their privilege level. 
 
The next, CVE-2018-821…yeah, that's same typo there, I'll give that 8314. There we go. Windows Elevation of Privilege Vulnerability, so this one exists in the way that Windows is failing a check, allowing a sandbox escape. So the attacker could basically escape the sandbox, elevate their privilege level on the affected system and this vulnerability won't allow them to do arbitrary code execution on its own, but they could be able to use it in combination with another vulnerability to be able to allow remote code execution or an additional elevation of privilege vulnerability that could leverage elevated privileges to execute code. So, you know, between the two of these, 8313 and 8314, majority of the OSes were hit by both of them. Some were…I think 8313 affected everything but Windows 7 and 8314 affected everything but Windows 10. So between the two of them, all the OSes had one or the other on either of them. One of the OSes did not get affected, but those are the public disclosures. 
 
Now, the importance of that is the fact that if there's a public disclosure, enough information has already been leaked out to the public for a period of time to allow an attacker to get a head start. They've got enough information to be able to get ahead of us and exploit this before most companies can roll out a fix. So public disclosures puts a vulnerability at higher risk of exploitation because that additional head start has given them the advantage. 
 
You know, one interesting question, and this is one I actually see on a regular basis is, you know, that the Edge browser is supposed to be more secure. Well, at the end of the day, the Edge browser is still a browser. And even with all of the additional security capabilities in the Edge browser, they've introduced vulnerabilities that didn't exist in IE and they've also taken care of some that are still in IE that don't get effected by Edge, but there's still many vulnerabilities in any browser. So the biggest thing there is yes, Edge is more secure and the way that Microsoft also makes it more secure is if you're using all of the Defender capabilities as well. So Edge by itself is not necessarily as secure as it could be. If you're using AppLocker and Defender and all these other things, Edge becomes more and more secure, but you really do need to take the full stack to get the full brunt of that Edge is more secure. So yeah, that's a good question, Darryl, and one that, you know, I will agree that it's more secure, but it's definitely not a lesser concern by any means. Any browser is needing to be updated regularly. 
 
All right. We did have an out of band here that we did want to bring up, this one. Let me pull up the advisory for it here. This is the June 2018 updates that was released by Oracle. The Outside in Library was updated and three CVE were resolved in that update. So Exchange Server was released midstream in June here. So that update is available, if you didn't catch up with that one before. So that resolves the Oracle Outside in Library vulnerabilities. 
 
All right, I'm gonna move this over. It's in the way of my next article. The next thing we wanted to talk about is making sure that everybody's aware of the branches you're on for Windows 10. The 1703 is scheduled for end of service by October 9th for those of you on Home and Pro editions. For Enterprise and Edu editions, you get that additional six months past that. 1607 is already into extended support. So it's in extended support and we'll go until the October Patch Tuesday release. There's a link here for the Windows lifecycle. You know, if you're ever in doubt, go out here and take a look, make sure that you know which branches you've gotten your environment and, you know, the end of service dates for those. Again, if you're on Enterprise and Education editions for 1511 and later, you received an additional 6 months of coverage if you were on those editions of the Windows 10 Branch. So basically six months past the date that you're looking at there. So when we hit the October 9th end of life here, the Enterprise and Edu will get an additional 6 months, but 1607 will be completely end of life to that point. 
 
All right, so that's our Windows 10 public service announcement. Switch back over to here. One other thing to note here is if you are on Windows 10, version 1607 or the initial release, the Long-Term Service Branch of Server 16, you do need to make sure that you've got the Service Stack Update in place, otherwise, updates past a certain point would not be applicable until that Service Stack Update is in place. So the Service Stack Update is KB 4132216 that must be installed before the cumulative update 4338814 can be installed on those versions. 
 
So make sure that you've got those in place. These are not patch updates, but they are development tool updates. ASP.NET Core, ASP.NET Web Pages, Visual Studio, if you're using tools like this, Chakra or any of those other…even if you're using PowerShell development tools as well, those binaries do get security updates alongside a lot of the regular security updates. So make sure that, you know, from a security perspective, that whether it's just an internal development team or your dev-ops team, whoever is doing updates to those applications, once they start on that train, they've gotta keep those updates, those binaries being updated as well. Otherwise, they're leaving exposures in whatever application you've integrated those binaries into. So that's one thing that is happening more and more, is a lot of people are utilizing those development tools, but as you integrate those binaries into your products, that comes with a little bit of extra baggage that you have to update. So just keep that in mind. 
 
All right. A couple of things that we've started doing, we did start doing a Weekly Patch Blog. So one of the things that we did get requests for on a regular basis is, you know, "Hey, we do a great job around Patch Tuesday and we bring you all sorts of cool information, but what about all the other, you know, the weeks that come in between?'' So we've started a new format here and Brian, who's been doing a lot more work with us around Patch Tuesday, he's from our content team. He's been starting to write these weekly blogs that summarize what came out in the last week. So there's a breakdown in here of a little bit of the security news. So our security team even, is feeding us interesting, notable things that they're seeing on a regular basis as well. The one that they put in this month was around the creator of Have I Been Pwned. He had some great tutorials around, you know, putting together an https running as a default protocol on your sites. So if your, you know, corporate website is still on http, this is a great tutorial on getting that switched over to https. You know, a good guidance there, getting…just general security tips will be coming out in the first part of it. 
 
The second part of this weekly blog is around the security releases. So if we did release a security release in that week, we talk a little bit about, you know, kind of like we do in this Webinar. We'll talk about notable CVEs. In this particular Thunderbird update, the EFAIL vulnerability that we've detailed back in March, Thunderbird's update in just a few weeks back here, actually last week, no, two weeks ago. We're in…that was the July 6 one. Okay. So last week's update, we included that one, the Thunderbird updates, plug those EFAIL vulnerabilities. But then you can see here, there were three criticals, several importance, and some moderates and a low, 12 vulnerabilities altogether that were resolved linked to the Mozilla security page. Some other non-security updates that came out, so you could see all the other applications that got updated. 
 
One thing that I always stress there, and actually, I even saw a really good post on Krebs on Security that I read this morning as I was looking for some other notable news. You know, one thing that…Krebs, you know, kind of outlined Brian's three rules to, you know, secure internet safety. You know, makes sure that, you know, if you didn't go looking for it, don't trust it. Basically, if something gets fed to you and inquires any kind of clicking on a link or a download or anything, that's not to be trusted, you should definitely question that and validate it before you do anything. If you go and get an update from that point forward, you need to make sure to continue updating whatever application you installed. So if I grabbed Flash Player, I need to make sure that that stays updated on a regular basis. If I grabbed, you know, something like Notepad++, I need to make sure to update that on a regular basis. Even if it's not security related, you know, a lot of times, a lot of the smaller vendors, they may not disclose vulnerabilities, things like that, but there could be security vulnerabilities that are being plugged without your knowledge in there. So it's always important to keep those types of updates constantly being updated as well. 
 
And his third rule, just to kind of wrap up that conversation is if you're no longer using it, remove it. Those are important rules to live by, but when we get into the third party updates that didn't necessarily have a CVE related to them, there could still be things of a security nature that were resolved in those releases that weren't disclosed at any level. So we always recommend those additional third parties. If there's an update available, get them up to date. It just helps to make sure that you're moving forward and that older technologies, older applications, aren't exposing you and become a problem later. 
 
So that's our weekly summary, but if you go to the Patch Tuesday page, you could see we've got the Week 27, Week 26. We also started doing a posting of the Q&A. So if you look at…oh, that was not the Q&A, that's the…we're doing a European version of that. Where is the Q&A? Here it is. So for the June Patch Tuesday, you could see a lot of the questions and answers that came out of the webinar. We're gonna continue to try to do this on a regular basis as well. So a lot of the questions that get asked in here, we'll try to get the notable ones up on the FAQ as well. So all of that can be found under our Patch Tuesday page. You can sign up for…actually, that was on the blog. So you can sign up for all the different webinars here, but if you go over to the blog and under Patch Tuesday, you'll see all of these new posts that we're doing there around the Patch Tuesday webinar, the weekly posts, and the FAQ from the Patch Tuesday questions. So there's a lot of good stuff there that we wanted to make sure you're aware of. As a lot of this audience, you're the ones who have asked for that and we definitely heard you and wanted to bring more of that information to you. 
 
All right. Next thing that we wanna talk about before we start getting into bulletins, we do have…for those of you who don't know, we do release content on a fairly regular basis, typically twice a week for any of our content streams. And we do have announcements that go out for that. So you can subscribe to those announcements and you can get notifications. 
 
Well, we are moving where those announcements are coming from. The current LISTSERV that we're using is it's an aging technology. We wanna get off of it. We wanna move over to, you know, a platform that gets caught less by spam filters, things like that, and also, you know, is more secure and gives us better control over how we manage those lists. So starting yesterday with the XML announcement there, you're gonna see each of our content announcements will refer to this as well. But we got a community post here that talks about the different notification streams depending on which product line you're on. We are coming out with Linux and Mac ones here, just a matter of we got to develop those content streams first, the communication around those, but you can subscribe via email or RSS Feed. The subscriptions can be managed from the news page on our community. 
 
And let me just switch over to the community real quick. So here's the page that talks about, here's the different content streams that are out there, whether you're on a patch for Windows, patch for SCCM, or a patch for Endpoint Manager, the heat product will be coming. We'll be trying to get notifications similar to this setup as well. But the current notification mechanism for that is still what we have today. So if you've clicked into the link on how to set this up, it goes through step by step, you know, going into the notifications, creating a new stream, choosing which stream you want to subscribe to, turning on the email notifications if you want to, and being able to go back and edit those streams at any point if you choose to do so. So I've updated that now and I've subscribed to a couple of the streams, but you can see that if I go and edit my stream, I've got two places that I'm subscribing to. I've got the patch for SCCM and patch for Windows. I've turned off my email options, and now in here, I can see the stream of here's the two data sets that are coming together, the notifications around those, and I'll start receiving the email notifications as well as that happens. 
 
So that is the notifications, and again, we're gonna continue to run the old method of those for the next month here. But as of the August Patch Tuesday release, we're going to be switching over to just the new content notifications going forward. So be on the lookout for that. Go ahead and get signed up for the new channel streams, the content streams there. And, you know, again, if you have any questions about that, do let us know and we'll be happy to, you know, help you get set up on that, but the page that they set up for talking you through how to do it is pretty comprehensive. 
 
All right. Todd, over to you. 
 
Todd: Nice work. All right, so let's dig into some of the bulletins that were released this month. I'm gonna actually start off with the non-Microsoft pair from Adobe here because this first one is kind of amazing. Adobe Acrobat and Reader, they released an update yesterday that included 104 vulnerabilities. This is one of the largest ones that we've seen in a long, long time. So just be aware that there are updates available for both Adobe Acrobat and Adobe Reader. Also included in noting here, talking about end of life where the Adobe Acrobat 11 that took place last year, they were pretty adamant about including this in, you know, their notifications in their bulletin. So just wanted you to know that as well. 
 
Also, of course, as usual, we get our Adobe Flash Player update for the month, no different this month. They addressed just two CVEs, so it wasn't nearly as extensive as they had for Reader and Acrobat, of course. But once again, they've released a separate bulletin as APSB18-24, included updates for Windows operating systems including Desktop Runtime, Google Chrome, IE 11 and Edge as well. So be aware of that. There are both Mac OS, Linux, and Chrome OS updates included with that. So a pretty extensive update there. 
 
Now moving into the actual Microsoft updates for the month. Of course, as usual, Microsoft included the update for Adobe Flash Player along with their updates. It's lumped under our bulletin 18-07-AFP for Adobe Flash Player, addresses all of the operating system versions that's shown there that were to have an embedded Adobe Flash Player component covered under an advisory and to KB 338832. 
 
Windows 10, Chris talked a little bit about the updates there. Quite a few vulnerabilities addressed this month. The Windows 10 updates include all of the versions, the desktop versions. You see 1607 through 1803, Server 2016, and of course the new version that they're releasing now, Server 1709 and 1803 that are in their own channels. Includes IE11 and Microsoft Edge, so very comprehensive roll up under the Windows updates. Number of severities that were addressed this month that kind of covers the full spectrum here from remote code execution all the way through information disclosure. Chris talked about the public disclosures. All three of them are included in the updates this month. I have them highlighted in red here as far as the public disclosures. Like I said, you can open up the bulletins and go to the security update guide for a complete list of the CVEs. 
 
There were some known issues reported this month for Windows 10. The first one is one that's been carried over now for basically three months that I've seen. It's an issue on 1709. Has to deal with, you know, the wrong language information being displayed in Device Guard so you can see that they're still don't have a workaround there working on a resolution. That one was identified actually in Microsoft's release notes. One additional one that I found that really wasn't pointed out in the release notes has to do with Windows Server 2016 as well as version 10…I mean Windows 10 version 1607 had to do with a DHCP failover server and the endpoints not getting the actual updated IP addresses as a result of renewing their leases. So kind of be aware of that one in case they should happen. They don't have a workaround right now and Microsoft is working on a resolution for that one as well. But they have actually taken care of quite a few known issues that we've been carrying forward from month to month. So you'll see we only have these two for Windows 10 and there's one for Windows 7 that we'll talk about here in just a second. 
 
Internet Explorer this month, this one's rated as critical as well because of the remote code execution, no public disclosures or known exploits this month. Six vulnerabilities that were addressed includes updates for Explorer 9, 10, and 11. So be aware of that. It is very critical. So very important to keep, of course, Internet Explorer, up-to-date. Starting with the legacy operating systems, we'll start with Server 2008. You'll notice that Microsoft rated the severity of this update as only as important, but because of the publicly disclosed CVE, we recommend moving it up to a priority one as far as addressing and the particular vulnerabilities here. There were seven vulnerabilities addressed with this release. I've included a note in here, Chris talked quite a bit about the Spectre and Meltdown vulnerabilities. There were additional details provided in the KB articles about these. In particular, they address the speculative bypass Chris talked about, as well as the indirect brands protection issue on the AMD Variant 2 Spectre problem. 
 
So kind of be aware of that as well. And they were updated with this release. It's kind of interesting to note that Microsoft does not…although they reference updates to these prior CVEs, they do not list them or include them in the monthly roll up, so kind of be aware of that as well. So they're going back and touching and updating the code around these CVEs, but they're not listing them as part of the cumulative update or a change with what they're doing. So when you do searches, you'll get some interesting results sometimes on what's actually included in the cumulative update.
 
Moving onto Windows 7, Windows 7 and Server 2008 R2 this month may address seven vulnerabilities here. Actually, a very similar set that you've seen for the 2008 and this carries through through the next couple of legacy operating systems as well. Chris had mentioned that only one was publicly disclosed here. It's that last escalation of privilege issue. CVE-2018-8314 did not include the other ones in this particular update. As I show here, they did address seven vulnerabilities along with the six IE vulnerabilities with this update. 
 
We do include Windows 7 and Server 2008 R2 in the same bulletin just because they are the same operating system, Kernel, and they're covered under the same KB article because of that. In this case, it's 4338818. And so the update that's applied for both these two operating systems are included in the one KB. This is the monthly roll up. Notice that it's rated as critical because of the disclosure. I said there was one known issue in Windows 7. It's only in the monthly roll up. It's not in the security only one that we're gonna talk about here in a second. This particular issue has been carried forward now from last month, has not been addressed yet. So they're still identifying it here. This has to do with an issue where a network interface controller stopped working after you've applied the update. They provide a workaround which is a little bit cumbersome obviously, but they do provide a workaround and they say that they are working on a resolution for this particular issue. So once again, the same issue was included in the updates last month and carried over this month as well. 
 
Microsoft does do both what they call the monthly roll up whereby they've been rolling together all the patches and all the updates since October of 2016. They also release a monthly security-only update for just the patches for that particular month and we identify them in the same way. You'll notice that their previous bulletin had an MR7. This one has an SO for security-only update for seven. So these, if you're going to apply the security-only updates, you have to religiously apply the security-onlys every month whereby with the cumulative, if you apply the latest one, you're getting all the updates back to you, like I said, October of 2016. So kind of be aware of that as well.
 
The security-only for this month is rated only as important, but because of that disclosed issue, we do recommend and give it a rating…a priority of one, just to make sure that you're covered in case this publicly disclosed vulnerabilities should suddenly pop up with a known exploit. Again, they've included some of the Spectre updates in here as well. I have identified that information in the description for this particular issue.
 
Moving on to the monthly roll up for Server 2012, one additional vulnerability I addressed with this that was not covered in the Windows 7, that's that additional elevation of privilege vulnerability. In this case, it's 8313. Again, I've highlighted them in red here for everyone so you are aware of which ones those are. This is the monthly roll up, includes everything, like I said, from October 2016 up to present. So there is this monthly roll up for 2012, addresses the 8 vulnerabilities listed here, plus the 6 IE vulnerabilities. Security-only for this month, again, rated only as important. We have recommended and upgraded it to a priority one as shown in the left-hand corner there, just because of the publicly disclosed vulnerabilities. And again, you know, this is a security-only, so if you're doing security-only updates, make sure you apply these security-only every month. 
 
Finally, the last of the legacy operating systems here, we have the monthly roll up for Windows 8.1 and Server 2012 R2. Same eight vulnerabilities that were addressed for the previous operating system, so that's covered as well. And again, the six same Internet Explorer vulnerabilities. They do include, like I said, the Spectre vulnerabilities for this release as well. And finally, we have the security-only update, again, only rated as important. Includes the same eight vulnerabilities that I listed previously and no known reported issues around these operating systems. So that's good. 
 
Moving on to Microsoft office, this month, just the maximum security of important. Based on the CVEs that were disclosed here, we've given a priority of two. This month, they released updates for all versions of office. They released an update for the Mackintosh version of Office 2016. Access was covered this month as well, and Word did not see any updates for Excel or Outlook this month. They did include an update for Lync 2013, and finally Skype for Business 2016 also received an update as well. Just a note on this, these patches were released quite a bit later in the day yesterday, so there was somewhat of a delay from Microsoft on releasing these even though they released the bulletin information up front that I have included here. There is an additional advisory. It's 1700017 that talks about, you know, just kind of the general overview for Office in some of the vulnerabilities that they included there as well. 
 
So that's kind of the update for Microsoft Office this month. A little bit smaller than usual. Only 13 KB articles. The release notes here refer to the 2016 for Mac release. They did release an Office 365 update as well, again, rating it as important, didn't address nearly as many vulnerabilities as in the overall Office suite. They did fix three vulnerabilities that are listed here. As usual, you can go to the link that we've included here on the TechNet site that includes information about all the latest Office 365 updates and the different channels that they're supporting here. And this is all around 0ffice 2016 of course because it's a regular update. They did release an update for SharePoint Server again this month. They addressed three additional vulnerabilities. Impact here, there is remote code execution and elevation of privilege. Just be aware that this is rated as important. Again, just the priority too because none of these are publicly disclosed or known to be exploited. So they did produce SharePoint Server update this month as well, covers Server 2013 and 2016 versions of that particular product. 
 
We did get some .Net updates this month. Microsoft does a similar release whereby they do a monthly roll up of previous releases and they also do a security-only. So we break them out the same way here in our bulletins. They do include updates from all the way back to 2.0 up through the most current release, 4.7.2. We will actually include the KB article and break these out across all the different releases between their versions 2, versions 3, and versions 4. So there will be an extensive number of articles. There's nine different KB articles in this particular case. 
 
It's kind of interesting, you know, when I put the information together that's included in the description here, you can tell that different groups within Microsoft are providing different descriptions on what they're doing. In the .Net updates, they've included a little more information about how they address each individual CVE, which you typically don't get in some of the other descriptions for some of the other KB articles. So it's kind of interesting. So I included some of that verbiage here when I put this one together yesterday. As I said, three different vulnerabilities includes…severity is around remote code execution, security feature bypass, and elevation of privileges. 
 
Restart is not necessarily required. That depends upon whether the files are currently being used or they are locked at the time. Again, it's rated important, we give it a priority two. Same thing here for the security-only update, basically addressing the same set of vulnerabilities for the month, and again, the same description. Interesting that there's a difference in the KB articles. I didn't dig into that, but there were only 9 KB articles for the monthly roll up ones whereby there's 10 for the security-only updates.
 
Chris talked about also the fact that there were additional releases done for non-Windows products. There was a security update for Apple iTunes. Again, as Chris mentioned, it was not rated by Apple. So we've kind of given it a priority two here for right now, talks about different vulnerabilities or 14 addressed with this particular update. There were some feature updates in here as well, so it wasn't just a security-only update, so kind of be aware of that. This is version iTunes 12.8 for Windows and the same vulnerabilities were addressed for Apple iCloud. Brian mentioned to me this morning that Apple actually pulled their iCloud release back down for the moment and it looks like they're doing an update to that. So kind of be aware of that. This is for version 7.6 on Windows as well. 
 
Non-security updates this month. Apple also released mobile device support. As Chris mentioned, don't necessarily know if there were any security fixes in there, but as always, we recommend that you apply these updates as soon as they're available. Chris. 
 
Chris: Yeah. So there's an interesting thing about the Apple mobile device support. This is actually a sub-component or a service that gets installed with iTunes, and when you update iTunes, this has to be updated as well. But there's also people who choose to run this independently and we actually have a method where we can extract that and update Apple mobile device support if it's installed without the full iTunes install being there. So that's kind of an interesting one and why we have it broken out individually where you might not see it anywhere else. 
 
So talking a little about some of that between the Patch Tuesdays, here's just a quick overview of some of the new products that we added in: Visual Studio Code and VMware Horizon Client 4. Security updates from a variety of different vendors, including the major browsers: Chrome, Firefox. There's FileZilla. Thunderbird had that set of vulnerabilities that were resolved that were identified back in May. So that's a good one to look at there. So there's a variety of updates that you'll wanna take a look at there and the non-security updates again, just to make sure that no software gets stagnant on your network because those ones could be that piece of low-hanging fruit that people will take advantage of at some point. So if you don't need them, often, it's a good idea to get rid of them. If they are gonna stick around, it's best to keep them up to date, whether there's known security vulnerabilities or not. 
 
Third parties getting into a CVE breakdown, the Firefox CVEs that were 15 in that one. Twelve in the thunderbird release. We had the ESR release, there were 10 vulnerabilities resolved and Firefox 61 had an additional 18 fixes. Opera had one. The Apache Tomcat release had one. And I actually did three different versions, all had a CVE result, same one. And we are running a few more webinars this month than normal. So to try to reach our overseas crowd a little bit easier, we have a couple of new things that we've added. We've got a more European-friendly time. Unfortunately, we couldn't do it today at that more friendly time because, you know, we're oftentimes still getting known issues and things updated even up till the point where the webinar starts on Wednesday each month. 
 
So we're going to do a run of the Patch Tuesday webinar tomorrow morning, earlier in the morning, so it's gonna be 1:00 p.m. BST, 2:00 p.m. CEST. So it'll be basically a repeat of this content and just at a more friendly time for people to catch it live. Right after that, in our French market, we're actually gonna have one of our French SCs who is gonna be doing a repeat of the Webinar in French. So the French audience, our field team over in France actually suggested trying to do a run in in local language as well. 
 
So those are a couple extra things that we're doing to try to reach more of the crowd globally. And there's another one that a lot of you may be interested in, we've got a bimonthly series called Insights for Windows 10 and the Enterprise. So this is hosted by Rex McMillan and Adam Smith and talks about a lot of the topics that are coming up with Windows 10 updates, Branch upgrades, you know, different trends that are being seen there, good migration tips, best practices. So it really does…you know, we wanna kind of make sure people that are in this group are aware of that because we think it's a topic that a lot of you will be interested in. So take a look at that. The second round of that webinar's gonna be coming up here in August 22nd. So if you're interested in that one, go ahead and get out there and sign up for that. 
 
All right, getting into the Q&A, let's see what we got here. Let's go up a little bit. So we are gonna be, after the webinar, for those of you who might be new to the series, we do post the presentations, the webinar playback and everything. You'll get an email notification as well afterwards that will notify you when those are available. Typically, it's gonna be, you know, a little bit later in the afternoon here as Erica is able to get the recording converted and get everything uploaded to the website. She does an awesome job getting that turned around and out to you guys. But definitely, check back for that. 
 
The product….okay. So Michael has a good question here about product lifecycle differences between Server 2016 and Windows 10. So with Server 2016, basically, it's kind of changed a little bit. The initial release with a Long-Term Service Branch, they introduced a semiannual channel. This started on 1709 and now has 1803 as well. Those are going to coincide with the Windows 10 branches. So the semiannual channel for Windows Server, they're kind of dropping the year off of that for 2016 and just calling it Windows Server Semiannual Channel. Those should coincide with the Branch releases and end of service dates similar to Windows 10. That is the situation there. And then, of course, the LTSB will follow similar end of life sys Windows 10 LTSB. 
 
Let's see. So Russell had a question. No Flash update for Firefox. Well, there's a couple of things there. The Flash update, when we update that, it's not specifically for Firefox, it's the NPAPI plugin. So when it shows up on there, if you're on a machine and you've got Flash for IE, Flash desktop, Flash in Chrome, and the NPAPI plugin on Firefox, you may see Flash multiple times on the same system. So we are covering the plugin updates there. And I think I've had this conversation with Brian before. I think there's 11 different ways that Flash can find its way onto a system depending on which plugins, what versions of browsers, different things like that. So there's a good chunk of different variations of Flash that we update each month as new updates become available. 
 
Let's see. Question from James, Microsoft support has pretty much stated that WSS 2008 R2 version is not going to be able to update Server 2016. Okay. Interesting. Yeah. So, my guess there, James, is that they've just kind of run into a barrier there for some reason on 2016. We don't rely on WSS with our technologies. So if, you know…it's either one of those cases where you're gonna have to move forward on WSS or you can obviously look at alternatives which obviously Ivanti has a few patching products that could serve that purpose. But yeah, I hadn't heard of WSS 2008 R2 not working with the Server 2016 updates, but they are getting to the point where even SCCM additions, if you're not up to the latest SCCM version, it won't be compatible with later branches of Windows 10 and Server Semiannual Channel. So if you're a viewer who's on the Microsoft Stack, expect that you're gonna have to keep up to date with the latest WSS and SCCM versions to be able to support that. 
 
Richard is getting isolated reports of BSODs after applying 4338819. Brian's response to this, and I haven't heard anything else yet either, is we don't have anything coming in yet. So if you do get more details or a pattern starts to develop their, Richard, that would be helpful to help us understand and maybe even look at if there's a distinct pattern. Is there something we wanna pull, you know, to try to prevent that? But if it were pretty widespread, I think we would've heard about it by now. There's got to be something specific in that scenario. 
 
One other source and this goes for everybody on here that, you know, if you are running into issues like this, one of the best places to go for patch related issues just to see what everybody else is running into, you could try Reddit, you could try other things, but patchmanagement.org, this is a community that we established a very long time ago back in our early Shavlik days, and we still continue to host today, but this LISTSERV is full of a bunch of companies who are talking about issues as they're developing there. 
 
So there's a core…and we stay out of there. We want to keep this as a vendor neutral territory for people to talk about patch related issues. So Ivanti doesn't have our nose in there constantly advertising or anything like that. In fact, I, you know, prevent any even suggestion of doing things like that. The group of people who moderate that are also people working in the industry. These are people who deal with the same things you're dealing with on a regular basis. You know, Ivanti supports this community, but it is moderated and, you know, the communications that go on there are central to that. So Richard, I would suggest, you know, take that issue out there and post it to the LISTSERV and see if anybody else is seeing that, and oftentimes, if there are, you'll start to get a cluster of people with that issue and you could submit tickets together to Microsoft to get more emphasis behind it, and often, get a little bit more attention. So that would be my suggestion there. But yeah, so far, we haven't seen too much along those lines. 
 
All right. Jose had a question here. Windows 10 1607 Edu, Enterprise, extended support end October 10th. Does that mean October 9th is Patch Tuesday? That should be correct. Let me check my calendar. 
 
Todd: Yeah, that's what they did in April, Chris. They released in April and that was the final release, for example, for 1603. So they will actually do the 9th release and then that's it. 
 
Chris: Yeah. That should follow the pattern that we'd expect here, the October 9th Patch Tuesday will be the final 1607 security update. 
 
Todd: There's been a couple of questions around the Service Stack Update, Chris. 
 
Chris: Yeah, I was just getting it done. 
 
Todd: Yeah, go ahead. 
 
Chris: Go ahead.
 
Todd: I was gonna say on the Service Stack Update, there were some questions around that. So first of all, that only applies to Windows 1607 and Server 2016. And the way Microsoft has set that up, it's basically you can think of it as a prerequisite to the cumulative update patch. The Service Stack Update was released actually prior to the patches last month, so you have to run the Service Stack Update as a separate patch and then and only after that will the cumulative update show up as applicable for the 1607 and the Server 2016 update. So they have to be run as two separate patches. They're not bundled together in any way, shape or form. And you have to run one followed by the other. And luckily, right now, that's only for those two particular Windows 10 operating system. 
 
Brian: Todd, let me add one more thing real quick. Other OSes such as 1803, 1709, do specify in their release notes that they do recommend the servicing stack to be installed before the cumulative. However, the installer does not require it, so we're not enforcing that. 1607 is the only one where the 1607 patch won't physically install until that servicing stack is there 
 
Todd: Good clarification. Thanks, Brian. 
 
Chris: All right. I'm just filtering through here to find a bubble of some of the more prevalent additional questions. Most of these are kind of one offs. So Doug had a question about the Adobe Reader update that was released yesterday, and when would that be released to the Ivanti catalog? So if you're on patch for Windows or patch for EPM, that's already available. If you're on patch for SCCM, that's getting updated here a little bit later today. We're working to get to the point where the SCCM catalog will release simultaneous with everything else as well. But there's some tooling and some bandwidth that we got to get in place to make it so the team can release everything on the same day. So we are working towards that, but those will be released today, Doug, if you're on the SCCM catalog. If you're on any of the others, it should have already been released into there.
 
Let's see. Couple other questions that came in, one from Rick. Any thoughts on updates classified as feature packs? Just started noticing the syncing to our WSS server. So the feature packs are…you know, those are with…a lot of times, they will be like…they're kinda like the replacement for service packs. So it gives…you know, Microsoft is trying to give you a way to choose when you're gonna take major feature related changes versus just, you know, regular updates and things. Now, depending on which products there are, it looks like you were seeing .Net in that particular case. You know, .Net has a monthly roll up and they've got the security-only a bundle option similar to how they do the OS updates. But I believe they'll have, occasionally, they'll have these feature packs that can basically take you up to a new .Net version. I think it's…it's almost like a point release of that. Brian, am I remembering that correctly? Do you know? 
 
Brian: Yeah, that's correct. A feature pack will be where the other security updates will just update 471, 462, whatever you have running. The feature packs will push you up to a newer version or distribute that through your network. 
 
Chris: Right. So that might take you from 471 to 472 or, you know, that'd be the feature pack. It's almost like that service pack level. Okay. Just wanted to make sure I had that correct. Got It. Question from Amy. Actually, that's really product-specific. I don't know if I know the answer to that offhand. Is it a good practice to move replaced patches in the "do not scan directory" for the patch for Endpoint Manager? 
 
So Amy I would actually suggest that maybe you follow up with the support team on that one and see what their guidance would be. I personally would think that, you know, keeping that clean would be a good idea, but I don't know what a lot of the…like if the support team or some of the principal SCs have some different guidance there. Typically, I tell people that, ''Yeah, you know, if you've got…your repositories are constantly growing, your list of things that are approved for what to scan for, whatnot to scan for, occasionally, you wanna clean some of those things out.'' Specific to the patch for Endpoint Manager Product, for those of you who are on that product line, we did make the switch over to the same engine that's in patch for Windows, the legacy Shavlik engine. 
 
If what you're approving to scan for is only January and later updates, you're completely on the new engine. If you've got a mix of, you know, 2017 items and earlier in there as well, you're actually using a hybrid of the new and the old engines and not getting the full kind of performance enhancements, improvements of the assessment and everything there. So from that regard, I would definitely recommend going through and, you know, cleaning up, you know, what's on your approved list, getting it up to just January and January 18 and later items there, and also kind of cleaning up, you know, patch repository and things like that just to keep space cleaned up. It's typically a good practice, but following up with somebody on the support side, they may have some additional guidance for you there. 
 
Question from Craig to workaround the issues of killing network adapter is, should I just hold back on a monthly roll up and only do the security update? Todd, was that only for the roll up? I'm trying to remember if it was on the SO as well. 
 
Todd: See what I have in there. For Windows 7?
 
Chris: Nope. Oh yeah, there's the… 
 
Todd: There are no known issues for the security-only.
 
Chris: The security-only.
 
Todd: I didn't remove that. No, the answer…
 
Chris: Actually, Craig, that might be a good way to mitigate that risk further, is switch over to the security-only until Microsoft get that issue resolved because there was somebody else earlier, I'm trying to see, Connor, actually responded when we were going through that slide and said that the workaround in his environment has only been about 50% successful. So it's been rather painful there. That's actually not a bad recommendation. Is the security-only bundle, you can switch over to that and run with that for, you know, the next couple of cycles here. And then when they do get that fixed, you could switch back to the monthly roll up. But that may be a good way to circumvent that issue from happening again. So Connor, you may also wanna consider the same thing. That may be a good…that's a good recommendation, Craig.
 
Todd: That's something I'll definitely experiment with though before you go and do it, you know, Enterprise one. 
 
Chris: So yeah, switch over to that, deploy out the SO, see if you've got kind of the same issues that looks like the known issue that doesn't apply to the SO. But yeah, it's always good to make sure that as you're switching what model you're on, usually, it's worse going from the SO to the MR because you're introducing all the non-securities and the feature changes, too. Typically going from the monthly roll up to the security-only, you're gonna have less concern but it is a different packaging of the update. 
 
All right. So we're over 10 minutes over already. I wanted to see if there's anything else that looks like a burning question. Todd or Brian, do you see any more in the list that looked like a really important one we should cover? 
 
Todd: I didn't see anything else. 
 
Brian: I'm good over here.
 
Todd: That was requested multiple times. I think we're good. 
 
Chris: Okay. All right. We're gonna wrap there. I think we've got the majority of questions that I either answered through the Q&A or directly on the webinar. The other ones are kind of one offs. And yeah, you know, I see a couple of comments of appreciation of some of the new content that we've been providing. You know, we're glad to keep on expanding what we do there and we just wanna make sure it's useful to you guys. So whatever feedback you have, please let us know. And thank you for joining us once again, we'll talk to you next month.