June Patch Tuesday
June 13, 2018
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris: All right, everyone. Welcome to the June Patch Tuesday webinar. So this is Chris Goettl. I'm actually live here from Madrid, Spain actually this month. And in the room with me, I've got several people who are attending one of our Ivanti shows over here and also are avid followers of the Patch Tuesday webinar. So we decided to do a combination of live webinar in-room for everybody here locally and also the regular webinar for everyone else coming in. So, welcome. And, Todd, how are you doing over there in the U.S.?
Todd: Hey Chris. I'm good. How are you doing over there? Sounds like you're having a good time.
Chris: Oh, you know, it's Madrid, like, the city that never sleeps really literally. They never sleep here, I don't think. I think that, you know, we start, like, you know, breakfast at noon and lunch at 7:00 and, you know, dinner at midnight, and then the real fun begins.
Todd: Yeah, sounds great. I'm jealous. I'm jealous, man.
Chris: Yeah, yeah, I know. Maybe next year. I hear we're going to...I don't even know where we're going next year. Probably somewhere similar. But, okay, so we're gonna get started on the June Patch Tuesday webinar. So it was, kind of, an interesting month. We had what looked to be a rather boring month to begin with. So we're gonna go through a bit of an overview of what we're seeing, talk about some of the in-the-news kind of recent activities going on. Then we'll get into a bulletin by bulletin breakdown of what you need to be concerned about, including some known issues. And at the end we should have a little bit of time for some Q&A as well.
So just getting into the overview level, we do have 17 updates that we are going to be discussing today, not all of them released yesterday. There was a zero-day for Flash Player that we will be covering as well. But we do have 13 of these updates contain user-targeted vulnerabilities. These are vulnerabilities that could be used in phishing attacks, or watering hole attacks, those types of exploits. And, of course, the one zero-day you see on the summary page here is our Adobe vulnerability.
There are a couple of other vendors, ones that don't happen to have any security related updates this month as well. So we'll talk briefly about those guys as well, and then we'll do what we call the In-Between the Patch Tuesdays, where we talk about many of the other releases that came out since last month.
Todd: Yeah, Chris, we added, there was a late release yesterday, too, from Chrome, so we're going to have that kind of as one of the last slides as well.
Chris: I did see that. Thank you. So because I've been on a very opposite schedule, Todd has been towing a little bit of extra workload on this month's preparation, so special kudos to Todd and the team for getting this all together while I'm running around the world having fun. So the first thing that we wanna cover is talking about our Flash zero-day. So this actually came out on June 7th. And so, here's one of the articles talking…speaking about the zero-day exploit. And for those of you watching, we're going to be sharing these links out here as well, and they'll be in the deck that you'll be able to grab after the presentation today.
But the Flash Player vulnerability that was discovered in an exploit in the wild is CVE-2018-5002. It's a stack-based buffer overflow bug that could allow an attacker to execute arbitrary code. It was patched on the 7th by Adobe, and we were able to release that patch very quickly to respond to that as well. Microsoft also pushed out the IE Update, and several other vendors have been responding to that as well.
The exploit itself was identified by, I believe it's pronounced Qihoo 360, and these guys were analyzing this attack and some targeted attacks in the…I believe it was all in Asia and the Middle East is where it was kind of focused. It was specifically in the Middle East, and actually in Arabic language. Let's see here. This was not the article I read first so I'm trying to find the detail specifically about it.
The company also patched several other vulnerabilities, two of those were rated as Important, but the other Critical vulnerability in there was this guy here, the 2018-4945 vulnerability. So two Critical vulnerabilities resolved, one of which was exploited in the wild. Definitely something that if you have not already rolled out, this should be at the top of your list this month.
Switching back over here. So here's the stack-based buffer overflow, the description of the vulnerability, the attacker could gain the same rights as the current user. So in this case, this is a situation where running as a less-than-full-admin will mitigate the impact if this is exploited. You know, in that case, the attacker would have to take additional steps to fully compromise the system, some type of escalation of privilege attack or some other vulnerability to allow them to gain more access. So running as a less than privileged user would limit the attacker's ability to move around your environment quickly.
It does require...the attack requires the user to open a document containing the weaponized Flash Player object. But honestly, how hard is it to convince a user to open an attachment nowadays, right? We're still seeing upwards of 20% of users within your environment will be convinced to click on a phishing email at least once throughout the year. So it's not all that difficult. They basically need to get 8 to 10 users in your environment, and they're likely to have a 90% chance of getting in at that point statistically. So not difficult to, you know, phish a user, which makes this something that you do want to be concerned about.
We've got a public disclosure on the Microsoft side. So this is one of the updates that we'll be talking about a little bit more as we go through the presentation. This is a vulnerability in the scripting engine in Internet Explorer, CVE-2018-8267. In this case, the attacker could corrupt the memory usage in a way that the attack could execute arbitrary code in the context of the user, again. So, again, less privilege will mitigate the impact here.
In this case, the attacker can use this in a variety of different ways. They can use it in a web-based attack scenario, where they've staged a compromised website. They can also use it in the case of in an ActiveX control marked as safe for initialization, and they can embed that along with the IE rendering engine into an Office document. So, even an Office document could be an attack vector for this particular exploit.
They can also use different types of websites. So if they've compromised a website, and that website happens to serve up different advertisements and user-contributed content, that could also be an attack vector for this. So those are the three different ways that the attacker could present this to a user to exploit this.
So being that it's publicly disclosed, there's no detected exploits out in the wild today, but this means that enough information has been disclosed already where the attackers, the threat actors of the world have a jump start on this. They've got enough information to be able to identify and, more quickly, get to a working proof-of-concept or an active exploit. So this puts a higher risk level on any update that contains a public disclosure, which is why we point these out.
Next, a topic that I know you all love, Meltdown and Spectre. So right after the May Patch Tuesday, we did see a new generation, a new variant of Meltdown and Spectre vulnerabilities, specifically Spectre vulnerabilities. This is being referred to as Variant 4 vulnerabilities for Spectre. Eight new CVEs were identified. And this month, we do have...Microsoft has released the updated OS code for that. And also some guidance, as you see here. This was the table pulled directly from the Microsoft article, which I'll actually switch over to real quick here. Let's get over to...that was our... Okay.
That's the Spectre article that came out originally on May 3rd identifying the vulnerabilities. And then that's CredSSP. Here we go. This is the guidance for what are being referred to as speculative execution side-channel vulnerabilities. The latest update is... Where do they… Go back to this guy. So they included…they included this in two parts. The first part here was a June update on the original advisory, I believe, which for some reason I'm now having a problem finding today. Update, April 24th.
It's not like they've had many updates to this over the last several weeks. But they basically describe the additional vulnerabilities that are being resolved. And this is the additional steps that you need to take to be able to turn on these mitigations.
So similar to the previous variants, as you deploy the OS patch, for the end-user machines, most of the mitigation was turned on by default. On the server side, you have to apply additional registry values to be able to turn on those mitigation options. The reason that Microsoft did it this way is so you could push the operating system update out but leave the mitigation off until you had time to test it. When you turn those on in a server environment, there's a higher risk of performance issues.
So you do want to make sure to test these out. They have put a warning on the latest round of Variant 4 vulnerabilities as well. But basically the guidance is the same as before. Push the OS updates, get all your firmware, microcode updates in place from all your hardware vendors, then turn on the mitigation options for Variant 4. And that's the table that we've got here in this slide deck.
So this is showing based on operating system. So for Windows 10, you know, Variants 1 and 2 were enabled by default. Variant 4 here was disabled by default. For 2016, all three are disabled again because we're dealing with a server OS. They're being more cautious about turning on those mitigation options.
Now, there are...I think that there's a different KB here for a few of these as well. Again, they've got some slightly different feedback for how to turn on those mitigation options for the earlier variants. The Advisory 180012 contains the rest of the details as we saw right here, talking about the different pages you can go to for all the different hardware vendors to get the microcode updates. There's a wealth of information in here, and it has been updated for the latest round as well. So it's got the history of all the different updates since we began this little escapade.
So the OS updates for this month contain the operating system changes required to enable this, then you need to get your hardware vendor updates in place, your BIOS, your microcode fixes in place, then turn on the mitigation in your environment. All right? So, yes Todd.
Brian: Just to add on that, if you go over to the protect against speculative of the page, sorry, if you could go back to the...
Chris: Yup. Okay.
Brian: ...second pullout tab. And you go two-thirds of the way down. They go over the exact key that you need to flip to turn on...two-thirds. Just keep going.
Chris: They've got a lot of keys you have to turn on those variants to... All right, getting further down.
Brian: That's it, where the features things overwrite 8 and the mask history.
Chris: Got it.
Brian: That's what needs to enable the SSB.
Chris: Okay. And, Brian, we were releasing an additional security tool to turn those on when people already…as well again, right?
Brian: We're working on that currently. This key is a bit different than what was required for the first two so I'm just doing some testing just to make sure what they're suggesting is gonna enable all three and not just get you part of the way there. So we're working on a method that will be as add water and stir, it's much helpful.
Chris: Excellent. So for those of you using an Ivanti patch solution, you know, as you saw before, we were releasing additional tools to be able to turn on those mitigation options, and also be able to audit which ones were turned on and which ones were not. You know, for those of you who are watching the webinar but not using one of our Ivanti solutions, that's the registry keys that they're explaining here. We've bundled those up in a patch that we can push out so we have detection logic and an update that we could push out to turn those on. That's what I was explaining there, just so everybody is understanding their...Microsoft did not release a patch for this part of it. This is something that we're doing in addition. So, all right. Thank you, Brian.
Okay, on to the next. So just to... We've been kind of reviewing this on a regular basis just because there's...a lot of these have reached an end of service recently. But for those of you who have already adopted Windows 10 or in the process of doing so, make sure you're up to date on your branches you've got in your environment and the life cycles that each of those are on. So as a branch releases, it starts its 18-month cycle if you're a Pro or Home user. If you are an Enterprise or Edu license, you get 24 months on that branch. So be aware of what branch you're on, when it released, when its end-of-service is going to come around for your particular environment.
The branch 1703 was originally scheduled for October 9th. It got extend...actually, it was scheduled for October 9th. That got extended from September 2018. Several of the other branches have either already reached or are getting close to reaching their end-of-life. If you go to this link here, this Windows life cycle fact sheet, they do have... Did that actually open? Hopefully, it did. Let's switch over and see. Nope, apparently not. Come on.
Todd: First I'll add here that 1607 is in that extended level of support right now. And as of this month, we've confirmed that the older ones are no longer being updated automatically. So the Home and Professional versions will not be able to be updated.
Chris: Yup. So the date you see here in end-of-service, that's the 18-month cycle. If you're on an Enterprise or Edu edition, you can add six more months to that. That's noted down here that you're in that extended support for those [inaudible 00:15:58] editions. So we are gonna be coming around to 1607 later this year in just a few months. So keep that in mind if you do have a lot of 1607 branch left in your environment, and you're on that Edu or Enterprise license. We're approaching those dates.
So this is a good page to make sure and track against. And also, if you're tracking this in, especially like in an asset management system, you might even want to stage a report on this to be able to monitor which systems are coming up on their lifecycle and make sure that you're tracking that on a regular basis. All right. So that's Windows 10. All right.
Microsoft did have several notable out-of-band releases this month. These were the Intel microcode updates for some of the other Windows 10 editions. And Brian, refresh my memory here. Microsoft was updating these two add-in…what were they adding in this time around?
Brian: Mostly stability things here. This is their third release for most of them, and I wanna add at the bottom, this is their first update for 1803 as well. This is also…
Chris: Right, so this was the quality issues around the performance impacts, right?
Brian: Yup, and the things alongside, of course, Spectre and Meltdown, this is related.
Chris: Got it. Okay. Just wanted to double check before I went to giving people information. Good. All right. That's why I have all these guys on the phone with me. That way if I don't know something, we have somebody who does. All right.
So some other Microsoft information, we did have a Service Stack Update required for Windows 10 1607. So this was...before installing the June 2018 Cumulative Update, you do want to have that Service Stack Update in place. The XP Embedded Updates. So if any of you are running XP embedded...XP POS systems, basically, those did have several updates that released as well.
And there was a Microsoft security advisory that did release here prior to Patch Tuesday as well around this symmetric encryption security feature bypass. Now that advisory is talking about how to mitigate that. It's not a patch. It is more of configuration guidance, if I recall, the article.
So a padding oracle. Basically, there is a way to…if you're using a cipher block chaining mode with symmetric encryption, there's a way that an attacker could basically view that encrypted data by exploiting this bypass vulnerability. But this article, if you're using that type of encryption, in some case, this article tells you how to modify the way that it's working to mitigate this threat. So this is only a case if you have some specific configured environment that's needing this type of update. So they probably won't apply to most of you but something to be aware of.
All right. So, Todd, we are into the bulletins now. Do you want to take...I can pass you keyboard and mouse? You should be able to drive now.
Chris: Actually, let me do one more thing. I'm gonna get this window out of the way here so these guys aren't looking at a big item on my window here. All right. Go ahead and drive again.
Todd: Let's see if it's gonna move here.
Chris: Here we go.
Todd: Here we go. So we talked about Adobe Flash Player already quite a bit. As mentioned, this was released prior to Patch Tuesday. Again, dealing with the vulnerability, primarily 5002 that Chris talked about in quite a bit of detail. You'll see that I haven't highlighted in red down below there. So just gonna be aware of that. Like I said, it was released on June 7th for that zero-day vulnerability, definitely something that you want to be applying in your environment. Associated with that, obviously, is Adobe's direct update. They released it under APSB18-19, was a Critical vulnerability as well, the way they rated it.
Windows 10 this month had quite a few updates. They addressed 41 different vulnerabilities. Chris mentioned the publicly disclosed one, primarily the 8267. You can see those details earlier in our slide deck here. I didn't include all...or list all the vulnerabilities here, all the CVE numbers, but if you go to the details column from the portal, the update portal, you can see all that information. They do address all versions of Windows 10. You can see we have them listed across the top as well as the most recent releases of server, including 1803. And be aware that along with the Windows 10 updates, they include IE 11 updates as part of those cumulative updates as well. And, of course, you know, the embedded browser Microsoft Edge.
There were quite a few known issues that were identified this month associated with Windows 10, different various versions. This first one here for KB4284880, this was for the 1607 release, there was an issue with shielded VMs and the way that they do VMs in your environment. So kind of be aware of that one. Microsoft, there's no workaround right now. Microsoft is working on a resolution.
The second one here is also a new one. This is for 1709. A known issue here, again, having to do with device guard enabled. Most of this is around different language modes, so be aware of that. Again, no workaround. Microsoft is working on a resolution for this particular issue as well.
And finally, we've seen this one for a while now being carried forward, this is an issue with 1803 from their initial release, has to do with invalid argument being supplied when files or running programs are in a shared folder with the SMB V1 protocol. Microsoft does have a workaround right now, identified under the KB that's listed here, 2696547. However, you know, they still are working on a resolution. They said it's gonna be available later in June. So it sounds like they're getting close on this one. And you might see an out-of-band patch sometime in the month. So just be aware of those issues with Windows 10.
Internet Explorer, not very many vulnerabilities identified this month, only four that were addressed. One of those, of course, is that public disclosure that we talked about earlier. Be aware that, you know, the IE updates come in many different flavors. There's a cumulative update as well as monthly updates as well. That's why there's nine different KB articles associated with the Internet Explorer updates for the month. And, again, they're addressing Explorer 9 through 11. Otherwise, no known issues around these particular updates this month, which is nice, kind of quiet there.
Moving back to the legacy operating systems, you'll see that the next group of slides here all basically identified the same set of vulnerabilities that were updated for these between 6 and 8 different vulnerabilities. In the case of Windows Server 2008, there were 6 vulnerabilities that were fixed. I've identified those here, listed below. They touched multiple different modules within the operating system, including the Windows Kernel Module. There were essentially three...there were three different KB articles surrounding the information for Server 2008. But, again, kind of a quiet month with only 6 vulnerabilities addressed there.
Looking at Windows 7 now, just for those of you who are kind of new to our call, Microsoft does kind of two update models for the legacy operating systems. They have what they call their cumulative or their Monthly Rollup model, where they include all the patches essentially from October of 2016 up through the current. They've just been slowly building up a cumulative update with all the latest patches from all those months. And that's how we have the MR7 or the Monthly Rollup for Windows 7 and Server 2008 R2.
In case you're wondering why those two are addressed as a group, it's because the operating system kernel is the same for both of those particular releases, whether it's Windows 7 or Server 2008 R2, so the patches apply to both of those. And the Monthly Rollup for this month, they've addressed eight vulnerabilities. Because it is the Monthly Rollup, it addresses, it includes the four vulnerabilities that I just talked about for Internet Explorer as well. There are a couple of known issues, specifically to this one for Windows 7 and Server 2008 R2.
Before I get to that, which is on...it's on the next slide, actually, in addition to the Monthly Rollup, they do what they call the Security-Only patches. So these were the patches that were just released for June. And it includes, again, those same eight vulnerabilities but it is not a cumulative update. So if you're gonna be using the Security-Only patching model, you have to make sure that you apply every month's patches independently.
It gives you some flexibility in making sure that maybe just this month's patches do not impact your applications, do not break anything in your environment, as opposed to the cumulative model, which obviously includes all those patches, like I said, going back to October 2016. So quite a ways back. So just kind of be aware of that. They are the same vulnerabilities. Obviously, the cumulative includes the old stuff plus these eight, whereas the Security-Only includes patches for just these eight vulnerabilities.
Okay, I jumped ahead a little bit. I was saying that we'd had some known issues for Windows 7 and Server 2008. The first one here has actually been carried along for like four or five months now. Microsoft still doesn't have a fix for this particular issue, has to do with the Single Streaming Instructions Multiple Data Extensions, SSE2. So they've been carrying this along for quite a while.
There's also a new issue that was identified this month, has to do with a missing file. And because of this particular issue, your Network Interface Controller may stop working. They have identified a workaround in this case to fix it, so I've included the instructions here. But if you go into the KB article identified up above for this month, whether it be the Security-Only or the Monthly Rollup, this one up above here is for the Monthly Rollup, the instructions are there so you can take a look at those.
So they're the same thing that I've copied in here. I just want you to be aware that there is an issue with a Network Interface Controller not working. Same thing for the Security-Only down below there. Same issues that I've identified up top here. So just be aware that for this month, those issues do exist, and Microsoft is working on those.
Moving on to Server 2012, very similar in nature, actually the same, almost similar set of eight vulnerabilities that were fixed. In case you're wondering, I do include the CVE numbers here. There are slight variations in the vulnerability for the different operating systems sometimes, so here there are maybe one or two of the CVE numbers will change. Like for example, from the Windows 7 fix to the server 2012 fix. But we do include them here for reference so you know which ones are being addressed.
This is the Monthly Rollup under this particular bulletin. And, again, it is Server 2012 plus the Internet Explorer fixes. And, of course, there's the Security-Only Update for 2012 as well. Again, the same eight vulnerabilities. Unlike Windows 7, there are no known issues for both of these Server 2012 updates. So that's good this month.
And finally, the last group of the legacy operating systems, we're gonna talk about Windows 8.1 and 2012 R2. Again, the common operating system kernel for both of those operating systems. Again, eight different vulnerabilities. These are actually the same as Server 2012, same identical eight that are fixed for this operating system as well. So as you'd expect, they're addressing the same vulnerabilities, and there are no issues as well for the Monthly Rollup nor are there any issues associated with the Security-Only Update this month for those two operating systems...actually four operating systems.
Moving on now, you know, the first set of patches that are identified there were all rated as Critical because of, you know, the issues that were addressed, mostly, a lot of them had to do with the publicly-disclosed vulnerability that we talked about earlier. The next set of patches are all rated as Important by Microsoft.
So the first one are security updates for Microsoft Office. They released quite a few updates this month. I think there were 22 altogether based on the number of KB articles here. You can see it's the Office package in general. There were specific updates for Excel if you want to apply those. Outlook Web App server and Project Server. They did release an advisory this month, 180015, which is their typical defense-in-depth announcement and release. So they actually have a bunch of security updates that they include under that advisory, and release those, but it does not identify specific CVE numbers.
However, they did identify six specific vulnerabilities that they addressed this month, and I've listed them here. And we didn't see any issues in applying these updates this month. And there were no known issues reported either.
As far as Office 365 goes, obviously, this is their Click-to-Run model, where they're continuously updating the various channels of Office 365. I've included the link here. They have kind of a nice common link where you can look every month for information specific to the Office 365 updates. With this latest release that came out on Patch Tuesday, they're addressing three vulnerabilities. And again, as expected, you would have to restart your applications for them to go into effect. But there are no reported issues around these updates. And, again, they're rated Important.
This month as well they've released updates for SharePoint Server. Specifically, they didn't release any for 2010 this month. You'll notice that they're only 2013 and 2016. So there were just a series of releases for those versions. They only fix two vulnerabilities, 8252 and 8254. Restart is required for the servers, but there are no known issues. They did say down below, though, I did note that, and they had this in the release notes, that after installing the updates for the Foundation Service Pack 1 or Enterprise Server 2016, you need to run PSConfig.exe. So they put a note in the release notes on this. So just kind of be aware of that. You need to do that for the changes to take effect.
Chris: Yeah, and, you know, that's one that I wasn't as clear on that before this month. They actually had one of the engineers come on TechNet and do a specific post about this. But basically, after applying the update, there may be several things that need to happen after that and they only happen if you run this PSConfig. Things like if there's a database schema change. If security settings are, you know, recommended to be different, that process will actually modify those settings as well, but it won't do it before that.
There may be even some cases where some additional files are going to be copied out of the install location into the different app bin folders for different web applications on the SharePoint Server. So there's several things that this PSConfig process is going to do post patch install, but they do have...you do this as a manual step afterwards to enable those different changes.
Todd: Thanks, Chris. As we mentioned, kind of late in the day yesterday, Google announced an update for Chrome. It was rated High by Google so we rated it as a Critical level patch. The specific details are included here. They did identify one specific vulnerability, 6149, which they've identified as an out-of-bounds write. That's what it did. So just be aware of that. So we strongly recommend that you would apply this update for, you know, Chrome as well.
There were a number of non-security updates that we included yesterday. Opera, Nitro-Pro, Blue Jeans, and Shockwave. Interestingly enough, the Shockwave was a non-security update. Usually, they're trying to patch some security bugs in that, but this month it was just a non-security update. So these just happen to come out on the same day, and just wanted you to be aware of them, and we rate them as a recommended.
Chris, with that, I'll turn it back over to you.
Chris: All right. Thanks, Todd. So this is something that we often do to point out different updates that happen In-Between Patch Tuesdays. So we do have some new products that were supported this month. There's the Google Drive File Stream, Zoom Client, and Zoom Outlook Plugin. So if those are products that you guys are using, we do now have support for those.
There were a series of security updates that did release In-Between the Patch Tuesdays. We have the Apple mobile device support, the Adobe Acrobat and Adobe Reader, Adobe Creative Cloud, and, of course, the zero-day Flash Player update that we already discussed. There were three different updates for CCleaner. Not all of those had CVEs in them. But several third-party products, if they've had a CVE at one point in time, because they're in a continuous chain, we treat them as a security patch a lot of times going forward because that basically means that it's going to be...the point you're at right now and the point you're going to could have a security vulnerability being resolved in-between there. So that's why we treat those as such.
Chrome had four different releases, you know. Core FTP and Firefox each had a couple. ESR had three. As you can see, there's a number of different updates that were security related in-between. Non-security updates, several are there as well. One thing to keep in mind with non-security updates is not all vendors identify and report CVEs effectively. They may have resolved internal security issues that they didn't disclose to the customer base. So one thing you do wanna do is you don't wanna leave out-of-date software, you know, there's one thing about software, and that it's got a shelf life. The longer it sits out there, the more sour it might get. So anytime you can update older software as well, it is a good idea to try to do so.
So breaking down into a few of the specific releases. So for Firefox, they did resolve one vulnerability. The other, ESR resolved 1 vulnerability, the same one in the Firefox 60.0.2 release. The ESR 60.0.2 release had 16 vulnerabilities resolved, so there were several there. And then Visual Studio 2017 had 2 vulnerabilities resolved.
Wireshark, a tool that a lot of you probably commonly use, if you have those floating around your environment, it's a very vulnerable product and often has security vulnerabilities, 8 this time around. And just think of an attacker being able to turn Wireshark back around on you and used against you. So it's kind of a nasty combination if they get their hands on that one. Thunderbird, 13 vulnerabilities resolved. And we got some VMware Workstation updates for Pro and for Player resolving three vulnerabilities.
So those are the CVEs that we were able to identify in the updates that came out In-Between Patch Tuesdays. Make sure you're aware of those if they are products that you're concerned about, and make sure to get those into your test cycle as well. All right.
Oh, I'm sorry, we had more. Acrobat took an entire page by itself.
Todd: Yeah, sorry, Chris. We had so many I had to put them all on one page.
Chris: Right. So we've got the APSB 18-09 Acrobat Reader Update, and that had 13 vulnerabilities...actually, that's more than 13. I think your number was copied over...
Todd: Oh, yeah, fine. Yeah, sorry.
Chris: I don't even want to try to count that with...it's making me go cross-eyed. So there's a lot of vulnerabilities resolved in Acrobat. So make sure that's also in your test cycle for deploying out along with that Flash Player zero-day.
And a couple of things. For those of you in the European market, we are trying to branch this out, so that at that time of day, not 5 p.m., like we're dealing with here today. So we are trying to get into a model where we're going to run an additional Patch Tuesday webinar. And I've actually been having a conversation with some of our local SCEs [SP], and we are going to try to bring in some other technical resources that speak your language as well.
So in markets where we can, we're going to try to bring in especially, I think, the first we're going to tackle is gonna be the French market, where those guys are going to start to observe and begin to be able to take over and do a separate run in French natively for that market. And we're gonna look to try to replicate this in more markets as well.
We do understand that, you know, Todd and I, sorry, we speak English. We're not bilingual or multilingual. So we try our best to get this content out to you guys. We're gonna try to get it into some additional time frames and some additional languages for you going forward.
So in July, we're gonna do a European friendly time. We're gonna try to get to the additional languages as well. But that will be Thursday next month at 2 p.m. CEST. So that will help you guys to be able to pick that up at an earlier time of day for you on Thursday. If you do still want to get the webinar earlier, you can always grab the recorded version or try to catch the live version yet on Wednesday. We tried to discuss getting it earlier than that, but a lot of times, we are modifying this deck right up until the time we go on live right before you guys stepped into the room here.
And for those of you on the phone, I had Brian and Todd, and we were making some modifications to the deck literally right before we got started here. And that's pretty typical, finding known issues, and other things, we'll be getting that right up to the time we go live.
So we also have a new bimonthly series on Windows 10. So a lot of you guys are getting further and further into your Windows 10 migrations. So we do have a webinar series hosted by Rex McMillan and Adam Smith from our UWM...our UEM team, and these guys are going to be providing more insights, especially for those of you guys looking at what's coming new, and also the different struggles around branch upgrades, and other things that we know we're all facing together.
So if you guys are interested in that series, it is related to...and a lot of you are experiencing those challenges as well, we wanted to let you all know about that series starting up.
All right. On to the Question and Answers. So let's see. I know that Brian, Erica, and Todd have been responding to many questions as we've been going through here, but let's go ahead and see what we've got left for questions to answer. All right. There's our Welcome statement. We've got links coming out.
Question from Devin. "So for the zero-day targeting Flash..." I think this one is... So the zero-day targeting Flash Player is separate from the Meltdown and Spectre vulnerabilities. So the Flash zero-day is a vulnerability just on the Flash Player product. The Meltdown and Spectre patches are separate from that. So the OS update for Windows this month gives you that last Variant 4 fix for the operating system, then you need to get your BIOS updates from your vendors, and then you need to turn on that additional mitigation option for Variant 4. But those are two separate issues there.
Let's see. "If you manage Windows 10 devices via SCCM, the latest version, 1803 is only supported on SCCM 1802 and later." Thank you for that, Jose. So, yeah, for those of you who are on the SCCM side, make sure you keep your SCCM versions up-to-date with your Windows 10 and Server 2016 branch versions.
We drive a lot of those changes on the Ivanti products through content changes. So for the most part, there's very few times that you have to update our products in line with your branch updates. But as new branches come out, just stay tuned for if we had...if there is a breaking issue at some point, we will have an update available for it as quickly as possible.
All right. Question from Valo. "What's the best way to upgrade the Win 10 1511 machines? They have 10 users in their environment, who do not allow us to reimage them completely."
Okay, so this is kind of a difficult question to answer without some more conversation. But if you have a provisioning capability, either through SCCM, through Ivanti's Endpoint Manager Platform, there's a variety of options there, you can reprovision the OS completely that way. Within our patching solutions, both Endpoint Manager and in Patch for Windows, we have the ability to push the branch upgrades. They're slightly different in the approaches but basically in, like patch for Windows, we treat it as a service pack. When you scan a Windows 10 edition of an older branch, you would see the ability to deploy the newer branch. For that, you do need to download the ISO from Microsoft site. Those are all gated so you can't get direct access to them. We can't go directly to and pull that down for you.
So it is a manual step to get the ISO, put it in place. But once it's there, that becomes a service pack deployment option within patch for Windows. And Endpoint Manager has a similar approach where they can push out the branch upgrade as well after you download the ISO and stage it correctly.
So, on our support pages, for those of you using the Ivanti products, there are documents there that show how to get at and configure those things. But, again, if you're not using the Ivanti products, that would be a case where probably use of a provisioning tool of some sort would be your best option.
Todd: The other thing, too, Chris, there, like you said, you would have to really talk to them about what's your environment. But if they need to run on 1511 for some reason, the best they can do is obviously to get the final cumulative update that was released for 1511. And at that point, they would have to look at, you know, how do you mitigate any additional...because, obviously, there are no patches coming out for it anymore because it's not supported. So there we have to be very careful about where they run that operating system. I'm assuming they might have to run it because of the applications that they have will only run on 1511. I don't know the exact situation. But in that case, you'd have to turn to some, you know, other mitigations to make sure that those systems are protected.
Chris: Absolutely. Whenever you've got an end-of-life situation like that, we do recommend additional mitigation options, document how you're protecting that system further, whether it's virtualizing it, segregating it away from other environments, reducing the access to it to only specific users. There's a variety of ways you can do some additional protection there. It's always best to get those old branches or old pieces of software out of your environment, but there are always going to be, you know, some edge cases where you do need to keep something around. Just make sure you're supplementing with additional security controls and measures to make sure to reduce that risk.
All right. So let's see. We've got a question from Peter. "We use Patch Manager from Ivanti. Will you make available Windows 10 patches if someone will get Microsoft extended support for up to 30 months?"
So we do a custom content support for Server 2003 right now. We have not had any requests for Windows 10 branches yet. So, Peter, what I would suggest doing is why don't you reach out to us. Let's talk about and figure out your needs there, and we may be able to do a what we call a custom content agreement to be able to support that. But, yeah, that's something we can definitely talk about. We do have cases of that that do exist. But with each product or platform that we do that for, there are special considerations. So we'd probably want to have a discussion first about that.
All right. And, Brian, maybe you solved this one already. But Peter was asking a question. He would like to see if we can get a brief explanation of what the Root Certificate Update is that was required to install these Flash updates. I did not get that deep into it. Can you give us a brief on that?
Brian: Yeah, I wanna see if I can answer that question. I wasn't sure exactly with what Peter was referring to about the Root Certificate Update. However, for Windows 10 1607, where the cumulative required in Servicing Stack Update, the Flash update required it as well. The Servicing Stack Update, it's the series of compatibility and stability fixes that Microsoft has been releasing for each version of Windows 10. And this is the first time that they've required a Servicing Stack Update for a security, but that's what I believe Peter is referring to.
Chris: Okay, I'm going to try to pull up that link real quick here just so we have it. There is the Windows 10 update, next two slides. All right, where was our Servicing Stack. I thought we had a link for it in here but maybe we didn't.
Brian: I'm getting it for you right now.
Chris: Okay, yup. We'll try to pass that link through there for you Peter so you have that. But it sounds like that same Service Stack Update for certain Windows 10 versions might have been the issue.
All right. Question from Julie. "Did I miss the Windows 10 2016 Server discussion slide?" Actually, no, but we need to probably clarify that a little bit better here. The Windows 10 and Server 2016 are actually on the same slide. So this is…basically the same kernel applies to both Windows 10 and 2016...Server 2016, similar to, like, Windows 7 and 2008 R2. And, you know, these are often a Workstation and Server edition paired together. So the same update for the most part applies almost identically in all of those cases.
In rare cases, there will be slight differences between the workstation and the Server editions. Like in the case of the Variant 4, on the workstation side, they might have had it enabled. And on the server side, they'll have it disabled by default. But for the most part, the same vulnerabilities and things are applying to both of those stacks. So that's where that was in the presentation there, and that's why you probably didn't see it. It was because it was on the same slide as that.
Oh, thanks, Jose, for the comment there. So addressing the TLS 1.0 deprecation by Box, he was able to publish out the necessary updates there and then push that out. That's great news. Let's see. So, yup. For those of you who are asking about the recording, recording and presentation will be available here after the webinar today. So Erica is also one of our people supporting this effort each month. She does an awesome job at making sure that all the content that we provide gets updated on the website and turned out to you guys as quickly as possible along with the follow-up emails and things that let you know when it's available. So that will be coming as quickly as we can turn it around.
Let's see. I don't have...
Todd: Hey, Chris.
Chris: Yeah, go ahead.
Todd: One thing we're going to start to add, I talked to Erica after Erica was telling us before the meeting today or the webinar today is that we're going to start adding some of the questions and answers, the most common ones. We're going to include those in a blog after each one as well.
Chris: Excellent. And thank you.
Todd: We will anonymize them. So you won't be…you know, there's no public humiliation here.
Chris: Right, yup. Well, GDPR, for those of you in the room here with me, we're gonna make sure it's compliant. Don't worry. So a question here from Adele. "Why are Monthly Rollups now classified as n/a for severity." Oh. So for those of you on our patch for Endpoint Manager side, there is a...basically, this is the way that the content being utilized there has changed. We're going to be doing a fix there for that in the future. But basically, it's the difference between vendor severity and security versus non-security patch types that we have in this content stream.
So that's something that if you reach out to Eran, the product manager for Endpoint Manager, and let him know that you've got some concerns there, he can explain how we're going to be addressing that issue, but that should be addressed here in the near future to make it so that we can better handle that. We've got all the content to do it. Just a matter of, with the engine change that happened in January, the way that content is pulled in by endpoint manager, there are some UX changes that have to happen to take in some more of that content the way it used to be. So we're working on that. Apologies for that.
Question from Paul. "Can you talk about KB4284826 issue again?" All right. Let's see. What was that guy again? This is one reason why we kept those bulletins is because throwing a KB number out there sometimes is rather difficult to find exactly what's going on. Let me do this. It might be easier to go straight here and say, "Give me that KB." Here we go.
So this was the Monthly Rollup for Windows 7 and Server 2008 R2. So it did include the...the rollup did include some of those additional updates that release with resolving performance issues for the earlier variants of Meltdown and Spectre known issues. Let's see here. We had the network device issue. So if after updating this there's an issue with Windows and third-party software that's related to a missing file, an INF file, because of that, after you apply this update, your Network Interface Controller may stop working. If that's the case, there's some additional workarounds here to get that NIC card back into operational status. And they are working on an issue to resolve that.
The other is that Streaming Single Instruction Multiple Data Extensions, that's a mouthful, they're working on a resolution for that yet. No workaround currently available. So that error that you're getting on that SIMD extensions is still out there.
Todd: Yeah, that one's been out for like four or five months now, Chris.
Chris: Yeah. I think it's February.
Todd: I don't know how aggressively they're working on it or maybe it's just an edge case for a few people, I'm not sure.
Chris: Yeah. So it's still out there. No workaround currently available but they're supposed to be getting a resolution for us. So, all right. I think I have exhausted all the questions in the chat window. Let's switch over to the Q&A window. Let's see. All right. It looks like... Oh, we do have several in here.
All right. So we've got some sharing and some screen...okay, that's an issue, Windows Server 2016 Update not being detected on some of the servers. Okay, so, Michael, if you've got a case where there's some detection issues there, make sure to get that open with the support team very quickly and we will get on those to see if we can resolve why there's detection issues there. Brian, do you know…have any support escalations come through already relating to detection of Server 2016?
Brian: Nope. Later in the Q&A, it looks like Michael found me the Servicing Stack Update with [crosstalk 00:53:58]. So I think [crosstalk 00:54:00].
Chris: Okay. So, got it. Got it. Okay, perfect. Let's see. Okay, yup. So we got that. Yeah, so relating to that Service Stack Update, this, again, has been kind of a one-off. So, yeah, Michael, and for those of you who ran into the same thing, it's not something very typical, but that Servicing Stack Update is required for 1607.
All right. So Tom had an issue when trying to get the 1709 Delta Patch for Windows 10. He's getting a hash issue on the Delta Patch. So…
Brian: I can add to that, Chris. I just talked to our team about that. It looks like the minor build updated overnight. So we will most likely be releasing a V2 of 1803 and 1703.
Brian: It doesn't look like it's been announced on any of the blogs. But because the hash changed on that, allowed us to investigate it. So we're gonna probably be releasing a patch today. Happy Patch Wednesday.
Chris: Got it. Patch Wednesday is always good. So, Tom, and any of you that are on the EPM side, whenever you see that hash error on that, that means that from the point where we initially released the content, the binary has changed. So if you do run into that, there's typically two cases. This case being where a binary was kind of still fixed and re-released after we had already released content. So on those, if you do find that, let us know as quickly as possible. We also do try to have some regression cycles that go through and test downloads and things to try to validate those things. But if we haven't run that in a while and you already see one, let us know.
The other case where it can happen, and this is one where because of the nature of some vendors, and I think...Brian, is Chrome one of those that does it this way, where basically the third-party vendor only has the latest download available when they release a new version?
Brian: Chrome is definitely the biggest suspect there.
Chris: Okay. So if you go to research the Chrome Update, and you're searching, like...I mean, they released four Chrome updates in-between this month and last month's Patch Tuesday, you have to go to the latest one because that hash won't be correct anymore for two, three, four versions back because it's no longer publicly available. So you would have had to get that download already, and we are gonna be putting in some additional logic changes on the ECM side to make it so that, in a case like that, if you did have the public download before the new one came out, EPM will look for...find the old version that's not publicly available locally and be able to validate that hash that way. So we are doing a change there to try to make it so that the older versions will be able to be supported even if a new one comes out, but that is one other way this hash issue can come up.
All right. Let's see. A couple of audio issues. Okay, that was the [inaudible 00:57:28] issue.
Todd: Chris, Alex was asking about, he uses Qualys in his environment to scan for vulnerabilities and is wondering if it's a challenge for him to match up those vulnerabilities against patches. So I want to talk a little bit about some of the work we're doing with PowerShell on our API interface on the patch for Windows product.
Chris: Absolutely. So that's a common challenge. If you're getting a report from your vulnerability guy...or from the security team on your vulnerabilities that have been detected, and they need you to confirm if you've got those resolved, it can be kind of a difficult challenge to cross-reference all that information.
So one thing that we've done already in the patch for Windows product, and we're extending this out to the other patch products as well, is we have APIs that allow us to script the process of pulling CVEs from the vulnerability vendor, passing those into and building up a list of the patches that need to be deployed to resolve those. So that can make it so that you take all those CVEs passing through, here's the list of things that need to be updated, go and resolve all those, let the security team know, should be good to go, and they'll come back through and do another vulnerability pass.
Now we do have the CVE data in our products. Each one is a little bit different in how it's represented. And we're gonna be working to make this type of data more and more accessible as well. In the current release, I'll be showing you patch for Windows as an example here. If you go into the, what we call the Patch View, close those, loading, please wait. All right. So let's grab something Microsoft. Patch Information. So you see the CVEs down here. So you can find that information there.
We're going to be doing things like making it so that we want the CVE to be searchable from a Cross-Columns Search here. That's a matter of, right now, the way that this UI was designed, if we put that in there, you're going to end up with...well, let's take that Acrobat Reader Update, if there's 40 some CVEs resolved, the way it's currently designed, you'd see 40 some lines for that one update if we put that column in there. So we're going to be making it so that data can be used in a Cross-Column Search but not represented in the grid so that it doesn't kill the user experience, and making it so that there's different ways to search by CVE as well through different interfaces like this.
API has the ability to take in those CVEs and find the corresponding patch already, and that would show up in what we call a patch group. So as you do that, then, you would then see the corresponding patch show up in this list by doing that type of a search. So this is patch for Windows. Again, if you're on EPM or patch for SCCM, we're gonna be doing releases over the course of the next couple cycles here where we're gonna to be adding in the ability to do similar integrations on those products as well. So this is definitely something that we want to enhance and give you a better experience and help you bridge that gap between the security products and the patching solutions, okay?
Todd: Chris, I posted in our community page where we talk about the API integration with Qualys for patch for Windows. So those of you, if you look in the chat window, there's a link that will take you there and will show you the scripts and stuff that are available today if you wanna do some of that and play around with it.
Chris: Yup. So we got Qualys and BeyondTrust out there right now. We've been speaking to Rapid7 and are getting access to their latest release, which has a more updated REST interface that we'll be doing a similar integration with. And, again, we'll be trying to expand that as we can to the other products and for other vulnerability vendors. But if you do have a vendor that we haven't already talked about, if you've got somebody with a little bit of scripting capability, you can easily take the examples we've got already and adapt them to work with another vendor's API very similarly.
All right, how are we doing on questions here? Do you guys see any others that we should probably respond to? All right. There's a question from Dan that I'm not sure if we have the answer to offhand. "Is Chrome still planning on dropping the Lock SSL TLS icon?"
I hadn't heard about that yet. So apparently, they're planning on getting rid of that icon altogether so you can't see that SSL or TLS is good on a site. I don't know. Brian, have you come across that at all in your reading, or Todd?
Brian: I haven't run across that…
Todd: No, I haven't seen it either.
Chris: Okay. Yeah, sorry, Dan, we don't have an answer on that one today. Louise and anybody else who's looking for that again, we'll send out...from our page, you can always go to ivanti.com, and from there, get to our Resources page. "I'd like to stay on the U.S. site." Thank you.
See, he tried to, you know, help me out there. It's great. So if you go down to our Resources, the Patch Tuesday page here, this is where you can get at all things Patch Tuesday. Actually, hey, look, it's me. I was actually at the Microsoft Ignite conference, and we had a session we did there with, like, over 450 people. So that's the one they chose to use for this page. Patch Tuesday-related. But you can see here we've already got the June page up. It's got the infographic in the blog already. You're gonna see the presentation and the webinar playback get loaded up here later on today.
And you can always sign up for the upcoming webinars so you can see that, right now, June is up there, but we'll be getting July and, you know, the other ones loaded up here as soon as they're available for the webinar signup as well.
All right. Alessandro is asking, "Was anybody aware of Windows 10 1803 issues with remote app mode applications?"
Brian: So I can at least add a bit to that. People have mentioned they have had issues with remote desktop and remote apps in 1803. They mentioned there would be an update going out the Q3 of the third week of May. And currently, I haven't read any major solutions.
Chris: Okay, so solution is still pending on that one.
Brian: I need to read a little bit more about it to give a clear answer, but I do not see a fix.
Chris: All right. So Jose came back saying he's got 1,000 plus Windows servers on multiple ESXi servers, and the scan reports are from Qualys. Yeah, so, Jose, if you are on the patch for Windows product, we do recommend go to the... Oh, hey, look I need to do a Lenovo update. Yeah, those BIOS updates are available now. All right. So, yeah, go out and check out that Qualys article that we've got. That will show you how to configure the script to be able to pull the CVEs directly from Qualys and build up that software list within patch for Windows. So check that one out.
All right. Windows 7, 2008, NIC issue, different to the previous VM NIC issue? Yes, that is a different NIC issue. Yeah, it seems to be kind of a reoccurring thing, network card issues on a lot of these OSes, yeah. So that was a different NIC card issue, Peter.
Todd: Correct. It wasn't related to VMs. This was actually a hardware thing.
Chris: Right. All right. Do we have any...I'm looking through and I see a lot of these have been responded to or are replicating questions we've already had. Brian, Todd, do you guys see any others that we need to respond to here?
Todd: I think we're pretty close.
Brian: I think we're good.
Chris: All right. So, actually, there's one more here from Joe. "Is there a way to subscribe to the Patch Tuesday content?" And Erica may be able to respond better on this. But basically, once you register for our webinar series once, your follow-up emails will always respond back and let you know that the next registration is available and try to remind you of that. So once you're entered into the flow once, again, it's kind of what we call a drip campaign. It continues to try to give you the updates about here's the webinar recording playback, here's the next webinar in the series, that sort of thing.
If you're not getting those emails, double-check your clutter or spam filters and make sure they're not getting nabbed there. But we do try to keep that in a continuous mode. If you're not getting those for some reason, let us know, and we can try to see what's going on there. But typically, it's either clutter or spam filters that are grabbing those if you're not seeing them.
All right. So, Mohamed, I see your question there as well. So this is gonna get into a deeper conversation. Sounds like you're having some problems with scheduling some patches to deploy. Depending on the product, and specifically what's going on, we're gonna need to get deep into troubleshooting there. If you've got a support case open already, I would need to check into the status of that and figure out what's going on and on which product. So if you have not already, get a case open, because they are going to need logs to be able to determine what's going on.
If you do already have a case open and you're having difficulties there, you can reach out to me directly and I can take a look at and try to see if I can reach out to the teams doing that. But, yeah, it sounds like...depending on which product you're on, it sounds like you're getting a credential error. And so there's basically the credential that you're using is not working on those end points. So that can be any number of things where you have credentials set. It could be a few different things there so we are gonna need to get into more details.
And, no, there's no charge for a ticket if you are a current customer under a support contract, which if you're getting patch content, you definitely are. Even if you're a trialing customer, those types of support cases are not additional charges with Ivanti. So if you open a case, we should be able to walk you through that.
So Kenny had a question. And, Erica, this is something that we might have to, you know, take a look at how we can do this better. "Could we give somebody a way to opt-in and always be registered for Patch Tuesday webinars?" So that's something that I have had a question about a couple of times over the years. That's something that we'll have to have an internal conversation about and see if there's something we could do.
The way the webinar is currently built, they are separate events, so we'd have to figure out some way to tie those together while being compliant with all privacy issues and things like that. Everybody in the room here in Spain is smiling at me about that one since we're talking a lot about GDPR this week. But, yeah, so we'd have to look into that and give some type of an opting option to continue in a series and then be able to do that. So we'll take that under advisement. I think it would be a great addition, for those of you who are regulars do not have to worry about that. So, all right.
And, Pong, I think, again, with your question as well, we do have the Support team available to be able to walk you through and find you the guidance that you need for getting Windows 10 patches identified for your workstations. So depending on specifically what you're looking for, again, if you reach out to the Support team they can probably lead you to some documentation or some specifics around that.
All right. Well, great, guys. I appreciate...we're a little bit over on time already. Thank you for joining us once again. You know, I know that, you know, there's a lot of information coming at you guys very fast, kind of like drinking from the fire hose every month, but we try to get this out to you and in a format that helps you try to manage it better. So, thank you for joining us for our webinar, and we'll see you again next month. Thanks.
Todd: Thank you.