May Patch Tuesday

May 09, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris: Oh, well, welcome everybody to the Wednesday, May 9th, 2018 "Patch Tuesday" webinar. My name is Chris Goettl and I'm joined here today by Todd Schell. How are you doing today, Todd?
 
Todd: I'm good, Chris. How about yourself?
 
Chris: Doing well. I hear you guys are a nice and sunny down there in Texas. We're getting a little bit of rain up here in Minnesota, but not too bad. Suppose Texas. You guys are gonna be getting into the 90s here pretty quick if not already.
 
Todd: Yep, pretty soon. 
 
Chris: All right. Well, helping logistics side, we've got Erica and Brian also joining us here today. They kind of make sure that everything for the webinar is running smoothly and Brian is here supporting us from a technical content. I'm a support side, so thank you to both of them for a supporting webinar.
 
All right, let's go ahead and get started here. We're gonna just, if there are any questions, we're gonna try to answer them throughout the webinar, but if you do have any, please try to fill those out into Q&A section. And, you know, we've got, again, several people on the webinar here who are gonna help to respond to any questions as we go through, and Todd and I will try to answer as many as possible as well.
 
All right. We're gonna go through and do just kind of a high level overview of Patch Tuesday this month, talk about some recent news and things to be on the lookout for some possible new things on the horizon that we're gonna have to worry about, get into a bulletin by bulletin blow of what exactly released here, what updates you gotta watch out for things like that. And then we'll get in deep into the Q&A here at the end. We may answer several questions throughout the webinar as well, depending on if there's something that's relevant to what we're on at the time. So, again, use that Q&A and we'll get started.
 
All right. First thing is just a high level here. Just, you know, Microsoft and Adobe where the two vendors that released updates yesterday that we're gonna be focusing on today. Microsoft may have stopped doing a bulletin id for their updates awhile ago, but we basically classify everything into, you know, a total update count. So there were 17 updates that Microsoft released yesterday that we're gonna be focused on. And we do have one from Adobe and, you know, I'll bet you'll never guess what that one is.
 
Todd: It could be Flash, maybe?
 
Chris: Maybe. Okay. Yeah, that was an easy one. All right. Softball. So 18 total bulletins we're gonna talk through today. Now, we do talk about a couple of other things things like user targeted vulnerabilities. These are updates that plug a vulnerability that will...to exploit an attacker would be targeting a user in some ways. So there are using a website as the attack vector or a document or email or messaging. So 14 of the updates that were released yesterday include one or more vulnerabilities that could be used in a social engineering type scenario.
 
There were two zero [SP] days we're gonna talk about as well and also two public disclosures that we're gonna get into and these are either things that are already exploited in the wild and definitely bump up the priority list on what should we should be focusing on, or public disclosures, which are an indicator of risk, meaning there's enough information out there already that an attacker could already be putting together an attack. So those are things to be aware of and make sure that they don't linger out there too long, just because, again, they've had some initial exposure. The attacker has a jumpstart on us.
 
All right. So getting in to a. we're gonna cover a little bit of news here, including some of those zero days. Now, the first one, many of you may have heard the news about this thing called Double Kill. Double Kill was the name of the attack that was identified by the security researchers at and I don't know if I got the pronunciation correctly, but Qihoo 360, I believe that's the name of the security firm in China that discovered this. What they basically found is that there was a live attack happening in the wild and what it was allowing an attacker to do was to send either through IE or through a office document embedded with the CVE script runtime engine in there. They were able to exploit a vulnerability that allowed them to gain access to the system.
 
So that is the vulnerability that one of the two zero Days that was plugged this month. And we're gonna get into the specific CVE here, 2018-8174 in just a little bit, but basically this attack allowed the attackers to gain equal control of the system as the logged on user. So mitigating in this circumstance would be things like running these privilege. That's always a good way to do that. Make sure that many of the vulnerabilities that an attacker could exploit, the attacker would have to take additional steps to be able to do much more to the system. Otherwise they're reducing what they can do. And this is a good example of that. So if you're running this privilege, the attacker would then have to take additional steps.
 
Now, this attack in particular allowed the attackers have variety of different ways to be able to exploit a user. It could be through a web-based attack scenario. It could be through user contributed advertisements or content. It could be, you know, through an active application that was properly marked as safer initialization or be embedded into an office document. So this was one of those types of exploits that was perfect. It provided a variety of different vectors for the attacker to present themselves to an end user and exploit that user to let the attacker in the door. So that's the first of the vulnerabilities that are the...or the articles we're gonna talk about today.
 
I'm going back here. The second thing that I did find as I was going through here is Microsoft had announced that they were gonna be working on bringing Javascript into Excel. That's right. Bringing more ways to exploit excel directly in there and support them. With great power comes great responsibility. That's going to open up additional challenges like Bitcoin.
 
So a researcher already went in, and with that release, they proved out very quickly using just a standard documentation for how to embed the Javascript into an Excel spreadsheet and he's got it so that it could create a connection to coin hive forever. So that's anytime you'd launch an Excel document, that is trying to go there, it would be able to accept that right away. So, you know, with this, obviously it's trying to, you know, pop up and, you know, ask the user, ''Hey, is this something you really wanna be doing?" And you know, that's one of those challenges is some end users are gonna know, ''Hey, this isn't a document that I trust, so I shouldn't be accepting any of those things.'' But in other cases, if people blindly accept anything that pops up because they just wanna see what's in the data, they may accept something like this that could run a malicious code within that Excel spreadsheet as bad or worse that's in a macro. So just something to be aware of. It's one new way that we're gonna be challenged to secure Excel documents in the future here.
 
The next item here is that there is a new generation of specter-like vulnerabilities that have been found in Intel CPUs. So this also released just recently here. Some German researchers have found a new set of eight new vulnerabilities at the hardware level in Intel processors. At least one of which is worse than the three that were initially discovered. So, you know, they kind of went through and talked about their findings here. Long story short, we've got a new round of specter vulnerabilities that will be coming. And, you know, when that happens, there will be some additional windows updates, there will be some additional firmware updates. Buckle up, round two is coming.
 
And next one on the list here is... So many of you may have heard about the attack on the city of Atlanta that took down at least a systems and at least five departments throughout the city. This was using an based on the SamSam ransomware. A new generation of this ransomware is being utilized by threat actors to be able to exploit different organizations. Well, that same type of new generation of SamSam ransomware is now moving into the healthcare space. There have been reports of healthcare companies now being hit by the SamSam ransomware versions that this is not starting out with your typical phishing scam that a lot of ransomware attacks would do. This is a, you know, there's a more active threat actor behind this one. It's not just a kind of grab a list of people, try to send it out there, see what you hit, maybe target a specific list of users from the same organization. In this case, they're actively looking for ways to get onto the property. And once they get a foothold there, they start to spread themselves out through an environment and reach a critical mass before they actually launched the ransomware portion of the attack.
 
So that's what they did in Atlanta and they're doing a similar approach with some healthcare organizations now. And a lot of it is coming down to things like this platform has I think it's Jack's Boss is a framework that's supposed to be able to test vulnerabilities in the JBoss Java environment. So this is a Java environment that helps to make it so that it's easier to develop Java Applications runs on Red Hat. It's commonly found in a lot of healthcare organizations, I'm guessing because it's utilized in a lot of healthcare specific applications that are used.
 
But this platform allows them to test JBoss implementations, be able to exploit that. And JBoss becomes then a remote access Trojan into that environment. And from there, they start to launch the attack on the rest of the environment. So this is a combination of exploiting vulnerabilities. And then they do a combination of guessing weak passwords and then using mimic cats once they compromise a system to try to do password matching to get some additional passwords. From there, they continue to spread themselves out again until they kind of reach a critical mass and then they launch the ransomware.
 
So this is a very sophisticated new take on a, you know, a ransomware attack where you've got a persistent threat actor who's pushing the attack along each step of the way. Something to watch out for. And also something to, you know, if you look at your security strategy and you build that out to be able to combat the different techniques being used here, it will reduce the impact of an event like this if it were to happen in your environment. So that, I thought, was a good recent bit of news that was relevant in any discussions you might be having around a security program up upping your game this year.
 
Last article that we'll cover in this part before we move on, Windows 10, April 2018 update has been made available. We've already added that into our content earlier especially between the Patch Tuesday releases here. We'll talk about that a little bit later. But there was an article here that talked about a little bit about, you know, for those of you who are running on, you know, home editions or other things like that, when is your PC gonna update? Well, 1803 via windows update. Here's an article that talks a little bit about, you know, when you might receive that, their rollout schedules, servicing options, additional deferral options, things like that.
 
There's also some good feature right ups out there, but, you know, I just wanted to make sure people are aware of 1803 is out there. It is now available. And if you've got some people configured for that faster track, their assistance may be getting updated pretty quickly here. If you're controlling the rollout of the branch updates then, you know, again, down to when do you want to choose to roll that out? You'll probably wanna start to take some of your early adopters into that creators edition or that 1803 update here fairly soon. Start to feel it out. Make sure that everything is working well in your environment.
 
Todd: I'm disappointed they changed the names, Chris.
 
Chris: Oh, they did? Yep. So they've stopped going with the whole Redstone or Creators, like all the different names that they were giving everything and they are moving down now to a more specific naming. So there'll be a, what is it, April and August? Was August the other timeframe?
 
Todd: We'll see. Maybe. It depends on when they actually...
 
Chris: Yeah, but it'll be April 20, 18 and then the build. So 1803, in this case...or, well, 1803 have you know that that's 18 as in the year, and three as in...well Not April. That would have been March. So depending on how they do that, the naming is gonna be not so much a, a creative name, like Redstone or Creators edition or anything like that anymore.
 
All right. Switching over into our vulnerabilities that were resolved this month. We've got the first one here that we talked about. This is that vulnerability that plugs the Double Kill vulnerability that was discovered not too long ago here. It is a VBScript Engine, Remote Code Execution Vulnerability. As I said before, it provided a variety of different attack vectors. It could be used in a web based-attack scenario. So if they host a specially-crafted website, or if they can get onto a compromise website that allows user contributed ads or content that is one way that this can be exploited. They could also take an ActiveX control marked as safe for initialization, craft at a special way and they could exploit it that way as well or by embedding the IE rendering engine, the VBScript Engine into a Microsoft office document. And that was the way that this was initially discovered in the wild, was that embedded office file. That's it.
 
So that was discovered by the Chinese security firm, Qihoo, and has been resolved in this month's update for the operating systems. So we'll talk about that here in just a moment which updates include that fixed. The other zero day that's currently being exploited. There weren't as many details about where this one's being exploited, but it is actively being exploited in the wild. This what is in the Win32k elevation of privilege, vulnerability. In this case, it's how that Win32 component is failing to handle objects and memory. The attacker could exploit this, but they would have to be logged onto the system to do that.
 
So hypothetically, if I were to have used that previous VBScript vulnerability, got onto the system, but I was taking over a system that I've only had a regular user. In that case, I was reducing my privileges. Now, that I've got log-on access to that system, I would take a vulnerability like this, elevate my privileges, now, I've got broader access and I can start to do more. That's where they would then actively start to move to that next stage of the attack, finding new systems to go to and so on.
 
So this is one that would be used in conjunction with other vulnerabilities to move throughout a system where it needed elevate privileges and further the attack. Both of these are at the OS levels and, well, as we go through, again, this one is actually in a couple of the older operating systems, Windows 7 and 2008, 2008 R2. So this one is only on the older platforms, but definitely needing some urgency around the OS updates this month because we've got two open exploits in the wild.
 
Public disclosures, again, these are vulnerabilities that, you know, there's enough information out there where an attacker could start to develop an attack around these. The first one of these 2018-8141 Windows Kernel information disclosure. This one does not allow them to execute code or elevate privileges. But with the information they can obtain through this, they can find ways to further compromise the system. It gives them enough diagnostic information where they can figure out what's my next step, what can I poke out, what can I exploit? So this is even one step further back. You know, they may, you know, get onto the system using that first, VBScripts exploit. They need to figure out what else they need to do. They could use a vulnerability like this one, gain some more information from the system that they should not have access to, which might allow them to take that next step, which might be an elevation of privilege attack. So, again, these types of vulnerabilities use together become a real threat to the environment.
 
The last one here, 2018-8170, is a vulnerability in Windows Image that could allow for an elevation of privilege as well. To exploit this one, the attacker needs to be locally authenticated, not just logged onto the system. So this one is another step more difficult for the attacker to perform. So this one would be used in kind of an inside threat type scenario.
 
All right. Couple of other things that you'll wanna be aware of. We have made some content changes, as many of you may have seen over the last month here. We, you know, over the course of time here, Microsoft changed how they were doing bulletins. They got rid of the bullets and all together. We wanted to keep some semblance of organization to understand at a glance what exactly is this rather than just going to the KB and saying KB 4075139. What is that? Well, if you don't remember numbers very well and relate them to the issues that were happening, we wanted to have a more human readable format still. So we did include that type of bullets and format still.
 
Now, with the way that all of the Microsoft updates have restructured themselves, we came back now and flatten everything out so that it was more seamless. With the way they did Windows 7 and Windows server 2008 and other OSs, things were already flattened out quite a bit, but Windows 10 with all the different branches and with office and with a few other products like that mess. They had a complicated hierarchy in there. And having them all under one bulletin got rather complicated. So flattening this out brought consistency to the content, hopefully still makes it so that it's easily searchable and able to find exactly what you're looking for fairly quickly. But that's why we made those changes. There's links here to some KB articles for the Legacy LANDESK and Legacy Shavlik product sites that tell you how the content is structured that will help you to find any information that helps you to navigate through that.
 
Once you get used to the naming convention, it gets pretty easy to find exactly what you're looking for. But when you first look at it, it can be overwhelming. There's a lot of them. The second thing, this one is not ready to go yet. We're just kinda giving you a little bit of fair warning. Many of you subscribe to our content announcements. Every time we release content, many of you want to be notified about that as quickly as possible so that you know what's coming, you know whether you wanna react to it or not. So we are looking at a new format for this you know, in the future. We've been using a Listserv previously and that is getting a little bit more complicated over time. Some of you who are using a Gmail account, if you've been having some issues recently, like last night, I didn't get my content announcement email because I use my Gmail account for that. And, you know, we've been seeing specifically with Gmail and with a few other more public vendors like that, that there are content announcements are being blocked altogether from their service. So we're looking for new formats for that new ways to deliver these content announcements. More details on that will be coming out soon.
 
All right. Getting into more details of what specific things you need to be aware of this month. We've got Windows 10 brand support, end of service for 2018 says you wanna watch out for 1607 was supposed to end last month. Now, with 1511, they actually block it at the installer level. And the month after they cut it off, it was the installer itself would have rejected trying to install on a home or pro edition. In this case, we did verify this actually even right up to before the webinar here. 1607 is supposed to be supported for education and enterprise editions yet for a little bit longer, but the pro edition is confirmed to still install. We don't know how long that will go on, so don't count on it, but it looks like you get one more month here at least on that one.
 
1703 is scheduled for End-of-Life on October 9th. That'll be for the home and pro editions and it'll have extension on there as well. And then we've got the Windows 10 versions that will continue to receive security updates for six months attached past their EOs date. So 1607, 1703, six months after this date is when education and enterprise would be cut off. So that's just to give you an idea. Now, there is a link to the lifecycle fact sheet. This has the full schedule out there. Microsoft has tried to get down to a very concrete schedule now. Every branch will have an 18 month cycle with a six month extension for education and enterprise. So please review that, make sure you know which branches you have and which ones are coming up on their End-of-Life schedule. That way you don't get stuck without security updates.
 
Some notable April out-of-band releases. These were updates that came out between the Patch Tuesdays that were security related. Microsoft released a few new Intel microcode updates for Windows 10. These released in between, therefore, the different branches of Windows 10. There was this update for Visual Studio 2012 updates five, that included some security fixes as well. And for those of you who recall, on a server OS, if you deployed the microcode updates that would have mitigated the meltdown inspector vulnerabilities that put the mitigations in place. You then had to take an additional step to turn on those mitigation options. Well, it was found out pretty quickly that one out of those three was having some difficulties around performance. So variant to Microsoft, hold the mitigation for that one again, until they put a fix in place for the systems that were impacted by that. They have now released a new....this one is not security related, all it's doing is turning that mitigation option back on now that the previous updates have fixed those issues and they've confirmed that everything is looking good.
 
So if you were one of those environments where variant two is still turned off, that option is now available again and micro Microsoft is recommending turning that mitigation option back on. I would say for that one again, turn it on, make sure performance wise, anything with a heavy load is still performing well at a CPU level, the more...especially for CPU intensive and disk intensive environments, you'll want to make sure that those are not impacted negatively when you turn those back on, but you start to look at that and turning that mitigation option back on.
 
All right. We did also see Microsoft last month had started removing the registry keys that were required to be able to install the security patches. If you recall back to January, the conflicts that the microcode updates had with AB products. A lot of blue screen, a lot of pain. There was a requirement around putting those registry keys in place to make sure that all the AB vendors had done the right things to make sure that that blue screen wouldn't happen. So behaviors that were happening at the CPU level that the AB vendors were kinda...it was not behaving as documented as it should be done. So those results in, you know, coming out with those blue screens, they put this in place. If the AB vendor had that corrected, they would turn that key on and security patches will be allowed again. Well, Microsoft started backing down from that and has continued to back down from that. So more and more of those patches have stopped requiring that AB key.
 
Microsoft did release...We talked about the Visual Studio update on the last slide there. They released additional security updates for that Visual Studio update 2017 and also for XP embedded. And Oracle had their Critical Patch Update on April 17th, so that was the week after April's Patch Tuesday. But the...see over here real quick. Well, this will swing over to the Oracle bulletin update page. So this has the list of all Oracle products that received an updates. The most commonly requested is obviously the GRE and JDK. For this, there were 14 security fixes and 12 of these were vulnerabilities that could be remotely exploited without authentication. Three of those were rated at an 8.3, so pretty high CBS exploring there and definitely warrants some attention. So best recommendation there is, again, start to roll out and test those Java updates for this quarter's release.
 
Again, looking at the SamSam attack, it's attacking a Java runtime environment platform and Java runtimes anywhere your environment are still one of the more targeted server side, especially the platforms to target to get onto the system. There's a lot of times the remotely exploitable without authentication. These types of vulnerabilities are perfect for an attack like SamSam, that type of attack where they can get on of the system without any user intervention, get a foothold and from there, start to work their way into an environment.
 
All right. I think we have covered...Yes, we have covered all of the news, all the known issues. There was a lot of them. Todd, bulletins.
 
Todd: Thanks, Chris.
 
Chris: Take us away.
 
Todd: Sure. Yeah. Let's walk through the bulletins this month. As Chris said, you know, we're still using the bulletin approach to kind of combine things together into like groups. Chris, you took my slide away. Oh, there we go. So first of all, Windows 10, you can see that the number of things that we're supporting under this Windows 10 bulletin and has really been extended. Also noticed that Microsoft has changed the way their naming server these days. They are now on the same release train as the typical Windows 10 releases where they're naming it server 1709 and they're really server 1803 as well. There were eight different KB articles that were combined under that are grouped together under this Windows 10 update. Not as many vulnerabilities addressed as last month. That's kind of a trend we're gonna see across all of the bulletins this month. This month I just addressed 43 different vulnerabilities.
 
I've highlighted the ones in red that Chris had talked about as either publicly-disclosed or known-exploited. So those are available there with the information. If you want a complete list for Windows 10 vulnerabilities, don't forget, you can always go to the a security update guide that Microsoft puts out every month, of course. And, of course, as Chris mentioned, they did release Windows 10 1803 known as the Windows 10 April 2018 update that was released in April and they already have patches out for it this month, this Patch Tuesday. So just be aware that if you are quickly moving to that, that you have to patch it already.
 
A couple of things, known issues, Chris, on the next slide here. We've seen the first one here has to do with the cumulative update and the way that they're being updated and the issue that has occurred there. They did give a workaround if you're using WSS update or end points as far as configuration manager goes, they do tell you to reconfigure and run a scan a second time to fix that particular problem. Once again, that's only on 1607 so and be aware of that problem.
 
The second one, not quite so radical it's on Windows 10, 1709. They're talking about things showing up that are, have been localized that suddenly are showing up in English. Known problem...something. I think I can cut off there. Microsoft is working on correcting that particular problem as well. So hopefully these two will be addressed next month.
 
Those are the only things that were reported for Windows 10. Internet Explorer this month, all the typical updates as you would expect the cumulative as well as individual updates for the individual versions. Impact this month, there were some remote code execution. There was a security bypass vulnerability that was addressed, and, of course, as usual, through Internet Explorer information disclosure is always a problem. There were nine vulnerabilities addressed, as you can see, none of them that were addressed this month were either exploited or publicly released. Does require a browser restart. No known issues with those however.
 
Moving on, the usual updates for our friend, Adobe Flash Player, as Chris said during our introduction there. We have a release both internal for Microsoft. This is the Microsoft patch. Only address one vulnerability this month, 4944, but, again, does apply across all the operating systems that you see. A list of the above there from Windows 10 all the way down to Windows 8.1. Of course, next ones, Chris, Adobe does their own release as well. So we've classified that and included that here in the list. APSP 18-16 for the year, addresses updates for Windows, Macintosh, Linux and Chrome S, so a number of operating systems there, if you're using any of those. Same vulnerability, obviously this is the same information that's in the same patch that's pulled in by Microsoft and released internally to their customers via WSS.
 
Next. Moving onto server 2008. This month, five different KBs were released addressing a number of vulnerabilities you can see were 10 of them here. Again, this is some of the, you know, much older operating system. Chris mentioned CVE, 8120. There is one of the ones that was exploited. So kind of be aware of that as well. Remote code execution and the elevation of privilege available via these vulnerabilities, covers a number of things. I've kind of highlighted them up there. Microsoft for Windows Hyper v Chris talked about the Win32k component that's being exploited. The Windows common log file system, and, of course, the VBScript engine as well. That's part of the Double Kill and that's that CVE 8174 that Chris talked about. So very important this month to patch if you're running old versions of server 2008.
 
Moving onto the windows seven, Windows 7 and server 2008 R2 machines. Again, rated critical this month because of the, uh, the two exploits that Chris talked about. Same basic vulnerabilities are being corrected in this particular operating system, there are 11 of vulnerabilities fixed plus of course, as part of the monthly roll up, you get the IE vulnerability patches as well, all in one good package. So just be aware, that's the monthly roll up for May.
 
On the next slide, Chris, we have the Security-only patches. Keep in mind that the Microsoft support model is quite different between Windows 10 and the legacy operating systems. On the legacy operating systems, which are, you know, when window 7 server 2008, 2012, Windows 8 as well, essentially Microsoft is releasing two types of patches. There's the cumulative patches, which includes all of the security fixes, plus a number of enhancements since October of 2016. They're all rolled up into one big patch and you can apply them and you get everything from, you know, over that historical time period or you can get the security-only patches. The security-only patches are just those security patches that were released in the last month. So if you are applying the security-only patches, you have to be very consistent and apply them month after month to make sure that you're patching all your vulnerabilities. 
 
We break them out the same way here at Ivanti, and you'll see I had the monthly roll up now talking about the security only. Essentially this month, fixing the same 11 vulnerabilities in the security-only patch. Again, Chris, on the next slide, there are a couple of known vulnerabilities or known issues. The first one here is one that's been carried along now for three or four months. There is a known error with the streaming single instruction, multiple data extensions. So be aware of that. There's no work around for that right now. Microsoft says they are working on it. And the same problem exists in the security-only as well. So that same issue exists in both of these Windows 7 patches as well Server 2008 R2.
 
Moving on to Server 2012. Essentially the same group of vulnerabilities are being patched. You'll notice that in this one, however, that CVE 8108 20 that was mentioned earlier, is not part of this group. Only the Double Kill that Chris talked about, the 8174 is being exploited in this particular group. Apparently the other one doesn't apply to server 2012. It's a much older vulnerability. The operating system is slightly different. So just be aware, this is the monthly roll up for server 2012. And then there are no known reported issues with this.
 
The security-only roll up, Chris, on the next slide for 2012. Again, covering the same set of vulnerabilities. These are the, you know, the only the security patches for this particular month. So, again, if you are using the security-only model, make sure you apply regularly every month.
 
Next slide. We'll talk about the other group of operating systems. Windows 8 and Server 2012 R2. In this case, there are 11 vulnerabilities again that are addressed this month. And, again, addressing the Double Kill vulnerability that we talked about under CVE 8174. You know, it's interesting that, you know, Microsoft pretty much addresses the same set of vulnerabilities across all these old operating systems every month. There are slight variations, so be careful when you look at the CVE numbers, but for the most part, there's probably about a 90% overlap in the CVEs that are addressed each month. In case you're wondering why we talked about the groups of operating systems and why we grouped them by bulletin is because of the operating system kernel that Microsoft uses. So Windows 8.1 and Server 2012 R2 are essentially using the same operating system kernel. And as a result, the same attaches apply to both. this particular bullet and shows this security-only updates for windows 9.1 and Server 2012 R2 same set of 11 vulnerabilities that we talked about earlier.
 
Next slide, Chris. Moving on, there were patches this month for exchange server. Again, rated critical because of the possibility of remote code execution on the box. A number of KB articles that were addressed. There were five vulnerabilities patched. It does cover from older version 2010 through 2016. So just be aware if you are patching your exchange server, you wanna make sure that you apply these latest patches.
 
Next one, Chris. Also this month, regular security updates for Microsoft office. You'll notice this month compared to last month, Microsoft did not go back to the versions of 2007. So those of you who are running really old versions of Office, there were no patches are released for those old ones this month. We'll see if that's a trend that Microsoft is finally actually gonna drop support for those. This goes back to 2010, does cover a 2016 for Mac as well. Most of the common applications that are used in Office this month, there were 20 different KB articles as well as a release note for the Macintosh release. They did address 10 vulnerabilities. All these CVEs are internal. They were not publicly disclosed or have been known to be exploited. So that's the reason this one has been downgraded to important.
 
Next one. As usual, Microsoft has continued to provide updates for Office 365. Again, a smaller subset of the vulnerabilities that were identified for Office in general. Only seven vulnerabilities this month. There, you know, of course, these are typically applied under the click to run model. Microsoft does have the webpage that addresses all the updates. I've included it here if you wanted to take a look at that regular updates that are coming out for Office 365. And, of course, it only applies to Office 2016, which is the latest release of Office 365.
 
Next one, Chris, because it does automatically update. There were updates this month as well released for SharePoint server, covers versions 2010 through 2016, I think the only other one in there as 2013. Be aware, it's addressed five different vulnerabilities. Again, this one's rated as important. If you can't get to this one quite in time, it's more important that you get the critical ones out there, but be aware that there are updates for SharePoint server this month.
 
Microsoft did release updates for Microsoft.net this month as well, covers .net framework 2.0 through 4.71. So they're covering the full spectrum of releases there. A number of updates there, two different vulnerabilities that were addressed. One has to do with security bypass that could bypass device guard. So be aware of that. You might wanna take a look and read more about that in the bulletin. And the other one is the ability to circumvent the user mode code integrity policy on the computer. That's the second vulnerability there at 1039. So be aware of that as well.
 
There are a whole series of updates, very specific to each one of the releases from 2.0 through 4.71, so they will be, of course, selected and applied and as appropriate for your operating system when you do the update. Be aware that you don't have to do a restart for these to apply as long as there isn't an application that's using .net at the time it has it locked, so you can update and not have to worry about rebooting for the most part when you're updating your .net updates. Microsoft is using the monthly roll up and on the next slide, Chris, the security-only model for these .net updates so you can be aware of that and apply as appropriate as well, same vulnerabilities or are being corrected in both case.
 
Next, Chris. This month there was a one non security update that was released in bundled. It wasn't by Microsoft, under Power BI. Of course, we recommend that, you know, that you do a grab these non-security updates and apply them as well because there are, there are bug fixes and feature updates as well. With that, Chris, I'll turn it back over to you. 
 
Chris: All right, thanks Todd. Just to give everybody a heads up on some other things that came up throughout what we call between the Patch Tuesday, there's often a lot of updates that come out. And as I mentioned before, that's why a lot of you subscribe to our content announcements. There's a steady stream that's always coming out. So this month two new product support items that came out, we did add support for Windows 10, 1803. Now, that was adding detection support so that we were prepared for Patch Tuesday to be able to detect any new updates that need to be rolled out for that OS and also being able to detect that OS and determine what additional updates needs to be applied. We are adding the support for the branch upgrade here shortly. I saw that Brian already answered the question in the Q&A for somebody else already, but I'll make sure to mention it for everybody there. This will be supported here fairly quick, unless we find any major issues with it. You should be seeing that in probably the next week or two here.
 
Java runtime environment can is out and available and had its first update as well towards the end of last actually just I think a week ago. So 10.0.0.1 was already released for Java runtime time. You could see there's a number of security and non-security related updates that came out as well. Several of those, you'd have CVE information and just to kind of go through that, we had updates from PeaZIP [inaudible 00:43:44] SeaMonkey was resolving. 7-Zip had a single CVE here, but it was one that was identified in proof of concept code where there can be different types of attacks that could work there with raw formats archives. So that if you're running 7-Zip throughout your organization, it was a difficult vulnerability to exploit, but there is proof of concept code out there for that.
 
Google Chrome did have a critical CVE resolved in their latest release there. So make sure that chrome is getting updated structure environment, and we have Foxit phantom and Foxit reader updates. So for those of you who have turned to PDF alternative. If it's Foxit, you've got six vulnerabilities to resolve as well. So go ahead and get those updates rolled out.
 
All right before we jump into Q&A one last plug for interchange. Interchange is Ivanti's corporate show where it's going to be happening next week in Dallas. And Todd and I will be there. So we'll have a number of...Oh, yeah, absolutely. We'll have a number of sessions, a product also industry related. We're gonna do things like a patch management best practices. We're going to have a lot of hands-on lab, bootcamps. You all have access to all of our product experts, PMs, SEs, a variety of different people there. So if you're interested, details here. All right. I have done my part for marketing.
 
Q&A. It looks like we've got some very active conversations going on out there right now. I'm gonna go through and recap some of the high level one or the most notable ones here? And we'll continue to work through some of the questions here.
 
First one, we'll go, we'll go hit this one up just because it's very recent. 1803 updates, a question from Alex asking if there were any issues being seen so far. He's deployed the two computers now and it's froze both of them. Just a blank screen after login. Alex, sorry to hear about that.
 
So Brian did have a couple of early tests with this and it's been pretty successful, but our environments are fairly clean. We have a lot of applications loaded up on these things, but we can only customize them so far and catch so many edge cases. I would say that I'm approached with caution right now. You know, make sure that you're getting a solid test, done a few test environment systems first before you go rolling out to too many users. But, yeah, I would say that so far our internal tests have been fairly clean.
 
Let's see. Shelly responded back, "1803, we're having to uninstall AB product before it will install." Okay. So, and, Shelly, I'm not sure if you...can you respond back with which AB vendor you're utilizing there that might be good for the audience to know if you have a chance to just so we can share that. Again, from our internal tests, the environments that we did it on, we're fairly clean, but that doesn't mean there aren't issues out there. If you recall, the Creators released, Microsoft broke even some of their own things like Powershell and a few other things like that that were broken right off right out the gate. So our recommendation is definitely to start investigating, but it sounds like already two people out of this audience are seeing issues. So it's, you know, it's not perfect yet, of course.
 
Let's see. "Can we finally install maze cumulative and not have to install the separate nick patch?" So Brian's response on that one and I think our best guidance yet is to push the updates. There was the nick updates that many of you are very aware of, painfully aware of. We can confirm that the 4099950 update that resolves the issue will still successfully deploy after that make [inaudible 00:47:56] is applied. Our recommendation is to make sure that 4099950 is across your systems and then deploy the cumulative otherwise, you may have to test that first and confirm in your environment if it's still having any nick behaviors. We haven't seen major issues related to that on our end. We monitor a lot of different channels for our Patch Tuesday content. We haven't seen people complaining about it still, but that could be because most of them have pushed out the non-security bugs fix as well. So there's the non-security update will still install. Chances are it's just a good precaution. All right. 
 
Brian: To that add to that, I just tested it on one of my [inaudible 00:48:50] environments with the May update and it didn't re-add the nick. It preserved my static IP, but, again, it's still a heat on the side of caution.
 
Chris: Okay. Thanks, Brian. Okay, follow up on those nick issues. I think we've covered that. Pretty good. Brian had a question about Visual Studio patch that came out. He was installing on a dark corner. And Brian, Ryan Seacrest, I think we had a couple of exchanges back and forth here. This is a large multi gig installer, right? So what they've done is they've got a stub installer is that...will work or pushing out currently?
 
Brian: Yep, that's correct. There's not really a full installer with a Visual Studio 2017. There's some options where you can download the binaries locally, but in terms of like the O365 group policy where you can kind of point to a local area, I haven't bought a lot of good documentation around that at the moment. That's kind of one of the issues with the, with an air gapped environment right now.
 
Chris: Got It. All right. Question around...Oh, this was about the 1803 branch upgrade yet we're working on that. It will be released here soon. Bob had a question about enabling the spectrum of variance two mitigation. "Is there any KB that needs to be installed first?" Basically if you got, you know, the monthly is pushed out between January and now, that puts the mitigation in place. So running that new or that KB, that released just a couple of weeks ago here to turn on the mitigation again, will work. I would say the, you know, the way to make sure that you're at the latest of any of those micro changes is obviously to be at April or May and then push that update out. But it will turn on that mitigation for anything January and later. All right. That was more with about the Visual Studio.
 
Todd: Hey, Chris?
 
Chris: Yep. 
 
Todd: Sometimes we get some questions around, you know, why haven't you released to given patch or where is this, this patch? One of the things we should probably point out about Patch Tuesday is that although the bulletin come out first thing, usually, you know, noon central time for us here and you know, we'll start putting together the Patch Tuesday information. A lot of times the patches themselves that are associated with those bulletins don't actually show up immediately for download. So, for example, we got pinged about Office 365. Where are the Office 365 patches? Well, they didn't actually get released by Microsoft until close to 10:00 o'clock central time last night. So as a result, we didn't create the content for those. So I just want everybody to be aware that things, although the information is available right away for the most part on the portal, the actual catalog of patches does not immediately show up for us or, you know, for everybody out there.
 
Chris: Thanks, Todd. Cool. Come on. So there's a couple of questions around the content announcements that I mentioned. I'm gonna send a link over here to everybody through the chat there, but let me talk through this real quick. So if you are on our patch for Windows product, you can go out to this xml announcements, signup here, this xml subscribed, SPX, it redirects you here, so don't be too concerned about that, but this basically puts you into that listserve. Again, it makes sure that it's a corporate email address in that your spam filters aren't blocking it. That's the best way to get through. Gmail is starting to block our communications there, which is one of the reasons why we're switching to a new format.
 
If you are on the LANDESK or Ivantoi patch manager products, the Legacy LANDESK product, there is a community page that you go to to subscribe to the content announcements there. Now, if you subscribe to this versus that methods, you're getting a slightly different variation of the same content. You'll see some additional underscore INTL like other things added onto it. But for the most part, those content streams are almost identical. If you are on our patch for SSCM [inaudible 00:53:25] product, you go to you can go to and subscribe to that via RSS feed from our...we have a blog that basically gets to those content subscriptions for people who want to subscribe via RSS feed is just one way to do that or getting your community page set up so that basically all of our content feeds for the different products, because there are some slight variations, are going to be getting a similar page to how the Legacy LANDESK product, the Ivanti patch management, we're just doing it, where you'll be able to go to that page, subscribe and receive via email anytime we update content to that community page. 
 
This is something that we're working on right now and we'll be releasing more detailed to you in the very near future on how to subscribe to those. But this KB article is the best way to get to those different subscription options. You can even follow our Shavlick xml on twitter and see those via tweets as well. So that gives you an idea of how to get at those content announcements.
 
All right. Let's see here. Trying to go through and see if we've got really good coverage on all the questions. There was a question from Dan about, "How do you disable the Javascript and Excel through GPO?" That's a very good question. I don't know if that article really talked about that much in depth. Now, this being fairly recent, official documentation from Microsoft to learn how to run Javascript from Excel, how do you disable it? I'm guessing this article probably didn't touch on that because it's supposed to be saying, hey, check out this new thing. Try it out. I would assume that there will be...Interesting. I don't know offhand where that might be in here, but I would guess that you may have to check Microsoft's KB articles. That'll be an interesting one to see here is how are people going to block that if they're concerned about it.
 
So content updates. I announced that one. So Devin had a question. Yeah, we did cover the zero days, so the Double Kills was resolved and there was another Win32K zero days. So push the OS updates this month and you'll resolve any of those zero days that were out there. So Shelly who had mentioned that their AB needed to be reinstalled after getting up to the latest branch, mentioned that she was on Kaspersky. So if you are running Kaspersky, it looks like the latest Windows 10 branch may need to uninstall and reinstall. We have, you know, had experiences with Kaspersky in the past where a new Mac and Windows 10 branch additions, they tend to have to add an update in there for their agent to run correctly sometimes. So that I'm guessing they'll be getting to a point here where that will update. And if you've got that on your pre 1803 branches after you upgrade, it should be fine. So one thing I would do there is probably go reach out to them and see if that's a known issue, and see if they're going to be releasing an update that will make that smoother. It has happened for them and a few other vendors in the past, but Kaspersky seems to be one where that happens more frequently.
 
Oh, so Scott had another issue that they've been reporting that they've been seeing is around 1803 incompatibilities with Intel SSDs. So another one to have a heads up around. Oh, and Shelly said she heard that the AB issue is the same for Symantec. So, yeah, I would say for right now again, make sure that your AB will continue to work afterwards, but I'm guessing many of the AB vendors maybe having to make some changes as the branch gets released.
 
Let's see. "Any thoughts on why Microsoft released in Emergency Patch for CVE 2018 8115?" Let's see. This guy was...Oh, the Windows host compute service Shim remote. This one...Yeah. They don't have any clear indication of public disclosures or exploits on this one. So it wouldn't have been that. The complexity is difficult enough that it shouldn't be an easy thing to exploit. My only guess on that one, it might've been in a private disclosure situation, if Microsoft doesn't respond within a fast enough time frame, the person who discovered the vulnerability may have disclosed it publicly. So the urgency around that since there's no other indicators here might have been that the true private disclosure, they were reacting within a certain timeframe to make sure it didn't become a public disclosure. That happens from time to time. So that's the only thing I can think of offhand, Michael, that might've been why they did that.
 
Let's see here. Trying to just read through and see if there's any more major ones that. Yep. So, Scott, we talked about the content updates that, you know, back to this KB article, you can subscribe there. "Recently deployed Office 365, how often will Ivanti display updates patches?" So, Bill, same thing we do for regular office patches, as soon as they release, we will add that to our content as quickly as possible. As Todd mentioned a little bit ago, Office 365 has been releasing late into the evening on Patch Tuesday. So we've been responding on Wednesday with an update to those pretty typically. It already happen for April. It happened again this month. So again, we will respond and get that Office 365 update out as soon as we possibly can once it's made available. For security updates, we tend to read, you know, try to target, release into our content within 12 hours of release for vendor, you know, but we'll obviously work as hard as we can to stay as close to that as possible.
 
All right. Oh, so, JT, the Powershell issue I was talking about this one, goes back to the Creator's update that they did in 2017. That one was the one that they broke Powershell when that went updated and it got fixed a little bit later. I haven't heard of any Powershell with 1803. That was the previous one. I was just using that as an example to, you know, the kind of putting the, a frame of reference that, you know, nothing's off the table. Even some of Microsoft components may break after upgrade in some cases. So definitely this early on, I would say make sure Whiteglove do some thorough test environment testing around it and start to roll out to your test user groups, your early adopters if you feel that everything's looking good there.
 
All right. We're a little bit over on time here, so I'm gonna roll through and see if I can answer any more of these fairly quickly. So Windows 10 stopping Windows 10 from using Windows update. There have been a number of articles released since windows 10 in originally went out on disabling the updates through GPO. You know, home edition doesn't respect the GPOs at all. There were a few points where pro also did not respect those GPOs, but the, you know, their customers complained and Microsoft relented and made sure that those things were behaving properly. But GPO is the most effective way that we've heard that those...to block from updating on its own. I have heard in some cases that, you know, if that GPO did not take on a system that some people have had to go down there and, you know, kind of a tweak that GPO to kick in and pick up, kind of force it to take down the changes and it would work again. But that I haven't heard of cases like that in awhile. So GPO is the most effective way. 
 
All right. Ron had a good question. "What level of product is Ivanti Patch for Windows considered? Legacy?" I'm absolutely not so I can tell you without a doubt that the patch for Windows product and Ivanti patch manager are and patch for SCCM are all going to be moving forward. In fact, some of the...spoiler alert for those who are going to Interchange, I'll be talking about this next week in my roadmap discussion, but a patch for windows. Our Q4 release this year is going to include several things cross-platform pack support, the inclusion of our AC and privilege management capabilities from the absent side and all of that coming together in a new product that will be called Ivanti Security Controls. And we will be having additional features rolling into that. And, again, that will be one of our kind of two major go forward platforms for the security product lines. For any of you who are on a product other than the, about the Ivanti patch manager or the patch for Windows products, again, we will have ample opportunities to be able to migrate over to the go forward products. There's no urgency to do that. You'll actually be getting zero migration. We'll be able to guide you through those processes. We're gonna actually gonna have some communication coming out here, post Interchange around those migrations.
 
So if any of you guys are on sort of Legacy heat products or have any other questions about that, please let us know. But absolutely, we will make sure to get you over to the go forward products. There won't be any immediate end-of-lifes on those products. So again, don't, don't feel like there's some clips that you're about to come up to right now that's gonna be waiting for you there and we will have ample opportunity to move over at the right time for your organization on that as well. But good question, Ron.
 
Actually Thomas responded back on the Javascript and Excel issue. He said that you'll need to block the repositories URL for custom functions. Custom functions by default are enabled, disabling them will kill macro creation. And I'm guessing, to Thomas's point, right now, there may be some more difficult ways to block that, but I'm pretty sure that in the very near future here, we'll see some creative ways for people to block that type of behavior. So definitely something to keep an eye on.
 
So, Dan, good question. "Where is the presentation going to be available at?" So if you go out to ivanti.com, under our resources section, you will see...Come on, Patch Tuesday. And under here, you'll see all of the upcoming webinars so you can register for, you know, June will be going up there fairly shortly. You can see past webinars. So right now you see that May, we've got the infographic and blog, you'll be seeing presentation and webinar popping up here as soon as Erica has a chance to do that. Yep.
 
All right. So, yes, there will be recordings available. We just talked about that. Thomas had a question of, "EMSS Patchlink will eventually migrate to this?" Yes, Thomas. That's the direction we planned to go there. You will be getting an ample communication and you will have ample time to move over. There will be no cost to that migration and you will get several new features along with the capabilities that you have today. So more details on that will be coming very shortly. If you want, please feel free to reach out to your rep or to me directly. We'll be happy to get one of our product managers to jump on, do a more in-depth roadmap conversation. Talk to you about how this is all going to shake down. But our goal is to get as quickly as possible back to the point where we can start to drive more interesting things.
 
Actually, in the coming months here, I'll probably be doing a couple of teasers as far as additional content that will be launching with our cloud platforms. We're gonna have a hybrid model where you'll be able to take advantage of both on-premises and cloud features together. We've got over 15,000 patch management customers worldwide across our products. With that, think about all of the different comments that you guys passed over today. Just about the 1803 branch upgrades. If we had a better way to drive that level of community intelligence all out to you more programmatically, a place where you can go and look at a dashboard and see, "Hey, 1803 branch people are testing it. Here's how they're rating it. Here's the risks of pushing it out here. By the way, here's a list of comments talking about, 'Oh, yeah, I had some problems with my AB or it had some problems with a this or that.'" That's the type of experience we wanna drive here and we're working actively towards that.
 
So there will be a lot of cool things coming and...Oh, Thomas, you're going to be at Interchange? Absolutely catch me while you're there and, I do have some one on one time available yet, so if you not already checked the schedule there, you can schedule some one-on-one time with me as well or Todd and, we can go into more detail on that. All right.
 
Well, everybody, thank you for joining us for this latest installment of the "Patch Tuesday" webinar. As always, it's great to see such a large and active base that's interested in knowing more about, you know, what we're offering here that makes it worthwhile and make it so that we'll definitely keep on doing this. So thanks for your participation. Thanks for all the great questions and we'll see you again next month.