October Patch Tuesday

October 10, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Todd: Well, good morning everyone and welcome to another presentation of Patch Tuesday here. Today on this you have Todd Schell and Brian Secrist on the line. Chris has been traveling again, so he's not gonna join us today.

Brian, how are you doing today?

Brian: Doing well. How about you, Todd?

Todd: I'm doing great. It was a bit of a relief, we had actually a fairly light Patch Tuesday yesterday, but we have a lot of announcements, so we're gonna get started.

As usual, when we go through our agenda, we're gonna be talking about Patch Tuesday for October, quick overview, we'll jump into "In the News" and cover, kind of, some events there. Brian is gonna cover that portion with us. Then we'll move on to the bulletins and all the patches that were released yesterday from Microsoft and third-party vendors as well, and finally, we'll jump into our Q&A session and answer any questions that you may have.

This session is being recorded, it will be posted to our website in the next 24 hours or so, and you can answer or request...or send in questions I should say, through the Q&A panel in the Webex, or in the chat session as well. And we'll try to keep up with those throughout the presentation and grab any loose ones at the end. So, please, if you do have any questions, let us know.

So moving on to the overview session very quickly, yesterday Microsoft released a number of bulletins, kind of light, like I said. There were 14, the way we break them out here at Ivanti, and we'll go through those in detail a little bit later on, play all the common operating systems. There were also some for Office as usual and Office 365, SharePoint Server and Exchange Server, that kind of makes up the 14 bulletins that we have there.

What's kind of interesting is that the vulnerabilities that showed up in all of these updates were user targeted, so you can see out there at the left-hand side that, you know, all these were exploited via, you know, people sending...people or malicious software sending notifications to a user that they would have to click on to engage in the exploits of vulnerability.

There was one zero-day reported, we'll talk a little bit about that, Brian will cover that in our session as well. And there was one publicly-disclosed vulnerability as well.

Apple did release a major update for iTunes that we'll talk about, they addressed quite a few vulnerabilities in there as well.

Interestingly enough this month, we did not see a security release of Flash Player. There was a release by Adobe, but it was mostly some performance enhancements, nothing from a security perspective. So that got moved down into the other category this month.

So with that, Brian, I'm gonna turn it over to you and I'll let you cover kind of some of the things that are in the news.

Brian: All right, thank you. All right, let's...

Todd: You want me to change over here? I'll give you control of the screen.

[00:03:10]

[silence]

[00:03:30]

Todd: If it will let me. Come on. There we go.

Brian: All right, let me do the same thing. All right, can you see it?

Todd: You're good.

Brian: Perfect. So, what we did, just a few articles, some covering some malware out and just some good stuff in there. The first one is, for those of you that use Google Plus, I'm not sure who you are, but if you are, Google is shutting down Google Plus after an exposure to 500,000 users' data. This is a pretty serious data breach, especially by Google, which is kind of a shame to them even with their Project Zero Day and the amount that they tend to call other...call the vendors out. This definitely reached headlines.

One of the most interesting things as the bug was discovered, it was quickly patched but they did not reveal the flaw initially due to some of the blowback they might have got from that. So, really interesting for there, but just a fun one for...once another data breach. I mean, they're happening every month now.

So, next is McAfee released their quarterly malware report. So some of the interesting highlights from there is cryptocurrency mining is up on the rise. So, where last year it was definitely the ransomware, this year definitely appears to be the cryptocurrency mining.

Kind of interesting about cryptocurrency mining is unlike ransomware which obviously you're gonna find so easily, because your data is being held hostage, a lot of the cryptocurrency malware can be hidden for a long time, just burning your hardware out and raising your electricity bill and pulling down your systems. But otherwise, it can be very hard to find if you don't have the telemetry on your endpoints.

The other notable one of course is exploitable, patchable vulnerabilities rose a whole 151%, which is very high. So, to look further into it, we will provide the link to the full malware report, but some of the interesting facts that we saw is...Let me find a few of them. Mobile malware is, of course, coming up. Ransomware is actually on the decline, where the big one is...will of course be for patchable vulnerabilities, and then last but not least the cryptomining malware is just...is incredible the amount that it's growing.

And then the other one that was interesting is attackers using LNK shortcuts to get into systems. Some are those user-targeted systems that could be remediated through abrogation control.

Next news, WannaCry is still running around, but this time it's using relevantly enough for cryptomining.

So, of course, WannaCry was an early 2017 vulnerability targeting SMBv1, and the vulnerability was MS17-010, and it was one of our largest attacks last year. But for...there are still endpoints that are not patched and they're still getting hit through some of the...Some of the most common ones are for example domain controllers, switch suspensions, and a lot of those systems that they can't...that you can't afford downtime on are still vulnerable. So, just a reminder that WannaCry is still out, it's still...you're still vulnerable to it if you're not fully patched.

Following the theme of new malware, another piece of malware called XBash is a really fun, almost malware suite. It has so many capabilities that ransomware, cryptocurrency mining, it has a self-propagating worm, and also a botnet when running on Windows systems I believe.

So, for self-propagating worm, just like the previous one, it's using MS17-010 to propagate throughout the system, and it also, of course, will run ransomware I believe on Linux systems, and then cryptocurrency miner for Windows systems. So, it actually uses the Windows systems to propagate further, but it's fully cross-platform which really makes it a unique one.

Finally, this one really caught my eye. It's the first ever in-the-wild UEFI rootkit. So, we're UEFI, of course, should be more secure. This was the first one found in the wild. They believe it was created by some of the Russian organizations, Fancy Bear, APT28, etc. And making sure that your systems are configured with Secure Boot would remediate this, but one of the things that because it's an UEFI, even if you relode the OS, etc., it will just keep reinstalling itself, just like the good old MBR rootkit that we've dealt with for so long.

So, is one, kind of, those reminders that a lot of times getting that Secure Boot configured on your systems can be pretty frustrating. It's maybe worth looking into that secure configuration.

All right Todd, let me...

Todd: We can jump back over to the slide deck.

Brian: Jump back over to the slide deck. There you go.

And for those that are asking questions, of course, I'm usually answering questions right now, but I'll be happy to answer them right after I finish my section.

Todd: Okay, you can see my new Microsoft announcements, Brian?

Brian: I don't quite see it yet.

Todd: Oh, hang on a second. Let's just make sure I'm sharing.

Brian: There we go, I'm seeing it.

Todd: All right. All right, we'll jump forward. There we go. Oops.

Brian: All right. So, per one of the questions in Q&A, Server 2019 and Windows 10 1809 released I believe a week right before Patch Tuesday in October 2nd. Shortly after during the weekend it got pulled. Some of the major issues are it will delete your user profile, which actually happened to me on this specific...the laptop I'm presenting from. So, heads up for those that might have deployed that. It didn't happen on my other computers thankfully, but it did happen on this one.

The latest update for 1809, there was one released today and we'll be going over that. Looks like it did remediate this. However, I...it will hopefully be including that in the latest ISOs. They did pull the ISOs MSDN, just a heads up, so I guess we wait until that next release.

1809 also is the first version of Windows 10 that has these new LCU updates. So, of course, the Windows 10 cumulatives have been getting larger and larger and larger, for example the 1507, the LCU v2015 patches are well over the gate now, and then starting at 1607 Microsoft began releasing the standalone deltas, where if you were N-1 one back between Patch Tuesdays, you could deploy those, and those were a little bit smaller, and then more recently for their SCCM, they'll such [SP] environment, the express updates were provided to basically build a delta for each respective build on your endpoints.

Unfortunately, that really increased the amount of storage necessary to make that possible. So, this is their next approach with the LCU update and it was a very small update, my testing. It installed extremely fast, but I guess once we're three-four months out from here we'll see if we start in any issues.

To give a little more detail, the LCU update is supposed to roll each file that it's updating back to its base RTM version for that feature upgrade and then patch it up, as opposed to doing a delta off of that.

So, ideally it shouldn't cause any problems, but it's more of a heads-up there that if there are shared files, that they could be an issue. That's just speculator, but we'll just see if we run into any issues in the future.

Next slide, Todd?

Todd: Yup, moving on.

Brian: So, some of the stuff that happened over September after Patch Tuesday. Last week Microsoft released an update for Visual Studio 2015 Update 3. This replaced the update from September Patch Tuesday. It is a brand new KB and they didn't mention specifically what was changed, but I believe it's for full remediation of that respective CVE-2018-0952. So, just a heads-up there, if customer...if you have a 2015 Update 3 environment, you may wanna get that out as soon as possible.

Usually, I don't mention the Microsoft non-security releases, but this month, a couple days right after they...Microsoft released...rereleased for 1709 and 1803. They mentioned that they were missing solutions, they didn't mention specifically what was missing or what issues it could cause, but just a heads-up there that if by chance you released, you patched the last non-security, that rerelease did come out.

So, of course this latest cumulative should include those fixes, but if you are running into any stability issues, that could be the reason.

Notably, the dot-net non-securities that were the quality previews that were released last month, did get rereleased as a security and quality update. The KBs changed but actually the binary hadn't in our investigation. So, just a heads-up, if by chance you already released those quality...you already patched with those qualities previews, you shouldn't need this latest one.

Going on to the vulnerabilities, of course zero-days CVE-2018-8453. This is a kernel-level vulnerability that an attacker should be able to run over through a code, through a kernel, which he definitely access a lot of stuff through that. They're actually not raising incredibly high vulnerability, isn't that correct, Todd?

Todd: Yeah. I mean, Microsoft only rated it as important, which I thought was kind of interesting since it was a zero-day and it's known to be exploited.

Brian: Either way, vulnerabilities, of course, can be classified a certain way. An isolated environment, but especially if it's a zero-day, other vulnerabilities could be used in conjunction with this to get into a system. So, please don't underestimate the vulnerability knowledge marked as important.

The next vulnerability, this is a publicly disclosed one, is 2018-8423. So, this vulnerability can be exploited when a user owns a malicious Microsoft Jet Database Engine file. And now this patch will be fixed by changing how Microsoft Jet handles objects in memory. It's not really rated that high for exploitability index, but simply adds up when they're publicly disclosed.

Todd: Yeah, both of this from a CVSS scoring perspective were in the seven range. I think the previous one, the actual zero-day was 7.0 with the base score, and this one was 7.8. And like I said, Microsoft rated both of these as important. So, kind of interesting there.

Brian: Absolutely. All right, and now that we're reaching October, it's good to review the Windows 10 lifecycle.

So, with 1809 coming out, well, got pulled but should be coming out again. This is the last update for 1703, if you're running a Home Pro or Pro for Workstation. If you do run Enterprise and Education, you're still good to go till October 8th for 1703.

For 1607 of course they moved from the 18-month to the 24-month support cycle, so you're still good till April 9th for 1607.

This is not to be confused with Server 2016. That will still be supported for long-term servicing, which should be I believe 10 years. I don't have the exact date there. But that will be the same for your LTSB 2016 as well. That Windows 10 LTSB 2016.

Todd: You should make note too that with the 1809 release, the third version of the LTSB channel will be released as well there. Right, Brian?

Brian: Yes. And just to make things more confusing, it's no longer a Long-Term Servicing Branch, it's LTSC, Long-Term Servicing Channel. So, just keeping us on our toes. But yeah, Windows 10 LTSC 2019 did get released, that is a standalone license. So, not necessarily you can upgrade from 2015 or 2016 to 2019, but it's its own standalone license. Just a heads-up there.

Next. We mentioned this in the last couple presentations, but just a heads-up. We are just reaching month three, our weekly patch blog. I go over what strange vulnerabilities are released for the month or for the week that can be third party such as Chrome, Firefox, etc. It can also be rereleases such as the ones that I mentioned for Visual Studio, etc. And a lot of those news articles I went over, I mentioned as well.

Aside from that, I also do go over any other content we release for the month...for the week, even if they don't have CVEs.

So, if you do go to ivanti.com/blog/topics/patch-tuesday, you can see any that I post. I post every single week, except this week for Patch Tuesday because we cover most the data here.

Todd: Yeah, we wanna thank all of you for coming out to this too. I mean, obviously, our digital team is watching, you know, what sections of our website are being accessed, and there is definitely a high interest in Brian's blog. Because, you know, it's hard to get a summary, kind of, of what happened throughout a week if you have to go out and look for this information yourself. So, thank you all for coming out and visiting that site.

Brian: We have moved to a new Patch Content Announcement System, just a reminder there. If you go to the link above, if you could post that, Todd. I don't know...I'm not sure if you have that available. That will be a page I'll allow...that page will walk you through how to subscribe to all of our different content feeds. Whenever we do post there you'll get an update. And this does replace our Listserv, as our Listserv has been...has some issues because it's an older technology, it had some issues not getting past spam folders, etc.

Actually, Todd, I'll let you take this one.

Todd: Sure, no problem.

A couple of quick product announcements, and we did this last month as well. Patch for Windows 9.2, basically it's been out there for quite a while now and the final update was provided last...I mean, last year, back in August of last year. We did mention last month that we were going to stop providing content for that, and we are end-of-life in that. However, we have extended it through the November Patch Tuesday.

But for any of you out there, of our customers that are running 9.2, please, please, as soon as possible, upgrade to 9.3. A lot of new features, a lot of new functionality, and there is a change in the content between 9.2 and 9.3. Just wanna let you know that.

Also, we noted last month that we did go through Common Criteria certification for patch for Windows 9.3 update. One is EAL 2+ certified now, and that information is available on our website as well. Just wanted to let you know those two facts on our product side.

So, with that, Brian, I'll let you answer questions and I'll jump into the bulletins. Let's talk about what Microsoft released this month.

First up is Windows 10. As usual and as expected, they addressed the most number of vulnerabilities, 33. There were 49 unique vulnerabilities that they addressed across their entire portfolio this month. Thirty-three of them as I said were fixed in Windows 10.

The two CVEs that we talked about earlier, 8453, that is a known exploited zero-day, as well as the publicly disclosed 8423 with the Jet Database Engine, are both addressed in the Windows 10 updates. So, kind of be aware of that.

There was one known issue as of the publishing of the information from Microsoft yesterday. Not surprisingly, it's associated with Server 2019 and the Key Management system. Looks like it's kind of an edge case to me, talking about applying 2019 Key Management keys down onto a Windows Server 2016 host. So just be aware of that. But it's one thing that they noted and they said that they are working on this.

One other thing that Brian saw this morning, is that the latest updates for 1806 were released, and there were a number of comments below the article talking about how Hewlett Packard systems, in particular, were going through blue screens. Brian, anything to add there on that?

Brian: Yeah, I can. So, this is for...just to give a heads-up, this is for 1803.

Todd: Sorry, I said 1806, didn't I?

Brian: No, that's all right. There's enough numbers out there.

So, for the 1803 cumulative update, customers are getting blue screens with the stock code "WDF_Violation." The specific fix that customers have said is under...by deleting driver HpqKbFiltr.sys. I will post the article from Bleeping Computer in chat so you can see. It's in the comments. It's worth the...I mean, if it was. But just heads-up for those with HP systems, which I'm sure there's plenty.

Todd: We love Windows 10, don't we?

Brian: Don't we?

Todd: Yeah. Okay, moving on. On the Internet Explorer side this month, there were two vulnerabilities addressed, 8469 and 8491. Both of those involved the possibility of remote code execution.

Interestingly enough, if you were going through the security updates guide, you'll see that it addressed only IE 11 or at least it flagged it as such. But if you take a deeper look at the cumulative updates for example, there were updates there were for 9, 10, and 11 across the various operating systems. So, be aware of that as well, the cumulative update does address the usual set of operating systems.

One thing that we don't really talk about though is these cumulative updates also include, believe it or not, updates for Internet Explorer 8 on some of the older point-of-sale systems. So there are some additional updates out there that you should keep track of as well for some of those older operating systems.

Going now into the legacy operating system updates. Microsoft continued the pattern that they did last week whereby they...last month rather where they are now providing a monthly rollup as well as a security-only rollup for Server 2008.

Unfortunately for like the next eight slides here, I'm gonna sound a little bit like a broken record. Across all these operating systems, they addressed 14 vulnerabilities and the list is fairly common, slight variation of one or two vulnerabilities based on operating system type. But you can see that they did address...provide security updates for a number of components including Media Player, Office Graphics, Graphics Component, Windows Storage and File Systems and the Jet Database Engine that we talked about earlier with the publicly-disclosed vulnerability.

So, number of the impacts are pretty common across all these as well, looking at remote code execution. There's a security feature bypass as a result of one of these vulnerabilities, elevation of privilege and information disclosure. So just be aware of that.

These updates were essentially addressed across, like I said, all the legacy operating systems.

So first off here is the monthly roll up for Server 2008, they also released a security-only update for server 2008 as well.

And kind of as I say every month, there are two approaches to patching that Microsoft has provided us. The monthly rollup is kind of the equivalent of the cumulative patching for Windows 10, whereby they're combining the updates from all the previous months into one single cumulative update, so that when you do apply it, you get their latest updates basically for the last, well, you know, two-and-a-half years now. Whereas the security-only update includes only those security patches for the last month.

So, you know, be consistent in the way you do your patching, depending upon what you need to do. You know, if you're only concerned about security changes to your environment and you're not worried about enhancements to applications and performance and some of the other things that are included as part of the cumulative rollup, you can apply those security-only updates every month.

So just be aware, there are two approaches to patching. If you do apply the security-only, you have to regularly apply them every month to make sure that you get the latest and greatest. And you have, you know, all the patches that you need applied to your systems.

Next group are related to Windows 7 and Server 2008 R2. The monthly rollup does include the IE vulnerability fixes as well. So, you'll see down below there I include the 14 that were addressed. I do not show the two IE vulnerabilities that were shown earlier on the Internet Explorer slide. Again, basically fixing the same set of vulnerabilities that I talked about just a second ago.

There is a known issue with the Windows 7 monthly rollup patch. This particular issue has been carried forward now for four or five months at least. Has to do with losing a device driver...I mean, a network device driver.

They walk you through the process here to reinstall the drivers required basically after a scan and then go in and reapply.

So this is a known issue, it seems to me that they're probably not going to fix this because it is rather old and they are carrying it forward month after month after month. So, just be aware of this particular issue.

And it is only for the monthly rollup for Windows 7 and Server 2008 R2. The security-only update for this particular operating systems do not have this issue. So, again, these are the security-only patches for this month for Windows 7 and 2008 R2.

There are a set of patches for the Server 2012, again, a monthly rollup including the IE vulnerabilities. No issues reported around Server 2012. Likewise, the security-only update for Server 2012. Again, very similar, exact same set of vulnerabilities. But the security-only patches for this particular month, October.

And finally the legacy operating systems, we have the monthly rollup for 8.1 and Server 2012 R2. This one addresses 15 vulnerabilities, so there's one additional vulnerability that's addressed in here. And, again, basically, the same set of fixes, this cumulative update for IE is included with this, no known issues with this one. And finally, security-only. Again, the same group.

And you'll notice that I've highlighted the publicly-disclosed and the zero-day vulnerability in each one of these. So they are addressed and they are covered and there are updates for those.

Moving on to Office 365. Microsoft announced that they are doing a branding change this month. So you will see that it's now called Office 365 ProPlus. You'll also notice that now there's Mac...Office for Mac 2016 and Office for Mac 2019 as well. So they've changed up a little bit of their branding to make things consistent, is what they're saying.

This month under the Office 365 ProPlus set of patches, they addressed five vulnerabilities, some related to remote code execution and information disclosure.

I have changed up the link from previous presentations to go to the release notes now for Office 365 ProPlus. It's a good source of information, shows you all the updates by month and exactly which of the underlying applications they are going through and updating. So, I'll post that link here to our chat session in a little bit. Just to be aware of that.

Of course, they continue the regular updates for Microsoft Office. A lot of updates this month across basically all the components, from Excel through Word. You can notice all the versions were touched for each one of this, from the really old versions, back to 2010, through the latest for 2016.

Interestingly enough they did only fix five vulnerabilities but they were prevalent across all of these applications. So, although it's only related...only rated important, you know, this covers a lot of different applications out there within the Office suite. So, recommend that you do it when you get a chance and fix these particular vulnerabilities.

They did release an update for SharePoint Server as well, basically 2010, 2013, and 2016 were all covered under this. Five vulnerabilities were addressed here as well, just be aware of that. They're related to the Microsoft Office vulnerabilities as well.

And finally, the last of the important releases this month, there was an update for Exchange Server. So just be aware of that. It, again, covers 2010, 2013, 2016.

What's kind of interesting with this one, I put a note on the bottom here, Microsoft released a bulletin from 2011 that covers CVE-2010-3190. If you take a look at the KB articles associated with this particular update, Microsoft will tell you that this particular vulnerability was not initially in scope for Exchange Server when it was originally released. But with the latest release, they do require you to apply it across all versions of Exchange Server. So 2010, 2013, and 2016.

And they did in there that they were going to include it in the next cumulative update for Exchange Server 2016. They didn't say anything about the older ones, but be aware that you should apply this. You will be offered this separately as a KB update this month. So, just be aware of that.

Brian, anything else on that that you're aware of?

Brian: No, it was super interesting looking into that one, because that specific KB, it's simply just Visual C++ 2010 Redistributable, and you can really apply it to anything. So, we had to do a little bit of fancy, fancy work, and only basically detect exchange as a whole and get it applied there.

Of course, when the latest cumulative comes out for 2016, we should be covered, but they did not mention 2015 or 2017. So, this is definitely an interesting one.

Todd: Okay. Thanks, Brian.

Moving on, let's talk briefly what happened between the Patch Tuesdays. As we talked about it earlier with Brian's weekly blog, a lot of this information is covered week-by-week throughout the month in between the Patch Tuesday, but we summarize it here for the webinar. We did add new product support for Blue Jeans 2, Project R for Windows, which is a statistics package, and NVivo 12 was added as well.

A lot of security updates this month. You can see the list here of how many that were released for each one of these particular applications. And of course, non-security updates as well that we continue to provide support for. So, a lot of activity here in September leading up to Patch Tuesday.

For the last couple of slides of today's webinar include the usual updates with the associated CVE information for those vendors that do supply it. In this case here on this slide we have the Thunderbird and the Firefox releases, and you can see a number of vulnerabilities were fixed.

The big one though, once again from Adobe, Acrobat and Reader had a number of different updates depending on the different forms of these particular applications, and they fixed 86 vulnerabilities.

So, last month was light, but the previous month for August they also provided a large release, fixing a lot of vulnerabilities in Acrobat and Reader. So, make sure definitely that you're up to date.

I think, you know, although there are 86 listed here, well over 40 of these vulnerabilities are listed as critical. So you wanna make sure that you definitely update any Acrobat or Reader that you have running in your environment.

Likewise, some other major updates, Foxit PhantomPDF 9.3, and Foxit Reader 9.3 also went through and released some major updates. For each of these fixes, 42 different vulnerabilities. So, again, make sure if you're using these in your environment that you do provide these third-party updates.

And so with that, that completes kind of the main presentation for this Patch Tuesday. As I said, kind of a light patch Tuesday, kind of consistent as far as Microsoft goes, just patching the legacy operating systems and fixing basically those 14 vulnerabilities I discussed, and of course the usual Office and Windows 10 updates as well.

So with that, Brian, you wanna take a look at some of the questions and talk about some of them?

Brian: Yeah, no problem. I'm just gonna start at the top of the Q&A. I've answered most of them, but if I miss them, I should be able to, excuse me, cover them here.

So, to start at the top, kind of one of the first questions by Michael Bell, just wanna give everyone a heads-up that the servicing stack update that was released this month, there were two servicing stack updates, one for 1809 and one for Windows 7. The Windows 7 one has a known issue where you may find yourself stuck on stage two of two or stage three of three on the reboot. If you press "Ctrl + delete," it will bypass that and let the customer get into their endpoints, but for your end users, you may wanna give a heads-up if you're heavy on your Windows 7 on that.

The interesting thing about these two servicing stack updates is they were classified as critical securities. Of course they didn't have any CVEs, but nonetheless, we do classify them as such. So, just giving a heads-up that you will most likely be deploying those if you do a security-only release.

Mark did ask if anyone installed the 1809 update as I mentioned before. I did. I lost my user profile. Joke's on me. But hopefully, the new ISOs that drop hopefully this week will be good to go.

Just one second.

Todd: Brian?

Brian: Kevin did ask if the...I'm sorry?

Todd: I was gonna say, Brian, I just posted the Bleeping Computer release, I posted it to the chat section.

Brian: Perfect. Kevin did ask if the servicing stack update by Windows 7, he mentioned is not chainable in our content right now, where it installs one first or not.

Microsoft does recommend installing the services stack update in...for nearly all cumulatives before you install any...install the services stack before you get installed the next security updates. We have not made that the case because the patch does install, it does work. The only case that our servicing stack is completely required to continue is 1607 and Server 2016. We're kind of been doing that going forward. If we do notice stability issues, etc., I definitely believe we'll change our position on that, but that's currently kind of the way we're going about it.

Todd: Brian, you might mention that Microsoft also released a service stack update for Windows 7 this month, right?

Brian: Yup, that was the one mentioned at the top. So, with the issues of paying. Yes.

Next, Hector did ask that he's had issues with Windows 7 [inaudible 00:40:01] mail, and...Just a second, I wanna do...Oh, I actually...Sorry.

Hector said he's had a problem with Windows 7 docs [SP] just not able to get email. Any patches that I'm aware of that would affect Outlook.

In reply I was talking about this month's patches but he mentioned it was from last month's patches.

So I will say this year specifically I've had a lot of customers and forums mention a lot of issues around Outlook. I don't believe last month I had any Outlook-specific patch. However, the big thing with...you know, I'm just looking back. No, I don't see any. The big thing with Office patches is although they say, "Hey, this affects Outlook, this affects the suite, this affects PowerPoint," the components are shared so much between those programs that even if you have an environment with just Outlook installed, it there might be...and no Outlook patch was released explicitly, there still might be a handful of patches that were applied.

I hadn't read about any of that, Hector, but I'm actually gonna look that up after this because I'm very, very curious.

Streuman [SP] was asking bout his Windows submittings. He has been installing the cumulatives but he's afraid that he hasn't deployed all of the older patches when they were at a piecemeal system. If they are kind of all in one patch there.

Hate to break the news, but Microsoft was going to be a releasing a larger update that should have accomplished that. I have noticed that the newer cumulatives come up, sometimes they are covering the old ones, but not always. So, really the...as far as for Windows 7, the best behavior is to just do kind of a larger scan and how much time it will take. Just really get all the security patches in one patch group and just do a large kind of blanket scan to kind of figure out what's missing on those.

I found that to be best behavior for it. Definitely getting Windows 7 and 8.1 up to date from like a base image is definitely harder, and I have to say in defense of Microsoft's cumulatives, it does make things simpler, albeit a bit harder to control.

Adam Hurwitz [SP] did ask if Microsoft provides a spreadsheet with all patches available.

I did mention that Microsoft has the MSRC portal and they have a security guidance area, which lists all of the patches that they've released for each month. It's a pretty good place to go by.

It is only security. So for example when Flash, for example, released this month without any CVEs, that's actually within that group and any other non-securities can be found there. But, it will be just...it does give good insight there.

There was a question, "If I'm applying patches via groups, how do I identify which servers need which patches?"

So, in my experience, I've kind of just looked at the base common kernel. So, if it's Windows 6.1 or, like, for Windows 7, 2008 R2, and then your 8.1s will affect 2012 R2, and then Windows 10 2016, etc.

Because Microsoft has moved to these cumulative updates, really if it affects that respective OS, it really affect the sister server. I haven't really noticed much of a difference there. It's pretty much across the board.

So, if your environment's primarily 2012 R2 for your servers, just include the 8.1s in your patch group and you should be good to go.

Donald mentioned that he's having cumulative security updates for October 2018. Actually, server automation runs off of the catalog and we did get those to show up at our automation. So, could be your catalog settings. So, just a heads-up there.

Now I'm gonna get down to the questions I haven't answered. So, give me just one moment.

Shawn asks if there are any zero-day call-ups or patches that should be focused on immediately.

Hey, latecomer, yes, there was a zero-day that did drop, I don't know if I have it. They were in front of me. I think I do. No, I don't believe I have it straight in front of me.

Yes, there was a zero-day that affects nearly all OSs. It's a kernel update, so definitely make sure to get on that. It was...Do you remember the CVE number, Todd?

Todd: Yeah, it's 8453.

Brian: 8453.

Todd: And it's basically included in every KB for basically every operating system this month.

Brian: Yes. Lucida is mentioning that on 1803 she's experienced NIC cards being removed on Dell laptops. Ooh, that's a really good question. That's a really good question because, yeah, we...I'll keep it out for that one, just as...for everyone else.

Marcus asks if the feature on demand for Windows 10 1809 is lacking RSAT. Any other way to get them back.

So, I have noticed RSAT needs to be reinstalled every single time. Usually, that should be...there should be a download through the Microsoft site. There is a features on demand on ISO I have noticed on the MSDN, but you're mentioning that it's not on there anymore. That's a really great question, I'm actually gonna have to look into that one. Heads-up for RSAT for those that...heads-up for RSAT for those who do move to 1809.

Shelley is also mentioning that Outlook 2010 had issues for the September Office updates. So those there are a month back, just a heads-up. Otherwise, I think I...Did you see anything else on there, Todd?

Todd: No, there were a couple of things, talking about Adobe Creative Cloud and support for that.

Brian: Oh yes. Yes. So, for Adobe Creative Cloud mentioning that there were no Creative Cloud updates published through us at the moment. We're currently looking at that at the moment. Don't worry, we haven't ignored it.

So a couple issues that we noticed around it. Number one, Adobe Creative Cloud currently requires a sign-in after upgrade, after the last two releases. So currently if we do a deployment, it just hangs in the background because it's asking for Creative Cloud to be logged in. We're trying to figure some ways around that, but currently, we haven't found any major guidance.

If I can't see something, please post here, I will get on it immediately, but we have contacts, they'll be asking for further guidance around customers that are doing automated updates and deployments, and currently, we're not finding much around that.

I hate when my hands are tied by vendor changes there, but I hate [inaudible 00:48:07] many times every month. And usually we can work around them with some fancy deployment logic, I can't say I've...we've found much here at the moment.

Anything else you see, Todd?

Todd: Well, Sam was asking for me to repeat the patching approaches that we recommend based on Microsoft's updates.

So, real quickly, basically Microsoft offers two different versions of updates. They offer a cumulative update across all operating systems including obviously Windows 10, which is totally based on a cumulative update. Whereby you apply one update and you get every update that's been released in the last two years basically. So that's kind of one model.

The downside to that is that you're getting everything that Microsoft decides to roll into that cumulative update. It includes not only security fixes, but includes, you know, a lot of other additional operating system changes for performance enhancements and things like that. It's not a bad thing, it's just the approach that Microsoft has taken with the cumulative update.

The other approach you can take the patching is if you would like to maintain more of your system configurations and only update the operating system for security. Microsoft offers a security-only update with just the security patches for the previous month.

This is not available for Windows 10, Windows 10 is cumulative only, but for the legacy operating systems, and I'm calling legacy Server 2008 through basically Windows 8.1 and Server 2012 R2, all of those operating systems updates are available with security-only patches. The thing about those patches is you have to, I'll say, religiously apply them month-by-month to make sure that you're getting optimum security within your systems.

So those are the kind of the two approaches to take to patching your operating systems.

And with that, Brian, I don't see anything new...

Brian: Well, we just got three more, let me see if I can...

Todd: Okay, go for it.

Brian: Natalia was asking when patching services would be a good idea to get vulnerabilities from messes [SP] or do and import via CVE.

That's a good question. So, with the cumulative updates, really you're kind of installing everything or nothing. So, messes please use your vulnerability scanners. But in terms of building a patch list, I think like going via CVEs for example from Microsoft MSRC portal, will be just efficient not because...you're not gonna get along with the patches anymore. Where before that try to figure out, like, hey, of these 15 bulletins released by Microsoft, which ones are actually relevant to me? That's where a vulnerability scanner would have been really useful. I think after the fact, that's where a vulnerability scanner would have been the best.

And, yeah, I mean, running the vulnerability scanner beforehand, it's great too just with the cumulatives kind of doing it all at once, it's usually one or two patches max.

And then John did mention...okay. Okay. So, John was mentioning that for the October update that our stack will no longer be downloaded from Microsoft Download Center, it will be included in the Features-on-Demand section. So, I do need to look into how many hoops I have to jump through there for my schooling here. So, just heads-up for anyone else on here. Thanks for the information, John. That's all I have.

Todd: thanks Brian.

Just one last note. We offered this last month as well, Chris talked quite a bit about it. If any of you are interested who aren't currently customers, we are offering two different approaches if you wanna try out our...Oops, why does it keep jumping forward? I guess Chris has a timer on it.

We are offering a 30-day full license for your entire infrastructure if you wanna try out any of our patch products, or 20% off any particular product as well.

There were some questions too about this slide deck. This slide deck will be posted to our ivanti.com patch section on our website, as well as a recording of this particular presentation.

So, thank you all for attending. Brian, thanks very much for filling in for Chris, appreciate that.

Brian: Of course. Thank you.

Todd: And we'll see you next month. Thank you very much. Bye-bye.