September Patch Tuesday
September 12, 2018
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris: Good morning, everyone, and welcome to the Ivanti Patch Tuesday Webinar for September 12th, 2018. My name is Chris Geottl and with me today is Todd Schell. Good morning, Todd. How are you today?
Todd: I'm good, Chris. Thank you very much.
Chris: Excellent. Excellent. Also supporting us today, we've got a Brian Secrist who is gonna be supporting us on the Q&A and answering questions throughout the webinar. And Erica, who is basically our hostess managing all of the things, getting the webinar set up, and getting everything posted to the website afterwards. So that's the team that's kind of supporting us behind the scenes here.
We did understand that there were some people having some trouble getting connected in this morning, that's something that we're...you know, because of the marketing platform that we used to communicate all of the webinars and things like that out through that, oftentimes, will cap out after so many emails sent to somebody. So, we're looking at ways to make it so that we guarantee a webinar like this will be sent out from now on. So, if you were one of those affected by that, we apologize for the delay and we're looking at ways to make sure that doesn't happen again.
Speaking of all of the people who make our Patch Tuesday efforts a huge success, I did want to point out that this team actually won an award. So, there's PR World Awards and we were the gold winner for the communications or PR Campaign of the Year. So, this again is just kind of shout out. I mean, you see my and Todd names a lot when things around Patch Tuesday come up, you're starting to see Brian's name a lot more now as well.
But behind the scenes there, as you can see the list of names there, there's a lot of people involved with everything we do around a patch Tuesday a success. So, again, just to shout out to everybody who helped put this together. It's definitely not a one, two or three person job, there's a team of people helping them get all this done. So just a shout out to all of them.
All right, getting into the agenda for today, we're gonna go through a quick overview of Patch Tuesday and what went down. We're gonna go through some news around, you know, what's going on in the market today, some industry level things that you need to be concerned about, some threats out in the wild. We're gonna go through the bulletins that released, and make sure that you guys got a good understanding there. And last we're gonna go through some Q&A.
At the very end after Q&A, I deliberately kind of put this at the end because this webinar is focused more on getting you guys the information you need to know, letting me know about the things that'll help you get through Patch Tuesday smoother, but we do have a few things to bring up here, some announcements on some things happening very shortly.
There's a special offer coming because we do know that there's some non-Ivanti people on this list, and several of you, over the last few years, have been looking at our products as well. So we've got a special offer. We've also got an invite for those of you going to Microsoft Ignite, I'll talk about that in a minute, which comes with some other chances to win some gift cards and some cool stuff there.
And last, we're gonna give you guys a sneak peek of a feature that's coming out in our products here at the latter part of this year. So stick with us for a little bit here at the end and we'll show you guys a couple of new things coming that I think a lot of you will be very interested in.
All right. Going through an overview. This month, we did have a release from Adobe, one security-related update from Adobe for Flash Player, one vulnerability being resolved there. This month, it's only rated as an important. We did have a late addition yesterday that Google did drop an additional release. So if you were keeping up with a content releases last week, both Google and Mozilla released early last week, but there was an additional Google released that also included two additional CVEs late yesterday. So, that was kind of a late addition to our Patch Tuesday content there.
We've got 16 updates from Microsoft, 13 of which are critical, and one of those actually, the OS updates include the zero-day vulnerability that was being exploited, we'll talk about that some more here as well. There are three other updates that were released yesterday and added into our catalog, but those are a non-security nature. We'll mention them, but that's just to let you know that they're out there. There's no security related updates with those.
All right. So getting into some news. First off, we do have a Windows zero-day that was discovered in the wild, and this actually started as a... Let me switch to this link. This started as a public disclosure. Some of you may have caught the news around this one on Twitter. There was a release from the security researcher who was looking into this. She seemed to get very frustrated with how things were going with getting this update resolved and ended up disclosing the updates in a tweet on August 27th.
Shortly after, an analyst over at CERT was able to take her proof of concept code and the disclose information, and quickly verify that this vulnerability was quite, in fact, real and a proof of concept code was very usable. And within two days, there was actually already an attacker using this exploit in the wild.
So this next article here, "Recent Windows ALPC zero-day has been exploited in the wild for almost a week." This zero-day article talks about how this was being used in the wild. This group, a researcher at ESET, Matthieu Faou was tracking the activities of this group, code-named "PowerPool. They were basically doing kind of a low-level spam campaign and targeting a small set of people. And once they got in, the first... They kind of had two stage backdoor to this attack.
The first stage, they would use this elevation of privilege vulnerability. They would get a first stage backdoor onto the system that would basically give them some forensic data about that system, let them know, "Here's what's on there and let them see is there anything of value on that system?" If they found something of value, they would kick off a second stage backdoor, which would again use that ALPC vulnerability.
It would elevate privileges, allow them to, you know, as system be able to install a more intricate backdoor that would then allow them to start to gather the information that they wanted off of that system and be able to take additional actions or exfiltrate data. So, these guys were using that for about a week by the time that started going. So that was the zero-day that was discovered and released by Microsoft, that is CVE-2018-8440.
Sorry, somebody is messaging me saying there's people trying to get into the webinar yet. Erica, I'm having them send the person to you to get the link. So sorry about that. Apologies, everyone. So, this ALPC elevation of privilege vulnerability, this basically allows the attacker to run arbitrary code in the context of local system, from that point, I mean they pretty much own the box. So, it was a very easy way to exploit and elevate privileges to the point where they had total control over that system, and allowed, again, at least one threat actor to take advantage of and launch a campaign to exploit and get onto many systems worldwide. So that is the first article that we wanted to talk about today.
The next one here is around Apache Struts. So if you guys remember the Equifax breach that happened to target the Apache Struts vulnerabilities that were existing at that point. There was a new vulnerability that was identified and has since also been exploited in the wild. So the hackers, in this case, we're using this new Apache Struts vulnerability to be able to basically exploit these environments and load up cryptocurrency mining software to be able to start generating crypto coin.
It's already been exploited in the wild. The CVE in particular here is CVE-2018-11776. This is vulnerable to Apache Struts too installs. Let me see here. There was some specifics around exactly what they're doing and basically all it is... Yeah, here it is, an attacker can exploit this flaw by adding their own namespace to the URL as part of the HTTP request. So, you know, it's something that they can exploit remotely to get in there. Unfortunately, this makes the vulnerability in a trivial to exploit and proof of concept code was already leaked out about this. And again, more and more people would be able to start taking advantage of that.
Now, one of the complications about this and the reason why we wanted to point it out is, this is not something that just has a simple software update. This is a development platform. Its got a component that needs to be integrated back into your application. So a developer will have to take that new version of the binaries and be able to build that into, and deploy that code out to your application to plug that vulnerability.
And the reason I bring this one up, in particular, is because Microsoft had several updates this month that were similar binary level updates. They're not something that you can just patch. So we'll talk about those here in a little bit as well, but that's a prime example of why it's a concern to understand these updates and why they need to be deployed.
The next article that I wanted to cover, this one's actually a little bit old. It's a bit of a funny article as well, but this is something that came out earlier this year. It was a spam campaign where there was somebody impersonating the FBI and they were very successful in their approach. And again, there's kind of a reason why I'm pointing this particular method out, but yeah, the FBI had to go and message out to people that they, the real FBI, are messaging to warn people about a fake FBI series of communications that went out trying to gather people's information.
So they were using the guise of claiming that there was a Nigerian arrested by the FBI for some of the recent cyber-attacks on Atlanta. This was being used to, basically, provide that person with a form. And if you fill out this form and send it back to us with all this information, you'll get a check at some point for the damages done to you by this attack. So it was a total scam. It was a very successful one. And you know, allowed this a threat actor to be able to get onto a number of systems with malware that we're in this form.
Now the reason I'm pointing that one out as well as is also going to become a very apparent here in just a second. Let me go back to my presentation. The last one here that I wanted to bring up before we switch into, you know, a couple of key things that we tracked and why we track those things is around this a ransomware platform called SamSam. Some of you may be aware of these guys. They're a very successful threat actors. It's unknown how many people are actually involved. It could be one person, it could be a handful. They're very secretive. They're still very unknown and they're also wildly successful.
Their ransomware campaigns are netting upwards of $300,000 a month right now and have been netting several million dollars since 2015 when they first started launching this particular breed of ransomware. Their approach though is a bit less sophisticated. It's not a ransomware as a service platform, it's not automating and distributing itself in all sorts of fancy ways. These guys are using a lot of techniques that are...they're fairly straightforward, they're just, you know, old school hacking techniques.
And their approach here is hitting on a lot of areas where we're gonna talk about a few things again as well. But you could see, again, this group has been very successful. I think... Yup, here it is, $330,000 per month on average and a total of $6 million that this particular hacker group has netted to since they started their attacks in 2015. This according to Sophos research on this particular group.
Now, the thing that's interesting about their approach here is most of the time they're using brute force exploits from, you know, a public phasing web services. A lot of times, they're Java environments. In fact, some of the tools that they used to do that are exploiting JexBoss and JexBoss to exploit, JBoss Java development environments.
One of the other interesting things about what they do is besides software vulnerabilities, they are using a variety of proprietary tools to be able to then spread themselves out throughout an environment. And the interesting thing about this one is, this is not automated. These are actual people actively performing this attack. So, they'll get it into an environment. Once they're in, they'll start to spread themselves around and they won't actually start encrypting anything until they reach kind of a critical mass of systems infected.
And then they'll, simultaneously, launch that against all of those systems at the same time. But you can see here a bunch of tools that these guys are using to be able to...you know, using things like, Mimikatz to exploit and gain access to credentials, using things like PsExec, tools that you may be using in your own environment. They're actually being very successful right now with a lot of RDP brute force attacks to get into environments lately as well.
So, especially in the healthcare space, there's a lot of environments where there might be a remote RDP access and that's how, you know, people might be getting access to that healthcare environment to be able to enter in claims or do something else like that. Well, that RDP rep tool that they're using is allowing them to have multiple remote RDP sessions at a time. They can also brute force, hack those RDP sessions and get into the environment. So a lot of these things are tools that if you are running as a less privileged user, it's going to be able to make it harder for an attack like this to be successful. So it's a combination of a few different security layers here that are gonna be able to stop exploits like this.
All right, so I've kind of built up a few different things there. The reason that I did that is, throughout the webinar, you're going to see us talk about a few different things. The first one, the zero-day. This one's pretty obvious. This is something already known to be exploited in the wild. The urgency there is somebody's already out there taking advantage of it, get it plugged as quickly as possible.
The second one here that we're gonna talk about a few is the public disclosure. So that ALC or LPC or LCP zero-day is a very good example of why paying attention to public disclosures is important. So a public disclosure is a vulnerability that's been disclosed to a public source at a level where there's either proof of concept code or enough information to give a threat actor a head start on developing an exploit. So really what it comes down to is a race.
If a public disclosure goes out, the attacker basically has a race against the vendor to determine who can...if they could exploit the vulnerability before an update can be released and start to plug that vulnerability across the world. In this particular case, the public disclosure around CVE 2018-8440 came out on August 27th. Two days later, a threat actor already took that proof of concept code and was able to start using it in a real-world attack scenario, and that basically gave the attacker more than a week, about a week and a half, almost two weeks of time before an update was even available to already start to utilize this vulnerability using their exploit that they continued developing on top of what was already done.
Once that update comes out, if you're one of those environments that's very mature and very fast at getting updates rolled out to your environment, you may be able to get your production environments patched in as little as 14 days or less. That's ideal. A lot of vulnerabilities will start to be exploited within that kind of two week period after release from a vendor. The public disclosure gives the attacker that kind of advanced notice so that they have less work to do to race you to the point where that update's distributed.
When you get to about four weeks out, a good chunk of the world has the ability to roll out at least critical updates within a 30 day period. So that window starts to close on the attacker. So that two to four-week window is very important for a threat actor to get maximum value out of an exploit that they've taken time and effort to develop. So a public disclosure gives us a kind of a hot list of prioritized list of, "Here's the vulnerabilities that are more likely statistically to get exploited than some of the others."
The next one here, which goes to that FBI article, user-targeted vulnerabilities. These are vulnerabilities that, to exploit them, an attacker needs some assistance from the audience. All of those pesky users that are on your network, if we could just get rid of all of them, security would be a cinch because, you know, three-fourths of the threat would be gone, but we can't. So a user targeted vulnerabilities show you which vulnerabilities, which updates are plugging a hole, that social engineering could let a threat actor onto your environment.
Phishing is still a very real threat. It's not a true barrier to a threat actor. It's more of just a statistical challenge. If they get enough people from your environment, they will find somebody who lets them in the door. And the last one around lease privilege that SamSam is example is a good one showing why it's very important to try to take back those admin rights, to use both patching and application control together to be able to, more effectively, protect your environments.
Actually, that is a really good question that just popped in here and one that I actually had a couple of writers communicate or ask me that question this month as this one came out. The ethics of releasing a proof of concept like CVE-2018-8440. So, in that first article, if you read that one, you see a fairly explicit post on Twitter showing her displeasure with Microsoft and at that point, the world in general. You know, that triggered her to basically go on to disclose this vulnerability and force a scenario where then a number of people were now threatened by an exploit from a threat actor.
If she had not done that until after Microsoft released the update, there's a chance that there could have been much less impact on companies worldwide. So this is something where there needs to be a balance struck. This is a challenge with...you've got vendors like Microsoft, Google, and Adobe, some of them have very, you know, set a release cycles. Oracle once a quarter on the first month of every quarter, Adobe and Microsoft on patch Tuesday. Typically you can expect everything within there with some out-of-band.
That gives you, the companies that need to go, and then patch machines, some predictability. Teams like Google, they're based more on continuous delivery. Well, the browser that can drop at any point. In fact, this is a good month example of that, there was a release with several CVEs just at the start of last week and then another one yesterday with two more CVEs.
So, when it comes to making sure that we can get some predictability there, that helps it so that you and the vendors who are supporting the software that you're using can make it so that they can be consistent and they can deliver a kind of a predictable schedule. Threat actors are gonna play by any set schedule. So any amount of time between identifying a threat and an update being released increases that risk it could be used.
Google and Microsoft have come to blows a few times over this in the past 18 months that I can think where Google has a very strict 90-day disclosure policy. If they find something, they play nice, they talk to Microsoft, they say, "Hey, we found this vulnerability, you guys need to plug this," and Microsoft, you know, we'll work on a fix. Well, there's been a couple of times where that disclosure window came down two days or even a week from Microsoft patch Tuesday cycle. Microsoft gave Google the feedback saying, "This is when we're gonna release," and Google said, "Sorry, it's outside of our 90-day window, we're disclosing."
And they disclosed in advance and in some cases, threat actors were able to take that information and develop an exploit to be able to take advantage of that. So this is an ethical grey area. I would say that there's a bit of backstory with this particular researcher. Did Microsoft drag their feet? Did they...were they unresponsive? Something triggered her to basically go rogue here and disclose before Microsoft to get the update in place.
Now there some other things that happened in there that, you know, she actually posted it on Reddit and was trying to sell the exploit at one point as well, at least that's what I read up on. You know, that type of behavior, obviously, there's an ethical boundary crossed there, but in general, vendors do need to be responsive and security researchers should hold them accountable for it. And a disclosure in an extreme case is a way to force that kind of accountability on the vendor.
In a case where, if she would've waited a week and a half, two weeks, the update would have been out and everything would've been fine. In this case, especially because this vulnerability wasn't quite as bad as something like the eternal family of exploits that we saw at the start of the year...start of last year, she could've waited. So in this case, I think it's, an example of that was done prematurely and put all of us at risk for that vulnerability being exposed early. So I hope that...that was a long way to answer that question, but it's one that comes up frequently.
Oh, by the way, I did do a blog post, the Patch Tuesday blog this month. It include a little bit more detail around these and why we do track some of these things. So you should read that because my blog is amazing, no, mostly because we do get a lot of information like that in there. But yeah, that does have some more detail if you want to take that back and use it internally to discuss with any of your teams.
Next thing here, we do have some notable out-of-band releases that came up. Actually, Brian did a really good post...that was my Patch Tuesday posts. Let's go over here. This one came out on August 24th and in here Brian talks about, the SQL security rereleases that came out and specifically which KBs are fixing which specific issues. And then he also talks about the Microsoft Intel microcode batches. The rereleases or release there that cover the L1TF. So full remediation of that vulnerability requires the OS patches that were released on patch Tuesday, August, as well as firmware updates. So there's a couple of good points in here that you'll wanna check out if you're unfamiliar with those topics right now.
All right. Getting back over here. So, Visual Studio had an update three, one CVE addressed, SQL did rerelease for two specific versions, and then there again, just kind of an update on that Intel microcode situation to make sure that everybody is up to date on what's covered and where you need to be at. Okay. I think we've covered the ALPC zero-day pretty well already but we do have three other public disclosures that happened this month. So again, kind of that precursor talking about why public disclosures are important. We just wanted to make sure that you understand why we take these things more seriously.
This first one, CVE-2018-8457 is a vulnerability in the scripting engine that could allow memory corruption to allow the attacker to exploit, execute arbitrary code in the context of the current user. So this is a case where at least privilege comes into play. If the current users have full admin, the attacker now owns that box. They can view, add, change, delete data, whatever they wanted to do there, create additional users, that sort of thing. This is also a user targeted vulnerability. So it can be used in a web-based attack scenario.
They could host a specially crafted websites designed to exploit this, ActiveX controls, marked as, "Safe for initialization," or they can embed office documents with that browser rendering engine and exploit it that way by sending an attachment to somebody. So this is a good example of why that user targeted becomes an indicator of why you should be concerned as well. This particular vulnerability, which was publicly disclosed, meaning enough information is out there that somebody could take advantage of that and develop an attack sooner rather than later has a number of attack vectors that could be used in socially engineered scenarios. So that's the first one. This one is covered by the OS updates this month.
The next one is a public disclosure in Windows itself in the OS. This one, in particular, is in how image files are crafted. So an attacker, in this case, can crap that image file to allow execution of arbitrary code as well. So in this case, another situation where a user could be targeted, you can send them that image file and exploit it in that way, also publicly disclosed. So again, enough information's out there where that's a potential threat.
The third disclosure this month is in a vulnerability in System.IO.Pipelines. It's a denial of service vulnerability. Now, this one, in particular, falls into that category like Struts where it's a binary level component, it's not a simple software update. So this particular vulnerability, if you've got an application that's using that System.IO.Pipelines, it is a service that's potentially vulnerable now to this denial of service attack. So all they need at that point is to be able to send specially crafted requests to that application and it will disrupt that application until the attack is disrupted.
From what I remember reading in this case, once the attack is disrupted, the service will just continue on, but while it's going on, it'll be pretty much...CPU will be cranked up to max and it will be unresponsive. So that's kind of why we wanted to talk about several examples from the real world where these things are really being used to their utmost, and talk about some examples with this patch release that show why we track those things and why they're important.
All right. Getting into a few other things and then will start to get into the bulletins. The next one here, we do have some lifecycle awareness updates Branch 1703. It is scheduled for end of service on October 9th, coming up very soon here. And then if you're running on the enterprise or education versions, you get six months additional leeway. So those of you on 1703, if you're on education or enterprise, you'll get six additional months, but for those of you on home or pro that cutoff is October 9th.
Version 1607 is in extended support now and will end on October 9th. So that six-month window is closing now for the enterprise and education versions. So I strongly urge anybody who was on either of those, you should already be upgrading or you should be planning your upgrade cycles for those branches that are going out of service.
A couple of additional updates around Microsoft, there was Update Rollup for Exchange Server 2010. This was actually part of an update that came out back in May. It crawled under the radar this month, you didn't see it in anything else out there. We happen to catch it because of our QA team and our participation in other processes around the Patch Tuesday. Found that there was an update to one particular CVE from May and we actually found that Exchange Server 2010 Service Pack 3 has an update that released yesterday.
So this is supported in our catalog. We do have that in there and the next slide actually, I pulled the May slide for that and added it in here. Several updates were released for XP Embedded. You know, for those of you running on the XP Embedded POS platform, you know, there were, I think it was seven updates released for XP Embedded this month. And then I'm back to that Struts example, these were the different updates this month from Microsoft that were relating to, basically development platform components, .NET Core 2.1, ASP.NET Core 2.1.
There was also a Microsoft OData and Chakra Core updates this month as well, that also included some vulnerabilities. But the disclosure that we talked about, CVE-2018 8409, that one, you need to update binary components in your application to be able to plug that vulnerability that was disclosed. So that's why we called that one out here. So really quick, this is the slide on the exchange server updates. This is a rerelease just for Exchange 2010 SP3, just to fixed that one CVE. So, you know, note that if you are on Exchange 2010 SP3, that's the only one affected this month.
All right. So for those of you who aren't as familiar with the blog, we do have...we've started doing a weekly blog posts now as well. Brian is spearheading this and what it is, is kind of a continuation of what we do on round Patch Tuesday. So at the end of every week, we're doing a summary of that week in patching. So this one is from week 34, it's the example we talked about with SQL security rereleases, the Intel microcode patches, and all the third party updates that came out that week as well.
You know, and you can see all the different weeks that we've done that for now, we've been running it for a few months now. And for those of you who have not read those, there's a lot of good nuggets of information similar to what we do in the Patch Tuesday webinar, but we wanted to give a shout out to that so you guys are aware that those blog posts are happening. If you go out to the Ivanti website or you just go to blog.ivanti.com, under Patch Tuesday, you will see those mixed right in with our blogs out here.
You'll also see, we started doing this a couple months ago as well, we are taking the frequently asked questions from the webinar itself and we're populating those into the blog as well for follow up after, for those who maybe wanted to go back and reference question would not have to go back to the video and try to find where it was. So those are a few more assets that were doing regularly that are very helpful for people who would like to get more details like that.
All right. It looks like we had one more question about lifecycle before we move on. See here, yup, couple more things. Patch content, for those of you who subscribe to our patch content announcements. You should be aware now that we moved those from the way we were doing it before, all over to our community where you could subscribe to by email or RSS feed, but were just consolidating across all of our different products where those content releases are being communicated out from.
The note this month is that we have added the community spot for endpoint security, the former heat product, and then specifically the patch for Linux, Unix Mac notifications out of there as well. So you'll see that right here. So for those of you on the EMSS platform, that is now available to subscribe too there. And for those of you on the patch for Windows product, if you're running on version 9.2, the final update for this was on 2017-8-27. The final concept release for this will be on 10-18. That will be the last content update a released for this version of the product before it will end of service. We do urge people to upgrade to version 9.3.
For those of you we did extend the end of life on this a little bit because we had several people who were on that 9.2, version, which was common criteria EAL2+ certified and that's a requirement for their environment. So we got the assurance continuity completed for 9.3 update one, so you can now move forward. So, please, do that as quickly as possible. I know, our last count of active consoles out there was kind of around 800 active consoles out in the world, yet. Several of those are test environments, or other things as well, maybe trial consoles things like that.
But, you know, for those of you who are still running on a production 8 or 9.2 console, please do take a look, make sure you're up on the 9.3 chain. We're gonna be sending out some end of life notices in the product here very shortly as well. So probably late this week, early next week if you see a pop up when you open the product next, that you have to click past that says the product is end of life and going away shortly, do take it seriously.
All right. So before we jump into the posts here, we have one more question around life cycles. "Server 2016 and lifecycle is on there, is it similar to Windows 10?" The answer to that question, Rob, is yes. The Windows 2016 lifecycles are following the same pattern as Windows 10 branch lifecycles. I don't know, Brian, are they tracking that off of the same lifecycle page or is that a separate lifecycle page? You're still on mute, Brian. Brian might not be listening right now. There he is.
Brian: Okay. Sorry about that. So the server 2016 lifecycle should be the long-term sourcing branch lifecycle or supported for 10 years. The other thing that they did want to add about life cycles, Chris, our Q&A was flooded with it. It doesn't look like Microsoft actually push3e forward all of their Windows 10 lifecycles or six or seven, it's actually going to stop April 9th, 2018.
Chris: April 9th. Okay. Thank you for that. So, Brian, clarification, these specifically named Server 2016 is the long-term service branch, right?
Brian: That is correct as well as your Windows 10 LTSP 2016.
Chris: Right. Yeah. Now, for Server 2016... Well, for the server platform, now they're just saying server and then they have the branch number. That set of branches are following the regular life cycle, right?
Brian: Yes. Those were on the semiannual channel. So I expect them to follow the traditional lifecycle. Yes.
Chris: Right. So let me point this out quick because this has been kind of a topic of confusion a little bit, the way that Microsoft has done this. I'm trying to get my window. There's too many things that are blocking it. Okay, there we go. Let me get to server. It's showing a whole lot of patches. I've done that. See if I can find one here that has that listed in there. Where is the Windows 10? Actually, it was... Brian, where's the...? Oh, here it is. All right. So the ones that are listed as server 2016, that's the LTSB, right, Brian?
Brian: That's correct.
Chris: Now, people are going to start to see Windows server and then just the branch number going forward for the semiannual channels for the Server 2016 platform. Those are the ones that follow the regular to about 18 month or 2-year cadence.
Brian: Yes. So that 2-year cadence, of course, is being pushed out to 30 months now. That was kind of why succ [SP] server got pushed out. I would expect that they'll probably be within the 30-month cadence, but don't take my word on that one.
Chris: Got It. So there's a bit of an open question about that, but there is a difference between the LTSB and the regular semiannual branches. All right, so we'll have to try to get more information for next month to look at that further. All right, we're gonna go ahead and jump into the bulletins here and Todd, I'm gonna ask...
Todd: I'm here. Okay
Chris: And of course WebEx is updated. So I'm trying to give you permissions to [inaudible 00:43:01] here.
Todd: The slide refresh has been really slow for me. So I'm gonna work from my slide deck if you would just kind of advance from time to time here. I'll tell you when to do that, is that okay?
Chris: Okay. So we're on the Windows 10 Update.
Todd: Yeah. I'll start with Windows 10 here. So, this month with Windows 10. There were some questions about whether the zero-day was addressed with this month's critical updates and obviously, the answer to that is yes. If you'll notice, down there for Windows 10 this month, there were a CVE-2018-8440 that Chris discussed is addressed this month as part of the critical updates. In addition, the other 2 publicly disclosed ones, 8475 and 8457 in Internet Explorer as well. Those are all addressed this month as part of the critical updates.
Keep in mind that the Windows 10 Updates though [SP] do include, obviously, they're currently active versions of Windows 10, which are 1607 through 1803. We expect to hear something about 1809 here soon on that release, and then the various versions of server, you know, Server 2016, the original one that Chris and Brian were just talking about as well as the new releases of core Server 1709 and 1803. The updates for Windows 10 also includes...the rollups include IE 11, and a Microsoft Edge, it does not include the older versions of IE. So keep that in mind because those versions do not run on these operating systems.
The way we've done it here for Windows 10, obviously, there was a group of 9 KB articles that addressed all the changes. As mentioned, from an impact perspective, I think they're covering the full gambit this month, all the way from remote code execution through information disclosure. Lots of vulnerabilities, 49, as I said. So, they're addressing a lot of problems this month. So it's a bigger update than we've seen in a couple of months actually across the board for all operating systems.
No known issues reported around the Windows 10 updates this month. You might remember that we had a couple of issues from month to month. It looks like they have all been resolved as Microsoft did not report any known issues with the Windows 10 update this month.
Next slide, Chris. Moving onto Internet Explorer, there were updates obviously released for 9, 10, and 11 this month. They did pick six vulnerabilities of one, which is the public disclosed one that I've highlighted in red there. Number of forms of updates for Internet Explorer, they do, do accumulative update as well as several individual updates as well. So depending upon what approach you're taking to your updates, make sure you apply the proper set of patches. But again, we've marked it as critical because of that public disclosure and so was Microsoft, and we know that there were six vulnerabilities fixed this month in Internet Explorer.
Next slide, Chris. We didn't have a change this month in the way releases are done for Windows Server 2008. We were kind of surprised, hadn't seen anything on this prior to the release. In the past, Microsoft had done just the general security update for Server 2008, which was basically a month to month update, but this month, they broke it out and they've done a monthly roll up and they've done a security only.
And as we've talked about in past webinars, the monthly rollups have been in effect basically since September of 2016 when they started including, you know, basically all fixes every month into a large rollup. So, when you applied that rollup, you were getting all the fixes over the last, whatever it is now, over two years of updates. The security-only updates, however, are just the patches that were released or fixes that were released for that particular month. So if you are doing in your patch cycles, security-only, you needed to make sure that you would apply the security-only patches every month to get all of them.
So what they've done now with a Server 2008 is they've done sort of, kind of a hybrid here. I took a look at the files that were included in the monthly rollup, in every other operating system, the monthly rollups do include the Internet Explorer updates. But in the 2008 or this inaugural monthly rollup for Server 2008, they do not include Internet Explorer. Keep in mind that for Server 2008, because it is a much older operating system, you are only applying Internet Explorer 9 on top of this. So keep that in mind as well, but you will have to apply separately even if you do this monthly rollup patch this month.
We suspect that Microsoft did this because of all the reissues of different types of patches over the last couple of months. We've talked about some of the issues that they had there. I've included the update information here in the description. As I mentioned, I did take a look at the files that were included in this monthly rollup. The vast majority are from July and August, however, there are some updated files that go all the way back to November of last year.
So from a cumulative update standpoint, it looks like they have included quite a bit of the latest updates, basically starting a kind of the first of this year onward. So kinda keep that in mind. They did address 17 vulnerabilities this month. Of course, the two publicly disclosed in the one that's known, exploited there, I've highlighted in red as well. There are no known issues with this particular release this month.
Next slide, Chris. Moving on to the security only update for Windows Server 2008. As I mentioned, this is the first time they've broken out a security-only update. Essentially, it includes all the files from August, all the updates that they've done for those 17 vulnerabilities. So it looks very similar here on the slide from a slide where perspective, but keep in mind that these updates are only from August. Again, I did look at the files. There were a few cherry-picked files that were older, but it looks like these are only the August updates and as I mentioned, the monthly rollup on the previous slide does include many more fixes. So depending upon what approach you're taking, make sure you apply the proper update.
Next slide, Chris. Moving on, we'll talk about the monthly rollup for Windows 7 and server 2008 R2, very similar set of vulnerabilities each month across these legacy operating systems. You'll notice that there were 18 in this rollup compared to the 17 and the previous operating system. There are some slight differences and some slight vulnerabilities, usually one or two that are included in that list that I include here. So keep that in mind when you apply these. Again, this is the monthly rollup. It includes all the updates for quite some time now, and also includes that IE update as part of this monthly rollup.
There is a known issue, Chris, on the next slide. This one has been carried along now for four or five months, looks like Microsoft is not too aggressively trying to fix this one. I wants you to be aware of it has to do with dropping a network interface controller devices. They do give a workaround, but you will have to go in and reapply. So we configure the driver in this case for your NIC card. Keep in mind, this is not the problem that was so widespread earlier this year around virtual machines and the network interface cards. This is a very targeted, much smaller problem. So kind of be aware of that. And like I said, this one's been carried along for quite a while now.
The next slide, Chris, shows the security-only updates for Windows Server and the Server 2008. Again, the same set of vulnerabilities. Again, only the vulnerabilities for this particular month does not include IE and does not include all those older vulnerabilities as well. But essentially, they're addressing the same set of 18 vulnerabilities that are in the monthly rollup as well.
Moving down next to Server 2012, 19 vulnerabilities addressed this month and this does include, like I said, the IE vulnerabilities as well. Listed the vulnerabilities that are addressing this issue and in this particular release. No known reported issues around this monthly rollup for Server 2012. The next slide shows the security-only roll up. Again, same set of vulnerabilities addressed but does not include all the larger set of fixes that were done over the last two years.
Moving onto the monthly rollup for a Windows 8.1 and Server 2012 R2. Just as a reminder, you know, why do we group these together the way we do? It has to do with the operating system kernel. When Microsoft releases these patches, they are specifically targeted at a given operating system and the kernel that is running, and Windows 8.1 and Server 2012 R2 happened to be running the same operating system kernel. So that's why you see these groups together the way they are both by Microsoft and by us in our both in approach here.
A little bit larger set of vulnerabilities and then the previous operating systems, there are 22 that are fixed. Again, that zero-day 8440 as well as the Internet Explorer vulnerability, 8475 that we talked about earlier, that was publicly disclosed. And finally, the security only update. Again, no known issues with this, same 22 vulnerability, same issues, different KB number. You can always go in and take a look at these KB numbers. In this case, it's 4457143 or you can go in and read about this particular update in more detail.
Moving onto Office 365. There is a critical update in this one this month that does fix four vulnerabilities. There is the possibility of a remote code execution as well as information disclosure. I've included the link that points back to the TechNet article covering, in detail, what's released for... This will basically under the click to run model for Office 365. This month, they primarily addressed only Office 2016, none of the individual applications. So keep that in mind as well. It does require an application restart, you will see that when you go through your update process. No known issues reported with this month's update so far.
Once again this month, we're surprised to see a .NET update. Chris talked a little bit earlier about the problems with, like, the specific ones in the development side. This is in the general .NET update across all the operating systems that are out there. There are different versions of .NET for all the different operating systems. That's reason you see that there are 10 different KB articles, 10 different releases as well. They did include the update all the way from .NET Framework 2.0 through the latest release, which is 4.72.
It must have been an important one, this vulnerability 8421 allows a remote code execution as they've now done .NET updates for the last three months in a row. So kind of unusual to see that. They do .NET updates the same way they do application updates. So you'll see there's a monthly roll up and on the next slide, you'll see there is a security only a version as well if you're just doing tactical updates from month to month. So keep in mind there are these .NET updates. The nice thing about these is that you don't actually have to do a restart unless the files are locked or are being used at the time. So they're not necessarily requiring a reboot every time.
Next slide, Chris. Chris had mentioned that there was a tactical last minute update. Chrome kicked out an update in middle of the day yesterday, which we were kind of surprised about. There were two vulnerabilities identified interestingly enough, although they give a short description of them on Google's website, they still don't even have CVE numbers assigned to them. So must have been very important for them to include these, did allow for a remote code execution. So, if you are running chrome in your environment, you wanna make sure that you apply this update as well. And we rated it as number one from a criticality standpoint.
Next slide, Chris. Moving on to Office and the important bulletins for this month. There were a number of fixes provided in Office this month, they addressed five different vulnerabilities. As I show up above here, the effective products were Excel going all the way back to 2010, the latest version of Office 2016, and Office 2016 for Mac, and also different versions of Word from 2013, the last two basically, 2013 and 2016.
Now notice that we rated this as important because it really is important from a perspective of the Windows operating systems. But as I included down in the notes section below, the update for Office 2016 for Mac is rated as critical. So I didn't give it an overall critical, but if you are using, you know, these updates on your Mac OS systems, make sure that you do upgrade Office 2016 as it is critical.
Microsoft also had a bulletin specifically talking about link for Mac version in 2011. They said they will not fix this particular CVE, which is a security feature bypass vulnerability, be aware of that. They recommend that you upgrade to Skype for Business on Mac and get the latest version there, obviously, as well. So two important notes around those of you who are doing Macintosh updates, but general for the Windows update, it's rated as important. I just wanna bring that to your attention.
Next slide, Chris. Moving on, there was an update for SharePoint server this month. Again, rated important, three different vulnerabilities that were addressed. They allow for elevation of privilege and information disclosure. No known issues around these, but once again, if you're running SharePoint server in your environment, you should be sure to include these as soon as possible. But like I said, they're not rated critical at this point.
Finally, we get our usual updates for Adobe Flash Player. You'll notice that there's a discrepancy between what Microsoft says [inaudible 00:57:35] rating these here. Adobe, and the next slide, I actually has the Adobe...here is the Adobe one, they're rating it as important. There's basically an information disclosure through privilege escalation around this particular vulnerability.
For some reason, Microsoft has gone into their bowl and then rate it as remote code execution. Not sure if that's an error or what's going on there, but in this case, we've gone with the rating that's applied from Adobe. So we've kept both of these, the ones specifically released from Adobe as well as shown on the next slide, Chris, the actual Flash Player update that's released from Microsoft. We've rated those as important this month.
Chris: Yeah. My theory on that one is adobe, not too long ago, it started to change. They do a priority one, two, three type system there. They changed priority one instead of being basically like there's critical CVEs resolved in it, that means that there's some vulnerability being exploited in the wild, that's a priority one. So they've put priority too, for anything that includes security vulnerabilities that are either critical or important, but nothing's being exploited.
So I think the way that Microsoft is queuing off of their priorities and how they're doing their ratings, there's a little bit of a grey area in there where if there's one CVE, the CVE is only listed as important, but their priority is still a priority two, which Microsoft is probably blank it assuming is critical then. I've seen this a couple times now and that's the best I can come up with as to why it's happening.
So we do have a number of updates that came out between Patch Tuesdays, you could see we do regularly released content twice a week typically for our catalogs. So you can see a number of different security updates that came out in between. There are several, including the Chrome release that came out early last week, which resolved 21 vulnerabilities, a Firefox released that fixed six vulnerabilities. Actually, sorry, the Firefox ESR fixed six, the Firefox regular branch fixed seven vulnerabilities. WinSCP, Wireshark, and Plex Media Server, all had vulnerabilities resolved as well.
So it's a good idea to keep an eye out on those other products that do have security vulnerabilities. You know, this is again the difference between the vendors who try to stick to a predictable schedule versus those who continuously released as soon as they have a build available with security fixes. So there are a number of security-related items that will come out in between Patch Tuesdays and we try to call that out. And one of the reasons why Brian's a new blog series at the end of each week doing kind of a digest summary of what happened are really nice to have. That way you get a heads up on when security updates are being applied there.
All right, we're gonna jump into some Q&A, and then after the Q&A, for those who wanna hang out for a little bit, we got a couple of cool things that we wanna talk about. But Brian, let's jump in and take a look at some of the questions going on there. It looks like you've been talking with a few people. Let's start with the updates errors that Kim was seeing with the KB4457144.
Brian: Yes. So as Kim mentioned, she was having issues where KB4457144 was failing deployment as the rollup for Windows 7 just to review. It looks like another customer was having that issue on the Reddit SSM and Megathread. However, one thing I'll mention is in my testing I do, deploy gets a completely unpatched box, nothing's been effectively passion outside of SP1, and we did not have those deployment errors. So it might be a pretty specific issue, but I'm gonna keep following it and see what the issue could be and if we can do anything in our content to work around that.
Chris: Yep. So just a quick heads up and I know Greg had asked a question of, "Were there any known issues happening so far?" I think he was asking more for conflicts with other software, but for those of you on Windows 7 yet, do some additional testing in advance before rolling that out because it looks like there might be at least some edge cases that could end up with an error. But again, I think as the next couple of days go by, we'll see more details on some of these if they're widespread.
Brian: Absolutely. One question that I had, Chris, that I want to ask you what sources...someone's asking for sources for keeping up to date public disclosures, etc. In my experience, I kind of just crawl the web, different articles, etc., which, of course, I cover in my weekly blog, but did you have any other recommendations?
Chris: Yeah. So Microsoft does a very good job of identifying public disclosures directly on their CVE pages. So if we go back to any of the vulnerabilities that we talked about here, so here's the ALPC vulnerability, this one had both a public disclosure and an exploit in the wild. So Microsoft does a really good job of identifying these things very clearly with a lot of the other vendors. Like I mentioned for Adobe, they bring it up to a priority one if there's an exploit in the wild. But disclosures...oftentimes you won't see disclosures. You'll just see call outs to security analysts who might have been doing research on things on their bulletin pages.
So a lot of times we're watching, you know, Brian, Todd, myself, and a host of other people are constantly keeping an eye out for articles and things like that, like, the Struts vulnerability that was exploited and you know, all the different articles there. We're constantly perusing and trying to find these types of data sources. It's a bit difficult to keep tabs on, but we try to bubble that type of information up to the Patch Tuesday webinar and to other, like, weekly digests as quickly as possible so you can start to see those things happening.
For those of you who haven't seen it, our Patch Tuesday graphic... Let me go out here real quick and show you guys this. From our main page, if you go to the Patch Tuesday page, you'll see this infographic. This is the full summary of everything that happened, but we'll actually put the public disclosures that exploits that we know about, into the notes on there. And you could see down here, like, if there's... These three that were non-securities are listed there with non-security on it.
You can also see things like we talked about user targeted, we talked about privilege management, mitigating impact, we track those things on here as well. So this is where you can see those four different indicators that I talked about that we try to track. That's where we show a lot of this information. And you'll notice, I don't know if there was a good example of this month, but if there were an important update, but that important updates either had exploits or public disclosures, we would put the threat risk higher on those particular bulletins. So that's where we tried to bubble some of this information up too, just to give you an idea. That's a good question, though.
Todd: There's other thing, Chris, I'd like to add to that, if you notice, if you go to the portal, Microsoft's portal, for example, they actually do a with each month released a list under their release notes section that shows vulnerabilities that they're aware of, not necessarily that they're publicly disclosed yet, but vulnerabilities they're aware of that they don't have answers for yet. Those would obviously be maybe a little bit higher risk for future exploitation and public disclosure.
The other thing is, obviously, going to the micro [SP] website, you can always see the latest vulnerabilities that they are listing. Those will be another, another source of just looking for these, but as Chris said, in general, we haven't found any kind of central repository where people keep track of public disclosures specifically. There you go Chris [inaudible 01:06:15].
Chris: This advisory that came out this month is for Windows denial of service vulnerability. There is a CVE for it, there's not an update for it, but they're giving guidance around configuration to work around this issue. So that's another thing too to watch out for some of those advisories.
Chris: All right. Brian, we're a little bit overtime here. What other hot questions do we have that we wanna cover right now?
Brian: Nothing too much. Mikael did ask how many updates there been to spectrum meltdown and are they all patched differently or just them the roles include all necessary patches? So, the answer to that question on the monthly option to include all necessary patches, however, you will require additional registry configuration to turn some of those remediations on. I will answer that question with the link, but it's one of Microsoft's MSRC. Other than that, honestly, it's been pretty open. Dipash [SP] did ask, "Could you please start some [inaudible 01:07:17] as Microsoft says, one patches is not applicable, how recalls is still flying in the most vulnerable?" What is your point of view?" So the answer to that on... Go ahead.
Chris: Sorry, I saw that one too and wanted to respond to that too. Go ahead, Brian.
Brian: My initial comment was frequently there is additional configuration necessary such as SharePoint server. However, I can also add that a lot of vulnerability scanners work at a super small world, like they're looking at specific files, specific configuration and perhaps, it's been superseded. I can't speak to Qualys definitions, but on most likely, it's just additional configuration necessary.
Chris: Yeah. So, yeah, Dipash for... I know this is a common question that comes up as well. Vulnerability assessment and patch assessment are two different mechanisms. There's ways that a vulnerability engine will still show something as vulnerable and the patch engine may not show it as applicable. There could be an error on either side. So whenever that comes up, you should definitely dig in deeper into what was the detection logic that came back from both sides of that...you know, what was being looked for.
So when we troubleshoot this with any of our customers, you know, to reconcile, which is the vulnerability assessment or the patch assessment, correct, in this case, we do get down to, you know, what do we assess? So for specific updates, we try to show very clearly, "Here's the information that we're assessing to, you know, say that this patch is installed." In this case, this one might be registry only. This one, you know, if there's...actually, there should be followup details and some of these. I think there's an issue in this right now.
I'm not a developer builds, but there's file detection and registry detection listed in our product for what we're looking for. And then also, if you look at a specific result, which I'll show you the result from my machine earlier today, I was just catching myself this morning. If we detect a missing update, we give what we call a reason for it, why did we detect that this was missing? Yep, there's a couple of things in this new build that aren't being shown right now. So the reason for item would normally be showing right here and very clearly say, "This file is supposed to be this version, it's detected as this version."
Now your vulnerability vendors should have similar levels of understanding of what's being detected. Here's a couple of edge cases that often happen. The meltdown specter vulnerabilities, as Brian said, there's three specific things that need to be done to completely mitigate those vulnerabilities. There's the patch, the OS update. So if you're up to August or September for your OS patching, you've got all of the code fixes in place. There's certain registry keys that need to be turned on, on the server side.
They need to be turned on to be able to start enforcing those where some of those, there's three or four now that will be turned on automatically if it's a workstation, but not if it's a server, and there's guidance in Microsoft's KBs on how to turn those on. We've also got a special patch that we created to turn some of those on as well. The third part of that is the driver level and that needs to also be updated. Now, your vulnerability assessment will be looking at things like those additional factors as well, where the patch assessment is looking to say, "Has the patch been applied?" So both assessments are showing the right information from their points of view in that case.
Another case where it's kind of going the other direction, where it's a false positive, in a case like Java. If you've got a situation where a Java runtime DLL has been put on a machine, maybe it's baked into an application, your vulnerability vendor found that DLL and they're saying, "You've got a vulnerability because you've got this DLL that's old or out of date." The patch management product comes by, does the scan, Java is not installed. If you went into add/remove programs, you would not see Java there.
If we tried to install Java, it would not be doing an update, it would actually be doing a fresh install of it, that vulnerable DLL would still be in place because it's not known to the OS or tied to an installed application directly. It's under some other application, that's how it got there. So those are examples of where there will be differences between your vulnerability assessment and your patch assessment.
And again, in those cases if you're using us for patching on any of our products, we're always happy to help dig into those types of issues, but yeah, reach out to Qualys [SP] in your case, Dipash and then possibly Microsoft if you find that it's something they're said to look into those. So I don't know if we had any other specific questions regarding the patches right now, Brian, did you see anything else? Otherwise, there's another life cycle question around Oracle that I was gonna answer.
Brian: Oh, yes, please, please. [inaudible 01:12:45] another one.
Chris: So there is a question... I'm sorry, what?
Brian: I was like, that was the other one I was gonna ask you about."
Chris: Oh, okay. Yep. So this one is a question that's come up a little bit lately as well. Adobe did a similar thing recently, so it's a good topic to talk about. But around Oracle, Java, they've been changing their model to say that you have to have a site license to be able to, you know, install Java updates. Okay. So there's two different things, when a version of Java comes to its end of public support, so Java 8 is coming up on its end of support, that's going to stop getting public updates.
If you want to continue running Java 8, you need to contact Oracle. You need to basically buy in on their extended support program and then you will be privately given additional updates for that, but those are not publicly available. And then there's another situation where, you know, Java, in general, is doing a similar approach where Adobe did with Flash. I can't remember if it was early last year or the year before, but they basically said, "You need to request a site license to distribute Flash Player throughout your environment."
So you basically just had to go to a job site, you had to fill out a form and then they said, "Yep, you're good, you're approved." So how it comes for things like both of those scenarios. In the case of a product that's no longer supported, that has an extended support with a vendor like Oracle or even Microsoft. We have several customers who have extended Server 2003 support with Microsoft and then they extended a continuing support contract with us to provide a catalog of those 2003 updates.
So we received the updates from the customer, in this case, build the content for that and return back to them the detection logic for it, but that all happens in a private release catalog because those are not publicly available. The same thing would happen with the Java 8 updates. After their end of life, if you needed to continue on with that, you'd have to contact Oracle and continue support with them and then if you have a patch product that needs to push it out as well, that's how you'd have to work out details on continuing support through that product as well.
For the site license kind of model, we make it available for you guys to scan for it and deploy updates for that software. It is on you, your company to make sure that you've got the proper site license with vendors like Adobe or Oracle, if they require it to distribute updates for those applications because that applies to both software deployment and to software updates for that. So even to deploy Flash Player through whatever software update our software deployment tool you're using, you should have their site license for that. And then updating it through us, if that's the case. Similarly, you'd have to make sure that's in place. I hope that answers the question there. There's kind of two distinctly different scenarios that are going on there, though.
All right. I think we got most of the questions. The most of the rest of the questions coming in are specific to... Oh, there was a Long [SP] mentioned here that VMware recalled the VMware tools tend up three release that went out last week. Brian, was there a known issue around that one? I didn't see that one.
Brian: I just answered that question with VMware KB.
Chris: Oh, perfect. All right. Yep. My Q&A just refreshed now and I see that as well. Perfect.
Brian: We're good to go there. Yeah, there was definitely a known issue, a new VMware tools did release today. I'm not sure it affects 6.5, but keep an eye out for that one.
Chris: Got it. Awesome. Okay, we're gonna wrap up a couple more things real quick and and then a wrap up for this month. The next one that we wanted to talk about, and guys, we're not trying to make this into a marketing webinar, absolutely not. But I've had a number of you over the years, you came to this Patch Tuesday webinar because you needed additional information and through the course of that, you get kind of exposed to how we do things at Ivanti and some of our tools that we do that with.
So this is a call out to any of you who are not using an Ivanti patching product today. It's an offer that we wanna extend to you if you're interested. It's a free 30-day full license of one of our patching solutions. So if you're using Microsoft System Center, it would be a 30-day license of our patch for SCCM plugin. If you are looking at utilizing a completely different patchy solution, whether it's in the data center or the desktop environment, we've got other patching solutions that can do that job for you.
So if you're interested in that, we do have this promo here, it's just a quick and easy form to fill out and that will give you a full site license. If you tell us you've got 500 machines, 5,000 machines, 10,000 machines, it doesn't matter, we'll give you a full license for 30 days. So that's on offer we wanted to extend there. We're only a couple of weeks away from Microsoft Ignite. So for those of you who are going to be going to Microsoft Ignite, we did wanna send out a special invite to stop by our booth that we'll have there. I personally won't be there this time around, but Todd, you're gonna be going to Microsoft Ignite, right?
Todd: I will be there. Looking forward to it.
Chris: Awesome. So there is a schedule, a demo link here in the PowerPoint for people who are going to be there for sure. If you wanna stop by, just stop by for fun. Grab some giveaways, things like that. If you also wanna catch a demo, the first 40 people who sign up for these in-booth demos are gonna get a gift card as well, but we'll have lots of stuff going on there. The whole team's gonna be in Hawaiian shirts. You saw kind of a theme in the background here, it's kind of a, you know...you'd prefer beaches over breaches. Makes sure things are secure so you can take a vacation once in a while. That's kind of the theme for it.
So it'll be kind of a cool laid back booth. We'll have a lot of a new product demos, things that are coming soon, which actually I'm gonna give you guys a quick sneak peek around and our conversations around Qualys are perfect because that's gonna springboard directly into this quick sneak peek.
So one thing that is a constant challenge for, for companies out there is you guys are responsible for patching. You got people within the security team, some part of the organization that are responsible for doing that Qualys scan, or Tenable, or Rapid7, whatever the case may be. And you guys have to...you know, you each have your responsibilities. Security says get this done...and actually, even a conversation I had at VMworld just a couple of weeks ago with a longtime customer, this guy's like, "Yeah, I get that list. And they basically say, "Yup, fix it. You got three days."
Okay. Well, a lot of times these reports are 50,000 plus line items long and you got to do a lot of research and figure out what even needs to be done. So a lot of time and effort goes into reducing that list down to something actionable. So we've got a new feature coming in, a couple of our upcoming releases here. For those of you on the patch for Windows product, you'll notice that there's a slight name change here. It will, in the next release, be called "Ivanti Security Controls."
There's a variety of new things coming in there, including application control being built right in as a new module that you can look at there. But there's this new feature called "Import CVEs into a patch group." So if I go in here, it's just a very simple interface. I can go and browse too and grab that report that I got from the security team.
In my example here, I've got two different formats, XML or CSV, the same report that's generated two different ways. This is a nearly 65 meg. I'm report from Rapid7. It's actually almost 450,000 line items. That's 450,000 CVEs that were detected in this test environment, and I'm going to import that. So let's go ahead and add a link to that file, start extracting those CVEs. And now this is the point where you're going, and de-duplicating, and trying to research down, "Here's the CVE I'm worried about, what are all the applications that need to be updated to plug that CVE?"
And "knock on wood" everything should come back. Hey, there we go. In less than a minute, I now have this cross-reference. Here's all of the CVEs that we mapped directly to a software update within our product. Now the ones you see on the right side here, this environment has Linux distros and Mac as well as we bring each of those flavors into the Ivanti security controls product, more and more of the CVEs will be coming over, but this is all the Windows ones.
I've got a patch group down here, I'm gonna add this to an existing patch group in this case, and it will either create or add to that existing patch group. I can go into my patch view and from here, be able to go back to my attached script tab, that will be on the right tab. Here's all the software titles that it mapped for me, so that in less than a minute, I got this full list from that Rapid7 report. That's everything we need for the Windows platform. I go and deploy those and the Ivanti engine is going to go through and make sure that if any of these are replaced by something newer, which you see a lot of them are, it's not going to go and deploy every single one of those.
It's intelligent enough to know, "Oh, hey, you know, you're two or three patches behind for this product. Well, you don't need to do these other ones, we're just gonna take you to the latest one for that." So it actually trims down and efficiently does the minimal set of patches that you need to be able to get this updated. So I ran a demo of this at a VMworld and literally, it got down to one of my systems that I was demoing on, 5 updates, took 1200 CVEs down to barely a dozen remaining on 1 system.
So this is a new feature coming out in a patch for Windows, soon to be Ivanti Security Controls, that is going to be in early access in November, right around there, give or take. And then coming in our patch for SCCM plugin our 2018 dodge three release there. So in October, we're releasing the similar feature for our SCCM based where you'll be able to import. Again, it doesn't matter which vulnerability vendor, as long as that report is a file that has CVEs in it, it can be a pdf, a doc, a text file, XML, or CSV, as I showed. It will pull all those in and then the SCCM experience show you a list of, "Here's the updates, which ones do you wanna publish? Click here," and off you go.
So a great new feature coming. If you're going to Microsoft Ignite and you're interested in seeing that live, we're gonna have the SCCM demo and the patch for Windows demo of that new feature coming here very shortly, along with other things that they're gonna be showing at the show next week.
Last thing, this is a new webinar...a new series that we're gonna be running called the "IT Leadership Summit." So, I'll be doing a presentation along with 11 other presentations that day. It's a virtual summit. You just register for this free virtual event and you can see the sessions that we're gonna be having. We're gonna have experts from Forrester, myself, and experts within Ivanti and externally for our ITSM platforms, our endpoint management platforms, our identity platform, a variety of different topics that are gonna be covered there. So, it's a great free event that you may wanna look into as well.
All right, and that is it. We ran a little bit long today, I do apologize for that. But thank you for all of you who stuck with us throughout the whole presentation, and looking forward to seeing you next month.
Brian: Thanks, everybody.