April Patch Tuesday
April 10, 2019
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Brian Secrist | Staff Quality Assurance Engineer | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris: Hello, everyone. This is Chris Goettl and I'm joined here today by Todd Schell. Hey Todd, how are you doing?
Todd: I'm good, Chris. Thanks.
Chris: Awesome. So, Todd, I have to say that springtime here in Minnesota is a rather short affair. It was 70 degrees yesterday. I went out for the most amazing 15 mile bike ride for the first time this year. And springtime is now over because starting in about an hour here parts of Minnesota here are gonna get up to 20 inches of snow again.
Todd: Here in South Texas, it's supposed to hit 92 today. So, sorry.
Chris: I'm not gonna say what I'm thinking right now about that situation.
Todd: I know. Yeah.
Chris: All right. Welcome, everyone. So for those of you who are new to the webinar series here, Todd and I are your hosts for this webinar. We're gonna be going through and talking about a number of things. But I do like to talk about the wizards behind the curtain because they do help us make all this work. We've got Erica [SP] who is...she masterminds the entire affair and makes sure that you guys are getting things like the sign-up links and follow-up e-mails and making sure that me and Todd are on the ball about getting on these events and, you know, staying scheduled for them. So thank you to Erica for making sure that all of this runs smoothly. And then we've also got Brian. Brian is one of our content experts. This guy is one of those who's in the trenches managing our content on a regular basis. He's also one of the people who helps us to flush out known issues and identify the things that you guys want to hear about most.
So as you're going through the webinar, if you do have questions, please post them in the Q&A section. I see he is already actively working on responding to some of those questions that are coming up. And yes, we do have a few of those questions covered in our topics today here, so look forward to that. All right, we're gonna go ahead and get started here. If I can... Well, not clicked into the right window. There we go. That's better.
All right, we'll start off with the Patch Tuesday Overview and then I'm gonna cover some of the most recent news, things to be aware of, some of the fun challenges that are going on out in the world there and some lessons learned. And then Todd's gonna walk us through the bulletin lineup for this month, give you guys a lowdown on prioritization, known issues, and all that good stuff that you're here for.
And we will come back to the question and answer time at the very end, again, where we'll highlight questions that we think that everybody's gonna be interested in. There may be some one-offs that are very specific to certain people's needs that we might not cover in the Q&A section but we'll try to get to as many as possible.
So as you post those questions, again, Brian and Erica may be responding to those throughout the webinar. But towards the end here, we'll try to socialize as many of those large topics as possible. After the webinar, we do a follow-up kind of Q&A, FAQ from the webinar as well. So that's another piece of great content that you can go and grab afterwards to be able to go back and see all the questions that came up and the responses that we gave and even some of those that we might not get to during the call.
All right. So let's get into the overview. So we did have a decent lineup for Microsoft. We've got all the usual updates, you know, the Windows OSes, the browsers, and Office are all represented there. But we also do have an Exchange update this month, it's only rated as important so not urgent but definitely one that you want to look into if you're still running an on-premise version of Exchange. For Adobe, Adobe did have quite a large lineup this month as well.
Actually, they had seven total updates, four of which we will talk about specifically here. Some of the other ones are things that you don't typically patch with a traditional patch management solution, they'd be updated in other ways. But there's a few other updates that we'll cover this month as well. We'll talk a little bit about some Wireshark updates that dropped here on Patch Tuesday.
And one thing not to be forgotten, this is Oracle's quarterly cycle. So, next week Tuesday, Oracle will be releasing their critical patch update as well. So a variety of different products, you know, including things like Java JDK 11, VirtualBox, which if you keep up with conferences like Pwn2Own, VirtualBox had a nice little exploit that racked up a good chunk of change for somebody at that conference. So look for some updates next week from Oracle around several of the products that they are updating.
All right, two zero-days on the Microsoft side that we will be specifically talking about. And there are actually three public disclosures we're gonna talk about. But we don't believe those three have been resolved yet so it's more of a "be aware, they're still out there," and updates could be coming at some point regarding those.
But the researcher, in this case, was trying to make a statement of security vulnerabilities that are resolved within Google Chrome make it into the development branch first. And technically, that's giving an attacker some additional visibility to be able to do something about it before it gets out to the rest of the world. Google tries to block or shadow that as much as possible. But, you know, as this researcher points out, something that, you know, if an attacker wants to develop Chrome vulnerabilities, they can just look at all the areas of Chrome that are being updated within the development branch. And because of the nature of how they distribute that out to vendors to try to get feedback and make sure things are working well before they go stable branch, that does give a little bit more exposure time there.
So this is one of those things that I think the moral of the story on this one is, you know, we want to be timely and responsive to things like Chrome updates. Now, most people argue, "Oh, Chrome auto-updates." Well, there's been many cases where the Chrome auto-updater has been broken and if you didn't push the update, you were stuck at a certain point in time for a very long while, six months or more at times in the past. There's also some vulnerabilities that won't be resolved until the browser is completely closed and reopened.
So there are still some challenges with relying on that auto-updater. It is still a good idea to have a patching solution like Ivanti Solutions that can assess and tell you that it's still vulnerable if that's the case and push the update in cases where the auto-updater may not be working. So a few things about that but that is a disclosure. That is out there right now and Chrome will most likely be releasing an update sometime later this month to push that V8 fix out to stable branch.
The next update here or the next set of disclosures were around the Edge and IE browsers. So there's a pair of these and what they allow the attacker to do is to bypass the same origin policy. So this is a security feature that exists in modern browsers that make it so that it restricts it so that from one website, you can't go and try to load scripts or execute things against another website. So same origin policy means, "Oh, hey, you're coming from this site, you're only allowed to do things at this site." That way, attackers can't do a cross-site attack that could expose something on another website.
So this feature basically makes it so that, yeah, the attacker can bypass that same origin policy and go and execute things against another website from a malicious site that they've created. So they can do some interesting targeted attacks with that and get up to all sorts of nasty business. The funny thing about this...I was talking to a writer at the...I can't even remember which one it was...I think it was TechTarget yesterday. And we joked about this, where this particular set of vulnerabilities, the recommendation right now is, yeah, that you're at risk here so you might wanna use an alternative browser for the moment.
And then we talked about the V8 vulnerability here and the fact that that's still exposed there. So the best thing to do is not to use the Chrome browser for a little while if you're concerned about that. Okay, so all right. Firefox wins for this month. That's the safest bet at the moment. In all honesty, joking aside, each of these browsers have vulnerabilities. They're constantly being resolved. I don't think any one is safer than the others. Biggest thing is make sure that you're getting these updates out in a timely fashion to plug them as quickly as possible.
All right. Moving along, we do have just another courtesy announcement here because we know a lot of you are members of patchmanagement.org. We have started the transition from Listserv over to Google Groups. So for those of you who are not familiar, patchmanagement.org is something that Ivanti hosts. We keep it as a vendor-agnostic place where you all can come together and talk about challenges around patching.
So there's a very active user-driven community. We try to keep even moderation of that Listserv to members of the community. We've got a very active crowd there. Susan Bradley, a well-known name in the patch space as well. She's not an Ivanti employee. But she is one of our strongest advocates out there and she and several others manage moderating that community.
But this is a place to cultivate and talk about patch-related issues. Well, that group is moving off of an older Listserv technology because of security issues around support for DMARC and other things. We've moved over to Google Groups. So if you haven't already seen that notification, there's some information in the Patch Management Listserv messages that are going around, you'll be able to see that there, click on it and get subscribed to the new Google Group.
End of Life. This has been a hot topic this month and kind of inadvertently was the center of my conversation in last week's Patch Tuesday forecast. I was seeing the number of products that are coming up for end of service and really, you know, starting to see a lot more questions on patchmanagement.org, on other sites, and even getting questions directly from customers around what do you do in these situations. So I wanted to hit on that topic a little bit here because this is very relevant to patching. It's what happens when patches are no longer available. So we'll start off with Windows 10.
Yesterday was the final release of Windows 10, version 1709 for those of you on a Pro license. So no more security updates if you're a Pro licensee going forward. That means that next month, it's not that there's no vulnerabilities, it's just that you're not getting an update to plug those vulnerabilities. So you wanna make sure that all your 1709 systems are getting upgraded to preferably 1809. The other that came up on its end of life here is 1607. So those of you who are on Enterprise or EDU editions, yesterday's update was the last branch 1607 update. So make sure that you've got a good action plan in place and that you're getting those systems upgraded as quickly as possible.
Now relating to which branch should I go to, 1903 is still lingering in the wings and has not made its debut yet. The latest news is that it's going to launch in May. It will still be called 1903 to keep the consistency of the old 309 cadence, but that is going to be the new time frame where we're gonna see 1903 released. And so in this case then, we would recommend 1809 is a good stable version. It's also, for those of you on Enterprise and EDU editions, it's got the longest lifespan for you. If you're on that Enterprise or EDU license, the 09 branch every year is going to have a 30-month life cycle. So that gives you more time on that branch for the majority of your users so that you don't have to get into as frequent of a cadence of upgrading. 1809 also is the branch where Microsoft is moving away from Express updates or Deltas.
So for those of you who have seen all the size of these things growing, 1809 is the first branch where Microsoft introduced the go-forward update model which is the LCU package. This LCU update model is significantly smaller on the front-end than the regular monthly rollups and significantly doesn't require any back-end calculation if you're doing the Express model. So the way that Microsoft tried to do this traded off front-end size for back-end size and calculations and other things that had to happen there. Neither was a good model. The LCU way of packaging these solves both of those problems and gives us a much smaller monthly update size.
So 1809, that's your desired branch right now. Everybody who's looking to see where you go next, we would say suggest that and then wait for the 1909 later this year to make your next jump. The 1903 group, that's where you wanna get your pilot users up to. Use that as your way to test out and see, okay, "Are there any new breaking changes or anything we have to look into before we start moving more and more of the populace?" But getting on to that 09 branch gives you the most life cycle.
All right, so now that's just Windows 10. So we talked about...I apparently didn't have the 10 here in that one but Windows 10, 1709 and Windows 1607. XP. So for those of you who are running an XP Embedded POSReady 2009 edition, yesterday also, last update for the XP Embedded family of OSes. So yeah, you wanna make sure to move along to the latest Embedded OS version. Java 8, end of life back in January, that was the last quarterly update for Oracle, was the last Java 8 public update available. If you're on a commercial license, which most of you probably are, the update that's coming out next week for Java 8 is only for private use. So under their licensing terms, you're not supposed to use that.
What we've done in this case is we have what we call drop-in support. That way for those of you who are paying for extended Java 8 support, you're going to be able to get the installer from Oracle next week. You'll be able to take that, drop it into our patch repository and be able to deploy that out. There's documentation on that situation on our communities so whether you're on EPM, on Patch for Windows or what's now Security Controls, I'll talk about that in a moment, or our patch for our SCCM plug-in, there's details about how to take an update and drop it in place into the repository and make it so that a patch like that, where we have protection and deployment logic, but can't get the installer for you, that makes it so you can drop it in and be able to use that.
Next one on the list. Also yesterday, this was the last update for Shockwave. I know it's been around for a long time, it's been dying for a long time, but this is officially now the end of that unless you've paid for extended support again. So we've got a slide talking about this a little bit more in-depth in just a little bit here, but Shockwave did release a bulletin yesterday. There's no public download available for it. So, while there's an update that was created, it's only available if you've done the continued support. So if you didn't, our recommendation is get it out of your environment because they just identified seven critical remote code exploits that attackers are gonna look at and say, "Okay. I can assume most Shockwave installs are not gonna be able to protect themselves against these seven vulnerabilities." It's open season on Shockwave. So if you can't continue support for it and get the update, get it out of the environment.
Some upcoming ones that you're gonna want to be very aware of, Windows 7, 2008, 2008 R2. January sounds like a long ways off, but especially on these platforms, you're probably still on them because you have some platform, or product, or application in your environment that requires it. Time to, you know, buckle down and figure out what is the action plan to move off before January. Or in all of these cases, if you can't move away from it, removal is obviously the best option. What else should you be doing besides that? Just saying, "No, this has to stay," that's not the answer. You have to take additional action.
And some of those actions are not gonna be cheap. So whether it's continuing support from the vendor or taking those workloads and virtualizing them to say, "Okay, yeah, we've got a bunch of people who are right now on Windows 7 because they need access to this particular app. Let's take those and put them into a VDI environment, upgrade the user to Windows 10, give them access to a VDI environment that gets them on to the Windows 7 system where that application runs."
Yes, it's a little bit more pain for the user. Yes, it's a little bit more cost on infrastructure, but it is moving the workload over. So now we can apply more restrictive app control and privilege management policies, we can reduce access to that environment, we can segregate that environment from the rest of our populace, and we can limit or remove altogether any internet connectivity to those workloads. If you aren't taking these steps, this is what could happen.
Conveniently, not for these guys but for the rest of us to learn this lesson, Arizona Beverages had a ransomware attack. And if you go in and read up on the details, they can't say exactly what went down. But in here, you will see outdated versions. So most likely they were running Server 2003, possibly later or earlier than that even. There could have been some 2000, there could have been, you know... But that is a huge problem. If you're not taking steps to take those systems that you know you have to hold onto for a while and taking those additional, not-without-cost steps, this is what can happen. And I'm guaranteeing you right now, this organization is looking back on that saying, "Yeah, it would have involved some cost but we should have taken additional steps."
Now there's other issues that happen in here, too, that you should learn from. They didn't have good backups. So they couldn't restore and they ended up having to bring in a whole lot of security services vendors to be able to come in and try to help them recover from this. They may have had to pay the ransom.
You know, right now, the Dridex malware that hit them, from what I understand, not in this but I think in another article, they were saying that there's no decryption tools available. Yeah, the IEncrypt. There's no decryption tools currently available for that. So they couldn't get access to that data and if they don't have a good backup, then they have no way to restore. So they're really in a painful spot. Not only did they neglect some serious security risks, but they also didn't pay attention to the recovery systems that they would have needed to recover from an issue like this.
So I don't harp on these to, you know, beat a dead horse. I do see this on a regular basis where organizations, you know, between prospects and customers we talk to, friends, colleagues, and relatives that I have in the industry as well. I know that this is a common issue with a lot of companies. "Yes, there's a system that runs on a legacy platform. No, we can't upgrade to it. It's a $100 million project that's gonna take us the next five years."
Okay, that's not the end of the conversation. What do we do to mitigate this instead? Is there a $10 million short-term solution of virtualizing, of limiting access, of locking things down? What are the additional steps you're taking? If you haven't gotten into that hairy part of the conversation after you've gotten past the business issue of, "We can't upgrade right now," then you're not done. So get back in and have that conversation and use this as an example of why it needs to be done.
All right, I'll get off my soapbox. I apologize. You can't tell I'm only slightly passionate about topics like this. All right. Getting back into the updates for this month. There are two zero-days that were resolved in Windows this month. Both are Win32K Elevation of Privilege Vulnerabilities. Aside from these two that were known to be being exploited, there's a number of other elevation of privilege vulnerabilities resolved in the OS this month. So do make sure to get these OS updates out as quickly as possible. Because there's attacks in the wild that are going to be able to get, you know, local access to kernel access at this point to be able to do whatever they want to if they can exploit these.
Now, if you read this, you know, there's...yes, they can exploit a vulnerability that would allow them to basically run arbitrary code in kernel mode. They own the box. The attacker would have to log on to the system to do these. So this is not the start of the attack, this is how they're going to further compromise that system. So if you go back to your anatomy of an advanced persistent threat, the attacker is gonna first start with some type of phishing attempt, some type of way of exploiting a user to get on to that box. "Oh, hey, we've got three public disclosures in three different browsers right now." That would be perfect opportunities to gain that first foothold.
So they're gonna use something that's browser related or user targeted like an Adobe Reader vulnerability. "Hey, they just plugged some." Flash, "Oh, we just plugged some there, too." That's gonna be the first step. Once they're onto that system, this is the type of vulnerability they exploit next to gain full access to that box. Now they can run whatever tools they want, they can get access to additional credentials, they can start to get access to system tools.
And this is where they go into a more stealthy mode of being able to use the credentials that are valid and the tools that you've approved for use in your environment against you. And that's how they start the lateral movement to spread throughout your environment. So this is definitely of concern when I read things like, "must log on to the system to exploit this." Don't write that off as, "No, it's too hard. They're not gonna do it." This is just step two, three, or four in the line, it's not step one but it's still gonna happen.
All right. Now let's talk about some of the other challenges. And I know somebody already asked the question about Sophos. So let's hit that one up first. Sophos Central Endpoint and SEC. There are reports already of the Windows 7 and 8.1 updates causing systems to fail or hang after they reboot, after the April 9 updates are applied. So do look into the community posts that they've got out there if you're running Sophos. They are working on the issue and they may, you know, have a timeframe here or some information that can help you understand when it might be the right time for you to start pushing those updates out.
For those of you not on Sophos, the change that probably hit this is one that multiple other AV vendors could be affected by. So our recommendation right now is regardless of the fact that there may not be other reports yet, make sure to test this out with your own AV solution on the Windows 7 and 8.1 platforms. And, you know, do that monthly rollup and make sure that your systems come back up without hanging and that everything's good there before you go rolling out to everybody. But that's just a good one to know about, you know, if you're on Sophos for sure. But even if you're not, make sure that you do some additional testing there.
We talked about Shockwave. And this one, when we looked into it here, we all had a good chuckle about this, but we've got Sophos, that's... Oh, I didn't pull up the... Thought I had... Oh, here it is. So if you go to Adobe's bulletin page or the...that's the Flash Player one. Let me go back here. Here it is. Yeah, there's Shockwave. So you go out here, you read the bulletin page and you're gonna go looking for the download. When you click on this... Oh, it's End of Life?
So yeah, they did announce an update. It has seven critical vulnerabilities. But you cannot download the product anymore. They have pulled all public download access. So this kind of leaves you in an awkward state where, hey, you know, attackers now know of seven nasty little arbitrary code execution vulnerabilities that they can go in, try to debug and figure out how to take advantage of and you can't patch it unless you've got that continued support contract.
So if there's any Shockwave at all in your environment and you can't take it as a, "Oh, no, we don't run Shockwave," double check because there could be a few instances out there yet. Go out, look for those. If you can't patch it, remove it because it is gonna be a target. I expect to see some exploits of that in the near future. So that's our little community service announcement about Shockwave.
Last one here. This one is regarding the Windows 10, 1809 March Quality Preview. So getting our nomenclature correct, the monthly quality update is the Patch Tuesday security-related update. Later in the month, Microsoft does their quality preview. This is where those additional non-security changes, feature changes, other bug fixes all come into play. That released last month. So the late March release started causing blue screens for a number of people for a number of different reasons. So if you're running the 1809 branch, what we're suggesting is just making sure to do a little bit of extra testing. We do have an article here that talks about...so you could see here there is actually quite a variety of different situations.
Like this guy, he was rebooting to do a boot into Windows 8.1. Okay, well, what happened there that caused it for him? It may or may not happen for you, but there's a number of other people all with slightly different circumstances and they're all reporting blue screens after that 1809 Quality Update was applied late last month. Now, because of the nature of Windows 10, everything is cumulative.
That means that the security update that just released yesterday includes changes from that quality update, end of March. So if you're running on branch 1809, it's not happening to everybody, it's not guaranteed to happen to you, but we're recommending right now making sure to test that on your 1809 system before rolling it out en masse to make sure that it's not something that's gonna hit your environment. So just, again, kind of a notice there to make sure that you're not gonna get hit by something that others are starting to see.
All right. This, we talked about last month. Just be aware, Microsoft is switching to SHA2 certificates. If you are on Windows 7, 2008, 2008 R2, any of the older platforms, there is an update to push for that and you have to have that in place before June or you may get a disruption in updates. So this is the advisory talking about that and giving you the information that you need to be able to apply that update.
Other updates of interest. Again, we talk about these most months but there is a new set of servicing stack updates for Server 2008 and Windows 10, 1809 and Server 2019. So these servicing stack updates, it's separate from the normal cumulative updates. It's something you do have to install separately. They are changes to the update infrastructure for Microsoft. So this could affect you if you're running WSUS or SCCM. It could also affect just Windows updates in general, which, even the way that any other vendor pushes a Windows install, no matter if it's completely outside of WSUS or SCCM, the update services running locally on a box do come into play to read through the manifest and execute in certain parts of that.
So, if that servicing stack could affect that, there could be things that could cause problems there for you. Our recommendation is do keep up with those servicing stack updates to make sure that, down the road, you won't have any disruptions. And the last piece here, there are a number of development tools, Azure, ChakraCore, ASP.NET Core, many different development components. These do have vulnerabilities on a regular basis. Several of these were updated this month.
This is not something you can do from a patching perspective. This is something that the DevOps team that manages that application has to do because they have to download the new binary, go into code and basically swap that out and say to use this version instead, package it up and deploy that out again to production. So, this is one of those things where it's an awareness thing. If those teams are not actively keeping up with this, you could be exposed to more and more vulnerabilities over time and that could be the way that an attack is getting at your most valuable data.
So if you go back to Equifax, that Struts update that was talked about so notably, that was some patch administrator's fault for not putting it in place, that actually falls into this category. It wasn't one person not pushing an update. It was a team of developers, QA people and business people who would have had to make the call to update that component, develop it, bake it in, push the new package out to production and so on. So, that's something that if you're not actively...if you're not aware of active update and maintenance for applications like that that are using components, it's something to bring up and look into.
All right. One other thing that many of you are going to start to see this if you're on our Patch for Windows product. There is a new version available but it's actually under a new name, Ivanti Security Controls. So this update is already out there. You're gonna start to see things like...after today's webinar, you'll see some references to it in the follow-up. Later this week, you're gonna see a notification if you're a Patch for Windows user that the update is available.
And in the product in a very short while here, you'll start to see in-product update notifications saying there's a new version available. We wanted to talk about this here because we know we've got a lot of you on here. But this is one where the upgrade is free, no additional cost just like always. It's just if you were calling this "Patch for Windows 2019.1.1," it would be the same upgrade that you've always gone through. It's just under a new name.
Now there are some cool new features in here. We've added support for Red Hat. So for those of you who have server licenses available yet and you have Red Hat systems, upgrade to the latest and you could actually start patching Red Hat systems with those available seats. If you don't have any available seats, then it's just a volume purchase of additional server seats to get that functionality, but it's there waiting for you as soon as you upgrade. That CVE Import feature we've talked about a couple of times, the ability to take a bunch of vulnerabilities by CVE ID, import them and build up the list of updates that need to be applied in less than a minute, rather than spending hours doing that research. That's in this release.
And for those of you who are interested, there is a new security module. Now this one is an additional cost. But application control and privilege management, we have an engine here from our AppSense legacy platform that you can actually turn on in here. If you're interested in that, again, there will be details coming here shortly. But you can actually request a trial of that by going out to the Security Controls landing page. If you click on the "Start Your Free Trial," that's gonna take you here. And if you're a current Patch for Windows customer, you can click on this link here and it's a very similar form but what this does is goes in and says, "Okay, this is an existing customer on Patch for Windows. They want to try the application control and privilege management feature set."
So then you'll get a trial key for that so you can kick the tires and take a look at that. So a lot of cool stuff that just came out there, and the biggest thing to keep in mind is that the upgrade is free for the existing patch feature set you're on. The name change is just cosmetic. It's still the same product you're used to. All right, I think that is it for my part here. Oh, a couple of last things. For those of you new to the series, we do this webinar for Patch Tuesday. But we do have a weekly digest series that Brian does for us here that covers the same type of material. What came out from a security perspective? What known issues? What industry issues are happening that you might wanna be aware of? So taking a look at that weekly blog keeps you up to date throughout the month because there's a lot that happens in between these Patch Tuesdays.
And for those of you subscribing to our community announcements for patch content, we are very close to making the shift from the old community over to the new community. There should be no action needed on your part. We're moving everything over and you should just see a continuation of those announcements about new content releases. It will look a little bit different. But we figured out a way to do this so there should be minimal disruption to anybody out there. If you do see your content announcements stop for any reason, contact support and they'll get you to the new community location when we make that transition to sign back up. But that shouldn't happen. We've taken extra care to try to make it so that that transition will be seamless and you guys don't have to take much action. Okay, that was it. Todd, it's your turn.
Todd: All right, Chris. Thanks.
Chris: All right, you should have control now.
Todd: Yep, let's jump in here and we'll start talking about the bulletins that were released this month on Patch Tuesday yesterday. So first of all, we'll go through the Adobe updates. As Chris mentioned, there were several of them released. We had an update for Adobe Acrobat and Reader that was rated as critical, fixed 21 different vulnerabilities. Chris took you to the general Adobe site there a second ago to look at Shockwave. But if you click on this link here, it will take you over to the Acrobat and Reader update. So just be aware of that. There is the possibility of remote code execution and information disclosure associated with the particular vulnerabilities that were addressed here. And this release is for Windows and macOS. So it covered both of those.
There was also, as usual, an update for Adobe Flash Player; every month there's typically one. So this month, they addressed two different vulnerabilities covering a number of plugins, you know, Flash Player for Windows, macOS, Linux, and Chrome. So be aware of that as well, and Microsoft, you'll see here in a couple bulletins in the future here, they do rebundle this and send it out as well. So there is an update from Microsoft as well directly for Flash Player.
Shockwave Player, I think Chris beat this one to death pretty well. As he mentioned, there was an update. It does address Shockwave Player from 126.96.36.199 and earlier. There are seven vulnerabilities that were addressed as he covered. And also I put a note on here just to make sure for emphasis, Shockwave Player is officially end of life and on extended support. So, as Chris mentioned, in order to get this update, you have to be subscribed with them, with Adobe specifically.
Here's Microsoft's update for Flash Player. You can see their update covers... I did list all the operating systems that Microsoft includes, that this particular update applies to. It's covered under two items. There's a bulletin, KB4493478, and Microsoft also releases a general advisory around this as well. And in this case, it's 190011, so if you see either of those, it's addressing this particular Adobe Flash update. The same two vulnerabilities are addressed in here that Adobe includes in theirs. So basically the same thing. It's just repackaged and sent out through Microsoft distribution channels.
Jumping into Windows 10. Did have a large release this month for Windows 10 addressing 50 different vulnerabilities. The two Chris mentioned, those Win32 Elevation of Privilege vulnerabilities that were known to be exploited, did include them here just so you have that list. If you want a complete list of CVEs, you can go into the security update guide on Microsoft's update web page to get that complete list. This month with Windows 10, you'll see that a large number of the issues that we've been carrying forward for several months have been addressed for some of the newer operating systems. But there are still some issues with older operating systems.
So let's start with the oldest, 1607, and Server 2016. Chris did mention that, you know, this is the last update that's going out for 1607 this month. So there are some feature and some security issues as well that Microsoft has listed. The first two here, in particular, have been carried forward for several months. So apparently these are not going to be addressed by Microsoft, so you won't see any more updates for this. So obviously, we're not gonna get any fixes unless Microsoft does some kind of a special release. The first one is around the Virtual Machine Manager. We've talked about this one the past several months. Microsoft does provide some workarounds and they really do recommend that you go in and take a look at their best practices guide for virtual machines, especially for this particular 1607 release.
There is also this issue around the password length and being shared between cluster services. We've talked about this one for the past several months as well. There is a workaround: setting your policy length back to be less than or equal to 14 characters allows everything to work properly. So be aware of that. There is a new issue that showed up this month. That's this third bullet here. You'll see this for several of the Windows 10 operating systems. And it has to do with the URI schemes that they've used and the way that these links are going out to trusted sites.
Microsoft does provide a couple of options. I didn't include all the details here. So you wanna go in and take a look at the KB for additional details. But essentially, they want you to either open the URL link in a separate window by right-clicking on it or you actually go into, you know, where you configure your browsers, go into protected mode and take a look at how you set up the local internet and trusted sites so that these links will work properly. So they do give a couple of workarounds. They say that they are working on this one as well.
One final issue with 1607 and Server 2016, there were some issues around the PXE startup device setup with Windows Deployment Services. They actually go through and provide quite a few options. I didn't include them all. There were three options they provide in the KB article. So when you go into 4493470, you'll see a lot of detail around this. So if this is an issue for you, go in and take a look at it. They do provide some workarounds, it has to do with resetting some registry keys and things like that. Essentially what they're asking you to do is disable the variable window extension on these Windows Deployment Services servers, so be aware of that.
Additional Windows 10 issues, 1709, that same issue that I just talked about with the URI schemes, same recommendations they provide here. Same issue again on 1803 with the same recommendations there. 1803 also has this issue with the preboot environment, so be aware of that in 1803. And then finally on 1809, same two issues. So these are carried forward. There were quite a few issues, though. This is an important month. If you were on our call last month, there were quite a few issues that had been carried forward for several months on all these Windows 10 operating systems. Microsoft has gone through and corrected a lot of those issues, so if you actually dig into the bulletins and read, you'll see that they have addressed a lot of these issues that were being carried forward. But be aware that these still exist in the various Windows 10 releases.
Moving on to Internet Explorer. They did release their usual updates for 9, 10, 11, which include both security updates as well as cumulative updates. They fixed five different vulnerabilities in the various versions of IE that are listed here. The same issues around that URI using trusted sites that I talked about just a minute ago are also shown underneath the bulletins for Internet Explorer, so be aware of that. Moving on to the legacy operating systems. They did release obviously, an update for Windows Server 2008. And they did a monthly rollup, which included all the previous updates they've done for Server 2008 and they also include IE 9 which, as you know, is still supported on top of Server 2008.
They did address 29 vulnerabilities this month, including those exploited vulnerabilities that Chris covered earlier. There are a couple of issues around the update this month. In particular, they have an issue. This is a new one that surfaced, haven't seen it before, around the unconstrained delegation of Kerberos tickets, has to do with the expiration time, so be aware of that. They did provide several workarounds as to how to get around this particular problem. It does say that Microsoft is working on a resolution for this particular issue, so maybe we'll see something either early in the month or at the next Patch Tuesday in May.
In addition to the monthly rollup, they also released a security-only update with just the particular vulnerabilities, the 29 that I talked about here. If you want a full list of these, you can go in and take a look at the KB article in particular to get that list. Same issue on the security-only update. There was a monthly rollup for Windows 7 and Server 2008 R2. You'll notice that they did, actually, I went in and compared the lists, they did actually fix the same 29 vulnerabilities that were addressed for the regular Server 2008. They did include in the monthly rollup the five IE vulnerabilities as well. What's interesting for this is, in addition to the security updates that you see here, there were additional protections in here for Spectre variant 2 vulnerabilities, this 5715 in particular, and the Meltdown vulnerability 5754 for these VIA-based computers, so be aware of that.
They also put a note in there that these protections are enabled by default for Windows Client but disabled for Windows Server. So be aware there are some additional instructions in the KB that talk about how to go in and enable it on your server. The main reason they don't enable it by default is it can be disruptive to your business processes sometimes. So you wanna make sure that you go in and read about these under the KB article itself, particularly for Server 2008 R2.
There are some issues around this that they released. It's the same Kerberos issue that we talked about for Server 2008, same basic workarounds covered there. And this applies to both the monthly rollup as well as the security-only update that I have included here. The security-only update also includes these protections for Spectre and Meltdown. Moving on to Server 2012, there were some additional vulnerabilities that were addressed, the same 29 from the previous two operating systems I talked about. And there were two additional vulnerabilities that were fixed in this release. The same publicly disclosed and exploited vulnerabilities were covered with this particular release, so be aware of that.
And that issue that we talked about earlier with the PXE setup, PXE start issue does apply to the Server 2012 updates, so they do once again go in and talk about disabling that variable window extension on the deployment server, so be aware of that. Same kind of three workarounds or options provided, they cover them again in the KB articles associated with Server 2012. Notice that the Kerberos issue was not called out here for Server 2012. So I assume that it's not an issue. We'll be tracking that and see if anything else is published on this.
In addition to the monthly rollup, they did release a security-only update for Server 2012, fixing specifically just these 31 vulnerabilities. Just as a reminder for some of you who may be new to the call, Microsoft does release both a monthly rollup which includes a lot of updates going back basically two and a half years now for the updates or they release a security-only which is the monthly-only set of security vulnerabilities that they've addressed, for example, in April.
Different patching methodology or a different approach depending upon what you need in your environment. With the monthly rollup, you apply the monthly rollup and you get all of those cumulative updates like I mentioned for a long time. If you apply the security-only update, you're getting only those security updates that were released in the last month. So if you are going to go the security-only route and use just these updates, you have to patch every month to make sure that you get the latest updates. If you do the monthly rollups and you've missed a few months in the past, you're guaranteed to get whatever Microsoft has released in the months that you've missed.
So kind of be aware of that. Two different approaches. The security-only updates are generally smaller and they also obviously only affect the operating system for that particular month. So if you're worried about testing a smaller update, if you have some sensitive applications running in your environment, Chris talked about that a little bit earlier with this end of life, for example, Windows 7 and Server 2008. You wanna make sure that you do a lot of testing ahead of time to make sure that you're not breaking some of those legacy applications, and going through and applying the security-only updates month by month is often the methodology that many of our customers use when it comes to that particular approach to patching.
Moving on a little bit here. We're gonna move on to the monthly rollup for Windows 8.1 and Server 2012 R2. This particular update also includes the updates for Spectre and Meltdown. They had the same comment in here about the client versus server. So be aware of that, it's enabled for your typical desktops but it's not enabled for Windows Server. You would have to go in and enable those. Instructions are provided in the KB articles. Comparing vulnerabilities, the same 31 that were addressed for Server 2012 are addressed here, same information once again around those exploited vulnerabilities. And these particular desktop and server operating systems are also affected by the PXE boot issue.
And finally, the security-only update for Windows 8.1 and Server 2012 R2. So you can also get these particular updates as well. So these are all the critical updates so far. Notice that those were rated critical by Microsoft as well as by us because of those exploited vulnerabilities. Moving on to some of the important updates, maybe not quite so, you know, imperative that you do the patching but also still very important. Microsoft did release updates this month for Excel versions 2010 through 2016. So all four versions that are available there have updates this month as well as Office 2010, 2013, 2015 and 2016.
Office 2016 and 2019 for Mac also received updates this month. They did address eight different vulnerabilities, some of these around remote code execution and elevation of privilege. I didn't see anything around known issues looking through the bulletins. There are nine different KB articles surrounding these particular updates. But once again, rated important, this is for your on premise update of Microsoft Office.
The automated updates coming through Office 365, now known as Office 365 ProPlus, and Office 2019. There were only seven vulnerabilities, one less than the on premise updates. So these are typically done through the Click-To-Run model on the Microsoft update from the internet. Did include the link here. Erica will copy that in the chat session pointing to the release notes for this month. Again, no particular issues known around these updates this month, again, rated important for Office 365. There were updates this month for SharePoint Server. All versions from 2010 through the latest, 2019.
There were six different KB articles that address these particular vulnerabilities, had to do with spoofing. The vulnerabilities in particular that were resolved were for cross-site scripting. So just be aware of that and you can read through the details here. Again, only rated important but important that you get them implemented as quickly as possible. Finally, Chris did mention that there was an update for Exchange Server this month.
There were two vulnerabilities that were addressed, has to do with the way Exchange Server, Outlook Web Access, fails to handle web requests. There are some known issues around this. We brought some of these up in the past, have to do with the way Microsoft does their Exchange updates, in particular, you want to make sure that when these are installed, they're run as administrator.
Microsoft specifically calls out that these updates sometimes appear to work properly, but if you don't install them as administrator, you could run into some issues, so be aware of that. There's also a known issue that they posted around, when you go in and actually look at the systems after the update, that Exchange services may remain in a disabled state, so you may have to go in and turn on those services manually. So you go into the Services Manager to restore the startup type to automatic. So just be aware of that if you do go through and update your Exchange servers this month.
There were a couple of other security updates that were released on Patch Tuesday, in particular, Adobe AIR version 32 and Opera Browser 60 were released. They were called out as security releases by the vendors, however, they didn't include any CVE information. So I can't talk about the particular vulnerabilities that were addressed but once again, rated as important, important that you go in and update these. Make sure that you update your third-party applications as regularly as possible. Okay. Chris, you wanna take over from here and talk about what happened between the Patch Tuesdays?
Chris: All right, so, as if you didn't have enough already. Yeah, we do have a lot of additional updates that came out between the Patch Tuesdays. These are just some of the highlights of what came out. So Apple iCloud, they did release and fix 20 vulnerabilities. There were some Workstation updates that fixed a couple of vulnerabilities. Continuation of the Workstation Player and Pro versions here and then getting into Firefox, there was an ESR release that resolved 10 vulnerabilities. We have a Thunderbird release that resolved two.
The Firefox 66 release, that resolved 21 vulnerabilities, two more in the 66.0.1. So shortly after, they released again, so run right back out there and do one more. FileZilla did have an update. iTunes fixed 19 vulnerabilities in that one. And PuTTY with five vulnerabilities. So what we try to make people aware of there is the frequency and cadence of updates that come out. There's a lot of vulnerabilities that come out outside of today, you know, like yesterday's event there around Patch Tuesday. Many of these vendors are in continuous delivery mode. So there's a release whenever they've got it ready. So that is the type of thing that if you are trying to make the case for why end-user systems especially need to be updated more frequently, like on a weekly basis, that's some of the ammo you can use to make that case.
And this is one of those where I do get challenged once in a while. People say, "Yeah, nobody can actually push out updates that frequently." But I've talked to very large companies who can actually do this. We were just over in Madrid at our corporate event, Interchange, and our keynote, we had, one of our guests for that is actually an Ivanti customer. And these guys are patching 66,000 endpoints globally. They are a chain of grocery stores and, you know, they're quite large and their cadence is weekly updates. They may do, like, server infrastructure and things like that, you know, on a different cadence. But their end-user environments especially, they're trying to keep those to a weekly cadence of updating security updates.
So these things can be done. It could be done at large scale. It just takes a disciplined mentality and a corporate culture to drive that security. We've had larger customers who are doing a 14-day SLA very easily. So it can be done and it can be challenging at times and I totally get that. But it's one of those things that we always try to make sure people are aware of, you know, that's the target you wanna get to. All right, switching over into some Q&A. So, Brian, you've been doing an awesome job of responding to a bunch of these. Let's give the highlights here if you wanna jump on.
Brian: Yo. Can you hear me?
Brian: Just making sure. So I'll start from the top and go down so it's not in any particular order. The first one was about Windows 10, 1809, and I have read a few articles around this. So this is a good question about 1809 not being really actively pushed by Microsoft anymore. So I haven't read any definitive article around Windows Update not pushing it anymore, but I wouldn't be surprised if that's the case. A few other articles had mentioned that 1809 had been pulled from volume licensing. I cannot verify that but, either way, I think this is a good example of a poor release, and with 1903 they don't wanna have the two collide. But I just wanted to kind of mention that.
Next question was around Sophos. Does this affect Windows 7 and 2008 R2 and 2012 R2? Yes, it definitely affects all of those platforms. But then the next question was does this affect just the rollup or the security-only, etc. I believe it affects both. Per the website that Chris is looking at right now, the top link is going to the monthly update of Windows 8.1 and the bottom one is the security-only of Windows 7. So I think by association, it probably affects both. So I would be really cautious, especially if you're running Sophos, for any related patches there.
Chris: I think it's safe to say especially because these share the same kernel as the OS version from that branch as well, you know, Windows 7, 2008, 2008 R2, 8.1 and the 2012 family. You should approach those platforms with caution and make sure that if you're running Sophos that you test against those updates to make sure it's not gonna have that effect on your environment. Again, they're investigating what the situation is but, yeah, I would say that those two sets of kernels, you should approach those with caution.
Brian: Yeah, absolutely. One thing that Sam noticed was the March servicing stack update for Windows 7 actually includes the standalone SHA-2 patch. So if you want to kill two birds with one stone, that's a great, great option there.
Chris: Oh, that's cool. That was nice.
Brian: Yeah, I totally missed it in the release notes. It's an awesome one. What else? So this is actually a really awesome one. [inaudible 01:01:45] has been having some issues actually deploying the April updates because it affects the Windows storage components. The last time this happened was in March 2016 where if you had USB mass storage devices blocked in GPO, the patch would fail at install actually. Just a heads up for those that do have that GPO setting, you might need to disable that before you can run the April updates. That was a huge, huge thanks on that one.
Chris: Hey, Brian there was a product-specific question from Chris K. He's using Patch for SCCM. And he's no longer seeing VideoLAN or the VLC product in there. Is that something we are aware of?
Brian: I answered that one. I said I'm gonna make sure the latest patch is covered right after this webinar. We haven't pulled VLC for any reason. So if you're not seeing the product detected on your environment, yes, please, please let support know. We'll get that fixed as fast as we can. But I'll be checking that right after this just to make sure. Sometimes those things can... Okay, someone else replied they're having a couple issues.
Chris: Yeah, completely content...
Brian: Okay, I'll have a look at it after this. If you would like to, please contact support and make a case. Otherwise, I will look at it after this.
Chris: Yeah, so if something happened there, guys, yeah, open a case up and we'll look into it from this end as well and hopefully, we meet in the middle with a quick update on that.
Brian: Yeah, hopefully, it'll be fixed before you even have the case made. Let's hope. Are you seeing anything else, Chris, right now?
Chris: Let me look through the Q&A side better here. I was looking through the chat side already. Todd, do you see anything that is worth mentioning?
Todd: I think all the big topics were addressed that I see.
Brian: There was one clarifying question that someone had about Security Controls, about whether Security Controls is just for cloud customers. Nope, not at all, it includes all the features of Patch for Windows. It's just the additional Linux and application control features. So it is not something that's only for cloud customers at all.
Chris: Correct. And that's something where Endpoint Manager, Security Controls, you know, we're gonna be...even our Patch for SCCM. The SCCM side, too, we're gonna be creating cloud connectors for our Ivanti Cloud platform that you'll be able to choose to use. They're gonna provide a whole bunch of new capabilities, things like that, and additional things that you'll be able to integrate with that will really solve some interesting IT problems. But yeah, the Security Controls upgrade is just like any other you've done on Patch for Windows in the past so it's the same as always.
Todd: There are a few questions around servicing stack updates, in particular, are they cumulative? You should always just apply the latest one. They are cumulative, they typically include updates from the past, so Microsoft generally will point you to the latest version and that's the one you should apply.
Brian: Okay, perfect. Rodney had one question about the [inaudible 01:15:05] time zone patch for Windows that was released between the months. We have it in our data. If you have any other particular questions about that, please let us know but we have released that in our content.
Chris: So there was another question regarding that large customer I referenced before. This question was from Joe. He's curious about how are they validating those updates being rolled out. So, Joe, they're doing a few things. There's some in product information that they're using to gauge how quickly things are rolling out and how well those are being implemented. So if you're getting a lack of visibility there, let's look into that from a support standpoint to make sure that you are getting all the feedback you should. Because any of our patching solutions should get to a good terminal state letting you know this installed correctly or it didn't and so on. So if that's not happening, we can sort that out from a support perspective.
Now, they are going beyond that and they're looking at a variety of things. They are using vulnerability assessments to gauge what should be being done and also, as an additional, you know, belt and suspenders, to validate through another source, another set of eyes, to make sure that things are actually accurate. They've got a very mature pilot program so they've got users who are involved early on in the process and getting feedback from those users very quickly. So it's a combination of things, Joe, to take a large enterprise like that, or actually any company, and make that shift to a 14 days or less SLA or even a weekly cadence. It does take more than just technology to do that.
So if you're interested in some more details, we actually talked about this a bit in...we just did our 2019 version of our patch best practices where we talked about a few of these things and that's something where I think if I recall correctly, Erica, we're coming around after Interchange Nashville here in May and we're gonna do that as a live webinar. So in the near future here, we're gonna be doing a best practices webinar where that's one of the parts that we'll be talking about.
So, let's see. Does Ivanti Patch for SCCM package MSOffice patches by CVE? So [inaudible 01:07:46], with our SCCM plug-in, we're doing the content and delivery of the package into the SCCM system for the non-Microsoft products. Microsoft is, you know, who's packaging the Microsoft Office updates there. So if you're talking about the CVE Import, that's one where we know that the way that we've done that for the SCCM plug-in to date gets you all our packages the third-party packages. If you want to publish Microsoft updates through that same functionality, that's something we're gonna be working towards. If you haven't already, you know, you can go out to our user voice feature request environment. You can request that there.
Also, you could reach out to us, Todd, myself we can get you in touch with the product manager for that team. We'd love to talk about what you guys are doing there. And we do have some plans on what we wanna do in the future. It'd be great to get your feedback on that. So yeah, reach out to us if you would and we'll be happy to have a conversation about where we're going with that. All right, guys are we seeing anything else? I think there was a lot more about Sophos but I think we've covered that one pretty well.
Brian: I think we're doing pretty good.
Chris: All right. Yeah, I think that covers the majority of the major ones. So, great. Thanks, everybody, for...I know we hung on for a little while here, answered a few more questions. But we do appreciate you guys sticking around. And I did see a couple of fellow Minnesotans in the crowd there, too. Yeah, I already see that the ground is covered in white, you know. Yeah, the snow is here. So hopefully, everybody's in a nice place where they don't have to drive too much if you're up in the region here. But for those of you in the nicer parts of the world where you're not getting snow today, have a great week, have a good patch cycle, and we'll talk to you again next month. Thanks.
Todd: Goodbye, everybody.
Brian: Thank you.