August Patch Tuesday 2019

August 14, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris Goettl:
Hello everyone. This is Chris Goettl and I'm joined today by Todd Schell. Hey Todd. How's it going? 

Todd Schell:
I'm doing good, Chris. 

Chris Goettl:
Good. Well, we are here in August for the Patch Tuesday webinar. Thank you all for joining, and good news is it was a light month. So we're going to have a few things that we want to cover that are pretty serious. But for the most part we've actually got a pretty light number of updates to be concerned about from Patch Tuesday. There's a number of third party updates that we do want to talk about as well because this was probably the biggest gap between Patch Tuesdays at LC for a year. There was about a five week gap in between July and August Patch Tuesday, which means another week's worth of third party updates that did have security updates included in them. That we'll be talking about. So we'll get into that here in just a moment as well. So we're going to cover an overview of the Patch Tuesday release from Microsoft and Adobe.

Chris Goettl:
We're going to talk about a little bit of some of the things in the news, some serious vulnerabilities that are hanging out there that you'll want to be concerned about. And then Todd's going to walk us through all the bulletins, talk through known issues and priorities around what you should be focusing on for this month update. And then we'll have some time at the end here for question and answers. So as we're going through, if you do have any questions, go ahead and submit those. We've got both Erica and Brian supporting us here as well. They will be going through and answering questions throughout the Webinar and then we'll tackle a bunch at the end here as well. All right, so starting off just a general idea of the overall patch release this month, Microsoft had probably their lightest patch release for the year so far, 13 updates that we're really concerned about here. 

Chris Goettl:
All of which were critical in this case. And we'll talk about why those were critical here in a little bit too. Microsoft, I'm sorry, Adobe had two bulletins released. One of which was important to the other one. Actually, Flash Player in this case for two months in a row had no security vulnerabilities resolved. So kind of an interesting one, a change for Flash Player from a historical reference. We haven't seen this little activity on Flash Player probably ever. So it's kind of interesting that we've got two months in a row without Flash Player releasing any security updates. They did do a non-security release, but there were no vulnerabilities identified in it. All right. Covering a few things in the news. The first one, Microsoft did resolve a pair of critical vulnerabilities that have wormable potential. So if you remember BlueKeep, there's two new CVEs.

Chris Goettl:
So Microsoft went through and did some additional bug scrubbing and effort around remote desktop services. They found these two CVEs. Both of them are critical. Both of them are wormable, meaning they're remotely exploitable without authentication and would allow an attacker to spread this from system to system without user interaction of any sort. This one does not affect Windows XP or 2003. This pair, unlike BlueKeep that did. But it does affect everything from Windows 7 all the way up through Windows 10 and Server 2008 all the way up through Server 2019. So all currently supported versions of the Windows operating system are vulnerable to these two remote desktop services vulnerabilities. There's a couple of links that we've added in here. One of them is a blog post that Microsoft put out talking about the vulnerability. Let me switch over to that real quick.

Chris Goettl:
So this is basically just going through and talking about the vulnerability, the severity of it. The fact that it is not affected on Windows XP and Server 2003, actually Server 2008 as well, is not affected. The reason for that is the versions of remote desktop services that are vulnerable to this were RDS 8 and 8.1, which came out after those platforms. So those platforms did not have those versions of RDS available to them. So there are some methods to mitigate this. You can disable remote desktop services; obviously that would prevent somebody from exploiting it because it's not live and allowing them to exploit it. Another workaround is to enable network level authentication. Not a bad idea in general because it makes it so that you have to do the authentication before you can even talk to the protocol, not after.

Chris Goettl:
So this makes it so that the attacker would have to figure out a way to brute force the authentication before they would be able to attack the service. So that would fairly effectively work around the issue. Another workaround that they are suggesting, this won't help for internal but for external, for those of you running remote desktop services publicly available: block TCP port 3389 at the perimeter firewall. And use a method of VPN or some other way for people to access the environment to mitigate that. So it's a more secure way of doing it. So those are the suggested workarounds for that. Now again, these two vulnerabilities are wormable. That means they are potentially capable of causing a significant global security event like WannaCry. So BlueKeep was the first of these, came out in May. We've got two more right now.

Chris Goettl:
In general, you should be looking at how RDS is available in your environment and looking for better ways to secure that like the workarounds listed here, either NLA or blocking public access to remote desktop services. And also make sure to get patches in place for these. There's a little bit of updated news around BlueKeep that we wanted to cover as well. There's still a lot of systems globally that are vulnerable to this. Couple of updates that happened since July. On July 1st, we talked about this last month, Sophos was the first of several security vendors to publish a video showing the full exploit of a remote desktop. So they showed that they could, they demonstrated a full exploit down to system level access without the need for a user to intervene. All they did was go use the accessibility tools within Windows system and was able to exploit that system and bring up a command prompt that gave them system level access.

Chris Goettl:
It's an interesting video, shows the real risk of this. And again, kind of reinforces that need to get that BlueKeep vulnerability plugged. The next update here came out on July 23rd. This was a company called Immunity Inc. They released a fully working POC exploit of BlueKeep within their pen-testing software. So this module allows somebody to remotely exploit BlueKeep to test and see if the system is vulnerable to it. At the same time, there was an article that was published that also talked about the fact that there's still 800,000 public facing endpoints, still vulnerable to BlueKeep. So that means 800,000 systems running RDP publicly that somebody could access an environment and exploit the BlueKeep vulnerability. Now these new vulnerabilities, any public facing RDP remote desktop service running out there, which there's several more million of those out there could be exploited by this new set of two vulnerabilities.

Chris Goettl:
So again, for anybody running Windows 7 and later all the way up through Server 2019 you do want to get those patches in place and especially if you've got public facing systems running that. The next update here on July 24th, a BlueKeep module, basically a module to detect that a system is vulnerable to BlueKeep, was found in a popular crypto mining malware. Watchdog Cryptomining Malware added this module to scan an environment and determine if systems were vulnerable to BlueKeep to be able to start potentially using that as a way to populate under those systems. I apologize to you, by the way. Apparently I'm having some audio issues. I'm actually in South Africa today. So hopefully most of you can hear me all right. But I'm trying to connect up over my laptops. So the sound quality is not right like it normally is.

Chris Goettl:
So apologies for that. The next thing that I wanted to talk about today is there was a new variant of Spectre Variant 1. So a variant of the variant if that makes any sense. So this is going all the way back to those Windows kernel information disclosure vulnerabilities, the Meltdown and Spectre variants that were discovered. This update for this variant was actually released on last Patch Tuesday. Microsoft didn't release the CVE until later in the month. So if you did the July 9th update, the OS updates there, you've actually already put this in place. This particular variant did not require a microcode update so you did not have to do a driver level change as well. And the mitigation was also in effect immediately upon installing. Sorry again, sounds like my audio is cutting out again. Is that better?

Todd Schell:
You sound pretty clear to me Chris. It does get a little softer but it doesn't totally go away or anything. 

Chris Goettl:
Alright, I'll continue at this point then and hopefully most of you can hear me. I'll wrap up my part here and Todd's going to have a much better connection. So. Cool. All right. So this variant one again, to be very clear, if you have done the July 9th updates, you have mitigated this new variant. It did not require additional firmware updates and did not require additional mitigation to be activated to put it in place. So that was the July 9th update. All right. Just a little housekeeping here. We always want to make sure people keep an eye out for this. We've got Windows 10 end of life's, they're always going. So if you are on the Windows 10 branch 1703, and you're on an Enterprise or Education edition, your end of life is going to be October 8th for this particular branch.

Chris Goettl:
So make sure that you know how many you got out there yet and you got a plan to get them rolled over before that date passes us by. For those of you on the Pro and Workstation editions, end of service for branch 1803 is coming up on November 12th. So again, just make sure you know which ones you still have in production and make sure you've got a good action plan in place to get those rolled out before upgraded to a new branch before that date. We're nearly done with this one. If you guys remember from months past here, we've talked a few times about Microsoft's switch from SHA1 to SHA2 certificates for older platforms. This month, Microsoft did finally switch over Windows 7 SP1 and Windows Server 2008 R2 SP1 to SHA2 signed only. So if for some reason you were having problems with this on those platforms, make sure that you've applied these SHA2 updates that were required for those platforms to be able to handle the SHA2 signing.

Chris Goettl:
Otherwise, if you haven't done that, those platforms don't know how to handle SHA2 yet and they are no longer dual signed with SHA1 and SHA2. So validating those updates would fail and the updates would be not allowed to install. So just to make sure that you've got those in place. Now, September is going to mark the end of this transition period for SHA2 certificates for these other platforms. The good news here is no patch has to be put in place for the September round of changes. Server 2012, Windows 8.1, Server 2012 R2, no patch required. They're just going to stop signing SHA1 at that point and SHA2 will be the only method of signing going forward. And again, all Ivanti patch products already support this change. So you're all set there. As long as you've got the Microsoft SHA2 code signing support requirements met by putting those patches in place.

Chris Goettl:
Those are patches that are outside of the normal cumulative patches. So you do need to apply them separately. Couple of additional updates of interest this month that you'll want to be aware of. There was an advisory for Microsoft Live. There was an elevation of privilege vulnerability for Microsoft Live accounts. This has already been mitigated. There's no action required for you to do anything about this. This advisory just clarified the fact that a vulnerability existed and has been resolved by Microsoft. So all accounts are now good. So we're just putting it in here to make sure people are aware. If you had any questions about that one, that advisory, no action required on your part, they're just notifying people that a change was made to remove a vulnerability. The next one here, servicing stack updates.

Chris Goettl:
There were actually no new servicing stack updates for August, so that's good news. These servicing stack updates are updates to Microsoft's update services on a system. They make changes that they give us oftentimes a few months to get in place and at that time they may start to enforce those changes to be required before new updates can be applied. So if you haven't done any of the more recent ones this year, in the last couple of months, do take a look at that advisory there. Double check and make sure that you've met those requirements. We do support those servicing stack updates within our products at Ivanti as well. So again, the EPM and Security Controls platform, you will have access to those patches to deploy them out. A couple of development tools got updates as well. For those of you who have caught this on previous webinars, things like ChakraCore and .NET Core and even Java 11 now.

Chris Goettl:
Java 11 and other tools going forward no longer have a JRE in those. So in a case like that, you have to update the development toolkit and basically run a new build of that application that you've developed using that technology. So if you build web apps using ChakraCore, your web team has to update the version of ChakraCore to the latest. Then they have to run a new build of their application and it will be ready to go. So this was just kind of a general announcement to make sure that you're aware that those are available, but this is not something that has a normal patch to be able to deploy to an environment. All right, so for those of you who do like the information you get out of these monthly webinars and want to get some more frequent similar updates like that, we do have our weekly patch blog. This is something that Brian Secrist, who has supported us on this Patch Tuesday webinar for quite a while now.

Chris Goettl:
He does these at a weekly level to try to give similar level of understanding of what came out, where were there vulnerabilities. Is there any other recent security news that people should be aware of and cognizant of. So if you're interested, take a look at those on our Patch Tuesday blog. We do release content multiple times a week. So for those of you who are using an Ivanti patching technology, there are content notifications available for each one of those products. So depending on which one you're using or multiple in some cases, Endpoint Manager, Endpoint Security, Security Controls or Patch for Windows and the Patch for SCCM plugin, all of those have their own stream to be able to make sure that you're aware of all updates that come out as they're released. So do go out and subscribe to those if you want to keep up to date with third parties that come out on a regular basis. All right, Todd. 

Todd Schell:
Okay, Chris, let's walk through this month's bulletin. Yeah.

Chris Goettl:
Yeah. Handing over keyboard and mouse control to you. So now you're all set. Actually, let me mute myself here quick first before you start driving. That way I don't cause you background noise. 

Todd Schell:
Okay. Let's see if I can advance here. Okay. Let's get started with the bulletins this month. Chris did mention that there were two updates released for Adobe this month. On the security side, we did have an update for Adobe Acrobat and Reader. It was rated as critical because there are 76 vulnerabilities that were addressed. So don't forget to go and take a look at this. Here's the link that we've provided off to the bulletin number 41. So be aware that the update is available for Windows and macOS. There were some questions in the questions thread over there asking about what versions are supported. Basically the updates are available for the DC continuous versions and the classic 2015, 2017 and other versions as well. So all of those were released this month by Adobe. Also, as Chris mentioned there was a non-security update released for Flash Player.

Todd Schell:
So be aware of that. Again, because it was non-security, Microsoft did not include it in their bundled updates this month. Moving on to the first of the bulletins for Microsoft, we'll talk about Windows 10. They did release updates for all versions, obviously, of Windows 10. There were 93 unique vulnerabilities included in all the Microsoft updates this month. And believe it or not, 78 of them obviously apply to Windows 10, which is the current operating system and all the different variations thereof. So there were, like I said, 78 vulnerabilities addressed. One thing to kind of make note of across all of these updates, both Windows 10 and the Legacy updates in general, I try to provide a list of the CVEs here in our slides, but this month actually Microsoft did updates on over 30 plus CVEs for each one of the operating systems.

Todd Schell:
So even though there were fewer overall updates released, they've definitely addressed a lot of vulnerabilities this month. As a result, you'll see that all of the operating system, and actually the application updates this month are all rated critical just because they've addressed so many vulnerabilities. And some of those had a very high severity allowing remote code execution. So I won't have a list of all the CVEs in the slides this month, but if you go off to Microsoft's update guide, you can obviously pull down the list of CVEs that are available in each patch. And of course you'll see those CVEs if you're using any of our products associated with each patch as well. Anyway, there were updates across all the Windows 10 operating systems, including the desktop and server versions. And as usual there are quite a few known issues. 

Todd Schell:
We'll start with the oldest release, which is still in support version 1607 and server 2016. They have been fixing issues. There were actually, I think seven last month. We're down to four. A couple of these are actually, one or the two of these are new ones. These first two issues here. The first one has to do with minimum password length when you are connected into a cluster. The workaround for this is to minimize or limit your password length down to 14 characters to avoid this access problem, this error that you're receiving here for password. This problem has been around for quite a while now. Actually, it's been around for I think almost a year. So I don't know how aggressively they're working on this one, but just be aware of it. Second issue here has also been around for quite a while. It's a file rename issue has to do with permissions within the system itself. 

Todd Schell:
The workaround they give you is to attempt to do this process from something giving you administrator privileges. So be aware of that. This is an issue across a lot of operating systems here in Windows 10. We'll talk about each one of these. Because of that, the little blue tag that I have up to the left there, file rename is something that we've added into the slide set here a couple of months back so that we don't have to duplicate this particular issue. But if you are looking at our slides, and by the way Erica does post this on our website upon completion of our patch Tuesday Webinar, you can go back and look at these and you can look the first time that it pops up in the slides. I will give a full description of what Microsoft provides in the bulletins, but after that I'll just refer to it as the file rename issue. So these are the first two issues with 1607. 

Todd Schell:
The next two issues are around a Preboot Execution Environment, also referred to typically as a PXE Boot. And so I've called the particular issue PXE Boot. And you'll see this applies across not only a lot of Windows 10 operating system variations but some of the Legacy operating systems as well. So there is a mitigation provided in the KB referenced here, 4512816. Microsoft is working on a resolution for this one as well. Something new that showed up this month is this net query API. A bug as I refer to it here, has to do with any applications that are using this API to pull up information. Basically there's an error after it pulls up a certain amount of records. So just be aware of that. There is no workaround for this unfortunately, but Microsoft is working on a resolution. Moving on to the next versions of Windows 10, we have 1703.

Todd Schell:
The only issue associated with this operating system is the file rename issue. Moving on to 1709, getting to the more recent ones, this particular one has that file rename issue as well as the PXE Boot issue we talked about. Moving up to 1803 in addition to the file rename and the PXE Boot issues, there is a problem during log-on. Basically after you've applied the update and done a reboot, you may get a black screen during the first log on. This issue actually popped up last month as well, so they haven't resolved this one yet. They do give a workaround. The updates are actually properly applied. It just gets hung up on reboot. So you have to basically do the Ctrl+Alt+Del here and select the power button and do a restart again. Microsoft is working on a resolution for that and you'll see it is popping up on a few operating systems. So I did give it the name tag here as well. 

Todd Schell:
1809 has a lot more reported issues this month. In addition to the four shown here. Another issue has to do with Asian language packs being applied. This particular bug has been pulled forward several months now. So I think it's shown up for the last two or three months. Basically applying that install, there are some issues where you'll get an error message as shown here, the matching component not found. Essentially if you do an uninstall and re-install, that's kind of their workaround. A little excessive, but until they get it resolved, that's basically what you have to do. And finally, moving on to the latest release, 1903, there is that PXE reboot issue talked about earlier. And two additional issues that showed up, Windows Sandbox, this particular issue was in last month's release as well. There's an error, a message that will pop up for devices that are changing the language.

Todd Schell:
I'm sorry, in 1903. There is no workaround for this right now. The second issue, this is new this month, has to do with systems that are using MIT Kerberos realms and connected into that domain. There is an issue with the connectivity with these. As a result, Microsoft recommends not installing any update, this particular update this month, if you're using that particular MIT Kerberos connectivity. So be aware of that particular issue. Moving on to the next operating system. Actually moving on to Internet Explorer first. There were updates this month for obviously IE 9, 10 and 11. The current supported versions. There are 12 different KB articles depending upon which version is being applied on which operating system. So there are quite a few KB articles associated with Internet Explorer. They did fix four vulnerabilities this month. I did list them here because they're a small set.

Todd Schell:
They had to do with remote code execution and security feature bypass obviously does require a browser restart when they're applied. And there is a known issue that's kind of been carried forward from month to month now several times. Basically what's happening is after you apply the update, WSUS may still tell you, even though you're running Explorer 11, it may tell you that you should apply an Explorer 10 update to your system. So it seems to be a detection issue as far as the patch goes in their detection logic. So they are telling you that no, it is properly patched. Because you've gone through and done the IE 11 update, just be aware of that. You may get this message saying, Hey, you should apply this other update as well. Again, it has been carried forward now for I think three months. So be aware that Microsoft is working on a resolution for this, but they don't have one just yet.

Todd Schell:
Moving back to our Legacy operating systems, we'll start with Server 2008. They did address 35 vulnerabilities this month, large number of vulnerabilities. And in this monthly roll up there are also the two IE 9, two of the IE 9 vulnerabilities are addressed. Because IE 9 is the only supported version on Server 2008. Also note this month kind of rare. There were no CVEs that were reported, exploited or publicly disclosed. Been a long, long time since we've seen that. So kind of be aware that we don't have any really hot issues right now. Although Chris did talk about the two CVEs related to remote desktop services, which you want to definitely get taken care of. Lot of different impacts this month. Five different things here. All the way from remote code execution through information disclosure. 

Todd Schell:
Server 2008 in particular here has that PXE Boot issue that was talked about back under Windows 10. In addition to the monthly roll up, Microsoft did release a security only update for Server 2008 as well. It includes only specifically the 35 security vulnerabilities. We talk about this every month, but basically for every one of the Legacy operating systems, there's a monthly roll-up, which includes a cumulative set of updates from all the way back to October of 2016. Whereas the security only updates include just those updates that were released in the last month specifically for security vulnerabilities. The monthly roll-up includes not only performance enhancements but the security updates as well. So depending upon what your patching methodology is, if you want to bring your system up to date with all the latest stuff, apply the monthly roll up. 

Todd Schell:
If you're more concerned about impacting the applications, maybe you have some Legacy applications that are sensitive to operating system updates. You may want to just methodically apply the security only updates each month. So once again, it comes down to your patching methodology, but be aware that there are two releases each month for these Legacy systems and we break them out as separate patches as well. There was an update for Windows 7 and Server 2008 R2. Very similar set of vulnerabilities. They did fix 38. The monthly roll-up does include all four of the IE updates because you can run all three versions, excuse me, of IE on those. There was a security only update as well, for Windows 7 and Server 2008 R2. Same set of new vulnerabilities that included this month. There are some known issues with these that we'll cover here.

Todd Schell:
On both of these, both the monthly roll up and the security only version. There is the PXE reboot issue we've talked about repeatedly. There is also an issue with IA64-based devices. I did include, there's the error message that Microsoft provided in the bullets. These are actually three separate lines here. There's file, status and info. I apologize, I had to squeeze them in here on the slide, but I wanted to include the information. So if you see that information, you'll know that you have this particular problem. There is a fix for this out there, actually. They did release another kb to take care of this. So be aware of this. You can apply this 4474419 and then restart your machine. So just be aware of that. I saw earlier also in the Q&A, in chat sessions, people talking about the issues with Symantec and Norton Antivirus having problems on certain operating systems. 

Todd Schell:
In particular, this shows up here for Windows 7 and Server 2008 R2. The issue has to do with the fact that they've changed the signing methodology to these SHA2 certificates and they're not being properly identified down at the end points. So I didn't include it here because I ran out of room, but if you go to the KB articles for this release here, 4512506 and 486 there's also an additional link in there that goes back to the Symantec website that talks about workarounds and things you can do there as well. So be aware of that. I think Brian was also taking a look and answering some of those questions over there in the Q&A. Moving on to Server 2012. Same set of vulnerabilities were addressed here. Kind of the same thing as far as the Internet Explorer updates as well. Server 2012 had two issues, the file rename issue and the PXE Boot.

Todd Schell:
Like I said, these are kind of prevalent across all the operating systems. So we're going to hope that Microsoft gives them some priority and gets these resolved quickly. There was also a security only update for Server 2012 same vulnerabilities. Again, just those vulnerabilities, the 38, this month and the known issues again with the file rename and the PXE Boot. And finally the last of our Legacy operating systems. We have the monthly roll-up for Windows 8.1 and Server 2012 R2. I mention this every month too, for those of you who are new to the webinar, the reason these are lumped together, this 8.1 and Server 2012 R2, is because they use the same operating system kernel and the updates apply equally to both of those. So they're bundled together in the release. They addressed 39 vulnerabilities this month on these particular operating systems.

Todd Schell:
Again, file rename, PXE reboot issue here. And finally the security only update for this as well. Again, all of these are under a separate kb article. Moving off of the operating systems. We did have updates from Microsoft Office this month. They were rated critical. Typically you'll see these from Microsoft as important. But this monthly wasn't critical because of one of the particular vulnerabilities, the CVE-2019-1201. Although it's not publicly disclosed or anything and I have not highlighted it red like I usually do here. It did get some special attention because it does allow remote code execution. So be aware of that one. But anyway, there were nine vulnerabilities addressed across all versions of Office 2010 through 2016. They did release updates for Mac as well. Office 2016 and 2019. There were updates, individual updates for Outlook and Word as well. 

Todd Schell:
Again, this in general, the Microsoft Office suite for the typical on-premise installation as well as the individual standalone applications. Of course, Microsoft updated their Office 365 Pro Plus and Office 2019, which are their software as a service version. So you do get the latest updates every month automatically online with their click to run methodology. They did address six vulnerabilities this month, including that CVE-2019-1201 that I mentioned earlier. So it was rated critical as well. So you want to make sure that you get your latest office updates. And finally like Chris mentioned, it was a very light month so we didn't see a lot of stuff outside of the base operating systems, but there was an update for SharePoint server this month. 

Todd Schell:
It also addresses that particular 1201 vulnerability. Primarily they're dealing with a lot of cross site scripting vulnerabilities. So they talk a little bit about that in each one of these with regards to these particular vulnerabilities. They did provide SharePoint updates for 2010 through 2019. So all of the currently supported versions do have an update. There are no known issues actually around this particular update. So that kind of completes the bulletin List for this month. Again, we have all the operating systems. We have the Office updates and SharePoint Server as well. So with that, Chris, I will turn it back over to you and you can talk a little bit about what's happened between our patch Tuesdays.

Chris Goettl:
All right, thanks Todd. So as I mentioned before, there were five weeks between July and August Patch Tuesday this year. So we do have quite a lineup of security updates that came out. So this is actually more of what, aside from the Microsoft updates, which are all critical this month and have a couple of nasty vulnerabilities, this is a lot more of what you need to take a look at and make sure that you're addressing from a security vulnerability perspective. Come on, there we go. Advancing again, sorry. The first one here is a set from Apple iTunes. There were 18 vulnerabilities resolved across a couple of updates here for iCloud. There's also the iTunes update here. So again, 18 vulnerabilities between those, make sure that you get those updated. Camtasia had an update for 2018.0.8, which resolved six vulnerabilities. 

Chris Goettl:
Chrome, this is actually across three updates that they did between Patch Tuesdays. We've kind of lumped them all together here and just put down that if you get the latest version of Chrome, there's 20 vulnerabilities that have been released since pre July Patch Tuesday till now. So 20 vulnerabilities resolved with the latest Chrome update. Out of that series of three that released there. Corretto. This is basically the kind of wrapped version of the OpenJDK that is most popular out there. So JDK, OpenJDK, is just a collection of binaries, but a lot of vendors will tend to take those binaries and wrap them together to deliver a more clean installation of them. So Corretto had 10 vulnerabilities resolved in that release. The Amazon Corretto update also 10 vulnerabilities resolved there. 

Chris Goettl:
So again, if you're using OpenJDK, the Corretto version there, that's probably the most widely distributed version of OpenJDK. Make sure to get that updated to resolve those. Java 8 did have an update that resolved 10 vulnerabilities. The JDK 11 also had an update resolving 10 vulnerabilities. So if you are switching over to JDK 11 as most companies have done at this point, this is where things kind of shift over to what we talked about before with those development binaries. You could update the JDK with an update. That update makes it so that those vulnerabilities are plugged there. And then your development team has to basically run a new build and deploy it to update the application for all versions in the field. 'Cause there's no longer a JRE to update on the endpoint where the application is running. 

Chris Goettl:
Now it's all baked into the application and done at run time or at build time. So if you're running Java 11 applications, then your development team needs to do the JDK update or you can do the JDK update from Ivanti products as well. Once the development environment is updated, they run a new build to resolve the software vulnerabilities in your applications. JDK 8. For those of you that are still under agreements to run the older version of the JDK, you can also update that one, 10 vulnerabilities resolved there. VirtualBox had a couple of releases resolving 14 vulnerabilities each. TortoiseSVN fixed three vulnerabilities there. It's hard to see that down below there. Normally I have two monitors. I apologize. 

Chris Goettl:
The screen wasn't set up very well for today. Snagit had updates for several versions there. One vulnerability resolved. Wireshark also resolved one vulnerability. So that wraps up our updates for the month. Now I know that a number of questions had come through already and some of them already have responses here. So we're going to go through and we're going to field a couple more and talk about the ones that I think everybody will want some responses on. So one of the ones that came up, and I don't know how well we addressed it yet, but there was a link in here before about the Symantec issue. Let me pull that link up real quick. And Brian, I don't know if you had already responded to that one yet. I haven't been able to get in here yet.

Brian:
Yeah, that's all right. I already responded to it. I mentioned. Yeah, it does affect Windows 7, 2008 R2. On the Symantec article, the big line that kind of came up for me was updates that are only SHA2 signed are not visible as an available download when certain versions of Symantec Endpoint Protection are installed. So I'm unsure how that affects kind of our third party patching solution. But I'm going to do a little bit more research on that. But you may not have any issue because it may be related to the WSUS API and how that downloads them. I'm not sure at this moment. But either way, just run it through your test group and just make sure your Symantec stuff's up to date before you do this. I mean it's kind of the best advice I can give at the moment.

Chris Goettl:
Yeah. In a case like this, normally this type of issue doesn't affect Ivanti products because we're not utilizing the WSUS infrastructure. There's a lot of patch vendors out there that basically are just an overlay for WSUS; those products would be affected. Ours typically are not. The fact that our support team hasn't bubbled any of this up through the normal support channels yet leads me to believe that in this case, I think Brian's right. We're not going to see an issue with Ivanti products on this. For those of you on SCCM or WSUS, that could be a problem there or just doing regular Windows Update. So but yeah, we'll have to try to see if we can get more details about that. If we do identify an issue with any Ivanti products affected by that as well, we'll get our support team to post a KB about that.

Brian:
There was a question as to whether other remote desktop applications such as TeamViewer, remote access applications are vulnerable to the CVEs mentioned, the wormable ones. BlueKeep almost. No, those shouldn't be. It's anything that just has the use of the RDP protocol. So you should be good. I mean those that use, for example, Remote Desktop Manager or things like that. Yes. The client isn't necessarily vulnerable but the underlying service is. So just yeah, get that out as soon as possible. I mean concerning this affects Windows 10. The impact could be a lot larger if this gets exploited. Nothing else really outside of that. Other, there was one question: when does Ivanti update their patch XMLs for latest updates? We try to release them the day of. We're pretty consistent on that. I'm central time here, so we try to get it out probably within those first 10 hours. We were pretty quick this time. I think our release code showed about 4:30. Had our back. But it just kind of depends if we run into any issues, et cetera around that.

Todd Schell:
Yeah. The one thing I should mention on that, Brian, too, is the timing of some of this. A lot of times Microsoft may not post some of the updates even though they'll post the bulletin information. So timing on this is kind of interesting sometimes in that it may seem that we're delayed in posting things for some reason, but actually maybe the Office updates, for example, won't be posted until 12 or 14 hours later. And obviously once we start, we have a time required to get it out.

Brian:
Yeah. That's a very good point. Because a lot of times, I'll use Office 365 as an example. Microsoft releases kind of the KBs for it, but sometimes the Microsoft CDNs might not update for 12 to 24 hours. So that is a really valid point.

Todd Schell:
Yup. One other thing I saw in the questions and answers, some people mentioned that they were seeing the black screen issue on other operating systems. I'm sure Microsoft has some kind of a threshold after they get so many reports of a given issue before they will actually roll it into a given bulletin. A lot of times some of these issues like a black screen issue in particular may be very environmental and very specific to certain environments. Maybe it has to do with some application you may be running that maybe Microsoft is not testing with. So a lot of variations in here. But I think in general the things that Microsoft brings up are fairly widespread to some degree. So they are pretty common problems that you may as a whole run into. Just want to point that out from a perspective issue. 

Chris Goettl:
Yeah, there's a couple of product-specific questions that I'll take care of real quick here. And then I think we're pretty much wrapped up for this go around. One of them was from Elgon. The question was around our CVE import feature that we have in each of our products. For the Patch for SCCM plugin, right now that feature covers just the third party updates. So Elgon, we do have plans to come back around and extend that to the Microsoft updates within SCCM at some point, but that one does require us to do, today the plugin doesn't have to cross over into Microsoft patches. That one's going to require us to do a mapping into the Microsoft side and publish directly into the Microsoft side of the catalog. So that one is going to require us to do some additional work. That's why it's not done yet. 

Chris Goettl:
But for EPM and for Security Controls, we can publish both the Microsoft and third-parties today because both sides are operated by our technology. So yup. I'm not sure of a timeframe on that yet, Elgon. The next release we've got coming up for Patch for SCCM is going to be coming out on or just before the Microsoft Ignite show, and it's going to be focused around publishing as well, but it's going to be around publishing based off of the SCCM inventory. So you'd be able to basically go into an experience where it's going to go look at your inventory across your environment and suggest the updates that you should be publishing based on what is already known about your environment. So another way of identifying and making it easier to publish third-party updates. Again, we've got to come back around and extend that into the Microsoft side of the catalog to round that out as well. 

Chris Goettl:
The other question looked like it was more of an agent-specific issue. So Jerry, you had a question around scan date versus check-in date for the agents not matching up. That's something where we would probably have to get more specific details. I'd suggest opening a support case on that one. Hard to say what might be causing that offhand. Typically, when a patch scan occurs, the check-in happens at the same time. But there can be cases where check-in may have happened at a different time than that. So they might not be lining up. So, depending on which product you're on, there are things that could cause that. There are few cases where that may not be identical. Any other questions you guys are seeing here that we want to take a look at? 

Brian:
Not particularly. I'm not seeing anything particularly. I think we should be good. 

Chris Goettl:
Okay. All right. Thanks everyone and apologies for the audio quality this time around. Again, I'm on a hotel Wi-Fi in South Africa, unfortunately this time. So my audio is not quite as good as it has been in previous webinars. But next month I should be back at my desk and doing it from there. So it should be good there. Thanks for joining us this month and we'll talk to you soon. Thanks.