February Patch Tuesday 2019

February 13, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris: Good morning everyone. My name is Chris Goettl and I'm joined here this morning by Todd Schell as well. Good morning, Todd.

Todd: Hi Chris. You all ready for Valentine's Day?

Chris: Oh yeah, absolutely. Is that tomorrow already? Oh, jeez.

Todd: Yeah, can you believe it?

Chris: Yeah, I need to decide what I'm gonna do tomorrow, yeah. Thanks for the reminder. So, we're gonna get started here. We're gonna go through and talk about a few different things, but before we get started, couple housekeeping items. One, if you do have any questions or anything, feel free to post those into the Q&A section and we'll try to respond to them as best we can throughout the presentation.

We're also joined by Erica who is the logistical genius behind this webinar series. She'll be assisting with making sure you guys get answers on anything specific to the webinar, any URLs and things she'll be posting to the chat so everybody gets those as we go through them as well. And then we also have Brian from our content team who answers a lot of the technical questions as we go throughout the webinar.

So as you're posting, they will be actively responding to any questions that you have throughout. At the end, we will have some time for some more Q&A. I am getting over a...I had a flu not too long ago here, and I do still have a cough. So if I suddenly need to mute, I apologize. We'll try to keep that to a minimum, though. All right, on that note, we'll go ahead and get started.

So for those of you who may not have caught December or January, this year, we…you know, again, Erica takes very good care of us. She was able to work with the team, the marketing team here and get us a one-click sign up for all 12 2019 Patch Tuesday sessions. Now, two down, if you haven't already signed up for the other 10, you can still go to this URL and sign up for the remaining 10 Patch Tuesday webinars this year all in a single click. So that's a nice convenient thing to be able to not have to worry about signing up each month.

All right, we are gonna go through February Patch Tuesday, the quick overview of what came out. We're gonna talk about some different news related articles. We're gonna get into a little bit of detail around some of the known issues, public disclosures, exploited vulnerabilities of this month, and then we'll jump into…Todd is gonna walk us through bulletin by bulletin and get into details about known issues and things to look out for prioritization and such. And then again, we'll wrap at the end with some additional Q&A follow up.

All right, so starting out yesterday by the time we were turning out our normal Patch Tuesday blog post and content, we had two updates specifically from Adobe that we were really concerned about, and then Microsoft with 17 updates. There is one actively exploited zero day on the Microsoft side, and several public disclosures that we're gonna talk about here in just a moment.

Now, there was a latecomer to the party last night, later in the evening and by later, I mean like it was after 6:00 PM I believe. Mozilla released Firefox as well. So we do have a browser update with security…with CVEs being resolved that did release late in the day. So it wasn't captured in the blog post or the content we put out, because it happened several hours later.

Kicking off with a little bit of news, first one that we’re gonna talk about, you guys may have heard about this guy already. But this set of exploits called…that has been dubbed PrivExchange. The security researcher, Dirk-jan Mollema, posted an article writing up the details on different ways that you can abuse Exchange privileges. So he documented several different things, and this was a collection of work that others had done that he took together and kind of pieced together several different concerns. And then he also created some proof of concept tools, this Python tool allows somebody to actually see how to exploit two specific scenarios.

So he was combining several known vulnerabilities in new ways here. In this case, it was kind of three main components that he was able to abuse to be able to perform these two proof of concept exploits. The first one is that Exchange servers have…you know, he's arguing that it had too high of privileges, and this prompted Microsoft to take some action there, which we'll talk about. Also, the NTLM authentication between Exchange and NTLM is vulnerable to relay attacks. So he was also able to perform man-in-the-middle attack there, and then Exchange had certain features which made authentication to an attacker with a computer account of the Exchange server. So the attacker could get any Exchange account for that Exchange server, and with that, they were able to perform another variation of a man-in-the-middle attack to gain access to other people's mailboxes.

So he goes through and he talks about all the different negotiations, the different components as they're, you know, interacting with each other and where the attacker could take advantage of those and perform those man-in-the-middle attacks. So this is kind of…all have been happening in January leading up to this that actually some research even from last year pointing out some of these issues. But he really kind of pulled it together. January 29, this ZDNet article ran talking about the PrivExchange zero-day flaws that existed there. And again, kind of rehashing the specific issues that were leading up to a couple of real world samples of how to exploit them through Mollema's sample Python tool.

Microsoft on February 5th released this advisory so giving guidance for PrivExchange elevation of privilege vulnerabilities. It described how to basically disable the EWS max subscriptions so that one of these variations of exploits could basically not be executed because the authentication mechanism that they were taking advantage of could be disabled. So it may limit functionality, but at least it could block one of the types of potential attacks. And that brought us to the public disclosures which actually released which I'll talk about here in a little bit more depth in just a moment.

The next advisory that Microsoft put out this month was about a type of attack called unconstrained delegation. So this Advisory 190006 talks about how to prevent this type of exploit from being successful, and goes down to link to a KB article that shows how to update your TGT delegation across different forests to be able to do that. So let's talk about that vulnerability real quick here.

So first of all, just kind of at a high level, what is unconstrained delegation? This is when a service can require a copy of your TGT to act on your behalf when authenticating to other services. So basically, you've got two forests, active directory forests, one of them is a trusted forest, the other one is untrusted. What's being abused here is the ability to make a request from an untrusted forest into a trusted forest, and to be granted authorization in that type of a circumstance.

So there are some guidance here on how to test if TGT delegation is enabled within your environment, and then also how to disable that TGT delegation. So Microsoft's advice here is, you know, to basically go and disable that type of delegation from being possible across forests, and this would basically block that type of attack from being successful, basically preventing somebody from trying to abuse authorization across those different trust domains.

So that's an advisory that also came out that you'll want to take a look at. The deeper guidance here, Microsoft goes on to summarize how to validate this and turn it off again in a little bit more detail. Basically, you know, a forest trust provides a secure way for resources in an AD forest to trust identities from another forest. That trust is directional, and, you know, a trusted forest can authenticate users to the trusting forest without allowing the reverse to occur.

So that's…you know, this feature enables administrators to configure a trusted forest to delegate or deny, ticket-granting tickets to services in the forest. So with that delegation service on, again, the attacker could abuse this, validating and turning that off will mitigate the risks for that being it will be exploited. Now, they are looking at update timelines here, the enforcement for forest boundaries for Kerberos full delegation will be available as an update to enable this feature on all supported versions of Windows servers. The update will add features to the following systems, so that's all coming in the March 12 timeframe.

As part of the May update, it looks like they're changing the default of that enable TGT delegation flag to set it to “No” by default, so it will be disabled by default as of May. And then in July, there will be an update that will enforce the new flag on existing incoming trust so that the enabled TGT delegation flag will be ignored from that point forward. So they've got a timeline here, a progression of where they're going to be doing different steps to try to mitigate this and eliminate the issue going forward. But until then, they are recommending to go out and validate if enable TGT delegation is turned on. And if it is, to go ahead and turn that off until those fixes are in place at which time that flag will no longer be utilized, it will do things differently.

All right. Last bit of news that we wanted to cover today, getting back to my presentation, that's the wrong one, here we go. So, many of you might be aware that we run a service called patchmanagement.org. This is something dating back many years to our legacy Shavlik brand, but we've continued to run this Listserv as Ivanti. And basically, it's supposed to be a vendor agnostic forum for administrators like yourselves to discuss patch related issues.

We've been aware for some time that more and more organizations have been challenged with being able to continue to use the Listserv service because of its technology limitations. So one thing that it specifically does not support is DMARC. So for those of you who have implemented DMARC and have issues with emailing through that service because of its limitation of not supporting DMARC, we're aware of that and we've been working on an alternative solution. So we are planning a move from Listserv to Google Groups for patchmanagement.org.

So for those of you who are unaware, let me just kinda give you a quick rundown of what patchmanagement.org is. Today, it's just a simple page you go out to, you can subscribe to the patchmanagement.org mailing list. And from that mailing list, you can participate and see discussions between…this Listserv has thousands of members. A good chunk of them are not Ivanti customers as well, they're not using our own patching technologies, they might be using WSUS or SCCM or even some of our competitors for their patching technology. But at the end of the day, you all have similar patching challenges when it comes to actually deploying patches, you know, different things like that.

So today, that's using Listserv, which is an aging technology, one that we're trying to get away from, and we are going to be moving that over to Google Groups. And when we do that transition, the patchmanagement.org page is gonna get just a light facelift. It'll be a little bit more simplified, you'll be able to join the group, you'll see all the different ways to be able to interact with it including subscribing to the RSS feed option, going straight to the Google Group itself so you can view discussions that have been happening out there. So that's a change that's gonna be coming here shortly.

We're going to be doing a series of communications around this. There will be an initial communication going out to say that the transition is beginning, how to get subscribed to the new one, and the timeframe at which we will fully cut over to the Google Group communication model. So just to give you a heads up but that is coming, we'll have more communication on that as we get closer.

All right, so we're gonna get in and talk about some of the exploited and publicly disclosed vulnerabilities next, and then we'll jump into the bulletins. So the first CVE that we wanna talk about, this one is actively being exploited today. CVE-2019-0676, it's a vulnerability in Internet Explorer that could allow for information disclosure. So this disclosure exists when Internet Explorer improperly handles objects in memory. Excuse me. An attacker who successfully exploits could test for the presence of files on disk. So a similar vulnerability was resolved at the OS level as well where an attacker could use a similar vulnerability method to be able to view files on disk just by interacting with the Windows OS as well, but this one allows for this attack to be used in a variety of different ways including, you know, persuading somebody to go to a malicious website where they could exploit that and then, you know, check for certain files on disk.

But what this allows an attacker to do is obviously not take over the system or get certain privileges, but they could validate certain files on the system and identify what types of attacks may allow them to go further and actually compromise that system. And this one again has been detected in the wild being used. So IE updates this month, definitely wanna get that in place so that you plug that information disclosure vulnerability.

This one hasn't been detected as being exploited, but this is the Windows variation of this. So this vulnerability as they were investigating this, I'm guessing that they found other ways that it can be exploited as they were researching and resolving the issue. In this case, this is how Windows is improperly disclosing information which again could allow the attacker to read the contents of files on disk.

In this case, this particular one, an attacker would have to log on to the system to be able to run a specially crafted file to further compromise that system where the IE vulnerability allows them to exploit it as, you know, a user targeted attack where all they need to do is convince the user to go to a website to be able to exploit it. So next vulnerability, this is where we'll get into PrivExchange now, CVE-2019-0686.

Now, as you read articles like ZDNet and all the other writers who have written this up, they are speaking of this as a zero-day. Yes, technically, it is a zero-day vulnerability but it was not at the time actively being exploited. So in Microsoft terms, they flagged this as publicly disclosed, meaning enough information or proof of concept code is available to the public to make an attack fairly imminent. So that's why public disclosures are a concern we look for a reason why you wanna prioritize these things sooner.

In this case, this is the vulnerability that could allow an attacker to gain equal rights to any other user of the Exchange server. So this could allow the attacker to perform a man-in-the-middle attack that would give them access to somebody else's mailbox within that organization. So if they get access to one user's mailbox from there, they can use this to compromise and get access to other users’ mailboxes.

In this case, the two things have to be enabled for this attack to be successful, Exchange Web Services, EWS, and the push notifications. If these two things are enabled, the attacker in that environment could then perform that man-in-the-middle attack. The second Exchange vulnerability is where NTLM comes into play. So, this one is an elevation of privilege vulnerability that exists in the Exchange server and allows the attacker to gain equal rights as a domain administrator on a domain controller at that point. So what they're able to do is, again, if Exchange Web Services and push notifications are enabled, they can perform man-in-the-middle attack which allows them to forward an authentication request to an AD domain controller within that environment. And in doing so, they can gain full admin rights to that domain controller. So this one, you know, definitely has some very significant ramifications at that point.

So this one also goes a little bit deeper, they've got a KB article that does get into more detail about. So you remember of Mollema's comments about Exchange having too many privileges within its configuration. Microsoft recognized that as they evaluated, they identified different levels of permissions that they were able to reduce and still keep Exchange functioning perfectly.

So depending on what version of Exchange you're running, different levels of permissions changes will occur when you apply the Exchange update this month. So if you're on Exchange 2016 or later, the AdminSDHolder object will be updated to the allow ACE that grants Exchange trusted subsystems group the Write DACL permission on the group inherited object types, that's a mouthful.

So that's the level of permissions that are gonna change if you're running on 2016 or above. If you're on 2013, this is the level of change that they're going to be applying there. If you are running Exchange Server 2010, the patch itself will not make any changes to permissions. What you need to do is after applying the patch, you need to start this LDP tool and go through and make the necessary permissions changes to fully implement the prescribed guidance that Microsoft has released for Exchange this month.

So there is a patch for all versions of Exchange which address many of the issues with EWS and push notifications to prevent those types of man-in-the-middle attacks, but there is also some privilege changes that if you're on 2013 and above will be implemented as you update the patch. If you're on 2010, you need to manually make those changes. So that's the big thing with the Exchange updates this month is making sure that you understand what version you're on, and any additional manual steps you need to take.

All right, we talked about that one, we talked about that one, and we’ve talked about that one, all right. Last thing here, you know, just to let people know that we've expanded our coverage…oh, we'll come back and talk about that in a second. Let me go through some other update related items this month.

For those of you who have seen this before, Microsoft has done another update for the servicing stack updates for certain Windows 10 editions. And there's a couple of things that we wanted to note for you. You know, for those of you who are still running the Windows 10 version 1607 or the Server 2016 branch, there is a servicing stack update this month. There was also one from back in May 2018. So patches last year had already started enforcing requiring this service stack update or you would not be able to apply the monthly updates until you had done so.

So if you've either done the May servicing stack or February, this month's servicing stack update for 1607, that prerequisite is met and you'll be able to push additional Microsoft updates to it. This month, Microsoft has implemented a prerequisite for branch 1703. If you are on branch 1703, you either need to have applied the January 2019 servicing stack update or the most recent February's servicing stack update. If you have not done one or the other of that, Windows 10 1703 updates will not be able to apply and that was just implemented this month. So that was some known issues identified by our content team. Brian and the team were able to flush those out so that we knew that they existed there.

All right, they do have a servicing stack update for branch 1709 and for 1803 that released this month as well. We do recommend getting those tested and put in place before they come around and implement a prerequisite check for those branches as well, which would then prevent any updates from applying if you have not done those servicing stack updates.

All right, there were updates this month for Visual Studio versions 2017 and 2017 15.9, also there was an update for Team Foundation Server 2018 version 3.2. And for those of you who are running any of these development binaries, ChakraCore, .NET Core or the Azure IoT Java SDK, these are components that don't have a "patch package" to be able to deploy. A readily available, just click here, it’s gonna run and do that. These types of binaries are vulnerable. They do have security updates that were made, but this requires developer interaction.

So your DevOps team within your organization, if they are integrating any types of components like this and don't confuse .NET framework with .NET Core, two totally different things. .NET Core is a development binary, .NET Framework is an application that can be updated. But any of these that are implemented in your environment, that development team has to take the new binary as they become available and integrate those into your product and push to production. So we bring that up just to make sure people are aware these did have updates, there were security vulnerabilities relating to them, but you need to make those teams aware that they have to take action. It's not something that you as the patch administrator will be able to do.

All right. Windows 10 lifecycle. We again just kind of bring this up just so people are aware, April 9 is our next big window here. We've got the upcoming end of service for Home Pro and Pro for Workstation editions of branch 1709 on April 9, and then branch 1607 is coming up on its end of service for Enterprise and Education editions as well. So that's the next window that we're gonna hit there. Make sure that if you're running either of those branches on those editions that you're finalizing any rollouts to get those up to a supported branch before we hit the end of service day.

Our weekly patch blog, this is something that we've been doing...we started this up last year, we're still trying to, you know, keep awareness up for that, make sure people are aware of this type of information. Just to give you an example, and this is something that Brian who's joining us from our content team, he's doing these on a weekly basis. It's summarizing what non-Microsoft updates are coming out on a regular basis. It's talking about other issues like as PrivExchange as that advisory went out, you know, he was talking about that advisory as that information was, you know, going out to the public.

So, this is something that happens on a weekly basis and does pass along similar information to what we do in the Patch Tuesday webinar. So, if that's of interest to you, you can get to it from our Ivanti blog if you go to...oh, that’s the Patch Tuesday page, sorry. Blog, Patch Tuesday, you'll see that you've got each week summarized in there and you can see the details on each of those. So good information, a lot of good stuff in there, we're just again trying to make sure people are aware that that's constantly being updated. All right, Todd.

Todd: Hey Chris.

Chris: You're up.

Todd: All right, thanks. Let's go through the bulletin this month and see what all was released. We'll start with the update, Chris mentioned an update came out for security Adobe Acrobat and Reader, and major number of vulnerabilities addressed this month, 71, so take a look at this. You know, and very important from a point that there were a lot of vulnerabilities in here that were critical around this remote code execution, the ability for, you know, attackers to run things remotely on your system through these vulnerabilities. So make sure you do, you know, update Adobe Acrobat and Reader, once again, a heavily used application in almost everybody's environment these days especially Reader.

Moving on to Windows 10, of course, you know, Microsoft's flagship operating system these days, sorry about that, updates were released for all the versions from 1607 through the latest, of course, Server, you know, 2019. So be aware of that, that these Windows 10 updates also include updates for IE 11 and Microsoft Edge so they are updating the latest browsers as part of these packages. A total of 52 vulnerabilities this month, large number, much more than we've seen over like the past six months or so. Chris talked about, you know, the IE vulnerability zero-day which is 676 there, have it highlighted in red. One should be aware of that one and also the other one 636 which is just publicly disclosed. Too many vulnerabilities to list here on this slide, but there are 52 so go in and take a look at those if you're interested in that.

There are a number of known issues this month reported for Windows 10, 1607 and Server 2016 in particular had a number of issues reported, I want you to be aware of these. Chris mentioned obviously on that Windows 10 lifecycle slide, 1607 is approaching its end of life in April here, and I think a lot of these vulnerabilities are surfacing because of, you know, the weaknesses that are now showing up in that operating system.

This particular issue, you're going to see across a group of our products today, there's a problem with virtual machines running and the way that they work with this particular release, so be aware of this. There is a workaround that Microsoft has provided. They highly recommend in multiple places that you take a look at their best practices with regards to handling this particular issue so just be aware of that one. Second issue is on specific to Lenovo laptops that have limited memory available, they have a workaround identified here on how to restart the machine and disable a few things, just particularly double check the way BitLocker is set up for recovery in your system. Microsoft says that they're working with Lenovo on this one to resolve and should have something here soon.

And finally, the last one for 1607 here on this particular page, we saw this one last month, this is a carryover, getting an error around group policies, has to do with the length of the policies and they're telling you to basically, you know, set down your policies for your minimum password length to less than 14 characters. Microsoft says they're working on a resolution for this one as well.

There was also another reported issue around version 1803, has to do with being able to pin things, pin a link on your start menu or Taskbar. No workaround right now, but Microsoft is still working on a resolution for this one. Number of reported issues are way down for Windows 10, I think for those of you that were on the call last month, I had like five slides worth of issues. So it appears that a lot of the updates that came out this month have addressed all of those problems. One of the big ones had to do with connecting to a hotspot if you remember that. So very important that you push out these Windows 10 updates this month and get your systems up-to-date.

And in particular, think hard about 1607 because as we saw on that lifecycle slide, two more months. Basically, April will be the last release for all 1607, no updates after that. And you should start thinking about moving over to some of the later operating systems. In particular, you should move to the latest version 1809 because of all the update improvements that they've made in that particular process. We've talked about that, the LCD updates that they've implemented, the cumulative updates, LCU, I'm sorry, so that those updates are much smaller and much faster to install. So if you're looking to move up the Windows 10 chain, I would definitely recommend that you move to the latest version.

Moving on, taking a look at Internet Explorer this month, there were updates for 9, 10, and 11 releases, total of 11 different KB articles depending upon, you know, what operating systems you're running. There were three vulnerabilities reported in particular that zero-day 0676 once again, so make sure that you do apply the Internet Explorer updates this month if you’re just running that browser yet.

Moving on to the legacy operating systems, we'll start with the oldest one, Server 2008. Keep in mind, you know, before I dig into this one that there have been a number of articles out on the Microsoft sites and others talking about the end of life of Windows 7 and Server 2008 and 2008 R2. All those will come to end of life, end of support at the same time next January, not too far away, something to start thinking about for these older operating systems. Microsoft has talked about how they're going to provide extended support for these. Obviously, pricing has been released, it's not cheap. I think it starts at $50 in endpoint and second year, it goes to 130 or it goes to 200, something like that. So be aware of that, it's gonna be pricey. Definitely recommend that you move off of these old operating systems and start that process now.

Anyway, jumping into the actual updates for 2008 this month, they address 24 vulnerabilities. Chris talked about the Advisory 190006 so be aware of that. They've called that out for all of these older legacy operating systems, so take a look at that and there is that one publicly disclosed vulnerability, 0636, as well.

As far as known issues go, I talked about that there is a known virtual machine issue about failing to restore successfully. Microsoft provides details on this. This is particular to the AMD family of processors for machines, so be aware of that as well. It's obviously a smaller group than, you know, every machine being affected. But if you are running any of these AMD processors, you may run into these particular issues. It does apply…this issue is known for both the monthly rollup and the security only update this month, so just be aware of that. They do provide a workaround as far as just shutting down the virtual machines and restarting them after applying the update and you shouldn't run into this problem.

This is a continuation of Server 2008, same vulnerabilities. I mention this every month, but just for those of you who may be new on the call, on the legacy operating systems, Microsoft releases both a monthly rollup as well as a security-only update. And the monthly rollup is essentially a cumulation of patches that have been applied since essentially, you know, August of 2016, so there is a long number of patches that have been put together in one large update for these operating systems. So that you call that the monthly rollup. So if you are trying to bring a system from an unknown state up to the latest version, you'd obviously want to do that.

For those of you who are doing regular patching month-by-month and are not necessarily interested in all of the updates and you're more interested in just the security updates, Microsoft does release a security-only update each month addressing only the security vulnerabilities associated with the operating system. For example, this month with this particular 2008 update, only those 24 vulnerabilities would be addressed.

So if you are doing the security-only model and using just those updates each month, you wanna make sure that you do it religiously, meaning that every month, you do apply the security-only update because you are not getting any of the previous patches. So just be aware of that, once again, it comes down to, you know, your own patching methodology and what's required within your environment.

A lot of reasons why you want to apply the monthly rollup, for example, you have applications that, you know, may break with some of the older patches or something like that and you only want to apply security updates. So once again, it comes down to your patching methodology and the approach that you're taking. But be aware there are monthly rollups as well as security-only updates for each month.

For Windows 7 this month, they actually address the exact same set of vulnerabilities, again, the 24 shown here. The monthly rollup does include the IE portion as well so when you do apply the monthly rollup, you're getting those three vulnerabilities that I talked about earlier with Internet Explorer. Once again, Windows 7 patches include the Windows 7 itself, Server 2008 R2 and IE.

You'll notice that as far as known issues go this month, we have that same issue with virtual machines that I talked about earlier for 2008. There's also another known issue around the event viewer may not show the event descriptions for the network interface cards. There is no workaround for this right now. Microsoft says they're working on a resolution and they're expecting that out with the March updates, so be aware of that issue as well. The Windows 7 release obviously includes a security-only update as well. Again, the same 24 vulnerabilities that were addressed with the monthly rollup, and the same issues as I said associated with that.

Next bulletin has to do with Server 2012. The monthly rollup this month addresses one additional vulnerability so there are 25 fixed this month. Essentially, there is, you know, kind of the same overlap of all the vulnerabilities that we've been talking about. Again, as Chris talked about, Advisory 190006 applies to this one as well.

For 2012, same set of known issues that we saw earlier for Windows 7 having to do with the virtual machine as well as the event viewer for network interface cards. So be aware of those. Same thing, they’re working on a fix for this for March of 2019. And again, there is a security-only update available as well addressing those same 25 vulnerabilities.

The final legacy operating system is the monthly rollup for Windows 8.1 and Server 2012 R2. This one also addresses 25 vulnerabilities and also the 3 IE vulnerabilities, so a total of 28. Again, the same set basically of vulnerabilities that are being addressed. It does affect a large number of components within the operating system, so very important that you make sure you get these updated as well. This particular one does not have the event viewer and NIC card problem that I talked about earlier, but the VM machine issue still applies once again on those AMD processors and, of course, the security-only version of this as well.

Moving on, there were updates this month for SharePoint Server. They did address all versions going all the way back to 2010 as well as up through the most recent release. This is an update one for the 2019 version of SharePoint Server. They addressed four vulnerabilities this month, and they rated this one as critical as well. So make sure you update your SharePoint Server.

Chris spent a lot of time on Exchange Server this month, and the issues associated with the different vulnerabilities there. Microsoft did release updates for all versions of Exchange Server, 2010 through 2019. Chris talked about this particular KB article around shared permissions earlier but I've included it here as well, once again addressing those two publicly disclosed vulnerabilities, 0686 and 0724. One thing to make a note of, you'll notice that when I looked at these particular KBs yesterday, these particular vulnerabilities around these KBs yesterday, 724 hadn't been actually marked as publicly disclosed by Microsoft. But we're highlighting it here, because the information is out and available now and we know that they'll be changing or updating that as a publicly disclosed vulnerability in their own KB articles.

Digging in a little bit deeper here, there were specific KBs released for each one of the updates they provided yesterday. As I said, 2010 all the way through 2019, interesting. Like you see the number of updates, they’re up to updates 26 for 2010, it’s been around for quite a while obviously. Just to kind of further emphasize, once you've applied this update as Chris said, there are a number of manual things that you need to do as far as setting up and changing the privileges and permissions on that Exchange server so be aware of that. Definitely go back and take a look at this particular KB article for details on that.

There are a couple of interesting things as far as known issues go as well. After you install this update, for example, on Server 2019, the accept button disappears. They give a workaround within the KB articles so go in and take a look at that as far as how to set up your shared calendars. Chris also talked about, you know, the Active Directory forest and setting up the permissions and sharing between those. They did identify that there are some potential issues there as well, they go into more detail in the KB article, so definitely take a look at that. And I already mentioned down below the manual steps for setup required on 2010. So definitely a focus this month on Exchange Server.

Moving away from the critical updates, let's talk briefly about some of what we ranked as the important updates this month and Microsoft as well. Security updates for Microsoft Office, not a lot of updates this month. Normally, you would see a lot of the individual applications being individually updated. This month, they called out Excel, Office, and the Office versions for Mac, so there are updates for those, seven vulnerabilities addressed.

The impact of these are obviously remote code execution and security bypass, Microsoft provides more details in the KBs around the particular vulnerabilities associated with those impacts. So take a look at those if you're interested, but again, an important update this month addressing seven vulnerabilities in Office.

Of course, we continue to get the click-to-run updates from Office 365 and now Office 2019. Be aware that there are essentially two versions of Office 2019 depending upon where you purchased it. They have updates based on retail, so you'll see an Office 2019 Retail, and you'll also see an Office 2019 Volume licensing update as well. So two different updates there, but it does include the exact same updates as far as vulnerabilities that are addressed. This particular month, they addressed six vulnerabilities in those spread across the various applications within the Office Suite.

There was also a .NET update this month. As Chris mentioned, this is for the .NET Framework. So these are the .NET framework that's running on all of the individual endpoints out there. They addressed two vulnerabilities this month that were around remote code execution and spoofing. Provided a little description up here about what they're doing, one of them has to do with the way .NET checks for source markup of a file that could result in remote code execution. The second vulnerability they addressed had to do with URL parsing that would result in, you know, a privileged communication to an untrusted service which was, you know, what they're calling spoofing, so be aware of those two.

There are 11 KB articles. The reason there are 11 is because each one of these .NET Framework updates has its own individual KB article depending on the operating system it’s being applied to. Like the operating system updates, Microsoft provides both a monthly rollup as well as a security-only update. So once again depending upon the technique or the process you're using for updating your systems, each one of these is available and there are only 10 KB articles related to that particular update. Same two vulnerabilities, just be aware of that.

There was an update for Flash Player this month. We didn't see one last month, but we see one this month, came out under Advisory 190003 for Microsoft. Only one vulnerability addressed this month related to an information disclosure. Of course, Adobe does their own update for this as well, they released it under bulletin APSB19-06, the security update for Adobe Flash Player. Same vulnerability addressed because of the importance and, you know, the number of users in the Microsoft system, that's why Microsoft automatically rolls these updates into their own regular Microsoft releases as well.

With that, Chris, I'll turn it back over to you to talk briefly about what happened throughout the month between our last Patch Tuesday and this one.

Chris: Thanks Todd. So, you know, we often talk about what happens in between Patch Tuesdays. The additional updates that come out. That series of weekly patch updates that we're doing on the blog now really focuses in on that as well, but there's a number of products that released outside of Patch Tuesday. Towards the end of January, both Mozilla and Google released browser updates, you know, there's typically additional updates from as you can see here, Apple, CCleaner, Google Chrome, Evernote, Dropbox, Firefox, FileZilla, many of these products include vulnerabilities as well. So this is just to keep you up-to-date on and aware that, you know, these updates are out there and that they did include vulnerabilities that were resolved.

So, you know, the iTunes release that happened, 14 vulnerabilities were resolved there, Apple iCloud, 12 vulnerabilities, Firefox, the release they did towards the end of last month had 7 vulnerabilities there. ESR, similarly, that had three vulnerabilities resolved, and then Thunderbird with 4. Java, the Java updates that came out after the January Patch Tuesday the following week, did fix three vulnerabilities for update 201, update 202 fixed four vulnerabilities. The Java Development Kit also released resolving again three and four vulnerabilities depending on which build you went to.

And then Wireshark had a couple of updates for versions 2.4 and 2.6. So this is just to let you know the information that, you know, we have on the vulnerabilities that were resolved. A lot of customers that I've engaged with use this as a way to better engage with their teams internally and talk about release cadence for, you know, making sure that updates get applied to systems as frequently as possible.

So if that's the case, where you're trying to push for weekly update cadence for especially laptop users who go in and out of the environment very frequently or end users who have some of these applications that are more vulnerable, this is information that can help you make that case that, you know, leaving those updates out there for a long period of time can increase the risk that you're exposed to.

All right, getting into some of the Q&A, there were a few questions about the Exchange update. One of them was around, do those vulnerabilities affect Office 365? So, no, it was only for the on-premise Exchange so that shouldn't be an issue there. There was a recommendation from Mark, I believe, gave this recommendation of, you know, going in and, you know, making those recommended permissions changes to Exchange using the LDP tool. You know, be cautious with that, you're getting in and playing with permissions that could break your Exchange environment for those of you on the 2010 Exchange configuration. So I do definitely agree with Mark on the recommendation of approach with caution to make sure that you're following those steps exactly, and that you validate everything is working correctly afterwards.

Even for those of you on 2013 and later, you're pushing out an update that will change permissions in your Exchange configuration. So in doing so, after you do that update, best to get in and test thoroughly especially any automated tools or, you know, integrations that may be taking or using the Exchange platform as well making sure that all those continue to run just fine.

Let's see, Brian, what do we have? There were a couple of servicing stack questions that came in here, are there any in particular that we want to touch on? It looks like one of them was a question over, are these servicing stack updates cumulative? Go ahead and touch on a few points there.

Brian: Of course. So, yes, in my experience, the servicing stack is cumulative. If you install the latest servicing stack that should work for your prerequisite, etc., you shouldn't need older patches. In our experience, once we install the latest even when we try to manually install the old ones, they do not apply. So you should be good there.

I'm just looking through some of the other questions. One question was, any word when Microsoft will certify 1809 for business use. In our experience, we've seen that when the latest major version comes out, so in this case 1903, they do tend to set the previous one as ready for business. Your best rule of thumb if Microsoft isn’t too clear in documentation is when they stop releasing kind of the TechTalk Cadence that when they stop releasing updates after Patch Tuesday and between Patch Tuesday, that's usually where they feel that stability is good enough.

Some customer did ask any updates on the SMB share issues for Windows 7 and 2008 R2? I did mention that that did get fixed by a non-security fix, KB 4487345. If you do run security-only, you will need that to get this fixed, but if you do run a rollup, that should be included. And see if there's anything else right now. Anything else that you've seen, Chris?

Todd: Let me add one thing real quick Brian. This is Todd. We often get asked, how can we directly install, you know, version changes in Windows 10 going from one release to another directly with the patch products? The reason behind that is a legal reason. When Microsoft is going from one version to another, there is licensing involved with that. As a result, we can't go directly out to their download site and pull them, for example, the latest version of 1809 and provide it to you.

You know, essentially, you have to use your Microsoft licensing credentials to go pull down that ISO and locate it within your environment. And from that point on, most of our products can take that ISO and install it on an endpoint. But that initial download from Microsoft requires, you know, your credentials be used to show that you're authorized to download and use that file.

Brian: Yeah, absolutely. There was one question around, do servicing stack updates automatically apply ahead of other patches? At the moment, it's something that I can't say that I can guarantee. I would recommend doing have a two ways thing, but we have heard you and it's definitely somewhere considering about setting that installer.

Chris: So there was a question about the known issue on Exchange where the services may remain in a disabled state after you install the security update, and if it would affect people who are using any of our particular product lines. So regardless of which one of our Ivanti products you're using or any other product if you're just using Microsoft or even if you apply the patch manually, that known issue can occur. It's something in the patch behavior, not something we have control over. So when it comes to a known issue like that, those are patch level known issues that, you know, we're making you aware of as you do these things and this behavior could occur. It's not something that we unfortunately, you know, would have any control over.

Another known issue that was talked about before with that, the password character length. So let's see, I think that was…which patch was that, Todd? Trying to get to the right one here, but basically, the issue was if you have a minimum password length over 14 characters, you could hit this known issue. If your minimum password length is not over 14 characters, which I'm guessing is probably less common, most people don't have a minimum password length over that length. If your minimum password length is 14 or below, you won't have that issue. But let me try to find it here real quick.

Brian: Yeah, let me see. I’m reading about right there.

Todd: It's Windows 10 1607.

Chris: Yeah. So...

Todd: You know, the KB [crosstalk 00:57:41] is 4467684.

Chris: So yeah, if you're on this platform and your minimum password length is greater than 14 characters, you could hit that cluster service, failing to start with that 2245 error. So again, most of you should not be seeing that. If you do run a minimum password length greater than 14, then it's something you could run into. All right. Let's see, Kenny had a question about how best to handle Office 2019 volume licensing through endpoint manager? Kenny, I'm not sure offhand where you might be able to get that information.

Brian: I can answer that question.

Chris: Oh, thank you Brian.

Brian: Yeah. So within endpoint manager, I'm gonna see if I can find the link real quick, but I'll just rattle it real quick on top of my head. In endpoint manager, kind of the workflow as you use the Office 365 utility allocating LD log on to download the binaries and state, we've updated the O365 utility config file to include the volume licensing CDN URL. So you should see a new entry there to do it. We've also released, and we'll be releasing new [inaudible 00:59:23] that will target the 2019 volume licensing. I believe we released the one from last Patch Tuesday, the new one should be coming out within the next day or two.

Chris: All right, perfect. Thank you, Brian. I did not know that answer offhand. So let's see, I'm looking to see if there is any new or any additional questions here that would probably be good for the full group. But while we're looking through those, I did want to bring up, we do have a couple of events coming up over in Europe. For our customers in India, we do have our Interchange corporate events happening over there. This is gonna be the week of March 11, early bird fee or sign up prices are going to be live until end of day today. So if you did want to try to get that with the early bird pricing, you can still get that using that web code today.

So this event, it's a great way to engage with our product teams, and you'll be able to talk with product managers with some of our lead developers, with our UX and design teams. You get to get hands on with the products, see what things are coming up, you know, with our products in the next year. And it's just a great event to be able to interact with and get very deep technically with the products. So if you're interested in that, the early bird sign up for Madrid is still available today. After that, you can sign up yet, but the price goes up, I think the 50 Euros off will be no longer valid there.

We do have a U.S. version of that event coming up in April, the end of April in Nashville, and early bird pricing is available for that until March 29. Again, it's a great way to be able to interact with our teams and get specific hands on knowledge with the products. So look into that if you have not already, it's a good event to be able to get a lot more detail about that. And even work with Ivanti partners as well, we have I believe 12 plus partners that will be participating in each event as well. Partners who integrate with or enhance our products in some way, complement them, you know, and so on, so a lot of good opportunities there.

All right. Guys, do you see any other questions that we should go through here?

Brian: No in particular, I think we...

Chris: Okay. Most of the ones that I think we needed to cover as well that the full group really needed to see. All right, so thank you for joining us this month. Next month since we'll actually be in Madrid over Patch Tuesday, Erica and I will be doing the Patch Tuesday webinar with a live studio audience. So we're actually coordinating right now getting a room set up there, which will be about 5:00 p.m. on Wednesday. We'll be doing a live version of the Patch Tuesday with some participants in the room there with us, and then Brian and Todd will be joining us remotely as usual.

So, you know, for those of you who are in Europe and attending Interchange, look for that as an opportunity to watch the Patch Tuesday webinar live. All right, thanks everyone and have a great month.

Todd: Thank you. Goodbye.