January Patch Tuesday

January 09, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Staff Quality Assurance Engineer | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris: Good morning, everyone. My name is Chris Goettl and I'm...joining me today is Todd Schell. Todd, how are you doing today?

Todd: I'm doing great, Chris. It's a new year.

Chris: Good. It is a new year. It's, you know, January Patch Tuesday. First Patch Tuesday of the year. You know, it's actually been a...I would say this one is a mild one. So, there's a few things to talk about but definitely the volume of updates we've got, the severity of many of those things are, I would say, lower than we've seen in quite some time so that, I thought, was a positive. So, let's go ahead and go through a couple of things here before we get started.

For those of you who may not have caught the December Patch Tuesday Webinar or may not have seen it yet, for 2019 we have a way for you to sign up for all 12 Patch Tuesday Webinars in a single click. Well, at least 11 of the 12, since we're already on today. So, you guys can go to this link here for the webinar 2019 Patch Tuesday after the webinar today, if you have not signed up for all of them yet. You'll see this link in the follow-up email, as well. But that's just a convenient way for you to sign up for all of those and be able to get it all done in one shot so that you don't have to worry about it for the rest of the year. We have a lot of regular followers and, you know, we know that many of you wanted to make it easier to get those so you don't miss a sign up or forget about it at some point.

So, a little convenience there to get you signed up for the full webinar series for 2019. And, it seems to be working quite well. We had several hundred already signed up for everything, all in one shot. So, it does look like people definitely appreciated that. All right. So, we're gonna go through and talk a little bit about January Patch Tuesday, give you a general overview of what's all coming out. We're gonna talk a bit about some recent news, some things to watch out for, some things that are happening, cybersecurity and patch-related. We're gonna go into a bulletin by bulletin break down of the January Patch Tuesday and then we'll wrap up with some Q&A where we can go into more detail on specific areas that you might be concerned about.

All right. So, as we're going through, if you do have any questions, go ahead and post them in the Q&A section and we'll be happy, we'll be responding to those throughout the presentation as well. But, we'll be happy to try to respond to that before the end of the webinar. We've got several people, on the line with us, helping to support answering those questions.

All right, so for updates this month we've got Microsoft... Microsoft did release 17 different distinct updates that we're gonna be going through. Only one of those was actually rated as critical. The Adobe update this month for Flash Player actually had no security vulnerabilities at all. So, that was kind of an interesting one from Adobe, the fact that there's no CVEs in the Adobe Flash Player update that came out. Now, if you've been following our weekly Patch Digest, we did talk last week about Adobe did release Acrobat Reader and Acrobat last week. And that one did include two critical vulnerabilities that were resolved. So that rate of...or rate behind the December update which had 87 CVEs resolved. You definitely wanna make sure that if you have not already, that you go ahead and make sure that Adobe Reader and Acrobat are in your update list this month. Flash Player may not have been a security update in yesterday's release but they did have two Zero-Day Vulnerabilities that were released before November 20th and December 5th leading up to the December Patch Tuesday.

So, if you did not catch that or if you had an IT freeze in December, make sure that those two get done for that reason because there were some Zero Days and a lot of security vulnerabilities before January. But for January, if you were already caught up, it's a pretty lightened month for Adobe. Getting into a little bit of news before we jump into the bulletins. It's the start of the year so there's always, you know, the predictions and things that are coming out. So I wanted to kind of kick off and this one from Forbes, I think, one of the things that happens a lot is the...all of the predictions and everything like that, they can be all over the board, you know, there can be a lot of different things. What I usually try to do when I look at those predictions is to gauge what is the common themes on most people's minds. And I think this Forbes Article kind of gives a good indicator of what those things are. And that's why I wanted to kinda take a look at this one.

So there's...The writer kinda broke it down into a number of areas. There's a lot of predictions around A.I. being used in cyber-technology. And, you know, some of the trends around that. There is the kind of the...Hey, what's the...What's forward-looking at the ongoing cyberwar across the globe? What are the trends that we can expect to see in 2019? Privacy. We had the beginnings of a lot of privacy laws starting up but there will be a continuation towards more and more privacy laws. You know, we had the GDPR launch, we saw the California Privacy Laws going...coming up towards middle or late last year. There's gonna be a continuation of those privacy themes in 2019. And, let's see, cloud. There will always be a continuation of cloud and the concerns around that. IoT is another one that I think he breaks down, a pretty good section in here, too. Yeah, we're getting into IoT right about here.

So, if for nothing else, then I should just give you a general sense of where are things going in each of those areas. That's kinda what I look at a predictions article like this for. All right, so that's a good one there. There is the next article, get back to my own, here we go. The Internet Explorer Zero Day came out towards the end of last month. This happened on, I think it was December 19th. Microsoft released an out-of-band patch. It did resolve an Internet Explorer Zero-Day and we wanted to bring that up. Again, just in case, if there is any of you who were maybe in an IT freeze, didn't get that rolled out yet, we wanted to go through and make sure that you have an idea of what that was about and get that resolved. So Microsoft did release that Zero Day December 19th. Let's see here, according to the advisory, released at the same time with the update package, the IE Zero Day can allow an attacker to execute malicious code on the user's computer. The CVE, in this case, was 2018-8653, can be exploited in web-based scenarios where the attacker would lure a user on to a malicious site that runs code on their computer.

So this was a combination of the IE scripting engine that would be rendering web-based content. Also for apps in, you know, Office as well. So biggest thing to keep in mind here is that came out after December Patch Tuesday. For the January updates, if you do any of the cumulative updates or in the pre-Windows 10 platform if you do the security-only bundles, the IE update outside of that security-only bundle is cumulative. So, either you're doing the cumulative roll up for the month for the OS that you're on, or make sure to do that IE roll up and you will include that if you do January, it will include that Zero Day fix, as well.

So, I wanted to just point that out here and make sure that everybody takes a look at that and is aware that that came out. I saw there was a question from James in here as well about, you know, if...you know, what was the digest that I was speaking to before? That Zero Day and several others we...every week we do a kind of a...we're gonna be tagging this a little bit differently so they're easier to find on here. But, basically, like a weekly patch digest of everything that we released that week. And so, Brian, who also joins us on this Patch Tuesday calls and is answering a lot of these questions as we go through here. Brian does a great job of summarizing what we did for patching that week. He also captures things like the Microsoft Zero Day.

So we talked about that here in the week 51 update, talked about other things like, you know, we're still on the lookout for a couple more CVEs that were disclosed towards the end of last year from SandboxEscaper for any of you who are a fan. She's kind of an interesting security analyst that has an interesting way of presenting herself to the public but... So they were a couple of CVEs that were reported there and then there was a Zero-Day and then it went into what updates did we release that week and any of the security things to note there. So that weekly digest can be found on our blog, if you go to our blog and go to the Security section, you'll see, you know, we've already got week 1 for 2019 out as well. So each of these, you know, will typically talk about...this one talked about the Adobe Reader update that kicked off the year. It also talked about Foxit releasing its Reader and PhantomPDF updates as well. So, that's a good place to get access to a little bit more of this Patch Tuesday-style information on a regular basis.

So that is the IE Zero-Day. Let me switch back over here real quick. One last bit of news here before we get into a couple of other topics. Windows 10 1903 is going to introduce a new reserved storage feature around, and I'll switch back over here to the article, reserved storage for ensuring proper performance and successful update of your device. So it's gonna be a 7GB storage reservation for making sure that the Microsoft updates, branch upgrades, things like that, have enough storage space on a system so it doesn't cause issues. So that's one thing to keep in mind is as you're going to that new branch, is that going to start to use up more disk space than some of your systems may have. They did note, you know, concerns about what about, you know, PCs that may only have 64GB storage? So slimmer tablet models or something like that running on Surface Pro maybe that could have limited storage space, you know, how would that affect a more limited storage system. So that's an interesting bit of news here. One thing to look out for as the new product version, the new Windows 10 version comes out early this year. So that's one we wanted to warn you about. All right, so on the note of predictions, we thought we'd throw one out here too. This one, it's kind of an obvious one. But cyber-security incidents are gonna continue to increase and also become more intelligent, you know. We'd already seen signs of malware that is intelligent enough to know, am I gonna launch ransomware or am I gonna do something else?

So, expect that the cyber-threats that we see are gonna become...slowly become more and more intelligent. They're gonna be multifaceted, they're gonna be automated to be able to adapt to what they see in the environment. And based on what they see, they may be able to determine what, you know, direction they're gonna take from, you know, from an attack standpoint. "Oh, hey, if I landed on a healthcare machine, yeah, go straight into ransomware mode. If I landed on a banking system, oh, no, don't go and ransom the system, go and, you know, start monitoring and trying to, you know, connect to a command and control network and start to scrape credentials and pass those back."

Seeing how, you know, those threats are starting to evolve into this multifaceted type of attack, we ought to expect more and more of that going forward. So, ultimately, we have to become faster and more efficient at stopping them. And, here's a few things that, you know, some things that we are doing. You guys are gonna be seeing more and more of this throughout 2019. But the first one here is something that we talked about a little bit last year but actually, I wanted to show you guys something here real quick. And then for those of you on the patch for Windows product, also let you know that some of this is available right now. So we talked about bridging the gap between your vulnerability management platform and the patch management platform. So, for those of you who are using our patch for SCCM plugin in our v2.4 released last year, I believe it came out late September, that included a feature to be able to import a vulnerability report from many of the vulnerability vendors, and map that to the third-party packages that we support in that catalogue.

Now, we wanna extend that out at some point and start doing the Microsoft ones as well but we did the third-party experience in that one. For those of you on the patch for Windows product, you're gonna see that the next version of the product is actually gonna change names. That name change is for a reason, and I'll talk about that a little bit more here in a second. But, this experience is built in here as well where you're going to be able to go and import CVEs into a patch group, what we call a patch group. All right, so I'm gonna this...I just went in and told it that I wanted to import a list of CVEs. You can use any format of file that you want, so any formatted report from any of the vendors you've got. I'm gonna use Rapid7 as an example in this case. I'll browse to that report on my system.

So, I've got this CSV report. It's from a couple months ago but it's a 450,000 line item report. Not unlike many of you might see in your environment on a regular basis. So I'm actually gonna open this up and I'm gonna start extracting those CVEs. Now this is, you know, for those of you who have to deal with this on a regular basis, this is something that the feedback I've gotten from many of you is you will burn hours doing this level of research. You go through, you go through, you deduplicate the list, you have to then say, "Okay, this CVE maps to this software title. And this software title is at this version. It needs this package to update." So going through all that is a very tedious time-consuming process and can also involve a lot of human error. What we just did took less than a minute. I've got a full list of all these CVEs here that were mapped from that.

Now we did a test environment that actually goes back quite a ways. It also involved a lot of Mac and Linux and other platforms as well. So this was just the Windows platforms. We'll talk about non-Windows platforms in just a second but we can go through and we can then...I'm gonna call this my Rapid7 live demo patch group, create that patch group and all those CVEs that we just mapped are now in a nice, easy package ready to go. I can now start to assess and deploy those patches to my environment. Of course, that went over to my other monitor here. Give me a second. Here we go. Here we go. Here's my Rapid7 live demo list. Here's all the software titles that we had a match on and make sure to pull all those in. So that that 450,000 line item report easily got boiled down to a list of updates that we could deploy out through the product very quickly and very easily. So, you know...

Todd: That's just an off the shelf report, right, Chris? There's nothing special you did with that report, right?

Chris: No, it was a standard Rapid7 report that I exported to csv. All it has to be is clear text and include the CVE IDs so it doesn't have to include any other information than just that. You could actually take...if the vulnerability product you have just lets you cut and paste CVEs directly out of the view into a text file, that would work as well. So with that though, I now have very quickly gone to the point where I can deliver those updates to my test environment and start going through the process. So for those of you who're in patch for SCCM, already there for the third-party products, you just need to go to v2.4. For those of you on patch for Windows, this early access release is available now and we're gonna give you guys the link to that on our community. Where did my browser window go? There we go. There's the SCCM 2.4.

So here's the security controls early access page. Early access just means that it's a controlled release right now. It is production ready but it's one where we release it in the timeframe where we expand out to larger and larger audiences. So right now we've hit our first threshold of roughly a hundred customers that have installed and are using this version of the product since we released it last month. We're now to the second-stage here where we wanted to, you know, start to expand that list again. You guys are the first to hear about us expanding that more. Some of you may already gotten it. For those of you who don't, here's the other features that are coming out in that release. So, you see the CVE to patch identification. We've added REST APIs for those of you who are looking to go from our PowerShell API base to the REST interfaces to do more there. We also now have support for Red Hat Enterprise Linux in this product so you can actually start to patch your Red Hat systems.

The name change is because we're actually about to launch a new module in this product as well. Application control and privilege management. This is gonna be an addition so you would have to purchase this module in addition, but all of the other features, you know, the REST API, the CVE to patch feature that we just showed, all of those are included with your base patch for Windows license. The Red Hat support, if you got available servers seats, you could just start patching Red Hat as well as server seats as server seat Windows Red Hat doesn't matter. If you need additional seats, all that is a volume purchase of additional ISEC server licenses and then you can start patching Red Hat, as well.

So, that's the new version available and the link to that is right down here, to get 9.4 build 34105. Again, the name change you're not gonna have to rip and replace or anything. When you upgrade you'll just see the name change from Ivanti Patch for Windows to Ivanti Security Controls. All right. So, the next one...Because I know several of you are also on our endpoint manager platform, the next release coming soon here 2019.1 will have a similar import feature there. So I know several of you are interested to see, "Okay. When do I get that feature?" That's when you guys are gonna see it. So in the next release, late March, early April, depending on the timeframe there. They kinda do a similar early access into general availability as well. So watch for that 2019.1 release. That's when you guys will get that CVE import feature as well.

All right. So going beyond that. That's kind of starting point. If you look at the vulnerability management process from detection of a vulnerability to remediation of the software update or configuration change, end-to-end, there's a lot of places where there is manual steps, there is, you know, time delays, things like that. That gap between the VM product and the patch management product is the first kind of stepping stone. And we're working very hard to get all of our products to the point where they can bridge that gap. The next ones here, where I wanted to give you guys an idea of how we're helping to build some of these challenges in 2019. More visibility, more telemetry to try to stay ahead of these cyber threats that are becoming more automated and more intelligent, we've gotta get to the point where we can do things faster. Well, if you look at the patch management process from the point where we prioritize what needs to be deployed. Whether it's coming from the security team through that vulnerability management tool or just being prioritized by you guys, the next step is testing.

The biggest challenge with that is you only have so many test systems to deal with. You know, if you look at a vendor like Microsoft, they learned a long time ago that they can only have so many test systems in their environment to replicate what their customers do. So, they created the insider program. Windows 10 users can get on that insider track and get releases sooner but with that, they also accept a little bit more risk. You know, that's how Microsoft has kinda tackled that get more data sooner. What we would like to do is give you guys more visibility into a larger set of test data, but to do that rather than, you know, you can only get the patches so early in the process. So what we'd like to do is we'd like to be able to collect data from all of our customers globally, anonymized, and be able to present that to you so that you can get a better sampling of systems. If you can only test ten Windows 10 systems within your environment every month, that's, you know, a lot of small numbers, you're gonna miss some things. But if you've got those ten plus ten from the next company and 20 from the next and 30 from the next, if suddenly you've got 5,000 Windows 10 systems that within the first 24 hours have updated to that latest update, if you get to 10,000, 30,000, 50,000 systems that have rolled out that update, you start to see a much better, more accurate portrayal of, is that update gonna be able to install without, you know, blowing up in my face?

So, that's kind of a first step is...they'd be a patch install without error. All right. So if we've got 10,000 systems with less than a 1% failure rate that tells me, you know, the initial sniff test, yep, it's not sour, it's not gonna blow up in my face. What's the next thing I'm concerned about? There it's reliability. Okay, after the patch is installed, how many systems rolled it back within 24, 48, 72 hours? Like, how many people rolled that update back for one reason or another? That's gonna tell me the next thing I need to know. Downstream, did it break something else? So, this is the next step in that. And again, without enough sampling, you don't know how big of an impact that's gonna be. So you wanna have your insider group within your company, you know, this is just a patch best practice, you want to include some of your own user base, your power users, in that test cycle as well, to make sure that the downstream issues get flushed out early before it gets to the whole department or the whole organization.

The next thing you wanna get is you wanna get that feedback of what those known issues are. So whether it's a known issue described by Microsoft, we cover a lot of those on the Patch Tuesday webinar. Whether it's...we already know of a few different support issues that are happening with some of these updates we're gonna talk about in a little bit here that are blowing up in Reddit and other forums. Patchmanagement.org, which we host, if you guys aren't familiar with that one, great source of patch related issues. But, how do you aggregate all of that data into a place where you can consume it easily? So these three challenges, we're actually wrapping all this up in a single experience. And in 2019, you're gonna see more about that from Ivanti. And it's called patch intelligence.

So this is something that's gonna be coming out of our Ivanti cloud platform. I know...I've seen a couple of names on the list already. I know some of you guys are regular attendees of Interchange. You guys saw a little bit about the Ivanti cloud last year at some of our events. You're gonna see some really cool demonstrations of these this year. The patch intelligence interface is coming together. We're gonna be launching that at Interchange coming up here in Madrid and Nashville, depending on which market you're in. So those are gonna be launching sooner. We're gonna be starting to get more customers onboarded to that. But, think of it as a central place where you can go and you can see the updates that have been released. You could see data from your on-premises environment rolling up into that dataset and from there you can start to see that map to everything. You could start to get risk information, reliability information. You can submit and also see those known issues and start to get an idea of that there. The goal here is: give you a bigger set of test data to evaluate from, give you a better understanding of reliability and risk of deploying those patches to your environment, and give you easier insight into that collection of known issues, whether they're from the vendor, from us, from other companies like yourselves who are using our products and bring it all into one experience so that you can make those decisions faster.

The biggest goal there is, you know, if you go back a couple of years the average enterprise was taking 100 to 120 days to roll out patches on average. That average has come down quite a bit. The best data I've seen recently showed at roughly 38 days on average, companies that are, you know, typically more cloud facing or, you know, early adopters of technologies like that, where it seemed to be the sampling more from this company. So there might still be more Legacy premise-based products that are companies that drag it out a little bit further. But for the most part, 38 days is kind of the new average that's out there. The challenge though is vulnerability is...half or more of vulnerabilities that are gonna be exploited already start happening within that first two to four weeks of release from the vendor. There will be some Zero-Days but when you hit that 14-day mark the risk starts to increase significantly, of the number of those that will be exploited. So how do we get from 38 days down to 14 days? That's what this feature set and what patch intelligence and that CVE to patch feature are about. It's about getting you over those time-consuming stumbling blocks more quickly, getting to the information that you need to make better decisions and getting a higher level of confidence to start rolling out updates sooner.

So that's something to look out for in a week. Try not to get too commercial on these webinars but this is something that, you know, as you're looking towards predictions, as you're looking towards the rise of security incidents, these are the types of things that are gonna help us combat that. We strongly believe this. We've talked to a lot of you and we feel that you agree in many cases as well, that these are the things that are gonna help us get there faster. So we're excited to share that with you and, you know, as we get more into the year, we're gonna give you a couple more snippets to that and tell you when there's opportunities to jump in and take advantage of that.

The last part here, you know, this is primarily around patch management but the other two areas that are gonna give you your biggest bang for your buck in reducing the things that make cybersecurity incidents successful, extending past patch management into privilege and application control. You know, if you look at any of the big successful breaches that happened last year, it wasn't just a patch that was exploited. There is a combination of the official user, you exploit though with software vulnerability, you launch a payload that gets your something else. You grab some privileged access, some credentials met environment and then you use a variety of existing tools within that infrastructure or tools that you as the attacker bring along with you on trusted payloads, to start jumping from system to system. And slowly you work your way around until you find what it is that you're looking for. That's the day in the life of a threat actor. So privilege management and application control are the other two pieces that really round out what it takes to eliminate the majority of the threat to your environment. Doing those three things well, will mitigate or eliminate 85% or better of the cyber threats that are out there. So that's kind of our prediction and our recommendation as you go through 2019. This is how we're gonna start to get ahead of the incidents that are coming.

All right. Enough harping on that. Let's get into a little bit more about some of the updates coming. Delta updates...update, you know, it's...we've got an update about Delta updates, yeah. So, the final Delta update is gonna be on February Patch Tuesday. For those of you who might not be familiar. Microsoft, when they released Windows 10, they got us out of this cumulative update model. Each month, that size of that update was growing bigger and bigger. So Microsoft tried to come out with different ways to reduce that size impact. And one of them was this Delta package. So if you've been keeping up with it, you know, going from December to January, that Delta package is smaller than the full cumulative that's been growing and growing and growing for how many months, however long that branch has been available. You know, some of those had been a Gig and a half or bigger. While the Delta package could get it down to, you know, that Gig and a half package to maybe less than a Gig. Well, those Delta packages are going away. The good news is for 1809 and later, Microsoft has switched to a new model of package that eliminates that size issue almost entirely. So that is a non-issue for the 1809 branches and later but for 1803 and earlier branches that are still under support, the last Delta package is gonna be coming in February and then that size issue becomes kind of an impact again. So, just fair warning that, you know, that's coming up here in February. The last Delta will be provided. The sooner you get to that 1809 or 1903 when it becomes available branch level, that size issue more or less goes away.

All right. We do have one public disclosure how is that we didn't wanna to talk about this month. This is a public disclosure that is a vulnerability in the Jet database engine that could allow remote code execution. So this vulnerability was publicly disclosed. You know, what that means is enough information was released to the public about this to give an attacker a jump start on being able to create an exploit. So either, you know, a threat researcher disclosed the information about the vulnerability or even proof-of-concept codes for it, enough to make this at higher risk. Now, with this, there's actually 11 Jet database vulnerabilities resolved this month. All of them are important or lower in severity but this important CVE is at higher risk and should be treated as more than an important CVE because of the fact that a lot of the legwork for that attacker has already been done. It's more likely to be exploited. There's been a lot, actually. If you look back at 2018 and earlier, there's been plenty of exploited vulnerabilities or public disclosures that led to a later exploit that were only an important severity on a CVE level. So the severity alone isn't always the best indicator to go with. You have to take a combination of things.

All right. So that is being resolved. We'll point out throughout the rest of the bulletins where that vulnerability comes into play. And you'll see that in a lot of cases we elevated an important bulletin up to a priority 1 rather than a priority 2 in our classification because of the fact that it's more at risk because of this disclosure. All right. There is another update here so, you guys, have probably heard a few times now in the last three or four months here about these servicing stack updates. So Microsoft did release one servicing stack update this month for Windows 10 branch 1703. The servicing stack update, they are...basically, think of it as the update system, the Windows update components of Windows needs to get an update. Whether that's to be able to handle, you know, a known issue or to better secure the process or give performance changes, things like that. Those servicing stack updates are separate from the normal update hierarchy. They're not in the normal supersedence chain. So you have to do that install and the monthly update for Windows 10 1703 this month. If you don't do those, there may not be any initial ramifications but at some point, there could be something down the road where you won't be able to continue updating unless you've got that servicing stack update in place. So it is a good idea to get those in within a reasonable timeframe.

We did have some Visual Studio updates for 2010, 2012, 2017. You know, in a lot of cases, your development team is usually the ones that are doing those updates, depending on your organization and how it runs, this is more of a, "Hey, guys. Be aware those are updated." Just so that you can inform those teams that there were some security updates. There's also a number of updated development components. So if you go back to a notable breach from last year, Equifax. It all led back to this thing called Struts. Struts wasn't something that could just be patched. There wasn't an off-the-shelf, run this installer, boom, Struts is updated, you're all good.

No, Struts was a development component similar to these. So ChakraCore, .NET Core, ASP.NET Core. There was even a PowerShell core that I've seen from time to time. Each of these are development components. You can take that and build it into an application. When you do that you enter into that continuous mode of having to keep that binary component up-to-date then. When Microsoft releases updates for any of these core binaries, the development team within your organization that built that application have to take the new version of the binary, they have to build it into the product and then they have to release them again. So for those of you who know that your DevOps processes are adopting components like this, those teams do need to be aware of when these core components update. And it happens pretty regularly. Most months last year, we saw core updates alongside the .NET updates and ChakraCore almost all the time when browser updates are coming out. So keep in mind that those are a development process to update, not just a simple patch that can be deployed.

All right. This next topic, I talked about a little bit last month but this is the last public availability update for Java SE 8 this month. So, Oracle is actually having their patch cycle next week on 15th. This is more just to make sure it's at the top of mind for you guys so that if it's a concern you include that in your patching cycle. But for those of you who are running Java 8, there is a change in public support. After this January update, those Java 8 updates are no longer publicly supported for business customers. They've got some specific language in the article that Erica just shared. You should go take a look at that and see, do you fall into an area where you would then have to switch over to paying for those Java updates. Many cases where you are developing a Java application internally in doing that. Yes, there would then be a charge involved to continue using Java SE 8. So that's something that your organization should be evaluating and figure out, is that a concern? We have had a few questions about how is Ivanti gonna continue supporting Java 8 going forward. So what we have done is we are changing, after the January update, we're gonna change to what we call drop in support mode. This will make it so that those of you who are on patch for Windows, patch for SCCM or patch for EndPoint Manager, you will see the contents available in the product but we will not download the installer for you. You would then need to go to Oracle site and grab the installer and drop that into the product. This is a liability issue. It's not something we enjoy doing but it helps keep us and Oracle on good terms so that we can continue to provide good support for you guys.

So the onus is on you as our customer to make sure that you're compliant with Oracle's licensing terms. If you are, you just get that installer, drop it in place and boom you can continue patching Java 8 until they're no longer available. There may be a cost involved to continue doing that. That's what you need to evaluate on the support terms there.

Now, we've got articles for, you know, that drop-in support and what that means. For those of you who are on the Endpoint security EMSS product, our Legacy e-product, you can use the content wizard to be able to deliver those Java updates as well. The product did not support a model where we could do the drop-in support because of the nature of how it works. So the content wizard is how you would support Java 8 in EMSS. So that should cover for the most part how each of those products works. Hopefully, that helps answer most of the questions there. But one thing I would urge is, do evaluate those terms that Oracle has changed around the support for that. They have kind of three categories of support. Business or enterprise customers where you gotta get on a paying model to continue. There is a middle kind of corporate use where you may just need the JRE but it's because you're using something else not being delivered by you that falls into a middle tier that may still be free, but you need to evaluate that and make sure. And then there's the home user kind of model where, yeah, for that, for those of you running Minecraft at home along Java 8, you know, you can continue to support JRE for a little while here. So, those are kind of the tiers in there but you should evaluate that and make sure you know which category you fall into and stay compliant with Oracle.

Now, the going forward. And, actually, I thought I'd change this in there. I didn't. But the transition here is, you know, you go from Java 8 up to JDK 11. Now, notice I didn't say SE or JRE, I said JDK. In Java 11, there is no longer a JRE. There's no longer the separate runtime environment. You only have the development kit. What changed now is Oracle has gone to a model where using either this Jlink or Jmod, your development team has to basically develop the product and then they package it up using Jlink or Jmod where all of the runtime binaries that are necessary for that application are lumped in with the application and then delivered together. So there's no separate JRE anymore. What this means though is, the way that you guys are distributing Java Applications internally is changing. As you go to JDK 11, as you move to this new model it's gonna change how you guys are supporting that. You should be questioning how do we identify if we are a vulnerable version of that, make sure that your vulnerability management vendor is able to track that. How do you make sure that you're up at the latest patch level for that new binary? Well, that means that every time Oracle does their quarterly release, your development team has to get that new JDK version and update to it and then basically rebuild with the updated version of those binaries, again using Jlink or Jmod so that you got the proper packaged application with all the vulnerabilities resolved that gets redistributed to the environment.

So, it's definitely something you wanna look internally, make sure that you get an understanding of... Yeah, so that last one, the obsolescence link there, I just like the word and whenever I find words like that I usually grab the dictionary definition of it. But there's two issues that you wanna look at going forward. How long do you have Legacy Java apps running around your environment? Software obsolescence is one of the bigger pains and, you know, more notable causes of security breaches. The majority of times that Java is part of an exploit is because Java was on an outdated version that had updates available for months, if not years. Having an outdated version of a piece of software in your environment is a security liability. You want to identify where those are, figure out what's the time table before you can get rid of them and then make sure to get rid of them before, you know, they become the way that somebody gets on to a system. The second one we talked about, under this new model, how are security vulnerabilities identified? How does the development team update, repackage, and redistribute that? And how do you make sure that you're good from a vulnerability standpoint on that? So, those are the two things that I would say that you need to investigate internally for those of you who are running Java.

All right. Windows 10 life cycle. One small change on here, Microsoft did update the change, the release date, date of availability for branch 1809. For those of you who remember that got pulled and rereleased. It's January right now, but coming up on April, we've got Windows 10 1709 for Home Pro and Workstation editions, that will be end of licensing and then April 9 same date there, 1607. For those of you on the enterprise or education editions, those branches are coming up rapidly on their end of service date. No security updates available past April so make sure that you got those branch upgrades moving forward.

We talked about this a little bit already but I always like to do another plug on this because a lot of people find this interesting. In fact, a couple of you on today's webinar already said, "Hey, wait a second. What's that? How do I find those?" These weekly blogs that Brian's been doing are a great source of this type of information. We're gonna continue to put out that information as quickly as possible and make sure that you can get to those. We'll be trying to do some more things to tag them in certain ways this month as well.

And then our patch content announcements. If you go to our community pages, we've got a different way to sign up and subscribe to our content announcements so you know when new things come out on a regular basis. All right. For this being a light month, there was obviously a lot more to talk about there than I expected so I'm gonna switch over to Todd.

Todd: Thanks, Chris. Yeah, that was all good stuff. I mean, it's important information. Let's jump into the bulletins of actually what was released this month. Obviously, Windows 10 being, you know, the most important from a rating standpoint. Microsoft rated it critical this month. Updates across all of the normal operating systems from 1607 through 1809 for your desktops. Of course, the latest server versions 2016, you know, all the way through 1709, 1803 etc. There are a bunch of bulletins around this so I strongly encourage that you look into those and read about them. As Chris mentioned, one of the things that drove this one up was this vulnerability with the Microsoft Jet that was publicly disclosed. So be aware of that as well. Probably kinda more interestingly this month in addition to just the updates are all the known issues. And I have a whole series of slides here that I wanna go through with known issues this month so that you're aware of it. Come on, change slides. Here we go.

So we're gonna start with one of the older operating systems, 1607 here. And you could see that I actually have this page and another page of issues that exist around 1607. This particular first issue here has actually been on the book since the beginning of this release. When they changed the previews, the August preview quality roll-up, it caused some issues with SQL connection. They did provide some information on this. There is no workaround for this so just be aware of it. This next issue here around the System Center Virtual Machine Manager surfaced this month. This is something that's new. They did provide a workaround where you run this utility to modify these .mof files. Be aware of that. They do want you to upgrade obviously to the latest version, 2016 update 6 so be aware of that as well, as their current workaround.

The next one is also new this month. After installing the updates on server 2016, they saw an issue with Microsoft Outlook clients failing with this particular error. Meaning, they cannot perform a search. Again, they provided a kinda temporary workaround to actually fix the symptom, as they say. Not necessarily they didn't fix the issue. And also on 1607 this month, a new issue here around passwords. In this particular case, they gave us a workaround to actually change the domain default minimum password length to be less than or equal to 14 characters. That's kinda their temporary workaround. And this next issue also surfaced this month. You know, Windows failed to startup on certain Lenovo laptops. So be aware of that. They do say that they are working with Lenovo on this issue as well.

And then, finally, this last issue here is actually, you're gonna see this one across multiple versions of Windows 10 where they're having difficulties with third-party applications authenticating to hotspots. This could probably be a very important topic for many of you with regards to authentication for wireless activity so just be aware of this one as well. Microsoft is working on a resolution for all of these issues.

Now, what's particularly concerning about this release in 1607, we don't talk about it too often here on the Patch Tuesday webinar but as far as the long-term service channel, long-term service branches, 1607 is one of those. And, by the way, there are three long-term service channels. There's the original 1507, which is still being carried forward, so you will see updates for 1507. There is 1607, obviously, as I just mentioned. So the fact that there are all these problems as a long-term service channel causes me some concern. And then the latest one is 1809, which they just released, that's also a long-term service channel as well. So those are the three moving forward that are gonna get long-term support and the fact that there are a lot of issues in particularly this one, 1607, is especially concerning.

Moving up from 1607, 1703 has the same problem that I talked about earlier with the SQL connection so be aware of that, as well as the third-party applications having this authentication issue. Again, Microsoft working on those. 1709 same issues carrying forward there. I just wanna point those out to you as well with the different KB number, particularly to 1709. 1803 has a couple of additional issues in addition to the ones we just talked about. There is this issue which actually carried forward from last month. After installing this update some users cannot pin a web link on the start menu or the taskbar so beware of that one. That's kinda new for this 1803 in addition to the problems I just talked about. And then, you know, as far as the latest version goes, it seems to be actually the most stable, 1809 in Server 2019. They do have this new issue, like I said, it carries across all of these.

And, interestingly enough they do have this problem. They have this particular KB here with some of the fixes in here. It's a known issue also that this is also related to this but this carries across all versions which is kinda interesting. I hadn't seen a KB that addresses all versions of Windows 10, but that particular one does. And again, Microsoft, of course, says they're working on a resolution to these. For some of these on the hotspot issue, they have said that they will have a release prior to the end of January for some of these versions and for other versions they said they will have it in the February Patch Tuesday release. So they obviously kind of know what the problem is and they're aggressively working on it. But just be aware, there are quite a few issues with Windows 10 this month.

For Internet Explorer this month, they actually only fixed one CVE so be aware of that one. It does affect Explorer 9, 10, and 11. Again, there are a lot of options around Internet Explorer. The cumulative updates include, you know, the Internet Explorer updates as well as the security-only updates; you can apply these independently, so be aware of that as well. Looking at some of the Legacy operating systems, updates for Server 2008 this month, they did have an update on one of the particular Spectre issues. This one is the Speculative Store Bypass related to this CVE-3639. This is only for AMD computers so they do have a fix for this this month. They did address the security vulnerability in the PowerShell remote endpoints. They specifically called this one out so if you actually go into the bulletins, like, for example, this bulletin for the monthly roll-up for Server 2008, you can get a lot more detail on that particular issue. And then, of course, they have addressed a number of vulnerabilities in a lot of different individual components within 2008, including the Kernel Storage and Filesystems, wireless networking and, of course, this Microsoft JET Database Engine issue. As Chris mentioned, we'll carry this forward. I generally highlight the ones in red that are either publicly disclosed or have been known to be exploited. This particular month in the monthly rollup, they addressed 15 vulnerabilities in 2008.

In the security-only update for Server 2008, obviously, they address the same 15 vulnerabilities. I mention this every month but Microsoft does release two types of updates for these Legacy operating systems. There is the monthly rollup which includes updates going...and typically all the way back to October of 2016 when they started this process. And then the security-only update specifically addresses just these 15 vulnerabilities. Sometimes they'll sneak in some kind of a performance enhancement but generally, they call it security-only because they're only addressing these 15 vulnerabilities. The monthly rollup includes not only these 15 vulnerabilities but like I said, CVEs going back basically to October of 2016 at this point.

Moving on to Windows 7. On the monthly rollup, this month they also addressed 15 vulnerabilities. The monthly rollup does include the IE update as I mentioned so in addition to the 15 here, it does include that IE update. Also note here, this particular update also includes that Spectre fix as well as the PowerShell remote fix, as well. There are some known issues around this particular update. If you've been on our Patch Tuesday webinar you'll notice that this particular issue has been carried forward now for, I guess, five or six months at least. This has to do with network interface controller that may stop working on some client configurations.

They do give a workaround. They do not say actually that they're working on a fix for this, so my guess is that we're gonna be stuck with this workaround. But one thing I'd also like to bring to your attention the...you know, Brian, who's on answering our questions here and the rest of our content team are always looking for kind of the latest issues that are occurring. And this morning, we've seen some problems around this Windows 7 update concerning connections to SMB file shares, particularly the V2 file shares. Erica will share this link out, talking about this but there are some known new issues. I haven't seen anything other than this particular report so far. But you may run into this and, you know, we're waiting for some larger collaboration across the field but this one popped up this morning with some people who are doing German updates in particular, in Germany.

Brian: There is a...hey, Todd, there is a workaround below on that, on the page as well. I'll post it in the chat.

Todd: Okay, great. Thanks for the update, Brian, I appreciate that. So just be aware of that. This is on the Windows 7, the monthly rollup. They did, of course, do a security-only update as well. Again, addressing the same 15 vulnerabilities. And again, that publicly disclosed 0579 vulnerability. As of yesterday, this particular non-reported here was coming from Microsoft. Brian, have you heard if the security-onlys have that same SMB file share issue or was that only the monthly rollup, do you know?

Brian: Let me look in that. I'll verify that when we get to Q&A.

Todd: Okay, great. Thanks. Moving on, again continuing with the Legacy operating systems, Server 2012 monthly rollup addressed a couple of additional vulnerabilities, 17 because it is the monthly rollup includes the IE update as well. I noticed here that we have that publicly disclosed vulnerability. Also, note that the hotspot issue authentication. So hotspots is also part of this 2012 known issue, I should say, for this monthly rollup for server 2012 so be aware of that. You may see this on the Legacy operating systems in addition to Windows 10. Didn't see this problem with regards to Server 2008 or with regards to Windows 7 and Server 2008 R2. It only showed up here under Server 2012.

The security-only updates for Server 2012. Same ones, obviously, again, in this case, there were no reported issues so apparently, that is not an issue with the security-only updates. So if you're doing that should not run into that hotspot authentication issue. And finally, the last of the Legacy operating systems, the monthly rollup for Windows 8.1 and Server 2012 R2. One additional vulnerability from the previous. They have 18 vulnerabilities they fixed this month. Again, this monthly rollup does have that authentication issue so be aware of that, on these older boxes with Windows 8.1 and Server 2012 R2.

And finally, the monthly...the security-only, I'm sorry, for 8.1 and 2012 R2. Again, same issues. It also includes the speculative, the Spectre update, the Speculative Store bypass vulnerability, and the PowerShell issue as well. Moving on from operating systems, next up we have a couple of servers. We've had kinda regular updates the last couple of months for both SharePoint and Exchange Server. This month is no exception. Fixed the single vulnerability here in SharePoint server. You'll notice that it does allow for remote code execution spoofing and elevation of privilege so even though it's only one particular vulnerability there are a number of impacts on the endpoint so be aware of that. It does include updates for 2013 all the way through the latest version which is 2019 SharePoint server. So if you have updated and are running that make sure that you get this particular fix in place as well.

As I mentioned, in addition to SharePoint server, we've had regular updates for Exchange Server. This one has updates also through the latest versions. Fixed this particular vulnerability 0588. And this particular issue has to do again with that PowerShell API and the way it's granting permission to contributors. They have fixed this particular one so be aware of that. They do report this known issue which is kinda interesting. I don't know why they don't say this for most updates but I guess it must have been a particular problem with the Exchange Server. So, if you do manually download the update probably on some of the older versions and double-click it because you're not typically running it as administrator, you're basically end-user mode, it will not update all the files. So they want you to make sure that when you run this in the future that you do indeed go through and make sure that you run as administrator. You right-click on it, enter your administrator credentials and run appropriately. So be aware of that issue. They called it out specifically for Exchange Server.

We get our typical set of Office updates this month. These are the standard on-premise versions of Office, not the cloud versions that we'll talk about in just a second. We got updates all the way from 2010 through 2016. Got an update for the latest version of 2019 for Mac and Outlook, Word, Office online web app server and they also had a special update for Skype 8 if you are supporting Android devices, so be aware of that as well. Six vulnerabilities fixed this month. No known issues reported. Obviously, there are some application restarts required sometimes on reboots depending upon what combination you're doing as well so be aware of that particular problem with that particular requirement.

We do of course get our regular security updates for Office 365 Pro plus. We need to add actually 2019 as well in here now they've released 2019. So we do have updates for that, overlaps with the vulnerabilities that reported for the on-premise versions of Office. So you can see here we have five of those six vulnerabilities. I included the link here. You can go in and take a look at the release note, specifically for Office 365.

This month we did have updates for Microsoft .NET. They also released this in an MR monthly rollup form as well as a security-only form. And in the past, they've stopped going back so far but this month they did release an actual service pack update for 2.0. So for those of you who are running older versions of Microsoft .NET framework, typically on Server 2008, that's where you're required to run the older version, they actually did a service pack update this month. Be aware of that. They fixed this particular vulnerability that could result in information disclosure with this particular CORS configuration issue, so be aware of that. And I said, like, there is a monthly rollup as well as a security-only update for Microsoft .NET as well. So you have that option to install.

Finally, as Chris mentioned there were releases for Adobe Flash Player this month. They had a 19-01 released that came out on Patch Tuesday. You noticed earlier that the 19-02 for our Reader and Acrobat actually came out prior to 19-01 so be aware of that, those were released last week, fixing some critical bugs that Chris mentioned. Microsoft, of course, followed suit with an update for a Flash Player internal to their normal monthly updates or Patch Tuesday updates, 19-01-AFP. Again, fixing non-security bugs but as usual, strongly recommend that you move forward and apply this on your endpoint as well. With that, Chris, I'll give it back to you to talk about between the Patch Tuesdays. We have a couple of short slides.

Chris: Yeah. So, one thing we do talk about quite frequently is what happens in between Patch Tuesdays? For those of you who had been following that weekly digest or for those of you who commonly, you know, keep an eye on third-party updates, there's a lot that happens in between. And many of those will have CVEs. So this is just kind of a quick rundown of many of those third-party updates this month. Foxit Phantom PDF had three that they resolved. Adobe Acrobat and Reader those were the two that were released last week. Google Chrome had one CVE in the 241 release. Foxit Reader had the same three vulnerabilities there and then the Foxit Reader Consumer version, same three vulnerabilities there.

So this is one of those things that we, you know, just try to make sure that people get a regular dose of this and understand that Patch Tuesday isn't everything and there's a lot of things that happen outside of Patch Tuesday, you know. There's a lot of reasons why you may even wanna consider going to a weekly cadence for your endpoints. Servers may still be once a month but endpoints and user machines, there's a lot of updates that you can be applying between those patch cycles. If you're doing it more frequently you're more secure, you keep more of those ways that an attacker will come at you secure.

All right. So let's get into some Q&A real quick here. We have...I'm gonna go through just a couple of quick things that came through before. So Ken had a question about...so we don't use Java for any in-house developed apps, strictly third-party. So if, from understanding the situation correctly, then with Java 11, the quarterly update will have to be integrated by the vendor and sent to us. Yes, that's correct. Now, once your vendor switches over to Java 11 that basically should be it. You would no longer have JRE installed on that user's machine to use their applications, you would just install that vendor's application and each time they update you would have to then just update that application there. But, yes. So keep an eye on those vendors, Ken. The ones that you do have a Java application from, make sure that you understand that when they move over to Java 11, you know, at that point you'll wanna get rid of the old JAVA instances in your environment if they're no longer needed because they'll be basically just accumulating security vulnerabilities at that point.

Oh, Brian will answer that one there too. Either way though, it's a good note for everybody else if you didn't catch that before. Let's see. Todd, there was one question here from Julie, what was meant by the third-party applications having difficulty authenticating hotspots? Which update was that that had the authenticating hotspot again?

Todd: That occurred across like almost every one of the operating systems this week, this month.

Chris: That was across most of them. So, basically, after applying that update, Julie, if you have...there could be instances of applications where they may stop authenticating to hotspots correctly after the update's applied so this update is implying changes to...yeah. So here's one of them. After applying this update, third-party applications from this system may not be authenticating correctly to those hotspots. It probably will be dependent on each application that...and how they use hotspot authentication. So if you start to see those issues it is traced back to this but most likely from what I've seen of issues like this in the past, if that vendor is doing something where things are a little bit more static and don't dynamically adapt to changing the hotspots, when you're moving around a building and you jump from one hotspot to another, if the application doesn't catch that and reestablish a connection, that's when you run into this and that's most likely what their known issue is referring to.

Let's see. Brian, what do we have for additional questions that you want to go through, ones that you've responded to already?

Brian: I will say, I got my hands nice and tired as to what questions was that. So I did wanna circle back on the SMB v2 networking issue for 2008 R2 in Windows 7. From some of the other things I've seen on Spiceworks etc. it does appear that it's present not just on the rollup, but on the security-only as well. So I'd heavily recommend getting a test group in there because it definitely [inaudible 01:09:07] or vary it kind of depends on how your applications are set up on your endpoints. So just a heads up there.

What else did I...I'm scrolling through it real quick. My apologies. One customer was having issues with the latest 1809 updates and video drivers. I did reply that video drivers are known to have some issues with 1809, compatibility issues. I know you went over that, Chris, on some of the earlier Patch Tuesdays where they're switching their driver models. So just a heads up for anyone that does update to Windows 1809. Video drivers are like the number one thing you need to update before you perform the upgrade because you're gonna run into issues otherwise. What else?

Chris: Yeah, so just a personal note. Like, I find that when my home system updates, I will oftentimes have...if I do have some driver issues I have to reboot again and they'll usually clear themselves up. I haven't seen too many persisting ones as long as you keep that video driver up-to-date. Depending on your video driver vendor, you know, NVidia is probably one of the fastest at rolling out updates but most of them are pretty good about it nowadays. Just keep up with the latest video drivers and usually, it's not an issue.

Brian: I'm just checking if there's any other major questions. One moment. [crosstalk 01:10:49]

Chris: Prashad had one that was more product level. So, can Ivanti Patch Management do the job without SCCM? So, yes. Actually, Prashad, Ivanti has several patch management solutions, you know, for different purposes. So for companies that are running Microsoft systems center, we have a plugin that gives you all the third-party applications nicely and easily packaged up and all pre-tested and everything so you could easily consume those without doing a lot of work on your own. If you're not using SCCM, we have our patch for Windows are now in the new version Ivanti security controls. Or, if you're looking for an alternative to SCCM, you do want full systems management, but not SCCM, we do have our endpoint management solution that does have patch integrated directly into it. So, yes, we can absolutely do with SCCM or without SCCM, not an issue. Just reach out to us and we can find the solution that best fits your needs.

Brian: We did just have one question. What's the best way to identify which Java applications aren't used on a network in relation to moving to JRE 11 so compatibility can be identified? I think that's a kind of a question that we can't answer well because we haven't seen a lot of JRE 11 applications or Java 11 applications. What are your thoughts, Chris?

Chris: Yeah. I have not seen a Java 11 application yet, so the biggest thing there is I expect that your vulnerability management solutions are going...those are the guys that are gonna be looking at and seeing that there's Java binaries on the system. So, I would look there first. To a patch management solution or to a systems management solution, you're going to see that vendor's application and it's not gonna be as easy to know is it a Java app or not. But a vulnerability management solution is looking a little bit more deeper and...I mean, there's cases where I ran into like Rapid7 or Qualys or one of those where they're seeing a Java vulnerability that we're not because Java is not actually installed but they see a loose binary or DLL on that machine that is not part of an installed application. So my thought on this is your vulnerability management vendor is the one who's going to be able to pick up where those Java 11 apps are coming in because there's no install of Java. It's the vendor's install but the binary is underneath that, I think, the vulnerability management vendors will pick those up.

Brian: I don't honestly see anything else.

Todd: Chris, one thing you might wanna jump back to are the Delta updates. We didn't... we kinda jumped over it a little bit just to cover it in a little more detail.

Chris: Sure.

Todd: These past months, as Chris mentioned there was that IE update that came out on the 19th of December and one of the things that Microsoft did as part of that is they have now keyed their Delta updates off of that particular issue. I think you're more than a few slides ahead.

Chris: Okay. So that was the IE issue. Now, here's the Delta slide.

Todd: There you go, there you go, yeah. So, what they did was when they released that Delta update on December 19th...they released that cumulative update on December 19th so the Delta updates that came out just this Patch Tuesday are now keyed to that December 19th release. So if you're running just the Deltas and you have not applied the cumulative update from December 19th, you will not be able to apply the Delta update because it doesn't recognize the original December Patch Tuesday update. You'll be forced to apply the full update for this particular month, so be aware of that. I've included the quote here from Microsoft talking about what they did, so just be aware of that. And the important thing is if you're using any of our patch products, we basically enforce the Microsoft logic. We're not overriding anything to be able to apply a Delta update to the December Patch Tuesday release. We do require that the December 19th release be applied before we will show the Delta as applicable. So, just be aware of that, a bit of a change if you are using Delta updates this month.

Chris: Yeah.

Todd: Thanks.

Brian: We did have one more question coming from Sankar about that CVE import feature we talked about. So, for all of our products that are gonna be able to do this, it could be any vulnerability management vendor. So, Qualys, Nexus, Tenable, Rapid7. You saw me do that one in the demo there. CrowdStrike. Any vulnerability management vendor as long as your reports can be exported into a file format, text, csv, tsv, xls, it doesn't matter. As long as that has CVEs that we can scrape out of that file. So that's the only requirement there. Make sure that your Qualys reports, Sankar, make sure that that has the list of CVE IDs, as long as it does, you should be able to import that file into the experience end product and we will map those IDs for you, so.

Chris: All right. Well, I apologize we went a little bit long on time here today. I apparently went a little bit long harping on best practices and Java and other things this month. So, hopefully, that was informative. If not let us know and I'll tone it down next month. Thank you for joining us and we look forward to seeing you guys in February.

Todd: Thanks, Chris. Good seeing everybody.