June Patch Tuesday 2019

June 12, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Ivanti

Join us this month as we recap the Microsoft and third-party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.

Transcript:

Chris: Hello, everyone, and welcome to June's Patch Tuesday Webinar. My name is Chris Goettl, and with me today is Brian Secrist. Brian, how's it going?

Brian: Doing well. How about you, Chris?

Chris: I'm doing well. Hopefully, my Wi-Fi here at a hotel in Jersey City is gonna hold up pretty well today. We'll see how it goes. Been good so far.

Brian: Let's hope we don't have to...I don't have to pick up for you.

Chris: Right. Yep. So actually, you know, for those of you who are regulars on here, Todd Schell decided to take a little European vacation, you know, going on holiday, as it were, for two weeks and decided to start it, you know, right before Patch week. So, Brian's gonna be taking over Todd's role for today. So, normally, when Brian would be, you know, handling Q&A in the background, while Todd and I are, you know, going through slides. You know, we're not gonna have the ability to kind of front-load a bunch of the questions during. So bear with us, we'll try to get through all the slides here and get a little bit of time at the end, excuse me, to make sure and answer everybody's questions. But we should be able to handle it. We'll make it through somehow.

All right. So, getting started here, we're gonna go through just an overview of Patch Tuesday. We're gonna talk about some recent news. And then Brian's going to jump into the bullets and rundown for us. And then again, at the end, we'll have some time for some Q&A. Just giving you a high-level view of what came out this month. We do have 15 updates that released across all of the Microsoft and Adobe stack that are of a security nature. There were a number of other products that did release into our catalog yesterday as well. But the rest of those did not have anything security-related associated with them. So, you'll see things like Firefox and a couple of other things that made their way in there. But those were not of a security nature so we're not gonna be talking about those on today's call.

All right, getting into a little bit of news here. The first thing I did wanna touch on, and, you know, this is more of a...you know, just making sure it's still top of mind. You know, we do have some public disclosures this month, four to be exact, that we're gonna talk about, and those do have some concerns as well. But still, probably the biggest vulnerability you have to worry about in your environment currently is still BlueKeep. So, for those of you who are aware of this already and attended last month's webinar as well, I'll keep this brief, but I just wanted to rehash this a little bit. This is the RDP vulnerability for pre, you know, like legacy operating systems for the Windows side.

So, Windows 7, Server 2008, Server 2008 R2, Server 2003, and Windows XP. So, Microsoft did release updates for the XP and 2003 platforms for this as well. It's that much of a concern. The vulnerability is wormable. Let me go and jump into the initial advisory that Microsoft put out by Simon Pope, who's the director of Incident Response over at the MSRC on the Microsoft side. You know, they did release updates for XP and 2003. The reason for that is this is wormable, it is a vulnerability that is capable of a broad impact, like WannaCry back in 2017. A number of other security firms and researchers have, you know, announced concerns about this as well, including the NSA.

So, this was an advisory that was put out on June 4th, basically kind of reiterating the fact that BlueKeep is a serious security concern. It has a broad potential to, you know, be a potentially global-facing cybersecurity internet here. You know, since then, a number of pieces of guidance have come out, you know, things like blocking RDP at your firewall level. There's a lot of companies... In fact, one researcher found there were as many as 16 million public facing systems that were listening on the two most common RDP ports, 3389 and 3388. There is other guidance to do, things like turn on network level authentication. If this is turned on, then BlueKeep becomes significantly harder, if not gets mitigated to a point where it can't be exploited, you know, using the vulnerability. Disabling Remote Desktop altogether, if it's not required, great, but most of us kind of need that to, you know, support systems throughout our environment, so may not be an option.

But there's a variety of guidance there that is recommended. Now, since this came about, we've been doing kind of a series of coverage on that, talking about the initial release, you know, blog posts from one of our principal SEs around our security products out of the Australia team from Ivanti. Talking about the severity of this one, we covered it in our last month's Patch Tuesday Webinar. We also did another webinar on the 22nd, specifically about BlueKeep. So, on that, Brian and I actually went through a lot more detail about BlueKeep, we even did some hypothetical conversations about if somebody were to exploit this, what might that attack look like? There were a few other kind of pieces of news that came out around that, including on...by May 28th, there have now been six different security firms that have achieved a level of exploit of this vulnerability.

So, this is not hypothetical, there are multiple firms that have achieved an exploit of this vulnerability to take full advantage of it. In this case, if there's that many security firms that have done it, you can rest assured that multiple threat actors have done that as well. So, at this point, they're putting together what an attack would look like, you know, trying to...it's basically if... You know, in the marketing world, it's like setting up a campaign. You wanna make sure that you've got logistics in place to deliver, you know, the attack. You wanna make sure that if there's...you know, what's the back end infrastructure need to be? Is it a botnet that's going to set up command and control systems and, you know, drop down back doors within a whole bunch of environments? Is it gonna be cryptojacking, where is it gonna, you know, lay down some crypto mining software and try to persist in space [inaudible 00:06:56] environments as long as possible, just to generate Bitcoin?

So, whatever is...you know, these threat actors are thinking, right now they're looking at and they're setting up and they're trying to build out that campaign to deliver an effective attack. So, at the end of the day, it's...you know, many different security groups are saying this is not an if situation, it's a when situation, and the when might not be too far off. So, make sure that you've got this plugged in your environment. You know, one other thing that came up as we looked at this is there is another attack right now. This is a botnet called GoldBrute. And this is just drawing attention to RDP, in general. The fact that WannaCry was so successful at exploiting remote RDP services, you know, kind of points out the fact that, you know, there's a lot of public facing RDP servers out there.

And those are vulnerable to vulnerabilities like, you know, the eternal family of exploits that were out with WannaCry and NotPetya, again, now with BlueKeep. But in general, you should evaluate and, you know, figure out how is RDP pre-configured in your environment and should you be mitigating things further. So, GoldBrute, just to be clear, it's not a vulnerability. It is a botnet that is using brute force password guessing tactics to try to get into environments. And then, it's going to set up a command and control, you know, network to basically persist in those environments and wait for orders. So, this can be something where they're selling those systems on the black market or staging for something more advanced to come.

Currently, GoldBrute is targeting upwards of 1.6 million public facing RDP servers, and doing so rather stealthily. So it's gonna set up and, you know, have 80 different systems attack, you know, one single RDP server IP, to try to use a variety of them to guess, at trying to get through the firewall, rather than have one single point, try to guess at that and be caught more visibly by security deterrence. So, they're being stealthy about their approach in doing this. This is RDP, in general, is a common entry point for threat actors. For those of you who attended our SamSam webinars, we did a couple of variations on this for healthcare. And, you know, for government, this last year. SamSam is not only a Ransomware family but also the name of a threat group.

You know, in late 2018, there were a couple of Iranian nationals that were detained in collaboration with this. So, that group has been slowed down most likely, since that impact, but they were very good at using RDP as an entry point, to the point where they were making over $300 or $300,000, a month in ransoms paid. So rather than trying to exploit a vulnerability out of a system, you know, or phishing a user to have them let you in, they just brute force their way through RDP services that were public facing. So, you should be asking yourself right now, do you have public facing RDP servers? If you do, it's recommended to put them behind a VPN. Yes, that adds a layer of complexity and a layer of cost but it's too easy of an entry point. You know, doing things like turning on NLA to mitigate an attack like BlueKeep is also a good idea. Making sure that there's strong authentication involved there.

Also, enforcing good strong passwords and changing those frequently. Again, you know, those...what GoldBrute is doing, what groups like SamSam have been very effective at doing, is getting credentials for users in your environment, and then using those and you know, brute forcing their way into environments using that type of service. So, this is just a general kind of warning, this might be a good time to reevaluate RDP within your environment. All right, so just to reiterate this, no changes this month on this. But, you know, we've got a couple of changes coming down the road here. Windows 10 lifecycle awareness, version 1703, for those of you who are on EDU and Enterprise editions, October 8, 2019, is your date. Make sure to get off of that platform by then. 1803, November 12, 2019, is when Home, Pro and Pro for Workstation editions are coming up on their end of service for the 1803 branch.

All right, we're gonna get into our Public Disclosures now. So, all four of these public disclosures are all at the operating system level this month. All four of them affect the Windows 10 and later platforms, two of them affect pre-Windows 10 platforms. And we'll talk about those in a little bit more depth and correlate which ones are affecting which operating systems, as we go through the bulletins. But just to give you an idea of what these look like, all four of them are elevation of privilege vulnerabilities. This first one is in the Windows Task Scheduler. It's an elevation of privilege vulnerability that exists in the way the Task Scheduler Service is validating certain file operations. So, in this case, an attacker could successfully exploit this and gain elevated privileges on the victim's system to execute code.

So, if they got unprivileged access to the system, they can create that task within the Task Scheduler, that's gonna kick off a piece of code that they've developed to exploit this vulnerability. And in doing so, they will get the ability to execute at a higher privilege level. That one, by the way, is just on the Windows 10 and later platforms. This next one, publicly disclosed, Windows elevation of privilege vulnerability, this is in Windows AppX Deployment Service. So, AppXSVC and how it's improperly handling hard links. So, an attacker could use this to run a process in an elevated context, they could then get full access to the system to install programs, view, change, delete data. If they wanted to exploit this, the attacker would first have to gain logon to the system. At that point, though, an attacker could run a specially crafted application to exploit the vulnerability and get privileged access on that system.

So, you know, one thing to note here is in all four cases that we're talking about, these are not gonna be your first point of entry vulnerability. They're gonna use something that's more user targeted and able to be exploited remotely. In the case where they get onto a system and they don't have privileged access, these four vulnerabilities are the next ideal step. So, when you see things like they would first have to log on to the system, it's only...that only means that it's a stage of the attack further in. So they would have to do something else beforehand to get a foothold or to get access to that system. But this is where they're going to use a vulnerability like one of these four to get deeper levels of privileged access to that system, and then set up their persistence. Whether it's a backdoor, or you know, gaining access to credentials and running tools like Mimikatz to collect more, you know, credentials in the environment.

This is kind of that second stage vulnerability that they're gonna use to gain privileged access. This one, again, Windows 10 and later platforms. The next two here are all Windows, or currently supported Windows platforms. The first one here is a sandbox escape, Windows Shell elevation of privilege vulnerability. So, from a Windows Shell, normally there's a sandbox there that prevents an attacker from being able to do different types of activities. It keeps everything within that shell and limits what they're exposed to. In this case, the attacker could actually escape the sandbox and gain elevated privileges on the system. At that point, they could, again, get in start, you know, executing applications, you know, be able to change data of the system. At that point, they're no longer contained.

And the last one is a DLL injection vulnerability. So, it's a matter of...a vulnerability in how Windows Installer handles sanitizing of inputs. So, as an application's being installed, in this case, an attacker would have the ability to introduce insecure libraries that could let them load up additional capabilities that, at that point, would then be trusted because they've gotten past installing the application. So, you know, it's a way for either a persistent threat actor to introduce, you know, more tools into the environment so that they can do more. Or, in some cases, this can be used in like an insider threat where, you know, that person may not have privileged access. But with a vulnerability like this, they can run a specially crafted application that could allow them to introduce insecure binaries that allow them to do more on that system.

So, if you remember, when the Shadow Brokers released Vault 7, Vault 7 was a collection of applications that allowed DLL injection attacks. And each of those tools were designed for agents in the field to be able to gain a privileged level of access through the guise of an existing trusted application. So there were a variety of different tools in there and the ability to introduce insecure DLLs allowed that insider to be able to basically pull up a new part of that application that was introduced and be able to do things to gain further access on that system. So, the four of these have been publicly disclosed, that means that there is enough information publicly available now for a threat actor to get started on exploiting these. So, by the time an update was released, the race had already started. And the attackers have the advantage of time on their hands.

So, these are not necessarily going to be exploited, but statistically speaking, they are at a higher risk of being exploited than the average vulnerability. All right. So this month, if you were reading closely, there is talk of an Exchange update for June. This is not a regular patch or update, but an advisory. So, advisory 190018 is available this June. It's a defense in depth update. It's rather vague on the details and it does affect Exchange 2010 to 2019. There are some known issues associated with it as well. The biggest thing here is because they didn't really give much detail on what exactly it's doing, it's rather hard for anybody to understand what's going on. In fact, here is the advisory. So, Microsoft has released an update for Microsoft Exchange Server that provides enhanced security as a defense in depth measure. That's it. It's all the detail we got.

So, I saw some interesting exchanges on patchmanagement.org, you know, some people that were going back and forth saying, does anybody have any clue whatsoever what this is doing exactly? And nobody really has any details yet. There were a few that tried to reach out to the Exchange team at Microsoft, no word back from that, at this point. So, you know, this probably goes back to, you know, if you remember, back in February, there was the PrivExchange vulnerability that was so prevalent in the news. It came to light that there were a few different vulnerabilities that were, you know, exploitable to let an attacker become a man-in-the-middle attack directly in Exchange and be able to intercept emails, change them and do other stuff there, and also be able to gain access to the domain controller and do other things.

You know, the researcher that was bringing all this to light had been, you know, focused on Exchange for a while and, you know, talked about the risks of Exchange, how privileged of an application it is. So, my suspicion is, this is a continuation of Microsoft's attempts to try to mitigate or eliminate other, you know, security risks within Exchange Server. But the fact that they don't give us much detail about exactly what this is doing, makes it a little bit hard to make a decision on what to do about it. Now, if you look at the two KB articles, you've got a host of known issues. So, you know, there's a couple of different known issues here that, you know, could cause problems for you. So, before you take any actions on this, I would say go look at the articles. This one's for 2013 and 2010. This one is for 2019 and 2016. And determine, you know, are these known issues, you know, worth the pain in your environment, you know, or is this something that you don't want to do at this time.

So, that's about all we can give you for guidance on that one, just because, again, the vagueness of that defense in depth update. Okay, so we've been talking about this one for a few months now, the Microsoft transitioning from SHA1 to SHA2 code signing support for legacy operating systems. There is one change this month, Microsoft resolved an issue in... I was trying to highlight and it clicked instead, apologies there. So, in this advisory, Microsoft did a re-release of the Server 2008 SP2 SHA2 update. So, just to be clear, this is not part of the normal monthly updates, this is a separate patch you got to push. Microsoft is specifically resolving an issue around SHA2 support for MSI files. So, all these legacy systems, especially from legacy apps that use MSIs, this fixes a known issue with the MSI files being able to execute properly.

So, if you are continuing to run Server 2008, you do absolutely need to get this in place. And the next slide, we'll talk about the next round of dates that you really wanna be concerned about. But the 2008 SP2 update did get re-released because of an issue conflicting with MSI files on SHA2 signing. Now, we are coming up on June 18th. There's two sets of changes that are going to be implemented on the Microsoft side. Windows 10 updates are gonna be changed from being dual signed over to only supporting SHA2 on this date. There should be no need for customer action at this point for any of the Windows 10 platforms. But that's just a notification to you guys that, you know, if you did have anything that was still only SHA1 signed, that's gonna be a bit of a problem.

Now, in most cases, it's probably a legacy app that might not have even been supported on Windows 10. So probably not an issue there but just fair warning. Now, for those of you running on WSUS 3.0 SP2, this is the point where that will absolutely require SHA2 or updates will not be able to be deployed. So, this webinar is public, you know, we do have some non-Ivanti patch customers on here, if you are using WSUS 3.0 SP2 do be aware that these SHA2 certificate updates need to be put in place before June 18th, otherwise your July patches that you're gonna try to push out will not be able to execute.

All right, servicing stack updates. We do have a couple of servicing stack updates that came out this month. And just to give you a heads up on that, there is an update for Windows 10 1607/Server 2016. This is a prereq to be able to receive new updates. So, you must push that out. Now, this is obviously for the LTSB. So, for those of you still continuing on the long term service branch for this, that is a [inaudible 00:24:12] you have to have this KB in place. So, either the May or the June servicing stack update will fulfill the requirements. But without either of those servicing stack updates in place, you will not be able to get additional updates going forward.

Windows 10 1809 and Server 2019. This servicing stack update did get released this month. Right now it is not a prerequisite for being able to continue patching those systems. But, you know, best to get it out in a timely manner so that when Microsoft does make it a requirement down the road, it won't be a problem for you. All right, couple of development binaries. So, you know, we've just gone through our Ivanti Interchange events in both Europe and the U.S., and I've had conversations with a number of companies about this there. I just came back from London last week at the InfoSec conference and had a number of interesting conversations of the same sort there as well. I'm gonna keep on hitting on this topic until I feel like I'm not being asked the question or surprising people with it anymore.

But, for organizations that have embraced DevOps, if you're using...you know, integrating development binaries like Azure, you know, ChakraCore, .NET Core, you know, even the transition over to Java 11, there's no longer a JRE. So, you know, in that framework, you've got the .NET Framework, that's the equivalent of the...like if you're on Java 8 running or having the Java JRE installed at the endpoint where the application is gonna run. In both of those cases, every month, you can update the .NET Framework, you can update the Java JRE, and all security patches are put in place, but you didn't have to change the application. If you embrace .NET Core, or if you transition now over to Java 11, there is no framework at the endpoint that you update any longer, it's directly integrated into the application. What that means now is, your DevOps team is now responsible for updating the security vulnerabilities within that application.

So, for Java, that means that every quarter, when Oracle comes out with their CPU, their critical patch update, that means that your DevOps team has to take that, update the JDK...hey, JDK can be patched yet, we've got support for that. But you have to update the JDK first. And then they have to basically recompile the application so it takes the new JRE components that are now integrated directly into the application, that are now updated to plug those vulnerabilities and then redeploy that application. So, long story short, if you've embraced DevOps, your security, DevOps, and operations teams should sit down and have the conversation about how those DevOps delivered applications are being updated if they're integrating binaries like this.

Other examples of, you know, binaries like this would be things like Apache Struts, the component that was so notoriously brought up as the way that Equifax's breach occurred. Some patch administrator failed to update Adobe or Apache Struts, which was not the case because you would have needed, you know, a business analyst to evaluate the project, a developer to bake it in, QA people to test it to make sure it rolled out correctly. You know, there were multiple people that would have been involved with a decision like updating Apache Struts. So, you know, this is something where I've seen too many companies right now that haven't fully understood the implications of this. So, again, if you have any questions about it, let us know, we're happy to, you know, get on the phone with, you know, your teams as well and talk through the details of it. But this is a...it's a change that is being implemented because of the embracing of DevOps and other binary components like that. And it's one where a lot of companies are misunderstanding how security vulnerabilities are gonna be resolved going forward.

All right. This one...just to make sure we're still, you know, getting some questions out there as well about this, we did have a name change in one of our Ivanti Patch Solutions. Ivanti Patch for Windows is now Ivanti Security Controls. Got some great new features, expanding with a new module that's available for purchase in there if you want application control and privilege management alongside your patching capabilities. The patch part of this, if you're a patch for Windows customer, today, you get free upgrade to Ivanti Security Controls for the patch module. With that, you're gonna get access to a really cool new feature called CVE Import, and also our Red Hat Linux support. If you've got server [inaudible 00:29:03] available, just like a Windows Server, you can now support a Red Hat Server.

So those capabilities are included there for you and the upgrade is free for the patch module. Additional flavors of support will be coming soon for CentOS followed by macOS followed by SUSE, and additional ones to come. So be on the lookout for that. But that's one of the reasons for the name change. The other is the fact that we've added a new security module in there. So, patch obviously is no longer, you know, a good name for this because it's now multiple security controls, multiple platforms. So, that being said, just wanna make sure that people are aware of the name change. It is still the same product base underneath. Your upgrade will be the same kind of easy, you know, download the installer next, next, next, done, no real concerns there.

If you like our Patch Tuesday Webinar, and you wanna get more weekly updates, Brian does a weekend review of each week, of what we release for patching. Gives a lot of the same type of detail, you know, what's in the news, what are big security issues coming up, things to know about different updates, known issues, things like that all come up. And that's that Weekly Digest that you can check out on our website as well. And our content announcements, again, we made a change just recently. We've not heard a big outcry or anything from our customer base so we feel it has gone off without a hitch, very seamlessly, and nobody really noticed the difference. If you go looking for those content notifications they're on the new community. And, you know, they're basically just, here's the breakdown, content notifications for Endpoint Manager, for Endpoint Security, for ISEC or Patch for Windows, whichever name you're under, and for our patch for SCCM plugin as well.

So, if you did happen to get a disruption in receiving those notifications, this is where you can go to re-sign up for that. Just make sure that people are aware that that changed. We're probably now two months into that change and things seem to be going quite well so should be good there. All right, Brian. You are up, sir. I'm gonna hand you keyboard and mouse access there. Yep, go ahead and close the participants window there, otherwise we're gonna have a gray screen on everybody's view.

Brian: Oh, let me do that.

Chris: Let me take control here for one second. There you go. Now everybody should be able to see a full screen again. Go ahead.

Brian: Are we good now?

Chris: Yep.

Brian: So, just letting you guys know, during this bulletin time I know that you guys do tend to have the most questions so I'll try to get through this quickly so I can answer those questions. And forgive me, I'm not as smooth as Todd but we'll get through this. Clicking, there we go. All right, so for our first bulletin, of course, we have our usual Adobe Flash Player. This first one is APSB19-30. This is the one supplied by Adobe themselves. This is...there are three different types of Flash that are released here. Flash for Internet Explorer, for Windows 7 and earlier, NPAPI was for Firefox and PPAPI for those that run it independent of Chrome. If you do have...if you just run the built-in Chrome one that should update automatically. This is rated as critical. There's only one CVE but considering there's remote execution, it is critical. So make sure to get that in there.

Of course, we have the corresponding Windows package update for Adobe Flash Player. This affects Server 2012 and all the way to the latest version of Windows 10. Exact same CVE, just make sure to include this in your patch group. This is under MS19-06-AFP, as opposed to the APSB. For our next one, we have a Windows 10 update. So, the Windows 10 update affects all versions of Windows 10 from 1507, those that are running LTSB, up to 1903. This will be their cumulative of course, so that includes IE and Microsoft Edge. Flash is separate though. There are 60 vulnerabilities total in all of these, and, of course, the four publicly disclosed vulnerabilities are there as well.

For known issues, we do have quite a long list here. So the first one is for 1607 Server 2016. This is for SCVMM, and the issue is around networking and logical switches. So, the best workaround is doing some modification to the SCVMM environment. The next issue is one that we've seen quite a bit, or things related to it, which is the cluster service may fail to start with a "password too short" error if the Group Policy minimum password length is configured with greater than 14 characters. So, the best workaround there is to set the domain default to 14 characters and...still working on a resolution around that. The next issue is around file rename. This issue has plagued us for a while. This is on Cluster Shared Volumes and renaming, you can run into permissions issues. So best workaround on this is use elevated privileges. That's kind of the best option right now. Again, Microsoft working on that one, but we'll see it throughout the other patches.

To continue known issues. This one I did see on the Reddit Sysadmin and other forums. After installing the 1607 Server 2016 patch, this June one, you may run into issues for Hyper-V hosts that have BitLocker enabled. This is definitely a bigger problem. We do have a link here for some workarounds. But just a heads up to those, you may wanna test group especially those Hyper-V servers. The next issue for 1607, still 1607, is on AD FS. This may run...you may run into an issue here when using an IFRAME during non-interactive authentication requests. The best workaround here is to modify kind of your configuration on your AD FS. So, again, if you have AD FS 2016 on these endpoints, make sure to look at that configuration change.

So, now we've got over all the main issues, we should see these old tags for file rename or ADFS, etc. On pretty much all Windows 10 there will be that same file rename issue for character...when your password's over 14 characters and you'll need to do the same fix for kind of any version around that. So, for 1803 and 1809, since it was plaguing us so much, the PXE start issue...so that was under Windows Deployment Services. They did a security fix there. But it caused some issues for PXE boot, for a lot of endpoints. So that does appear to be resolved, so good news for you that we have no issues there.

And then for 1803, again, the filename was fixed. For 1809, and this is Server 2019 as well, PXE start, which I assume you'll see more on Server, it's fixed there. And then file rename was also...is still a problem. So, one issue that is coming up from last month is that printing issue for Microsoft Edge or UWP applications. You'll receive an error where...a configuration problem for the printer. So, the workaround, unfortunately, it's just using another browser such as IE, Chrome, Firefox, etc. But that may cause a bit of an issue for UWP applications, but, hopefully, you'll be able to press print to PDF, etc.

Another issue that does appear to have [inaudible 00:37:14] is around Asian language packs. We're running into an error, PSFX_E_MATCHING_COMPONENT_NOT_FOUND. Uninstalling and reinstalling the language packs after, or select check for updates, and then the April 2019 update should fix it. Last but not least, for 1903, this was one issue that I think reared its head during the mid-month cumulative for 1903. One new feature of 1903 that's really cool is Windows Sandbox, lets you spin up a little kind of clone in memory of your environment so you can open things securely, etc. It does appear that there's issues with Windows Sandbox with these latest updates. So, hopefully, we'll see a fix. I thought they had fixed it but it looks like it's come back once again.

Next, we have IE for this month. This does affect IE 9 through 11, 9 for 2K8 SP2 and 10 for 2012 R2. There's also...they also released an additional update for Server 2012 and IE 11 since currently those are both being supported at the same time. Seven vulnerabilities here and so marked as critical. The next I'll be going over kind of Server 2008. First, I'll go over the rollup, then the issues and the security only. So just to give you that flow. So, for Server 2008, this is the monthly rollup, so this will include security and non-security fixes going back. So, if I [inaudible 00:39:01] trying to get some up to date real quick, I would use that monthly rollup. This includes quite a few improvements and fixes that were on the mid-month quality preview. So, here we'll have 36 vulnerabilities fixed in the security only, as well as the seven including IE. So, just to add up, this will include the IE 9 patch as well. I did notice in testing that they did increment [inaudible 00:39:32].

It also...this also does include the latest ZombieLoad vulnerability fixes, etc. This is just the software side. So, just a heads up for those that do...that want to get [inaudible 00:39:48] on this, you will need to look to your vendor for firmware updates, etc. For known issues, they're pretty much exclusively assigned to this servicing stack update. So, if you're ever installing the servicing stack update alongside either the monthly rollup or the security only update, you may run into an issue where your restart is stuck on stage 2 of 2 or 3 of 3. This issue we've seen on Windows 7 as well [inaudible 00:40:18] and now Server 2008. If some of your end-users see that, just pressing Ctrl+Alt+Delete should only occur...you should be able to log in and be good to go.

One thing I haven't mentioned there to prevent that issue. If you do install the servicing stack separately from the security only or monthly rollup, you should avoid this. So, if you do want to reduce your [inaudible 00:40:41] that would be a good way to do that. Next is the security only, this will only include the security fixes for the month, and that is the 36 vulnerabilities. This does not include IE, so you will need that separate IE patch if you're looking to have that smaller footprint. This does include two of the publicly disclosed fixes. And then we should have the same security fix for micro, sorry, ZombieLoad, the microarchitectural data sampling. And then this will have the security fixes that were also included in the MR.

Next, for Windows 7, we will have the monthly rollup first. This has a few more CVEs, 40 CVEs plus the 7 IEs. And again, two of the publicly disclosed vulnerabilities will be here. This does address an issue with HTTP and HTTPS string character limit for URLs when using Internet Explorer. I believe this was related to the issue that we were running into from last month where end-users were having problems accessing the UK gov websites. There's actually a non-security release mid-month to try to fix around that. So, for known issues here. First one, McAfee, this one has been following us around for quite a bit. Looks like there's still some performance issues, and also perhaps some unresponsive aspects. I haven't read it...this is kind of related to Sophos, I haven't read it much around the unresponsive aspects of McAfee, but Sophos had an issue for the last two months. Currently, that's not in the known issues. But do keep an eye out for that if you are running Sophos because I'm sure you've dealt with some of the issues, especially while trying to get the BlueKeep fixes out.

There's another issue with Internet Explorer 11 around Power BI reports, very specific ones that have line charts with markers. Really, the best fix around this is to modify your Power BI report to be more compatible. Hopefully, we will see a fix mid-July, so maybe...not even the next July Patch Tuesday but when they do the quality preview, not security rollout, mid-month. Of course, with the MR we have our security only. So this just includes the vulnerabilities and [inaudible 00:43:15] those non-security. So, for example, if you're having issues with the IE and UK gov websites, you may need to install a non-security alongside it. This does have those two vulnerabilities, those publicly disclosed vulnerabilities. And again, the same 40 vulnerabilities fixed in the monthly rollup.

Moving on to Server 2012, this monthly rollup for Server 2012. And this will have the 32 fixes plus the 7 IE fixes just like 2008/2008 R2. This will have two of the four publicly disclosed vulnerabilities. This does address a security vulnerability between Windows and Bluetooth devices. I was reading about this on the Reddit Sysadmin. No one was mentioning that they're running into issues yet for those that are dependent on Bluetooth connection but definitely something to keep an eye out. 2012 is also fixed, addressing an issue with that PXE boot that we mentioned on Windows Deployment Services, so you should see fixes there. For known issues, the first that...we usually see this repeating over some of the previous ones. So, first, we'll see the IE with Power BI. Again, the best fix around this is to remove showing markers and hopefully we'll see a fix in the future.

And as I mentioned in the previous slides, PXE start issue should be resolved, but that file rename issue should still be present kind of throughout the line. Same for the security only update, doesn't appear that...IE issue is present in the security only. But you should have the PXE start issue resolved and the file rename issue will still be present in the security only update. And here's the security only update for Server 2012. Again, this addresses that issue for PXE, as well as fixes that issue around Bluetooth devices. So, if you are dependent on the Bluetooth devices, definitely recommending checking that when you roll out your test group. This fixes 32 vulnerabilities, does not include the IE vulnerabilities. We'll need to deploy it separately.

Of course, for 2012, one thing to keep in mind, if you have rolled out IE11, the monthly rollup does not include the patch for IE11. It only includes for IE10 at the moment. Once they do the hard switch to IE11 that should change, but you will need that separate IE11 patch if you are doing that monthly rollout, and you've already rolled out kind of IE11 to test groups. Moving on to 8.1 and 2012 R2. This includes 29 fixes, a little bit less than the ones previously. And the 7 IE vulnerabilities, 2 of the 4 publicly disclosed vulnerabilities are present here. This addresses some of the Bluetooth issues that we had previously. But again, there may be some further Bluetooth issues with the new fixes. PXE start is also fixed here. Same issue with IE that Windows 7 was having is fixed in the monthly rollup. For known issues currently, fortunately, nothing net new from what we brought up previously. But you should see the PXE start issue resolved, the file rename issue is still present. For Windows 8.1, the McAfee performance issue, perhaps even booting issues, may be present here. So, if you do run McAfee security software, please, please make sure it runs as a test group and seek out McAfee for more guidance on this. Hopefully, they'll be updating their software to be more compatible with these newer updates. And then, the IE11 issue regarding, as I mentioned, accessing certain websites is still present. That's where the monthly rollup will resolve that or writing the latest IE fix because as it is [inaudible 00:47:33] should fix it.

The security only update. This just doesn't include IE and again, so those non-security fixes. This has 29 vulnerabilities, 2 of the 4 publicly disclosed. And again, just some of the same fixes that the MR included. Now moving on to Office. Office was super light this month with only three main patches for Office 2010, 2016 and 2019. This included three vulnerabilities. And just marked as important but they are remote code execution vulnerabilities. You'll probably notice these most in...these are usually exploited through kind of phishing attacks, opening files, etc. So definitely good to get this fixed as soon as possible. This does also include macOS. For those that don't have the MSI install of Office 2010, 2013, 2016, a full build was released for Office 365. Make sure to get that rolled out. This doesn't include two of those vulnerabilities as opposed to the three, also marked as important.

Next, we deal with SharePoint. There were quite a few SharePoint patches going from SharePoint Server 2010 to 2019. This affects Word Server, Project Server, web apps, and I believe, SharePoint [inaudible 00:49:10] on a couple of us on the specifics. This has fixed six vulnerabilities also marked as important.

All right, giving it back to you, Chris.

Chris: Thanks, Brian. So, we are getting down towards the top of the hour here so I'm gonna move through this pretty quickly. But we've got a lot of what we call Between the Patch Tuesday. This is security updates that came out in between so you can see here Apple iCloud, VMware Workstation, Workstation again, Firefox ESR, regular Firefox, Google Chrome, and iTunes, all released security updates in between the last Patch Tuesday and this Patch Tuesday. So make sure to bring those all into your regular updates process this month, if you haven't already patched those. And that's also one thing that we often talk about in regards to patch frequency. So if you want to try to patch, especially the browsers, more frequently, that is a very good reason why you should do so. It's those...you know, Chrome and Firefox both had a number of vulnerabilities that were resolved outside of the regular Patch Tuesday release.

All right, Q&A. I'm gonna try to get through this as quickly as we can to answer everybody's questions.

Brian: Yeah, going through these as fast as I can right now. Have you just...because we did have one question, any issues reported on upgrading to Ivanti Security Controls from patch for Windows? And I was mentioning I hadn't read about too many. I know 2018.1.1 fixed one...one issue that we fixed real quick. But I haven't really read too many outside of that. Have you?

Chris: Yeah, no, not too much there. One thing that... I'm actually going to visit a customer here in about an hour or two to talk about a couple of things, but they actually just did the upgrade recently. So, one change that might affect some of you is if you're using agents on Server 2008. We did have a change there. So, if you're doing agentless, not a problem. But if you're doing an agent on Server 2008, you know, that's a case where right now the agent does not support that because of SHA-2 signing. Because Microsoft has since made some additional things available to make it so we can support that, we're going to look into that. But currently, it's not supported for Server 2008.

One of our other viewers, Ken, who's a long time customer here, he said that he has already upgraded and no problems there. Awesome to hear. Thanks, Ken. Yeah, but in general, we've got...probably getting close to the 30% mark now, at this point, for total customer base having moved up to the latest version with... I mean, when we do this, we keep in regular touch with our support teams, and we watch for any spikes in upgrades or anything like that. And it's basically been the typical stuff we would expect, you know, where do I get the installer? Hey, I've got this question about patch for Windows, where do I find that? Oh, it's Security Controls now. Most of what we've seen so far has not been too big of an impact.

Paul has a question, does Ivanti Patch for Windows support .NET Core? So, Paul, this is where I was talking...very early in the presentation, when I was talking about development binaries, we support .NET Framework, .NET Core is a development binary. So, that's something that your DevOps team has to integrate directly into the application, or whatever vendor you're getting that application from, they have to do that work. You can't patch Core, it actually has to be like...a developer has to run a new build process after updating their development environment. So they basically...

Brian: [inaudible 00:53:05]

Chris: Yup, they have to... They basically have to update the .NET SDK. And then once that's updated, they rebuild...they basically run a new build of the application. And that integrates the updated components of .NET Core. So [crosstalk 00:53:24]

Brian: I'll just add one thing, Chris. Microsoft has done a good job with .NET Core as opposed to some libraries, kind of containing it in just a nice deployable EXE to update those libraries on development endpoints. That is something we are looking to support. It does look to be deployable, but [inaudible 00:53:43] to be deployable, I don't wanna make a promise until we have a look, right? It is in our queue, and we are going to have a serious look at it.

Chris: Yup. And the same thing for things like Java 11, we would be able to support the JDK environment. That's the developer side of it. Once that's updated, the developer then just runs a new build and the new components of what used to be the JRE are baked into it so it can be redeployed. So that's something where I feel like there's probably a need to do maybe even a short webinar on this. So Brian [inaudible 00:54:19] that's something we should probably queue up for more discussion, possibly some blog posts, and, you know, do something more around that. Because I think it's...this is...it's a pretty significant change and it's a blind spot for most organizations. You know, most of you are not...you're not developers, you're not going in and, you know, dealing with these components.

So, understanding a change like this is something that most vendors have not done a very good job at communicating out. And most developers don't take those things...those type of things seriously. So, I think it's a blind spot at an industry level, and something that I think we need to, you know, do a little bit more messaging around to help people understand it better. All right, let's switch over to the Q&A. What else do we have, Brian? That's a good question that people are asking right now.

Brian: I'm just reading real quick. So what...one question I did have is, for the Office 365 update, is this strictly client endpoint patching or is this applicable to any of the hosted Office 365 instances? Just to give you guys clarity on that, that is just for the on-premise installs. So we...for your cloud instances you should be just fine. So, it's just for Word, etc., on those endpoints. One more question I had was around adding Lync Server and Skype for Business Server 2015 updates. Yes, we should be releasing those within today or tomorrow. They weren't available. Afternoon, the URL kept returning 404. Noticed that it was available this morning. We should be running through that shortly. So thank you, Mike. We should be getting that out shortly. Awesome.

Chris: There's some questions around 1903, Brian, that I think...you know, there's a question of public availability, which looks like you've already addressed. That came out on May 21st. There's also a question of some known issues and things like that, are people still having issues? So, you know, there are some things that were existing previously, some of those same known issues still are out there. The one that I've been seeing talked about on patchmanagement.org and a few different news posts as well, is there's a change in behavior of the branch upgrade deferment, the settings around that have changed.

So, if you were used to being able to go into the deferral settings and being able to defer a branch upgrade for 365 days, that behavior has changed. And it's kind of unclear exactly, you know, what the behavior should be now, but there is a basic setting of up to 35 days that you can defer, at a user level. There is the ability to turn on some things through Group Policy and through registry keys to go back to a longer time period. But it's...that's probably the one thing that stands out in my mind right now as you're upgrading to that, those branch upgrade deferrals, that behavior has changed.

Brian: I'm getting one more link for a customer, but I'm not seeing too much outside of that. How about you, Chris?

Chris: Yeah, most of the rest of the questions are pretty standard. There's one question here about discrepancies between Patch Management Solutions and Vulnerability Management Solutions. You know, this is something where we...there's a million and one ways that this could differ. Now, vulnerability management and patch management assessments operate at different levels. A vulnerability management vendor, like in this case, the example that Ryan threw out was Rapid7. They are looking for different things than we look for when we're looking to patch something. When you're trying to patch an application, you need to look for existence of that application, find out what version it's at, even interrogate file and registry level details, which...those are many of the same things that a vulnerability vendor would do. But at the end of the day, it has to be a valid installed application, that's a...you know, fits a certain profile for detection and can be updated.

You know, there's...for vulnerability assessments, if an application doesn't do a very good job of cleaning up after itself, leaves like files and stuff on disk, it is possible for a vulnerability solution to still say, "hey, looks like you're vulnerable to this, you know, legacy vulnerability." Well, there's no patch to apply for it because it's really just a bunch of loose files on disk. The OS will basically not even acknowledge that that application's there. We've seen that with things like Java, Java DLLs, where a developer baked in a Java DLL directly into an application, and that's just a loose file on disk that gets linked in when that application loads, but there's no JRE actually running on that system.

The same thing is going to be said for things like .NET Core applications and Java 11 applications and other things like that. A vulnerability assessment engine should be able to pick up that those development binaries DLLs are there and detect that there's a vulnerability. But a patch solution won't be able to see it because .NET Core and, you know, Java 11, don't have an updatable...like a patchable component, it has to be something that gets deployed again. So there's...Ryan, there's some differences there that can be problematic at times. If it makes sense, you could reach out to us and we can get on a call with you and review results from both, and try to, you know...go through with both you and you know...depending on which side of the action you're on, security and operations, bring both groups to the table, and talk through differences and help people understand that.

So we talked about .NET Core already. So we're looking at supporting the SDK level. That's something that, again, until we validate, we can properly get access to it all, update it seamlessly and do it [inaudible 01:00:46], we can't commit that that will be in there. But we're looking at .NET Core SDK support. That way, you can update the SDK, and then the developer can deploy the updated application. But again, there's that...there is a step in there where the DevOps team has to do their part. All right, [inaudible 01:01:01].

Brian: Just to drive it off, we did have one question in at the end, asking, is Security Controls a separate product that needs buying or is it upgraded patch to be included with our plan?

Chris: Yeah. So it is an update or...for anybody who's a Patch for Windows current customer, the upgrade to Ivanti Security Controls is no additional cost. You'll have access to the patch module of Security Controls, just like you always would. It's just a name change for that. Now, there's new modules that'll be coming in there. So the first one is our app control and privilege management module. Purchasing that module is an additional purchase. Device control will be coming next and other things down the road. So there are...you know, the patch module is what you're entitled to today. Now, things like Red Hat support and when we add CentOS, when we add Mac, those are just new flavors that are supported. So a workstation seat or a server seat is interchangeable between Windows and non-Windows platforms that we support within the product.

So, after you upgrade to the version of Security Controls, you can actually use a server seat to patch a Windows Server or a Red Hat server. When we add CentOS, same thing there, a server seat would be able to do both. When we add MacOS, a workstation will be able to do a Windows or MacOS workstation and so on.

Brian: All right. I don't see anything else, Chris.

Chris: All right. We made it through, perfect.

Brian: [inaudible 01:02:31].

Chris: Yup, was fairly smooth. All right. Well, thanks everyone for joining this month. Again, for our regulars, we're always glad to see you come back. For everybody new to the webinar series, thank you for joining us this month and we hope to see you again next month. Thanks.

Brian: Thank you.