March Patch Tuesday

March 13, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.


Chris: Hello everyone and welcome to the March Patch Tuesday webinar. My name's Chris Goettl and I'm actually live in Madrid with a room full of attendees at our Ivanti interchange show here on the line. I've also got Todd Schell. Todd, how are you doing today?

Todd: Doing great, Chris. Thank you very much.

Chris: Excellent. And also joining us here as usual, we've got Erica and Brian who are always supporting the call here and making sure that everything is running smoothly. Thanks for joining. Okay, so let's go ahead and get started. We're gonna start off with a quick overview of what released on Patch Tuesday. We'll talk a little bit about some recent news and things going on, a few things to look for on the horizon as well. There's a couple of changes coming down the road that you'll want to be aware of and then we'll jump in and Todd's gonna walk us through this month's bulletins and throughout we will have time to do some question and answer. So if you do have any questions, go ahead and start posting those into the Q&A section. And we'll be responding to those throughout. And at the end we will go in and reveal a bunch of the common questions that everyone's gonna want to hear answers to. All right, on that note, let's go ahead and get started.

So this month we did have 16 total updates that we're really tracking. 12 of those have vulnerabilities that are user-targeted. We do have two zero day vulnerabilities that we're gonna talk about today. These were actively being exploited. And there was actually another Google update that happened at the start of the month that included a third zero day that's related to those two. So we'll talk about that and some of the things that happened around that. Adobe, surprisingly the Flash Player update this month did not have any security vulnerabilities in it. This is a pretty rare occurrence that we don't have anything security related in Flash Player. So best to make sure it's up to date because they have had regular security updates. So if you're not sure of the state of that, best to just approve it and make sure that all your environment is up to date. But that one is vulnerability-free for this particular update.

Google Chrome did drop late yesterday 16 vulnerabilities resolved in that release. We'll talk about that a little bit more. And then we've got our normal lineup of Microsoft updates for the OS browsers and Office and SharePoint. Most of those are rated critical. There's a couple of them that are not...or rated as a low, they don't have much of a security related update in them either. So that's the quick review. Talk a little bit about some of the news that came around. So the first one I did wanna talk about is this Google vulnerability that was discovered. So this was, an attack that happened in the wild. Chrome zero-day that was used together with Windows 7 vulnerability as well. The two of these together allowed an attacker to be able to bypass this sandbox functionality that's supposed to be built into the operating system to keep browsers from being able to access system level files, which resulted in...see if they got the full details in here, otherwise I know they've got it in the Microsoft post, but the Google CVE is posted here, this CVE-2019-5786.

There's two Microsoft vulnerabilities also relating to this, which are the zero days on the Microsoft side, which I'll show you guys in just a second here. But the two of those together where what they used, so if you just did Chrome, you still have to do the OS level vulnerabilities in the Microsoft updates this month. Biggest thing there is, you know, if somebody works or takes another browser that hasn't fixed potentially a flaw in their browser level that they exploit that, if the OS level of vulnerability is not in place, it's possible. So best to get them both in place and quickly. that nobody can take advantage of this. They originally thought that it was only affecting Windows 7 and Server 2008, but the second zero day that Microsoft posted actually affects Win 10 and later systems as well. So it does look like all operating systems were affected prior to earlier information, which thought that Windows 10 was unaffected. So at this point best to do everything and make sure those OS updates are in place and be sure you've got that plugged. The misinformation seems like somebody didn't have all the facts yet. They found later that yes, there wasn't variation that could be exploited in Windows 10.

So let's go into the next article I wanted to talk about. I think it is. Yeah. So if you guys remember Meltdown and Spectre. So Sun hardware vulnerabilities that we've been dealing with for so long. Google has actually been working on a new way to mitigate Variant 2 of the Spectre vulnerability. And if you guys remember, after putting that update in place, if you turned on the mitigation, there were certain workloads that saw a performance impact after turning on the mitigation. So Google has actually developed a way to implement that mitigation without taking the performance impact. So Microsoft and several other vendors have now gone back and updated the mitigation around that so that they can take those they do impact as well. So this ZDNet article talks a lot about more, you know, so as you could see here, several other platforms have also been adopting this Retpoline fix that Google has developed. So this is also in this month's release here so that the Microsoft platforms and take that change into effect.

Now, one thing to note is for all you gamers out there, the patch is not without some other issue. Let me see if that actually can come on. Hold up page, didn't have this page loaded for some reason. There we go. So the update when you apply was the same article. I didn't have that link. There was another link in here where, if you're running this on a system where you're doing a video game or other things, there's a series of other known issues with this update that includes that Retpoline performance increase. That's posted here somewhere. We'll find it at some point. It is in one of these tabs up here,

It has several known issues. One of them is it can impact graphics and mouse performance, it also has an audio driver incompatibility. There's a few things in this Retpoline KB that you'll want to test out and make sure are in place. So what I would recommend for right now is if you had systems that you know were impacted by that Spectre 2 Variant mitigation, test this update out with those, you're most likely not going to be playing Destiny 2 on those systems. So probably not gonna run into the types of performance issues that people are seeing with that KB article. If you're looking at other systems where audio drivers, mouse and graphics drivers could impact that could be bad, it may be best to hold off on this until those performance issues, those known issues are taken care of. So that's the news around that Retpoline update. But the good news is there's people still actively trying to make sure that as we put all these mitigations in place, we're not impacting and causing performance issues on our systems. So, going back to here.

So any of you who are members, if you're not aware of this, this was originally posted by Shavlik many, many years ago and it's still being hosted by Ivanti. We are going to be moving away from the old listserv technology that we're on right now.. It has some limitations, it's not well supported anymore. One of the biggest ones that we're running into is as companies start to implement better and better security features around email, things like DMARC, listserv does not support that. So we started to get a lot of feedback from our members that they were no longer able to receive updates through their work emails and some of them, even their home emails as other vendors like Gmail and others will be starting to enforce DMARC and other security features. So we are making an active move to switch that. You guys will be seeing some notifications coming through soon. You'll find you have the switch. We're actually gonna move over to Google Groups and uh, you'll be able to subscribe there again and we'll have a transition period where we should have uninterrupted continuation of service there before we turn off the listserv. But this is just a heads up that those notifications should be coming soon.

All Right. Okay, let's start talking about the Microsoft zero-days. So these are the two, OS level vulnerabilities that Microsoft identified and has resolved relating to that Google exploit that was done in the wild. So the CVE 2019-0797 and 0808. So let me pull up those pages quick and we'll read through. They're pretty identical, so I'm just gonna read through one of them and we should be covered there. But basically this is a flaw in win32k that could allow an elevation of privilege. So a vulnerability exists in Wndows win32k when, basically there's improper handling of objects in memory. If exploited, the attacker could run arbitrary code in kernel mode. So yeah, they [crosstalk 00:10:08] system at that point. So the OS level of vulnerabilities, to exploit those without a browser in play, the attacker does have to log onto the system and then run a specially crafted application to do that.

Now, the way that the Google Chrome combination works is they were able to use the browsing experience there to have the user execute the malicious code for them to exploit the vulnerability. So that's why getting the OS level of vulnerabilities is very important. That way you plug any other browser from being able to potentially open another avenue to exploit this. On their own, these two don't look that frightening unless there's an attacker in the environment. So an advanced persistent threat, somebody in your environment could take advantage of these if you didn't do that. But in that browser combination, it becomes a lot more deadly because they can exploit it just by getting a user to click on specially crafted content.

So the 0797 is the one that actually lists that it affects all Windows 10, 8.1, Server 2012, 2012 R2 all the way up through the server 2019 family as well. So again, the early news show that the Google exploit was only on Windows 7, but both Windows 7, 2008 R2 and the later Windows families all have the OS level vulnerability. So best to get all the OS updates in place and make sure that that's plugged this month. And like I said, the 0808, the same vulnerability, just a matter of the platforms affected. All right.

Okay. Going on to the next, we've got a few public disclosures to cover this month as well. There were four of them in total. This first one is fairly similar to one we've seen before. It's a vulnerability in Active Directory that could allow an elevation of privilege attack as well. Basically, this is trusts across Forest. You can basically from one Forest request an identity from a trusted Forest and be granted that identity and in a way where you should never have had permission to do so. The version or the variation we saw earlier was a service in the trusted Forest to be requested for some action and it would grant that action to somebody who should not have been trusted. So it looks like they've got a few things that they're still cleaning out in this type of cross Forest exploit. But this is, you know, want to make sure to get resolved in your environment in a reasonable time. No Active exploits right now, but there is a public disclosure so people know about it and could start the development of that.

The next one here is Windows Denial of Service Vulnerability. This is in how Windows is improperly handling memory and could cause a target system to stop responding. They would have to log on to an affected system and run a specially crafted application. So in this case, if they've got access to that system, they've logged on, they've got the ability to do other things, the circumstances to want to do a DoS attack at that box at that point have to be pretty specific. So again, probably not one to urgently go get it in place right now, but you know, best to just make sure it gets...resolve that in a reasonable time frame. Now since it's at the Wndows level, the OS update you're already worried about for the zero days is the same one. So we'll be resolving it all at the same time.

But this next one is actually in NuGet. This vulnerability allows an attacker to tamper with a NuGet package before it's packaged up and then delivered back into the ecosystem to be used by whoever is subscribing to it. So this could affect NuGet package manager for Linux and Mac. It allows an authenticated attacker to modify a NuGet package's folder structure at that point. They can change it in a way where when it executes later, it could do unexpected things that the designer of that package didn't intend. So again, probably it's very difficult to do. It's a type of exploit that would take some well calculated forethought on the side of the attacker. But attacks like, not in NuGet, but attacks like this have happened before.

If you guys attended our webinar about Petya a while back, one of the things that that threat actor did when they launched their initial attack is they actually targeted one of the two tax vendors for the country of the Ukraine. They broke into their environment and they actually preloaded malware onto a software update that then got distributed to a wide number of businesses throughout the Ukraine. So that type of premeditated attack could, you know...if somebody were to look around and say, "Okay, my target audience is this," and there is a NuGet package that, you know, a lot of these companies are gonna be using. That could be a way for them to pre-stage a very broad spectrum type of attack like that again. It doesn't happen often, but it's an interesting and kind of sneaky way to do a very large, broadly spread attack very quickly. Again, very hard to execute, but something you wanna look out for and get that resolved.

The next one is a publicly disclosed vulnerability in Visual Studio. This is in how the Visual Studio C++ redistributable installer improperly validates input. So you could introduce a malicious DLL and the redistributable would accept that and the attacker would then be able to do additional things that they should not be allowed to do. If you guys remember, there was a huge leak of information called Vault 7. You guys remember that one? This had a number of tools that were created for agents in the field, NSA agents in the field. And what they gave the attacker the ability to do was basically introducing malicious files, like a DLL into applications that could be exploited like this. So tools like that can be used by an insider to gain levels of access to the system and be able to do bad things in there where they should not have been able to do that. So that's what this type of vulnerability is really concerning about is that type of insider threat. If there's a threat actor in your environment, they could also take advantage of this if they happen to find the right combination of applications in there as well. But that's how this could be taken advantage of.

All right, so this is one to watch out for. This is a bit of news that you'll need to worry about towards the middle of the year. For those of you running Windows 7 or server 2008 R2, Microsoft is gonna start signing their updates. They're gonna dual sign for a period of time here, SHA1 and SHA2. By June they're going to stop dual signing and they're going to only be signing with SHA2. So for any of you who are using, especially WSUS or Windows Update, those systems would basically stop being able to update if you have not done this additional KB, this 4472027. So this month you have to do your Windows 7 updates and you want to do this KB to make sure that you've enabled Windows 7, Server 2008 R2 to accept SHA2 updates as well.

We are already going through and validating all Ivanti patching technologies as well to make sure that we should have no issues with that change over one of the curves, but best to get that update in place. So that when June comes around and they dropp the SHA1 signing, you're in place and ready to go so you don't have any disruption in patching. They do talk about this in this advisory 0190009 they talk about the advisory there and then the KB download is here. We will be adding this into our Ivanti Patch Catalog as a security update. So you guys will see it as part of the regular security channel updates. We've made that decision because, you know, this could disrupt the ability to get security updates. In itself, it doesn't apply any security, it doesn't plug any security vulnerability, but it could down the road prevent you from getting security updates. So that's why we classified it that way.

All right. We do have another servicing stack update. So if you guys remember the servicing stack updates are another one where you do need to get those in place. Microsoft basically introduces these two updates to their update infrastructure, how the update services on the box work. Even though Ivanti products don't utilize, you know, Windows or WSUS or you know, their update services other than to execute, the execution of a patch does still go through those services to basically read the manifest and do all the right things. So this is something you wanna do. Make sure to get the, if you're on Windows 7 and Server 2008 R2, get this KB in place so you've got the latest servicing staff update for that. The page there, the advisory does go through the details of what the latest servicing stack update is for each of the OSs, this has kind of been spread across the last six to eight months with different OSs releasing newer service stack updates throughout that time period. So if you haven't checked up on those, go take a look at that article and see what level you should be at for each OS. All the way up to the latest Windows 10 versions. There are servicing stack updates for pretty much all of the operating systems. So this is just the latest in that line of servicing stack updates.

All right. So this next one, you know, for those of you on the phone, we actually had a session here at Interchange round patch management best practices. And one thing that we stress in there is you've got a lot more of your organization embracing dev-ops integrating with development binaries and these, you know, can't be patched through normal means. There's not just, I can't go and download .NET Core and just double click it and it's going to update on that system. You actually need a developer to take that new version of the binary and integrate it into your application and push a new version of it. So these types of vulnerabilities can come up pretty frequently. I would say that more than half of the Patch Tuesdays in 2018 saw at least one of these types of binaries get updated, you know, .NET Core, ChakraCore. Java is moving to this model as well with Java 11. There's no longer a JRE independent of your Java developed applications. Now you build the Java application in the JDK. When you build that application, all of the pieces that you need are included in it. So you don't update the JRE separately anymore. But that means that when the new version of Java comes out, the same deal, you have to go and push that new version of the JDK. The developer then has to build the new package with those security vulnerabilities plugged and redistribute that to the environment.

If you guys remember the Equifax breach, there was that nasty Struts 2.0 vulnerability, same deal. It was not something that a regular patch program could have just patched. It would've required developers and QA people, a much larger team of people to go and validate everything was still working to roll that type of update out. So that's where this could bite you as it could be a vulnerability that allows a threat actor to get access to that critical system. So do make sure that if you guys are using these types of components, somebody in the organization is keeping track of the vulnerabilities on those and making sure that they get addressed in a reasonable manner.

All right. You guys have probably seen this many times before. If you've been on any of our Patch Tuesday webinars, it's just a matter of keeping you all up to date on the branches when they're coming around on their end of life. We've got Windows 10 version 1709 coming up on in April will be the last update for Home Pro and a Workstation additions. So if you are on a Pro-license, be prepared to make sure that all of your branch 1709 systems are upgraded in the next month. For those of you on the 1607 branch, you get a little bit longer lifespan if you're on the Enterprise or Education edition. But that is also coming around on April 9th.

One thing to note, the branch that comes out later in the year every year is one that Microsoft gives a longer lifespan to. So if you're on the Education or Enterprise edition that gives you a 30 month life cycle, which gives you a little bit more time to stay on that branch. So always try to get the bulk of your populace onto that later branch in the year. So that 1809 branch would be the next one that is getting that 30 month life cycle. The other nice thing about the 1809 branches, this is the branch that Microsoft introduced their LCU updates, which shrink, drastically shrink the size of those updates each month. They don't grow month over month into these huge monstrous 1.5 GB size files. So as you get up to 1809, you're not only gonna be on the 31th branch for those of you on the Enterprise or Edu edition, but you're also gonna get that smaller update size each month. So that's already supported by Ivanti patching products.

So we do have our Weekly Patch blog as well. This type of information that we've put out in the Patch Tuesday Webinar, we get a lot of those types of detail. I don't need to see it in Spanish, thank you. If you go to those weekly updates, you will see details in there. Thank you for asking again. There you go. So you would've seen the Google Chrome updates that would have come out that fixed that zero-day vulnerability that we just talked about earlier. You will also have seen the Retpoline changes that were coming. So you get a lot of good information in advance of, you know, Patch Tuesday even. So that's a good one to take a look at and watch out for those weekly blog posts are done by Brian on our content team. And he also summarizes a lot of the updates that come out. If there's any security vulnerabilities resolved, he breaks those down as well. So it's a good way to identify and pull in a lot of those additional security releases in between Patch Tuesdays.

All right. There we go. Patch content announcements. You know, we've got all of these standardized and all in one place and, you know, got everybody, you know, the ability to subscribe to and, you know, for each of the products that we support. Unfortunately we're about to move support portals here pretty shortly. So you guys are going to see that these are gonna move to a new support platform. It'll be a slightly different way that you subscribe to it. We are working to see if we can do that without you guys having to re-subscribe. So stay tuned for an announcement around that. You'll start to see that. For those of you subscribed to one of these, you'll get a note in the content announcements here pretty soon talking about that transition. And it will warn you if you do have to take any action, but the team is looking into how to do that and make that transition transparent to you guys. So just a matter of when that moves. If you do like to go out and actually look at the pages once in a while and see older posts that will be moving shortly as well. So that's the only thing to update about that this month. All right, Todd.

Todd: I am here, Chris.

Chris: Excellent. I am going to give you control.

Todd: Okay. Perfect.

Chris: Looking at my screen from England, normally don't, so here we go. You should now have control.

Todd: All right, let me see how long this takes to change slides here. All right, there we go. Hopefully everybody can hear me okay. We're gonna start off with that Chrome patch that Chris talked about as opposed to just jumping immediately into the Microsoft patches. You can see that there was a release that addressed 60 different vulnerabilities this month sign. And as Chris mentioned, it dropped late yesterday. We were able to include it in the patches that were released yesterday as well. This was a major upgrade for Chrome. It went to version 73 for Windows, Mac and Linux. So be aware of that. There were a number of impacts I wrote down remote code execution, but if you read through the list of vulnerabilities, you know, Google doesn't go through and call things out specifically the way Microsoft does. So there are probably elevation of privilege and a number of other type vulnerabilities that were addressed in here as well. But be aware of this one. As Chris mentioned, there was a zero-day in Chrome earlier in the month, so you wanna make sure that you install this one right away on systems that are using Chrome.

Moving onto the Windows updates. We'll start with Windows 10, flagship for Microsoft these days obviously. They did address 55 vulnerabilities in Windows 10 across all the Windows 10 operating systems this month. There was the 797 CVE that Chris talked about that it's known to be exploited in the wild as well as the publicly disclosed CVE 754 as well. So those were the two that were addressed in the Windows 10 this month. Going through, there are a number of issues that I wanna bring up. Let's start wit, the 1607 release and Server 2016. As Chris mentioned, and we saw in that slide earlier, this particular version will be coming to end of life next month in April. So there will be one more update for 1607 in Server 2016. For those of you that are on the Enterprise version. The first two issues here have been carried forward for multiple months now by Microsoft. And I suspect maybe these will not be addressed by the time this product reaches end of life. So we'll see, if they do actually release an update next month. And as I said, it would be the last update for this particular operating system.

The first one has to do with a vert one with you're running a virtual machine manager. They do continuously talk here about using best practices to as a workaround. They want you to go in and run a couple of different utilities to fix this problem. So be aware of that. You can dig into the particular details in this bulletin. It will actually branch you off to multiple places to fix this. So just kind of be aware of that one. Actually we had kind of a long discussion last month around this next issue, which has to do with minimum password length and this has to do, this is related to the domain tree issue that Chris was talking about earlier as far as sharing passwords between different devices. So in here they really want you to go down and the workaround is to set the password length down to 14 characters. In that way it will allow it to share that password throughout the domain tree. So just kind of be aware of that one as well.

The third issue here is a new issue. You'll see this also in another version of Windows 10 here in just a second. This particular utility MSXML 6 causes applications to stop responding. There is no work around for this right now. It does give you some of the error conditions here. You can take a look at this in more detail. Does say that Microsoft is working on a resolution for this one as well.

The next issue is one that you're going to see across almost every operating system this month. And this has to do with different versions of Internet Explorer working on these operating systems. It wasn't clear whether the issue was in Internet Explorer itself or in the operating system and the way IE is interacting with it. But basically there is a problem with authentication when there are a concurrent login sessions running. This is actually kind of an edge case because it has to do with people logging in with the same credentials multiple times on the same machine. So you can see that their workaround for this right now is to create unique user accounts so that two people don't share the same user account when logging into the server machine. You know, obviously good practices there, but if you have, for example, an admin account and everybody's logging in...I say everybody, multiple people are logging in to that account, that's when this particular issue is surfacing. So just be aware of that. There is a workaround, Microsoft is working on a resolution for this one. I'm sure we'll see this one fairly quick because like I said, this does appear, you'll see multiple times across all of the operating systems, not just Windows 10.

Moving on from the 1607 version and the latest version 1809, there are a couple of issues as well. Like I said, here's this repeat issue involving authentication and Internet Explorer 11. I won't spend any more time on that, be aware that it does exist in the 1809 version as well as Server 2019. They also have an issue with audio devices this month. This is new. Surfacing here, they say that, you know, there are problems around Media Player, Realtek Audio Manager and the Sound Blaster Control Panel. That's where there they had reported issues. They do have a work around, you can go in and reset back to the default audio device options and you can take a look at that. There are some additional directions actually in the KB that I did not include here. So if you are seeing this issue, definitely dig into KB 4489899 and you can get more details on this. And the issue that I talked about earlier here for 1607 around applications that are stopping to respond here, this one also is an issue in 1809 and Microsoft says they're working on a resolution for that.

So there are three issues in 1809. Nothing else was called out for the other versions of Windows 10. So those are all the known issues there. Internet Explorer, of course, had its usual update for versions 9, 10, and 11 this month. There were large number of vulnerabilities address this month. The last couple of months, they ranged between one and three vulnerabilities so they haven't actually seen a lot of problems with IE, but this month you can see we went up to 12 vulnerabilities that were addressed, none of which were exploited or publicly disclosed. As you can see, I don't have anything highlighted in red here in the list. But be aware of this. There is, you know, there are various forms of Internet Explorer updates. There is a cumulative security update if you want to apply that. The monthly roll up patches do include the IE updates, be aware of that as well. And of course there are as usual standalone updates for every version on every operating system. So you can go through that process as well. I didn't call out the known IE issues here. You can see that I've included them with all the OS updates. That's what we were just talking about where, I mean, multiple people are logged in using the same account credentials.

Moving onto the Legacy operating systems, there was a monthly roll up this month for server 2008. One thing that was interesting this month that I have not seen in the past monthly rollup issues is they did provide an update for Internet Explorer 9 this month in this Server 2008 roll up. Historically they have not included IE updates in this particular Server 2008 monthly roll up. So be aware of that. A little bit of a change this month. So you will see an update, an IE 9. That's actually 9.1 that was updated when I look through the files. They did fix 21 different vulnerabilities this month. Chris talked about the various public disclosures and known exploited as well. This 808 is the Win 32K exploit that's been publicly disclosed as well as exploited. So be aware of that. The other two are the, of course, the publicly disclosed information. So that's the monthly roll up.

There's also the security-only patch this month. Notice that particular security-only does not include the IE update although it does still address the same 21 vulnerabilities, which I thought was interesting. For those of you who are new on the call and I actually did see quite a few people in our Q&A session say that they were new, be aware that Microsoft does release both a monthly roll up as well as a security-only update for all of the Legacy operating systems.

So what that means is that, you know, basically going back many, many months, it gets over 18 months now. Microsoft has been doing cumulative updates under the title of monthly roll up where they're basically including all the patches, all the security updates and as well as performance enhancements and things like that. And just in one big ball or one big update. And that will actually bring you from, you know, basically any status of those Legacy operating systems up to the current patched version. So the downside obviously is it's updating more than just security updates. It's actually updating everything in the operating system. The good thing is that it's bringing everything up to the same point. For those of you who have older systems that are maybe let's say a little more sensitive, you're running older applications, you don't wanna take the chance of doing a huge update, you can go month by month, and apply the security-only updates. You're not getting all the performance enhancements and things like that, but they are targeting only security issues each month. The thing about that is you have to be, you know, very dedicated and make sure that you do apply the security-only updates every month because they are not cumulative.

So basically two kinds of thought processes around the patch process, depends upon what you're running on those operating systems. Like I said, some of the older applications, for example running on Server 2008, like we're showing here are very sensitive to updates. So you'd wanna be very tactical and make sure that you test ahead of time. I'm sure Chris covered this in great detail in the best practices session he did there at Interchange. But you wanna make sure that you do test, you know, these updates as you're applying them, that they don't break some of your Legacy applications.

Moving on, monthly roll up this month for Windows 7 and Server 2008 R2, same vulnerabilities, actually, that were addressed in Server 2008, the base version earlier, 21 vulnerabilities. The monthly Rollup does include the 12 IE vulnerabilities as well. Chris talked about the Advisory 19009, which...there was a servicing stack update this month for Windows 7 as well, the separate patch. So be aware of that. So lots of stuff going on around Windows 7. Don't forget that Windows 7 and Server 2008 R2 as well as Server 2008 is actually going into extended support with Microsoft starting in January 2020. So we're kind getting short. These things have been around for 10 years now. These operating systems have been around for 10 years. Actually have been reading that Microsoft is going to start a couple of pop-ups in some of these operating systems warning you that the end of life is coming and getting you to upgrade. So be prepared to see some of that as well in the upcoming months. They said they're not gonna nag us as much as they did with XP, but, you know, we'll see how that goes.

There are some known issues this month for the Windows 7 and server 2008 R2. Notice that this is the same issue that we showed earlier for Windows 10. In this case, however, it's related to Internet Explorer 10. They didn't call out the other versions. They just called out specifically Internet 10, IE 10 rather. So be aware that this does exist as a known issue in Windows 7. There is also of course a security-only update for Windows 7 and Server 2008 R2. Again, just the security fixes for this month.

Moving on to Server 2012, you can see that there is a monthly roll up. One fewer vulnerabilities that were addressed here. So they only did 20. Compared to the previous list, there are publicly disclosed as well as the exploited vulnerability here, which I've highlighted in red. So be aware of that. There are some known issues around this one as well. Should look very familiar. It's the same thing around that authentication issue, again, Internet Explorer 10. And of course there's a security-only update for Server 2012 this month as well. Same vulnerabilities addressed, does not include the IE updates, just those tactical 20 vulnerabilities.

And finally on the Legacy operating dystems, we have the monthly roll up for Windows 8.1 and Server 2012 R2. These are actually the same 20 vulnerabilities that were addressed previously for Server 2012, the base model. Again, for those of you who are new on the call, you may wonder why these are lumped together Windows 8.1 and Server 2012 R2 and some of the previous Legacy operating systems I talked about as well, that's because they're using the same operating system kernel. So at the time these operating systems were released, they were using the same kernel, as a result the patches are specifically targeted around the kernels themselves. And so you can update both of these at the same time using the, you know, the patches that are released for these. So that's why there are lumped together in the same bulletin addressing the same vulnerabilities.

And finally, again, we have the same known issue, this time for IE 11 on these particular operating systems. So be aware of that one. Like I said, we would see that multiple times this month. That's probably the last time. I'm gonna show it to you. And of course we have the security only update for these same Windows 8.1 and Server 2012 R. Okay. Moving on. there were some updates for SharePoint Server this month. Only two versions, 2013 and 2016. There was a just one vulnerability addressed, 20190778 has to do around tampering and this particular vulnerability was around cross site scripting. So they did go in and resolve this particular vulnerability. So be aware that this update is available. It was rated as important by Microsoft. So you'll notice that we have it as a priority too as well because there's no known exploited or, you know, publicly disclosed vulnerabilities there. There are no known issues around this one, so go through and update your SharePoint server when you get a chance.

There were very limited updates for Office this month. We were kind of surprised what we saw out there. There was an update for Office 2010 for Link Server 2013 and Skype Business Server 2015 so we didn't get the full spectrum of, you know, individual office applications and all the different variations on all the different releases of Office all the way up through 2019. So just a handful this month. They only fixed to vulnerabilities revolving around remote code execution and spoofing. Again, nothing publicly disclosed or exploited this month. So we just rated it it as priority two and keeping it in line with what Microsoft rated it as was important.

There was a non-security update for Office 365 this month, which was surprising when there are no vulnerabilities addressed. They did say that it was a defense in depth released, so there might've been something in there. They just didn't have anything that was, that called out specifically from a CVE standpoint. So be aware of that. So there is an update, like I said, for Office 365 and Office 2019. So those were released later in the day as well.

Chris talked about the fact that Adobe Flash Player was released this month as well. Again with no known vulnerabilities reported. So Microsoft of course bundles this into their software updates and have a, has a specific release for Flash Player. No vulnerabilities reported there, and of course, you know, Adobe released theirs as well. There were quite a few non-security updates released yesterday, which is not uncommon, but we saw quite a few. So we've listed them all here. Obviously Adobe Flash Player as I just mentioned came out, but there were also releases for CCleaner Skype, Go To Meeting and Zoom. And like I said, these were non-security releases. We rate them at a lower priority three. You never know what might be bundled in these, although they didn't call out any CVEs or say anything specifically around security. It's always a good idea to keep your applications up to date. So with that, Chris, I'll turn it back over to you. You there in the audience?

Chris: Yeah. Yes. Hey guys.

Todd: All right.

Chros: All right. So just to give everybody an idea, we, we'd like to give everybody an update on this to make sure you're on the stand how many updates do come out in between Patch Tuesdays. So a lot of what we recommend now is especially for your end user environments that you're patching more frequently for those environments because there can be security updates on a regular basis. So I actually went back through and looked at, you know, the first 10 weeks of patching for 2019 and the majority of those did have security related updates in them, browsers, any of the media player products. A lot of other vendors, they're in a continuous delivery mode. So as soon as they get something resolved, they're going to release as soon as they're ready. Most of them do not synchronize on a set team. There's only a few that do that. Microsoft, obviously, Adobe tries to sync with Microsoft on that. So they've been pretty consistent there. For the most part. We said we did see a few non-Patch Tuesday releases from Adobe this year already though. You know, Java, Oracle releases on a regular cadence, but it usually falls a week after Microsoft's Patch Tuesday. So just keep that in mind. This gives you a quick summary of some of the other ones that came out.

Here was that zero-day, again, like we've talked about, that Chrome released earlier this month. WinRAR resolve for vulnerabilities in a release earlier and Webex Productivity Tools did resolve the vulnerability. Thunderbird had an update and resolving four.NodeJS, three vulnerabilities resolved. And in version 10, which only had one resolved version 8 two results. So different branches there had different vulnerabilities that they resolved there, but quite a few updates, Acrobat Reader had one vulnerability resolve outside of the February updates that we saw. This was after that. So there was an additional Acrobat and Acrobat Reader update. If you haven't done that one already, probably make sure to pick it up, Adobe Acrobat and Reader again this month just to be safe. Wireshark, another updates there.

So that just gives you an idea of how frequently those types of updates come out. We actually at our keynote, you know, those in the room here got to hear from one of our customers. These guys were patching 60,000 endpoints globally and they patch the majority of those systems on a weekly basis. So, you know, companies are able to do this. They're doing it for large scales of machines as well. It is possible to do and you know, it can take some discipline. It can take some hard political conversations at first to get everybody on board with it. But the best way to combat most threats we face today is around the time element. Threat actors are creatures of habit. They're gonna go after the low-hanging fruit. They're gonna try to exploit the things that they don't think you've plugged yet. If we can beat them, you know, by getting those vulnerabilities plugged faster, it reduces the amount of time that you're exposed. And that's the majority of the ways that they get into an environment are still through targeting a user and exploiting software vulnerabilities. So it's a great way to try to reduce that down, explore your time and reduce that risk that you're always under.

All right, we're gonna go ahead and get into some Q&A. There's a few questions that have already come in that I think several people will be interested in the answers for. Thank you Brian, once again, for responding to many of those as we've been going through. Let's start with, so Brian, it looks like we had a few questions around the Office updates, one in particular about those potentially showing multiple times on a system. You want to start with that one?

Brian: Yeah, absolutely. That was absolutely what I was gonna start with. Kind of the question was, are the Office 2010 patches, are they cumulative? Can you just install one patch and you're good to go? With the Office MSI install, which exists for 2010 and 2013, 2016, there's a whole bunch of different components and patch chains. So you're gonna probably see on a standard Office suite install a whole bunch of different patches applied to it. Kind of the followup question was, "Hey, if I have an Office suite and I disable Word, Power Point and a whole bunch of other components, am I still gonna expect a lot of those patches? Like why am I being offered a Word patch where I don't have Word on there?" We kind of had a similar issue where we turned to look into that detection and we really found that the components were really blurred between all the different products. So even if you don't have Word on there and let's say you only have Project, there's still Word components that still needed to be patched. So for any of the office MSI installs, you're gonna have a whole bunch of different piecemeal patches. It's only with O 365 that you'll have that single update.

Chris: All right, great. Thank you. Let's see. I think the question around IE included with the monthly roll ups, we did touch on that in what Todd was updating. But yeah, so if you're on the Legay platforms the monthly roll up will include the IE updates. The security-only IE would be a separate updates. The other thing to note is if you're on endpoints that have IE 10 or IE 9, those often do not get any updates anymore. Only IE 11 is getting updated. So when Todd noted that there was actually an update for IE 9, that is pretty rare nowadays, they're not really supporting the older versions of IE. So with that, just wanted to make sure that was clear for everybody.

Todd: Chris, there are a couple of questions around Windows 10 as well and I really didn't cover that. So with Windows 10, you don't get a choice. Windows 10 is a cumulative update only every month. And actually, you know, it includes IE 11 updates as well as Microsoft Edge updates as well. So you don't get a choice to call those out and update those separately. When Microsoft went to their Windows as a service model under Windows 10, you basically get one cumulative update every month for your particular version that you're running, whether it be the Server version or of course, the individual endpoint version. And basically you get everything in one big package. So just wanna make that clear.

Chris: Great. Let's see, there's the question around the ZDNet article regarding Intel graphics driver updates for Windows. Are these included in this much patched downloads for Protect? So the Retpoline update was a separate KB from the monthly updates. So the one that we were talking about where there could be audio driver or a mouse and keyboard or mouse and graphics card driver impacts for performance, that one is a separate KB. It will be made available through our Windows patch catalog, but it's one that will fall under non-security updates that you would choose separately from the regular monthly cumulative. Brian, am I accurate on that?

Brian: Actually he was referring to ZDNet article. It was today or yesterday where Intel graphics drivers have some pretty substantial vulnerabilities within them.

Chris: Oh, okay. So this is a different article than I was just looking at before. Okay. Got it. Okay. Yeah. So yeah, we don't support the answer to that question then is for that particular vulnerability, we don't support driver updates within our patch catalog today. So that's something where on the EPM side you guys do have an ability to support drivers and for our patch for that SCCM catalog, we can integrate with like HP and Dell driver catalogs as well, but we don't support driver updates in general. Okay. Let's see what other, Brian, what else do we have? Is there anything else that...

Brian: Yeah. So we had a few more, we had a large discussion on here, which the viewers were helping a lot of around a customer's having issues running cumulative updates on Windows 10 when they have encryption enabled. It's definitely something that's quite a bit more widespread than I expected. I actually haven't read much on forums, but users here, they've been having a lot of issues. So just a heads up for those that do run in corruption aside from BitLocker. You may want to consider building some workflows where you disable that third party encryption before you install. Even just cumulative, not just feature update where customers had booting issues after that point.

Chris: Got it. It looks like a few that were called out were Surfaces and Rugged laptops specifically. But yeah. Okay. That's good to know.

Brian: Couple of other ones that I'll add is, a known issue for Windows 10 1809 has been the disabling of the administrator account, the local administrator account. It is something I've seen on earlier versions, but it does seem to be a bit more widespread for 1809. So heads up for those that do upgrade 1809. For those that do use EPM and AISEC because of what we saw even on the initial 1507 to 1511, we built some automation within our deployment where we actually check to see if local admin's enabled and then we re-enable it post upgrade. So give that a try if you guys are concerned around that or if you run into that issue on some of your test groups.

Chris: Yeah. So that's using a piece of technology that we're not modifying the vendor's installer. What we do is we wrap additional actions around it, which we refer to as defendant actions. We actually do this for, I think 20 plus products that are in our catalog require us to do some form of defendant action. But this is one of those things that happens more transparent to you guys, we can work around some known issues and limitations of some installers by doing things like that. So all right.

Brian: So for a few more was a question that we do get kind of every Patch Tuesday. So I wanted to hit that. A frequent one is, if I have Windows 8.1 ne Windows 7, will the latest monthly roll up, just get me patched up, if it's a fully unpatched box? No it will not. There's usually, it's still another good handful of patches that we'll still have to apply that have existed before the roll up method applied. So just a heads up that you're definitely gonna be fully remediated, especially on those Legacy OSs if you just apply the monthly roll up.

Chris: Great. So there was a question around 1809 and the reliability of it at this point. So it seems Microsoft rereleased that 1809 branch and did a few more updates and things are looking much better. So it is far more stable than it was. So to answer the question that Carlos had, it is far more stable than it was when it initially released. We would still recommend that, you know, making sure it's tested a little bit just because it had a rocky start, but it is looking much better. It also does support that LTU packaging of the Microsoft updates, so there's pretty good reasons to move to it. You need a lot of, reduction in that bandwidth usage when distributing package across the organization. So yes. At this point it is looking much better and it would now be the time to start rolling that one out so you can start to take advantage of those additional benefits.

All right. Todd, Brian, any others that you guys are seeing that we think we need to go through with the whole group or are we looking pretty good?

Brian: Well, one customer did ask if the, well I don't wanna call it non-security. The SHA2 patch for Windows 7 is within our content. Yes, it did get released yesterday. So just a heads up for everyone that, that is in our content, we do classify it as a critical security, which is actually in line with Microsoft, but we definitely wanna make it a security. So you guys can get that pushed out as fast as possible to be ready.

Chris: Yes. All right. Any questions from inside the room here? Good. Great. Thanks everybody for joining us this month and I'm looking forward to seeing you guys next month. Thank you very much.

Todd: Thanks everyone.