May Patch Tuesday

May 15, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Staff Quality Assurance Engineer | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.


Chris: Hello, everyone. My name is Chris Goettl. And joining me today is Todd Schell. Hey, Todd, how are you doing?

Todd: I'm doing okay, Chris, just recovering from yesterday, man. It was crazy, huh?

Chris: Yeah, it was an interesting day. And we've got a lot to cover today. So a couple of things. Just housekeeping before we get started. Erica is not with us today. She's traveling. So we've been sorting out how to run the event on our own. So we should have everything set to go here. But if you guys do have any questions, please post those in the Q&A section. And I know Erica in normal webinars would be posting a lot of the links that we have directly in as we talked through them, we won't be able to do as much of that today because we don't have her to help us out. We apologize for that. But next week or next month, we'll have her back in and everything will be back to normal, but we'll make it through today without her somehow.

All right, so we're going to go ahead and cover an overview of what happened yesterday on Patch Tuesday. And then we're going to get into what is a long list of security-related news relating to Patch Tuesday and some other vulnerabilities that you should be aware of. And then Todd is going to walk us through the bulletins for this month. All right, so going into just a high level overview, we did have two updates that we're going to be talking about today from Adobe. Both of those were rated as critical. There were 17 updates from Microsoft, 13 of which were critical, and there was one zero-day that we will discuss in detail. And VMware also released an update yesterday as well. There was a Chrome update that dropped as well, but that one did not seem to have any CVEs associated with it. So we're not going to talk too much about that one. Just know that it was unrelated to anything security related as far as we can tell.

All right, so getting into the news, the big one, the one that I think most of you may already know about or should be, you know, leaving today, this is the one takeaway that you should definitely be concerned about. There is a new vulnerability that was discovered in Remote Desktop Services. This is a wormable vulnerability. This means that it has the capability of potentially doing a global scale impact like WannaCry had done previously. It's a little bit different than the SMBv1 vulnerabilities that were exploited before. This one is a vulnerability in Remote Desktop Services. But there's no real mitigation or workaround for this. You do have to patch the RDP services here.

So the biggest thing to take a look at is making sure that you know what systems in your environment are going to be affected. Server 2008 R2 and Windows 7 and earlier are affected. So that also includes Server 2008. And Microsoft was so kind to release these updates for both XP and Server 2003. There were a couple of really good articles floating around. The first one that I wanted to cover was the Microsoft TechNet article. This talks about CVE-2019-0708 in detail. It is the Remote Desktop Services, what was formerly known as Terminal Services protocol on the legacy operating systems. Again, Windows 7, Server 2008 R2, 2008 and also the out-of-support 2003 and XP. So many of you are probably asking, "How do we get those patches?" Well, they do happen to be available. So I'm going to show you guys a couple of things about our product coverage for it here in just a moment.

The other article that kind of goes into more of the ramifications of this vulnerability is a great article that Brian Krebs wrote up, you know, yesterday and released out, so kind of a refresher on this. It is a wormable flaw and it could fuel a very fast moving malware threat like WannaCry did. So it goes on to talk about the details from Simon Pope. You know, the fact that Microsoft has released updates for XP and 2003 indicates that they are very concerned about this. At this point, the clock is already ticking. So you are now in a race against whatever threat actors are going to take advantage of this. It's not an if, it's going to be a when. And you know, it could be anywhere between days, weeks. We're not, you know, sure of when, you know, something will happen, just expect that something will happen.

Just to give people an idea, we did pull some stats off of the market share worldwide statistics. Now, server versions are not as accessible. They're not typically web facing. So it's really hard to figure out, you know, Server 2003, 2008 and 2008 R2 distributions out there. But based on this, worldwide you can expect about 35% of Windows workstations are still running on a version of the OS that is vulnerable to this vulnerability.

So, yeah, it has a lot of potential to spread if somebody were to take this and include it with additional capabilities. So think about the way that other variations worked last year or previously as well, like NotPetya, where it will use these wormable flaws to get into environments, try to spread itself to as many machines there and potentially be able to launch other variations of vulnerability exploits outside of the RDP vulnerability to spread to other systems. So it's definitely something where this is going to be a gateway for an attacker to get into many environments. So definitely take this one seriously.

We wanted to, because we've already had some calls coming in from our customer base, we wanted to hit on this topic right away and make sure that people are very aware of our coverage for this. We have already added content support for the XP and 2003 updates in our EPM platform. Now, for those of you on EPM, you probably recall that there was an end of support for the XP and 2003 client versions. One thing that is possible though, is even if you're running the latest 2019.1 edition of EPM, you can run a client in mixed mode. So basically the client can be the older version that still supported XP and 2003 from a while back, running on a 2019.1 console. So in a case like that there are KB articles on the community showing how to, you know, basically set up XP and 2003 clients. Those KB articles are still valid for that. You just need to follow those instructions and you'll be able to get those clients up and running if you don't have them already.

If you do still have those clients running, the content for the patch engine will include the XP and 2003 variations of this patch. Security Controls, or what was formerly Patch for Windows: support as usual, content's already released and available. So again, if you have XP or 2003 systems, you'll be able to scan and deploy to those as normal. Patch for SCCM customers: for you guys, SCCM is probably not having those patches show up by default. So we've included this doc link here that walks you through how to import updates from the Microsoft Update Catalog. They are in the catalog there. We have confirmed that. To get ahold of those, you just need to go through that synchronization process and pull in the XP and 2003 updates for the OS this month.

EMSS: right now, XP and 2003 are not currently supported. If you do have XP and 2003 systems, please contact our support team as quickly as possible to let us know and we will provide some additional support options. So those are the four product lines to be concerned about. And, you know, the awareness of if you've got immediate access to that, or how to get access to that, or in the case of EMSS to contact support so we can get visibility around that and get a solution in hand for you.

Okay, I think we are good on that topic. Again, if you do have more questions about that, please post those and we will respond back to those as quickly as we can throughout the webinar. Some additional news that came up. There are a variety of different things that we're going to cover here. The first one is called LightNeuron.

So LightNeuron is a backdoor that allows a threat actor to basically...I mean, it's probably one of the more sophisticated Microsoft Exchange backdoors that have ever been created. And it was purpose-built to target Microsoft Exchange. So this article kind of takes a very tongue-in-cheek approach to explaining it. But this is the first malware that's been detected that is specifically targeting Microsoft Exchange. The first time this came up was actually back in Q2 2018, where Symantec kind of did a light discussion around this, but more details around this have been found since. So it's a much more sophisticated version now.

So this thing can monitor email activity on the server. It has the ability to actually block or intercept emails coming through. And it can also send emails out and it can infect those with steganography approaches to basically embed malicious content into images, attachments, things like that. So it's a pretty sophisticated backdoor here and one that you'll definitely want to be aware of. This is not patched yet so, you know, there's no details around a resolution for this yet. Just a matter of, you know, the best thing to do at this point is to check with your AV or threat detection solutions to see if they can detect this yet. Some have been able to, others have not. Removing it has been quite problematic. In fact, ESET was saying that removing it may break your Exchange Server. So approach with caution. There are some removal instructions out here in the white paper released by ESET but it's a difficult process. So make sure that, if you do have that, you take care with removal.

The next thing we wanted to touch on here is an update on the AV vendors who have been potentially hacked. So if you haven't heard the news about this yet, this came up recently and more details have actually been disclosed about who the vendors were. So Fxmsp chat logs revealed that, you know, the vendors that have been identified here were Symantec, McAfee, and Trend. The dialogue for that was talking about basically a back and forth between Fxmsp talking about how the tooling works that they have. They're basically trying to auction this source code off for $300,000. And with that, it would be, you know, able to provide a threat actor with a lot of details on how to interact with and, you know, potentially even stop AV from running on systems so that they can do their malicious things.

So, for more details on that, if you're running one of those three vendors, check out this article if you need to get updated on that. Microsoft SharePoint: this is something that came up just a couple months ago. Back in March, CVE-2019-0604 was resolved and then re-resolved in April. This CVE is under attack. So Alien Labs discovered some exploits live in the wild that are taking advantage of this vulnerability. So if you have not patched your SharePoint servers up to the April patch release, it would be a very good idea to go back and do that. This is one of those testaments to how quickly exploits can occur. The release in March didn't fully resolve the issue. They had another release in April; somewhere between April and May, maybe even before that, it might have been even just after the March update was made available, threat actors developed code to be able to start exploiting this and started using it in the wild.

So this is just one of those examples that we'd like to bring up because, you know, there's always the challenge that people have of how do you get to that lower time to patch? Well, this is why, you know, we need to do that. And the recommendation, depending on, you know, what source you go to, we recommend a 14-day time to patch for security vulnerabilities. The reason for that is at that point, statistically, exploits start to happen very rapidly. And if you haven't closed the gate at that point, then you're going to be a target for those types of exploits. And this is a good example of how quickly it can happen.

Oh, and this one is...So for those of you who are still running Server 2012 and Windows Embedded 8, they do now have a version of Internet Explorer available for that. So they've added this into test environments or pilot rings. So you can actually get access to and start testing IE 11 on Server 2012 for x64-based systems, and for Embedded 8 Standard for x64 systems. Actually, looks like Windows Embedded 8 Standard for x86 systems as well. So that update is available on there. You can now install and manage IE 11 on that platform. Click on the next link. There we go.

A little bit of an update here on...I'm actually...let me go back to my slides for a second. So, you know, it's inevitable that we were going to come back around to this again, but we do have a new family of microcode updates being made available here. So this is...there's three different code names for these specific vulnerabilities here, Fallout, ZombieLoad, and Rogue In-Flight Data Load. So they're targeting four specific vulnerabilities. These vulnerabilities are CVE-2018-12126, 12127, 12130, and 11091. And these are Microarchitectural Data Sampling vulnerabilities. So this could actually allow a guest VM to leak data off of other VMs in the same infrastructure. So across trust boundaries, they could actually gain access to privileged information.

BleepingComputer has a good article on this. And the resolution to this is going to be very similar to Spectre and Meltdown. You've got to do the software updates and microcode changes. So Microsoft has a summary of the Intel microcode updates that have been released there. And then the advisory on how to turn on those microcode mitigation options. In this particular case, AMD processors are not vulnerable to these four vulnerabilities, just the Intel processors.

All right. Let me go over to the article real quick here. So in this article, the RIDL and Fallout attacks are described. The speculative execution concerns around optimizing performance on CPUs are also discussed in here. In general, this is just the same drill over again. But they do a pretty good job of explaining what the data sampling attacks in this particular case could do. The fact that they can go across, you know, CPU boundaries in a virtual environment and allow, you know, a guest to be able to access data from another guest through this vulnerability. This is agnostic of operating system. So it doesn't matter if you're on Windows, Linux, macOS. The same vulnerability exists across all of those. So it's definitely a concern no matter which one. Other vendors are putting out additional OS or microcode updates for these vulnerabilities as well.

All right. Let's go back here. So Windows 10 lifecycle, if you guys are, if you've been keeping up, April was our end of support for 1709 if you're on Workstation edition. And if you're on Enterprise and Education editions you were...the last update for 1607 was last month in April as well. So do make sure that you've got those branches taken care of. Our next window of end of support is going to be October 8th, 2019 for the 1703 branch, and then November 12th, towards the end of this year, is going to be the next branch that's going to reach end of life. So we've got a few months here before those start to hit. But best to take a look at and start to plan for those if you do have any of those branches left in your environment as well.

All right, getting into the zero-day that we had this month. This is a vulnerability in Windows Error Reporting that could allow for an elevation of privilege vulnerability. In this case, an attacker could exploit this vulnerability by basically, you know, running a piece of code as an unprivileged user on that system. If they do that, they're able to elevate their privilege level to kernel mode. Basically, they'll have the equivalent of kernel mode, meaning they can do pretty much anything on that system.

So this vulnerability is what would be used as kind of a second stage. So after an attacker gains access to a system, they're going to then look around and figure out what privilege level they're at. If they're an unprivileged user but they can execute applications at this point, they would run some type of an application that would throw an error that's crafted specifically to exploit this vulnerability. And with that, they would be able to gain kernel-mode access to that system. From there, they would start to use additional tools to further compromise the system, start gathering credentials and other capabilities and spread throughout your environment.

So, in this case, you know, you do want to make sure and patch this vulnerability; it is known to be exploited in the wild. Other things that can help mitigate this, obviously, if you're running least privilege in your environment, and your users are just regular users, that's a good start, but this lets the attacker get around that. So the next layer is having application control on there. Being able to block untrusted payloads would help block some forms of being able to trigger this. But if they have a fileless method of doing that, they could still get around that; depending on your app control capabilities, they may still be able to use this. So patching ultimately is the best way to plug this vulnerability.

This one does affect all of the currently supported operating systems. No, Microsoft did not do an XP or 2003 for this one. Only for the Windows 7 and later platforms. But this is urgent. So between this and the RDS update for Windows 7 and 2008 R2 this month, you want to make sure that all of the OS updates are applied as quickly as possible this month.

Okay, we talked about this one a couple of months ago, Microsoft is finally switching over to SHA2. And this is I believe the month where they've started now enforcing this. Correct, Brian?

Brian: Sorry, just getting the mute working. What was the question again? I apologize.

Chris: The SHA2 code signing this month. They started enforcing it now, correct?

Brian: It's not being actively enforced right now. No. This is kind of a get these ahead of time if you don't have these on your end point. I believe, I don't know the exact date. The second link that you have should cover it. I'm not sure of the timeline, but later this summer, it'll be enforced.

Chris: Got it. And so this month they did release an updated version of that SHA2 update for 2008 SP2.

Brian: Last month they did Windows 7, this month they did 2008 SP2.

Chris: Okay. So yep, everybody, just make sure that if you are running some of the legacy operating systems, though, that you have applied these SHA2 updates so that come, I believe it's in September here, that's when they're going to switch over and start enforcing this. At that point, you won't get updates unless you've applied these updates to your environment. So do make sure that you've got those in place. All right, Java, this one has been coming up pretty regularly so we wanted to cover it again just to make sure everybody is aware. Java 8 211 and 212 did release last month. But these are not publicly supported. So what does that mean exactly? Well, that means that Oracle changed their licensing model. They do not allow you to get access to these unless you are on a continued support contract now.

So the...Oracle has updated their Java 8 downloads landing page to talk about the license update. And they've even updated, you know, their page so that basically, if you go to, you know, try to download the Java runtime, you have to accept their license agreement. And then you have to go and find the update you want. So if I want the Windows SE, it's going to...oh, it wants me to accept that again, apparently. I'll go back to the radio button and check that again. There we go. So I've now accepted and I can go down here and try to download. And it is now gated. You cannot get public access to this. So you would need an account to be able to do this. And if you do sign up for that and get access to it and legally have the ability to do that, you would be able to download that patch. So in our Ivanti products, we can still support the Oracle Java 8 updates. The difference now is you need to provide the updates. So we call this drop-in support. The content is there but you need to go and download those updates. And in this particular article, you'll see that there's links on how to, you know, supply and deploy patches that cannot be downloaded by our product for both the Patch for Windows or Security Controls product and for Patch for SCCM. There's a similar article for EPM on how to do this as well. So that's how you would be able to do this drop-in support for Java 8 updates.

So just we wanted to make sure and cover that because we know there have been calls into the support team since the Java release this last month. And we wanted to make sure that we've been sharing that information adequately. All right. So other Patch Tuesday updates of interest. There is another servicing stack round of updates here. So you could see here there were multiple Windows 10 branches that released servicing stack updates in May. So for those of you who are not aware, servicing stack updates are basically...they're a separate update from the cumulative update each month.

They are required for, you know, not immediately but, you know, pretty much a few months down the road, there will be changes on the Microsoft side that may prevent future updates from being applicable if you have not done these servicing stack updates. They put these out in advance to basically allow you time to put it in place, make sure everything's good. And at some point, they've got a change coming that requires the changes they're making here to their updates services. Now, this is required if you're using WSUS, SCCM. If you're using Ivanti patching products, we don't directly have a dependency on the Microsoft update services, but the patches that we execute, basically have a manifest running in them.

And that manifest has to run through that update service locally on each system. So that's the piece that we can't get around in any way. If Microsoft makes a change that requires that part of the system to be updated, it could cause problems down the road. So it's best to be on the safe side and make sure that these are put in place in an adequate timeframe. All right. Some additional updates that came out. There were updates for Azure DevOps Server 2019, Azure Active Directory Connect, Team Foundation Server 2017 and 2018. You know, the additional development components that are listed here as well are also of note.

We talk about these specifically because most organizations tend to forget about components like this; your development platforms, cloud services, things like that don't normally come under the umbrella of normal patching teams like yourselves. Development components like ChakraCore, ASP.NET, NuGet, .NET. Even additional ones like Struts, if you remember the Apache Struts vulnerabilities that were utilized in the Equifax breach. All of these are examples of development components that your DevOps teams may be using to build into applications to basically take advantage of all of those capabilities from a development platform.

Well, by taking those binaries directly in, you know, so, an example: .NET Core versus .NET Framework. If your development team builds an application around .NET Framework, .NET Framework can still be updated as a regular update, and we do have a .NET Framework update this month. If they changed over to using .NET Core and built those capabilities directly into the application, consumed that binary, so to speak, that means that you can't just apply a patch to that system anymore; you have to actually do an updated build of that application with the new version of .NET Core. And that requires your DevOps team to get involved again.

So this is also the case with Java 11. So for those of you who know that your organizations are making the switch from Java 8 to Java 11, similar situation there. There is no longer a JRE. You don't have an endpoint component that you update separate from your application anymore. The JDK gets updated each quarter. When they build a new version of that application from the new version of the JDK, the updated binaries with any security vulnerabilities resolved are built into the application and redistributed. So if you have not already done so, you should be having conversations internally about how these types of updates are being detected and rolled out across your environment. So Ivanti, we just had our yearly Interchange event just a little bit ago.

And over a breakfast roundtable discussion, this topic came up and a number of customers were kind of taken by surprise about these changes, specifically, for Java in their case. But it actually prompted a number of them to want to go back and have those discussions fairly immediately because they're concerned that their teams may not be aware of or as concerned about resolving these security vulnerabilities in their process. So make sure that your organizations have had those discussions. If not, if you need more details about it or anything like that, we do have some KBs specific to the Java 11 changes specifically. But if you have other concerns, do feel free to reach out to us and we can get myself or others from my team involved to give you more details about that or share information with your teams.

All right. This one's just kind of a little service announcement there. For those of you who are running on the Patch for Windows product, do be aware that this is now called Security Controls. The reason for that is it's the same product you've been using for years. Just a matter of now it's under a new name because we're bringing additional security capabilities into it. With this latest release, we've added Red Hat support, the CVE import feature for the patching feature set, but there is a new module available in here as well, around app control and privilege management. So talking about our privilege escalation vulnerability, which we talked about just a little bit ago. Having a good privilege management solution and a good app control solution in place is essential to try to mitigate the impact of vulnerabilities like that that may be exploited before an update is available.

This component of Security Controls is capable of providing that level of protection, both from a privilege management and an app control standpoint. It's a module that is in addition to your current licensing. So after you upgrade to Security Controls, you can actually request a trial. From the website, you can go and choose the trial form, request a trial of that and start kicking the tires on that AC module, or reach out to your sales rep and they can help hook you up as well. So it's one of those things where we chose this module specifically because of the extremely high value around vulnerability mitigation. Patch management, app control and privilege management. Those are your three primary security controls that are going to mitigate the majority of vulnerabilities on the market.

All right. We got our weekly patch blog. For those of you who do like our Patch Tuesday Webinar, you can get weekly digests of a similar sort. Brian, who is also on the call with us here today supporting us, he does these weekly blog posts. They're chock full of great information. Even details like some of the vulnerabilities we talked about today are things that he's been picking up and including in his weekly blog posts as well. So if you do like this information, and if it's a value to you, you can check out those weekly blogs to get more of it throughout the month.

And we've been talking about this for a while. The change has been made now. So if you do subscribe to our Patch Content Announcements, we have shifted over to the new community. And those four content streams are available there as well. If you were previously signed up, you should have been moved over without any disruption. If for any reason you do see a disruption in that, the link provided here gets you out to the portion, the group on the community where you can re-sign up for that. Again, we tested this, myself, Todd, our entire group, you know, we saw no impact to the migration of that before we did the transition. So we felt fairly confident that the majority of you, if not all, should be able to convert over without issue. So we should have no disruption there. All right. That was a lot of news, Todd.

Todd: I'm here.

Chris: Are you ready to go?

Todd: Ready to go Chris. Thanks.

Chris: I'm going to hand you a keyboard and mouse control. You should now have access.

Todd: All right. There we go.

Chris: Okay. Let me move that out of the way for you quick. Sorry. All right. It's all you.

Todd: All right. Are we moving here, Chris? There we go. All right, hopefully everybody can hear me okay. Can you hear me, Chris? Suddenly got silent.

Chris: Yep, you're good.

Todd: Okay, we're good. Okay. So let's talk about updates that came out on Patch Tuesday. We had a couple of big ones. There was an update for Adobe Acrobat & Reader this month. Just like there was last month. However, this month, they addressed 84 vulnerabilities, a huge, huge number of vulnerabilities. If you want to go through and take a look at those, you can access the Adobe site at the link here. Primarily from an impact perspective, there were a lot around remote code execution and a few around information disclosure. So be aware of that. There were updates for both Windows and macOS as part of this.

Also this month, as usual, we saw an update for Flash Player once again. Only one vulnerability this month. However, it was still rated critical because of that remote code execution. So be aware that it is Flash Player in a number of locations: desktop runtime, Google Chrome, IE 11 and Edge. So a number of impacted applications there. And, of course, also related to this is Microsoft's integration into their update process. They rolled this out as a bulletin for Adobe Flash Player, which we call a 1905 AFP for Adobe Flash Player. You can see it affects a large number of their operating systems based on the previous slide where Adobe listed the applications. Same vulnerability, obviously, as part of this, but, you know, basically Microsoft's redistributing this as part of their packages. So be aware of that as usual.

Windows 10. We had a number of updates this month for Windows 10. I think Brian's going to talk a little bit more about 1903. But you'll notice that there actually was an update for 1903 this month, even though it has not officially been publicly released. It is available for download from MSDN. So there was an update. So be aware of that. This month, they did address 53 different vulnerabilities. Chris had talked about the zero-day, specifically, the 0863. You'll see this show up, I've highlighted it in red throughout the remaining slides here, for all of the operating systems that it impacts. But this one is known to be exploited as well as publicly disclosed. There were a huge number of issues this month for Windows 10.

So I actually had to make a few changes to the way I normally report these. And you'll see down here, for example, that I actually created a short name for some of these where they're repeated, but let's walk through all these. So even though, you know, 1607 has officially been end-of-lifed as far as support goes, it is still part of the long-term servicing branch. So we will continue to see updates for this for those particular machines. These first two issues that are listed here, the one around the Virtual Machine Manager and the one around the particular issue with cluster services failing. These issues have been around for many months now. Microsoft still says they're working on a resolution. We'll see. But we've talked about them in the past.

Most important thing here is go ahead for this first one on the Virtual Machine Manager. Go ahead and look at the KB itself because they talk about some workarounds and some best practices to deal with this. Enough said on that one. There is a new issue here around file rename that showed up, and you're going to see this across multiple Windows 10 operating systems here in a second. Talking about the fact that you will have problems renaming certain files. It's a permissions issue. They do give a workaround for it. Basically, you know, you have to login with administrator privileges or perform the operation from a node that doesn't have this cluster shared volume ownership.

Microsoft says they are working on a resolution for this one as well. And there is one final vulnerability for 1607 and Server 2016. This is one that's been repeated for multiple months as well. You'll see this one show up. I've called it the PXE Start particular issue here. It really has to do with identifying a startup device with Windows Deployment Services. And the problems that are there were it's terminating prematurely. So be aware of that one. You know, Microsoft's current workaround is to disable the variable Window extension. And they also have three options on specific details there. So take a look at this KB if you're running into this issue.

For Windows 10, the 1700 version, 1703, and 1709, they were both reported with this file rename issue that I just talked about. So be aware of those issues if you're running those operating systems. Moving up to the newer ones for the 2018 releases. Version 1803 specifically, had the PXE Start and the file rename issue. Version 1809 and Server 2019 also had the PXE Start and file rename issues. But they had some additional problems as well. One where...having a problem printing. Where your printer is having a problem with a configuration issue, they're talking about printing from a browser. Microsoft, I love what they say here. Use another browser to print your documents. So that's kind of their workaround right now.

There is also an issue with Asian language packs in the 1809 release as well. So they want you to basically uninstall and reinstall or basically apply this cumulative update from 2019 from last month to see if that fixes your problem. They have some additional details in the KB article quite a few on recovery details. So if you run into this particular issue, take a look at the KB specifically for those because it was pretty extensive. And finally, like I said, they did release an update for 1903. So any of you who may be running it as part of the insider program or actually downloaded it from MSDN as an early download, there is an issue with regards to Defender Application Guard and Windows Sandbox.

So they provided a workaround right now and they are working on a resolution for that. So quite a few issues on Windows 10 this month when we do our updates, so kind of be aware of those. And these slides will be available for posting. So if you need a quick summary, you can always download them from our website and have a nice summary of those there. Moving on to some additional updates. Let's talk about Internet Explorer. They did fix eight vulnerabilities this month, again, rated critical. Number of impacts all the way from remote code execution through information disclosure.

There are actually quite a few issues also reported this month depending upon what you're updating to. These are primarily around Explorer 11. So if you notice here, all the different impacts here, Internet Explorer 11 on Windows Server 2012 R2, all the way through the older versions of Server 2008 Service Pack 2. So quite a few issues here on different configurations when you update with the cumulative update. They do give this first one here whereby there's an issue with custom URI schemes. And this has to do with opening trusted sites. So really what they want you to do is rather than just click on it, they're going to ask you to right click on the URL link itself and open it in a new tab. Or else go into the actual settings where you have the protected mode for Internet Explorer and set that up for local internet and Trusted Sites.

So more detail in that KB as well. So be aware of that particular issue. And there was also an issue here around Internet Explorer 10 when it gets downloaded on with WSUS, so be aware of this particular issue when you're installing on Server 2012, or Windows 8 standard. There's actually no issue around the fact when you download it, but they're actually not providing the latest version, and they want you to go back and install this KB and apply security fixes, making sure that you get the latest update for Internet Explorer 11.

Moving on to some of the legacy operating systems, we'll start with the oldest one, Server 2008, obviously, still under support. They did fix 22 vulnerabilities this month. So quite a few. This is the only one I'm going to list out the vulnerabilities because of some of the changes in the reporting information that I have here. So be aware of that. There is an update, obviously, this is the monthly roll up for Windows Server 2008. For those of you who are new on the call, the monthly roll up is kind of the cumulative update that we get for Windows 10 whereby they're rolling together all updates from back in, basically, October of 2016 into one update. So you're getting everything, security updates, as well as any improvements for almost, you know, over two years now in one update. That's the monthly roll up.

The other thing that's offered is a security only update. I'll show you that here in just a second. The security only update is just the security patches for this month. So obviously there's a different patching methodology or process you have to think about depending upon how you're patching. The monthly roll up each month will give you the latest of everything whereas if you're doing a security only update, you have to, you know, I'll say religiously, apply the security only update every month so that you make sure you get all the latest patches. The reasoning behind the two approaches has to do with, you know, your support of legacy applications really.

Applying all of the updates from the monthly roll up may break some things because you are applying so many updates in one swoop, whereby the security only update you can tactically go month-to-month and make sure that you're not breaking your applications and kind of figure out exactly what's causing the issue. So basically, two approaches to patching with those updates. There were some known issues this month with Server 2008. They weren't actually tied directly to the update itself, but they really are around the service stack update that Chris talked about earlier.

Sometimes when applying these, there's an issue where they get hung up when you're going from like stage two of two, or stage three of three. Basically, they're telling you if you experience this issue, issue a Ctrl+Alt+Delete to the endpoint, and it should restart and you should be in good shape there. So just be aware of this particular issue. It's around the service stack update for 2008. Like I said, there is a security only update this month for Server 2008, as well. It's addressing the same 22 vulnerabilities. And again, as a security only, it's only these 22 vulnerabilities that are in all the additional updates from the previous months.

Moving on to our next operating system group, we have a monthly roll up for Windows 7 and Server 2008 R2. And as I kind of reiterate each month, the reason these two are grouped together is because they have the same operating system kernel. So basically the same patches apply to both of these, whether it's the workstation, i.e. Windows 7, or the server side, 2008 R2. You'll notice that in this update, I specifically included the notes here that in addition to the vulnerabilities that are associated with the key components here, whether it be from the app platform frameworks all the way through the Microsoft JET Database.

They did address protections for the vulnerabilities that we were just talking about with those new attacks. The Microarchitectural Data Sampling vulnerabilities. So the four that we talked about here, there are updates available this month within this particular update. And there's the way, you have to apply the microcode updates for the Intel processors as well. This does fix 24 vulnerabilities plus the 8 Internet Explorer vulnerabilities. Also be aware in this particular update, it's addressing that zero-day that we talked about earlier. There are some known issues for Windows 7 and Server 2008 R2 as part of these updates. This one's going to appear again.

So I gave the short name McAfee. Essentially, there is an impact when you update systems that are running these three particular versions of McAfee protection. So be aware of that. Microsoft says they are working closely with McAfee to get these resolved. McAfee has provided some workarounds. And I've included the list of the links of those here. So you can go off and take a look at those and if you run into this particular issue. There's also a security only update for Windows 7 and Server 2008. And notice that if you do the security only update, it doesn't impact running with those McAfee protection packages, so be aware of that.

Again, same set of vulnerabilities that are addressed this month in the security only update, also fixing those Microarchitectural Data Sampling vulnerabilities. Moving on to our next operating system. We have updates for Server 2012. Very similar set of vulnerabilities that were addressed in this particular update, again, 24 vulnerabilities addressing that zero-day, as well. So just be aware of this particular update this month on the monthly roll up side. There are some issues with this particular update. Both the monthly roll up and the security only update.

Interestingly, that PXE Start that we talked about back under with the Windows 10 issues, as well as the file rename issue both appear under this Server 2012 update as well. So if you run into those, go back and take a look at those particularly...You can look at these particular KBs, obviously, and the workarounds that Microsoft has given for those. These impact not only the monthly roll up to these operating systems, but the security only update as well. So moving on to our last set of operating systems, we have the monthly roll up for Windows 8.1 and Server 2012 R2.

Again, very similar set of vulnerabilities that were addressed including the ones for the new attacks under the Microarchitectural Data Sampling issues. Same zero-day. So make sure, you want to do these, again, it's rated critical to get in place. There are some known issues for this one as well in addition to the PXE Start and the file rename. When you do the update, you may run into those issues with the McAfee programs as well. So be aware of those. They are both for the monthly roll up as well as the security only update. So you might run into those under both of those updates. And, of course, there's the one for the security only update for these operating systems.

Moving on from the operating system side, let's talk about some of the application updates. There was an update this month for the regular Microsoft Office. It does apply to 2010, all versions of 2010 through 2016. There were updates for versions 2016 and 2019 for Mac. And there was a standalone update for Word 2016 as well. For the last couple of months, it's more like six to eight months, these have always been rated as important but not critical, but there were some important vulnerabilities that were addressed in this, then Microsoft has upped the severity level to a critical update. It has to do with remote code execution in these applications.

So if you are running them, make sure you prepare to apply this patch this month. Of course, there were the usual...I didn't update this here. There were the usual updates for Office 365 and Office 2019 under the click-to-run model. They addressed three vulnerabilities this month, fixing the same set of vulnerabilities that were addressed in the general Office Suite as well. Again, rated critical this month. Moving on to some of the important updates this month. There was an update for SharePoint Server. Chris talked a little bit about some of the exploits that are actually being run against SharePoint Server. So you might want to take a close look at this one.

They fixed eight vulnerabilities this month. Most of them around, you know, vulnerabilities in Office itself that would allow a remote code execution on the SharePoint Server. Rated important, like I said, it does address all releases from 2010 through 2019. So again, an important one. Another important update this month. You're going to see updates from Microsoft .NET. We had the last one in February. So we were due for an update. You'll notice also that they're now going up to version 4.8. So previously, the last update had been to 4.7.2 with the release or the pending release of 1903. They've now done an update on .NET to run it up to 4.8.

So kind of be aware of that. That's available in here. Fixed a number of vulnerabilities regarding use of memory, as well as the way it's processing RegEx strings. They did fix four vulnerabilities this month. Depending upon how you update your .NET, it doesn't necessarily always require a system restart. So you may be able to get by without a restart as long as, you know, applications aren't locked or are being used, the .NET files at the moment. .NET is released in both a monthly roll up and a security only version. So you can apply all the updates cumulatively with the monthly roll up or you can do tactically the security only updates depending upon what approach you'd like to take with your patching.

There was an update this month, it's been quite a while for SQL Server, specifically, they're looking at SQL Server 2017. They did address just one vulnerability this month, 0819. It has to do with an information disclosure leak. So if you are running this particular version of SQL Server, you might want to take a look at applying this update. And finally, moving outside the Microsoft realm, Chris did mention that there were additional updates for other applications. In particular there was a security update this month for VMware Workstation.

They did issue a bulletin. It's covered under VMSA-2019-0007. This is an elevation of privilege vulnerability that exists in the previous versions 15.X of VMware Workstation Pro and Player. The update, I believe, does take you to 15.1.0, and addresses this particular vulnerability. So there was a security update. Like I said, if you're running VMware Workstation, allowing for some escalation of privileges actually to administrator on a Windows host where workstation is installed. So be aware of that update as well this month. With that, Chris, do you want to talk a little bit about Between the Patch Tuesdays?

Chris: All right. Yeah. And so we're going to be going through and answering some questions from you guys as well here as we wrap up the webinar. So go ahead and take a moment here and fill out any more Q&A items that you'd like us to try to touch on. This slide here goes through and talks a little bit about what we call the Between the Patch Tuesdays. This is what updates come up in between patch cycles and gives people an idea of all the other security vulnerabilities that should be being resolved in their environments. We use it as a tool to make sure that people are aware of, you know, the fact that not all vendors release in the same cycle.

And you can see here, there's a whole lot of updates that happen between Patch Tuesdays. Our content team, you know, the team that Brian is part of, these guys are releasing content nearly every day of every week of the month. It's pretty rare that we don't have something going out. On average, all of our products receive at least two content updates every week. And many of them include security updates. So recapping some of the ones that came out this last month, we had a Citrix Receiver 4.9 update that resolved one vulnerability. Camtasia, couple of versions here that resolved 6 and 12 vulnerabilities. We did a virtual box update that resolved 12 security vulnerabilities.

Google Chrome update that was resolving 23 vulnerabilities. One of the reasons that we were surprised to see it dropped from Google yesterday was the fact that we had seen, you know, not one but I believe...oh, maybe it just was the one for this last between these last two cycles, but 23 vulnerabilities resolved not too long ago. So we weren't expecting another release yesterday. But Foxit Reader, a couple of different releases there and also for PhantomPDF, fixed eight vulnerabilities there on the reader and seven on the PDF Creator. VirtualBox, again, with 19 more vulnerabilities.

The Java JDK 8 and Java 8 did resolve five vulnerabilities each. Again, we talked about this before. This is available from a content perspective. If you do an assessment with our products, you may see this as a missing update if you still have Java 8 running. To deploy it though, you will need to make sure you have a continued support contract with Oracle and get access to that patch and follow those drop-in instructions that we discussed before. Apache Tomcat, three versions all getting a security update this month and one vulnerability being resolved, 0324 there.

All right. So that wraps up our security related updates for the month. There is one more thing here that Eric asked me to make sure and remind everybody of. We do have a great virtual event coming up here. This is a free event. It'll be put on by Ivanti in partnership with multiple other organizations including Microsoft. So Microsoft and several other partners of ours are getting together and we're providing a series of virtual sessions all focusing on Windows 10.

From environment management to, you know, making sure that your systems are prepped and ready to upgrade to Windows 10, you know, a variety of different topics. So if this is of interest, it's a free event, you know, coming your way on May 30th so go to our site and check around for that. It'll be a very good event, you know, especially if you're trying to wrap up your Windows 10 migrations before the end of the year here. All right. Diving into the Q&A. Guys, what do we have for a couple of common questions here? Anything that stands out?

Brian: Yes. Can you hear me?

Chris: Yep.

Brian: All right. Just making sure. Let me just go down the list real quick. There was one heads up that the Chrome that did release today, it doesn't have a CVE but Google did say it did include one security fix. So, a heads up to everyone. So many from...Oh, yes. Scott did mention. He's an SCCM user and the default import for the updates for the RDP vulnerability for XP and 2K3, it had a five minute timeout which caused a lot of issues for him. So heads up to those that are using SCCM to patch this RDP vulnerability.

Chris: Got it. Good heads up, Scott. Thanks.

Brian: For the 1903 release, I know we didn't have it in our slides. But currently there's no known release date for the public for 1903. However, the ISOs were released on MSDN. As a consequence, we did release the upgrade, the feature upgrade in our content. So those that do see it as missing but don't currently have access to that, just hold on tight. Hopefully, it'll be soon. One of our members, Luna, mentioned that it might be 25th of May is what the rumor mill's saying, but there's still no reference. In my experience it was a pretty, pretty smooth upgrade. Definitely didn't have the issues I had with 1809, but I'd still wait until 1903 kind of gets approved for business. Covering a few more things. Did I hear you, Todd?

Todd: Yeah. I was just going to say. Another quick comment, Brian, is that these microcode updates aren't available for all versions of Windows 10 just yet. That's correct, right?

Brian: Yes, that's correct. For the microcode vulnerabilities, currently 1809, 1803, and the new 1903 do not have a microcode vulnerability, microcode updates available for those. Since they had a question for it, there's another question about it. What are the microcode vulnerabilities or, sorry...Patches, not the vulnerabilities, the patches? These are firmware updates, actually, very similar to the BIOS updates that are approved by Microsoft. Microsoft kind of worked with Intel to have a quicker, quicker upgrade process instead of relying on the vendor.

You shouldn't need the additional BIOS or firmware updates that the vendor supplies later. However, I still might recommend that if you do have that ability to do so. Around the latest speculative execution patch, you are not vulnerable if you do disable hyper-threading. But you also eat that...that performance decrease. What else? What else are you reading, Todd?

Chris: Brian, there was a question coming in about how, and I'm assuming it was the microcode patches affect Macs as well. And you responded back that you were gonna talk about that?

Brian: Yeah. Absolutely. Thank you. Thank you, Chris. So the latest speculative execution patch vulnerability does affect Linux, Mac, and Windows. For Mac, the latest update, which I believe was just released 10.14.5 will take care of that for you. Fortunately, you don't have the additional microcode update for Macs because the hardware support is limited. One question I did get that I did want to bring up. The Kerberos authentication issue that was plaguing March and April did get fixed in May. If you look back to the known issues for March and April, it did a reference to May patches, so that they get fixed, of course, test that through, make sure that's correct.

Chris: Yep. That is a good point. I didn't include that in my updates because I was running out of room on my slides.

Brian: Yeah, we definitely ran out of a little bit of issues on the slides. There was one question about the speculative execution vulnerability and whether it can be exploited remotely. Within the researchers' landing page, they did attempt it. Yeah, you can definitely pull some data out remotely, but it's pretty, pretty limited. Not a ton. There wasn't much. They kind of hit an SSH session for about 24 hours and pulled out little bits. But you are definitely vulnerable at that level so definitely heads up. There was a question about upgrading for Java 8. Can you speak to what the current versions of Java for people for upgrading from Java 8 to a new version? That's a great question.

So Java 8 is the last long-term supported version of Java runtime. So Java 11, or I don't wanna even call Java 11. Java SE 11 only includes JDK 11. Kind of what that means to you as an end user is it's more dependent on the developer where they have to update their JDK library and then run and release that product with that newer library. So you're covered for those vulnerabilities. In terms of when Java Runtime Environment 8 effectively gets end-of-lifed, you'll be more dependent on the developers for that and it won't require those additional runtimes, which is great. But from a vulnerability standpoint you'll be more dependent on them releasing newer updates.

Chris: So do we want to...I think there were a couple of additional questions about the RDP vulnerability. So they didn't have specific exploit code samples, or anything available. But they talked a little bit about if you read the Brian Krebs article, it is the vulnerability is exposed pre-authentication. So an attacker can remotely speak to that RDP service without having to authenticate. And the code complexity to do so is simpler than what was previously used in the Eternal family of exploits. So it's believed very strongly that an attacker will be able to take advantage of this.

The classification of this being wormable is...basically puts it in that class of no authentication required. Any exposed RDP service if it's, you know, actually there was...let me see if I could pull up the stat real quick. One of our other SEs was doing a little bit of research on this as well and sent this over to me this morning. BinaryEdge is a scanning engine that Rapid7 was using to identify public-facing RDP services. And they found globally, 16 million endpoints publicly available on ports 3389 and 3388, which are typically reserved for RDP.

So all of those in essence would be exposed to a threat actor doing this. And this is how WannaCry and NotPetya and other variants that used those previous SMB exploits started their attack as well. It was a combination of remote exploits targeting any public-facing ports that would normally be broadcast or, you know, reserved for RDP, and also phishing scams to get on one system. And from there, try to go out and grab anything with RDP on it as well to spread itself further. So definitely, a high concern and one where it does not require exploits, or the exploit does not require authentication to be executed. All right. Do we have any others right now? I think we caught most of them, 1903 we did talk a little bit about the fact that rumors are saying May 25th, but right now it's still only available on MSDN. Go ahead, Brian.

Brian: Yeah. The one, just to elaborate on what you just said, James is asking, "Is it only web-facing RDP that is vulnerable?" No, no, no. Absolutely not. Basically it's one of those ideas that once they get into one point, they can attack via your network after that point. So it's definitely not just your web-facing RDP. Once they get the first place and it could be, heck, it could be just a phishing attack. And you interacting with a virus may kick that off. I mean, there could be many, many ways to get in initially. But it can replicate after that.

Chris: Right. So, James, to kind of put this in reference, any publicly-facing RDP services would be potentially exposed to this, the infected operating systems if the attacker is able to phish a user and get inside your network, they could look at any RDP services available within the network. And even if you're running an air-gapped environment, you do need to be concerned about this. So if you recall back to, you know, a couple of late incidents that happened around the SMB exploits, there were multiple large car manufacturers that had sites taken down completely months after the initial WannaCry incident occurred.

And the reason that they got taken down is they felt they were safe, they were air-gapped. What would possibly be able to get in there? Well, the malware was introduced via USB, or external drive devices that were brought into the environment by their own IT department and they didn't know it. So once in the environment, that malware kicked off, broadcasted around, looked for anything listening on RDP, and just started spreading itself, and did so very effectively. So, again, this is wormable. Any of those five operating systems that are in your environment are exposed to this right now. And it could allow an attacker to spread very, very quickly.

So if, you know, again, with the sophistication of malware we're seeing now, if I were a threat actor, I would be developing a piece of malware to do a variety of things. I would have one that's set up more as an external attempt to go and, you know, strike at any external facing RDP services. I would also have some phishing campaigns set up to try to get into environments and be able to spread that way. And with every system that gets compromised, I would actually hold off from doing anything like an immediate ransom. And I would next try to make it spread to additional systems that could possibly use other exploits.

So, you know, basically if I were in an environment already that I got in through RDP and I spread around to as many as I can get there, all of those systems then can turn around and look at using other exploits to get onto non-affected systems by the RDP vulnerability. So, again, this makes it so it can spread very rapidly, very effectively. But it won't be the end of what an attacker would do. They're going to...if somebody really is planning to maximize this, they're going to look for additional vectors that they can attack aside from just the RDP vulnerability.

I mean, malware like that like Emotet and others are getting more and more sophisticated, and are able to use a variety of different attack methods based on what they find in their environment. This is just going to make it extremely easy to get that initial spread for an attacker. So hopefully that helps answer your question. I know it's the long way but Martin had a question about the VMware vulnerability. Yep, we did cover that towards the end here. It was a lower impact vulnerability. So, hopefully, I passed it here. Yep, there it is. VMware workstation severity was a medium. It's an elevation of privilege vulnerability that was being resolved there.

Yep. And, Carlos, to answer your question, "Basic security hygiene will assist in reducing the likelihood of exploitation?" Yes, absolutely. For that RDP vulnerability, patching is going to plug it. That will mitigate the vulnerability altogether. But having, you know, systems running least privilege and also having good application control capabilities in your environment. If an attack does, you know, get onto a system, those are the primary ways that you mitigate, or slow down their ability to spread. All right. I think we have exhausted the questions so far. Do you guys see anything else?

Brian: I think we're great. This was one heck of a Patch Tuesday.

Chris: Yes, it was.

Todd: Yeah, Brian was typing like a madman there.

Chris: All right everyone. Well, thank you for joining us this month. Again, it was a big one. We apologize we ran a little bit long here with some of the explanations. But we hope this was helpful. And we'll see you again in June.