October Patch Tuesday 2019
October 09, 2019
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Brian Secrist | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris Goettl: Hello everyone, this is Chris Goettl. Thank you for joining us for October's Patch Tuesday Webinar. With me today, we've got Todd Schell. Todd, how's it going?
Todd Schell: I'm good Chris. How are you doing today?
Chris Goettl: I'm good. Has the rain stopped down there in Texas?
Todd Schell: I haven't had a lot of rain here in San Antonio, but over on the East side of the state. Yes, it's over. Thank God.
Chris Goettl: Right. Okay, good. That's good. So, actually we've got some other supporting crew members here. We've got, Jared who is going to be handling the, any questions and things like that coming through the chat and making sure you guys get links for all the articles that we're doing it through the chat as well. And then also we've got Brian from our content team. Many of you know Brian, he often is handling a lot of the technical questions and getting us a lot of good feedback on how testing when things to know about as well.
Chris Goettl: So here's an interesting tidbit about Brian. Yesterday was his, 60th Patch Tuesday in a row working with our content team. So that, is five years of Patch Tuesdays without missing one. Congratulations Brian. That's a very long stint with us here without missing a single Patch Tuesday. Awesome. Well, so this may be a little bit more, may be a little bit different in the global market, but it was kind of funny as we were looking at the content for yesterday. We were really looking at 13 bulletins from Microsoft and somebody made a comment about, that being, bad luck or good luck or happening in the month of October with Halloween and everything. So we had a little bit of fun with that, decided to talk about breaking mirrors and walking under ladders while holding a black cat and dumping salt everywhere.
Chris Goettl: So, in general though, it actually looks like it was a pretty toned down Patch Tuesday. So we're hoping that this one will be fairly smooth for you guys. There are a couple of things that we're going to definitely want to talk about, make sure you're aware of some known issues to look out for. But overall, actually our content team wrapped up the testing and release pretty early in the day. So, alright, jumping in, we're going to go give a quick overview. We did have the 13 bulletins from Microsoft and two from Apple that actually released, late the day before but released into our content yesterday. So we're going to talk about those updates, and we'll talk about a little bit more news leading up to Patch Tuesday. So on the news front, we've got ... First thing I wanted to mention is we've got an upcoming cybersecurity virtual event, so being that this is October cybersecurity awareness month, we've got a lot of content and events and things lined up across our security organization here.
Chris Goettl: So you, may have seen a lot of content coming out of our blogs, and a series of Webinars that are already ongoing. But we're going to be cultivating or kind of cultivating, leading up to this cybersecurity event here on October 23rd. It's more of an industry level event. This is not just a set of commercials showing product. All of the sessions for this event are going to be, industry experts across a variety of different security vendors and partners, and it will be focused on industry topics. There will be a little bit of tie into what types of solutions you should be using to solve those challenges, but you will not like, product demonstrations or not what we're going to be showing during this event.
Chris Goettl: The event is a hundred percent free. It's 100% online. In fact, where our keynote for this is going to be Dr. Chase Cunningham from Forester. He is going to be doing a really cool conversation around Zero Trust Security. So he's done some great work around Zero Trust Security models. He's got a very interesting conversation around that. In fact, Jared was just working with Dr. Chase and the team yesterday at Forester to get that recording done. And again, right now rave reviews about the conversation that he's going to have with us. It's going to be some good stuff, but we'll have lineups sessions from CrowdStrike, from Kenna security, from Morphisec. There will be also a panel session that we'll go over risk based prioritization as well.
Chris Goettl: So, a really good lineup of topics and content that are coming your way. And again, it's all industry topics of how do we get better at securing our environment, not just a lineup of product demonstrations. All right, so getting into the rest of the news here, we had some interesting things happening from the last week of September through early October here, around an IE zero-day that released. So I wanted to start there. If you look at ... Let me jump over to this first article, which is on computer world, for those of you familiar with AskWoody. So, Woody on windows, Woody does a great job of capturing a lot of issues that happen, especially around those late month, feature previews and non-security releases that come out. But he did a great job of kind of capturing some of the events from that IE Zero-day first releasing, known issues and things that were happening.
Chris Goettl: So that's why I wanted to walk through this article real quick. So back on September 23rd, Microsoft released an IE out-of-band update for CVE 2019, 1367. This published as a Windows 10 cumulative update in the Microsoft catalog, for versions 1903 and earlier. It also released as an IE roll-up for Windows seven, 8.1 server 2012 and 2012 R2. But those you couldn't just get directly from the windows catalog. You had to manually download them. For our customers, they were available in our catalog within two hours of the release from Microsoft. So a lot of companies, depending on if you're using Ivanti technology or if you were going straight through Microsoft, you may have seen, that IE zero-day be a little bit difficult to get your hands on if you're using WSUS or SCCM or other technologies where Windows 10 was right away, it was available in other ones, you had to manually download it.
Chris Goettl: Or, on September 24th, when the non-security cumulative updates released the basically for the pre Windows 10 platforms, which referred to as the monthly roll up previews. When those released, the IE zero-day vulnerability was resolved as part of those. It wasn't well documented that, that happened. So again, there was a little bit of confusion there, and we wanted to kind of point out. There was the zero-day update that dropped on the 23rd. You could have installed that or if you did the monthly roll up previews for the pre Windows 10 systems, that also would have resolved the IE zero-day. Now, from that point on, there were a number of issues that started being reported around printing. So jumping down here, there's a little bit more discussion around October 3rd, additional sets of cumulative updates and monthly roll ups released again trying to resolve some note issues that were happening around printing.
Chris Goettl: So let's jump down to the kind of the area discussing that we've got. Here we go. So depending on your environment, this did not break printing at the print spooler level. This changed the interaction with some applications with how printing was working. So, in some of these reports there were things like LibreOffice or notepad stopped being able to print. Several people reporting, printing issues with certain, HP printers after installing the update. There were some cases where ... Oh, Adobe is working, their printer driver works fine, but other printer drivers weren't working with it. So it was very sporadic. It wasn't just everything printing was broken, it was kind of, a mix of different things in there. So, depending on what you encountered, if you tested the air of rollout, the IE zero-day as well.
Chris Goettl: Microsoft did talk about this in the release yesterday. Let me scroll down. Here we go. So this is the actual original IE zero-day CVE. So you can see here the original released on 923, there was an update on October 3rd, which tried to address some of those printing issues. There was still reports of continued printing issues and Microsoft stated here, that the security updates releasing yesterday include the, IE zero-day CBU fixed, but they also should resolve the known printing issues that were being experienced. Now from our standpoint, because there were so many various issues that were reported, it would still be good to, if you ran into any of those, double check all variations of that because it seemed like it was much more localized down at an individual company's applications or how interactions were between print drivers specifically.
Chris Goettl: So Microsoft may not have fixed them all yet. They believe they've got more of the issue resolved if not all, but please do double check that. That's probably around the, anything at the OS level, the IE level this month. This known issue is probably the one to kind of take a look out for, but Todd's going to go into some more depth around, the specific bulletins level known issues that have been reported so far in just a few minutes. So, that's the IE update. One thing that has already come up. There were some questions to our support team yesterday that I wanted to clarify real quick. This CVE, specifically released for all of the KBs that had originally released for. In Microsoft's update yesterday. The only reference to that zero-day CVE was, actually I'm not even sure if it's in here.
Chris Goettl: But yeah, they did not release that CVE as part of any of the bulletin updates yesterday. It supersedes those and includes it because of the cumulative model that we're in. But you won't see that CVE directly tied to yesterday's updates. It includes those fixes because all of those packages are cumulative, as long as you do either the IE cumulative or any of the monthly cumulative roll-ups. If you just do the OLS security, only bundle that does not include the, IE zero-day fix. That's the only case, and we'll talk about that a little bit more as we go through. But that's one thing if you're looking for that to be listed in the CVE for yesterday's patches. You won't see it there because it's actually still tied to the zero-day releases that happened, the two, three weeks leading up to yesterday's release. So I think that handles all of the questions around that.
Chris Goettl: Another area that has been coming up more and more recently is around servicing stack updates. Yesterday we had saw an update across all but a couple of the offices again and last month, Microsoft released servicing stack updates across the board. So I wanted to go through that, and I've got a couple of slides to talk about that here, next. But we're going to talk a little about what servicing stack updates are. What you should expect as far as, when you should be deploying those and so on. So I'll talk about that in more depth here in just a moment. Additional third party updates that you should be aware of. Adobe flash player did not drop yesterday, there was no release on Patch Tuesday for flash player. It did drop today, October nine, but does not include any security fixes.
Chris Goettl: So Microsoft won't be releasing an update for Adobe flash through their processes since it's not security related, most likely. So just, so you're aware, if you do see that, from what Microsoft, from what Adobe's documentation is reflecting, there are no security fixes in today's flash player release. Oracle is going to be having their quarterlies CPU, next Tuesday on October, 15th. So, they do the Tuesday closest to I think the 17th each month, which typically comes, the week after Patch Tuesday in two out of four of the cases each year. So look for Oracle's updates next Tuesday. All right, so getting into the servicing stack updates a little bit more in depth. First thing that comes up is, what exactly are they? It's an update or change to Microsoft's windows updates services.
Chris Goettl: So it's not WSUS, it's not SCCM. It's the actual update services on the end point that are being changed out here. They're doing this to prepare for some changes in their approach to applying updates to the windows platform down the road. They are separate from regular monthly patching. They're not included at this point in time in the normal monthly cumulative updates. There's some questions around whether they will include them at some point in the future, but at this point, the servicing stack updates is a separate standalone patch that needs to be applied independent of the normal update chain. So what's in an SSU, they're not security related, but they are classified as a critical update. Microsoft recommends getting these in place. They will at some point down the road, do some enforcement around requiring it to be able to continue patching platforms in the future.
Chris Goettl: They are not windows feature changes or bug fixes. They are specifically a change to the updates services on the endpoint. So typically, this is leading up to some change that Microsoft needs to do, a few more months down the road, and they're preparing the update service for that change and giving you time to test it out and make sure everything is working before they enforce it. So when should I expect an SSU to become a pre-requisite for continued patching? So, we've seen many SSUs release over the course of this year. If you go back to the SSU, that released back in March, several of those are now being enforced in a pre-requisite, for being able to continue patching certain platforms. We've seen that enforcement come as little as two months out from release of the SSU. So this isn't something that you can kind of just forget about and not worry about.
Chris Goettl: It's going to actually be enforced at some point. Microsoft is not typically very forthcoming about when, so our guidance around this is treat them more like the Windows 10 Branch Upgrades. Designate a pilot group that you're going to start to test these out as soon as they release. Try to get that pilot group started as soon as the SSU start coming out, but make sure that you're preparing for mass rollout, targeting around 60 days. So two patch cycles puts you in the realm of being safe about that, making sure that you're ahead of any point where enforcement would start to come into play.
Chris Goettl: Otherwise, what you'll find is Patch Tuesday comes around, the SSU is from a couple months back, suddenly are a pre-requisite to be able to install this month's patches, and you've got a much bigger problem on your hands. So definitely, dig in, don't delay too long on these, but do some testing around them, and make sure that they get rolled out and don't cause any issues for you before implementing in your environment.
Chris Goettl: All right, so this just goes into a little bit more depth on what released yesterday. We've got, the Microsoft just has a standing advisory 990001. Each time they release new servicing stack updates, all they do is update the SSU package, the KB article, and then the date that it released. So you see here, this is what you'll find at this link today, is windows server 2008 and Windows 7 in 2008 R2. Both have September, 2019, as the last time they had a servicing up, a stack update release. Now last month, the rest of these would have also read September, 2019. But this month they released the rest of the platforms again. So you see, we've got a new series of KBs and October, 2019 as the date released for those servicing stack updates.
Chris Goettl: Now, from what our team has already tested and validated, the October servicing stack update does not replace directly, or supersede the September servicing stack update for the platforms that got released in October here. So down the road, Microsoft has in the past done enforcement where they say, "Oh, hey, in this case, we'll take this version or this version of the servicing stack to allow continued patching." So I think it was Windows 7 and Server 2008 R2. There was a March and a May release earlier this year. Both of those were acceptable to keep patching around mid year when Microsoft started enforcing that. So that can happen. But it's not a guarantee. So best thing to do would be to take those October servicing stack updates and validate those in your environment and get them rolled out as well, to make sure that you're on a version that Microsoft will accept. Because again, they don't give much lead time around those pre-requisites until the day that they actually start enforcing it from what we've seen.
Chris Goettl: So, I don't know if that little kind of walkthrough and answering kind of the most common questions that we've been getting help clear things up. I think we're still probably in the state of as clear as mud here on servicing stack updates. We'll continue to try to give you guys as much information as possible as soon as we get it. But again, some of these things are inconsistent with this, and I think will, my hope is that Microsoft will have a cleaner perspective on how to approach SSU going into 2020, but that's something we'll try to keep abreast of and make sure that you guys are aware of as much detail as we have as we get that information. All right. Development tools and component updates this month, we've got some updates to Azure, to CharkaCore and Open Enclave SDK. And then the SQL Server Management Studio also received some updates this month.
Chris Goettl: The reason we talk about these is, these are not regular bulletins that most of you would be deploying. These are components of binaries that a development team, they would need to update their development environment and then push a new version of that. Or in some cases we've seen Azure changes where Microsoft does some of them and everybody gets them all at the same time. And then other ones where you need to push a new version of a container, or you need to turn on the new feature or the change in some way. So it's good to make sure that those teams are aware that they've got to go in and investigate when those tool sets change and make sure that there's nothing that they need to actually do on that part to resolve security vulnerabilities in those components.
Chris Goettl: Java 11 is kind of one of those again. So for those of you who know that your organizations have moved on to Java 11, next week when the Java 11 update comes out, in that case, a developer would have to update the version of the JDK running on their system and then they would have to go and run a new bill and push that application back out to your organization before those vulnerabilities are actually resolved in the application. If they don't do that, then you're still running the vulnerable version and there's no longer in Java 11 and later, there's no JRE anymore for you as the patch administrator to be able to update. So that's some of the challenges around those development components and why we typically match it to that to bring awareness around that. All right.
Chris Goettl: Windows 10, we do have, for those of you who were on the enterprise or EDU edition of 1703, this was it. October was the last patch cycle for that branch. So make sure that you've done your final cleanup. Make sure that you're 1703 branches are all getting upgraded to something newer because October 8th was the last security update for that platform. Now, for those of you on pro and workstation additions, November 12th, next Patch Tuesday 1803, we'll be reaching its end of service after that patch cycle. So just do a little double checking. Make sure that you've got a handle on if you've got some 1703 or some, in the case of a pro and a workstation additions 1803, that those are all cleaned up and out of your environment, so that you don't have any lingering systems that are no longer getting security updates.
Chris Goettl: Each week we do a weekly patch blog and talk about a number of issues that are happening out there. Brian, from our content team spearheads the effort around that. In fact, Brian did a great job of making sure that I'm trying to go through too many, nope, hold on. Here we go. No, that's the wrong one too. There we go. Back to my browser. So Brian did a great writeup of the IE out-of-band, at the end of week 40. So his blog posts that week was talking about the zero-day, talking about some of the issues around that, and the continued kind of, Microsoft had a few things that continued to happen over the course of a couple of weeks there.
Chris Goettl: So tuning into those weekly patch blogs, you're going to see a lot of those types of issues around zero-days, around additional security releases COC. Microsoft was not the only one that had some things going on. You've got all these applications that updated and if any of those included security vulnerabilities, we would be able to list those out for you too. So you're aware of that. So always keep an eye on and Foxit header CVEs relating to it, that released that week. Details like this are constantly, being released from our team. This gives you a source to be able to pull more of that in and stay up to date on those types of activities.
Chris Goettl: And for those of you who are new to the Webinar, we do also have our content notifications. If you're using any Ivanti Patch Solutions from our endpoint management suite, our endpoint security, former E product. Our security controls or what was formerly patched for windows or our patch for SCCM plugin. We've got different content notification feeds for each of those products. You could subscribe to any and all of those that apply to you. And each time we release content, which is practically on a daily basis nowadays, you will be able to stay in touch with what's being released and be able to receive that through either through the forum, through RSS feed, or through email by subscribing to those content notifications. All right, Todd.
Todd Schell: Hey, Chris.
Chris Goettl: I am going to hand you control here. You're now driving, take us away.
Todd Schell: Thank you very much. Okay everyone, let's walk through the bulletins this month. As far as what Microsoft released overall, as Chris said, it was kind of a light month. I didn't include the two, Apple updates here. So, you can see in particular around a iCloud, for example, there wasn't update for 7.14 and 10.7, which are the all of seven version, seven and eight as well as a Windows 10 updates included the links here as well. So you can read about those. They didn't fix as many vulnerabilities that they have in the past. Typically, they release updates once a quarter. In the past, I know back earlier this year, there were 20, some addressed a one quarter and in the high teens, but this month, they fixed eight vulnerabilities in iCloud. Apple doesn't give it a rating, but because of the remote code execution and some of the other issues surrounding this one, we gave it a maximum security rating of critical.
Todd Schell: So I'll include that on here. So definitely you want to update your iCloud. Same thing for iTunes. They did release an update to version 12, same vulnerabilities. Actually, there's one additional one version 8720 was also fixed in iTunes. So, same vulnerabilities as iCloud, obviously they share a common code base. So those were fixed as well. Moving on to the bulletin himself from Microsoft, we got our usual Windows 10 update for all the operating systems as well as the servers. There was an update for IE 11, and edge as well included in these updates. Not as many vulnerabilities addressed this month as in the past. They did cover 43. One of the things that you usually see from Chris and in the introductory section is the exploited vulnerabilities and the publicly disclosed vulnerabilities. There were none this month, so kind of, a quiet month from that perspective. And you'll see, I have this comment in here around these vulnerabilities for all of these particular bulletins.
Todd Schell: Microsoft did fix some of the known issues that we had from last month, but I carried forward some of these, that are still existing, and basically all versions except for 1903, there is this issue around file renaming. We've seen this carried forward now for six to eight months. So, Microsoft has not addressed this one, although they say they are working on a resolution for it. So be aware of that one. There is an additional issue here. This one's been carried forward for a long time too. This issue around having a minimum password length for certain systems. I'd you have to go back, and they do have a work around where you can set the policy to be less than equal to 14 characters to make it work. So just kind of be aware of that. This is once again on 1607 and server 2016 so some of the older versions there.
Todd Schell: It also has this file rename issue. So these are covered in the bulletins, the Kbs. Other additional ones in 1703 and 1709, they only just addressed or listed one issue around file rename, same particular problem that I just talked about earlier. 1803, they had an issue with this log on screen. When you would first restart the device, you'd have a black log on screen and there's a work around with the control out delete. So you can get in there and select restart, and it will come up cleanly. But be aware of that one. This one's also been around for a couple of months now. A new issue this month that we haven't seen before has to do with the mixed reality portal, and basically they were saying that you would see an error code and essentially all you really need to do is go in and log into the portal and on your operating system, and it will actually kind of reset the issue, so it'll go away. So, they know that this is an issue, it's avail, it's showing up on version 1803 only.
Todd Schell: Also, we have that file rename issue here. And then finally in 1809, this particular issue here around Asian language PAX has been around for quite a while as well. I keep carrying it forward month after month. And they keep including it in their bulletins. 1809 also has a number of additional issues, the file rename that problem with the black log on screen and that mixed reality issue as well. So for particular issues listed for 1809. Interestingly enough, nothing was listed for 1903. So if you are on the latest operating system, a latest Windows 10 release, hopefully everything is going well for you.
Todd Schell: Moving on to Internet Explorer, Chris talked about this quite a bit in that, the CVE zero-day was addressed earlier in late September, I should say. This particular update, this on a Patch Tuesday, address five different vulnerabilities. Interestingly enough, if you go into the release notes, that Microsoft includes with the updates, and you click on that known issues, they have this listed. However, there are no actual known issues specifically reported under the known issues section in there. But if you do look very closely, they talk very much, they quite a bit of detail around the SSUs, that Chris talked about. So obviously the SSUs are very tightly coupled to making sure that Internet Explorer applies properly on your systems. So, there was that printing issue associated with those earlier releases. So, I'm assuming that all this is tied together very closely. So once again, make sure that you apply those SSUs and then of course, go through your regular Internet Explorer update or your cumulative updates and you shouldn't have any issues.
Todd Schell: That's what Microsoft is saying and that's kind of what we've seen as well in testing on our side. Moving on to some of the older operating systems. Server 2008, had a monthly roll-up released this well, this month as well. They addressed 17 vulnerabilities plus a three IE nine vulnerabilities in this monthly roll up. You can see the bulletins information here, 452002, so if you were to look at that in more detail, you can see specifically what they've done there. I mentioned this every month, but for those of you who are new to the call, there are typically two releases done for each one of these older operating systems each month. There's a monthly roll up that includes basically, all the patches or all the updated patches since October of 2016 in one large update and includes some, in addition to the vulnerabilities that are addressed from a security standpoint, it includes a lot of enhancements, I in the operating system there.
Todd Schell: So basically, in a single pass you can do kind of everything and get your operating system all up to speed. They also release a security only version, which are just the security only updates for the operating system in a given month. Here's the one for windows server 2008. Again, it's just those 17 vulnerabilities. So, depending upon what approach you take to your patching, some people apply the cumulative update every month. If you have sensitive systems that you don't want to go through a large update each month, you can apply the security only just to make sure the security fixes are in place, and it may be less disruptive to possibly some legacy operating or less legacy applications that you have running on these older operating systems.
Todd Schell: Again, this month, the security only for server 2008, address 17 vulnerabilities, no known issues for either of those. Windows 7 and server 2008 R2, again, monthly roll up this month, addressing 20 vulnerabilities plus five different IE vulnerabilities. Down here at the bottom, you can see Chris talked a little bit about the SSU and they had quite a bit of detail in the bulletins associated for these, this monthly roll up in the security only under Windows 7 and server 2008 R2. So, basically what they wanted you to do is make sure you install the March servicing stack update. Basically what that was doing was getting the operating system ready for the latest shot to update. Those of you who have been on our Webinar for the last couple of months, you know that we had some slides in the introductory section talking about SHA-2 and how Microsoft was moving all of their updates from a SHA-1 signature to a SHA-2 signature.
Todd Schell: Well, Windows 7 and server 2008 originally did not support SHA-2. So there wasn't associated KB when they talk about this may update that Chris and Brian were talking about. Basically, this installed the latest SHA-2 update, to make sure that all of the latest patches release for these operating systems could be read and validated properly before they're installed. And then of course, they want you to install the latest SSU, which is that September release, prior to installing this monthly roll up. So if you're keeping up with your systems, and you've gone through this process in the past, it's not a big deal, but if you install perhaps an older version of Windows 7, you're starting up a new system and then you've got to go through the process. We're reported here to make sure that you have the system ready for the latest update.
Todd Schell: So just be aware of that, including the information here. You can go into the bulletins, specifically 4519976 and read more about this if you want, all the details that are included in there. And again, there's a security only update this month as well, addresses just those 20 vulnerabilities that were fixed this month. Moving on, there is a continuing update for server 2012 as well. There's a commonality obviously in the number of vulnerabilities that are addressed in each one of these. There was one additional one here for server 2012, so I did address 18 vulnerabilities this month. You'll notice that there is a known issue. That file rename issue that was identified under a Windows 10 that I showed you earlier is also an issue here with server 2012.
Todd Schell: So you can go back and read about that, if you go into the KB specifically 20007 one here listed, you will see that as well, with the same work around there. There was a security only update for server 2012 as well. Same, once again, 18 vulnerabilities, not the cumulative for all the last couple of months since October, 2016. Once again just those 18 and there is a file rename issue associated with this as well.
Todd Schell: And finally, the last of the legacy operating systems, here we're talking about, Windows 8.1 and server 2012 R2, address 20 different vulnerabilities. Again, we're seeing that same file rename issue. In case you're wondering why, and I mentioned this to every month, why it's Windows 8.1 and server 2012 R2. It's because they have the same operating system kernel and typically when they apply these updates, you need the same kernel, and the updates apply specifically to that operating system kernel. So they're lumped together under the same update. And finally there is a security only update for a Windows 8.1 and server 2012 R2 as well, addressing just those 20 vulnerable. So kind of, a light month, we had updates across the board on all the operating systems. There was a security update for Microsoft office. It was only rated as important this month.
Todd Schell: There was a memory issue addressed in Excel, so be aware of that one. It's a privilege escalation issue. There were updates for basically all versions of office from 2010 through 2016 and Mac updates as well. They only address two vulnerabilities, again only rated as important this month. So, we've kept it as a priority to, from Ivanti standpoint. And the same two vulnerabilities were also addressed in Office 365 and Office 2019. As far as updating these, once again, they're click to run model, online model to update these. And I've included the link here, so you can get the latest release notes on those. Again, only important this month. And finally the last update, there was an update for SharePoint Server, addressed five vulnerabilities, so be aware of those. I've put a little bit of information in here in the description about these different vulnerabilities.
Todd Schell: They were related to remote code execution, a possible spoofing on the SharePoint Server from a user perspective. And then there was an elevation of privilege of vulnerability that was addressed as well. No known issues around this, but be aware, there was an update this month for SharePoint Server. So again, a fairly light month, as far as the updates go with that, Chris, I'll turn it back over for between the Patch Tuesdays.
Chris Goettl: All right. Thanks Todd. And we've been getting a lot of really good questions in here along the way. It looks like Brian and Jared are answering most of them already, but we'll be recapping some of those here shortly as well. So, please stay tuned here for a couple more questions that we'll be going through. Oh, here we go. So do have, we cover these slides at the end here just to give you an idea of all the other things that happen in between, our weekly blog, our content notifications. All of this is used to help keep you in the know about additional updates that come out as well. But you could see there's a lot of security updates that happen, in between Patch Tuesdays. So things like, next week when Oracle releases their updates, when an office up or when a Foxit reader or any of the browser updates for Chrome and Firefox or other applications also released, many of these can be security related.
Chris Goettl: So, we try to give you guys as much information as possible. This helps you keep in the loop on those, but you've got Foxit reader had some releases with 10 vulnerabilities resolve. Chrome had one that included four vulnerabilities resolved, VMware workstation resolve two and when SCP fixed three vulnerabilities. So those were all security specific with vulnerabilities identified that released between the Patch Tuesday. So keep an eye out for those types of applications as well. All right, Q and A. So there were a few that I wanted to go back and touch on here that I saw and then Brian and Todd, if you guys see any others, let's go into those as well. But there was a question from Tracy, so she had seen before where you did not see updates showing up as applicable in WSF until you installed your SSU.
Chris Goettl: So yes, that can absolutely happen. Make sure that ... And that's where, when we talked about the enforcement not being available for that, there will come a point where Microsoft will not be able to install later updates if you haven't done that SSU. So that's the importance of that is, staying ahead of that point where enforcement happens because when it comes down to that, you may be blind to the fact that there's things that are applicable because that SSU is the thing blocking you from moving forward. So, that's why we recommend and want to put some more focus around that. So, Nathan had a question around those SSUs and if they're automatically included in Ivanti patch for windows or do we need to select a category to start scanning and patching for them?
Chris Goettl: So Brian, I'm actually going to have you jump in here real quick because, this I think applies to both the patch for Windows product and also the APM patch product. So we categorize those SSUs as a critical update. Are they security or are they non-security?
Brian Secrist: We do follow up Microsoft's, kind of, a categorization there. They are security.
Chris Goettl: Okay. So in most of our products, but if you take like in the patch for windows or security controls product, if I do the default security patch scan, I should see the SSU included in that assessment. Right?
Brian Secrist: Yes, that is correct.
Chris Goettl: Excellent. And for those of you on EPM, it's just a matter of depending on how you're doing your approval process, again with the newer way of filtering, if you did all security, again, you should be seeing those right off the bat as well. Otherwise, if you're on pre 2019-1, or if you do an explicit approve, you'll have to choose those to add them in. But that's how you approve them there as well. For those of you on the security control side, if you're using a Patch group, again, you'll just need to go through and select that patch to add it to your patch group, if you're doing a kind of that approved list approach to it rather than a filtering option to bring everything in. Are there any other questions that either of you guys are seeing around the SSU that we need to answer?
Brian Secrist: There was just kind of one question about kind of how SSUs affect detection in our content. So I can cover that real quick. Currently the only SSU, well the little gray area there, but the only SSU that is explicitly required for install, is the server 2016, 1607 SSU, I believe it's the April, 2019 one. However, Microsoft did change a little bit with Windows 7 in 2008, where the March and April ones do seem to be a bit required as well, but it is a little bit more gray about it. For our detection, we're only looking for the April server 2016 patch. Otherwise we should offer everything else. Everything else will deploy without an SSU. However, Microsoft does recommend that the SSU is installed alongside it. So, we only affect detection one when we see explicit failures.
Brian Secrist: So for other questions, some customers were having some issues with Server 2008, R2, specifically, on their servers that were running into blue screens, et cetera with August and September's updates. I've noticed just to kind of for some background if your category quarterly update. I've noticed that's only happening on EFI boot systems and ideally from what I've from what I've read, installing the latest V3.2 patch should fix EFI boot issue. So just deploy that one first and that should work. But of course, please run in your test group. That is something that we were hearing from customers, it was definitely on our, your mileage may vary environmental. I don't want to call it just environmental, but your mileage may vary on EFI setups.
Brian Secrist: To reiterate, we did have a few more questions about IE. If you haven't deployed the mid month IEs from the zero day, this latest one we'll include that CV by association. So, you doing the latest one will work just fine. Just discovering that. One other customer did mention that they were having issues in September installing the SSU with other updates. They have a case with Microsoft, but for those using SCCM, you may want to install the SSU first. What else? Getting a ton of stuff at the end. So I'm trying to read through those. Yes, SSU are cumulative. Sure SSUs being sold completely separately from other patches. I have that ASU installing along side. However, if you do want to be safe, that can help you if you do install it first. What am I missing? Anything else to add?
Chris Goettl: I didn't see anything else specific to SSUs. There was a question around not supporting of .Net Core
Brian Secrist: Yes. Oh, that is a great question. I was asked questions about that. So we've been doing some research about covering .Net Core and we've had no problems installing it. One core about installing it, is it does install side by side. So let's say we patch to 10 different versions. Through our products there'd be 10 versions on that end point. We've been attempting to look at uninstalling the old one, but it looks like the product .Net Core is not uninstalling outside of an interactive session. So we're doing it silently. So we're kind of looking into some options there whether opening the old ones is fine for those development environments or not. Because kind of, whatever you have uploaded at the time.
Brian Secrist: I'm going to probably be putting something in User Voice, [inaudible 00:48:21]. Anyone else on here that's kind of waiting for .Net Core? Kind of mentioning how they'd like it, please, write it in here. But kind of what we're looking at right now is we can't uninstall the old one. So we're trying to see if it's all right, if we installed the newest one, leave the old ones for the time being, if that's all right, if that's acceptable. We're just trying to find a way to make sure you guys are secure and get updates as soon possible.
Chris Goettl: So there was one more question specific to EPM around the SSU. Does that affect the endpoint manager detection as well? So the answer to that one, Charles is endpoint manager and the patch for windows or security controls product use the same engine and detection logic. So we're treating that the same between those two products. The potential requirement of saying you have to have a certain SSU in place in the future or you might not be able to install newer patches. That's actually at the windows update service level. So it doesn't matter whose product you use, you will not be able to run patch, Microsoft patch on that system if they require it, at the service level as a pre-requisite. So again, Brian said that 2016 is the only one that has a hard enforcement today. The rest of them, there've been a few others that are stating that it's required, but they don't, they aren't forcibly blocking you from being able to install yet.
Chris Goettl: But again, Microsoft is pushing those surfacing stack updates to the point where at some point you can expect many of them to become a pre-requisite to do that. So while it won't break our ability to scan, it may break the ability to actually install an update on that system down the road if you don't have them in place.
Todd Schell: First I saw quite a few questions around printing issues. And as you mentioned, most of those were associated with the IE update that came out in late September. Most of the bulletins that I've read through, and I think most of the testing that we've done shows that the latest updates across all the operating systems fixed most of the printing issues that people have seen. There are a few random ones still here and there, but for the most part, it appears that most of the printing issues have been fixed. So I saw a couple of questions about that in, I logged there.
Chris Goettl: Yep. And I've seen several threads from patchmanagement.org already since yesterday, that people talking about that, raising concerns about it. Only one or two actually are still kind of saying that they've got some intermittent print issues still remaining. But it's still rather early in the process. So again, if you were one of those that experienced some of those printing issues, when the first zero-day dropped, the patch drop for that or since then, it would be good to make sure and retest any of those cases that you saw printing issues because they all seem to be, there doesn't seem to be one fixed that resolved them all. Microsoft had to do a series of fixes here to resolve the majority of them. And there could still be some outliers. So approach with caution, especially if you're one of the environments that did see, some printing issues before, double check those before you go roll out in mass.
Chris Goettl: So there was a question about Java, and there's a couple of ways that that question could've gone, but Micro, Java Oracle has made a number of changes over the last year. We've got an article up on our communities around, Java 8 support, and so that goes into a lot of detail about how Java 8 support works going forward. What Oracle's requirements are from a licensing standpoint because they've changed that as well. Todd, we don't touch on Java 11 as much in this article, do we?
Todd Schell: No, I did not cover it in air, but Java 11, there is no longer a runtime environment. It's strictly a development tool. And it's compiled into the application, so significantly different.
Chris Goettl: Yeah. So now, if you are looking for Oracle's cadence of when they update, I usually just go out search for Oracle CPU and if you go to their critical patch update page, that kind of core landing page. Oh, that's the detailed page. If you go to this one, there we go. The alerts page, they actually show their cadence on here. So in this case, October 15th is when they're doing their next one. That's next Tuesday. And then in January on the 14th, April on the 14th and July on the 14th in 2020 will be the next three out after that. So, that's Oracle's release cadence, and they explained here that it's released on a Tuesday closest to the 17th of January, April, July and October. Those are the four release dates for their regular cadence. So for the person who asked that question of where, I think, where could you find that's specific to this article here. It tells you how to identify when those are going to come out. All right guys, what else do we have for questions out there? Anything else?
Brian Secrist: Not too much. There was a servicing stack one is definitely the bigger question on my, it was the one question ... Oh, if a servicing stacks is cumulative, why is the March servicing stack not superseded, especially for Windows 7? We've foreseen that in our content, actually because we found that the March update is required for the next servicing stack to install properly. So we're just giving that route up there. Even though I thought that supersedes, it seems like there's a few issues there, so we didn't want to hide it from our customers.
Chris Goettl: Yeah. Again, this servicing stack updates seem to be a little inconsistent, which is why you're going to see a few things like that. We'll try to explain whatever we have specifically taken an approach like that where, to install the next one of mine, you have to do the first one. But otherwise, we do try to treat them the same way Microsoft does. So yeah, they're getting better with their consistency on the SSUs, but still, there's a little bit of grayness in there that we've been seeing. So ...
Brian Secrist: Yeah. Well, we'll always mention stuff in our patch notes if you guys, kind of watch that and we'll try to communicate as much as possible, but anything that we find we'll try to communicate to you as much as we can. It definitely seems to always be a different thing every time.
Chris Goettl: That keeps life interesting. All right, everybody, thank you for joining us here in October for our Patch Tuesday Webinar and again, we'll be looking forward to seeing you in November. Thanks, Brian. Thanks Todd. And thanks Jared.
Brian Secrist: Thank you.
Todd Schell: Thanks Chris.
Chris Goettl: See you guys.