September Patch Tuesday
September 11, 2019
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Brian Secrist | Staff Quality Assurance Engineer | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris Goettl: We've got an interesting Patch Tuesday on the way for you here. We're going to jump into that here pretty quick. A couple of housekeeping items on this before we get into it. If you do have any questions, go ahead and post those into the Q&A. On the call with us today are Jared and Brian, who are going to be able to answer a bunch of the questions. Jared will be popping URLs into the chat links as well, so that everybody gets the links up to the articles and things that we're going to be talking through. Brian, as always, is going to be bringing his expert advice and guidance around a lot of the things that we found during testing or known issues or information about products and updates that we're talking through.
Chris Goettl: So, as you go through, just go ahead and post things into the Q&A or the chat, and we'll respond to as many of those as possible throughout. We will have some time at the end for some additional Q&A, and we'll try to rehash some of the more common questions that I think everybody will be interested in at that time as well.
Chris Goettl: So, without further ado, let's go ahead and move on through to our overview. We'll talk a little bit about what all released, and then we're going to go through some recent news, vulnerabilities you should be concerned about, some update issues that were being seen, and so on. Then Todd is going to bring us through the bulletins, the actual updates themselves, and talk about specific known issues and details about those updates. All right.
Chris Goettl: So, just a quick overview of everything that released yesterday. On the graphic here, you do only see actually Adobe and Microsoft, but Google Chrome, as anticipated, did release yesterday, just really late in the day. So, all of this was done and out the door before they released that, but we did bring the Chrome update into our content release, and we will be talking about that here today because it is a big one, and there are a lot of critical vulnerabilities as part of that. So, Google Chrome, even though it's not in the graphic, is definitely out, available, and you should be concerned about it because it's got a lot of vulnerabilities. All right.
Chris Goettl: Going through a little bit of the recent news. We're going to give you guys an update on BlueKeep here. So, BlueKeep, for those of you who ... I'm pretty sure most everybody knows what BlueKeep is, but, in general, what the update is right now is that Metasploit has now added a module to, basically, probe and test machines and exploit the BlueKeep vulnerability to show that it's vulnerable on those systems.
Chris Goettl: What this means is yet another example of how to use this exploit is now publicly available in a framework that's available for sale. The purpose of Metasploit is, obviously, to focus on penetration testing and proving whether a system is or is not vulnerable to different exploits, but because of its nature, that information is now readily available to threat actors that might have had to wait for somebody else with more sophisticated coding capabilities to build an exploit.
Chris Goettl: Well, now, we've got at least two different pen testing software suites that have proof of concept code in their repositories. We've now seen, if you guys caught some of our earlier updates around this, we have seen malware frameworks also adding modules to be able to detect if a system is vulnerable to BlueKeep.
Chris Goettl: So, one of those that we just talked about, I think it was end of July. So, we talked about it last month in the August Patch Tuesday webinar, but WatchBog, which is a crypto mining platform. So, basically, crypto mining as a service, you can buy into this platform. You can launch crypto mining malware campaigns with that. Well, they've added a module to detect systems that are vulnerable to it. So, there's obviously both white hats and black hats actively pushing out modules to detect and to be able to probe and exploit that BlueKeep vulnerability.
Chris Goettl: So, the biggest risk with this is the fact that, again, this is a wormable vulnerability. It has the capacity, the potential to reach as big of an impact globally as we saw with WannaCry back in 2017.
Chris Goettl: So, if you have not already, again, this is just adding more urgency onto making sure that you've got your updates in place. There was still a lot of the global landscape that was publicly making available RDP on a public IP address and was still vulnerable to this last month as we talked about it. I think the count was down to 800,000. Hopefully, it's declined more since then, but that means that 800,000 public facing systems were vulnerable to it. There's even more behind those firewalls that are exposed to this.
Chris Goettl: So, if somebody were to launch a very bad campaign around this, not something that was well-thought out and well-executed and very stealthy, but just somebody who decided to try to exploit this in a way that they think they can make a quick buck, we could see a very large scale, a very impactful attack from this.
Chris Goettl: Most likely, the people who are going to take advantage of this are building out a much more well-thought out plan, and it's not going to be like WannaCry, where they're just spamming out and ransoming a bunch of systems. If somebody is doing it this time around, more than likely, they're doing something more stealthy, but this is just, again, more evidence that you should make sure those updates are in place. All right.
Chris Goettl: Let's see. Switching back over to ... At the end of last month, Microsoft does their preview. That's the feature preview released at the end of each month, and at the end of August, the Win 10 1903 branch preview caused some high CPU utilization after it was pushed out. It wasn't extremely widespread. There were some details around exactly what caused it, and the good news is that Microsoft seems to have resolved this issue in yesterday's Patch Tuesday update, but let's go take a look at the article on that real quick, and talk through that just to make sure everybody's aware of what was going on.
Chris Goettl: So, this was the followup article. If you pushed the preview at the end of last month, what a number of companies were seeing was Cortana suddenly chewing 40% or better CPU utilization on boxes. Ultimately, the root cause of this was that if your systems were configured to block the search UI, the Windows desktop search would be trying to do a search, and it would be blocked from doing so, and it would crank up the CPU utilization.
Chris Goettl: What they figured out was if you enabled Bing searching in Windows search again or if you went and did the much more painful workaround, which was grabbing all the old Cortana folders and putting them over the new ones, you could have resolved the issue short-term.
Chris Goettl: Now, in the latest update, again, they seemed to have resolved the issue. So, you should not be seeing those CPU issues. If you were one of those affected by that at the end of last month, we do recommend pushing out this latest update, making sure that you don't see that, and then rolling it out to your entire environment, but that's just one thing to watch out for there that was definitely causing some heartache for some people at the end of this last cycle.
Chris Goettl: Let's see. Flash Player, we are on the road towards end of life for Flash Player, and we wanted to give you guys an update on some of the more recent news around that, and some of the trend that we've been seeing here.
Chris Goettl: So, for the last couple of months, you actually didn't have a security update for Flash. We saw no security fixes in July or August. Now, September did release an update and resolved two vulnerabilities, but this is a very different trend than what we've seen previously, historically, for Flash Player.
Chris Goettl: So, chances are, Adobe is backing down and not putting as much time or effort into Flash. That doesn't mean that threat actors won't, though. So, you should definitely be aware of it and working Flash out of your environments, but just so you're aware, Microsoft has posted this update talking about how this is going to transition out in 2020.
Chris Goettl: At the start of 2020, Edge and Internet Explorer are going to, by default, disable Flash Player. So, starting in 2020, they will begin to disable that by default. You'll have to choose to turn it on if you want to keep it running. They plan to fully remove Flash by December 2020. So, next year, there will still be Flash updates; it's just a matter of them winding down, and you can expect more and more of the browser vendors to disable Flash by default. So, that's the trend that we should be seeing going forward.
Chris Goettl: Again, the fact that we had two non-security releases in a row for Flash, and then a very light September release for Flash, I think it's safe to say the same emphasis on Flash is not being made as it was previously. That could mean that threat actors may have a lot more low-hanging fruit in the software than previously. So, if you do still run Flash Player, identify where it is, figure out what your plan is to phase it out, and start working towards that as quickly as possible because the risk is going to increase for Flash in your environment. All right.
Chris Goettl: The next thing we wanted to talk about was, right now, there's been a steady stream of ransomware attacks in the public sector. So, we, actually, did a couple of things over the last few weeks here on this. I wanted to share some of those because I think there's some good information coming that a lot of people will find interesting.
Chris Goettl: The first thing here is a blog post that Phil Richards, our CISO here at Ivanti, wrote up on the running history around the recent ransomware attacks that are hitting the public sector. Now, this is not the normal phishing scam that came in and ransomed one system here, one system there. These are focused, targeted attacks that are ransoming at a large scale.
Chris Goettl: So, the attackers in this case are similar to what you may have seen in previous commentary that we've done around SamSam. This was a threat actor group that would target a ... A lot of times, they were doing public sector or healthcare as well. They would target an organization. They would penetrate it similar to how an advanced persistent threat or a data breach would be operating, where they get in, get a foothold, start spreading around through the environment, but instead of looking for some data that they want to exfiltrate, they would spread themselves out, and then simultaneously launch a large-scale ransomware attack across the entire environment trying to maximize the impact. Their goal would be to extort a large-scale ransom.
Chris Goettl: Now, you could see here if you look back through 2018 up through August 19th, and there have even been a few more recent events since then, there have been some large payouts like Jackson County, Georgia back in March. There was a $400,000 payout that happened there. The city of Tallahassee, nearly half a million dollar payout there. There was another one shortly after in Florida that paid out 600,000. I believe that was the Lake City one. Then this more recent one here in Texas, they didn't pay it out, but for the attack on these government agencies in Texas, there were five of those that got hit by it, they were trying to extort a 2.5 million ransom on that.
Chris Goettl: So, we've been looking at this trend and talking about a lot of the behavior with that, and more importantly, looking for patterns and how you can combat that.
Chris Goettl: So, we actually did a webinar last week. Phil Richards and myself, we talked about a few of those different attacks, and we talked about the ... So, you could see here there's a bit of the transcript of the webinar. You could see the webinar playback from here. This is the start of a new series that we're going to be doing that we're calling Threat Thursday. So, towards the end of each month, we want to recap some more recent threats, profile them, diagnose what was done, and deconstruct it to the point where you see motives, you see how they're doing the attack, you see what could combat that.
Chris Goettl: So, I wanted to show you a couple of quick excerpts of that to show you what you can find for details there that I think a lot of you may find interesting.
Chris Goettl: So, I want to show you two of the slides for that. I'm not going to go into the same level of depth we did on the webinar, but this is going to show you that this was the attack. There will be an icon here, but, basically, we'll be doing this across multiple verticals, not just public sector. So, there will be healthcare, there will be public sector, finance, different verticals.
Chris Goettl: There will be a situation analysis, the type of attack it was, the impact, what was exposed, the attack vectors that were used, and recommendations on how you could have prevented a similar attack from being successful.
Chris Goettl: So, this is a profile card of this particular attack. So, this one was using a trusted vendor, in this case, the MSP that was a trusted vendor throughout these five different agencies there. They were exploiting known vulnerabilities in that environment. From there, there were other things like exploiting of admin privileges. Other technologies could have helped you remove the way that the attackers got in and the way that they spread around. Also, just the recovery method, like good backup and recovery capabilities could have gotten them up and running much more quickly. So, that's one example.
Chris Goettl: The other one, the state of Louisiana, this is one where multiple school districts got hit in close succession. They were using known exploit kits to get on the systems, and then putting a remote access Trojan in place. From there, they were spreading out again using common vulnerabilities that were available, and also exploiting privileges on different systems so they could move throughout the environment, and then, again, launched that simultaneous ransomware attack.
Chris Goettl: So, those were two examples that we went through on that webinar, but this is something that we're going to start to do on a monthly basis. Again, by looking at behaviors, attack patterns, by looking at and deconstructing those and figuring out what could have slowed or stopped that or helped recover from an incident, this is going to help you to understand what you could be doing to improve your ability to be resilient to cyber threats.
Chris Goettl: So, again, that's just something additional we're doing from an outreach perspective. We're trying to help people wrap their heads around the overall question of how you defend against all the different cyber threats today. All right.
Chris Goettl: Switching into the vulnerabilities from this month. We do have two public exploits or two zero-days that were being exploited in the wild and, also, three public disclosures. So, I want to go through these next.
Chris Goettl: The first one here is a vulnerability in the Windows Common Log File System driver. It's an elevation of privilege vulnerability, and this does affect all of the currently supported Windows operating systems. So, in this case, a couple of things to note about this one. This is a privilege escalation. So, it's not the first line of attack. It's not what an attacker is going to use to get onto your systems, but it is what they're going to use to persist and get more access to that system.
Chris Goettl: So, in this case, when the notes say that an attacker would first have to log on to the system, well, yeah. So, this isn't going to be the first thing that they do to attack your environment. They're going to get on to the system through a phishing scam or a remote code execution exploit like BlueKeep. If they got on to that system and found they didn't have the right level of permissions to let them proceed further, this is the type of attack they use as a second stage to be able to get further access to the system. Now, they can do things like put in a backdoor, and run different tools out of their toolkit like Mimikatz and other things to gather more credentials, and find out more about your environment, and start to spread out.
Chris Goettl: This is definitely a concerning vulnerability, and one that you do want to take a quick approach to getting resolved, mostly because, again, it's being exploited in the wild. It's already actively being exploited.
Chris Goettl: Now, a couple of things to note about this one. If you look at the vulnerability itself, let's take a look at the ... So, the rating on this particular update, it's only rated as important. If you look at the CVSS score, it was rated as a 7.8 vulnerability. So, depending on how you are prioritizing, which, actually, this one, for some reason, the severity wasn't populated there. There we go. So, you could see here if your policy within your organization is only to push critical updates, you'd miss this update.
Chris Goettl: Now, because it's part of the Windows cumulative or security-only bundle, there's others in there that are critical that would have also made it so this would have been included, but the fact remains that depending on how you're prioritizing updates, vulnerabilities that can be exploited today are already actively being exploited, and somebody can use them against you. You may overlook those on how you're prioritizing things.
Chris Goettl: So, make sure to evaluate your criteria for prioritization. Make sure that you're not just going based off of vendor severity, and that you take other things like CVSS score into account, and also other indicators like known exploits or public disclosures, because that will help you to make sure that you're addressing all the right vulnerabilities. So, again, this vulnerability is affecting all of the current Windows operating systems, Server and Workstation, Windows 7 all the way up to Windows 10, and the Server equivalents.
Chris Goettl: The second known exploit this month, this one is another elevation of privilege. You're going to see a lot of elevation of privilege this month. This one exists in Winsock, in how it's handling objects in memory. Again, the attacker would have to be locally authenticated, and then they could run a specially crafted application to take advantage of this. Now, again, this won't be the first vulnerability they run against you. They've already exploited something else to get on to a system. This is how they're going to elevate themselves around any privilege management capabilities you've got in place to try to get further access to the environment.
Chris Goettl: So, even if you're running a good least privilege policy in your environment, this could let them get around that. So, you want to have a good app control policy to block untrusted applications like the one they could run here to elevate that privilege level, and you want to plug the vulnerabilities through patching to make sure you prevent vulnerabilities like this from being used. So, that defense-in-depth strategy, patch, app control, privilege management, those three things combined will manage most of the threats to your environment.
Chris Goettl: Again, one more thing to note here. This one only rated as an important and, again, only a 7.8 base score for a CVSS score. So, again, look at all the indicators that you guys are using to assess today, and make sure that you're going deeper than just vendor severity or even vendor severity with CVSS score.
Chris Goettl: Switching gears, we're going to talk a little bit about the three public disclosures. In this case, the public disclosures are not being exploited actively today, but a researcher or someone has publicly made available enough information about the exploit to give threat actors an advanced start on this. So, there's three of these that we want to talk about.
Chris Goettl: The first one is a vulnerability in the Windows Text Services Framework that also could allow for an elevation of privilege attack. So, similarly to the others, an attacker would first have to get on to the system, and then they could run a specially crafted application that could exploit and take control of the affected system.
Chris Goettl: This one, again, is affecting all of the currently supported Windows operating systems. The severity on this one is rated as important. The CVSS score for this one, 7.8, again, for the vulnerability rating there. So, again, it could be easily overlooked if you weren't rating this with other risk characteristics.
Chris Goettl: The next one, again, a Windows elevation of privilege vulnerability. This one is in the Windows AppX Deployment Server. Now, this one only affects the later operating systems. So, Windows 10, Server 2019, and the latest operating systems are what are affected. Again, rated as important, and the CVSS score, again, was a 7.8. So, all four of the ones we've talked about so far, very similar ratings there. So, again, the fact that this is publicly disclosed, though, means that a threat actor doesn't have to work as hard to try to figure out how to exploit this. Enough information about it has been given to them where they know roughly where to look and, potentially, even have code snippets available on how to take advantage of it. So, taking this to the point where it's weaponized is a lot shorter of a timeframe for a threat actor.
Chris Goettl: The last vulnerability that was publicly disclosed this month is actually in Windows Secure Boot. It's a security feature bypass that could allow an attacker to bypass that Secure Boot feature by utilizing a flaw in the debugging functionality of Secure Boot.
Chris Goettl: So, in this case, an attacker must gain physical access to the target system prior to the next system reboot. Okay. So, think about if I've got a Workstation in my company or if I've got a Server in the data center. Yeah. It's going to be a lot harder for a threat actor to get a hold of that, but what about a laptop, a laptop that gets stolen or lost outside of the environment? Now, this threat actor has physical access to my device, and they can exploit this with a lot more time available to them. So, a vulnerability like this, again, it may not be something that somebody is going to use to instigate a full-on data breach within your organization, but if you've got a lost device, this could absolutely be used to get access to the data within that device.
Chris Goettl: So, not only will patching help here, but good device encryption policies, making sure that you are running BitLocker on that system with pre-boot authentication, not post-boot, because at this point, if you do post-boot, well, then they can boot it up and try to take advantage of that Secure Boot flaw. But if you do pre-boot authentication for that encryption, then they would be blocked before getting to Secure Boot, and they would have to try to defeat the encryption first.
Chris Goettl: So, again, looking at this, this is definitely something of concern, but also take a look at your encryption strategy and make sure that you're encrypting your devices with prioritization around devices that could be lost or stolen that are no longer within your control. All right.
Chris Goettl: So, that's the exploited and publicly disclosed vulnerabilities for this month. I'm going to go through a little bit more housekeeping news, and then we're going to jump in to the bulletins for the month. So, bear with me for just a couple more minutes. For those of you on Windows 10, just keeping you aware of the life cycles coming up here.
Chris Goettl: If you're on the branch 1703 edition and running on the Enterprise or EDU editions, October 8th is your final update for the 1703 branch. So, we're getting very close to that. You've got one more month here, and then those systems will no longer be getting updates. So, make sure that you've identified all 1703 branch systems, and you've got an action plan in place to get those upgraded before November. October will be your last update for Patch Tuesday.
Chris Goettl: For those of you on 1803 running the ... well, probably not Home, but the Pro and Workstation editions of 1803, make sure that you've got your upgrade plan in place and ready to go before November 12th because that's when the end-of-life is going to hit for those editions.
Chris Goettl: For those of you on the Enterprise and EDU editions, if you're on 1803, you get until November 10th 2020. So, you get another year of runway there before that will be enforced. So, just keep an eye on those end-of-life dates, and make sure that you're planning accordingly to make sure that those systems get updated, and you won't be blocked from being able to do your monthly updates. All right.
Chris Goettl: This next one we've been talking about for a little while. Microsoft had a staged approach to phase out the dual signing of updates, SHA1/SHA2. So, as everybody is probably aware, SHA1 is going away for digital signatures, and this is the endpoint for Microsoft. They've now stopped dual signing their updates with this last Patch Tuesday. So, now, last month, there were some issues that came up around this. There were some questions around impacts that this was having with Symantec Endpoint Protection. There was a little bit more hype than actual impact from that, but if you were having some issues last month with this, there were different things going on where they were anticipating a bigger impact. They made it so that Windows Update and related services were not going to allow Windows patches to be installed on systems if it detected that specific SEP versions were running.
Chris Goettl: Now, since then, they've done multiple releases of that last SHA2 patch, and it looks like most of the issues have been resolved. If you're running SEP, do some adequate testing, but chances are, we're out of the woods on that one now, and there should be no issues going forward. This should be the last month that we talk about this patch, and then this will probably get pulled from here going forward.
Chris Goettl: A couple of things to note. If your build process requires you to go and update your build images with base updates that you want to make sure are in place, this should be one of those that you make sure is on every one of your builds going forward. That way, you don't put a system out into production that can't be updated because it can't validate the signature of those SHA2 signed updates. So, just make sure that you've done your due diligence on your provisioning, so that new systems going out won't run into an issue with a lack of this patch going forward. All right.
Chris Goettl: A couple other updates of interest this month. We do have a large servicing stack update this month. Every operating system currently supported for Windows did receive a servicing stack update for September. A couple of things to note about this. Servicing stack updates, in general, what this is, is an update to Microsoft's update infrastructure. It is separate from the security-only bundles or the cumulative roll-ups that you normally apply. So, there is a separate update that you have to apply in addition to the September updates.
Chris Goettl: This is not resolving any security vulnerabilities, but it is rated as critical. The reason for that is Microsoft, at some point, will start to enforce whatever change it is that they're staging for. That means that within a few months here, we could see that, if you don't have this patch in place, it will become a prerequisite for new updates coming out.
Chris Goettl: So, the shortest we've seen for servicing stack update being made available to patches blocking, if you don't have it in place, has been two months. I don't think we've seen a one-month span for that. So, our guidance here is get these tested, and make sure you've got a plan to have them in place no later than November to make sure that you don't run into some impact down the road.
Chris Goettl: Now, if you go out to Microsoft's advisory page, this tells you when updates were released, when servicing stack updates shift. You'll see that date released was September 2019. It doesn't tell you when they'll start enforcing it. You don't see that until a patch comes up that has it in the release notes with the known issues saying, "You need to have the servicing stack update in there."
Chris Goettl: So, again, if you don't prepare for this in advance, and if you don't put these in place, chances are, a couple of months down the road, you're going to hit this situation where you won't be able to apply updates unless these servicing stack updates are in place.
Chris Goettl: Now, I'm going to pause here for a second, and I want Brian to chime in some more because he found some even more fun known issues with a couple of the older servicing stack updates that are actually prerequisites to the new servicing stack update. Brian, you want to give us an update on that?
Brian Secrist: Yeah, because we need more servicing stack updates. That's exactly what we need in our life. The two ones are on Server 2008 and 2008 R2. I'm going to post this in the chat after I mention this.
Brian Secrist: For Server 2008, the April servicing stack update. I'll post that KB. It's actually required before the next servicing stack update can even apply successfully. We started with some very, very unpatched machines. We were having some failures on the September servicing stack. We found that the April servicing stack allowed it to install. Interestingly enough, it's still applied if you manually run it. It just failed during the install for Server 2008.
Brian Secrist: So, for Windows 7 and 2008 R2, the March 2019 servicing stack update is required for this September update to be installed as well. So, again, I'll post both of those in the chat there, but definitely interesting behavior there.
Brian Secrist: On top of that, the Windows 7 and 2008 R2 patch, they mentioned it supersedes the March servicing stack update in Windows Update data. We've kept them separate at the moment just because it's a prerequisite. We want to make sure our customers don't miss it. So, just a heads up.
Chris Goettl: Yup. Thanks, Brian. So, yeah, if you're running Windows 7, Server 2008 R2 or Server 2008, make sure you've got those previous servicing stack updates in place. Again, like Brian said, we actually broke the supersedence chain between the March and September servicing stack updates for the Windows 7 and 2008 R2 branch, so that both will show up for you. That should make it so that you won't miss one because if you didn't deploy the first one and it superseded, it would only show the latest one as being needed. Those are a couple of nuances there that you want to understand.
Chris Goettl: Now, if you've been patching systems month-to-month, chances are, you've already got all of the previous servicing stack updates in place for these because, typically, within two to three months, they start enforcing those before you can update the latest monthly update.
Chris Goettl: So, most of you probably have these in place. Again, one thing that we would suggest is when you're looking at how you're building systems, make sure that these servicing stack updates are updated in your base images for your provisioning process. If you don't do that, and you roll out a new build and try to patch it and the patches aren't applying, it's a good chance that servicing stack update could be the root cause for it. So, if you only periodically go back and update those base templates, this is another one that we suggest making sure is in place.
Chris Goettl: Again, timeframe for this, chances are, Microsoft won't enforce any sooner than two months out. That's been the track record before. Two months to a few more beyond that is usually when they start being enforced, but they haven't really given much notice on that.
Chris Goettl: So, our guidance is make sure it's in place before November to be on the safe side. If you're able to get it out sooner, if you can get it by October, we do recommend trying to do that just in case for some reason they happen to enforce it sooner.
Chris Goettl: The fact that this rolled out across all of the OSs for this month means that there's a big change coming that they want to roll out. I would guarantee it's going to come before end of year. So, whether that's November or December or whether it happens for October, you want to make sure to get these tested, get them rolled out, and make sure that they're in place or you could be blocked from doing future updates. All right.
Chris Goettl: Development tools. So, we've talked about this several Patch Tuesdays before as well, but these are tools that have security vulnerabilities relating to them, but they don't have a traditional patch. ChakraCore, ASP.NET Core, .NET Core, the Rome SDK, not sure what that one does yet, that's a new one on the list, but those are all development binaries. This means that you've got a developer within your organization or you're trusting a vendor who's got a developer in their organization to make sure that those components within your application are updated. They've got to take the new version of those binaries, implement them, and push a new build.
Chris Goettl: So, from that perspective, you want to make sure to take a look at your update process, what people are assessing, and be able to make sure that when updates like this come out, your development teams are taking a diligent stance on integrating the updated binaries and pushing updated builds that plug those vulnerabilities.
Chris Goettl: Again, with Team Foundation Server, a lot of times, your development team will be responsible for actually doing the platform upgrade to that. Those patches can be pushed a little bit more traditionally, but a lot of times, the development team wants to take control over doing that themselves. Just make sure that they're doing that.
Chris Goettl: Azure for the DevOps Server side, a lot of times, these are things that, well, we looked at a couple of these a month or two back, some of them, Microsoft is going to implement. Others, Microsoft may have to do one part, you have to do another, and other ones, your team will have to do the full change over like pulling in a new binary or making a config change or something along those lines.
Chris Goettl: So, again, awareness-wise, make sure your development teams are paying attention to these development tools because a lot of them are getting updated on a monthly basis and resolving security vulnerabilities. All right.
Chris Goettl: A couple of final things to wrap up. We've got a couple of other streams of content that are similar to what we do here for Patch Tuesday. Our Weekly Patch Blog, which Brian posts each week, this is going to do a summary of what updates came out, both Microsoft and third-party, outside of Patch Tuesday. It's going to talk about security and non-security updates. It's also going to do an analysis of any vulnerabilities that are released in there, too. If there's a zero-day, if there's a public disclosure, we try to notify you of those things, similar to what we do in the news section here.
Chris Goettl: Brian also talks a little bit about the latest news on what's being exploited, different attacks going on, so you can keep that awareness up and use it to better understand how attackers are behaving, and what best you can do to thwart their attacks. So, that's a weekly blog that we put out. You could find that on our Patch Tuesday Blog up on the Ivanti website.
Chris Goettl: For those of you using an Ivanti Patch Solution for patching your environments, we do have regular content notifications that go out that tell you when we release new content. Patch Tuesday is not the only time we do that. In fact, most days or most of the time, we release content at least once a day across all of our different products. So, one of our product catalogs might get updates three out of five days that week. The next week, it will be four days. The next week, it will be two days. There could be a steady stream of constant releases for our different content streams.
Chris Goettl: So, do sign up for it and stay up-to-date on the content stream that you're utilizing. You can find those out on our community. There's a section for content notifications that have all four of those content streams that you can sign up for depending on which products you're using. Okay.
Chris Goettl: I have talked long enough. Todd?
Todd Schell: Hey, Chris.
Chris Goettl: I am going to give you control here, and you now have control, sir. Take it away.
Todd Schell: Okay. Hopefully, we can walk through the bulletins here, and let everybody know what happened this month from Microsoft and other third-party vendors.
Todd Schell: Chris did talk at the top of the presentation about an update that was released for Chrome. In particular, this one had 52 vulnerabilities, which is one of the largest updates we've seen in a long, long time. Usually, the major updates have around 20. We've seen that twice this year so far, but this one has 52 vulnerabilities. There are some critical vulnerabilities in this one. You can see that there are a large number of impacts here from remote code execution all the way through information disclosure. So, make sure that you do get this update downloaded and applied across your organization quickly. This is a critical one.
Todd Schell: I'm not going to spend a lot of time on Flash Player. Chris pretty much covered this. Obviously, Adobe releases their separate version here, addressing two vulnerabilities, 8069 and 8070. These both have to do with remote code execution. So, be aware of that one, and this is available for Desktop Runtime, Google Chrome, IE 11 and Edge. So, it does apply to multiple different browser types.
Todd Schell: Of course, Microsoft's been bundling the Flash Player updates in with their releases as well. This particular one is covered under the KB you see down here 4516115, and I have the link in here for the advisory as well, 190022. Same two vulnerabilities. Basically, it's the same update. Microsoft just wants to make sure that you get that out there into your environment through their distribution methods as well.
Todd Schell: Moving on to Windows 10. A lot of activity this month with Windows 10. Chris talked quite a bit about the public disclosures, as well as the known exploited vulnerabilities. I have listed them here in red.
Todd Schell: I want to talk through some of the known issues this month. The last couple of months, the number of known issues has been climbing, but, actually, Microsoft's done a pretty good job of cleaning a lot of things up. So, you won't see nearly as many this month.
Todd Schell: On the Windows 10, they actually released a general KB. I haven't seen one of these in a while talking about an issue that applies across almost every version of this. We've seen this vulnerability, I mean, we've seen this known issue quite a while. It has to do with file renaming, and not having the proper permissions for this. Microsoft does provide a little bit of a work around here, and making sure that you have administrator privileges when you have to go through and change the CSV ownership. They say they are working on a resolution, but they don't have one just yet. This has been carried forward multiple months now, but it's gotten to the point where they're now carrying in a general KB.
Todd Schell: Under 1607 and 2016, basically, the oldest version here that they're still supporting as far as the long-term servicing branch, there is a long-known issue here that they've been carrying forward as well about this minimum password length. So, be aware of that. Microsoft's working on a resolution for that and, basically, they're saying, "If you run into this problem, just shrink your password down to less than 14 characters." That's their workaround for right now.
Todd Schell: Notice that I've provided a general description up here under the first one around file rename, and I'm going to include the short name here for the rest of these, so we're not duplicating all this text. Again, that file rename issue does apply across multiple versions of Windows 10.
Todd Schell: We see 1703, 1709. With regards to version 1803 in addition to the file rename issue, we've seen this log on, this black screen log on issue for a few months now. They fixed it in a few versions. It wasn't in other versions of Windows 10 for a while, but now, it's appearing only in the 1803 as we see here. So, be aware of that particular issue.
Todd Schell: Finally, 1809, a couple of issues. They've had issue with language packs for a couple of months now. I've talked about that one, so be aware of that one.
Todd Schell: This NetQuery API issue did appear last month in multiple versions of Windows 10, but it's down to only the 1809 and the Server 2019 versions now, so if you run into that. Unfortunately, there is no work around, but be aware that they are working on this. They also have the file rename issue here, as well as that black screen during a log on issue as well.
Todd Schell: Interestingly enough, notice that I don't have any known issues for 1903, the latest operating system that's out there, but Brian was pointing out to me during the presentation so far, a lot of you are pointing out issues that are showing up with other products looking at these updates. In particular, Dell's endpoint products are showing that there is an issue with some of these products or these updates during install. Even though they're applying properly, it is showing that there's a possible problem. So, be aware of that if you want to go in and look at the Dell tools. There are some other things in Reddit as well that have been popping up. So, we'll keep an eye on those, and if they become major issues, we'll talk about them next month.
Brian Secrist: Hey, Todd. There's one more I'm going to add.
Todd Schell: Sure. Go ahead. Go ahead.
Brian Secrist: I had a few reports of this in the chat, and I noticed that yesterday. The Windows 10 1809 and the Server 2019, so the 64-bit patch, it looks like a lot of customers are having issues downloading it. We actually noticed midday yesterday that depending on the Microsoft CDN we were hitting, we were downloading a partial version of that patch, which failed the validation because it doesn't have a signature, a lot of other things.
Brian Secrist: So, just a heads up for everyone. If you're having issues with the 1809 or Server 2019 64-bit patch, really, just try to redownload it at a later time depending on what kind of server roulette you're hitting. Hopefully, they'll resolve it sooner than later, but just a heads up for everyone.
Todd Schell: Yeah. Thanks, Brian. Appreciate that. Moving on to the updates for Internet Explorer this month. They do continue releasing updates for 9, 10, and 11, various versions there. Obviously, for Server 2008, only Explorer 9 is supported. So, be aware of that one as well.
Todd Schell: They did fix four vulnerabilities this month. There's a known issue. They did fix one issue that I've talked about the past couple of months. Just want to touch on that because you'll actually see that if you go in and look at the cumulative update bulletins for IE. There was a problem in the past where after you've updated IE 11, it was showing that there were some updates for IE 10 that were still applicable, which is strange, but they've fixed all of those problems now.
Todd Schell: There's a known issue right now on Windows 7 and Server 2008, where after the latest cumulative update here that I've listed, it actually turns back on the ability to use VBScript. So, be aware of that. The work around currently is to go back in, obviously, and reconfigure the settings under the security tab, which I have listed here. You'd just basically go back and you choose the internet icon and choose default level, click OK, and it will reapply locking VBScript, but be aware of that. Microsoft is working on a resolution for this, and we'll see this problem again. I have it listed under Windows 7 and Server 2008, too.
Todd Schell: Moving on to the legacy operating systems, Microsoft did release a monthly roll up for Windows Server 2008. Normally, I can squeeze all this stuff onto a single slide, but you're going to see two slides for all of these updates.
Todd Schell: What's interesting is last month, we talked about these new vulnerabilities called microarchitectural data sampling vulnerabilities. We talked about them with respect to Windows 10, but now, Microsoft has updated and released updates for all of these across, I'm going to call them the legacy operating systems.
Todd Schell: The slight difference between the other speculative execution updates and these updates is that under the previous Spectre and Meltdown vulnerabilities, you can actually execute a task through the CPU. The difference here is that with these data sampling vulnerabilities, you can actually grab information out of the buffers of the CPU. So, it's a slight difference in the way the vulnerability manifests itself.
Todd Schell: Some people view these as possibly more serious, but be aware that there have been updates issued now. They're part of the general packages for all the cumulative updates across these operating systems. I'll list them all here. Here are the CVEs. There are actually four CVEs associated with this. So, be aware of that.
Todd Schell: There is a monthly roll up this month for Server 2008 addressing all of those. It did address 26 vulnerabilities, plus the three IE 9 vulnerabilities. Chris talked about the two exploited, known exploited vulnerabilities 1214, 1215, as well as 1235, which was publicly disclosed.
Todd Schell: There are no known issues associated with Server 2008. There was also a security-only update issued for Windows Server 2008. For those who may be new to the call, and I talk a little bit about this every month, the fact is that Microsoft does release two versions of these updates for each one of these legacy operating systems. The monthly cumulative roll up is essentially a roll up of all patches that have come out, I should say select patches that have come out since October of 2016, that addressed both feature enhancements as well as vulnerabilities.
Todd Schell: So, by applying the monthly roll up, you get all of these things in one package. That one package is quite large sometimes, but they also release a security-only update, which only includes the security updates for a given month. So, the difference, obviously, is that if you are going down the security-only route, you want to apply just the security-only each month, and you have to do it, I'll say, religiously to make sure that you get all the latest updates.
Todd Schell: The question comes out, "Why do you want to do this?" Well, a lot of times for these older operating systems, some of the applications you may be running may be very sensitive to the monthly roll up, to those cumulative patches. So, you want to very tactically apply just a few security updates each month, and that's why you would use the security-only patch.
Todd Schell: Moving on. Again, for the security-only, you'll notice that there are only the 26 vulnerabilities updated. You would need to apply the Internet Explorer updates for IE 9 separately when you're running an update under the security-only model.
Todd Schell: There was a monthly roll up for Windows 7 and Server 2008 R2 as well. Again, it includes those microarchitectural data sampling updates. Large number of vulnerabilities addressed. There were 32, plus the four IE vulnerabilities as well. There is a known issue this month with the Toshiba, I don't know how to pronounce it, Qosmio, possibly. Obviously, it's a play on QoS, so the quality of service aspects of this, but there is an issue with this, and it just says that Microsoft is working with Toshiba to resolve this issue. If you have anyone out there running this particular application, Qosmio AV Center, be aware of that.
Todd Schell: We talked about that issue with VBScript being enabled by default with the IE update under the monthly roll up. So, be aware of that one. Of course, there was a security-only update that addresses the same set of vulnerabilities, 32 again, and it also has this Toshiba issue as well. So, be aware of that one.
Todd Schell: Moving on. We did get a set of updates for Server 2012. The monthly roll up here includes the same set of vulnerabilities, essentially, as the earlier ones I talked about. In this case, there were 29 that applied to Server 2012, plus those four IE vulnerabilities.
Todd Schell: Interestingly enough, this is the first time we're seeing that issue we talked about under Windows 10 around that file rename. So, you can go back and take a look at that one that I included under the Windows 10 slide, but that issue is also appearing here under Server 2012 for both the monthly roll up. I believe it also appears here under the security-only update for Server 2012 as well.
Todd Schell: Finally, the last of our legacy roll ups, we have the roll up for Windows 8.1 and Server 2012 R2 and, as I mention every month as well, just so you're aware why these two things are grouped together, basically, they have the same Windows operating system kernel. So, the updates that apply to Windows 8.1 also apply to Server 2012 R2, and they're lumped together under the same set of binaries, essentially.
Todd Schell: Again, dealing with the microarchitectural data sampling issue, those were fixed this month. You can see here that that file rename issue also applies as a known issue for this monthly roll up for 8.1, Server 2012 R2. There was a security-only, of course, for the same set of operating systems as well. This information will be included in the slide deck for you to look at.
Todd Schell: Moving on. There was a critical update this month for SharePoint Server. It did address seven different vulnerabilities. I listed them here. Obviously, I didn't highlight any of these, so they're not showing up on the publicly disclosed or known exploited. Those are all related to the operating systems themselves, but this one is rated critical. You can notice that it also applies for all versions of SharePoint Server 2010 to 2019. So, make sure you include this one as part of your critical update this month.
Todd Schell: Moving down a little bit in terms of importance, the following updates we'll talk about here are all rated as important by Microsoft, and also by us as well. There were updates for the standalone versions of Office this month. In particular, there were updates for Excel. Interestingly enough, there were only updates for Office 2010 and 2013, not all versions. There's a 2016 Office as well. They did update Office 2016 for Mac, and there was a major update for all versions of Project this month. We haven't seen that one for a while. There were four vulnerabilities addressed. Again, this one is all rated important.
Todd Schell: Of course, we get the usual software-as-a-service updates for Office 365 ProPlus and Office 2019. They actually updated the same set of vulnerabilities here as they did for the regular on-premise version of Office. Again, rated important. No known reported issues around this.
Todd Schell: There was an update for Exchange Server this month, so versions 2016 and 2019. Two vulnerabilities, one related to spoofing, one related to denial of service. The only known issue they had, and this is interesting, and I don't know why most patches aren't this way, but they said you must install this with administrator privileges. So, make sure you don't just roll the patch out manually. Double click on it if you don't have the proper privileges on your Exchange Server. So, I just included that there, but you'll see that one listed on the KB article for Exchange Server.
Todd Schell: Following with Microsoft's regular releases of .NET, which is bimonthly, by the way, every other month, we did see a release of .NET this month, but interestingly, they didn't go very far back. Usually, it goes back to 2.0, which supports Server 2008. This month, they released 3.5 through 4.8. So, those versions of .NET Framework, which really only applies to Server 2012 and newer. So, be aware of that one. It's rated important. It only addressed one vulnerability. There is both a monthly roll up version, as well as a security-only version of the .NET update as well.
Todd Schell: So, that addresses all of the bulletins this month. With that, Chris, I'll turn it back over to you for a quick update between the Patch Tuesdays.
Chris Goettl: All right. So, there are a number of security updates that came out this month. We had SeaMonkey resolving 10 vulnerabilities. Google Chrome resolved one. Azure DevOps had two vulnerabilities resolved later in the month. Firefox did have both ESR and right under Firefox update with many vulnerabilities for each of them. Again, ESR updated again later in the month with another eight. VLC Media Player resolved 12 vulnerabilities. Node.js had updates for multiple of their branches that resolved eight vulnerabilities each.
Chris Goettl: So, that's the line up of third-party updates. Now, the biggest thing to keep in mind is there's always a steady stream of security-related updates coming out for the vendors that you manage in your environment. So, it's always good to keep an eye on the other vendors and watch between the Patch Tuesdays and see what's going on. All right.
Chris Goettl: We're going to target a few specific questions here. I think most of them have been answered already, but there's a couple that would be interesting to share with the whole group here. So, first one on that, there was a question back to the secure boot bypass and encryption, "What is a good encryption option?"
Chris Goettl: More and more, the native encryption tools, so BitLocker on the Windows platform, FileVault on the Mac platform. A lot of times, those are doing an adequate job of encrypting the device. The challenge with most of those is management. So, we do have a partner within our Ivanti 1 program called WinMagic. These guys can both offer their own proprietary encryption capabilities, and also management, better management of encryption than using the native encryption tools. So, that's a good option there.
Chris Goettl: Let's see. What other ones do we have? There were a couple of questions, guys, about some of the servicing stack updates, but I think we rehashed most of those. The one that came up was for those of you who are using SCCM or WSUS to push out your Windows patches, the question came around that, "Well, if Microsoft is counting the Windows 7 servicing stack update as superseding the previous March one, how do you solve for that?"
Chris Goettl: Well, the one way we know of that you'd be able to do that is don't publish the new one until you make sure the old one is in place, then publish the new one and push it out. Other than that, I don't know of a way off hand where you can force it to go and push both an older and a newer update in the same supersedence chain through the Microsoft platforms. So, that would be the one question there. Otherwise, again, if you're on our Security Controls, or what used to be Patch for Windows, or the EPM platform from Ivanti, we've broken that supersedence chain for the time being. So, you can have both of them approved. You'll see both of them get rolled out, and both of them will get installed. That's the behavior that we've implemented currently to make sure that if you didn't have the older patch in place, you would make sure it's there before doing the new one.
Chris Goettl: So, that's the best we can offer on that one off hand. Brian, Todd, did you see any others that really do apply to the whole audience or do we pretty much hit all the rest of them?
Brian Secrist: Yeah. There were a few questions that I've saved for you. "Do we have any whitepapers around patching standards or best practices?"
Chris Goettl: Yeah. We've got some patch best practices that we've done on webinars and at different events like our Interchange event. Actually, this next month, October is going to be ... It's Cybersecurity Awareness Month. So, we have a series of blogs that are going to be coming out around that. One of them is around some patch best practices that Eran Livne, one of our product managers, has written as well.
Chris Goettl: So, we do have some material around that. Where that is, is probably the question. So, one thing you could do is reach out to us and we can get you some details about that. If you've been to our Interchange events, you would have seen that we do a patch best practices session at that event each year. Typically, we run a live version, a webinar version of that shortly after. So, if you go to, I think, it's out on the community. Let me see if it is right now. What's the next question while I do this?
Brian Secrist: Okay. The next question was what the extended support options are going to be like for Windows 7.
Chris Goettl: Todd, go ahead and answer that real quick.
Todd Schell: Yeah. You guys still hear me okay?
Brian Secrist: Yup.
Chris Goettl: Yup.
Todd Schell: Okay. Yeah, sure. So, the way it's going to work, and we're currently working through this internally in the company now as well, is, obviously, as these operating systems go into extended support, you will be required to set up a separate subscription with Microsoft to download both the Windows 7 and the Server 2008 updates. That's just something that's required, and they'll have to be set up separately.
Todd Schell: However, we will be providing content that will work within some of our products, that will allow the detection of these updates, as well as, once you've downloaded them, the distribution of these updates through our product infrastructure. So, for Ivanti Security Controls and Patch for Windows, as well as for the Endpoint Manager product, we will provide support for those.
Todd Schell: Now, you have to contact sales because there is a separate charge for this content. It's not going to be released directly into the general public stream of content for those products.
Chris Goettl: All right. Thanks, Todd. Oh, here we go. So, yeah, if you go out to our recorded webinars link, our recorded webinars page, we did a live webinar version of that patch best practices webinar, the 2019 edition, back in May. So, if you go out there, just go down to the recorded webinars. Search for patch. You'll have to go back a page. It's on the two tiers back right now, but get into ... You'll have to just fill out the form there to do that, but you'll be able to get not only the recorded version of the webinar, but you'll be able to look at the presentation, and see a lot of the transcript of the webinar as well. So, that's the most recent best practices webinar that we've done. So, it's pretty up-to-date there. All right?
Chris Goettl: Brian, any others?
Brian Secrist: I think it covers it pretty well.
Chris Goettl: Got it.
Brian Secrist: There was one about just EPM specific about agent health patch definitions for 2019.1. I know that our EPM team is working on that actively. I don't have an ETA on that, but I do know they do know about it, and they're working on it.
Chris Goettl: Yeah. So, somebody caught my form that I've filled out for ... Whenever I have to test any of our internal forms, I always put a little bit of comedy in there. So, somebody saw that I put a still king of the world comment on that one. Yeah. So, go and catch it there, but, yeah. So, that's just me messing around with our marketing and field guys.
Chris Goettl: So, yeah, I think that covers most of the questions that we had this month. Okay.
Brian Secrist: You're busy, guys. You're busy. I appreciate all the questions.
Chris Goettl: Yeah, absolutely. Again, we always try to bring the best content together for you guys on short notice. So, thank you all. We had a huge crowd today as usual. Appreciate you guys coming back and joining us month after month. All right.
Todd Schell: Thanks, everybody.
Chris Goettl: Have a great month, and we'll talk to you in October.