March Patch Tuesday 2017
Chris Goettl | Director, Product Management, Security | Ivanti
Join us as we recap the Microsoft and third-party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure and test adequately, and which patches should be highest priority to roll out.
Good morning, everyone. My name is Chris Goettl, and welcome to the first Ivanti Patch Tuesday Webinar. We’ve had a little fun the past month or so here. In January, I was on vacation. You regulars who caught the webinar that month caught Sarah and Ryan filling in for me. From the sound of it, they did a good job. I received a lot of good feedback from our group, so that was nice. We did an impromptu webinar in February, but there were only a few third-party updates to talk about because Microsoft ended up not releasing updates. That means we have even more this month. It’s is a big one.
We're going to get started by going through a few things and talking about the release this month overall. We're going to:
- Give a quick overview
- Talk about some news
- Cover known issues
- Talk about how many bulletins we have, the breakdown of those bulletins, where to prioritize your efforts, and some of the nuances of those so you have better information going into your maintenance this month
The first thing I want to address, however, is what’s going around about the latest Wikileaks revelation, Vault 7. This is a huge number of documents that somebody leaked from the CIA. Included in that is a bit of a treasure trove of previously unknown DLL hijacking vulnerabilities, which we're going to talk about. We've created a tracker to watch after this to give people an idea of what to watch for. These DLL hijacks are not a normal vulnerability. Many times, a DLL hijack is taking advantage of a weakness in software to expose it to specially crafted DLL files to do something bad. Typically, these are used in an insider threat situation but can also be used if you have a persistent threat in your environment. They can be used there, as well.
This particular arsenal was developed to give an agent in the field access to a number of ways to hack into a system they're running on in the environment they're in. We created a spreadsheet of vendors that have known DLL hijacks, which are on this “fine-dining list.” We've noted which packages we support patch management for in our product catalog. As we get more information from these, we'll populate it with vulnerable versions and versions where they’ve fixed the vulnerabilities. This is saying the way to exploit this DLL hijack has been closed in these versions. In this case, VLC media player has announced in 2.2.5, which is a minor release they'll release shortly, that from that point forward, this type of DLL hijack should not be possible. That's what we're tracking here. It's not that these are remotely exploitable vulnerabilities, they're not. These are not vulnerabilities in which they'd be phishing the user with this type of attack method. This is something where the attacker is on the machine and using these tools to exploit that machine. It's different to a typical zero day or remote exploit.
There are a few of these I want to touch on to talk about some of the complexities. If you wanted to track all of these, many of them are installed products for which you can detect if a version is up-to-date. In fact, Notepad++ has already released version 7.3.3―on the 8th last week. That officially plugs that DLL hijack method so it's no longer viable if your Notepad++ versions are at this version or later. Once VLC media player releases, their fix will do the same. For many other vendors, take BabelPad for example, they released an announcement stating there's a lot of information going around about malware-laced versions, but those are unofficial versions you shouldn't be running anyway. That's the problem with DLL hijacks. You shouldn't be running them, but the people who do are most likely running them for a good reason―they want to take advantage of them.
This is the kind of thing that's going to be a bit of a risk. Some vendors aren't going back to do better coding practices and secure their applications so that if the application pulls in additional DLLs, they have to validate their authenticity. In the case of Notepad++, they've updated their product so that when a DLL is used by Notepad++, it has to validate the signing of that DLL to validate its authenticity. If you do that, the product will reject anything that's not a valid signature. At that point, an attacker would have to exploit that further, which would take a significantly higher amount of work, and which would effectively close the loop on that type of a DLL hijack.
Seeing a response like this from vendors is a little concerning. There are others on the list that are not installed programs, so how are you going to detect them? That's where you get into needing very robust discovery capabilities in solutions in your environment.
Right before the webinar, I was talking to a colleague on our discovery and asset management side. We talked about BabelPad and so forth. This is the WikiLeaks page, which talks about what's happening. You've probably seen headlines about iPhone, Android, Smart TVs, and things like WhatsApp being exploited. There's a lot of misinformation. There's some sensationalizing, making this out to be more than it is. Regarding WhatsApp, for example, I believe they alluded to hijackers, if they have access to the device where WhatsApp is running, may be able to access information going in and out, before and after. But they haven't broken the application and can't see everything going on there, and they would still need access to the device it's running on, so some of these things are being blown out of proportion. Nevertheless, it's one of those things where there's a lot of interesting information circulating right now about what types of things are being done.
Going back to these DLL hijacks, if you look at a lot of these, they have details in breakout pages down below. There are things like a 24GB portable app. For any of you who like to play the 2048 game on your phone, there's a portable app version of that, which allows the DLL hijack. Somebody could have that on their screen, and it looks like they're simply playing a game. Okay, so slap me on my hand for playing a game instead of working, but they didn't see the insider threat going on, which was this application can do a DLL hijack and allow them to do more.
Stinger, Kaspersky Killer Portable, There are many of these tools that aren't installed applications. To detect those, we have to be able to discover in other ways. Our text management solutions won’t be able to update a product like BabelPad because it’s a .zip file from which you extract an executable, run the executable, and it's simply a running process. It's not an installed application, and you can put it anywhere.
Typical patch detection won't find this, but if you're doing asset discovery, that gives you more details on how to get at this information. I was looking at one earlier. Which one was it we were looking at? I'm blanking. We were literally just looking at this. That's the one, I think we were looking at. Yes, here you see there's a running process. If you have discovery tools on your network that can track applications that are run, you could still detect this even though it's not an installed application. In that case, you can find these types of applications on your network. You can discover them and, knowing the list specifically of those that have this type of DLL hijack, you can search out and remove those, and look into the systems they’re on to see if there is anything more going on.
With something like this, it's not necessarily that you need to have an update from every one of these vendors to prevent this from happening. Some vendors will release updates. With others, there are other ways you can search out and detect these on your network and then take action. We'll be releasing additional updates about this. If you go to the Ivanti blog, go to blog.ivanti.com or to our main website, you can get to this, as well. Under security, you'll find the topic for this Vault 7 Tracker. We're going to release a series of articles and other information talking about the things I've just mentioned, things like being able to detect one of these applications on your network even if it's not an installed application, and how to determine if any of these hijacks are being used.
(Give me one second here. It looks like a few people were having some problems with the PC audio. I'm going to go back up to start my deck real quick here and get the phone number. Let's see. If you were having troubles on the PC audio, I’ve sent the dial-in number and the attendee code out to the Chat. Go ahead and use that to try and get in if you're having problems with the sound quality. Sorry about that. The PC quality sometimes works well, other times not so well.)
All right. That's what I wanted to touch on regarding Vault 7. Right now, we're focusing on some of the real threats, the more tangible ones. There are a lot of other things being discussed. It's not that they aren't interesting topics, but we're focusing on the ones that have tangible risks we can help you eliminate, so those are things to watch out for.
Patch Tuesday Overview
Let's go back over to the slide deck. Again, so you can see it, we'll have this presentation and the webinar recording available afterwards, as well. All right, let's get into the actual Patch Tuesday stuff. Here's our infographic, the summary of what released. We'll do a high-level recap. Microsoft released 18 bulletins. (Apparently I took a not very good high-res and dropped it in here, so it's a little bit grainy, sorry about that. We have a version on our blog that's much better quality.) Nine of those 18 updates are Critical, 9 are Important, and there are 13 user-targeted vulnerabilities on the Microsoft side. Adobe released two updates, one Critical, one Important, and two user-targeted vulnerabilities. There were two bulletins from VMWare yesterday. VMWare has had a string of updates since late last week through yesterday, and today I've seen a couple of announcements that came out during the night. It looks like they're doing updates for everything from Horizon to vSphere to Workstation and Player, which are the two I captured here, so there are a number of VMWare updates going on right now. There are three zero days on the Microsoft side, and we'll talk about the updates that take care of those vulnerabilities in a bit.
For those of you who haven't seen the full infographic, I've clipped that apart a bit here. This infographic is something we put on our Patch Tuesday page, so it will be up later today. That page brings together the infographic summary, which we just looked at, the full infographic, which is a PDF that breaks down, bulletin by bulletin, high-level, detailed information. You can see here MS17-006 for IE resolved 12 vulnerabilities. A remote code execution is the greatest impact there. It's a Critical.
We do give, right now it's still a Shavlik priority, but we give an Ivanti priority around that. We're identifying things that are higher risk and more likely to be exploited in a shorter period of time. The Priority Ones are updates we recommend trying to get in place within two weeks of release from the vendor. That's about the time frame in which you'll start to see exploits of those critical vulnerabilities. A lot of them will happen right away. Over time, others will, but that first hit comes quickly after the updates are available. Threat risk, this is another way of us saying, aside from the vendor severity, where we rate these things. You can see there are some Criticals in here that are slightly lower risk than others. A lot of what we're using to rate these are things like public disclosures. The IE patch this month resolves five publicly disclosed vulnerabilities and one that's already known to be exploited in the wild. Public disclosure means enough information has been revealed that an attacker can build out an exploit for that vulnerability, so a disclosure increases the risk of a vulnerability being exploited.
A notable disclosure happened the week before the February Patch Tuesday was supposed to run. A gentleman decided to release an SMB exploit to the public because he was not happy with Microsoft's delay in getting the fix he identified out to the market. He released that a week before February Patch Tuesday, and then we had the delay. It’s actually been right around five weeks since that vulnerability was disclosed. He had proof of concept, so somebody could have taken that and used it in an actual scenario. That's the risk of public disclosures and why we use them to help gauge importance.
A couple of other problems you can see on this document include “user targeted.” These attacks end up in phishing scams and things like that. They are vulnerabilities that can exploit a user. For an attacker, it's easier to have a user let you on the network than it is to try and break in yourself. They're going to use attacks like this as a first stepping-stone, a way to get a foothold. From there, they'll perform additional attacks to get further and further into the environment. Also, with many of these vulnerabilities, if the user is reduced in privileges to a regular user instead of a full admin, the attacker won’t get full access to the system if they exploit it. They get rights equal to the logged-in user and would have to take advantage of a privilege escalation exploit or other form of attack to gain access to the system in a way that allows them to do more. Reducing privileges is a way to slow attackers down and give you more time to discover them in your environment. The combination of patching, whitelisting, and privilege management layer together to make a more robust level of defense than patching alone.
We're going to go through many of these bulletins, but I like to show people that this information is available. We try hard to bring this information into an easily consumable format. I have a lot of webinar regulars on with us today, and a lot of them throw this up on a knock screen, an intranet site, or a security page in their organization and find it very helpful in educating people within their organization about what the risks of some of these vulnerabilities are.
This 17-022 is an information-disclosure vulnerability. It's only rated Important, but it's been exploited in the wild already, so we prioritize this to show that an attacker gains enough information about a system with this to do more harm to that system. It gives them a way to disclose presence of files on disc, so attackers can search for specific files on disc and find version information, etc., so they can identify additional vulnerabilities they can take advantage of. This might be a stepping-stone to doing something more. It's already being used, which is why we prioritize updates like this a little higher.
Switching to third parties now, we have Adobe Flash, which it’s very common to see on Patch Tuesday. In fact, I think in only one month of 2016 did Adobe not release a Flash update on Patch Tuesday. I think it was February. Adobe Shockwave had an update. There was only one CVE and only rated as Important, so it's a little lower priority. Workstation and Player had a single vulnerability resolved. It was rated Critical. I have the details in the bulletin, which we'll go through in a bit, so we'll talk more about that one when we get there.
Let’s get into specifics on the bulletins. When Microsoft released the cumulative model for Windows 10, we started tracking things differently to help people understand how these will behave in a real-world environment. This bulletin is the cumulative update for Windows 10 for March 2017. We've identified all of the bulletins that will be pushed when you push this package out. It includes several bulletins with a total of 132 vulnerabilities resolved, including many of the disclosures and zero days we have this month. This gives you an idea of how much gets pushed out with this single package for the Windows 10 cumulative. When Microsoft introduced bulletins for Windows 7, 8. 1, and the corresponding server platforms, which they moved to a cumulative model, they introduced two varieties: Security-only quality updates or the security bundle, and the security cumulative quality update, which we'll talk about in a second.
There are three variations for this next one, which you will find in our product catalog as SB17-002, 3, and 4, depending on which OS you're on. I'll show you this in product here in a second, but this includes all of the bulletins you see listed here. It's less than the Windows 10 bulletin. A specific difference I want to mention this month is a new change. Microsoft has broken out Internet Explorer from the security-only quality update. The monthly security quality rollup includes 006, which is the IE patch. The security-only does not. It's a separate update. This is something Microsoft did in response to customers demanding more flexibility around that. Many of you have applications in IE that break or are sensitive to patching. Microsoft broke this out so that you can control the IE updates and still deliver the security bundle. That's a change that was supposed to happen in February but didn't.
Another thing, if you haven't noticed already, Microsoft still has bulletins. This was another big change that was supposed to happen but didn't. I'm not really sure why they kept going with this. There haven’t been any announcements, but they've kept the bulletin model for the time being. They were planning on moving away from it in February when they had the outage that caused delays.
We’ll get into more detail about the individual bulletins, but there’s one thing I want to show you quickly. I'm running a Windows 7 system, and I want to show you what this looks like. I have all of the updates just released. I have Adobe Flash, Adobe Air, and IE. This is MS17-006, the individual update for Internet Explorer, which we'll talk about in more depth. I have a Silverlight update and an individual patch, which is not part of a rollup. Adobe Flash, Workstation, and here's my SB17-002. I'm doing the security-only bundle, which now has IE broken out of it. If I were doing the roll-up model, I wouldn't have seen Internet Explorer as an individual patch, I would have only seen the CR17-002, which included IE. That's a difference you’ll notice this month. You’ll have an IE patch to push and the security bundle, if you're using that model.
For those of you not using an Ivanti product using the Shavlik patch engine, you'll see some differences depending on which solution you're using. If you're using WSUS, SCCM, or another solution that uses that under the hood, you will see a little more obscurity about that. The cumulatives for Windows 7, 8.1, and corresponding OSs, anything pre-Windows 10, are marked as security. If you're doing it through WSUS and you don't manually tweak it to do only the security-only bundle, it will try to push both.
Depending on what order it goes in, if the cumulative goes in first, you would only see that and the other wouldn't show. If the security bundle goes in first, the cumulative would also apply, and it would end up pushing both. In our catalog, we separated the two. The version I pushed out today, SB17-002, we classify as a security update. We classify the CR17-002 as a non-security because it includes additional non-security updates, as well. That's how we separate them to give you more control. For those of you who are new to the product, or if you're using one of the other solutions, we show things differently for that reason.
Let's get into the details for specific bulletins. That's our cumulative quality rollup. Here's our first actual bulletin page―cumulative security updates for Internet Explorer, MS17-006. This is rated Critical. There are a few things to note here. We have several public disclosures that definitely make this a concern. We also have the exploit of CVE-2017-149. For those of you who haven't seen these presentations before, I have many of the details in the speakers' notes of the slide deck. When you download the deck later, you can access those, but I wanted to go through a couple and talk about them in more depth. We talked about many of these being user targeted but mitigated by having proper privilege management in place.
I want to talk about a specific set of vulnerabilities in here that involve browser memory corruption. One of these is the 037 public disclosure and the exploit fitted to this particular group. It has multiple remote code execution vulnerabilities existing in the Microsoft browser, which means there's improper access to objects in memory. It could corrupt the memory in such a way that an attacker could execute arbitrary code in the context of the current user. That means if I'm running as a full admin, the attacker can execute as full admin. If I'm running as a reduced user, the attacker can execute only as a reduced user, which limits what they can do. That's where privilege management will help reduce the impact if an attacker exploits this.
Let's talk about some of the attack methods. An attacker could host a specially crafted website designed to exploit this vulnerability through affected browsers and convince the user to view the website. There's a certain Dilbert comic I like to show because I think it does a very good job of explaining the problem exactly, so I'm going to show you that real quick. Where is it? This one right here. It's not a matter of how many people it won't affect, it's a matter of how many people you need to get through before you find somebody it can take advantage of. This is why user-targeted vulnerabilities are such a concern and why phishing is so effective. It's one of those things where it doesn't matter how many knowledgeable people spot one of these and don’t click or give information out, it always comes down to that one person who does click. That's where the foothold happens.
This next slide shows a stat from the Verizon Data Breach Investigation Report in 2015. It was pulled together from two security companies that did a large phishing campaign of 150,000 emails. They found that 23 percent of recipients will open a phishing message and 11 percent will click on it. Half of that 11 percent will do so within the first hour. Before IT even knows this phishing scam is running against people in their environment, half of that 11 percent have already clicked. That means the attacker only needs about 10 email addresses from your company before they're likely to get somebody to click, be exploited, and either let them in, let ransomware onto the system, or some other type of malicious activity. That's why we track these things so specifically. That type of attack is usually effective at getting into your environment. This has multiple disclosures and includes the exploit and those user-targeted attack methods.
Edge browser, fairly similar this month: Critical, 32 vulnerabilities resolved, several public disclosures, so it's definitely a higher risk and one you want to get out there very quickly. In particular, Edge is exposed to a PDF exploit that allows an attacker, if you have Edge as your default browser, (there's another bulletin this crosses over that we'll talk about it in a second) allows simply viewing a webpage to launch that PDF, exploit the vulnerability, and take advantage of that exploit. Even though Edge has a lot of security features that help protect it, it also has vulnerable points IE doesn't have. There's some risk there.
MS17-008: This is an update for Windows Hyper-V. Rated Critical. Eleven vulnerabilities resolved, one of which has been publicly disclosed. Let’s talk about the vulnerability that's been disclosed more in-depth. It's a denial-of-service vulnerability that exists in Hyper-V, in the Hyper-V network switch. On a host server, it fails to properly validate input from a privileged user on a guest operating system. To exploit this vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application that causes a host machine crash. In this case, they have a few hoops to jump through, but by exploiting something else and getting access as a privileged user, they’re able to do this. While this may be down the line, it could be used easily in a chain of actions to cause havoc on that Hyper-V server.
Here's MS17-009, that PDF library vulnerability I was talking about. One vulnerability resolved, rated Critical. To exploit this vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains a malicious PDF and convince the user to view that website. If you have a group of people with Edge as their default browser, the attacker only has to create a watering-hole attack and draw those users into a website that's been crafted to exploit this to take advantage of this vulnerability. Microsoft goes on to say the attacker has no way to force the user to view the attacker-controlled content, but the term “clickbait” resonates very well with most people today. It means taking advantage of human nature, of being curious and wanting to click on things. It's not all that difficult to do―getting people to open and click on content. You can craft it to focus in on your audience. One thing hackers are nowadays, first and foremost, is social engineers.
MS17-010: This is an update for Windows SMB server. This is not the update that fixes the SMB disclosure. That's a separate one. This fixes six additional vulnerabilities that existed within SMB. An example of this is an attacker could exploit this vulnerability as an unauthenticated attacker sending a specially crafted packet to a targeted SMBv1 server. This update addresses how SMBv1 is handling these requests to prevent it from being exploited. Many of these were vulnerabilities that allowed for remote code execution if they found an SMBv1 server that had this vulnerability open.
MS17-011: Security update for Microsoft Uniscribe, 29 vulnerabilities resolved in this one, so a lot of vulnerabilities resolved. It is rated Critical. This one is a user-targeted vulnerability. There are multiple ways an attacker could exploit this in a Web-based scenario. They could host specially crafted websites designed to exploit these vulnerabilities, and convince the user to go there. File-sharing attack is another way. An attacker can provide a specially crafted document file designed to exploit these vulnerabilities and convince the user to open the document file. There are different ways attackers can exploit many of these. This is rated Critical. It’s definitely something you want to get rolled out as quickly as possible.
MS17-012: Security update for Microsoft Windows, six vulnerabilities addressed. This one has user-targeted vulnerabilities. This is the one that resolves our public disclosure from before, the one that was revealed right before February Patch Tuesday―CVE-2017-0016. I forgot to put that it’s a public disclosure, but it is. It’s a denial-of-service vulnerability existing in SMBv2 and v3 due to improper handling of certain requests sent by a malicious SMB server to the client. An attacker could successfully exploit this and cause the affected system to stop responding until it's manually restarted. That's an ugly situation where you can't do much more than manually restart those systems to get them out of the denial-of-service attack. This bulletin will resolve the SMB public disclosure that made the news so prominently.
MS17-013: This is a GDI update. We've had a number of these. This is a shared component, which is why you see so many affected products. It's in the OS, Office applications, Skype, Lync, Silverlight, many applications could be affected by this. Going back to my system, which we looked at before, here's the variation that was in Silverlight, and there's a variation in the SR17-002 for the OS level. If I had other applications on here, those would be updated with the MS17-013 variation, also. If my Office version was exposed or something along those lines, you would potentially see multiple variations of MS17-013 being necessary on that system. This a case where, because it's a shared component, a shared library, you could expect to see this multiple times on a given system.
Here's another zero day. This was exploited in the wild. That particular vulnerability, GDI elevation-of-privilege vulnerability, where if an attacker exploits a system, but the exploit they use gives them only equal rights to a user, means they have to do something additional. This is one of those additionals. It has already been used, and it's been discovered as an attack in the wild. This is a vulnerability in the way GDI handles objects and memory. An attacker who successfully exploits this could run arbitrary code in Kernel mode, which means they have total control over the box. The public disclosure was another variation which, instead of an elevation of privilege, goes straight into remote-code execution. This one doesn't even allow privilege management to help it. If attackers exploit this, theyll get privileged access to the system. It could be used in a Web-based attack scenario, an attacker could host specially crafted Web content, or it could be used in a file-sharing scenario. For the Microsoft Office variations of this, the preview pane is an attack vector for this vulnerability. If it's a document in an email, and a user opens or clicks on the attachment in the preview pane, that's enough to exploit the vulnerability. The user doesn’t have to open the document itself, previewing it is enough to exploit it. This is a particularly ugly one you'll want to get resolved.
MS17-017: We jumped down a little here. We went from 14 to 17 because we're skipping down to the rest of the Priority Ones. We'll circle back and talk about the Priority Twos in a minute. This is a security update for Windows Kernel and resolves four vulnerabilities, one of which has been publicly disclosed. This is a vulnerability in how the Kernel API enforces permissions. An attacker who successfully exploits this could run processes in an elevated context. The attacker would have to be a locally authenticated user to run that type of exploit, but in this case, this may be the next piece in exploiting a system. An attacker may use this with other attacks that get the attacker onto the system.
MS17-022: This is the security update for Microsoft XML Core Services. This is our last zero day today, 022. This is an information-disclosure vulnerability. This is the one I talked about earlier where if an attacker successfully exploits this, it could allow the attacker to test for the presence of files on disc. You may ask what's so dangerous about that? If attackers know what to look for, they can identify additional vulnerabilities to go after. They could identify if there's something of interest on the system they want to procure. It's a way for them to do a little recon to figure out what they're going to do next. Having an important vulnerability that's already been exploited is a case where the attacker has found value in it and was able to glean more information to perform additional steps in an attack.
MS17-023: The last of the Criticals from Microsoft today is the Adobe Flash Player update. MS17-023 is updating Adobe Flash Player for IE, the ActiveX version of the Flash plug-ins. That's included in the cumulative for Windows 10 and available for Windows 7, 8.1, and all the other versions. Seven total vulnerabilities resolved and rated Critical.
From Adobe, APSB17-07: This is the Adobe Flash Player update. Seven vulnerabilities. This is definitely one you want to roll out sooner rather than later. The one thing to keep in mind when you need to update Adobe Flash is you have to do more than Flash Player. There's Flash, Flash for IE, Flash for Chrome, Flash for Firefox. There are many plug-ins and variations that need to be updated. That's why, when we looked at my system earlier, you would have seen Adobe Flash and...I don't have the Flash plug-in for IE, so we're not seeing that one, but I have it for Chrome and Flash on the operating system level. You can have three, four different variations very commonly on a system. That’s something to keep in mind when you're updating Flash Player.
VMWare: There are two product variations of this. It's one VMWare bulletin that applies to two distinct products, Workstation Pro and VMWare Player. Fusion, as well, for the Mac. For those of you running our Mac solutions, you'll have Fusion support, as well. It fixes one vulnerability, and that vulnerability is rated Critical.
Priority Two Updates
Now we’re getting into the Priority Twos. There is an Exchange Server update this month with one vulnerability resolved. It is rated Important. There are no disclosures or exploits on this one. The one thing to note is, for this vulnerability to be exploited, the user must click on a maliciously crafted link from an attacker. This is one where it's a little harder to do. The complexity of the exploit is likely at a level where they're not expecting an attacker to go through the pain and effort when there are easier things to do, but it's one that you don't want to leave open too long. Priority Two in our terms, this is something you want to try to target ideally within 30 days of release from the vendor.
MS17-016: This is an update for Windows IIS, one vulnerability resolved. It's a server cross-site scripting, elevation-of-privilege vulnerability. For this vulnerability to be exploited, the user must click a specially crafted URL. It's pretty easy to convince a user to click on something. All you have to do is entice them with a strong enough teaser, subject line, or something that makes them want to click on it.
MS17-018: Update for Windows Kernel-mode Drivers, eight vulnerabilities resolved in this one. Several elevation-of-privilege vulnerabilities exploitable here that would allow an attacker, if they only have user rights, to gain more access to the system and take further control.
Security update for Active Directory Federation Services: One vulnerability resolved and that is an information disclosure. To exploit this, an authenticated attacker would need to send a specially crafted request to ADFS. The attacker has to be authenticated, and needs to send a specially crafted request to the ADFS server. It needs a lot of forethought, intelligence about the environment, and already be authenticated in the environment. This may be something an attacker uses once they've established a foothold, but it's not how they're going to get into the environment.
Security update for Windows DVD Maker: One information-disclosure vulnerability resolved. With this, an attacker could gain enough information to further compromise the targeted system, but the attacker would either have to log on locally or convince a locally authenticated user to execute a specially crafted application. The latter of the two is probably the more likely to happen. From there, the attacker can glean more information to be able to do additional things.
Security update for Windows DirectShow: One vulnerability resolved. This one is user targeted. There are Web-based attack scenarios that allow the attacker to target the user using hosted Web content. This addresses how DirectShow handles objects in memory to prevent that.
This is the other Adobe update this month, the update for Shockwave Player: One vulnerability resolved, and it was a lower priority.
That’s it for the bulletins this month. I know there were a couple of questions. Let me see if I can scroll back through here and answer a few of those quickly. "Please display the link for the Vault 7 Tracker again." I think we showed that a couple of times, but as we're answering some other questions, I'll go ahead and pull it back up. You can see the link for it up here. You can also go to blog.ivanti.com, click on Security, and you'll get to that topic.
Jeffery was asking for the dial-in code, got that one. Okay, I answered all of those, so let's go over to the Q&A section.
"Will there be a link provided to the recording afterwards?" Yes, there will. For those of you who are not familiar with us and may have found us through one of our sources (we put various advertisements about the webinars out there), Shavlik is part of a larger company that is now rebranding itself as Ivanti. Right now, shavlik.com is where we have our Patch Tuesday Central page. This includes playbacks of the webinars. There's a link to view a previous webinar. Click that and you can watch a previously recorded version. For example, this is the January webinar. There's the infographic link, which gives you the full infographic. January was a light month, so it was pretty small. The presentation comes up in SlideShare. There's also our webinars page where we have a direct download link for the PowerPoint. You can get the speaker notes, as well, and the link to the blog. This Patch Tuesday Central page is a great place to post all of that.
We are working on migrating that page to ivanti.com. Between now and April, we hope to transition everything over. During that time, the website will go through a bit of influx. I'm working with the Web team to make sure this is updated as quickly as possible. There's this page, and if you want the full slide deck with the speaker notes on our webinars page, you can do that. You can see any of the on-demand webinars, as well, the same Watch Now we had on the other page, but this one has the downloadable version of the presentation. Marketing wanted to have the slide deck in SlideShare because we get more SEO coverage when it's in a place where it's being scraped by Google and others. This one is downloadable straight from one of our resource servers. You can grab the PowerPoint for that, as well. Both options will be available later today, hopefully. You'll all get a follow-up email from our nurture campaign about Patch Tuesday in which we'll send you the link when it's available so you can watch the recording or grab any of the content.
"Could you please send those images to attendees, it would be very helpful.” Yes, we will get that content uploaded as quickly as possible, and you'll get a follow-up link for that.
"Ivanti Patches cover all Windows 10 versions?" A question from Andrea. Hopefully I got the pronunciation right. As clarification, Ivanti patches cover all Windows 10 versions: 1507, 1511, 1607. Yes, we support the latest as each comes out, so not a problem there.
"Would the following updates resolve all of Microsoft's Critical, Important… KB292664?” Let’s take a look at that list. The question is―there's a specific list of bulletins Sam is asking about, and he wants to know if all of them are in place, are all of the Critical updates taken care of? Let's check everything to make sure we're looking at it correctly―292664. When you start talking about KBs, KBs are a little ugly to track down. Microsoft likes to have blank KBs and KBs that are much deeper down. The question is, which KB does that apply to? Let’s see if I can find this quickly. Searching for KB. All right… Apparently some people are already getting failures with that one. You’d think it would come up with that one first, but apparently they don't have the best SEO on that. This might take an offline discussion to make sure we track down everything you're looking for, but this particular update is… There we go, compatibility update for keeping Windows up-to-date. Okay, this is the compatibility update. The question is, is this version 12? If they updated this to include everything before, the goal of the compatibility updates is to get you up to a certain threshold. From there, if we got these others, 401, 2215, yup, so that's the cumulative from March. For Windows 7, I'm guessing the other ones here are…yup, that one's going to be including several of those, and then 04, that's the IE patch. With that you should get most but, as I said, you could end up with a few one-offs for say Silverlight, Office, Flash Player. There may be a couple of other things out there you'll need to install, too, Sam. You had a follow-up statement saying “not including Office.” Okay, Silverlight is another one-off you might get, so if you're ignoring Silverlight, Office, and Flash Player, yes, those should get the OS and IE up to compliant with the latest Microsoft Critical updates.
Next question is from Sayid. The VMWare patches we talked about are probably not in the catalog for the LB patch side, yet. We're in the process of switching over to the Windows catalog as we speak. In the next month or two (and it won't require a code update or anything like that, it will be all engine and content level), we're switching over to the Shavlik Windows engine, which will get it to where you have parity with the full catalog we're talking about here. Until that transition, the catalog has some minor differences, VMWare being one of them. That's why you're not seeing that yet, Sayid, but it will be coming.
Henry had a question: "We're looking at Nuance Power PDF and notice Nuance was not one of the vendors you support." That's a good question, Henry. Going back to the Vault 7 stuff, and I like where you're going, because switching to an alternative for a common product doesn't necessarily make you more secure. On that fine-dining list, you have things like Foxit and LibreOffice, so you do have to be concerned about that. Very good question Henry. We can definitely look into that. We have several PDF alternatives, but Nuance is not one of them, yet. What we ask our customers to do, our Protect customers especially, is submit a feature request. This form takes you out here. If you're not a Protect user, you can go to shavlik.featureidea.com, which gives you the same form. Fill that out with what piece of software you're looking for, and we can look at researching and getting that supported. In 2016, we added two or three alternative PDF products.
The next question was from Julie, and I apologize to anybody who's still with us, we’ll try to work through the rest of the questions quickly. If you need to run, there should be a follow-up email shortly with the webinar playback, PowerPoint, infographics, and everything else.
The question from Julie: "Would you suggest to the Ivanti marketing team that they stick to plain text with their update notifications rather than including a huge graphic picture?" Got it. Marketing loves infographics, but I'll point out to them that we definitely need a plain text backup version of that type of information, because you're right, Julie. A lot of our federal customers, highly regulated customers, don't allow HTML emails, so you would miss out on a lot of good information.
From Getty: "Do you support Windows Server 2016?" I use this product to show many of these examples, but this is the same catalog any of our products already on the Shavlik Windows engine would have, all the same content. As we transition other products, LD patch being the next one, they will all get the same catalog. This has the full list of operating systems, and yes, 2016 is supported in there. As OSs release, typically our catalog has them. We're evaluating while they're still in preview, and when they launch, we go live the same day or within a day or so of that.
From Andrea: “Protect standard and client currently running in an environment should be reinstalled to get the Ivanti Protect standard layout?” The version you're looking at with Ivanti on a few things here, this is Protect 93. We're going into beta next week. March 20 is when we plan to launch our beta of 93. We should have a release of that to early access and GA in mid-April for early access, late April for GA. To get that, simply upgrade when it's available, and you should all be set. When you upgrade to 93, Andrea, the branding will change over then.
Sam had a follow-up: "That's one you might have been saying could be rolled up into one of the update packages, depending on the order it was pushed out." Yes. You were saying Windows update, so yes that could be one of those cases where the security-only, depending on what order it gets on there, the cumulative rollup for the month takes care of everything. The security-only is a subset of only the security bulletins for that month. The cumulative includes all of those plus additional non-security items.
Let's see, Alan had a question: "Have you heard of any issues with access to the 006? After installing it on my system, all browsers: Edge, IE, Chrome, and Firefox do not work." I'm guessing you were talking about CSW-006. That was the Windows 1607, January update. All of your browsers stopped working after that one. I hadn't heard anything specifically about that. I apologize, but I was on vacation in January so wasn’t tapped into a lot of what was happening. Let’s see if we can do a quick hit on something and maybe find something. That was the anniversary update. Nothing specifically for January made it big enough to hit the news. That doesn't mean there weren't some issues with it. The other thing I typically do as time goes by is go back to the bulletin page. This is why I was a bit leery of Microsoft walking away from the security bulletin models, because they give you some decent information when they keep them up-to-date. Usually what I do, a few days to a couple of weeks after, is come back and check the Known Issue list. If there's something that’s a big enough issue, it gets populated here. I'm not seeing it here either, so the situation you hit, I'm not sure what happened on that one.
Dana had a question: "MS17-019 is an ADFF update. The update concerns me the most of all of them. The vulnerability has not been publicly disclosed. The actual change this update is making does not seem clear." It looks like some kind of bot is in our webinar and passing junk through. Haven't seen that before. So 019―let's go down here and see if we can get more details about what's changing. The update addresses the vulnerability by causing ADFS to ignore these malicious entities, so the change will take this type of request and literally ignore it. This is the danger of those bundles and cumulative rollups. You can't pick and choose which updates to apply. The best advice I can give you is to try and test this out on any ADFF server before rolling it out to all of them. It's one where it should be minimal. This particular type of request should be ignored and the rest of it should all behave correctly, but it depends on whether that type of request looks like anything else your ADFF server gets in your environment. They don't always give great information beyond this, but this wording sounds pretty minimal to me regarding what they've done to eliminate this vulnerability. They're only saying that if something comes in that looks like this, don't acknowledge it.
"Do I have to uninstall my Shavlik and install the Ivanti version?" No. Actually, Getty, this is a good question. I did this, this morning. I ran our Ivanti-branded version over the top of the existing version and it upgrades just as it always has. Our product is designed to be easily rebrandable. We learned this very quickly. We OEM'd our products to a third party for a while. When we were acquired by VMWare, we reskinned the product in a day. When LANDESK acquired us, we reskinned it again in a day, and we're reskinning it again now. We can rebrand very quickly and easily. It's the same product with light cosmetic changes, so it should be a simple update when you transition.
"Any features in 93 to look forward to?" Vince, excellent question. Yes, there are a lot of good things coming in 93. I can show you a couple on screen. If you look over here, we can go into a machine group, and there's this thing called a path that allows me to create folder structures. I can drag and drop machines into different groups. I can make and nest additional groups in there so I can edit the path to go even deeper. Now I have nested folders. I can have them not be nested, as well; I can have them be peers. There are a lot of new organizational features. You can see here that I've applied a filter to my results that shows the patches installed and patches missing. It's ignoring the informational and certain missing service packs.
A lot of people hate having to click, scan, and sort through everything with those mixed in. They want to get rid of that. With these new filtering features, you can. I can also say, "Show me only security patches." I already had that, so the scan is already doing that, but maybe I want to say, "Grab only the Adobe stuff." There are a lot of new filtering options, and they are in every grid on every column and give you a lot of powerful filtering capabilities. You can see, down here, the filters that have been applied. I can even go in and switch between filters. I can edit that filter at a more detailed level. You have a wealth of additional options.
You'll notice here in our scheduler, there's a new feature that allows you to do the staging step as a discreet point in the schedule. There's a new feature set where we're extending the product with an API feature set. It’s based in PowerShell today, but we'll be expanding it into things like REST. From PowerShell, I can script out populating machine groups and credentials, scan, and deployment of specific machines or groups of machines. If I want to integrate with a DevOps workflow or pull CVE data in from a vulnerability scanner like Rapid7 or Tenable, etc., I can populate a patch group with vulnerabilities from my vulnerability scanner, and deploy those right away. All these things will open up possibilities with the API feature set. Those are some of the things that are coming. Beta is starting shortly. If you're interested, email [email protected] and we can add you to the beta list. I have about 250 people on the list, and we're always happy to take more. We'll be sending invites out this week.
I know we're going over time a bit. Getty had another question: "Experiencing an issue where, after pushing Windows updates to a server or workstation, I have to log in to each machine to install manually." Interesting. I'm assuming you're using Protect. Yes, that was you we were talking to earlier. Contact support about that. It shouldn’t be happening. There's an option in there to copy patches but not install. You may be hitting that feature. If you are, that's exactly what would happen. It would push the whole package down and let somebody manually execute it. That’s why we now have the staging option. People were prestaging using that feature and coming back to execute it later. You may have been using the “do not install” option accidentally.
All right, do we have everybody's questions? Phil had a question: "Will the Ivanti Protect standard take the place of HEAT EMSS. If so, do you have an estimated time frame?" Also a very good question, and sorry to anybody who's not using either of those products. We have a number of changes coming regarding how we're doing things. We can definitely have more in-depth roadmap discussions, but the immediate change around what Phil's asking is, we have our Protect product, we have our HEAT EMSS product, that's our Endpoint Management Security Suite. Both product lines will remain, and we’ll be working on integrating those two solutions in the not-too-distant future. We will continue to develop the HEAT EMSS product, continue to develop the Protect product, and at some point, those interfaces and services will come together so you get the best of both feature sets. That's something we plan to move forward with.
"A question regarding the HEAT EMSS software I currently use. Will there be an upgrade update to get to the Ivanti version?" Yes, in the next minor release, which is coming very shortly, they'll do the same type of cosmetic rebrand. It will switch over to Ivanti and the EMSS name will change to Ivanti Endpoint Security. Protect will become Ivanti Patch for Windows Servers. For those of you on the Protect side, don't think that means the endpoint side goes away, it doesn't. It will continue to manage endpoints as it does today, but our focus is to bring those two product lines together. The Protect feature set will focus on continuing development around agent list, virtual integration, server, the base features, things like that. EMSS will focus more on the endpoint side and building out additional security features, but the two feature sets will come together. For both customer bases, both product bases, don't feel like the product is going away. Both products will remain.
All right. Jim had a question about the API feature set. If you're already on my beta list, Jim, I can't recall if you are or not, yes, we should be going into beta March 20. I'm a little behind on getting those invites out. We've been a bit strapped for time, but we will get that beta announcement out shortly. Hopefully the beta will start next week. We're planning to run that March 20 to April 10, and go to early access shortly after, so watch for that. If you have not requested already, shoot me an email at [email protected] and we'll get you on the beta list.
"I don't see MS17-009." Jim is looking for MS17-009. That one is more than likely part of one of the bundles. We should be able to see that down here. One thing we try to do is include all the bulletins that are included in each of these. The reason you're not seeing that, Jim, is because it's part of the security-only bundle or the cumulative bundle, whichever one you're using. That's why you don't see it as an individual patch. It's part of either the CR or the SR bundles that would be applied to the OS. That's why you're not seeing it specifically.
All right, I think I got to everybody's questions. The rest of it seems to be garbage from this bot, whatever that is, that got into the webinar, which is annoying. Thank you everybody for joining us today. We will get this webinar converted and uploaded to our website as soon as possible. Watch for a follow-up email, or if you go to shavlik.com, you can go to our webinars page and get the video playback with the download of the PowerPoint, or you can go to the Patch Tuesday page and that will have a March tile like this with the four links. That should happen later today, depending on how quickly I get everything converted and over to the web team to upload.
Thank you for joining us today, and we hope to see you back here next month. Thanks.