April Patch Tuesday 2017
11 April 2017
Chris Goettl | Director, Product Management, Security | Ivanti
Join us as we recap the Microsoft and third-party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure and test adequately, and which patches should be highest priority to roll out.
Hello, and welcome to the Ivanti Patch Tuesday webinar for Wednesday, April 12, 2017. My name is Chris Goettl. We had an interesting Patch Tuesday. There was a lot that happened, a lot of changes. We had to relearn how to walk, run, ride our bikes. It was a very interesting day, to say the least.
We're going to go through a number of things, talk about changes on the Microsoft side and how those changes will trickle down into our products. Whether you're using the Ivanti brand of products or non-Ivanti brand of products, we’ll have things to talk about.
For our specific product lines, we'll talk a little about some of the added value of our content and what things we're doing to compensate for some of the changes Microsoft made recently.
We’ll do an overview of what happened on Patch Tuesday, industry news, known issues, things to look out for, and get into the bulletin pages. Well, they’re not called bulletins anymore so we'll get to that too, and then go through the Q&A at the end.
In the News
Industry news: For those of you on Windows 10, 1703 released and with it, its first round of patches. I actually had a joking moment with the content team about the fact that it's not a zero day, it's a day zero patch product released, and on the same day it releases, updates were made available. It's kind of funny.
For those of you on Windows 10 1507, the initial Windows 10 release, that end-of-life is coming up May 2017. If you haven’t started yet, make sure you start migrating all of those up to the 1511 or later branches unless you're running on LTSB. If you're on Long-term Service Branch, you don't have to worry yet. If you don't know what that means, you're probably not on LTSB. It's a special edition you can stay on much longer.
There's a known zero day for IS 6.0 that definitely made some news this past month. I have an article here titled "Actively exploited zero day in IS 6 affecting tens of thousands." Actually, it was not 60,000. In the article it says, "600,000 publicly accessible IS 6 servers on the Internet." That means that of all the 2003 web servers still running IS 6, 600,000 of those have this WebDAV component enabled, meaning they are open to exploit of that vulnerability. That's CVE-2017-7269. If you know you're running server 2003 with public-facing web servers, you may want to disable that WebDAV component or make sure you get that out of production as quickly as possible.
One thing we strongly recommend, end-of-life software is a huge risk to any environment. This is a very good example of that. There's a Metasploit exploit available for this. There are known ways to exploit this, so it’s definitely not going to go untouched for very long.
Microsoft also had a couple of zero days this month. One in particular is the Microsoft Word zero day, which was talked about quite a bit. That was released in this month's Patch Tuesday update. We'll talk about that in a moment. There was also an IE zero day identified. Those two zero days are definitely concerning this month.
Shavlik.com Goes Offline
For those of you who have been long-time Shavlik customers or have attended these webinars for a long time, we had a moment of passing last Friday when Shavlik.com went offline officially. Up here in Minnesota, we held a funeral for shavlik.com and reminisced about all the good times we've had over the years. This site started up in 1993 and ran until 2017, so it was a long-running site. It's now finally merging into the Ivanti brand completely, which brings me to the next point and which most of you will care about, and that is how to get continuation of all your Patch Tuesday content. Our blogs, the Patch Tuesday page, our webinars have all merged into ivanti.com.
Very quickly, let’s show you what that looks like. There are redirects on the Shavlik site that will bring you over here. This brings you to the Ivanti Patch Tuesday page. Under Resources on ivanti.com, you can find the blog, webinars, and Patch Tuesday all very closely linked. It's easy to find, and we've made a couple of improvements. Previously, the infographics and other components couldn't be posted until after the Patch Tuesday recording was finished and we could post everything at once. We’ve fine-tuned it so that on Patch Tuesday, we can post the infographic summaries, links to the full infographic, and the blog. On Patch Wednesday, when we do the webinar, we convert everything over. Later today, I'll convert the webinar and load the presentation. Those links will then pop in here, as well, so you get things a day earlier.
Now that everything has moved over, we're working to expand our webinar build-out so we have three to six months of Patch Tuesday webinars prescheduled. We hope to be there very soon. We should have May up in about a week. Shortly after that, we're integrating this into a system where we can more effectively generate all of those landing pages automatically. Once we get fully assimilated, we'll be able to start leading these out, so there are several more of them prescheduled. That will make everything a little more convenient. That’s the Patch Tuesday page.
Those of you who have been long-time customers of LANDESK are probably familiar with Interchange. For those of you from the Shavlik and HEAT side or those of you who are interested in our product lines, our company show, Ivanti Interchange 2017, is coming up May 8 through 11 in Las Vegas at the Mirage Resort. This is a great opportunity to get exposure to all of the Ivanti brands, get hands-on with our product lines, even those you aren’t licensed for today, take things for a test drive through our boot camps and training sessions, get face time with product managers, security specialists, sales engineers, and developers. We're bringing a mix of technical experts to the show, and they’ll be accessible to you. You can pick their brains in all sorts of different ways.
Last year, in our labs, we had everything from brand new people who had never tried a product before to people who have been on the product line for as long as I can remember. Half of the people were talking to an SE about how the SE would recommend configuring their environment, while a developer talked to another customer and actually remoted into that customer's console to talk through an experience they were having. It's a great way to talk directly with the product people involved in the creation of our products. It's a great way to influence those people, get to know them, understand where the product lines are going, and get roadmap information. In general, it's a great opportunity to get up close with our experts.
If you are thinking of attending that, it happens to fall on Patch week, as well, so I will be doing Patch Tuesday live from the Mirage Resort. They're talking about trying to set it up as a live presentation right before our keynote of the morning. We'll also be doing the live webinar, so it’s a great opportunity. If you go to ivanti.com, you can take a look at that and get signed up, or talk to your territory manager, and he or she can help you, as well.
Microsoft Discontinues Bulletins
Now to the big news this month, which is Microsoft finally got rid of bulletins. Finally, as in they've been talking about it for six months. They were supposed to do it in February, which didn't happen. One wonders if something went wrong specific to this and that's why February didn't happen because when March came around, the old bulletin system was still there. Now we’ve come around to April, and it’s finally gone.
For those of you who like to go and look at the bulletin summaries, do a bit of research on your own, you now need to go to portal.msrc.microsoft.com and go to the Security Guidance tab. From there, you have access to a portal. This portal gives you a lot of cool options for filtering, sorting, viewing things the way you want to.
There is a bit of a disconnect, however, because the way everything is structured now, you have to poke around in so many individual pages to find all of the information that it gets tedious. I tell you that from experience. In March, it took me about two hours to do across 136 vulnerabilities. In April, it took me nearly four hours to do across 46 vulnerabilities―a third of the vulnerabilities to research, and it took me nearly twice the time as the previous month. I'm a little unhappy with the experience so far.
When you get into this, please feel free to send us some feedback about what you think of the experience, and we'll be more than happy to take that feedback, along with our own, and share it with Microsoft. We also encourage you to reach out to Microsoft and let them know how this changes things for you personally.
Now on to the real guts of the presentation: Patch Tuesday, high-level summary. It says bulletins there, but we'll change some labels over time, and we’ll refer to these more as updates. The way we're counting things now, there were 13 distinct updates. There may be many KBs related to many of those, but there were 13 updates you really want to worry about. We'll talk about those and how we are organizing them in the Shavlik legacy catalog.
For those of you across the brands today, this got into the Shavlik catalog. Very shortly, we should be getting this into the LANDESK and HEAT catalogs, as well, so that we're all using this new model we're putting in place. We basically created our artificial bulletin system to keep the user experience level of this down to a level where you get the experience you’ve come to expect. In our products, it should be as if the bulletins never really went away. The naming for it will be a little different, and I'll show you that. There are some advantages to how we've done it in the new model that makes it even easier, but for those of you who are using WSUS or SCCM for the Microsoft updates, youll see a few things here that are specific to our product catalogs. The guts of what we're talking about in each of these, however, is still roughly the same.
Priority One Updates
Starting off: Windows 10 and server 2016. This first one is the cumulative rollup. This includes the OS, IE, and Edge for Windows 10 and server 2016. There are a total of 15 unique KBs that make up that particular update package, fixing 32 vulnerabilities. Of those, there is also a disclosed and exploited vulnerability here in IE. This is the Internet Explorer vulnerability. Microsoft said the flaw exists due to a lack of proper enforcement of cross-domain policies.
An attacker could exploit the user by tricking them into accessing a specially crafted webpage. They didn't share any information about exactly what attack was performed or how it worked, but they did give enough information on how an attacker would go about this. User-targeted vulnerability, craft a website, convince that user to go there. These are things that are not difficult to do, phishing etc. Most attackers now are social engineers before being real hackers. They can buy off-the-shelf toolkits that do everything they need. They can buy ransomware as a service and sit there and say, "Give me a randomly generated payload that will do crypt32 or whatever variation," and there it is ready to go for them. They go off running, convince a user to click on their content, deliver payload, and get payout. It's that simple for an attacker now. They're very good at socially engineering their way into these environments.
If you don't have vulnerabilities like this plugged, hackers have easy access to it. It's to the point where phishing stats show that if I get 10 email addresses from your company, I have almost a 90 percent chance of getting onto at least one of those. It's to the point where 30 percent of people will open an attachment or open the email, and 10 percent to 11 percent will open the attachments. It’s pretty easy to find their way in. That's why a vulnerability like this is very important to resolve.
We give priorities around this in the Ivanti catalogs. This one would receive a Priority One, meaning the vulnerabilities are at a risk level where an attacker could exploit these in as little as two weeks from the vendor update or, in the case of a zero day, even before a patch was available. This is an update you want to get in place within two weeks of release, ideally, to reduce your risk significantly. If you go too far beyond that, your risk of being exploited on any of these vulnerabilities starts to increase.
Let me cover one more point before we move on. For this MS17-W10-04 update, instead of listing out the 15 unique KBs and trying to see where all of those are two months from now―“Hey, remember we had that problem with KB 4070, what was it again?”―we've continued a bulletin-like model with an artificial naming structure. You're going to see these on each of the slides coming up, but we gave this particular one MS17, Microsoft and the year, W10, Windows 10, the Windows 10 platform, meaning Windows 10 in server 2016, and 04 meaning the update that came out in April. With this, I could say, "Remember back in April, the Windows 10 update that came out? That was MS17-W10-04, right? Yeah, that was the one. We have this issue with that." I have an easily understandable way to reference these things. It’s an artificial one created within our catalogs, so if you're on the WSUS side or SCCM side, you wouldn't see this.
For those of you using products like Shavlik Protect or the LANDESK or HEAT products, you will see these bulletins starting to appear very shortly. We used yesterday and we’ll use probably the next week, at least, to try to sort things out on the Shavlik catalog, make sure we're confident with this approach, and then we’ll deliver it to our other software catalogs, so bear with us. You're going to see where we're trying to keep this level of value. I'll show you a few examples in a bit of how this makes it so much easier to sort things out.
All right, pre-Windows 10 platforms: We have two models. There's the security only and the monthly rollup. You'll see a breakdown of three variations. There's MS17-SO7-04, SO8, and SO81. Those are the three architectures or platforms that there are packages for. That's three update packages, basically.
The security-only update is what Microsoft created to deliver only the security updates for Patch Tuesday. This is not a rollup. Next month, it will not include nonsecurity fixes. These are security only. In March, Microsoft went a step further and allowed people to break out IE. In a second, we'll talk about the IE patch that goes alongside the security-only update. We'll get into the monthly rollup, which is the same. It's MR7, 8, and 81. That includes IE, as well. We'll talk about those two variations.
Windows 7, Server 2008 R2: There were a number of updates in here. One thing that stood out to me right away was this CVE-2013-6629. I was like, "Wait a second. Was that a typo? What the heck?" We started looking into it, and this libjpeg image processing is an open-source library they updated and replaced. It's resolving a very old vulnerability. The rest of them are critical updates that have a number of vulnerabilities.
There is a known issue on this, which carries through the six updates we're about to talk about. The known issue is specifically on PCs using the AMD Carrizo DDR4 processor. Installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution. We'll provide an update in an upcoming release. If you know you run AMD processors, you may want to take a close look and find out if you have any of these Carrizo DDR4 processors and possibly look at holding off on that for a while until the rerelease comes out to resolve that issue.
This one is a variation of that last one, 18 vulnerabilities being resolved across several KB articles. We're grouping it in a way where only one update gets pushed. We've provided a level of detail so you can organize it so you know SO8-04 was the security-only update for server 2012 because Windows 8 has end of life. That gives you an easy way to reference that.
MS17-SO81, the security-only update for the 8.1 and server 2012 R2 platform: This is the third variation of the update for the security-only bundle this month. Twenty-four vulnerabilities. It still has the same known issue for that AMD processor.
The next one goes into the IE update that goes along with the security-only update. MS17-IE-04, this is the cumulative update for Internet Explorer, critical, updates the latest version of IE for whatever platform you're delivering it to, 7, 8.1, etc. Three specific vulnerabilities are resolved, including the IE vulnerability we talked about with Windows 10 that's been exploited in the wild. To resolve that IE update, if you're using the security-only, you must do the security-only and the IE. I'll show you this.
For those of you who may not be familiar with this product, this is the Shavlik Protect product line. You can see the updates I pushed to my machine this morning. I have .NET, IE, Silverlight, the SO7, which is the security-only for the Windows 7 platforms, another .NET flash player. It was very easy for me to identify exactly what each of those were as soon as I knew what those stood for. IE and .NET, obviously dead giveaways. Silverlight, once you've seen that a couple of times, you're going to recognize it. SQL is a small enough acronym you can easily remember what it is. The SO7, I know that was the security-only update for the Windows 7 and 2008 R2 platform. I was able to push out the SO7 and the IE update, and I've now plugged all of the OS and IE vulnerabilities for this month.
If we go on to the next set, we're talking about the same KBs, the same vulnerabilities, actually the same vulnerabilities being resolved. There are different KBs because they're for the monthly rollup instead of the security-only update. There were 18 different KBs referencing everything that was updated in this one update. This is the monthly rollup for Windows 7 and server 2008 R2 and has the Windows 7, 2008 R2, and IE updates all being resolved. Here's the IE vulnerability that's being resolved. That's the "disclosed exploited" IE vulnerability. We have the same three variations of that. This is the Windows 7 update, the Windows 8 update, the Windows 8.1 update. Whichever platform you're on and it’s corresponding server platform, that is the package that would get installed to that system.
By the way, for the MR package, the same known issue applied across the board to all six of those. For each of those updates, if you have PC running that AMD Carrizo DDR4 processor, you may want to hold off a little while because it could break the ability to deploy future updates.
Switching over to .NET: Our artificial designation, MS17-NET-04, makes it easy to understand which one we're talking about. I'll show you in the product here in a second. It makes it extremely easy to look something up. It supports .NET 2.0 through 4.7 all in a single package. This is a new model Microsoft implemented. We haven't had too many of these yet, so I'll explain how this one works. With this, .NET will have the same installer that gets pushed to the machine. When that runs, it will detect all existing installs and will update each one. It will not install new versions that are not there. Don't think it's going to do that. It's not supposed to.
In this case, it goes .NET 2.0 through 4.7. On my machine, I had two .NET versions. You can see here, I had two variations that got installed. If we look here, we can see this one was for .NET 2.0, and this one was .NET 4.6. Those are the two versions I have on my machine. Both of them were updated. You can see I don't have all of the versions. If I had three or four more versions, you would see that many variations of the MS17-NET-04 update because those are KBs that need to be applied to that system. We can group them in a way where I could say, "Remember the .NET update from April? I think my machine had two variations of it." I know exactly what that update was. I can find it quickly and easily and reference that. In our product catalog, that's why you'll see these artificial designations.
Office Zero Day
Moving on, Office: This is where we had the other notable zero day this month. Eight total vulnerabilities resolved across pretty much every component. Every edition of Office or Office component was included in this. Office 2007 up to 2016, Excel, Outlook, OneNote, pretty much everything out there. The vulnerability was the vulnerability in Word. The CVE for that was CVE-2017-0199. Word had a vulnerability that could be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors, which have delivered varieties of malware, including Dridex, WingBird, Latentbot, and Godzilla. This is being exploited very actively, so this is definitely a high priority. You’ll want to update this as quickly as possible.
I have a question from a customer already I can see. "Which Office KBs include the CVE we're looking for?" Let's take a look at that. If we look at the way we have it grouped, we can type in "off," and that pulls up our MS17-OFF-04 list. Here you can see all the KBs. There are a lot of them. For each one of these, you can see the affected products on the right. This one is for Excel Web Apps. This is for Office 2010 and Service Pack 2. This one is for Professional 2007. Out of all of these, how many are affected by that vulnerability? The Importants probably not, but Criticals? No, 199 is not there. If you look down on the bottom right, you can see the CVEs. No. Okay, this one is, KB 3141529, KB 3141538, going down further, KB 3178703. For me to figure out what all of those were, approve them, and get them out there would have taken a lot longer, but with the product here, I was able to say, "Give me everything Office for April," and then I can quickly find the ones I'm going to want, select those, add them to my approved patch list, and I'm off and running. This is why we've kept this type of bulletin-level identifier on the updates.
That's our Critical. Again, it's the 199 update. This is that vulnerability. I had that press link up at the top that talked about it, and this is the update that needs to apply that.
On to the next one, MS17-AFP: Adobe Flash Player, something we expect every month, pretty much. Critical. Adobe Flash. This one includes seven vulnerabilities to be plugged.
MS17-2K8-04: For those of you on Vista, I'm guessing there are still a few of you out there. I skipped over that one pretty quickly, but there were some holdouts who stuck around in Vista for awhile. That is officially end-of-life now. This was the final security patch update for Windows Vista. Server 2008 is carrying on until 2020, but Vista is no more. If you have any, those are no longer getting updates as of May.
APSB17-10: This is the Adobe Flash bulletin. This the bulletin directly from Adobe, so you can look that one up and find their page directly. Seven total vulnerabilities, things ranging from a little code execution down to memory leaks and other things like that. This falls into our Priority One categorization.
Priority Two Updates
Dropping down into Priority Two: For those of you new to our webinar series, Priority Two, in our terms, is an update that's warranting an update, but it's not as high a risk. Our target recommendation is within 30 days, as soon as possible is recommended. That makes it so it's not hanging out there for a long time.
The Verizon breach report back in 2015 did an analysis of observed exploits. For the 2015 year, there were a number of vulnerabilities that were exploited in two weeks or less from vendor release, a high number that were exploited very quickly. There was an even higher number of vulnerabilities that were exploited years after. All the way up to 10-plus years after an update was made available, vulnerabilities continued to be exploited, so we can't let these things rest.
An attacker might go after one of those high-risk ones we talked about earlier, but a couple of months later, they may come back around to something like this because they know these are things that a lot of people neglect. They'll come back around and exploit lower-importance vulnerabilities further down the road. Even years later, you'll see exploits of lower-severity vulnerabilities happening. There’s one total CVE and we do recommend getting this resolved within a 30-day time span, if possible, but within a reasonable timeframe.
APSB17-09: This is the update for Adobe Campaign. It could be exploited to do read, write, or delete, but it's mostly targeted at information disclosure. It can do modification in some cases. The severity of this should probably go up if your content within the Campaign database is sensitive. What's in there, what information you have, how sensitive it is, risk of exposure, and who you might have to notify, things like that will determine the severity of this. You should assess that and determine if it should be higher.
APSB17-11: This is the update for Adobe Acrobat and Adobe Reader. At forty-seven vulnerabilities, this was the lion share of the vulnerabilities from Adobe this month. A lot of vulnerabilities, but apparently none of them too significant in risk so categorized as Priority Two in their terms, Important in Microsoft terms, and we put it at Priority Two, as well.
APSB17-12 and AP17-13: These are two Adobe updates that are rated as Priority Threes, recommended updates more or less. These are vulnerabilities that are much lower risk. Test it out, roll it out sometime, but it doesn't have to be immediate. It's a lower-risk priority.
All right, there are a couple more questions here. This one I've heard a number of times between yesterday and today. “Why? Why, Microsoft? Why did you get rid of bulletins?” I have no idea why they did it. I'm questioning the same thing myself. If you follow some of our other feeds like Twitter, etc., you know I often have writers reach out to me. In fact, I had an interview with one writer earlier today, and he asked the same question. Honestly, I don't know why Microsoft chose to do this. I can tell you that from things I've seen on patchmanagement.org, my own experience, the experience of our content team, questions I've received from customers, even since yesterday, it really doesn't make sense why they did this. I’ve even had a couple of thank-yous, already, for keeping the artificial type of label we have so there's a way to group and coordinate things. I'd love to tell you a reason why, but I really don't know what it is.
An interesting question here: “Windows 7, the new branch, what's the size of the Windows 10?” Let's use our new artificial labels to our advantage here. W10 brings up all my MS17 Windows 10 for April updates. There are four variations, one for each branch. This is 1607.
Next one down is 1511. This was 1507, the gold release, and then 1703. The question here is 1703 just released, and really, it's a patch. How big is that patch? Let's take a look.
You can see here that I've started downloading these to take a look at this myself. The new branch is 114MB if you're on the 64-bit architecture, 51MB, 52-ish if you're on the 86 architecture, and looking at the TH2, the 1511 branch, you can see that’s significantly larger, 1GB or 570MB, respectively, to architectures. As these grow, they get significantly larger, which actually brings up a very good point.
Some of you may have heard this already, but Microsoft released a Delta update. This Delta update is supposed to allow you to say, "I pushed last month's patch out, so this month I should be able to push out a smaller update, right?" Well, yes and no. If you only installed the update from Patch Tuesday and you do the Delta next month, you would be able to do the Delta. We recently found out, however, that if you do the Preview in between, which means doing all the nonsecurities at the end of the month (Microsoft released the Preview at the end of the month for Windows 10), Delta wouldn't apply. It only applies to the Windows 10 Patch Tuesday release, for some reason.
There's a little bit of an oddity there, but we're trying to make it easy to find out which was the security release, and then you could skip over to each Patch Tuesday release only. For Windows 10, when you do that one, it will include the nonsecurities that released in between the Patch Tuesdays because it's cumulative and it's a rollup, but you can then use the Delta update, which is not as large as the full one. If the Delta update is 500 or 600MB versus the 1GB, I save myself 400MB, which is a significant cost saving. The Delta is something everybody will want to use. We're going to keep trying to refine it and make it a little easier to work with and get full advantage of it.
Microsoft is working on this Express platform or what's called the Unified Update Platform. We've had some interesting conversations with them. We’re trying to get access to it as a preview to evaluate it early on. We'll see if they can get us an early copy to start playing with. As soon as it's available, we plan to incorporate that Express platform, which is supposed to allow better integration and make it so the Delta patches are more of if you meet the right criteria, you can push down the smaller bits. The Express platform is supposed to allow multiple points where you can say, "If I'm here, I can assemble these pieces, and that's what I need. If I'm here, I can assemble these pieces, which may be smaller, and that's what I need." We're looking at that, and we're looking to get it in as quickly as we can.
It looks like a lot of the other questions, I covered during the conversation about why we have these additional bulletins, our official bulletins. It’s for the ease of use and the organizational aspects. There were a couple of questions asking, "I'm on the LANDESK side, and I'm not seeing those in our catalog yet. Why?" We only did this yesterday in the Shavlik catalog. We communicated that out to the LANDESK and HEAT teams, and I believe we're going to be integrating those shortly. We're working on that. We wanted to fine-tune it and get confidence in it first. From the early feedback I have, it's sounding good, so hopefully we'll have it in all of our catalogs shortly.
If you're on WSUS side or the SCCM side, you won't see those in the Microsoft catalog because it’s an artificial designation that we give them. What you would see in the Microsoft catalog is all the KBs.
It looks like the rest of the questions are variations of what we just talked about, so we're going to wrap up now. Thank you for joining us today, and we'll see you next month for the Patch Tuesday webinar. The recording and slideware should be available later today. It depends on how long it takes me to convert it and get it updated to the website, but we'll get it up there as quickly as we can and out to you. Thank you, and have a nice day.