July Patch Tuesday
12 July 2017
Chris Goettl | Director, Product Management, Security | Ivanti
May and June brought tornadoes of weaponized malware, but we appear to have blue skies in Kansas again for July Patch Tuesday. Don't get too comfortable, though. If history is any indication, we're in the eye of the cyber threat storm. So, use the downtime wisely: fewer updates today mean you can really focus on the public disclosures to get your house in order before the winds start picking up.
Find out more here
Chris: All right. Good morning everyone and welcome to the July installment of our Patch Tuesday Webinar. My name is Chris Goettl and with me today is Todd Schell, and we're gonna take you guys through everything that's released on July 11th here, from Microsoft and a few third-parties. We're gonna talk about a few things. We're gonna go through just a general overview of Patch Tuesday. We'll talk about some things in the news. We'll do a bulletin by bulletin blow of what released on Patch Tuesday, and then give some time in the end here for some Q&A. If you do have any questions, go ahead and post those into our Q&A section, and we will try to get to all questions possible here by the end of the call.
All right. So just a quick overview for those of you who haven't seen this before, we do have a lot of analysis that goes into this on the day of… We've got a creative team that puts together that analysis into a nice graphical poster representation. And we do kind of summary level and then a full poster. This is the summary level of that. It just gives you a nice consumable representation of what came out. So Microsoft had 12 updates released yesterday. Now, they've gotten away from their traditional bulletin model but they still do, you know, what we're...you know, we still contain these things into more or less a bulletin or an update. So they had 12 of these updates yesterday, between the OS rollups or security bundles, the IE updates, Office and things like that. 10 of these were rated as critical, one was important and one was a moderate. All 12 of these updates do include some form of user targeted vulnerability as part of the pictures that were put in place. So, you know, we'll talk about that as well.
Adobe had a release for Flash Player. They had a couple of other releases here as well that we'll talk about some things that kinda came out late last night as well. Oracle, while they haven't released yet, we put this on the chart here because this is the Oracle quarterly CPU update. And they will have, you know, the Java, JRE and JDK releasing. Under the other category, we've got two non-security updates that happened to drop yesterday as well. So we'll talk about those here as well.
Ransomware in the News
Getting through a little bit of some news this month, you know, for those of you who do follow us on regular basis, obviously, you probably called a lot of the continuing drama around, you know, what's being called now, "NotPetya," the attack that happens just a couple of weeks ago, which was basically kind of a resurgence of the techniques, exploits used in the WannaCry attack. But in this case was definitely more of...lots of ransomware for financial gain and more of ransomware as a weaponized attack vehicle. So if you haven't seen that already, we did a number of things around that. We got a blog post out here that goes into a lot of detail over, you know, specifically, what should you have already had in place? The biggest thing there is for all of your Windows systems, even for XP and 2003, you should make sure that you've got the March update that plug those SMB vulnerabilities in place. And just double-check that that's all good and taken care of.
There's an article that I found that I really think captures, you know, the...I've been of the question of why was WannaCry and Petya is so successful? And we talked about that a number of different ways but I think that this article from BT, it's got some quotes in there from their Technical Director of Cyber Security at KPMG and the CEO of Security at BT. These two guys had a few quotes in this article. But a couple of them that I captured here, just talking about, why did companies fall prey to this bad of an attack? Why was it so widespread? And they had a few interesting things that definitely stood out. Businesses definitely fall prey to cyber attacks because of a little bit of denial. Not everybody but there's companies out there where we still talk to, you know, companies where they're, like, "Oh, yeah, we really don't, we don't worry about, you know, non-Microsoft. Or we don't worry about getting the patches out there right away, because really, we're not a target." Well, that can be a challenge for a lot of companies there. And the reason why a lot of them, when these two types of attacks came around, were terribly exposed to that form of attack.
There's another challenge, which is, you know, having the ability to even compute effectively what is at risk within your environment. So this is a, you know, there's still a struggle to get operations teams, you know, fully converted over being security and operations together. And not every company has a large security team that they can fall back on when the operations team may not be geared up to be able to handle that yet. So, you know, that was another risk that...or another issue that they identified in their study here. And then there's, you know, other cases where companies may be taking what they think are the right steps but they may not have visibility to be able to ensure that what they're doing is actually being effective. So they end up getting a false sense of security. You know, an executive says, "Hey, are we PCI compliant?" The IT team responds, "Yes. Yes, we are." Well, that PCI compliance was only assessed in the areas where it would necessary. Outside of that, are all the rest of the environment at the same level of compliance as the PCI environment. Are there other things that are exposed to that environment that, you know, could be just as easily making additional risks there? But, you know, just saying, I'm PCI compliance isn't enough to confirm that as well. So it sounds like a couple of people are having problems with the call-in audio. If you're using the computer audio and it's breaking up a little bit, switch over to the dial in.
Sorry for that, sometimes the WebEx service, the computer audio can get overwhelmed and not be as clear as you'd like. But, you know, there's this last quote here, there's still an awful number of clients where they're just flat out saying, "Well, we're not being targeted so why should we care?" When you deal with something at the scope and size of WannaCry and NotPetya, it doesn't matter if you were part of the target. In this case, it was pretty clear that the Ukraine was probably the target of that attack, as a country in general. And the research that came out of groups Symantec showing how badly different regions of the world were hit, the Ukraine was a vast majority of that. But there was a global impact to all of that as well. Think about a company that might be based elsewhere and they've just might have happened to have a small office in the Ukraine, or they happened to be doing business with somebody in those areas. It's very easy for something to be able to hop through and to get to other parts of network that are globally spanning. And from there, again, it branches out even further. So these are some of the misconceptions that...if you have some of these troubles as well, these was a good article that brought together some very interesting perspectives from two very qualified security experts in the States that aren't vendors…they are, well, PC is a vendor but, in general, their companies securing for their customers.
The last bit of news here that I wanted to bring out was that Red Hat, for those of you on the Red Hat platform, they are retiring their Red Hat Network classic subscription by the end of July. So if you are on are on the classic subscription by the end of July, you need to switch over to the Red Hat subscription management model otherwise you won't be getting updates after this. So those are a couple of the things that you wanna be aware of there.
Todd: My point out, Chris, that that's for a Red Hat 5 and 6. Red Hat 7 is already using the new subscription model by default.
Chris: Right. Okay, yup, and thank you Todd. So the next area here, there were a lot of public disclosures this month. There were...and a few of these were even disclosed after the patch is released. So they weren't flagged as probably disclosed when Microsoft initially released the updates. So this is something that I wanted to bring up and point out and something that we in general, at Ivanti, we try to point these things out because these are risk indicators. You know, if you've got two critical patches, one of them carries a public disclosure, one of them does not. The one that has a public disclosure is instantly at a higher level of risk of being exploited because enough information has been given out for an attacker to start working on that. So they don't have to go and find it. They can actually just stand on the shoulders of people who uncovered that before. There's also the matter of when an attacker knows that information has been disclosed and an update is not yet available, those are ones that they'll often times move quickly to try to exploit, because they know that they've got a longer runtime than you do to try and use that against you. So public disclosures, obviously, if it's already being exploited, if it's a zero-day, it's a much higher concern. But a public disclosure is still a high level of risk indication for things that are gonna be needing to get attention more immediately. And we've got a lot of them this month.
The first one here was a vulnerability in HoloLens which could allow for remote code execution. It's the vulnerability affects Windows 10 1607 and Server 2016, those two specifically. And can allow an attacker to send a specially crafted Wi-Fi packet, which would allow them to take control of the affected system. At that point, they would own that system. They would have the ability to create account, change, add, delete data, you know, they literally own the box. So that one is definitely a concern and because it's been disclosed, gives an attacker a little bit of jumpstart to look at that.
The next one, which is a vulnerability in Windows Explorer, which could allow for a denial service attack. The vulnerability affects Windows 7 up through Windows 10 1511. So if you're on a branch later than that you're good but the earlier branches are definitely affected. And then Server 2008 all the way up through Server 2012 R2. So the way that Windows Explorer attempts to open a non-existent file could end in the system becoming unresponsive. So in this case, an attacker could host a specially crafted website or send a link that would, you know, be able to trigger this in a way where, when the user is tricked into clicking on that or going to that page the Windows Explorer basically chokes on that nonexistent file that it was duped into thinking was really there and the system would become unresponsive. So, you know, they wouldn't be able to own the box or, you know, get any additional information off of it but it could disrupt at a broad level systems within your environment.
The next one here 8602, this is a vulnerability in IE 11 and the Edge browser for how it parses HTTP content. And actually 8611 is a similar vulnerability but only on the web...the Edge browser. So there's two of them that are kind of the same here. But in this case how the browser is parsing that HTTP content could allow for a spoofing attack. The attacker could trick a user by redirecting them to a specially crafted site or could spoof content or serve as a pivot to chain an attack with other web service exploits. So this could be a way to trick a system into allowing the attacker to do other things. Like perform an additional attack that might let them own a system at that point. So it's definitely a couple of issues or concern there. It definitely could come up in the form of phishing or watering hole attacks to try to exploit users into allowing the attacker to gain a foothold in your environment.
The last disclosure here 2017-3080, this is a vulnerability in Adobe Flash Player that could allow for a security feature bypass leading to information disclosure. Now, that the information disclosure could give the attacker enough information about the system to be able to perform additional attacks. So Adobe was aware of details being disclosed about this update. I did a bit of poking around, it looks like wherever it was disclosed wasn't scraped by Google or publicly available at this point or broadly publicly available. But enough of that information is probably either on the dark web or was presented somewhere in a way that was public enough that it was definitely of concern. So those are the ones that were known to be disclosed there.
Now, this other company here Preempt, these guys have a bit of a behavioral and firewall technology here that can help secure environments. But they actually had a...they discovered a couple of vulnerabilities and after Microsoft released, they launched this page here, which goes through a video representation of how to exploit these vulnerabilities or showing how they could be exploited. Not, you know, enough detail was released there though that, you know, this is definitely of concern. So using our LDAP and RDP, each of these had a vulnerability with how NTLM was being handled there. So yeah, that's the list of disclosures there. Obviously, there's enough disclosures involved here that, you know, most of these are at the OS level. All your OS patches this month, as we're gonna go through here in just a second. Pretty much all of those are gonna be priority, get them onto the system to make sure that they're in place and you should be covered against those.
All right. Let me go on to a couple of known issues and things you wanna be aware of. We're gonna go through this in a little bit more detail in a little bit but there's an Exchange update this month that has some very specific situations where it's applicable. So for those of you who are gonna need the path exchange, just pay attention to those updates if you're on, you know, specifics to use, it will apply otherwise it will not. I will talk about that in a second. Office had a much more exhaustive list of those, which is gonna be a lot hard to get into. But for Office just be aware that as you rollup patches, not all of the Office versions are going to require those updates. It is on specific service pack levels and version. Adobe Flash, in last night's content release, we got everything up to the Windows 10 1703 release of Adobe Flash for IE. The reason for that is Microsoft actually didn't release that until after our content went out yesterday. And we were aware that they didn't have that one and we were looking to make sure that we had coverage for it. They released it shortly after and our guys got that out this morning here. So if you're on, particularly the Shavlik Protect catalog, that content release went out this morning. And the other content team should be providing that here shortly.
MS17-07-2K8, there is a PowerShell update that applies but only if you have installed PowerShell 3.0 on a Server 2008 system. If you're on 1.0 or 2.0, that patch would not apply on those cases. So that is another specific detection nuance of that one. Adobe did you another release late last night as well. This was for Acrobat and Reader DC. This was for the Continuous branch. Classic has not release yet. They talked about a bunch of new features especially with the sign-on capabilities there but they didn't have any security disclosures in the out of cycle announcement they did last night. We're keeping an eye on that. Now, the Continuous branch, we did released that content along with the Adobe Flash for Windows 10 1703 this morning. We're keeping an eye on and looking for a Classic branch update here shortly, which will potentially includes some additional security updates as well. The Continuous branch usually is a non-security track. Classic is where they do a lot of their security related things. So we're keeping an eye on that though and we'll release that content when and if it becomes available here.
One thing to note, this is Oracle's Quarterly CPU month. They do their Quarterly CPU on the first month of each quarter, that's their critical patch update. And that's falls on the Tuesday nearest to the 17th each month. So, on the 18th, right, it's the Tuesday…you know, it's the 15th maybe. Anyway, regardless, next week, Tuesday the 18th is when those patches will be dropping, so you can expect the JRE and the JDK critical patch next week on Tuesday. That just more of a, to make sure you're aware of it, you know, try to include it in your monthly maintenance just so you have it. And last one here...and then I got a couple of questions here, I'll get you before I leave this slide as well because very they're specific to the slide. But there was a release or an update for POSReady 2009. This was actually an update that released originally in June for Server 2008 systems. They actually just released a new variation of that particular patch that released in June. That specific KB applies to POSReady 2009. We released that in our content last night. So for those of you who are using POSReady 2009, don't be shocked when you see a new patch show up that was actually from June. That is correct, it was supposed to…you know, it applies to that same, you know, bulletin that released last month but Microsoft didn't actually release this patch until yesterday. So that one kinda snuck in as well, so we caught that and made sure to bring it up there.
All right. Before I move on past this slide, let me through a couple of questions that I see here. There was one that was a little bit more general, Microsoft has its Patch Tuesday. Do other vendors have certain dates they provide their updates and is there a list out there? No list Ron but Adobe is probably one of the best vendors at coordinating with Microsoft's release cadence. Oracle has their quarterly but it usually falls the week after Microsoft Patch Tuesday, Microsoft does the second Tuesday of every month. Oracle does the Tuesday nearest to the 15th every month. So I think it's like every, or twice a year it's on Patch Tuesday twice a year it's the week after Patch Tuesday. Most of the other vendors, you pretty much have to watch their release stream to know when that's coming. So that's why Ivanti has a notification system for our content releases that, you know, lists what we've released for that. It's a good thing to sign up for if you haven't done so. But yeah, I have a slide at the end of this presentation actually that goes through the in between the Patch Tuesdays is what we call it, and talks about how many security and non-security updates released in between Patch Tuesday every month.
The question was, "I'm wondering if there were issues with Firefox ESR Patch Failures, all other patch descriptions working well." I haven't heard of anything specific on that one, Jason. I would have to talk to our support team there. So like what should you…
Todd: So Chris, I can provide a little bit of flavor on that. You know, the former HE Team that was producing some of the Firefox ESR patches, they actually updated them yesterday to be applicable to versions earlier than they had been looking for prior to that. So if you were seeing problems with that, we did release a new set of ESR Firefox, ESR patches that should take care of that issue.
Chris: Okay, thank you. Yup, that's why I have Todd on here as well. He sees the other half of what I'm not seeing. All right. So, one more question on this slide, there was a question about MS17-07-2K8. Is that for Server 2008 only or also Server 2008 R2? So that would be 2008 only. So that the 2K8 R2 falls into the Windows 7 branch of Windows. So that would be...if you're looking at the way we've got our bulletin structured, that would be the MS17-07 either SO 7 or MR 7 bulletin, with capture anything for 2008 R2 as well. So, for that one Shaun [SP], the KB I was talking about there is specifically Server 2008, not 2008 R2, and only if you have PowerShell 3.0.
All right. Is the exchange update in addition to the update role of 18, Luis, actually we're gonna cover that on the slide there. It's CU 17 for 2013, but we'll talk about that in a second. So we'll answer that question here in a little bit.
All right. Let's move on here into the bulletins because I think we'll answers similar other questions that are being asked throughout those. Todd will talk to you about Microsoft's releases.
Todd: Okay. Sure. Let's talk about Windows 10 to start. Windows 10 had the largest number of vulnerabilities addressed this month, 43 of them, as you would expect for obviously their latest operating system. Chris talked about the public disclosures. You can see down below, I have those highlighted in red. One thing you'll notice on this slide, up under the affected product lists, you'll notice that 1507 is no longer listed. Microsoft released the latest patches for their 1507 RTM release back on May 9th, so that's no longer on the list. However, you should be aware that the long-term service branch, which is based on 1507 and also the Windows 10 Gold releases that they do are still…and their IoT version I should add, are still supported because those are all based on1507. Incidentally, if you're ever looking through the releases that, you know, Microsoft produces and you see a number of releases that do not have a version assigned to them, those are the ones that apply to the long-term service branch, the Gold and the IoT versions. So just kinda be aware of that.
Chris: Yeah, those...the way that all works is not confusing at all, is it?
Chris: Yes. So our content team even double-checked because even last month they were supposed to have cut-off the 1507 but the patch still, the patches for June still applied. Probably, a little bit around, you know, resolving some more of the exploits they had found in a while, but this month for sure 1507 no longer supported. Unless you're on the LTSB, make sure that you're upgrading the CB or CBBs that you're on. Make sure that you're upgrading to the later branches.
Todd: Thanks Chris. Last point down on the known issues list, down below I have two things listed. The iSCSI issue that we talked about last month is still an issue. It hasn't been cleared up yet and will appear on a couple of the bulletins here, you'll see. And also, if you look at KB 4034879, particularly with regards to the CVE-8563, this has to do with a fix that had to do with LDAP authentication over SSL and TLS. That KB article gives you some manual instructions on how to update the registry key for some additional security there. So, you should take to look at that one as well. It's not really a known issue but it does provide some instructions for additional security.
Next slide Chris. Windows Server 2008, Chris talked about this in quite a bit of detail. I have the PowerShell issue identified there up under the description. And Chris talked about the fact that it only applied for PowerShell 3.0. This month there were 21 vulnerabilities identified that were fixed for Server 2008. These are kind of the common across the rest of the operating systems by the way. Only one of these was publicly disclosed. Once again, 85, 87 that I have highlighted there. And the issue with the, you know, configuration of LDAP on your domain controller is addressed as a known issue here as well.
Getting into the monthly rollups now, monthly rollup for Win 7 and Server 2008 R2. You know, Chris had mentioned a minute ago. The reason these two things are lumped together is because they are running the same operating system kernel. So that's why, generally, you'll see that patches that are associated with Win 7 and 2008 R2 combined together. In this case, the monthly rollup includes Windows 7, the Server and Internet Explorer is rolled into this as well. So there are, in addition to you'll see down below, I have the 21 fixes that are shown here. It also includes the seven Internet Explorer vulnerabilities. So just kinda be aware of that. You don't have to apply those separately if you are using the monthly rollup. This does include the previous release from June. So I've identified that up there. You can look at the KB article 4022719 for additional details on that particular release. And obviously, since this is a rollup, there's a single bulletin that talks about everything associated with it which is listed there as well. And this, like the previous one, there is a known issue around that configuration on LDAP. So take a look at that as well.
Next slide Chris. On the rollup for Server 2012, Once again, we have the 23 fixes that are associated here, two more than the one for Windows 7. Once again, one's, you know, publicly disclosed vulnerabilities. This is very common. Once again, I said it was very similar, the same set of vulnerabilities are kind of addressed across all the operating systems. So there's a commonality on the CVEs that have been fixed here for Sever 2012 as well.
Next slide Chris. Windows 8.1 and 2012 R2, you know, kinda getting back to the...once again this is a different kernel release as Microsoft is evolving the operating system. So that's why these two are lumped together. Once again, this is a monthly rollup, so it includes everything from, you know, last October to date as well as the Internet Explorer fixes. A single bulletin here, 4025336 for all the details. You'll notice that as far as the impact goes, there's the full gambit of impacts as far as what can be exploited from code execution all the way through information disclosure. So depending upon the vulnerability that's being addressed. You know, there are different ways to get into your system and different ways that can it can be exploited. Each one of the underlying vulnerabilities and you can look into each one of these. We'll talk about specifically what can be done. We have the 23 vulnerabilities here. I've listed as well as the seven IE, ones which are included in this package. Because is this a more modern operating system similar to, you know, the Windows 10, the iSCSI, once again, becomes an issue for this release. And of course, the same vulnerability is being fixed for LDAP, so we'll take a look at that as well.
Getting into the security-only updates, once again, remember, this does include everything. This is the security-only released for this particular month. So if you are in your company using security-only updates, you have to apply every month the latest version of the security-only update. It covers a wide range of portions of the operating system. You can see I've listed them there. These are all identified in that bulletin 4025337 from Microsoft. Once again, common set of vulnerabilities again addressing, you know, all those particular impacts, and of course, the LDAP issue as well. But remember, once again, if you're applying security-only update and you are running Internet Explorer, you will have to apply the Internet Explorer update and I'll talk about that here in the next slide.
Security-only for Server 2012, very similar to the previous one. Adds two additional vulnerabilities from what you had seen for the Windows 7 release, same issue here with the LDAP problem, as far as reconfiguring the registered keys.
Finally, last Security Update for 8.1 and Server 2012 R2. Very common to what's you've seen previously. Again, this particular one still has the iSCSI issue as well, just be aware of that, and you can read about that in the KB article under known issues. And of course, the LDAP issue here again.
Security Updates for Internet Explorer. Like I said, if you are applying the security-only updates every month, you will have to apply this one as well. This is a compilation. This is a cumulative update. It includes all of the latest updates for Internet Explorer. I have quite a bit of detail here talking about the fact that it is cumulative and it is included in the security monthly rollups. Individually, if you look through here, there are 8 KB articles that address the different vulnerabilities that have been addressed in this release. A number of things here, the worst being, remote code execution. Chris talked about this earlier where if you go to a, you know, watering hole or things like that, and you get a specially crafted web page, you can be exploited. There is some security bypass capability and some spoofing here as well. There are seven vulnerabilities that were addressed with this release, one of which the 8602 is the one that was publicly disclosed. It's pretty straightforward.
Chris: That's a good spot to stop for one more question that just came up. This question is from Steve on the rollups. How far back to those go? So, that's a very good question for...and I'll answer it two different levels here. Windows 10 all the way back. For that branch, every one of those is accumulative on the last one. So if you put in this month's, you've got everything all the way back to the beginning of that branch. For Windows 7 through Server 2012 R2, when they implemented this model that's the point where that change started. So if you're on the monthly rollup of those, you're going all the way back to the starting point of that. So Steve, if you were concerned does the monthly rollup this month, include everything all the way back through March, all of those SMBv1 exploits, the answer to that is yes. That monthly rollup chain includes all of those. If you're on the security only branch, for the...basically, the ones that we were just talking about here, the SO 7881, the security-only each month, you would have had to do March and each of the other months to make sure that all those vulnerabilities were plugged. So I hope that answers your questions there. All right.
Todd: Yeah, one thing to add there Chris too, you know, when Microsoft started the updates for the, I call them the Legacy operating systems, not Windows 10, they started in October of last year. So everything is kinda rolled forward since then. But they have periodically gone in to each one of this cumulative updates and reach back even further than October of last year. For security fixes, as well as the stability fixes. You know, they've been spotty, but they're picking up the things that they think are the most important that need to be included in these cumulative updates. So, they actually did go back a little bit further than October of last year but it's been on a vulnerability by vulnerability KB by KB basis.
Chris: All right. Now, we're gonna be transitioning a little bit here into Flash Player. So now, there's a couple of slides we will cover on Flash Player here. The first one is just the Microsoft release of Adobe Flash for the Windows platforms. The plugin is available for IE and the Windows platform. So they do a release each month and back to, I believe, it was Steve's earlier question, about…no, Ron's earlier question about, you know, other vendors and if they've got a similar release cadence. This is one of the reasons why Microsoft and Adobe have saved up Adobe Flash. You pretty much, like, in 2016, 11 of 12 Patch Tuesdays, Flash Player released on Patch Tuesday. The one month that it didn't, there were at least two releases of Flash that month that happened outside of Patch Tuesday and they both included zero-days that they were responding to more quickly. So for the most part, Flash, you'll always see the Microsoft Flash update and you're gonna see the Adobe Flash update go on the same day. And it will be typically be on Patch Tuesday.
Now, critical, there's one…one of the three CVEs here is critical actually. I believe it's this one, 3099. 3080 was a public disclosure, which could lead to an information disclosure of the attacker, you know, uses its attack properly. They can gain enough information that do other bad things to the system. Learn enough about it to be able to identify more exploits that they can execute. So, this one is rated as Priority 1, Flash in general. There's typically, autobahns as well for it. In fact, I believe there was at least one in between June and July Patch Tuesday. So even with this one only plugin three vulnerabilities, there's one of them out of it that's critical, another one's been disclosed. And if you don't do it regularly enough, you're missing at least a couple of Flash updates that need to be pushed out. So do prioritize this one. All right. Todd?
Priority 2 Updates
Chris: Down to Priority 2 updates.
Todd: Right. So, Microsoft released a number of updates for Office this month. You know, the highest rated was important in the list, so be aware of that. It does cover all versions of Office from 2007 through 2016 for both Windows and Mac. They did provide some updates on SharePoint Server as well, and a number of separate fixes were addressed in here for Excel 2007 through 2016. A thing to be aware of, as Chris talked about in the introduction earlier, a number of these patches only apply to the latest Service Packs. So, for example, for Microsoft Office 2007, the patches that they've released are only applicable for Service Pack 3, which was obviously the last and the latest version that they released. So you need to make sure that if you're running these Office applications, you are running the later Service Packs, and then you of course get these patches on top of those.
Number of things, you know, they didn't rate any...even though there is a remote execution possibility here, they still listed it as important in their opinion. A lot of had to do with the level of access that they can get into your operating system. The issue around the SharePoint Server had to do with elevation of privilege. And actually this was related to when you do upgrades from previous versions to 2016, it's possible that's, when some of those settings come over, they would be given admin access on the SharePoint Server. So be aware of that. You can read through the associated KB articles in detail. There were actually only five vulnerabilities that were addressed with all these releases but once again they're common across all those Office applications. So that's why there are so many of them that were released this month. And again, it's just the important ones, so we rated it a criticality of two.
Chris: Jose had a good question here about the Office patches. There were supposed to be plans of making Office patches cumulative as well. So that has not happened yet, and you know, they haven't...other than saying that, you know, more of the Microsoft products were going to move to the cumulative model, they had not yet moved the Legacy Office editions over to that. Now, Office 365, you know, if you're using that one, it's a little bit more of a cumulative model where you're just taking the latest each month. It's not patch by patch. But I don't know of a date yet that they've identified when they will actually move any of the older Office editions over. So…but good question. All right, Exchange.
Todd: Yeah, Chris, you talked about this earlier. The known issues, once again, down below there, this only applies to specific CUs that were released. So be aware that these patches and there are only three vulnerabilities that were addressed. You only have to be worried about these if they apply it to the 2013 SP1, the CU 16 for 2013, and CU 5 for 2013 as well. Specifically, this has to do with the vulnerability in the Microsoft Exchange Outlook Web Access, which is, you know, fairly common for a lot of us, obviously that use this and it's setup that way for internet access. And there's a very detailed bulletin around this covering it, 4018588.
Chris: Yup, and so back to Luis's question earlier, if the latest CU for Exchange 2013 is the CU 17 that just released not a couple a weeks ago here, if you already implemented CU 17, you do not have to push the security update. It was already included in that CU. If you're on CU 15, it's also not applicable to that. It's only if you've got 16. So, that's specifically on there. And then, again, for Exchange 2016, if you're on CU 5 it applies, if you went to six, which released in the same timeframe that 17 or 2013 release, it doesn't apply to the newest one. And if you're on 4, it also doesn't apply. So it is very specifically, the specific CUs that you will see this on. So for those of you who have already moved over to the latest CU, you should be covered.
All right. So, last, there were a couple of the non-security updates that did happen to drop yesterday, Opera and CClearner. So, these...there is oftentimes other vendors will release. If we support those, we're going to add those in, you know, as quickly as we can. And if they happen to drop on Patch Tuesdays, they'll get roped in as well, just because our teams are able to bring those in without much additional effort. So Opera and CCleaner are in the Patch Tuesday concept release but do not have any security bulletins or security vulnerabilities associated with them, so.
So, back to the question of, you know, when do other vendors release? The answer to that is, all over the place. So this slide helps kinda portray that. The first section here, what New Product support, Like, net new products did we add to our catalog in the last cycle here? We added BlueJeans, which...Todd, do you know what BlueJeans is? I don't even know what that one is.
Todd: No, I'm not familiar with that one, actually.
Chris: All right. Some customer somewhere must have requested that so we gotta add it. Camtasia, I'm very familiar with that, you know, video capture software. Actually that's supposed to be Sublime. I must have transposed an N instead of an M there, but Sublime Text, a text editor. System Center Operations Manager 2016, we can actually apply the update for the SCCM plugin or as a manager itself. Exchange Server 2016 CU 6 and 2013 CU 17, were both added as well between June and July.
Security Update… Three for Google Chrome. Thunderbird had two. Microsoft had four, which were, in those cases, there was additional variation of patches released for either June or prior updates that had already released. So they released another platform, the same security patch that released in an earlier month. But those flipped out so we got those supported as quickly as possible. You know, somebody's, like, Notepad++, UltraVNC, Apache, Skype, Firefox, Foxit, many of these have releases throughout the month there as well that, you know, there may have been security updates in these releases, specifically. Sometimes if there isn't a security update available in that, it might have been a prior one. But when a third-party update, like a lot of these, starts to include security updates, we move it into our security branch because the point you're coming from and the point you're going to, if there's multiple hops in between there, there could be many points where security updates are being applied. So, we end up associating several of these, like I'd had people say, "Well, Notepad++ didn't have any security vulnerabilities resolved in the last month or so." Well, no, but they did in, you know, actually about month and half ago and then a couple of the times earlier this year. And that's why a product like that would be still sitting in the security branch. We, in those cases, air on the side of defense in depth. It's best to ensure that a product with known security vulnerabilities is at the latest version to make sure that it's preventing those from being exploited.
Now, if it were like a major new version of a product, like a new major release of that, those typically would be, you know, applied in a way where you won't automatically be upgraded to that. So that's why some of those are in that list. Now, now non-securities, Microsoft always had a lot, there's 28 there. And [inaudible 00:45:58], GoodSync, Citrix Receiver, GoToMeeting and a couple WinSCP, Dropbox, BlueJeans, PDF Creator, Camtasia, Plex, Sublime. You've got those [inaudible 00:46:08] right down here but apparently not up there. I can't type well. GOM Player, PDF-Xchange, WebEx Productivity Tools, and Box Sync. So those are all of the updates. If you look at all of our content releases between June Patch Tuesday and July, these are all the things that released in between there.
So, one of those things that often comes up with the topic here is, you know, for those of you trying to get towards a more frequent patching of, especially, end-user systems, and even more importantly, end-user systems that can go off premises, this is a very good reason why. All of these security updates. You know, there were the Flash update that came out between June and July. There are some months where there might be two or three of those. Three Google Chrome updates. Even with some of these things having their own autoupdater, you still want to be able to ensure that those get on there and be able to report accurately that those got on there. So a lot of companies...you know, our recommendation at Ivanti is for, especially laptops and the user, end user machines in general, for updates like this, getting on to a weekly patch regimen is ideal. Microsoft may release once a month but all of these other vendors typically release more frequently.
Now, Microsoft's patch release, you're most likely gonna need an OS reboot. It's very rare that Microsoft Security Updates be applied and not require an OS reboot. Most of these other products only require an application reboot. So you can have your one patch cycle each month where a reboot is required, go ahead and do it, but you could set the rest of those cycles to not reboot if you wanted to. And you're being more effective and more efficient at getting those things plugged more quickly, especially for the notables, like a Chrome or a Flash Player or different things like that. So that's one of the reasons why we put this slide together and one of the recommendations we have on a regular basis.
All right, I think we got to most of the questions already, but let's go to through that real quick just to make sure we've got everybody covered. There were a few questions about the download of the presentation, that as well as the recording. And it looks like Erica responded to most of you who had that question already. But if you're curious, the Patch Tuesday page on Ivanti will have all of that here later today. So the video playback, the presentation, links to tour blog, and our Patch Tuesday poster, are all gonna be available out there. Actually the poster and the blog are already available. Just the other editions will be added here shortly. Todd, do you see any additional questions we haven't answered yet?
Todd: No. I think a number of people chimed in on the BlueJeans, it's a video teleconferencing program.
Chris: Ah, okay. I got it, I got it.
Todd: And there's a question here about releasing a fix for the HP key logger audio driver. I'll have to check on that one. I'm not sure what the team is doing about that.
Chris: Okay. Yup and Todd, Todd does manage the relationship between all of our products and the content teams relating to those. So, yeah, we'll definitely look into that and make sure that something is being look into there.
All right. It looks like we did get to everybody else's questions. Thanks everybody for joining us today and we'll just talk to you again next month.
Todd: Bye everyone.