March Patch Tuesday
14 March 2018
Chris Goettl | Director, Product Management, Security | Ivanti
Todd Schell | Product Manager for Patch | Ivanti
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Chris: Good morning, everyone, and welcome to the March "Patch Tuesday Webinar." Today, I've got a few people joining me here, Todd Schell, who will be co-hosting this webinar with me, and behind the scenes, we've got Erica and Brian, who do a lot to support our webinar here. So Erica does a lot of the programming for this and makes sure that all of the logistics are in place, and notifications, and updating of the content and everything afterwards. And Brian is one of our content experts who joins us on these to help feed us answers and things as questions come up throughout. So a little bit of a housekeeping. If you do have any questions during the webinar, go ahead and use the chat feature and we'll try to get to as many of those questions as possible throughout the process. And yeah, I think that should cover everything. So, Todd, Happy Pi Day.
Todd: Hey, how are you doing, Chris?
Chris: It is Pi Day today, are you planning to enjoy some pie throughout the day somewhere?
Todd: Yeah, I think so. We're gonna fit one in there. And I often wonder, what kinda pie you're supposed to have on Pi Day, you know? In America, you go with the traditional, like, American, like apple pie or maybe a cream pie. But since pie came from Greece, right, that's where they first, you know, all the geometry and all that, I wonder if you should go with, like, a Greek spinach pie or something like that. You don't even think about that?
Chris: You know, I'm gonna stick with the more kind of typical American pie, like a, gimme a Boston cream pie, or an apple pie, or a French Silk Pie. That's more my taste. I don't know about a spinach pie.
Chris: Yeah. So, all right, well, Happy Pi Day, everyone. There is another sadder bit of news. Stephen Hawking passed away, unfortunately. He led a very interesting life, one that... You know, you see like all the technology that allowed him to interact with the world and share that beautiful mind in his head and all the things that he was able to bring to the world. That was an incredible life that he led. So that's definitely a passing that does suck. Oh, we got a lot of votes, Erica saying there's a lot of votes for blueberry pie, pecan pie, both good choices. And then chicken pot pie, I suppose chicken pot pie over lunch could fulfill the Pi Day requirement there. Good ones there.
All right, so we are gonna get into a few different things. We're gonna do a quick overview of Patch Tuesday, what came out at just a high level. We're gonna talk about some of the major news going by, some updates on some known issues and things like that will be coming through. And then we're gonna break down into the bulletin-by-bulletin blow of what released here yesterday and follow up at the end with some Q and A. We've got some great feedback coming in from the group already. There're a few known issues that others are feeding into here, as well, so thank you for that, guys, I appreciate it. So jumping into a quick overview of what we've got coming.
Patch Tuesday started out with... We had an Adobe release, obviously, Flash Player came out. They had just done Acrobat and a few others last month, but Flash Player is kinda the big one this month. Microsoft had, you know, kinda how we, you know, Microsoft has moved away from the bulletin model, but we still kind of talk about things in more of a bulletin or an update package model. So there's about 14 different packages that we're gonna talk about. Our bulletins we're gonna talk about today, six of those are "Critical." Mozilla did release updates for Firefox and Firefox ESR. And then we've got a couple of other releases that came out yesterday that are in our catalog, but they're not security-related.
There was actually a latecomer to the party. Google Chrome did release yesterday, as well, but they released much later in the day after we created most of this content. We looked into it further and found that there weren't any security updates, fixes resolved in yesterday's release. But they did release last week on the 7th, as well. So we're gonna talk about Chrome today a little bit in terms of if you didn't do last week's, you should be doing the Chrome update this week just to be on the safe side. Just make sure that you've got everything covered from a Chrome perspective. So a lot of browser updates, Flash Player and Microsoft to be concerned about this month and we'll go into more detail on each of those.
All right, so Meltdown and Spectre, you know, this is an ongoing issue that everybody should be very aware of right now. We just wanted to recap some of the current news that's going on there. So jumping in here real quick. There is some news going around now about how AMD, some researchers have found an additional 13 flaws in the AMD processor and they've kind of broken those down into 4 different categories of things that could be exploited. There's definitely, you know, in the initial Meltdown and Spectre announcements, there was a lot less concern on the AMD platform. Things were kinda being downplayed a little bit there. There's probably a little bit more to worry about there in the AMD processor than initially found. This has been confirmed by a couple of sources now, so it's sounding like these are realistic, but they break these down into four classes of vulnerabilities, RyzenFall, MasterKey, Fallout, and Chimera. They always have these great names for all the different flaws that they find.
I'm just gonna go through kind of a high level of this just to give you guys an idea, but these vulnerabilities that they found would allow you to do things, like MasterKey allows you to basically bypass the secure boot portion of the boot process by installing malware on the computer's BIOS. So obviously, an attack that would likely require somebody to either get you a BIOS flash that would have something preloaded in it, so trust your, make sure you trust your sources for driver content or they would probably have to have physical access to the system to be able to flash that BIOS. RyzenFall, this one sounds a little bit scary. These vulnerabilities affect the Ryzen chip, but basically would allow the attacker to completely take over the secure processor.
This would basically mean that they can, you know, view encryption keys, they can see passwords, they can see everything that's normally defending, you know, those things. They can bypass all of those defense mechanisms there by being in the secure portion of the processor. So this could bypass the Windows Defender Credential Guard. They could steal data from there. This is the kind of stuff that you could easily see somebody getting, you know, some type of a rootkit on a machine and then gleaning information off of there on an ongoing basis. You know, and then just having those be available and, "Oh, hey, you know, we've got this treasure trove of things for sale. What would you like today?" Well, you know, this kinda goes back to a lot of the command and control systems that were sold to pull off that very large digital bank heist, you know, a few years back here. You know, where all the attacker did was collect systems for a long period of time and then somebody comes along and says, "Here's what I'd like to do," and they say, "Okay, well, here's all the systems I can give you today that would give you that." Well, this is the kind of stuff where if they...if enough systems are giving an attacker this type of information, they start to build up a list of interesting things that they're going to be able to provide to somebody on the black market.
All right. Fallout, this one, you know, lets attackers access protected data sectors including Credential Guard and other areas there. So it's similar, but not quite the same as the RyzenFall class. And then Chimera, the... This is two different vulnerabilities, one in the firmware and the hardware, which allows malware to run on it. Basically, they can do things like the proof of concepts allow them to do things like install a keylogger, different things like that. So some pretty scary attacks there and specifically on the AMD processor. So, again, AMD is not out of the woods, they've got some vulnerabilities in there, as well. So if you were feeling like AMD wasn't affected, make sure that you're keeping tabs on these as they get identified and get firmware updates, as well.
Let me go over to our presentation again. Microsoft updated the original Meltdown advisory and they've got a couple of updates for today, specifically, that they've added updates to some of the older platforms. So if you look at the update for March 13th, the first one here, they added several KBs to cover Server 2008, 32- and 64-bit, Itanium, and then Monthly Rollup and security-only bundles for the Server 2012 platform. They also came back and added the x86 architecture and PowerShell verification output for the Windows 7 platform. So those are all updates that are now available and things like that. AV registry key would be required for those systems, as well, for the short term.
Now, let me go back here. I've got this in a certain order so we'll make sure to go through it in order as my slides have it. Some known issues, things to be aware of, again, for upcoming end-of-life. This is something that we wanna make sure that everybody is kinda taking a look at. We're coming around to springtime, let's, you know, take a look at and make sure that you've got any of the older Windows 10 branches identified and you're moving forward off of those. Now a couple of things that have changed here recently. Microsoft extended, you know, they had a fixed timeframe for this branch...the branch support, they extended that. They've also had this one-off where they supported Education and Enterprise editions for 1511. They extended those by an additional six months.
So they've actually gone and cleaned things up here and gotten a little more consistency. But in the life cycle document, they've updated all the dates to reflect the new end of service dates, so for Windows 10, version 1511, that date that it expired was October 10th, 2017, because, or if you're running Enterprise or Education editions, you get an additional six months after that so that puts it at April, that the 1511 edition is going to finally end of life for the Edu and Enterprise editions now. But they also updated to say that they're doing that same thing for Education and the Enterprise for each of the branches. So there is an additional six months of service after the end of service date here. This is end of service for, like, Home and Pro and then extended another six months for Edu and Enterprise. So that was a couple of changes there that we wanted to outline. Make sure that everybody, again, just keep an eye on those, make sure that you're moving up branches and that you won't get caught in a bad state or be unsupported at a period of time there when support ends for the platform you're on.
All right. This next set of items here that we're gonna go through or talking through a couple of different things. The first one is one of the vulnerabilities that was resolved today or yesterday, this CredSSP update. So after you patch several systems here, it's going to put the fix in place to resolve this issue. Now, what this vulnerability is, is there is, you know, any support provider protocol that...anything that's using the CredSSP protocol to authenticate has...it has a vulnerability that exists on it. If you've got an unpatched version of CredSSP, the attacker could exploit this vulnerability and basically relay user credentials to execute code on a target system. So it's a man-in-the-middle attack. With that, the attacker could basically intercept the credential and then use that to send bad requests, malicious requests to that target system.
So definitely concerning there. After you applied the update, there are a series of choices you have to pick from that will actually start to enforce the behavior you want. So when you apply the update, you're then going to have to make a choice on which one of these you're going to choose and push out a GPO to actually enforce this change. So you can do a Force Updated Clients, meaning client applications that use CredSSP will not be able to fall back in insecure...to insecure versions. Basically, it will force it and not accept unpatched clients. So, in that case, it's gonna say, "Oh, hey, yeah, no, you can't connect to me." The Mitigated option here, this is client applications that use CredSSP will not be able to fall back to insecure versions, but services that use CredSSP will accept unpatched clients.
So that one, you know, it's a question there, it's mitigating the fallback scenario, but still allowing other unpatched clients to connect. I'm not sure how much more secure that really is. The first one, obviously, you wanna make sure all remote hosts are updated before you do it, but I think you only get so much value out of the second option there. And then, obviously, the Vulnerable option, client applications will expose remote service to attack by supporting fallback to insecure versions, so it'll allow that fallback and, you know, make it so that somebody could force that fallback and using unsecure...insecure version to take advantage of the attack yet. So details on how to do all that are all in here, but that's one where after pushing the patch, there's still a choice that has to be made and you have to push that out.
All right, see here, going back. So regarding that AV registry key, if you guys remember as the Meltdown updates first started going out, Microsoft, you know, discovered very quickly that AV vendors were doing some unexpected things at the CPU level and this was ending up causing blue screens on several systems after the updates were applied. So the AV vendors and Microsoft worked together to figure out, "Okay, everybody's gotta get on the same page and actually apply these changes before, you know, we can push the update, otherwise, we're gonna blue screen people's systems." So they came up with this registry key that the AV vendors are supposed to put in place when the system is now at a version that supports these changes to make sure that the blue screen is not gonna happen. So Microsoft has been monitoring telemetry to see how many systems are still not compliant and not able to push updates, and what they found was that most systems are now up at a level where they should be patched up to date, they should be able to pull that restriction and start to move away from this AV registry key as a dependency.
So, the first version to do that is Windows 10 and 1709, and they're gonna be most likely in the next month or two here backing down from the rest of the versions, as well. But we'll keep an eye on that and give you guys an update next month on "Patch Tuesday Webinar" to see how much they've backed down additionally, or if there are still several systems that are gonna require that. Now, the 2008, 2012 and Windows 7 x86 systems that were just added this month do require that key. So they are, since they, you know, didn't have any telemetry on those, they don't know what the state of those machines are and they're playing it cautious there yet. But that's just an update there that we might be seeing that AV key going away here in the next couple of releases.
All right, public disclosures. There are two public disclosures this month that we wanna worry about. The thing about public disclosures for those of you who watch our webinar regularly, you hear us talk about a few things like user targeted public disclosures and things like that. These are different risk indicators that help us to better prioritize things and give you a better indication of what you should focus on. A public disclosure means that enough information has been released to the public that could give an attacker a jumpstart on creating an attack that could exploit that vulnerability. So the race is on at that point. You know, a lot of the public disclosures are typically the types of vulnerabilities that get exploited in that first couple of weeks after release from the vendor. So this is one of those areas where, statistically, these two are at a higher risk of being exploited.
In this case, both of them are lower severity updates. The ASP.NET Core vulnerabilities are only rated as "important." The Exchange Server Elevation of Privilege Vulnerability is important if you're running on Exchange Server 2010 moderate. It goes down another level if you're on any of the later Exchange versions. So they are lower severity, but it's, you know, the Exchange... Well, we'll talk about the vulnerabilities here, as well, and specifically about ASP.NET Core because there're some differences there versus regular ASP.NET. So the Core Denial of Service Vulnerability, this one could allow an attacker to exploit the ASP.NET service and cause a denial of service attack. So that's a concern there. Now, the fact that this is ASP.NET Core means that there's not a regular patch package to update this.
The core versions of ASP.NET, .NET Framework, ChakraCore and PowerShell Core, these are, there are binaries that a developer will have to actually integrate into whatever platform they're built into. So if you're running the Core edition of some of these products, you don't get a patch that you just go and download. You've gotta actually have a developer download that and integrate that into your DevOps process in the next cycle and make sure that that gets rolled out. So like for those who are using our products, you won't see an ASP.NET Core patch in our product. This is more of just a friendly reminder, "Hey, these things need to be updated, as well."
The Exchange Elevation of Privilege Vulnerability, this is a vulnerability in OWA when it fails to properly send typed links. So an attacker in this case could actually set up a false OWA page and they could glean credentials from it. So this is a perfect kinda targeted attack where if somebody knows that they could exploit this, if they are able to, you know, put up that fake OWA web page, get the users to go to that instead and from there, be able to gain a few credentials, they would now have additional information and tools to be able to target an attack on a company. So definitely a vulnerability that should be patched in a reasonable timeframe. The fact that it's a lower severity down to "Important" means that it's got some complexities to setting it up, but this is something where if an attacker is looking at a targeted attack, this level of complexity won't be much of a deterrent for them. So it is something where, to be on the safe side, you will want to start testing this and roll it out in a reasonable timeframe.
All right, let me see, did I cover all of them, I think... Go through my pages here. Yep. So I had a couple other things that I was talking about here with, you know, Microsoft updating that it was going to pull the AV key from there. There's one additional update here that I do want to touch on, one that, I think, warrants a little bit of a heads up. There is going to be some additional microcode updates from Intel. So let me pull up. Brian was nice enough to send me one more link here. I'm gonna pull this up right now and go a little deeper into this. So these microcode updates are basically additional changes to resolve the Spectre Variant 2. So this is the vulnerability that Microsoft kinda backed down from because it was causing some issues and didn't fully resolve the vulnerability or fully mitigate the vulnerability. So this is the branch target injection attack.
There are some microcode updates that are gonna be coming for this. This update includes microcode updates from Intel for the following CPUs. This is for the Windows 10, version 1709 right now. So that's where Microsoft is starting, is on that Windows 10 branch. This is something that right now is available through the Windows catalog. In our catalog of software, you're going to see an update like this show up as a non-security update because it's something that, you know, would be something that we want people to opt into. That's why we didn't put it in the regular security patch bucket. So it is something you wanna opt into to take that additional change in right now. As Microsoft rolls this out and as they confirm that it's stable, I'm guessing they will make it a recommended patch at that point and we'll see it come into more of the mainstream.
But that's where you'll find it in our catalog, for the time being, just to be cautious. Similar to what Microsoft is doing, we're trying to make sure that we're giving people a little bit more flexibility to pull that in. You can see this is affecting a lot of the different processor families, and that microcode update is resolving that additional variant that had caused some problems back in February. All right, so I think that covers everything there. Todd?
Todd: Ready to go here, Chris?
Chris: All set. Bulletins, take it away.
Todd: All right. Yeah, let's go through the bulletins this month. A lot of usual ones and we have a couple of special ones, as well, and also there's a lot of issues to walk through. Let's start with Windows 10. You know, the big focus obviously by Microsoft is on the vulnerabilities in Windows 10 as being its kind of flagship operating system right now. This month they fixed 49 different vulnerabilities. The list is a little too long to list here, so I recommend that you go to Microsoft's web page and pull up the security update guide for a complete list. It covers all versions, obviously, we're still covering 1511 on the Education and Enterprise editions, as Chris said. The final version that will be supported there is coming out next month on April 10th. So after that, you will see 1511 drop from the list of supported operating systems under the Windows 10 versions as they reach end of support there.
You know, a number of impacts this month, all the way from remote code execution through information disclosure, depending upon the particular vulnerabilities that they're addressing. And you could look up each one of those and pull up the CVEs once again from that security update guide and link back to the Microsoft page and take a look at those. There are a number of issues this month. Chris, you wanna roll over to the next slide? This is primarily around Windows 10, the 1709 release, which is the latest version that they have released, of course. The issue, the first one here is actually a carry-over from last month. Haven't fixed this particular one yet where, you know, the update will show as incorrectly installed whereas it actually has installed properly so they still have that error coming up.
The second issue here is a little more interesting. This has to do with the delta updates that were applied. Apparently, they had a bad delta update back in February that's causing issues. So they provided some recommended procedures here for basically backing that out, going back, installing the January update and then the March update. And they say here that everything should be cleaned up so that when you go back to April or when April comes up here, I should say, that the delta update packages will apply properly on the 1709 release coming up again, like I said, in April. So just be aware of that one if you do run into any issues there. Microsoft has called that out as a particular issue.
And those are the only two that actually showed up this month under Windows 10 and once again specific to version 1709. Next slide, Chris? Moving on, a little bit about Internet Explorer. You know, they continue to support 9, 10 and 11. We've rolled all the updates, whether they're cumulative, security-only or Monthly Rollup for the Internet Explorer under this particular bulletin. There were seven vulnerabilities fixed this month. You know, they gave them a rating of "Critical" so we're carrying that forward, as well. So just be aware of that. Also be aware that you know, when you go to apply these on an endpoint, that the ALLOW REGKEY has to be properly set, as Chris covered in the introduction. He talked about, you know, how that has to be set. Except on Windows 10 because for IE on Windows 10 because as I said...as Chris said there, you know, they've relaxed the REGKEY requirement on Windows 10. So if you do install IE, you will be able to install the IE 11 update as part of the Windows 10 update here so you don't have to worry about that particular problem.
Next slide, Chris. Moving onto Adobe Flash Player. As Chris said, they released one from Microsoft and, of course, Adobe released their own version, as well, applies to all the different operating systems you see here all the way from 1709 back to 8.1, the RT version. Those address two vulnerabilities, doesn't allow for remote code execution. Adobe Flash Player continues to be kind of a hot topic and, you know, has a lot of issues so it is being supported regularly. You could see on the next slide, Chris, they show that this is the particular update from Adobe itself, APSA18-05, that they released in conjunction with the Microsoft update. This one does update version 126.96.36.199 and earlier versions, so be aware of that. Same two vulnerabilities, obviously, it's the same patch that Microsoft is kinda integrating into their patch process.
Next slide, Chris? Moving onto Exchange Server. Chris talked a little bit about this in his introduction. You know, the fact that for a particular public disclosure this month, I've highlighted there in red, it's the 2018-0940 problem that Chris talked about in detail. And it revolves around the Microsoft Outlook Web Access interface and in this case, there were three vulnerabilities that were fixed for Exchange Server this month. It does cover a couple of different versions and one thing that we've done here is because it is a public disclosure, Microsoft rated the patches here as "Important" as Chris was talking about earlier. We've elevated them to "Critical," just because there's public disclosures out there, it's our general standard process that, you know, we expect that an exploit is gonna be showing up soon. So we've elevated to "Critical" here from Ivanti.
On the next slide...
Chris: Yeah, so the...
Todd: Sorry, Chris.
Chris: The severity you'll see in the... The vendor severity will still be important where, but we've put it as a priority one in, like, the content that we put out like our infographic and everything to say it may be an "important," but we're bumping it up in priority because of the disclosure. Yep.
Todd: Yeah, a couple of issues here around Exchange Server. So you'll see the first one, so the first KB there, 4073392. This is for versions 2013 and 2016 of the Enterprise Server. The first issue is that you know, after applying the update it may come up in a disabled state where you have to go through and automatically start the Services Manager once again, so they know that this is an issue. They haven't really said anywhere that they're gonna fix this. It must be just part of the update process that they're...where they're running into this particular issue. So just be aware of that. You may need to restart the service once you've applied the update.
The second one here I found rather interesting. They provide all this detail about, you know, things that will happen, there'll be a silent fail, there's gonna be a problem. And on the last line for this particular issue, they've said, "Oh, by the way, make sure you run this update as administrator." I'm like, "Okay." So after all that, they wanna make sure that you run this particular KB update as an administrator to make sure it applies properly on these Exchange servers. Separate bulletin here for Exchange Server 2010 Service Pack 3. This has the same disabled state that I talk about or that Microsoft mentioned earlier with the first bullet up above there. In addition, there's another known issue related to EWS Impersonation, may no longer work and this once again comes back to the configuration that you have for this particular version of Exchange Server. So just be aware of this. Microsoft is looking at it and they've said that they're gonna issue a fix in a future version. So those are the known issues for Exchange Server this month. Just be aware of those.
Moving on to our regular operating systems or our regular legacy operating systems. Let's talk about Windows 7 and Server 2008 R2. For those of you who aren't regular attendees for our patch webinars here, there are two versions of the updates that are released every month from Microsoft. There's what they call the "Monthly Rollup," which is basically including all the updates from basically October of 2016, rolling them up into one cumulative update and we call it the "Monthly Rollup" as does Microsoft. In this particular month, they've included 22 new fixes. This Monthly Rollup also includes the number of IE vulnerabilities that I talked about earlier.
I've listed the 22 vulnerabilities here. Once again, none of these are publicly disclosed or, you know, are known to be exploited, but just be aware that there are, you know, a large number of vulnerabilities that are fixed this month. There are some known issues, I'll show you that here in just a second, but Chris, go to the next slide. In addition to the Monthly Rollup, which is a cumulative, like I said, going back to October of 2016, Microsoft also issues a security-only update and these are the security issues for the past month. And so depending upon the way you do your update process, you can do the cumulative where you'll get everything, once again, back to October of 2016, or you can apply the security-only update every month where you're only applying those patches specifically for the security fixes for that given month.
This month, you can see in the description there, they've included fixes for the Microsoft graphics component, a number of Kernel fixes, Windows Shell, the XML portion, Windows installer, and Windows Hyper-V. Once again, this is based on Bulletin 4088878. Again, the same 22 vulnerabilities are addressed once again. This one's rated as "Important" because it does not include any of those "Critical" fixes that were included with Internet Explorer that's bundled into the Monthly Rollup. On the next slide, I have a list of issues for Windows 7 this month and there are quite a few. One of them I thought was interesting is that they show that SMB servers may experience a memory leak. Microsoft is investigating this. I had a couple of questions in the chat I saw, "Is there any workaround for this?" We haven't seen anything being reported yet from either Microsoft or other sources on a way to fix that. So as of right now, the answer is no.
There were two stop errors that are occurring. One of them is related to Physical Address Extensions and the other one is related to the Streaming Single Instructions Multiple Data Extensions. Both of those, Microsoft is investigating. So be aware that there could be an issue when applying this patch for this particular KB. And as Chris mentioned earlier, these patches, unlike the Windows 10 where Microsoft has changed the requirements for the ALLOW REGKEY, the ALLOW REGKEY has to be set properly for these Windows 7, both the Monthly Rollup as well as the security-only patches to be applied. So kinda be aware of that, as well. And that applies to both like I said, the Monthly Rollup and the security-only as I've shown in the second KB issue there.
Chris: Yeah. So, Michael shared a comment here that those NIC issues that were being seen were on the security-only version, as well. So a Reddit post was going around about the VMXNET3 issues that were being reported there.
Todd: Right. Yeah, we've been tracking... There also have been some driver issues, as well, where when certain patches are applied, people are having trouble with drivers for USB devices and other things. So we're tracking that, as well, but there hasn't been anything officially released there. Monthly Rollup for Server 2012, once again, this includes all the updates for that particular server as well as Internet Explorer. Again, one fewer vulnerability than was fixed for the Windows 7 and that we saw earlier, basically they're addressing most of the same issues for these particular operating systems. And again, these fixes can only be applied on systems where the ALLOW REGKEY is properly set. So this is the Monthly Rollup bulletin.
And going to the next one, you'll see the security-only for this particular month is only rated as "Important" because it does not include the IE, but once again, it's addressing those same components. So generally, what you'll see is when Microsoft takes a look at the vulnerabilities and they report the CVEs, they generally are looking at the same CVEs across the three sets of operating systems, the Windows 7, the Server 2012, and then the Windows 8.1 and 2012 R2 systems. So they're generally fairly close in nature, but there are subtle differences that are reported. Again, for the security-only here, these fixes are only...will be...will only show up as applicable when that REGKEY is properly set. And this is something we've seen now for three months, so just be aware of that.
Next slide, Chris. Moving onto the update for Windows 8.1 and Server 2012 R2. Again, for those of you that aren't regular participants on our "Patch Tuesday Webinar" here, the reason these particular operating systems are combined together with the same set of vulnerabilities is because they're running the same operating system kernel. So generally, the patches that apply are grouped together by CVE and KB just because they are, you know, basically the same operating system kernel. So this is the Monthly Rollup for 8.1 and Server 2012 R2. Again, the same, pretty much same list of 21 vulnerabilities are addressed as in the previous version that I showed you there. So this is the Monthly Rollup. Again, the REGKEY must be properly set. As once again, Chris said, maybe we'll see something next month where they'll relax this requirement and we won't have to deal with this every month.
Next one, Chris, is the security-only for Windows 8.1, Server 2012 R2. Basically identical, same vulnerabilities being patched as in the Monthly Rollup again. And this one's only rated as "Important" because it doesn't have the "Critical" fixes that were identified, once again, with Internet Explorer. Moving onto something new. Next slide, Chris? We'll talk about Microsoft Office. There were 13 vulnerabilities that were addressed in Microsoft Office this week. The affected products include Office 2007 through 2016, so the full bundle there. There is a separate release this month for version 2016 on Mac and you'll see there's a separate release note for that, for those of you that are interested. There are also individual application updates for Access, Excel, and Word, and there's also an update for the Web Apps Server and Project Server this month, as well.
A number of KB articles covering this that we've bundled together or grouped together here under Microsoft Office, there are 18 of them in all. You can see that a number of things were addressed here including remote...a number of possible ways to execute including remote code execution, security feature bypass, elevation of privilege and information disclosure. Again, kind of as I say every month, make sure that your operating system is up to having the latest service packs or else these, you know, these updates will not be properly applied. So I show an example there, you know, 2010, make sure you're up to Service Pack 2 before you attempt to apply these updates or they'll show up as non-applicable.
This month, next slide, Chris, we've broken out a separate bulletin on Office 365. We've actually had a lot of requests to say, you know, there are some significant differences in what Microsoft's doing with general Office versus Office 365, so we've broken it out separately here. This month, the Microsoft Office 365 update is addressing Semi-Annual Channel 1705, which came out in, I believe, September of last year and 1708, which was released just recently, earlier this year. So they're updating Access, Excel, and Word in those channels, specifically. If you're looking for more information about the way Office 365 updates under "Click-to-Run," you can take a look at this TechNet article that I've referenced here. You can select, you know, any given month and it will show you particularly, you know, which updates are being applied. This month, they're addressing three particular vulnerabilities that I've listed here across those three products in those two different channels, so be aware of that.
Microsoft did change their nomenclature, they used to use the term "Deferred Channel," they're now using the term "Semi-Annual Channel." As you know, Microsoft plans on releasing two updates a year which will include new features. So like right now, as I said in the introduction, their 1705 and 1708 are the current active channels that are being updated. Those were both released, you know, as part of this Semi-Annual Channel release and we will see updates against each of those. The 1705 one should be ending here in a month or two, whereas 1708 will continue on and then there'll be another Semi-Annual Channel release. So once again, this is in keeping with Microsoft's, you know, Software-as-a-Service model, especially under here, under Microsoft Office 365. Again, if you have any questions on this, take a look at that TechNet page and you can... It's very clearly laid out as to how the updates are being applied for particular releases.
Next slide, Chris? Microsoft continues to support Server 2008. Again, 21 vulnerabilities, very similar to what we saw earlier. So be aware of that the updates are available for Server 2008. One of the things I wanna point out is we have not specifically called out updates for XP Embedded in our monthly "Patch Tuesday Webinar" recently. A lot of times, Microsoft will bundle information about, like, point of sales terminals running XP Embedded and other things related to the XP Embedded operating system under the Server 2008 KB articles. So, as you're, you know, if you're running those operating systems and you need to patch those, keep an eye on the KB articles under, like I said, Server 2008.
There are a couple of known issues and this surfaced... You won't find these in the Microsoft list. These surfaced as a result of our content team doing testing yesterday. The first two issues there for those two particular KBs really only apply to 2008 systems running Hyper-V hosts. On your third KB article there, make sure that the remote assistance role is up and running before you attempt to apply them to this particular KB patch or, you know, it will show up as a non-applicable. So just kinda be aware of those. Those are known issues that we found in our direct testing yesterday.
Next slide? There was a separate release for SharePoint Server. As I said, starting last month, we decided to break SharePoint out of the general Office updates. We had enough requests from our customers saying that, "You know, we have different desktop and server patch teams and, you know, we really would like to be able to have the different teams handle these separately," so we've broken this out as a separate set of bulletins. There were 15 vulnerabilities fixed this month for SharePoint Server. It is rated as "Important." You know, it wasn't a "Critical" update this month, so just be aware of that, as well.
Next one, Chris? Getting down towards the end here. Yeah, there we go. It's Chrome. Chris, you wanna talk about the Chrome?
Chris: Yeah. So, Chrome, as I said, yesterday, they released an update late in the day. Now, there were no CVEs reported resolved in that release yesterday. I even posted a question out to them just to confirm that because it was kinda odd coming, you know, two weeks back-to-back, but, you know, they...so far, no vulnerabilities reported in the release yesterday. Now, in last week's release, on 3/7, they resolved 27 vulnerabilities. So, you know, this is one of those times when it's, you know, even though yesterday's update for Google Chrome did not include any security updates, to...if you're not updating Chrome as it comes out each time, this is a good opportunity to go and update Chrome within your regular maintenance because they did just resolve a number of vulnerabilities. So, definitely wanna take note of that one.
This month, a lot of what we're seeing that was "Critical" was at the browser level. So, you know, you saw as we went through each of the bulletins, the Monthly Rollup was rated as "Critical," but when you looked at the security-onlys for the operating system, those were only rated as "Important." There was definitely more vulnerabilities, critical vulnerabilities resolved in the browsers. Firefox, Chrome, and IE are all in need of some updating. So, that's our recommendation there, is the browsers, Flash Player. Those are obviously the number one priority and then the operating system updates followed by, probably, the Exchange update is the next one that really carries, warrants some attention. But that's one of the things we wanted to point out here.
Mozilla did release yesterday. They released two different things. They released their Firefox and their Firefox ESR edition. These both included several security fixes. They were both rated as "Critical." The Firefox 59 update included 18 vulnerabilities resolved and this is for a variety of different types of attacks from remote code execution to spoofing, denial of service, elevation of privilege, information disclosure, there was a variety in there. So definitely want to get that updated. The ESR edition was slightly less in vulnerabilities, only seven, but again, several of those were "Critical," so definitely warrants attention for both of those.
Other non-security updates that came out yesterday, there were updates from CCleaner, TeamViewer and Prezi Desktop. Those were not security-related, so we've put these in as they're recommended to be updated. In fact, I had an interview with a writer earlier this week and he was writing on a topic of undisclosed or unknown vulnerabilities. So this is something that, you know, when you see other products like this that update on a regular basis, there's a lot of vendors out there that may not do a very diligent job of notifying or submitting CVEs, tracking them, making sure that people are aware that their products are vulnerable. A lot of times, things like that may get fixed without you knowing.
So leaving outdated software around the network is definitely a problem. A lot of these products may have had one or two vulnerabilities over the years. Like, CCleaner has had some that, you know, have been found over the years, TeamViewer and so on. But it's good to keep these products up to date to make sure that, you know, anything that is being fixed, even if silently, those vulnerabilities are being resolved. So that's something to definitely keep an eye on.
Between the Patch Tuesdays, we did not add any net new product support this month, but we do have additional security releases from the Adobe Creative Cloud, Acrobat. Chrome had a couple, including last week's update that had a lot of security fixes. Mozilla had a couple updates. Notepad++, Opera, RealTimes, SeaMonkey, Slack, TortoiseGit, Apache Tomcat, VLC Media Player, and Wireshark, all with updates there. A lot of non-securities, as well. So this is, again, these products all get updated outside of Patch Tuesday between each month. It's just a good idea to make sure to track and update these as frequently as possible to make sure that you don't have old software running on your network.
Now, several of those that had vulnerabilities resolved, we do break down some of the additional third-party vulnerability information. That Tomcat release had two vulnerabilities fixed. The Wireshark release had nine. SeaMonkey had 11, and that was it for the specific vulnerabilities that are being tracked there. We did wanna make a couple of updates here and actually had a question in the chat about this. Mahesh, I'll have an answer for you here in just a second.
Interchange and Game Show
Chris: But we did wanna talk about the fact that we do have our Interchange show coming up here in May from the 14th through the 17th down in Dallas. So this is Ivanti's corporate show. We have a combination of sessions with our product experts. We do a series of labs, boot camps, and other things there, as well. It's a great event to be able to get a lot of in-depth knowledge on the products that you're using and also things that are coming.
So we'll showcase some new product integrations, other technologies that are being integrated, new opportunities that you may wanna take advantage of. So there's an Early Bird promotion. You can see that promotional code right here, IMT18WEB100. So that'll get you $100 off of that basically for signing up for that using that promo code. And if you do the Early Bird, that gets you an even bigger discount off, the Early Bird then. So good things to do there. So, Mahesh, your question about...you were looking at the session list and not seeing anything specific to patch for Windows. The reason for that is at Interchange, we're going to be talking about the next evolution of that product, which is actually going to be called Essential Security Controls. So going back to that session list, if you look at any of the ones that are talking about Essential Security Controls, that is the product that you're on today.
The Essentials release, we're gonna be showcasing the progress of that release by the Interchange show and that's gonna focus on looking at some of the app control and privilege management capabilities that are being integrated there. Later this year, probably end of Q3, early Q4, we're gonna have a release of that product that's going to focus on application control and privilege management. Our AppSense engine will be integrated in there along with cross-platform support for Mac and specifically Red Hat first, but the Linux platforms, as well, will be coming into there. So that release is coming out later this year and that...what we're gonna be going through at Interchange is gonna focus a lot around that.
You'll see a few labs in there, as well, talking about the API and automation. But, Mahesh, send me an email, I can actually specifically outline all of the sessions that are gonna be specific to that product line so that you can use that to fuel your conversation with your manager. All right, so that is Interchange coming up.
Now Erica wanted me to talk about this next one here. Next week, we are having a cybersecurity game show, it's gonna be a live webinar where I'm going to be pitted against my boss and my boss's boss. And I'm a little afraid of what Erica and our product marketing manager for security have in store for me. I'm guessing it's gonna be a lot harder for me than my management chain who I'll be competing against.
So, there will be some...live attendees are gonna get to play along, as well, for some chances to win prizes and, you know, it's gonna be kind of a lighthearted cybersecurity webinar first. So for those of you who are interested, that webinar, you can sign up for it right now at the Ivanti webinars page. It is gonna be next week, 3/21 at 8 a.m., Pacific time, 11 a.m., Eastern time. So if you wanna see Chris get embarrassed in a head-to-head competition with his boss, that's the place to view it.
All right, so into the Q and A. Erica and Brian have been doing a great job of responding to a bunch of the questions here, so we're gonna go through and see if we can respond to any others. We have populated the links from several of the topics that we were talking about into the Q and A.
So actually, let's tackle this one first. There was a question from Ken, "What is KB4088876D?" This is actually a good time to talk about the detection-only versus the actual patch. Let me pull. So this is showing our patch view from the Patch for Windows product, just so you guys are aware of which product we're looking at. What I'm gonna do right now is pull up that particular patch and we'll talk through what this means. Make sure to pull it. Okay. So, because Microsoft added that dependency for the registry key to be able to deploy the OS updates that were causing blue screens if the AV wasn't up to date, we had to do a little bit of creative work here to make it so that depending on how you're scanning for updates in our products, you know, we wanted to make sure that you weren't left looking at a system that showed something as neither missing nor installed. You know, and also that you weren't seeing something that was missing, but not deployable. So to do that, we created two variations of each of these updates, one that had just the KB, the other one that had the "D" at the end of it denoting that it was the detection-only patch.
So what this would do is in the case where the registry key was not yet present, you would still see a missing patch, but it would clearly denote that it was the not-deployable version of that so that you would be able to see that. So if you're seeing this comment down here, if you're being offered this patch, please refer to this KB article, and that KB article goes into the details about that registry key and everything. So, Ken, for your question, if you've already got that registry key in place, that "D" variation of those patches is less of a concern for you. It is really there for making sure that customers who may have some systems that if your AV vendor did not apply the key or if your AV was out of date or if there's no AV running, the patches would not be applicable because the Microsoft patch would not allow you to install unless that registry key is in place.
So to make sure that we can clearly show that, we made sure that that variation was clearly denoted with that "D" on the end because we had several customers who were trying to figure out which one they were looking at and without any subtle difference there, they thought they would be able to deploy it and there was a lot of confusion. So, that was trying to mitigate that confusion. And it did help quite a bit, but there's still obviously a little bit of, you know, some questions around that just because it's such a new thing and such a one-off behavior that we've never had before. So this was focused on a mitigation for that confusion around the not-deployable variations of that patch.
Let's see here. "The following patch will only deploy if acquire...if you've acquired them outside of Ivanti Patch for Windows Server." Okay, so, Devon had a good question here. There are some updates that we support that the vendor only supports the latest update for it or, I mean, our catalog goes back many years. You know, we still have the ability to push production updates for things like Windows XP Service Pack 3. Anything that was publicly released for that platform up until then, we still have the ability to detect and if the patch is still available, push it out. Now, Microsoft may have pulled patches for many products, and if they're not maintaining that up in the download center anymore, our product could still detect it as missing, but unless you've downloaded it somewhere, you may not be able to deploy it.
We don't remove those patches from our catalog because that's a defense in depth strategy here, you want to know that those things are still missing and vulnerable even though they may not be deployable. So, Devon, depending on which patch you're talking about, there are some third-party updates, as well, where they only support the latest update that they've got available. And I'm trying to think of a specific example of that right now. Brian, do you know of one off the top of your head? I'm trying to think of one that was doing that. But basically...
Chris: ...if we... Chrome does that?
Brian: Yep, Chrome has a static URL, just as an example.
Chris: Okay, so Chrome will have a static URL that's the same every month, so when they push a new version out, that's the one that's downloadable. So basically, if you're trying to push out, you know, a couple versions ago, you're going to...that update will no longer be downloadable, you're gonna be getting the latest update. So that's an example of that. So in the case that you're looking at, if it's a third-party vendor, make sure that you're deploying the latest in that chain and you should be able to get that or if you set up a...depending on which product you're on, if you're on Patch for Windows or you are, in that case, I see the message in there, you can do the Predictive Patch download. That way, as new things are coming out, it downloads them right away, that way, if you don't get to it before the next update comes out, your console would have already downloaded it and you should see those types of things less. So depending on your situation, that may help you out there.
All right. So, Brian, were there any other questions that you've already responded to that we should bring up for the whole group here that's worth mentioning?
Brian: Not particularly, I think you've covered most of them.
Chris: Okay, got it. Let's go through here, and Microsoft provided a fix or is it... So KB408878.
Brian: That was the ESXi issue, if it's VMnet. Currently, there's no fix for that. Actually, that's the...
Chris: That Reddit post?
Brian: ...post, yep.
Chris: Got it, yeah. So, Joe, the answer to that one is, obviously, the way...there is no fix yet. So, I would say yeah, don't deploy at this point. Hold off on that one for a little while. Watch that Reddit post that we shared out in the links there or contact Microsoft to see when they are gonna provide a fix there. That's the best solution for that one, for the time being, unfortunately. All right. There is a couple of questions from customers on the Endpoint Manager side regarding, you know, so you guys should be aware by now that there were some engine changes and content changes that occurred. Some of you that are seeing that certain patches are showing as an "NA" for the severity, there's actually two different values in there. There's a vendor severity, which should be accurate with what the vendor sent, and then there's another variable there that should be getting updated based on things you've done prior, configurations that you've set.
There is a known issue there right now, one that's being worked on. So what I would do in that case, for those of you who are seeing that, open a support case, make sure that you've opened that up and that we're tracking that, you're experiencing that. When we get that resolved, we should be able to communicate out better to the people that need to know that that fix is in place. This is just the way that the engine and content work in what's called the "Timber Integration." There was an unforeseen circumstance here which was wiping some values. And I think that's the issue you guys are seeing, open a support case, though, and we can track that better for you and get you a better answer.
All right, Todd, are we... Are there any other questions here that I've missed?
Todd: No, I think we did pretty well. There was a question about EMSS update. It's scheduled for April right now. It's been final testing.
Chris: Yep, and, you know, for those of you on the EMSS product, we, you know, we do...we're trying to get that release out right now. It is in our final release regression test right now, so that will be coming as soon as we can get it out to you guys. But, if you're wanting to get more information about what we're working on there, one thing you can do, as well, is reach out to us through either your rep or contact me or Todd directly and we'd be more than happy to get one of our product managers to schedule a roadmap conversation with you, as well. We wanna make sure that you guys understand that there's, you know, things coming, there's new capabilities that will be available to you guys soon here, too, and we've got some good things that we're working on right now that you'll be interested in.
So, let's see. I'm looking to make sure we got most things answered. It looks like a lot of the ones we did answer throughout the process.
Todd: I think Brian and Erica had handled most of them.
Chris: Yep. I think we did cover most everything here. So, you know, again, we're over a little bit on time here. I do appreciate, especially those of you who hung around to get some questions answered here. You guys coming back every month is definitely why we keep doing this. So, appreciate you guys all coming today. Oh, Michael had a question here. "EMSS is ES powered by HEAT now?" So, Michael, the answer to that may vary depending on what you're talking about. So the HEAT products had, the EMSS was the Endpoint Management Security Suite. ES, if you're talking in the classic Lumension naming, was their Endpoint Security product that just did application control and DC.
Because of marketing naming changes and other things like that, right now, EMSS is called Ivanti Endpoint Security. So that is the HEAT product just rebranded to the new Ivanti name for it. So hopefully that answers your question there. If it doesn't, again, you may do well with a roadmap update talking with myself or Todd or one of the team, as well. Reach out to us and we'll be happy to go through more detail there. I think that should cover everything else that we have for major questions there. So thanks, everyone for joining us this month. Happy Pi Day and we will talk to you in April.
Todd: See you next month.