November Patch Tuesday

14 November 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.


Chris: Good morning, everyone, and welcome to the "Patch Tuesday Webinar," for Wednesday, November 14th, 2018. This is Chris Goettl, and joining me today is Todd Schell. Hey, Todd, how is it going?

Todd: Morning Chris. I'm good. How about yourself?

Chris: Happy Reclamation day. For those of you who are big fallout fans, today's the day "Fallout 76" launched. I'm excited about that, I've been playing the beta, it's gonna be fun. So they were doing some patching recently too, but today, we're gonna talk about more of the mainstream Patch Tuesday events: Microsoft, Adobe, different things like that. All right, so we do have a quick update on Patch Tuesday overview, some news that we're gonna get into. Some bulletins that we're gonna go through. And then we're gonna get into some Q&A, which I already see a little bit of Q&A getting started with some servicing stack update questions. We're definitely gonna talk about that today because that's gonna be a fun one.

Yeah, so talking about what came out yesterday. The biggest news was Microsoft. Obviously, there were 15 updates that came out, we're gonna talk about a number of those. Nine of those were critical, six of those were important. There was a zero-day in there, so we'll talk about that guy a little bit as well. And there was also a public disclosure on the Microsoft side, and for Adobe, there was also a public disclosure there which we'll talk about. So those are the big ones that we're gonna to be focusing on, and then we'll get into a little bit more detail about a variety of different topics.

So starting with a little bit of news, this is...for those of you who might be new to the webinar series, we talk a little bit about some more recent incidents that might be happening out there. You know, and just make sure that people are aware of different issues that might be happening. Things you might be wanting to take a look at in more depth. And the first one of those is called PortSmash. So this is one where Brian who does our weekly updates series if you follow our blog. Brian was talking about this in the most recent weekly update. This is the latest side-channel attack that was disclosed.

So it's basically a method that takes advantage of hyper-threading. So the attacker, if they get onto a box and they start to, you know, run in a process on there, that malicious process, if it's running on the same physical core as the victim, could start to glean information across multiple threads there. So taking advantage of hyper-threading being all in the same core, they could start to look at and start to piece together data that they should not have access to in there.

So, you know, there's obviously a little bit of a challenge here, it's not an easy thing to be able to compromise. But if they do this right, they're gonna be able to run a hypervisor, and in that same processor core, that same physical core, they would be able to basically put together enough information to start to... you know, be able to glean real data out of what's running in those other threads.

So there is no existing mitigation in the Windows side yet, what's coming out today did not address this directly. What is being updated in... this was taken directly from the Windows 10 updates this month. The most recent is updating for the speculative store bypass in AMD processors. So this month's update does address some of these side-channel exploits. There's a new mitigation in there specifically for the AMD processors, but it does not mitigate PortSmash yet.

So what this means though is, yes, we've got another update that's going to update the, you know, meltdown specter family of exploits. That will come with the OS level, BIOS, or firmware updates, and also registry keys that need to be enabled to start to actually enforce the mitigations on those systems. This also means that we're nowhere near done with all of these, there will continue to be more of these being identified. In fact, there's probably two or three of them out there now that have been identified, but not yet addressed. So at a firmware level, things like PortSmash might be addressed sooner, but, you know, there's other vendors who are gonna be potentially releasing additional mitigations over time to address those.

All right, the next bit of news, for those of you who have used this service over the years, Microsoft is killing off the Hotfix service. If you go to that Hotfix page, they've got a message up there now saying the service is no longer available. Instead, you should find your fix in either a patch or by upgrading to the latest update available for your product. So this is... you know, for those of you familiar with this, these are not normal patches. A Hotfix is an engineering fix, it's very lightweight, has not gone through the same testing or quality assurance that a full-blown patch is done. It also typically addresses smaller more localized issues that don't affect large portions of the Windows customer base.

But, you know, stopping the service, you know, there's gonna be some open questions here for a while. So the reason we're bringing this up is more of a, hey, be aware you may not see any more of these coming out. But also be aware that some of those that you might have turned to a Hotfix over time, that Hotfix won't be available. So you may end up having to hold off until a fix is in place, or limp along with whatever, you know, limitation might be in there. So I included two examples, these actually came from last month, the October Patch Tuesday release. There was a Hotfix for this Intel Audio Driver if it stopped working. So that could basically download and run on those to fix that issue.

There was another on many HP devices where you could experience a blue screen error, WDF violation after installing the HP keyboard driver. So after the monthly updates, if either of those drivers were experiencing issues, you would have needed to turn to these hotfixes. Again going forward, they wouldn't have a hotfix like this available. So that will be an interesting change going forward, and one where it really does seem like they are pushing everybody from the older platforms up to, you know, the Windows 10 family. So that's something that we wanted to make people aware of that that service is going away.

Windows 10, so this was some interesting news. So I missed last month, I was actually flying back from Australia on Patch Tuesday. So I was in the air somewhere over the ocean at the time when Brian and Todd ran the "Patch Tuesday Webinar" so I got to miss out on a lot of the fun, about, you know, the Windows 10 1809 server 2019, basically being pulled, you know, the fun around that. The Windows 10, version 1809, and server 2019, have rereleased. Availability seems to be limited right now, you won't find it on MSDN yet as of earlier this morning when Brian was poking around out there.

It sounds like, according to sys admin, it sounds like the only availability out there right now is for those of you who have a volume license agreement. So you may have access to it right now, but they have not extended it out to anybody more than that yet. All right, so the reasons for that rollback just to kinda recap some of the issues that happened before. There were a few known issues that have been fixed since then. There was deletion of files in the C:/Users/username/Documents folder, so people losing their files. That was the major issue that was addressed. There were compatibility issues with Intel display audio device drivers, similar to that hotfix that we talked about. Incorrect CPU usage being reported in Task Manager, issues opening compressed files.

There are still a couple of issues out there that are not clearly defined if they were fixed or not. One of which was this mapped network drives issue. So that's one that, you know, as you start to evaluate that, make sure that your map drives and everything are still working right. Because that's one that is out on Reddit right now that people are talking about quite a bit. We included the Microsoft page to be able to read up on that issue if you have come across it, or if you want to make sure you're not running into that.

One thing that we did wanna talk about with this latest branch. So over the years here since Windows 10 released, obviously, there's been a size difference. In the monthly updates, in the cumulative roll-up, that model where everything every month just keeps growing and growing and growing. Microsoft was introducing a component that would help to change the size of that that's being delivered to the end point called Express. Well, really what happened was they changed it from basically pushing the data all down to the endpoint, to doing a whole bunch of back-end calculations in WSUS to trade that off. So Express was a next attempt but kind of a failed one at trying to solve that problem of the continual growth of these updates.

So Microsoft took a third stab at this, and they've come out with this new latest cumulative update model. We've been testing that here, Brian has been taking a look at those and testing out any samples we can get our hands on. And the size of these, and the performance of them seems to be doing quite well. This is gonna be introduced in the latest branch, so Windows 10 1809 and server 2019 will be able to take advantage of these LCU updates. So the size issue actually goes down to smaller than the Express updates which is great.

So that's something to look out for as that new branch becomes available stabilizes. We do recommend taking a look at that for those of you especially who have had issues with trying to distribute the monthly updates based on that size, that growth over time, this is going to help resolve that. So that's a huge one to look for, and we're very excited about that feature in particular. So that is our Windows 10 update there.

All right, the servicing stack update. So for those of you familiar with servicing stack updates, this is something outside of the monthly patch this month, it's required to take additional changes into account. And there have been several of these so far this year. There was an earlier servicing stack updates in May, a few more came out in July. In the last month in October... and actually, a question that I already saw come by here. Last month, they released a servicing stack update for Windows 7 Server 2008 and Server 2008 R2. There was a known issue that several people encountered including a gentleman on the thread here this morning where you could run into an issue where it would halt that step two of two or step three of three. And somebody will have to actually hit CTRL+ALT+DEL to be able to progress further.

It wouldn't fail the update, but it would halt there, you know, and have to be interacted with before it would continue. So that's one to look out for if you have not done last month's servicing stack updates for the Windows 7 and Server 2008 platforms. This month, the November update was for Windows 10 and server 2016 and later. That one, they didn't have the step two of two or step three of three issue like last month. But, you know, there may be some nuances there that you wanna take a look at, some known issues to take a look at there. There may also be some dependencies between the servicing stack updates and cumulative updates.

So far this month, we haven't seen any of this month's roll-ups require... this month's servicing stack update before they'll be allowed to install, but that did happen earlier this year. So we do recommend taking a look at these service stack updates, making sure that you test them out and get them rolled out in a timely manner. Because down the road, there could be dependencies there. With the next section here looking at several of the updates that came out this month. Microsoft did release updates for many development tools.

So many of these, you have to actually get the binaries, and basically a developer has to take those and integrate them into whatever platform you're using there. So for those of you who are using Chakra Core, or Powershell Core, Azure App Services on Azure Stack, or .NET Core, those are all binary updates. You can't just install a patch, somebody actually has to take that binary and basically deploy it out so your DevOps flow has to go and roll that out to your organization.

The team foundation server, this one is actually a patch. We included it in here more because it's a development environment, it's not typically handled day to day like typical patching of systems. Usually, the development team will take those changes and roll those out. So we address it here just to talk about the fact that those teams should be aware of this, and be working to get that rolled out. But that's one of those that we wanted to talk about here.

Most of you probably don't deal with these on a monthly basis, but you interact with the teams that should be doing that. So this is more of a public service announcement, make sure these components get updated as well because they do have vulnerabilities being resolved. Now, one final note on the servicing stack update. The servicing stack update this month does include one of the disclosures we're going to be talking about in a minute here.

Looks like.... if everybody can just check your mute on there, it looks like Webex has been having some problems with the.... it's supposed to mute everybody when you come in. But we are getting a little bit of background noise. So please, double check your mute and thank you, whoever that was I think just captured that. Thank you.

All right, continuing on. All right, we're gonna talk about our one zero-day this month. This was detected in exploits in a while, it's an elevation of privilege vulnerability which an attacker who successfully exploits this could run arbitrary code in the security context of a local system, so they pretty much own the box at that point. To exploit this, the attacker would have to log on to the system, and then they would have to run an especially crafted application that could take advantage of this exploit. But once they do, they pretty much have local system access to that box.

The CVE was actually only rated as important, but that's one of the things that... this is a good example of why vendor severity and CVE severity can't always be taken at face value. You do need additional metadata to be able to make tough decisions at times like this. So while the CVE is only rated as an important, it is known to be explored in the wild. There are people taking advantage of this, so you don't wanna delay in getting this tested and rolled out.

And we'll talk about this a little more as we get into the bulletin by bulletin view. But this vulnerability was on earlier platforms: Windows 7 2008, 2008 R2. So that's the platforms that were affected by this Win32K Sys vulnerability. The next one we wanna talk about is a public disclosure on BitLocker security feature bypass. This is the one that's actually included in that servicing stack update as I mentioned. So to get this fix in place, you need to do the servicing stack update to be able to resolve that. The security feature bypass exists in Windows where it's improperly suspending BitLocker device encryption. The attacker would have to have physical access to the system before it boots up again. But when it powers on.... or they could exploit this vulnerability to gain access to encrypted data, you know, before it were powered on.

To exploit the vulnerability, it does need that physical access to the system prior to the next reboot. So that's, again, the CVE is rated only as important, you know. So when you look at a vulnerability like this, you might look at systems where physical access would be nigh on unattainable for an attacker, and say okay, it's not as big of a concern.

But if you look at a laptop, especially a laptop for somebody who has sensitive data on their system think about the situation there. If that laptop were to get lost in an airport, stolen from a hotel room, accidentally left behind somewhere, or nabbed by somebody, you know, in a smash and grab, you know, there's a lot of ways that a device like that could easily fall into an attacker's hands. And from there, they absolutely have physical access. So think about the location of devices, and take that as part of the context of who should be prioritized when you look at a vulnerability like this.

Because yeah, for a virtual system running in the data center, likely never gonna be an issue. But for a laptop, you know, that could leave the environment and goes into environments where there's a lot of physical access, you know, potentially available, that could definitely be an issue.

All right, the next disclosure down here is... actually, this is part of the Adobe Acrobat and Reader update this month. So this one is also rated just as important, all three of our high profile CVEs this month are only rating as an important severity. But this one is publicly disclosed, there is proof of concept code out and available showing how to take advantage of this NTLM SSO vulnerability. So to successfully exploit this, the exploit of this could lead inadvertently to the leak of user's hashed NTLM passwords. It's an issue that's been known for a few months now, earlier versions of this were identified, and mitigations were identified there.

There's actually an Adobe link off of their article that talks about this here, talking about mitigation of NTLM dictionary attacks. So this is one more variation of that form of attack. So you can see here that came out earlier in May 2018, this is just one more in that continuation of mitigations. So take a look at that in general, and make sure that you understand, you know, if there's any other things that you need to configure there. There's additional optional security enhancements from the Microsoft side that can reduce the potential for this type of exploit to occur as well.

All right, Windows 10 life cycle awareness, we talk about this each month, I'm not gonna go into too much detail this month. But if you see here, there were some updates to Microsoft's lifecycle. Most importantly, the fall release every year now, for those of you who are running on the enterprise or education licensing. The fall release goes onto a 30-month cycle instead of the shorter cycles that other branches would be on. So make sure and take a look at that.

And one thing to be aware of is if you want to get the most out of a branch, you know, switching over to... focusing on that fall release each year, will be the ideal release to get you the most runway off of the branches that you're on. So for Windows 10, and for server 2016, and later, the fall release is the one that will be on that 30-month cadence if you're on the enterprise or education license.

And just again for some awareness, we've been doing this for several weeks now, actually several months, we do offer a weekly patch blog. So we do this webinar once a month, but there's a constant stream of updates coming out. So we went and began doing this weekly patch blog, so that digest will go in and, you know, pull up all the details about what happened most recently. So if we go back and look at week 42 here, you can see here that Brian does a great job of identifying, you know, some of the different news that's come out, similar to how we do in the "Patch Tuesday Webinar." Advisories that may have come out, additional security updates that came out, in this case, the Java release.

So you can see here the vulnerabilities that were released there, the CVSS scores on them. Some other.... actually, this one was an update that had some interesting stuff in it as well. This virtual box had 14 vulnerabilities resolved in that one, with the highest CVSS score being a 9.0 as well. Google Chrome, so here, as you can see, all the third-party updates that were released additionally this month as well. So that's a good way to pull in and make sure to get this same level of detail, but on a weekly basis as well.

Let's see here, get back to my presentation, if I can get back to the right presentation. There we go. Yeah, that's right. For those of you who are subscribing to our patch content announcements, we've been transitioned over for a little while here. But just to make sure you've seen this, and for those of you who might not have been subscribed. If you're using any of our patching solutions, you can go out to the community, and you can subscribe to these patch content notifications. So Patch for Endpoint Manager, Endpoint Security and Patch for Linux, UNIX, Mac, Patch for SCCM, Patch for Windows. Each of these will subscribe you to that particular products content announcement, so you get a constant update as new content becomes available.

And one more thing here announcement wise, we do have the patch for Windows 9.2 version, final update for that from a code perspective was 2017. The final content release was provided yesterday. November's Patch Tuesday was the final patch content update for that version. So do upgrade to 9.3 build 4510. That's the latest one out there that is available now. And we are about to release an early access release, so you'll be hearing more details about this, we'll probably do a little bit more about this in December as well.

But this one is going to release for the Patch for Windows product. The name is gonna change to Ivanti Security Controls. It's gonna include new features like being able to patch Redhat, and then new flavors going into 2019, we'll be releasing new flavor support for different platforms throughout the entire year. And also there's some cool new features coming, one of which is one that we've talked about a little bit here in the past. But being able to import a list of CVEs and map that directly to the patches you need to approve to resolve those.

So this is an experience that we first released on our Patch for SCCM plugin for those of you using that. Patch for Windows, we'll be getting that in this Ivanti Security Controls release coming out here. And for those of you on the EPM platform, that feature will be made available in the 2019.1 release coming up early this next year. So that's a great one. For those of you who are used to this experience, it should some very familiar. But basically, every time your security team does a vulnerability assessment, doesn't matter what the vendor is, whether it's Rapid 7, or Tenable, or Qualys, doesn't matter, you get a list of all the vulnerabilities, and you then have to go and research all that and figure out what to do.

So in that case, being able to take that report, import it, and get the full list of here's all the patch packages we found a hit on with those CVEs, you can eliminate hours to days' worth of research time, every time you get one of those reports. So good stuff coming there, be on the lookout for that. But for those you on 9.2, make sure that you get upgraded, this was the last content release. All right. Todd.

Todd: Hey, Chris.

Chris: All right, I'm done talking for a little while here. I'm gonna hand it over to you. Let's see here. For some reason I gotta the participants' screen up here and hand you keyboard, mouse control. You should now have the cursor.

Todd: Let's see if it works here, here we go. All right, let's go into a little more detail on each of the releases that came out this month, and we'll walk through these. Starting with the update that Chris talked about for Adobe Acrobat and Reader, rated as critical this month due to the vulnerability that Chris talked about from a public disclosure perspective. That was this important fix in here for the NTLM password release, so just to be aware of that. And actually was light in terms of CVEs fix, they only addressed this one, but again an important one because, you know, you could lose your password information there.

Moving on to Windows 10 this month, lots of information about Windows 10. Obviously, their most active operating system and current operating system, of course. Updates for all versions from 1607 through the latest, server 2019, as well as version 1809 that Chris talked about. So there were updates for all of those. Includes the full spectrum of impacts, there were 33 vulnerabilities fixed this month. Chris talked about the 2018 8566 vulnerability which was publicly disclosed. This particular vulnerability was addressed in the servicing stack update, which I listed down below here.

Be aware that if you take a look at the advisory, the 99001 that was rereleased this month, talking about all the servicing stack updates, there are seven separate updates for Windows 10, and each one of those is based on the version of the release, of course. Like I said, from 1607 all the way through 2019. So be aware of those, there are 10 different servicing stack updates, and this particular vulnerability that publicly disclosed, 8566 was addressed.

We have a lot of issues this month across all of Windows 10 that were introduced with the updates. The first one is here under... I've listed them kind of in order from the latest release through the older releases. Update this month KB 4467708 for version 1809, you'll see this one showing up in a couple different updates that I'll list here in just a second. They're saying that some users cannot set Win 32 programs default for certain apps and file type combinations. So when you go through and open up a particular application, you're not getting the defaults that you would expect.

In particular, they talked about Microsoft Notepad not being able to be set. This is a known issue that right now Microsoft is still working on a resolution. They didn't have any workarounds for this particular one. Stepping back to the previous release, 1803, there is an issue here around SqlConnection throwing an exception. They do provide a KB article that I have listed here, you can go in and look for more information on this. The same problem obviously I just talked about in 1809 as well with the Win 32 program. So both of these issues appear in the 1803 release, in the case for both of these, there is no workaround, Microsoft is working on a resolution.

Moving back a little bit further 1709, 1703, and 1607 all have this problem with the SqlConnection, so I've kind of list them this way here, so that you're aware that all of these have the same problem. So just be aware that Microsoft still working on that one as well. And of course, 1607, the oldest one, this first issue here around the LTSC Key Management Service. I've been carrying this particular known issue forward now for four or five months. So looks like Microsoft probably is not gonna fix this one in this older operating system, so just be aware of this. It has to do with key activations when you're running from 1607 to the newer versions of server 2019 or 1809. So just kind of be aware of that.

Apparently, it's pretty much an edge case, not a major issue but is a known issue, and like I said, it appears since it's being carried so much that it's not going to be addressed. Just be aware of that one. Some other problems here, another one that has to do with server 2016 promotions and non-root domains. You're getting an error where the replication operation encountered a database error. So this is a known issue, this is kind of unique to 1607, I haven't seen this one for the other releases of Window 10.

They give an interesting workaround talking about promoting an older version of Server 2012 R2 to non-root domain. So they do give that workaround. However, they did say that they are working on this one and they expect to have possibly an update to this by the end of November. So we may see this one pop out before the next Patch Tuesday, so be aware of that. So those are the known issues for Windows 10, again, appears that quite a few have been introduced this month. So track those in your environment and if you have any questions, you can go back and reference those KB articles.

So with that, let's go back and start looking at the legacy operating systems. Three months ago Microsoft started doing a monthly rollup and a security-only release for Server 2008. Prior to that, they had just been doing a security update. So we're now carrying these forward as both the monthly rollup and the security-only releases. This particular release did fix 10 vulnerabilities. Chris talked about the exploited 8589 vulnerability. I have it highlighted in red here so you're aware of it, so just be aware of that.

A number of fixes that went into these regarding fixes for remote code execution around code execution, elevation of privilege, and public disclosure. I did include the specific servicing stack KB for this one, so if you are referencing this for 2008, it's 3020369. Again, this monthly rollup includes updates for the last three months, plus a few prior to that. So this one does not go back nearly as far as the other rollups that have been done for the other operating systems I'll talk about here in a minute.

The security-only update for this month obviously just addresses these particular vulnerabilities. For those of you who are new to this webinar, I talk a little bit about every month the difference between the monthly rollups and the security-only updates. The monthly rollups have been in effect basically since August of 2016, for most of the older operating systems. Essentially what Microsoft is doing is providing one cumulative update that will address all the vulnerabilities from the last basically two years now. As well as these monthly rollups include some performance enhancement, some other stability fixes as well, so it's not just security. It is a very large file that's growing all the time, and so that's the monthly rollup.

The security-only update includes just the vulnerability fixes for that particular month, and they are really security targeted for the most part. Occasionally, they'll slip in a stability fix or a performance enhancement. But for the most part, they are security-only, they're much smaller. If you are running a patch program with security-only updates, you have to patch every month using the security-only updates. They're not cumulative, so month after month, you have to apply them. There is supersedence obviously, some of the newer patches will replace older ones. But for the most part, you need to just be rigorous in your approach with this. If you do need to catch up, obviously, you can apply the monthly rollup.

Moving on to the other legacy operating systems, Windows 7 and Server 2008 R2. The cumulative or monthly rollup this month addresses 14 vulnerabilities, it does include 2 Internet Explorer vulnerabilities, I'll talk about those later on since that one for Internet Explorer is only rated important, and it's not included just yet in the list here. This particular rollup is critical though because it does address the zero-day vulnerability for 8589.

Again, the servicing stack update for Windows 7, and Server 2008 R2 is 3177467. There are some known issues for this particular monthly rollup, this problem like the one I mentioned for Windows 1607 earlier, this one's been carried around now for four or five months at least. Appears that there's probably not gonna be a fix for this. So it's just reported continuously as a known issue on this older operating system. This one has to do with the network interface controller may stop working, they do give a workaround, so they walk you through the process here, where you scan for hardware and reapply the driver. So just be aware of that.

Interestingly enough, this problem does not exist for the security-only update for Windows 7. Again, addressing the same 14 vulnerabilities for this month, and again, that publicly disclosed one as well. Same service stack update included with this, because it is just for Windows 7 and Server 2008 R2. Next in the group is our monthly rollup for Server 2012, a few more vulnerabilities fixed. We have 15 this month plus the two IE vulnerabilities. Notice that there were no publicly disclosed or exploited vulnerabilities in this one as Chris mentioned in his introduction, those just applied to the 2008 and the Windows 7 releases. Servicing stack update here is 3173426, and this is for Server 2012.

Security only update, once again, exact same vulnerabilities included with this one. Same obviously service stack update as well. And finally, in our last group of legacy operating systems, we have the roll up for 8.1 and Server 2012 R2. As I mentioned every month as well, the reason that these two particular operating systems are grouped together, or the other ones that you saw earlier for like Windows 7 and 2008, for example, R2, is because of the similarity in operating system kernel. The patches that apply to one are also applied to the server version.

So you'll see that these two are grouped together in the same monthly update. Anyway, monthly update or the monthly rollup for this one addresses 17 vulnerabilities. Also listed here, again, no publicly disclosed or exploited vulnerabilities. No known reported issues around this particular monthly rollup so that's good to hear. And of course, the security-only update includes same information.

Moving on to the important vulnerabilities, there was an update for Internet Explorer. They are still updating 9, 10 and 11. Version 9 is running on Server 2008, 10 and 11 on some of the newer operating systems as well. Be aware that there are cumulative updates as well as security-only updates for Internet Explorer as well. We tend to just put them and include them here together. There were 11 different KB articles around the different updates for Internet Explorer. This month, they fixed two vulnerabilities, 8552 and 8570. These were all around remote code execution and information disclosure. Does require a browser restart. And again, these are included in the monthly rollups for each one of the operating systems as I've listed earlier.

There was an Office 365 update, I mentioned this last month, they've changed the name, they've done some rebranding. So Office 365 is now Office 365 ProPlus. You'll also notice here that this update also addresses Office 2019. So what we're seeing right now is that there is only one channel of updates, and it's under Office 365. So you won't actually see patches that say Office 2019 updates at this point. We're gonna keep an eye on this and see if Microsoft breaks those out separately. But right now, just be aware that Office 365 updates are also being applied to Office 2019. So I want you guys to be aware of that.

There were 11 vulnerabilities fixed this month under the click to run updates, no known issues. And as I said, just be aware of the naming change, it's now 365 ProPlus. Normal Office, of course, received its share of updates this month, huge number of updates that were released. There were 20 KB articles, as well as a set of release notes around the Mac 2016 update. Each of the individual applications: Excel, Office, Outlook, etc., were updated, as well as the Office Suite itself. Skype for Business was included, Skype for Business 2016 was also updated this month. Ten vulnerabilities, some overlap with the Office 365 we talked about earlier, but there were some different vulnerabilities fixed here as well. No known issues around these, nothing critical, still rated as important from an update perspective.

There was an update for SharePoint server once again, we've seen this the last few months continuing to update. Different versions, you'll notice here that there is now an update available for 2019. So SharePoint Server 2019 has been released, and there's an update for that as well. Four vulnerabilities were fixed this month, no known reported issues around this.

And finally, I've included Exchange Server here. There is an update address for this with one vulnerability. We have not seen the actual update just yet, a security update, nor the KB article. It does say that CVE 2018 8581 is being addressed, it was an elevation of privilege vulnerability. However, no additional information still available for this, but it is showing up in the Update Catalog, so be aware of that. And again, server 2019 was included there as well.

Adobe Flash Player, didn't see one last month, but we did get an Adobe Flash Player update this month. Addresses one CVE 15978. Interestingly enough, you know, Microsoft says the impact of this is remote code execution. But you'll see when we actually go to Adobe, Adobe says this is an information disclosure vulnerability. So I think it has to just do with the interpretation of the way the vulnerability manifests itself. But be aware that there is an update this month for Adobe Flash Player, both direct from Adobe under APSB 1839 as shown here. And of course, you know, the update that's included in the normal Microsoft releases for the month. So with that, Chris, if you're still there, I'll turn it back over to you to talk about the last few slides.

Chris: Yeah, thanks, Todd. So one thing that we talk about a lot and one of the reasons why we started that weekly blog series, which I see a number of you are interested in, which, you know, we figured, and that's why we created that content. A lot happens between Patch Tuesdays, there's always a lot of visibility around the large scale Patch Tuesday event. Excuse me, but there's a lot of things that happen in between. So you can see a number of security updates happened in between... Todd, you're holding out the control to me. There we go. Got it. All right, I got control back.

Todd: You grabbed it back? You're good?

Chris: I grabbed it back, yeah. All right. So security update...

Todd: Sorry, about that.

Chris: No, not a problem. There's a lot of security updates that come up in between Patch Tuesdays, and many of those could be critical security vulnerabilities that you want to address in a timely manner. This is where we... you know, when we talk best practices, you know, Todd and I often focus a lot around, okay, so if you've got, you know, your end users, if they're constantly under attack from phishing. In fact, on Twitter just today, I've seen a number of different security vendors talking about the fact that phishing is still on the rise. There's still increases in that, it's still a commonly used way to target people.

And a lot of those vulnerabilities are resolved on a regular basis in Chrome, in Firefox, in Adobe products, in many of these different products. And most of these are not releasing on Patch Tuesday. So a lot of times we recommend that, you know, your users should get into a more frequent update routine than just one once a month even.

So it's something that we do, you know, encourage people to strive for, getting down to the point where no update lingers out there for more than 14 days, if it can be helped, that includes security vulnerabilities. So this is information that helps you to make the case as to why that's important. Take the information from those different posts that we create weekly, the information from our content notifications, show people this is why there's a concern to try to get to the point where certain systems can be patched more frequently, or at least certain applications.

So that's what this slide is all about. Here's a breakdown of several of the third- party updates that had vulnerabilities being resolved this month. You can see here some workstation updates that had two CVEs resolved, we had Chrome, Evernote, Thunderbird, Webex productivity tools. Yes, even Webex has vulnerabilities that are being resolved. Apple, iCloud, iTunes, Firefox, and it goes on. Even tools like Wireshark that you're using on network to do diagnostics and things like that could be turned against you, they often have a lot of vulnerabilities. Think about the power of Wireshark and why you like to utilize it so much, and think about that tool in the hands of an attacker, with a privileged level of access can definitely be used to great effect against you.

So those are some of the details that we talk about here between the Patch Tuesdays segment there. We do wanna get into some Q&A here real quick. I think one of the ones that I'm seeing here... and this is where I'd like to... for those of you who might be new to the series or don't catch it very frequently, we've got a third member of our team here that often helps us with this portion of it. You may have already seen him responding to questions in there. But Brian is here with us to help us with a lot of the detailed content questions. So Brian, this question came from Jared, to get the latest servicing stack update, do we need to update to the latest SU for Windows 10? In this case, no, it's actually a separate patch, right?

Brian: Yes, it is a completely separate patch. So little caveat there, the only other caveat is for 1607 Server 2016. The main servicing stack is actually required to install the most recent servicing stack. That main servicing stack is also required to get really any of the latest cumulative. So you should already have installed, but just a heads up there. But most cases, you shouldn't require any previous servicing stacks, or any additional prerequisites to get that installed.

Chris: Okay, and I think... you've been answering several questions around the servicing stacks, any additional ones that came up here that you think we need to readdress, sort of we cover most of?

Brian: Yeah, I do wanna elaborate a little bit on the servicing stack. Windows 10 1607 is the... to review, is the only OS that requires the main servicing stack to be installed for additional patches to be installed. In every other scenario, Microsoft does recommend that servicing stacks are installed before rollups, any of the latest security updates. I do wanna emphasize that they do not require it however, the patches will install, in most cases, they will install successfully.

Microsoft does recommend, however, installing main servicing stack ahead of time for stability. And customers have mentioned within this Q&As;, and previous ones, that they have noticed that specifically on 2008 R2 and Windows 7. Within our content, we do not require that service stacks are there as a prerequisite, but if you do run to any stability issues or rollbacks, again, that servicing stack should help.

Chris: Right. Another one here on the exchange update from Margi. In the FAQ, there is a registry key to remove, and that would basically make it so that the CVE that's being resolved is not exploitable. So that is a way to resolve the issue directly. You know, there's still an open question of this is kind of an odd situation where Microsoft created, you know, a CVE here, and there's not really a patch here yet. So usually, if it's that something like that, it would have had an advisory that it would have been tied to, or a specific KB that would've been posted. So that's why we're wondering will there still be a patch coming, or will it just be... you know, should it be an advisory, or how are they gonna capture this, and better inform people of what's going on?

So to the question that you have, Margi, yes, the registry key being removed will resolve the vulnerability. There is still an open question of is Microsoft going to release a patch for that? Or, you know, is this the only guidance, and in that case, you know, there really should have been an advisory or something. So this one looks like it's a little bit of an odd CVE kind of out there on its own right now. So that's why we're saying, you know, keep an eye on it, it may still crop up. Let's see, what other... Brian, why don't we go through and see what other of the questions that you've responded to so far really warrant full audience awareness?

Brian: There's just a couple that I actually want to bounce off of you, Chris, they're more process related. So I wanted to just see what your answers were of these. Can you suggest anything to help IT management and executives on board with server maintenance Windows? Is it bad to insult patches on servers and let them sit for a week? Personally, for the letting them sit, I would definitely not recommend them sit. You're gonna be in a half installed state, some files get up to date, some others that can affect stability. Regarding getting everyone on the same server maintenance window, I wonder if you have any recommendations around that.

Chris: Yes, so this is one... and this is an area where there's always a million and one ways to answer this type of question. So I'll give you the best general answer that I would give anyone. So totally agree that, you know, in a case where you've got patches that have been installed, if they're pending a reboot, you wanna try to reboot as soon as possible. There's a question of what state is the system in, and could certain things, you know, behave incorrectly or, you know, could issues arise because the components are in a half installed state?

The way that most of those things work, it shouldn't be a problem, but, you know, it's a grey area where Microsoft would say, yes, sorry, you're in an unsupported state right now, you need to reboot that system now. So if you're gonna apply the patches, a reboot should follow as soon as possible on that scenario.

As far as server maintenance windows, I've seen all sorts. I've seen environments where they've got, you know, 5 9s pf availability they've gotta stick to. So there, you've gotta have... you know, we try to make things like APIs available so you can build us in more detailed automation workflow. And that's something where an orchestrator, or an automation platform, could then, you know, patch, you know, different nodes in a cluster, or tiers of an application very quickly and do so in a certain order. And then get them back into the pool so that there is little downtime as possible.

So, you know, we've got online casinos and, you know, other hosting environments and groups like that that use our technology. And they literally have, you know, minutes of downtime that that might actually happen. So a lot of what they're doing is pre-stage everything, execute at a very specific time, reboot as quickly as possible after.

So as far as trying to do everything all at once, that will depend on, you know, what type of a window can you get there? So on a question like that, always feel free to reach out to us, we can have a more detailed conversation around your specific requirements, and try to help you build a better workflow that works well for your organization. But this is probably one of the biggest contention issues that cause patch management to be so difficult.

Especially if you're dealing with people who, you know, they're the business line owner or, you know, whatever service needs to be patched, they're just saying, "No, no, you can't take it down, it has to be up, it has to always be up to." Remind those people that security of that environment is paramount. If that gets exploited, that is a pretty big issue from a compliance standpoint. You know, think about the big name breaches that have occurred. And a lot of times, those are the reasons why things didn't get deployed. You can bet that Equifax, it wasn't one guy who just didn't do his job, there was a series of events likely that prevented that update from being applied. And, you know, there's always political challenges like that, but that's kind of my best general answer to that question.

Brian: Perfect. Just a bunch of specific task things, but the last very specific question was... actually, I think we're good. Let me just run down the list real quick, I'll be real fast. So one question was around if you do disable hyper-threading, are you still vulnerable to PortSmash? No, you do need to save a lot on the BIOS levels, so just a heads up there. Of course, that can effect specific workloads especially those that do media encoding, etc., that's why hyper-threading is awesome. But for virtualization, you can afford to turn that off in my experience.

What else? You covered the blog post. I think we should be good... oh, one question was any reason why server 2016 patches seem to take way longer than 2012 and 2008? That's a really good example of Windows 10 cumulative model. That's gonna kind of be the case for 2016, I don't think they'll be moving away from that, 2008 and 2012, those monthly rollups are a lot smaller, so they should be good. But in the near future, unless Microsoft comes up with a new solution, really prepare for that window to kind of grow larger and larger. I hate to be the bringer of bad news there, but I've noticed in our testing, and it's definitely the machines that are lagging behind the most.

Another great question, a customer had IE 9 on some computers, will the Windows 7 monthly rollup update those to IE 11? No, they will not. It will only update it if you have IE 11 on there. So you'll need to install an IE 11... kind of the IE 11 installer for that'll happen. The IE 11 installer ideally should be... it's on the latest updates, so you should get in line at that moment. But you will still be vulnerable until you do update to the IE 11, that was a great question. Other than that, I think we should be good.

Chris: All right. Thanks, Brian. And I've been looking through here too, I think we again we've gotten kind of the general questions everybody would probably be interested out of the way. Yeah, I think that's where we'll wrap this month. There's only a couple other things that I will mention here. We've got... for those of you familiar with our Interchange event, you know, this is something that we do have coming up here very soon. For those of you in Europe, we did our first full Interchange event in Europe, in Madrid last year. And this year, we have moved up the timeframe for that to the week of March 11th. So that's coming up here pretty quick, early bird availability is already live there. So you can take a look at that.

It's a great event. We do a lot of product deep dives, and industry sessions, and, you know, everything you can think of. In fact, I did the "Patch Tuesday Webinar" live from Madrid when we were out there earlier this year. For those of you who are in the U.S. market, we are gonna be in Nashville this year. So, you know, that's definitely gonna to be an interesting change in venue, a lot of great, you know, opportunities to go catch the music and everything down on little Broadway after the events during the day. You know, just an all-around good opportunity to get out and interact with, you know, the product managers, we'll have designers, we'll have tech leads. You'll have more direct access to the people working behind these products than at any other time. And a lot of good sneak peeks, direct access to updates on the products.

So one more question came in here that we probably wanna talk about. Andrew had a question here about providing patch content for Citrix workspace, which is replacing Citrix receiver. Brian, we started investigating that one yet?

Brian: I don't believe we have. I'm definitely noting it, we'll put it in a queue, just to keep track of it. I'd happily recommend putting it in our user voice area. And we'll get on that as soon as we can.

Chris: Great, okay. Cool, well, thanks everyone, and we look forward to seeing you again for December's "Patch Tuesday Webinar." Thank you.

Todd: Thanks, everybody.