The first bulletin administrators should address immediately is the mammoth security bulletin MS12-034.  The sheer size of this security bulletin will undoubtedly affect the majority of your network when patching this month.

This bulletin covers: 72 Microsoft operating systems / service pack combinations 31 Microsoft .NET installation versions and types 9 Microsoft Office installation versions and types 6 Microsoft Silverlight installation versions and types

This is by far one of the largest security bulletins Microsoft has ever released.  This bulletin will address seven vulnerabilities with …]]> Marking the May 2012 edition of Patch Tuesday, Microsoft has released seven new security bulletins addressing 23 vulnerabilities.

The first bulletin administrators should address immediately is the mammoth security bulletin MS12-034.  The sheer size of this security bulletin will undoubtedly affect the majority of your network when patching this month.

This bulletin covers:
72 Microsoft operating systems / service pack combinations
31 Microsoft .NET installation versions and types
9 Microsoft Office installation versions and types
6 Microsoft Silverlight installation versions and types

This is by far one of the largest security bulletins Microsoft has ever released.  This bulletin will address seven vulnerabilities with three of the vulnerabilities already publicly disclosed.  There are quite a few scenarios an attacker could exploit the vulnerabilities, but the most tempting attack scenario will involve a user visiting a malicious website.  With an unpatched system, the user will be subject to an attack that will result in Remote Code Execution.  MS12-035 is a second security bulletin that addresses vulnerabilities in the Microsoft .NET application.  Both MS12-034 and MS12-035 will need to be applied to applicable systems with .NET installed.  As most administrators are already aware of, patching Microsoft .NET can be extremely time-consuming.  Administrators should plan for a longer than usual patch cycle for their machines with .NET installed with two security bulletins affection the Microsoft .NET product.

Next up on the priority list for patching this month is MS12-029.  This security bulletin addresses one vulnerability in older versions of Microsoft Word (pre Microsoft Word 2010).  An attacker can gain Remote Code Execution if a user opens a malicious RTF type document with Microsoft Word.  RTF documents are very common documents that are typically allowed through email systems as attachments.

Microsoft also released a new security advisory for their ActiveX Kill Bits with Microsoft Security Advisory (2695962).  In the past, Microsoft released ActiveX Kill Bit updates in a security bulletin format.  With the change to a security advisory format, it is important to not forget about these patches during your normal patch Tuesday cycle.

On the non-Microsoft front, Adobe has joined patch Tuesday with a security bulletin release of their own.  The 4 new Adobe Security bulletins affect a variety of products:
APSB12-10 – Adobe Illustrator:  5 vulnerabilities fixed, can lead to Remote Code Execution
APSB12-11 – Adobe Photoshop:  2 vulnerabilities fixed, can lead to Remote Code Execution
APSB12-12 – Adobe Flash Professional:  1 vulnerability fixed, can lead to Remote Code Execution
APSB12-13 – Adobe Shockwave Player:  5 vulnerabilities fixed, can lead to Remote Code Execution

Last Friday, Adobe released an update for their Adobe Flash Player with APSB12-09.  This security bulletin addresses a zero-day vulnerability that is currently being exploited in the wild.  Adobe Flash is a widely used program and often targeted by attackers, so this bulletin should be deployed as soon as possible with your Microsoft security bulletins.

In all, this typically light patching month will feature quite a few security bulletins to address on networks (7 Microsoft security bulletins, 1 Microsoft security advisory, 5 Adobe bulletins).

I will be going over the May Patch Tuesday in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our Monthly Patch Tuesday webinar. This webinar is scheduled for next Wednesday, May 9th at 11:00am CST. You can register for this webinar here.

- Jason Miller

Security Bulletin Breakdown:

“In November of 2012, Shavlik, a VMware Company, will End-of-Life (EOL) the following NetChk Protect versions by disabling the ability to update the XML data. As of November 1, 2012, the ability to update XML data on Protect 7.5, 7.6 and 7.8 versions of the product will be disabled. Please refer to VMware’s Life Cycle Policies page under VMware vCenter Protect Essentials/Essentials Plus for further information at https://www.vmware.com/support/policies/lifecycle/ & VMware customers using the Shavlik branded versions of Protect please note that we are announcing the end-of-life for versions 7.5, 7.6, and 7.8.  You will see the following message when contacting support.

“In November of 2012, Shavlik, a VMware Company, will End-of-Life (EOL) the following NetChk Protect versions by disabling the ability to update the XML data. As of November 1, 2012, the ability to update XML data on Protect 7.5, 7.6 and 7.8 versions of the product will be disabled. Please refer to VMware’s Life Cycle Policies page under VMware vCenter Protect Essentials/Essentials Plus for further information at https://www.vmware.com/support/policies/lifecycle/ &https://www.vmware.com/files/pdf/support/Shavlik-Legacy-EOL-Information.pdf.

To upgrade to the latest version of vCenter (NetChk) Protect Essentials, please visit:  http://www.shavlik.com/downloads.aspx.”

The vCenter Protect support team will also be directly contacting customers who are last known to be on these versions.  As always we will do everything we can to ensure Protect customers have been notified of the versions that will no longer be supported.

Regards,

Chris Goettl
Product Owner
SMB Management Solutions
VMware

Microsoft Management Summit 2012 begins today in Las Vegas and if you are attending the show, we invite you to stop by VMware booth #621.  We’ll be demonstrating the latest releases of our VMware …]]> Keeping up to date with patches historically meant operating systems and applications from Microsoft.  In today’s threat landscape, however, third-party applications have become the leading cause of most vulnerabilities on the network.  Many companies around the world rely on Microsoft System Configuration Manager (SCCM) for patch management.  That simply is not enough to bolster network security, however, because Microsoft applications are not the only ones at risk.

Microsoft Management Summit 2012 begins today in Las Vegas and if you are attending the show, we invite you to stop by VMware booth #621.  We’ll be demonstrating the latest releases of our VMware vCenter Protect Update Catalog and VMware vCenter Protect Essentials at the booth.  These solutions simplify and automate patch management for Microsoft and third-party applications.

About VMware’s solutions for patch management

VMware vCenter Protect Update Catalog extends SCCM beyond Microsoft products to solve critical third-party patch management needs.  vCenter Protect Update Catalog plugs into SCCM as a simple data service that requires no additional agents, console or management to learn.  Just import the third-party patch catalog for Adobe, Google, Java Firefox, iTunes, etc. into SCCM and you’ll be patching vulnerabilities on your servers and workstations in minutes.  Click here to learn more about vCenter Protect Update Catalog.

VMware vCenter Protect Essentials reduces the cost and complexity of IT management with an integrated approach to IT security and compliance.  vCenter Protect Essentials provides centralized Windows patch management and asset inventory management for both virtual and physical machines.  This includes centralized management for Windows operating systems and the most widely used Windows-hosted applications running on both virtual and physical servers and workstations.  Click here to learn more about vCenter Protect Essentials.

Hope to see you in Las Vegas this week, and don’t forget to enter your name to win an Xbox 360 with Kinect at booth #621.

- Mike Bleakmore

Marking the fourth Patch Tuesday of the year, Microsoft and non-Microsoft vendors are making this quite an interesting month with critical security bulletins and new products to consider in your monthly Patch Tuesday.

There are many products that are affected by the new security bulletins. This means you will be seeing quite a few patches missing on a single machine.  For example, MS12-027 affects 29 different products and service pack levels.  For those administrators responsible for reporting their patch compliance, this can …]]> Microsoft has released six bulletins addressing 11 vulnerabilities in the April 2012 version of Patch Tuesday.

Marking the fourth Patch Tuesday of the year, Microsoft and non-Microsoft vendors are making this quite an interesting month with critical security bulletins and new products to consider in your monthly Patch Tuesday.

There are many products that are affected by the new security bulletins. This means you will be seeing quite a few patches missing on a single machine.  For example, MS12-027 affects 29 different products and service pack levels.  For those administrators responsible for reporting their patch compliance, this can be quite a headache.

As scheduled, Microsoft has released their bi-monthly update for Internet Explorer.  With any browser (Microsoft or non-Microsoft), patching is always on the top of the priority list as Internet browsers are one of the most targeted pieces of software for exploitation.  With Internet Explorer 10 (bundled with Windows 8), Microsoft is turning on automatic updates in the background.  We will have to wait and see if Microsoft increases their patch releases for their browser like Google Chrome and Mozilla Firefox.  Since the last time Microsoft has patched Internet Explorer (February 2012 Patch Tuesday), Google released new updates to their browser seven times.  Five of these releases were security releases. 

Speaking of browsing threats, MS12-027 is a bulletin that can be attacked via browsing.  MS12-027 fixes one vulnerability that Microsoft has received limited attacks against.  Browsing to a malicious website with Internet Explorer will result in remote code execution.  An attacker could also try sending a RTF file with embedded malicious ActiveX controls.  If the user opens the file on an unpatched system, the attacker can gain full access to the system.  As Microsoft has already seen active exploits against this vulnerability and it contains a web browsing scenario, it will be critical to push this patch out to your desktop systems as soon as possible. 

On a different front for this security bulletin, software developers will need to pay particular attention to the information inside of this bulletin.  Any developer that has released an ActiveX control should review the information for this security bulletin.  These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.

With this Patch Tuesday we are also seeing the first security bulletin affecting the Windows 8 Consumer Preview.  Anyone using this operating system will want to apply MS12-024.  It is good to see that Microsoft is not forgetting about their widely available (and used) preview operating system.

There are a few non-Microsoft vendors joining the Patch Tuesday security bulletin party with their own releases.  Adobe is releasing updates for their Acrobat and Reader product lines during their own quarterly security bulletin update (APSB12-08).  This security update addresses four vulnerabilities.

Google has released an update for their Chrome browser with version 18.0.1025.152.  This latest version of the Google Chrome browser is a non-security update.

I will be talking about the April Patch Tuesday as well as any other non-Microsoft patches that have been recently released tomorrow, April 11^th at 11:00am CT in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

- Jason Miller

 Security Bulletin Breakdown:

 Affected Products:

The primary bulletin administrators should look to address first is MS12-020.  This bulletin addresses two privately reported vulnerabilities to Microsoft affecting the Remote Desktop Protocol on all supported versions of the Microsoft operating system.

If an attacker sends a specially crafted packet to a machine with RDP enabled, the attack could result in Remote Code Execution on the target machine.  Although Microsoft is stating that most machines do not have RDP enabled by default, I know of many organizations …]]> Microsoft has released six bulletins for the March 2012 Patch Tuesday.  With this release, Microsoft is addressing seven vulnerabilities.

The primary bulletin administrators should look to address first is MS12-020.  This bulletin addresses two privately reported vulnerabilities to Microsoft affecting the Remote Desktop Protocol on all supported versions of the Microsoft operating system.

If an attacker sends a specially crafted packet to a machine with RDP enabled, the attack could result in Remote Code Execution on the target machine.  Although Microsoft is stating that most machines do not have RDP enabled by default, I know of many organizations that use RDP to troubleshoot machines.  This Windows component comes even more into play with machines that are not physically located next to users such as virtualized machines.  Using RDP is a common technique used to connect to virtualized machines.

There are a couple of varying factors with this vulnerability that could help or increase the risk of attack on a network.  First, older operating systems (Windows XP, 2003) can potentially have an unauthenticated attack vector on this vulnerability.  With these systems, an attacker can simply send specially crafted RDP network packets to the target system and gain full system level access.  Newer versions of the Microsoft operating system (Windows Vista, 2008, 7, 2008 R2) have a security feature that can be turned on to prevent unauthenticated access.  This technology, Network Level Authentication, will force an attacker to provide valid credentials to gain access to the system.

This bulletin simply scares me when it comes to protecting an environment from future attacks.  This vulnerability has the real potential to become victim to a worm outbreak if this vulnerability is not patched.  Although this vulnerability may be difficult to exploit, I can assure you attackers will be working hard to create a valid attack against the vulnerability.  With that said, administrators should patch this bulletin immediately.

A lot of organizations have patch maintenance windows that only allow patching at certain times.  If an administrator has a maintenance window later this month but wants to help mitigate the risk of this vulnerability, Microsoft has supplied a FixIt tool to enable NLA on newer operating systems.  In addition, they have provided a FixIt tool to enable support for NLA on Windows XP SP3.  Windows XP does not have this technology as it is an older operating system.

On the non-Microsoft front, Adobe has released an update for their ColdFusion program with security bulletin APSB12-06.  This security bulletin is rated as important and addresses one vulnerability.  Mozilla is hinting at releasing security updates for Thunderbird and SeaMonkey later today.  So far, they have released new versions of Firefox with 10.0.3 and 3.6.28.  Both of the Firefox updates are security updates.

As with any Patch Tuesday, keep your eyes and ears open for any other vendors potentially sneaking in a security update.

There have been some non-Microsoft security updates released since the February Patch Tuesday including:

Adobe Flash
Apple iTunes
Google Chrome
Mozilla Firefox
Mozilla Thunderbird
Mozilla SeaMonkey
Oracle Java

With the RDP bulletin released today along with all of the other non-Microsoft security bulletins released today and during this month, administrators will have their own March Madness to deal with patching their networks.

I will be talking about the March Patch Tuesday as well as any other non-Microsoft patches that have been recently released next Wednesday, March 14th at 11:00am CST in part of our monthly Patch Tuesday webinar. Click here to register for the webinar.

- Jason Miller

 Security Bulletin Breakdown:

 Affected Products:

I will be talking about the March Patch Tuesday as well as any other non-Microsoft patches that have been recently released next …]]> Microsoft has released their advanced notification for the March 2012 edition of Patch Tuesday.  Microsoft is planning to release six bulletins addressing seven vulnerabilities.

 Security Bulletin Breakdown:

• 1 bulletin is rated as Critical
• 4 bulletins are rated as Important
• 1 bulletin is rated as Moderate
• 2 vulnerabilities could lead to Remote Code Execution
• 2 vulnerabilities could lead to Elevation of Privilege
• 2 vulnerabilities could lead to Denial of Service

 Affected Products:

• All supported Microsoft Operating Systems
• Microsoft Visual Studio 2008, 2010
• Microsoft Expression Design 1, 2, 3, 4

I will be talking about the March Patch Tuesday as well as any other non-Microsoft patches that have been recently released next Wednesday, March 14th at 11:00am CST in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

 - Jason Miller

There are two bulletins that administrators should look to patch immediately.  Both of these bulletins address vulnerabilties that have the potential for drive-by attack scenarios from websites.

First up is Microsoft security bulletin MS12-010.  This bulletin affects all supported Microsoft Internet Explorer browsers and addresses four vulnerabilities in the browser.  As is the case with most, if not all Internet Browsers, it is …]]> Microsoft has released nine new security bulletins for the February 2012 edition of Patch Tuesday.  This Patch Tuesday is typically marked as a ‘heavy’ release month and includes nine new security bulletins addressing 21 vulnerabilities.

There are two bulletins that administrators should look to patch immediately.  Both of these bulletins address vulnerabilties that have the potential for drive-by attack scenarios from websites.

First up is Microsoft security bulletin MS12-010.  This bulletin affects all supported Microsoft Internet Explorer browsers and addresses four vulnerabilities in the browser.  As is the case with most, if not all Internet Browsers, it is extremely important to patch as soon as possible as browsers are one of the most attacked pieces of software.  The vulnerabilities addressed in this patch could allow an attacker to exploit the browser through malicious websites.

Similarly, MS12-013 also has a possible drive-by attack vector.  This bulletin addresses one vulnerability in the C Run-Time Library.  If an attacker can entice a user to open a malicious media file, the attacker can gain full access to a system.  In this new media and social media age, media file attack vectors are just as important as browser attack vectors when it comes to patching security vulnerabilities.

Our old friend, the DLL preload vulnerability, is making a return after a one-month hiatus.  Two bulletins this month fix the DLL preload vulnerability in Microsoft applications.

MS12-012 – Color Control Panel
MS12-014 – Indeo Codec

Since releasing the Security Advisory for this issue in November 2010, Microsoft has patched different programs affected by this vulnerability 22 times.  It is safe to say we will continue to see the DLL preload vulnerability being addressed by Microsoft in the coming months.

On the non-Microsoft front, there is already one vendor joining Patch Tuesday.  Adobe released two new security bulletins today affecting two Adobe products.  Security bulletin APSB12-02 affects Adobe Shockwave and fixes nine vulnerabilities.  Adobe Security bulletin APSB12-04 affects Adobe RoboHelp for Word and fixes one vulnerability.

This has been quite a busy month with multiple non-Microsoft vendors releasing security updates for their software.  After a very quiet December and January, it appears the non-Microsoft vendors are getting back to a normal cadence for releasing security updates for their software application.  The following vendors have released security updates since January 2012 Patch Tuesday:

Opera
Google Chrome (twice)
Yahoo Messenger
Mozilla Firefox (twice)
Mozilla Thunderbird (twice)
Mozilla SeaMonkey (twice)
Real Player
Skype

For those administrators who wait for a monthly maintenance window for their patching needs, this month is going to be quite a large month combining all of the Microsoft and non-Microsoft security bulletins released since the last Patch Tuesday.

I will be talking about these patches along with the latest non-Microsoft patches that have been recently released tomorrow, February 15th at 11:00am CT as part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

- Jason Miller

Security Bulletin Breakdown:

Affected Products:

There has been no word of other vendors planning to release new security bulletins, but we are constantly monitoring to find any other vendors planning on joining Microsoft’s Patch Tuesday.

I will be talking …]]> Microsoft has announced their February 2012 Advanced Notification for the upcoming Patch Tuesday.  Microsoft is planning to release nine security bulletins fixing 21 vulnerabilities.

Security Bulletin Breakdown:

• 4 bulletins are rated as Critical
• 5 bulletins are rated as Important
• 7 vulnerabilities could lead to Remote Code Execution
• 2 vulnerabilities could lead to Elevation of Privilege

Affected Products:

• All supported Microsoft Operating systems
• All supported Internet Explorer browsers
• Visio Viewer 2010
• SharePoint Server 2010
• SharePoint Foundation 2010
• Silverlight 4

There has been no word of other vendors planning to release new security bulletins, but we are constantly monitoring to find any other vendors planning on joining Microsoft’s Patch Tuesday.

I will be talking about these patches along with the latest non-Microsoft patches that have been recently released next Wednesday, February 15th at 11:00am CST in part of our monthly Patch Tuesday webinar.  Click here to register for the webinar.

- Jason Miller