Home > Blogs > VMware Go Blog > Monthly Archives: September 2012

Monthly Archives: September 2012

Weekly Links – September 28, 2012

Hello again, friends—we’re back after a one-week hiatus! Hope you didn’t miss us too much. We could tell you where we were—but then we’d have to kill you. In lieu of that, how about we regale you with a series of links that you can scan as you eat lunch today?

8 IT careers that won’t leave you begging (InfoWorld)

CEO Tim Cook apologizes for “falling short” on Apple Maps (GigaOM)

Is Windows 8 Too Risky For IT? (InformationWeek)

Top 10 Most In-Demand Job Titles (IT Business Edge)

In California, It’s Now Illegal for Employers and Universities to Ask for Your Social Media Passwords (The Atlantic)

And now for this week’s apropos of nothing image. We’ve heard from some of you recently that the beautiful landscapes we’ve recently been posting here have been “boring” and “not up to par.”

The fact that the likes of Teddy Roosevelt and John Muir are currently rolling over in their graves upon hearing that aside, we get it. So this week, we present you with this—no explanation needed:

You can read our previous links round-ups here. And be sure to visit go.vmware.com for more information on how we can help you better manage your IT infrastructure.

Better yet, you can try it for yourself here – and it’s free!

VMware Go Pro Will Set You Free

By: Matt Sarrel, CISSP, Founder and Executive Director of Sarrel Group

For a free 30 day trial of VMware Go Pro, click here.

The life of a small business IT person is not an easy one.  While big businesses have entire IT shops staffed by people with titles such as “network administrator,” “support tech level 1,” and “SQL developer,” small businesses typically have one to three IT people with titles such as “IT jack-of-all-trades,” “computer guy” and, my all-time favorite, “Hey you, fix this!”  Days are filled with development of detailed plans that may or may not ever be implemented because you’re too busy putting out fires.  The boss won’t hire additional staff, yet expects that her question about how to bold something in Word be given greater priority than securing the company’s web site.  It’s enough to make you pull your hair out (if you still have it).

And it doesn’t stop at the end of the day.  Many small business IT administrators use evenings and weekends to work on long-term projects without interruption.  But what happens when something goes wrong and you’re not there?  If you’ve had the foresight to build remote administration services (and the luck to have them funded), then you just might be able to save yourself a trip to the office.   I remember back to the days of my first network: when a certain device would go down on the weekends my pager would go off and I’d have to drive to work just to cycle power on that device.  My boss knew the device was essential, but wouldn’t allocate funds for a new one or for an acceptable remote administration solution.

If this scenario sounds familiar to you, then VMware Go Pro is definitely something you need to check out.  The combination of proactive and reactive measures available via a web interface eases the burden of installing and configuring not only virtual machines but also physical ones.  Imagine how much time you’d save if you could automate patch scanning, application, and remediation.  And now imagine how much more comfortable you could be if you could do this from anywhere.

For example, this has been a hectic few weeks for me.  I’ve got test projects going on in the lab plus I’ve been flying all over the country for meetings and trade shows.  I need test systems to be up and running for my employees, but I’m not even in the same half of the country as my lab.  The whole business can’t grind to a halt because I’m not there to patch operating systems, applications, and hypervisors, but the business will grind to a halt if I stop flying around and bringing in new clients.

With VMware Go Pro I can simply log in over the web, immediately see the status of my test machines, and fix whatever software issues have arisen.  The dashboard shows me the following:

And when I click “take action,” VMware Go Pro begins to walk me through remediating any active issues.

It’s only a matter of minutes for me to walk through scanning for and deploying missing patches.  Sure, I’ll sit outside in the sun 2000 miles away from the lab and let VMware Go Pro do the work for me.

Hey, while I’m here in the VMware Go Pro interface I can schedule scanning and deployment to take place without my intervention.  Hmmm.  A self-maintaining lab sounds pretty good to me – I can import existing ESXi and vCenter Servers so they can be managed by VMware Go Pro, increasing my operating efficiency by placing all of my virtualized resources under a common management platform.  And then with all of my newly found free time I can use VMware Go Pro to deploy more hypervisors and VMs.  It’s  so easy to manage them all under  a single console that I might as well.

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

 

 

The Meaning of Out-of-band Patches and Their Microsoft History

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.

We can set our calendars to every second Tuesday of the month (known as Patch Tuesday) for new Microsoft security bulletins.  Microsoft Patch Tuesday has become a ritual for the IT security industry.  Today is a stark reminder that you must always be vigilant and informative on the happenings in the security industry.  At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.

When is an out-of-band patch warranted?

Only a software vendor can make the decision on when a patch for a vulnerability should be released out-of-band from its normal release cycle.  Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the software affected could present a major attack outbreak.  With today’s release, all three of these criteria have been met.

Out-of-band patch releases are risky for the software vendor

When a patch is deemed necessary to be released out of band, the software vendor creating the patch is taking on risk.  In my previous post, I talked about the risk that IT administrators may take when implementing workarounds.  With software vendors, the risk of incorrect patch creation and testing is greatly increased.  The patch may fix the vulnerability, but there is always the possibility that a software patch will break normal functionality of a program.   For example: a patch fixes a vulnerability but the program now crashes when printing or saving.

Pay attention to all patches after applying, especially out-of-band patches

There is a chance with any patch that functionality could be broken.  With out-of-band patches, pay attention to the product patched to ensure other functionality is not broken.  If you find some functionality is broken, do not simply remove the patch.  Contact the software vendor and to determine if restoring the functionality but re-introducing the vulnerability is work the risk.

Out-of-band patch releases, not as common as we think

Since January 2010, Microsoft has released 269 security bulletins.  Only six of these bulletins (including today’s release) have been release out-of-band.  In fact, the last out-of-band patch release from Microsoft came nine months ago.

Year

Total Bulletins

Out-of-Band

% Out-of-band

2010

106

4

~4%

2011

100

1

~1%

2012

63*

1

~2%

(Note: 2012 includes today’s security bulletin release)

Security advisories do not mean out-of-band

Previously, I talked about zero-day vulnerabilities and security advisories.  Microsoft quite often will release security advisories throughout any given month.  The majority of these security advisories (pertaining to zero-day vulnerabilities) are fixed during a scheduled Patch Tuesday.  Below, you can see all of the security advisories Microsoft has released and the date they have released a patch to fix the vulnerability.  As you can see, active exploits happen quite often and do not warrant an out-of-band patch.

Advisory Release Date

Advisory #

Vulnerable MS Product

Fixed In

Fixed Date

Out-of-band

Days Between Advisory/Release

1/14/2010

979352

Internet Explorer

MS10-002

1/21/2010

Yes

7

11/13/2009

977544

OS – SMB

MS10-020

4/13/2010

No

150

1/20/2010

979682

OS – Kernel

MS10-015

2/9/2010

No

19

2/3/2010

980088

Internet Explorer

MS10-035

6/8/2010

No

125

2/9/2010

977377

OS – SChannel

MS10-049

8/10/2010

No

181

3/1/2010

981169

OS – VBscript

MS10-022

4/13/2010

No

42

3/9/2010

981374

Internet Explorer

MS10-018

3/30/2010

Yes

21

4/29/2010

983438

Sharepoint

MS10-039

6/8/2010

No

39

5/18/2010

2028859

OS – Canonical Display Driver

MS10-043

7/13/2010

No

55

6/10/2010

2219475

OS – Help

MS10-042

7/13/2010

No

33

7/16/2010

2286198

OS – Windows Shell

MS10-046

8/2/2010

Yes

16

9/17/2010

2416728

.NET Framework

MS10-070

9/27/2010

Yes

10

11/3/2010

2458511

Internet Explorer

MS10-090

12/14/2010

No

41

12/22/2010

2488013

Internet Explorer

MS11-003

2/8/2011

No

46

1/4/2011

2490606

OS – Windows Shell Graphics

MS11-006

2/8/2011

No

34

1/28/2011

2501696

OS – MHTML

MS11-026

4/12/2011

No

74

9/26/2011

2588513

OS – SSL/TLS

MS12-006

1/10/2012

No

104

11/3/2011

2639658

OS – Kernel-Mode Drivers

MS11-087

12/13/2011

No

40

12/28/2011

2659883

.NET Framework

MS11-100

12/29/2011

Yes

1

6/12/2012

2719615

MS XML Core Services

MS12-043

7/11/2012

No

29

7/24/2012

273711

Exchange Server

MS12-058

8/15/2012

No

21

9/17/2012

2757760

Internet Explorer

MS12-063

9/21/2012

Yes

4

(Note:  Not all security advisories from Microsoft have a bulletin associated.  Some security advisories have workarounds, information only or non-security patches associated.  These security advisories are not included in this list.)

Today’s scheduled security bulletin affects an Internet browser, so this should be high on your priority list for patch deployment today or this weekend.  With any out-of-band release, you should deploy the patch as soon as possible to prevent any attackers from taking advantage of the vulnerability on your network.

 

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

Zero-Day Vulnerabilities and What it Means to Your Organization

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

Note:  This is not an attack on Microsoft’s security process or vulnerabilities in their products.  Microsoft has one of the best information sharing policies that allows us to look deep into each security patch and software vulnerability.  In comparison, other vendors such as Apple and Oracle , typically only disclose very basic information on their process, vulnerabilities and patches.

There are many factors that go into classifying a zero-day vulnerability that will require an out-of-band patch release.  A zero-day vulnerability is described as a vulnerability that is actively being exploited by attackers where the vendor does not have a patch to fix the vulnerability. Understanding the types of vulnerabilities that may put your environment at risk will help you determine the level of protection that is needed across your environment.

Types of attacks
There are two different types of attacks that are factored into zero-day exploits.  The first classification is a targeted attack.  A targeted attack is a scenario where an attacker is targeting a specific company or group type.  These attacks are commonly dubbed with terms such as ‘limited’ and ‘targeted.’  A targeted attack does not affect the majority of users and the victim company typically works closely with the software vendor for investigation and a solution.

The second classification of an attack is a wide spread attack.  These attacks do not discriminate against specific companies or groups as the attack is aimed at the general public.  An example of this type of an attack is a malicious website preying on unpatched browsers or a worm attempting to exploit vulnerabilities on operating systems to create a bot network.

Targeted attacks usually do not prompt a software vendor to offer an out-of-band fix for the vulnerability as the vendor will work directly with the victim company to provide a workaround just for that company until the fix is made public.  Wide spread attacks usually prompt a software vendor to offer an out-of-band fix for the vulnerability as the general population is at risk for becoming attacked.

Understanding the type of zero-day vulnerability
There are two words that can distinguish the severity of a zero-day vulnerability that administrators should pay particular attention to – authenticated versus unauthenticated.  An authenticated attack requires an attacker to know information about the target to pull off an exploit of the vulnerability.  An example of this is a password to an account to gain access to the target system.  On the other hand, an unauthenticated attack requires no knowledge about a target system.  An example of this is a worm that exploits an operating system service without needed any information.

Is the vulnerability publicly disclosed?

A vulnerability has two ways of being disclosed, or known.  The first type is a privately disclosed vulnerability (also known as responsible disclosure).  A researcher that finds a vulnerability in a software program and only informs the software vendor about the vulnerability is a privately disclosed vulnerability.  This type of vulnerability is not widely known where attackers can research and implement attacks upon it.

The second type is a publicly disclosed vulnerability.  This type of disclosure can happen through two methods.  First, a security researcher can release the research done on a zero-day vulnerability to the public.  Second, an attacker can release the research of a zero-day vulnerability to a hacker community to share resources.  In the case of publicly disclosed vulnerabilities, the severity of the vulnerability is extreme.

Type of software or service
This is one of the most important factors of a zero-day vulnerability.  I like to make the analogy of typical attackers are a lot like sales people.  A sales person wants to find the widest range of an audience to sell to.  With this, a sales person is more likely to sell more than concentrating on a single prospect.  A typical attacker is similar in the fact that he or she wants to attack as many machines as possible to maximize results.  Today’s attacking method is looking for a result of gaining information for financial gain.  In the past, attackers typically could be seen as looking for notoriety.

Internet Browsers are the most commonly attacked software.  If an attacker can identify a zero-day vulnerability in any browser, Microsoft or non-Microsoft, the attacker can simply erect websites in hopes he/she can entice (social engineer) a person to visit the site with unpatched software to exploit their machine.

Attackers will also target any commonly used service on an operating system to carry out an attack.  Any service that has an unauthenticated vulnerability is a prime candidate for an attack.

Dealing with zero-day vulnerabilities

Monitor Vendors
Microsoft has a good track record in the software industry in regards to disclosing information around their patches and vulnerabilities.  With a Microsoft zero-day vulnerability, they will announce information when they are aware of publicly disclosed vulnerabilities and vulnerabilities that are being actively exploited.  Microsoft will publish a security advisory with the affected products, details on the effects of the vulnerability and any workarounds to help mitigate some of the risk with the vulnerability.

Other Resources
With a zero-day vulnerability, the information is spreading through many channels.  Using a resource such as the patchmanagement.org mailing list will help keep an eye on all of these active channels.  These channels are independent groups from the affected software vendor and typically provide information on how to implement workarounds provided by IT administrators that are researching the vulnerability, and any information antivirus vendors publicly release on the vulnerabilities.

Implement workarounds
At times, software vendors will supply workarounds to help mitigate the risk with vulnerabilities.  It is important to read all documentation thoroughly.  Typically, workarounds will reduce functionality on systems.  The decision on whether to implement a workaround is a risk decision that each administrator must decide.  For example, is the risk great enough to implement the workaround?  If this workaround will reduce functionality on my systems, in turn increasing the volume of support calls, but preventing a vulnerability from being exploited, is it worth implementing?  This decision is a delicate balance and there is no one answer that applies to each organization.

Antivirus
Antivirus programs are a reactionary security method.  This means, an antivirus program reacts to a virus on a system and subsequently prevents the malicious program from running.  The virus has already exploited the system and resides on the system.  Fully patching a system prevents an attacker from exploiting a vulnerability and running a malicious program (virus).  With the case of a zero-day vulnerability, a patch is not available from the vendor.  Therefore, it is absolutely critical to have an antivirus program that is up to date with the latest definition files.  Vendors, as in the case with Microsoft, work very closely with antivirus vendors to help combat the viruses and malware that target zero-day vulnerabilities.

Not all zero-day vulnerabilities have out-of-band patches
An out-of-band patch is quite rare when it comes to patching vulnerabilities.  Some of the vulnerabilities on a given Patch Tuesday could already have active attacks against them.  A decision on whether or not to release an out-of-band patch is completely in the hands of the software vendor. Some of the determining factors software vendors will take into account when determining to release an out-of-band patch include:
Is it close enough to our normal release cycle to wait on the patch release?
Are the attacks limited or targeting?
Are there more and more malware samples being created each day?
Will the quality of the accelerated patch break functionality?

Microsoft Vulnerability History
Since January 2010 through this September Patch Tuesday release, Microsoft has addressed 606 vulnerabilities in their products.

~15% of these vulnerabilities were publicly known
~4% of these vulnerabilities were actively exploited

As you can see below, the number of known and actively exploited has remained constant since 2010.  (Note:  2012 is an incomplete year with only partial data)

Year

Total Vulnerabilities

Publicly Known Vulnerabilities

Actively Exploited Vulnerabilities

% Known

% Exploited

2010

93

16

3

~17%

~3%

2011

212

35

7

~17%

~3%

2012

125

19

8

~15%

~6%

Today, we will see an out-of-band patch release from Microsoft.  I will be talking in detail about Microsoft’s history of out-of-band patch releases as well as the new out-of-band patch and how it could protect your network environment.

 

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

Get a Free Year of VMware Go Pro with Your Purchase of vSphere Essentials and Essentials Plus Kits!

Did you know that you can get a year’s free subscription to VMware Go Pro included in your purchase of vSphere Essentials and Essentials Plus? Now you do!

If you’re looking to break into virtualization, this is a no-brainer. Not only do you receive the industry’s leading and most reliable virtualization platform in vSphere, but you also get the perfect on-ramp to virtualization in VMware Go Pro. Using just your browser, VMware Go Pro helps ease novice users into virtualization via a series of proactive tips and wizards that help walk individuals through the entire onboarding process.

What does this all mean? You can now deploy, manage and monitor your infrastructure via a single pane, VMware Go Pro. You’ll get a free subscription for VMware Go Pro that covers up to 30 seats of patch management.

This deal is valid through December 15. You don’t want to miss out on this one –
learn more here!

Not quite ready? Try a free 30-day trial of VMware Go Pro.

Microsoft Security Advisory 2757760 Released

This blog post is a re-post from the Shavlik blog. You can view the original post here.

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

There has been some chatter in the past few days regarding a zero-day vulnerability in Internet Explorer that is currently being exploited.  Microsoft released a new security advisory (2757760)for this vulnerability.  Internet Explorer versions 6, 7, 8 and 9 are affected by this vulnerability.  Internet Explorer 10, which is bundled with Microsoft Windows 8 and Server 2012, is not affected by this vulnerability.

Microsoft has a few suggested actions to mitigate against attacks on the vulnerability.  First, administrators can deploy the Enhanced Mitigation Experience Toolkit (EMET).  This workaround cannot guarantee an attacker will not be successful on attacking this vulnerability, but EMET will make attempts difficult for attackers.

You can also set your Internet Explorer security settings for AcitveX Controls and Active Scripting to ‘High.’  This will help protect against attacks, but this setting will present many issues for users.  Many web pages will not properly display information due to the restricted security settings.

The next Patch Tuesday is still 21 days away and I am expecting a bi-monthly cumulative update for Internet Explorer during the October 2012 Patch Tuesday.  That is quite a bit of time between a potential security bulletin release and a zero-day vulnerability that has attacks against it.

In the meantime, there are a couple of other steps you can protect against exploitation on your network.  First, ensure you have an anti-virus program with up to date definition files on all of your servers and workstations.  Many anti-virus vendors have this current threat in their detection logic.  Other viruses could be coming in the near future, but anti-virus vendors are aware of the situation and keeping an eye on the threat landscape.

Another step you can take is to use a different browser in the meantime.  This is going to be very difficult for organizations.  First, administrators will need to deploy a non-Microsoft browser to all of their users.  Second, administrators must find a way to enforce the use of the non-Microsoft browser on all workstations.  This in itself is almost impossible.  Using a non-Microsoft browser in the meantime will be easier for home users.

Stay tuned to Microsoft and here for any new information coming forth on this newest threat.

– Jason Miller

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

Weekly Links – September 14, 2012

Just when we thought we didn’t need to buy a new smartphone, the iPhone 5 happens… Curse you, Apple!

Anyway, happy Friday folks! Anybody have any fun plans this weekend? And no, “cleaning out my gutters while my wife glares at me from between the closed blinds” does NOT constitute “fun plans.”

Your links of the week:

Apple devices only? That’s not BYOD (InfoWorld)

6 Uncomfortable Questions IT Teams Should Ask (InformationWeek)

QR Codes Offer Bad Guys Yet Another Opening for Malware (IT Business Edge)

From Pioneer to Curiosity: The IT inside NASA’s spacecraft (ZDNet)

Watch Jimmy Kimmel fool people into thinking the iPhone 4s is actually an iPhone (YouTube)

This week’s apropos of nothing image comes to us from Denali National Park in Alaska. I want to go to there:

You can read our previous links round-ups here. And be sure to visit go.vmware.com for more information on how we can help you better manage your IT infrastructure.

Better yet, you can try it for yourself here – and it’s free!

Happy Patch Tuesday (unless you’re GoDaddy, that is…)

Happy Patch Tuesday, everybody! Like you, we’ve been following the ongoing saga with GoDaddy for the better part of the past day-plus now. Was it or was it not a hacker? Was said hacker actually tied to Anonymous, or just a glory hog? Time will tell… Maybe.

In any event, it’s a shame to see so many small and mid-sized businesses that host their domain on GoDaddy affected by this – and a stark reminder to always keep your patches up to date to minimize vulnerabilities to external attacks.

Here’s a quick recap of how this ongoing saga has unfolded over the past 24 hours:

If you’d like to learn more about how VMware Go Pro can help you better manage your patch updates (as well as your wider IT infrastructure), be sure to visit go.vmware.com for more information.

Better yet, you can try it for yourself here – and it’s free!

Weekly Links – September 7, 2012

Summer, we hardly knew ye…unless you’re in the Bay Area, that is. If so, woohoo for Indian Summer!

In any event, it’s that time of year again, when the vacations trickle to a lull and we all slog through the daily grind with no hope whatsoever until the holiday season. But take heart, friends. We come bearing links!

10 tech expenses your business can do without (InfoWorld)

September’s Patch Tuesday is a lightweight (Infosecurity Magazine)

Chinese company uses leaked photos to copy, patent iPhone 5 design (bgr.com)

Most IT admins considered switching careers due to stress (Help Net Security)

How to Succeed with Big Data (IT Business Edge)

And now for this week’s apropos of nothing image, which is dedicated to all of you Tesla lovers out there:

You can read our previous links round-ups here. And be sure to visit go.vmware.com for more information on how we can help you better manage your IT infrastructure.

Better yet, you can try it for yourself here – and it’s free!

Survey: VMware Go Pro Helps SMBs Accelerate Virtualization Projects, Reduce Overall IT Costs

We recently wrapped up a survey of our customer base and gleaned some interesting facts about specific ways in which VMware Go Pro is supporting virtualization projects and streamlining overall operations for small and mid-sized IT departments.

Here’s a sampling of some of our major findings:

Virtualization and VMware Go Pro: A Match Made in Heaven

Based on this research, it’s abundantly clear that virtualization deployment and management is one of, if not the, major functions for VMware Go Pro in nearly every deployment. According to a pool of over 100 respondents, enabling single point management to view, monitor and modify virtual environments (53%) and quickly installing a vSphere Hypervisor (51%) were the two most common virtualization-centric use cases for VMware Go Pro. An additional 36% reported using VMware Go Pro to effortlessly deploy virtual machines.

Monitor and Manage Physical and Virtual Infrastructure From a Single View

In addition to being a reliable onramp for virtualization projects, VMware Go Pro provides a universal management console for physical and virtual machines alike. In a separate survey of 132 users, VMware Go Pro was cited for its ability to secure both physical and virtual infrastructures (40%), track and manage hardware assets (27%), control software inventory and licenses (26%) and streamline trouble ticket management (6%).Reduce IT Costs with VMware Go Pro

VMware Go Pro is built for cost-conscious IT departments and aims to automate (and in some cases, eliminate) tedious, time-consuming tasks. Users cited the following as major areas in which VMware Go Pro has helped reduce IT costs: reducing downtime via patching for Windows/non-Windows applications (32%), reducing administrative tasks via wizards and web-based tools (32%), eliminating the need for other IT management solutions (27%).

Check back here soon for some additional data around specific customer use cases with VMware Go Pro.

Interested in learning more about VMware Go Pro? Register here for a FREE trial today!