
Tag Archives: jason miller

This Week in Patching – 1/25/2013

By: Jason Miller, Manager of Research and Development at VMware

After an eventful couple of weeks in patch management, this week was relatively quiet.  Here is a quick recap of the happenings in patch management this week.

On Monday, a new version of Audacity was released.  Audacity 2.0.3 is a non-security update fixing numerous issues.

On Tuesday, Google released new security updates for their Chrome and Chrome Frame browsers.  Google Chrome / Chrome Frame version 24.0.1312.56 fixes three high-severity and two medium-severity vulnerabilities.

On Wednesday, Core FTP published the details for version 2.2.  This version was originally released on January 17th, but the release details were only provided on Wednesday.  This new version is a non-security update.

Last up for this week are new versions of MozyHome and MozyPro released today.  MozyHome and MozyPro version 2.18.3.247 are both non-security updates.

Happy Patching!

– Jason Miller

Interested in a free 30 day trial of VMware Go Pro for patch management, IT management, virtualization and more? Click here.

This Week in Patching – 1/14/2013

By: Jason Miller, Manager of Research and Development at VMware

Happy New Year.  I hope IT administrators got some much needed patching rest over the past couple of weeks.  2013 has started out quite heavy in the world of patching.

This week was highlighted by a busy Patch Tuesday.  You can read my write up on the January 2013 edition of Patch Tuesday here.

Other vendors also released critical security bulletins on Patch Tuesday.  Adobe released two security bulletins.  APSB13-02 was pre-announced last Thursday as part of the quarterly update for Adobe Acrobat and Adobe Reader; Adobe Acrobat / Reader versions 9.5.3, 10.1.5 and 11.0.1 address 27 vulnerabilities and are rated Critical.  APSB13-01 was not pre-announced by Adobe, but I expected it once Microsoft announced last Thursday that an update for Adobe Flash Player in Internet Explorer 10 would ship on Patch Tuesday.  APSB13-01 addresses one vulnerability in Adobe Flash Player versions 10 and 11 (as well as Adobe AIR 3.5).

Mozilla also released security updates to coincide with Microsoft’s Patch Tuesday.  The most notable was the major update to Firefox: Mozilla Firefox 18 contains new features as well as security fixes.  For organizations that do not want to roll out new features in their Mozilla products, out of concern that the new features will break functionality, Mozilla continues to offer the ESR (Extended Support Release) products.  Those updates contain the security fixes but no new features.

Here is the detailed list of Mozilla updates released on Patch Tuesday:

  • Mozilla Firefox 18
    • Security update addressing 12 Critical, 8 High and 1 Moderate Mozilla Security Advisories (30 vulnerabilities)
  • Mozilla SeaMonkey 2.15
    • Security update addressing 12 Critical, 7 High and 1 Moderate Mozilla Security Advisories (26 vulnerabilities)

The other notable updates this week were released on Thursday.  Google updated their Chrome and Chrome Frame browsers with version 24.0.1312.52.  This new version fixes 24 vulnerabilities and includes the updated Adobe Flash Player that Adobe released on Patch Tuesday.  Over the past year, Google has kept Chrome in sync with Adobe’s Flash Player releases; interestingly, this time Google’s release came two days after the Adobe Flash Player release.

There were also some non-security updates released on Thursday.  MozyHome and MozyPro were updated to version 2.18.2.244.  Microsoft released a new version of Skype, 6.1.0.129, which now integrates with Microsoft Office Outlook contacts.

Happy Patching!

– Jason Miller


This Week in Patching – 1/7/2013

By: Jason Miller, Manager of Research and Development at VMware

Patching came to a quiet end in 2012 and 2013 is starting off with a bang.  Here is a quick recap of the happenings in patch management this week:

On Wednesday, a new version of CDBurnerXP was released, version 4.5.0.3717.  This new version is a non-security update.  On Friday, Google released a non-security update for their Picasa program, version 3.9.136.120.

Microsoft announced their January 2013 Patch Tuesday Advance Notification.  You can read my write up here on the upcoming Patch Tuesday.  In addition to the seven Microsoft security bulletins being released next Tuesday, there are quite a few non-Microsoft patches being released on Patch Tuesday.

Adobe announced they will be releasing updates for their Adobe Reader and Adobe Acrobat programs (versions 9/10/11).  These updates are rated as critical and are part of their quarterly update for Adobe Acrobat and Reader.

In addition, Mozilla is lining up to release updates as well for their products.  You can expect updates for their Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey products.

On Microsoft’s preannouncement page for upcoming non-security updates, they have listed Adobe Flash Player for Internet Explorer 10.  With this in mind, expect updates from Adobe for Adobe Flash Player and Google Chrome on Patch Tuesday.  With every Adobe Flash Player release, Microsoft and Google update their browsers to supply the latest version of the Flash Player program.

On the Microsoft Security Advisory front, Microsoft released a new security advisory on Thursday.  Microsoft Security Advisory 2798897 addresses fraudulently issued digital certificates: the update places the offending certificates in the Untrusted Certificates store on systems, so Windows rejects them during certificate chain validation regardless of which CA issued them.  In June 2012, Microsoft released a tool that runs on systems and quickly moves revoked certificates into the untrusted certificate stores.  This tool gives administrators an easy and quick way to pick up the certificate revocations Microsoft publishes, and can be downloaded here.  For those who do not want to use the tool, Microsoft has provided patches for this certificate issue that can be applied to systems.
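As an added example (not code from the original post or from Microsoft), the following PowerShell check confirms, after the advisory’s update or the June 2012 tool has run, that the revoked certificates actually landed in the Windows Untrusted Certificates store (the `Disallowed` store in the `Cert:` drive).  The page does not reproduce the advisory’s certificate thumbprints, so the `$Thumbprints` argument and the all-zero thumbprint in the usage line are placeholders to be replaced with the values from the advisory.

```powershell
# Added example, not code from the original post or from Microsoft.
# Confirms that given certificate thumbprints are present in the Untrusted
# Certificates ("Disallowed") store. Windows consults this store during chain
# building before any trusted root or intermediate store, so a match here
# blocks the certificate even if a copy also sits in a trusted store.
function Test-DisallowedCertificate {
    param(
        [Parameter(Mandatory=$true)][string[]]$Thumbprints,
        [string[]]$Stores = @('Cert:\LocalMachine\Disallowed',
                              'Cert:\CurrentUser\Disallowed')
    )
    # Load each store once into a thumbprint -> store-path index.
    # A missing or inaccessible store simply contributes no entries.
    $index = @{}
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            if (-not $index.ContainsKey($_.Thumbprint)) { $index[$_.Thumbprint] = @() }
            $index[$_.Thumbprint] += $store
        }
    }
    foreach ($tp in $Thumbprints) {
        # Thumbprints are often copied with spaces or colons; normalize to bare upper-case hex,
        # which is how the Cert: provider reports them.
        $clean = ($tp -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $hits  = @()
        if ($index.ContainsKey($clean)) { $hits = @($index[$clean]) }
        [pscustomobject]@{
            Thumbprint = $clean
            Blocked    = ($hits.Count -gt 0)
            FoundIn    = ($hits -join '; ')
        }
    }
}

# Lists everything currently in the machine-wide untrusted store, newest first,
# which is a quick way to eyeball whether the advisory's update has been applied.
function Get-DisallowedCertificateReport {
    Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' -ErrorAction SilentlyContinue |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

# Usage. The thumbprint below is a placeholder; substitute the advisory's values.
Test-DisallowedCertificate -Thumbprints @('0000000000000000000000000000000000000000') | Format-Table -AutoSize
Get-DisallowedCertificateReport | Format-Table -AutoSize
```

Two caveats when running this: the LocalMachine and CurrentUser stores are separate, so a certificate blocked for the machine is not automatically blocked in a roaming user profile that has its own store, and reading the machine store for a full report is best done from an elevated session.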

Until Patch Tuesday, Happy Patching!

– Jason Miller


This Week in Patching – 12/21/2012

By: Jason Miller, Manager of Research and Development at VMware

Here is a quick recap in the world of patch management.  This week was highlighted by security updates for RealPlayer and Opera.

Late last Friday, Real Networks released an update for the RealPlayer media player.  RealPlayer 16.0.0.282 is a security update addressing two vulnerabilities.

On Saturday, a new version of VLC media player was made available.  VLC 2.0.5 is a non-security update that now includes support for Microsoft Windows 8.

On Sunday, we saw two new patch releases.  CDBurnerXP 4.5.0.3685 and Notepad++ 6.2.3 are non-security updates.

On Monday, new updates were made available for the Mozy software backup program.  MozyHome / MozyPro 2.18.1.235 are both non-security updates.

On Tuesday, Opera released a new version of their Internet browser.  Opera 12.12 is a security update addressing two vulnerabilities on Windows that could lead to Remote Code Execution if exploited.

Happy Patching!

– Jason Miller


This Week in Patching – 12/14/2012

By: Jason Miller, Manager of Research and Development at VMware

This week in patching was highlighted by Microsoft’s December 2012 Patch Tuesday.  Microsoft released seven security bulletins addressing 12 vulnerabilities.  You can read my full write up on Patch Tuesday here.

On the non-Microsoft front, Adobe released an update for their Adobe Flash Player and AIR products.  Adobe Security Bulletin APSB12-27 addresses three vulnerabilities and is rated Critical.  Adobe has started a trend of releasing security updates for Flash Player on Microsoft’s Patch Tuesday.  This trend will probably continue, as Microsoft and Google both bundle Adobe Flash Player in their latest browsers.

On that note, Microsoft released an update for their security advisory (KB2755801) to include the latest version of Adobe Flash for Internet Explorer 10.  Google released an update on Patch Tuesday for their Chrome browser.  Google Chrome 23.0.1271.97 contains the latest version of Adobe Flash Player as well as addressing six Google Chrome vulnerabilities.

To wrap up Patch Tuesday, Apache released a new version of Tomcat for Windows with version 7.0.34.  This latest version of Tomcat is a non-security update.

On Thursday, Oracle provided updates for Java versions 6 and 7.  Java 6 update 38 and Java 7 update 10 are non-security releases.  The next scheduled security update for Oracle Java is planned for February 19, 2013.  It is important to note that this will be the last scheduled security update for Java version 6; after that date, Oracle will continue to provide security updates only for Java version 7.  In the next few months, administrators should start testing the upgrade from Java 6 to Java 7.  Java can be quite tricky to upgrade: there are cases where older software programs that rely on Java simply will not work with the latest version.  By June 18, 2013, the first scheduled security update after Java 6 has reached end of life, administrators should be upgraded to Java 7.
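As an added example (not code from the original post or from Oracle), here is a PowerShell inventory that finds the Java runtimes Oracle’s installer registers on a Windows machine and flags Java 6 installs against the February 19, 2013 last-security-update date given above.  It assumes the registry layout Oracle’s Windows installer writes (`HKLM\SOFTWARE\JavaSoft\Java Runtime Environment`, plus the `Wow6432Node` view for 32-bit Java on 64-bit Windows); the version-parsing function is separated out so it can be checked on its own.

```powershell
# Added example, not code from the original post or from Oracle.
# Inventories installed Java runtimes from the registry and flags Java 6 against
# the end-of-life date given in the post (February 19, 2013, the last scheduled
# security update for Java 6).
$Java6LastSecurityUpdate = [datetime]'2013-02-19'

function Get-JavaSupportStatus {
    # Parses an Oracle version string such as "1.6.0_38" or "1.7.0_10" and
    # returns the major version, update number and a support verdict as of $AsOf.
    param(
        [Parameter(Mandatory=$true)][string]$Version,
        [datetime]$AsOf = (Get-Date)
    )
    if ($Version -match '^1\.(\d+)\.0_(\d+)$') {
        $major  = [int]$Matches[1]
        $update = [int]$Matches[2]
        if ($major -ge 7)                           { $status = 'Supported' }
        elseif ($major -lt 6)                       { $status = 'Unsupported (older than Java 6)' }
        elseif ($AsOf -lt $Java6LastSecurityUpdate) { $status = 'Java 6: plan upgrade before last security update' }
        else                                        { $status = 'Java 6: end of life, upgrade required' }
    } else {
        $major = $null; $update = $null; $status = 'Unrecognized version string'
    }
    [pscustomobject]@{ Version = $Version; Major = $major; Update = $update; Status = $status }
}

function Get-InstalledJavaRuntime {
    # Oracle registers each runtime under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment
    # (and under Wow6432Node for 32-bit Java on 64-bit Windows). Full-version subkeys
    # such as "1.7.0_10" carry JavaHome; family keys such as "1.7" are skipped so
    # each install is reported once.
    param([datetime]$AsOf = (Get-Date))
    $roots = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
               'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | Where-Object { $_.PSChildName -match '_' } | ForEach-Object {
            $props  = Get-ItemProperty -Path $_.PSPath
            $status = Get-JavaSupportStatus -Version $_.PSChildName -AsOf $AsOf
            [pscustomobject]@{
                Version  = $status.Version
                Status   = $status.Status
                JavaHome = $props.JavaHome
                Registry = $_.Name
            }
        }
    }
}

# Usage: list what is installed, then only the runtimes that need an upgrade.
Get-InstalledJavaRuntime | Format-Table -AutoSize
Get-InstalledJavaRuntime | Where-Object { $_.Status -like 'Java 6*' } | Format-Table -AutoSize
```

The registry only knows about runtimes the Oracle installer wrote; applications that bundle a private JRE under their own directory will not appear, so pair this with a file-system search for `java.exe` before declaring a machine Java 6 free.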

On Friday, Apple provided an update for their iTunes product with version 11.0.1.  This update addresses non-security issues with their recent major upgrade to version 11.

Typically, the last two weeks of the year are very quiet for vendors releasing patches for their software.  If any vendor does release updates, I will be back next Friday with an update on the happenings in patch management.  If not, I will be getting a head start on ringing in the New Year.

Happy Patching and Happy Holidays!

– Jason Miller


This Week in Patching – 12/7/2012

By: Jason Miller, Manager, Research and Development at VMware

This week in patching was a very light week with very few releases.  This is not unusual for this time of the year: in the past few years, I have typically seen a lighter number of releases from software vendors during the month of December.  Here is a quick recap of the happenings in patching this week:

On Monday, Foxit released a new version of Foxit Reader with version 5.4.4.11281.  This update is a non-security update.

On Wednesday, The Document Foundation released an update for their 3.6.x LibreOffice program with LibreOffice 3.6.4.  This release is also a non-security update.

Next Tuesday marks the December 2012 edition of Patch Tuesday.  I will be going into detail on all of the happenings here next Tuesday.

Happy Patching!

– Jason Miller


This Week in Patching – 11/30/2012

By: Jason Miller, Manager, Research and Development

This week was highlighted yet again by browser updates addressing security vulnerabilities.  Google released updates for their Chrome and Chrome Frame browsers addressing multiple vulnerabilities.  On Monday, Google Chrome 23.0.1271.91 was released and it addresses seven vulnerabilities.  On Thursday, a second update was provided with Google Chrome version 23.0.1271.95.  The latest version addresses two security vulnerabilities.

A little background and history on Google’s vulnerability reward program:

In November 2010, Google implemented a vulnerability reward program that lets security researchers earn financial rewards for responsibly disclosing vulnerability information to Google.  Responsible disclosure means a vulnerability is submitted to the vendor and its details are not made public until a fix has been released for the affected software.

One of the vulnerabilities fixed in the latest version of Google Chrome is credited to the hacker known as “Pinkie Pie.”  This vulnerability netted Pinkie Pie a cool $7,331.  This is not the first time Pinkie Pie has received a reward in the vulnerability reward program.  Back in March, Pinkie Pie received $60,000 for a vulnerability in Google Chrome during the Pwnium contest.  In October, the Pwnium 2 contest was held and Pinkie Pie received another $60,000 for winning the contest.  I would say netting $127,331 on vulnerabilities found and responsibly disclosed makes 2012 a great year for both Google and Pinkie Pie!

Back to this week’s patches:

On Wednesday, the Wireshark Foundation released a security update for their Wireshark product.  Wireshark 1.8.4 addresses 11 vulnerabilities and Wireshark 1.6.12 addresses six vulnerabilities.

On Thursday, Apple released a new version of their iTunes software, version 11.  This new version includes many new features and possibly addresses vulnerabilities.  The product release notes contain a link to Apple’s security updates section, but no vulnerabilities have been announced.  Apple can be a bit slow to release vulnerability information, so I will be watching during the next week for any announcements.

Today, FileZilla has released yet another update for the FileZilla Client.  FileZilla Client 3.6.0.2 is a non-security update addressing two issues.

Happy Patching!

– Jason Miller


This Week in Patching – 11/16/2012

By: Jason Miller, Manager, Research and Development

This week in patching was highlighted by Microsoft’s Patch Tuesday.  Microsoft released six new security bulletins addressing 13 vulnerabilities.  I have a full write up on Patch Tuesday here.

On the non-Microsoft front, I did not see any security updates released.  However, there were a few non-security updates released that you may want to get installed to fix various issues.

On Monday, two vendors released updates for their programs to fix crashing issues.  Notepad++ 6.2.1 and FileZilla 3.6.0 are non-security updates fixing crash issues.

On Tuesday, an update for AT&T Global Network Client was released with version 9.1.0.  The release notes have not been updated yet.  Without published release notes, I am assuming at this point that the release is a non-security update.

VMware also released updates for MozyHome and MozyPro with version 2.18.0.227.  These updates are non-security updates fixing numerous issues and introducing new features.

On Thursday, Microsoft released a new version of Skype with version 6.0.0.126.  The highlight of this non-security update is a fix that addresses issues when upgrading to the latest version of Skype.

Due to the holiday week next week, I will not have a weekly write up for the week in patching next Friday.  I will provide an update in patching for the holiday week the following Monday.

Happy Patching!

– Jason


This Week in Patching – 10/19/2012

By: Jason Miller, Manager, Research and Development

It is that time for a weekly recap of the happenings of patch management.

This week was highlighted by a critical security update from Oracle.  Oracle released Java 7 update 9 and Java 6 update 37 as part of their quarterly update.  These updates address 28 vulnerabilities, some of which were zero-day vulnerabilities.  With any patch addressing zero-day vulnerabilities, administrators will want to patch as soon as possible.  Apple also released a matching update for the Java it ships, coinciding with Oracle’s release.  The next scheduled update for Java is set for February 19, 2013.

On Wednesday, Adobe released new versions of their Adobe Acrobat and Reader product lines.  Adobe Acrobat / Reader 11 (or XI) is a new major release; it does not deliver any security fixes to the version 9 or 10 product lines.

On Thursday, VideoLAN released a new version of their VLC media player.  The release notes for VLC media player 2.0.4 state that there are fixes for “security issues,” but no CVE has been assigned for this version.

The Document Foundation released a new version of their LibreOffice product that prompted some confusion.  LibreOffice version numbers have steadily increased on a regular cadence: 3.4.x was followed by 3.5.x, and on August 15th a new major version, 3.6.x, arrived and has since been followed by minor releases (3.6.1, 3.6.2).  Yesterday, LibreOffice 3.5.7 was released.  Its version number is lower than the 3.6.x branch, which has confused people.  In a blog posting, LibreOffice stated that the 3.5.x branch will continue to receive updates alongside the 3.6.x branch: 3.5.x is intended as the stable branch, while 3.6.x introduces new features.  Neither LibreOffice 3.5.7 (released yesterday) nor LibreOffice 3.6.2 (released October 4) contains security fixes.

Happy Patching!

– Jason Miller


The Meaning of Out-of-band Patches and Their Microsoft History

By: Jason Miller, Manager, Research and Development at VMware


Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.

We can set our calendars by the second Tuesday of every month (known as Patch Tuesday) for new Microsoft security bulletins; Patch Tuesday has become a ritual for the IT security industry.  Today is a stark reminder that you must always stay vigilant and informed about what is happening in the security industry.  At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.

When is an out-of-band patch warranted?

Only a software vendor can make the decision on when a patch for a vulnerability should be released out-of-band from its normal release cycle.  Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the software affected could present a major attack outbreak.  With today’s release, all three of these criteria have been met.

Out-of-band patch releases are risky for the software vendor

When a patch must be released out of band, the software vendor creating it takes on risk.  In my previous post, I talked about the risk IT administrators take when implementing workarounds.  For the vendor, the compressed schedule greatly increases the risk of a flawed or under-tested patch.  The patch may fix the vulnerability, but there is always the possibility that it breaks normal functionality of the program.  For example: a patch fixes a vulnerability, but the program now crashes when printing or saving.

Pay attention to all patches after applying, especially out-of-band patches

Any patch carries a chance of breaking functionality.  With out-of-band patches, pay close attention to the patched product to ensure other functionality is not broken.  If you find that some functionality is broken, do not simply remove the patch.  Contact the software vendor to determine whether restoring the functionality at the cost of re-introducing the vulnerability is worth the risk.

Out-of-band patch releases, not as common as we think

Since January 2010, Microsoft has released 269 security bulletins.  Only six of these bulletins (including today’s release) have been released out-of-band.  In fact, the last out-of-band patch release from Microsoft came nine months ago.

Year   Total Bulletins   Out-of-Band   % Out-of-band
2010   106               4             ~4%
2011   100               1             ~1%
2012   63*               1             ~2%

(Note: 2012 includes today’s security bulletin release)

Security advisories do not mean out-of-band

Previously, I talked about zero-day vulnerabilities and security advisories.  Microsoft quite often releases security advisories throughout any given month.  The majority of these security advisories (those pertaining to zero-day vulnerabilities) are fixed during a scheduled Patch Tuesday.  Below are the security advisories Microsoft has released that were later fixed by a security bulletin, with the date the fix was released.  As you can see, actively exploited vulnerabilities happen quite often and usually do not warrant an out-of-band patch.

Advisory Release Date   Advisory #   Vulnerable MS Product           Fixed In   Fixed Date   Out-of-band   Days Between Advisory/Release
11/13/2009              977544       OS – SMB                        MS10-020   4/13/2010    No            151
1/14/2010               979352       Internet Explorer               MS10-002   1/21/2010    Yes           7
1/20/2010               979682       OS – Kernel                     MS10-015   2/9/2010     No            20
2/3/2010                980088       Internet Explorer               MS10-035   6/8/2010     No            125
2/9/2010                977377       OS – SChannel                   MS10-049   8/10/2010    No            182
3/1/2010                981169       OS – VBScript                   MS10-022   4/13/2010    No            43
3/9/2010                981374       Internet Explorer               MS10-018   3/30/2010    Yes           21
4/29/2010               983438       SharePoint                      MS10-039   6/8/2010     No            40
5/18/2010               2028859      OS – Canonical Display Driver   MS10-043   7/13/2010    No            56
6/10/2010               2219475      OS – Help                       MS10-042   7/13/2010    No            33
7/16/2010               2286198      OS – Windows Shell              MS10-046   8/2/2010     Yes           17
9/17/2010               2416728      .NET Framework                  MS10-070   9/27/2010    Yes           10
11/3/2010               2458511      Internet Explorer               MS10-090   12/14/2010   No            41
12/22/2010              2488013      Internet Explorer               MS11-003   2/8/2011     No            48
1/4/2011                2490606      OS – Windows Shell Graphics     MS11-006   2/8/2011     No            35
1/28/2011               2501696      OS – MHTML                      MS11-026   4/12/2011    No            74
9/26/2011               2588513      OS – SSL/TLS                    MS12-006   1/10/2012    No            106
11/3/2011               2639658      OS – Kernel-Mode Drivers        MS11-087   12/13/2011   No            40
12/28/2011              2659883      .NET Framework                  MS11-100   12/29/2011   Yes           1
6/12/2012               2719615      MS XML Core Services            MS12-043   7/11/2012    No            29
7/24/2012               2737111      Exchange Server                 MS12-058   8/15/2012    No            22
9/17/2012               2757760      Internet Explorer               MS12-063   9/21/2012    Yes           4

(Days are calendar days from the advisory date to the bulletin release date.)

(Note:  Not all security advisories from Microsoft have a bulletin associated.  Some security advisories have workarounds, information only or non-security patches associated.  These security advisories are not included in this list.)
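To put numbers on the point that most actively exploited issues wait for a scheduled Patch Tuesday, here is an added PowerShell example (not from the original post) that recomputes the advisory-to-bulletin gap from the dates in the table above and summarizes the out-of-band fixes against the scheduled ones.  The row data is transcribed from the table (advisory date, advisory number, bulletin, bulletin date, out-of-band flag); the record and median helpers are this example’s own.

```powershell
# Added example, not code from the original post. Recomputes the gap between each
# security advisory and the bulletin that fixed it, then summarizes out-of-band
# versus scheduled fixes. Rows are transcribed from the table in the post:
# advisory date, advisory number, bulletin, bulletin date, out-of-band (Yes/No).
$AdvisoryRows = @(
    '11/13/2009,977544,MS10-020,4/13/2010,No'
    '1/14/2010,979352,MS10-002,1/21/2010,Yes'
    '1/20/2010,979682,MS10-015,2/9/2010,No'
    '2/3/2010,980088,MS10-035,6/8/2010,No'
    '2/9/2010,977377,MS10-049,8/10/2010,No'
    '3/1/2010,981169,MS10-022,4/13/2010,No'
    '3/9/2010,981374,MS10-018,3/30/2010,Yes'
    '4/29/2010,983438,MS10-039,6/8/2010,No'
    '5/18/2010,2028859,MS10-043,7/13/2010,No'
    '6/10/2010,2219475,MS10-042,7/13/2010,No'
    '7/16/2010,2286198,MS10-046,8/2/2010,Yes'
    '9/17/2010,2416728,MS10-070,9/27/2010,Yes'
    '11/3/2010,2458511,MS10-090,12/14/2010,No'
    '12/22/2010,2488013,MS11-003,2/8/2011,No'
    '1/4/2011,2490606,MS11-006,2/8/2011,No'
    '1/28/2011,2501696,MS11-026,4/12/2011,No'
    '9/26/2011,2588513,MS12-006,1/10/2012,No'
    '11/3/2011,2639658,MS11-087,12/13/2011,No'
    '12/28/2011,2659883,MS11-100,12/29/2011,Yes'
    '6/12/2012,2719615,MS12-043,7/11/2012,No'
    '7/24/2012,2737111,MS12-058,8/15/2012,No'
    '9/17/2012,2757760,MS12-063,9/21/2012,Yes'
)

function ConvertTo-AdvisoryRecord {
    # Turns one CSV row into an object with parsed dates and the calendar-day gap.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Row)
    process {
        $f = $Row.Split(',')
        $culture  = [cultureinfo]::InvariantCulture
        $advisory = [datetime]::ParseExact($f[0], 'M/d/yyyy', $culture)
        $fixed    = [datetime]::ParseExact($f[3], 'M/d/yyyy', $culture)
        [pscustomobject]@{
            AdvisoryDate = $advisory
            Advisory     = $f[1]
            Bulletin     = $f[2]
            FixedDate    = $fixed
            OutOfBand    = ($f[4] -eq 'Yes')
            Days         = [int]($fixed - $advisory).TotalDays
        }
    }
}

function Get-Median {
    # Median of a numeric list; forces an array so single-element input works on PowerShell 2.
    param([double[]]$Values)
    $s = @($Values | Sort-Object)
    $n = $s.Count
    if ($n -eq 0) { return $null }
    if ($n % 2 -eq 1) { return $s[[int][math]::Floor($n / 2)] }
    return ($s[$n / 2 - 1] + $s[$n / 2]) / 2
}

$records = $AdvisoryRows | ConvertTo-AdvisoryRecord

# Per-advisory view, oldest first.
$records | Sort-Object AdvisoryDate |
    Format-Table AdvisoryDate, Advisory, Bulletin, FixedDate, OutOfBand, Days -AutoSize

# Summary: how long an actively exploited issue waited, split by release type.
$records | Group-Object OutOfBand | ForEach-Object {
    $days = @($_.Group | ForEach-Object { [double]$_.Days })
    [pscustomobject]@{
        OutOfBand  = $_.Name
        Count      = $_.Count
        MinDays    = ($days | Measure-Object -Minimum).Minimum
        MedianDays = Get-Median -Values $days
        MaxDays    = ($days | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize
```

Because the gap is recomputed from the dates rather than copied, the script doubles as a check on the table itself; swap the rows for your own vendor’s advisory and bulletin dates to get the same split for a different product.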

Today’s scheduled security bulletin affects an Internet browser, so this should be high on your priority list for patch deployment today or this weekend.  With any out-of-band release, you should deploy the patch as soon as possible to prevent any attackers from taking advantage of the vulnerability on your network.

 

To learn more about VMware Go Pro, please visit go.vmware.com.