
Tag Archives: vulnerability

VMware Go Pro – Now with Migration Features!

Heads up – VMware Go Pro has a cool new feature as of today!

What’s new?

VMware Go Pro now has a migration feature. What does that mean for you, you may ask? You can now easily and seamlessly move virtual machines from one hypervisor or server to another, and shift it back again as needed.

All IT admins have had to deal with a faulty server at one point or another—and they likely know what a painful process migration can be. VMware Go Pro’s new migration feature takes the pain out of this process and allows you to smoothly manage the migration process.

And one more thing…

As if migration functionality wasn’t enough, VMware Go Pro now supports Windows 8 and Windows Server 2012 as well! This means that, among other things, you can now access VMware Go Pro and manage your IT assets from Internet Explorer 10 (assuming you’re not a Chrome or Firefox user, that is…) and better manage patching updates for Microsoft assets.

VMware Go Pro helps you better manage your IT assets and patching updates (including third-party apps) from a simple web-based interface—what’s not to love?

Want to learn more about VMware Go Pro? Click here.

Ready to try it out for yourself? Register here for a free trial!

This Week in Patching – 11/9/2012

By: Jason Miller, Manager, Research and Development

It has been a busy week for patch releases.  Here is a quick recap of the happenings in patch management.

Tuesday

Adobe released a new security bulletin for Adobe Flash Player and Adobe Air.  APSB12-24 addresses seven vulnerabilities and the following versions address these issues:

  • Adobe Flash Player 11.5.502.110
  • Adobe Flash Player 10.3.183.43
  • Adobe Air 3.4.0.600

It is important to note that the vulnerabilities also affect the Adobe Flash Player 10 product line.  The ‘Priority and Ratings,’ ‘Affected Software Versions,’ and ‘Summary’ sections of the Adobe security bulletin page do not list Adobe Flash Player 10 as an affected product.  The CVEs filed for the vulnerabilities state that Adobe Flash Player 10 is indeed affected.  In addition, the Adobe security bulletin page lists Adobe Flash Player 10 as affected in the ‘Solution’ area.

With the Adobe Flash Player release, I also saw a coordinated release effort from Google and Microsoft to address vulnerable Adobe Flash Player programs embedded in their browsers.  Google Chrome / Chrome Frame version 23.0.1271.64 fixes 14 vulnerabilities and includes the latest version of the Adobe Flash Player.  This new version of the Google browser includes a new ‘Do Not Track’ feature that sends a request to a website asking it to not track information.  On the Microsoft side, Microsoft Security Advisory 2755801 was updated to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.

Opera also released a new version of their browser for the first time since June of this year.  Opera 12.10 addresses six vulnerabilities.  In the release notes, you will need to scroll down to the beta section to see that this release actually fixed security vulnerabilities.  They are noted in the beta section for version 12.10.

Wednesday

HP released their first update since June of this year for their System Management Homepage product.  HP System Management Homepage 7.1.2 appears to be a security update and is rated as “Recommended” by HP.  The release notes for this version state “Improved security features.”  Vulnerability information for HP System Management Homepage releases typically takes a few weeks to appear after the product release, so I will be watching the National Vulnerability Database for more information.

Thursday

Apple joined the busy patching week with a new release of Apple QuickTime.  Apple QuickTime 7.7.3 is a security update addressing nine vulnerabilities. One of the vulnerabilities fixed with this release is remarkably from 2011 (CVE-2011-1374).

Friday

AOL Instant Messenger 1.2.0.2 has been released to the mainstream.  This product typically does not have release notes associated with each version.  I will be waiting to see if a CVE is released that would mark this release as a security bulletin.

Other News

Next Tuesday marks the November 2012 edition of Patch Tuesday.  Microsoft is set to release six bulletins addressing 13 vulnerabilities.  This Patch Tuesday will be highlighted by the first security bulletin releases for the new Microsoft Windows 8 and Server 2012 operating systems.

There are reports of a Zero-day vulnerability in Adobe Reader.  No confirmation or information has been released yet by Adobe.  There is a chance that Adobe could be releasing an update for Adobe Reader on Patch Tuesday.

I will be back next Tuesday to talk in detail on all of the activities for the November 2012 Patch Tuesday.

Happy Patching!

– Jason Miller

P.S. Also, check out a 30-day free trial of VMware Go Pro!

This Week in Patching – 10/19/2012

By: Jason Miller, Manager, Research and Development

It is that time for a weekly recap of the happenings of patch management.

This week was highlighted by a critical security update from Oracle.  Oracle released updates for their Java programs with Java 7 update 9 and Java 6 update 37 during their quarterly update.  These updates address 28 vulnerabilities.  Some of the vulnerabilities addressed by this update were zero-day vulnerabilities.  With any patch addressing zero-day vulnerabilities, administrators will want to patch as soon as possible.  Apple also released an update for the newer version of Java.  This update release coincided with Oracle’s Java release.  The next scheduled update for Java is set for February 19, 2013.

On Wednesday, Adobe released new versions for their Adobe Acrobat and Reader product lines.  Adobe Acrobat / Reader 11 (or XI) does not contain any security fixes from the version 9 or 10 product lines.

On Thursday, VideoLAN released a new version for their VLC media player.  The release notes for VLC media player 2.0.4 state there are fixes for “security issues” but no CVE has been submitted for this version.

The Document Foundation released a new version of their LibreOffice product that prompted some confusion.  The release version for LibreOffice has steadily been increasing on a normal cadence.  LibreOffice 3.4.x was followed by 3.5.x.  On August 15th, LibreOffice had a new major version with 3.6.x and has since been followed up by minor version increases (3.6.1, 3.6.2).  Yesterday, LibreOffice 3.5.7 was released.  This version number is lower than the 3.6.x branch and has confused people.  From a LibreOffice blog posting, they have stated that the 3.5.x branch will continue to receive updates as will the 3.6.x branch.  The 3.5.x branch is intended to be a stable branch where the 3.6.x introduces new features to the LibreOffice program.  LibreOffice 3.5.7 (released yesterday) and LibreOffice 3.6.2 (released on October 4) both do not contain any security fixes.
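The confusion described above (and the two Adobe Flash Player lines listed in the 11/9 recap) comes from comparing an installed version against a single “latest” number instead of against the latest release on its own branch. The following Python is an added example, not code from the post or from any of these vendors; its branch table is constructed from the version numbers quoted in the posts, and the branch depths (major for Flash, major.minor for LibreOffice) are assumptions for the illustration.

```python
from __future__ import annotations

# Latest release on each supported branch, constructed from the versions quoted
# in the posts above (two Flash Player lines, two LibreOffice branches).
# depth = how many leading version components identify a branch (assumed here):
# Flash branches by major version (10.x vs 11.x), LibreOffice by major.minor.
SUPPORTED = {
    "Adobe Flash Player": (1, ["11.5.502.110", "10.3.183.43"]),
    "LibreOffice": (2, ["3.6.2", "3.5.7"]),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.3.183.43' into (10, 3, 183, 43) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def naive_is_current(product: str, installed: str) -> bool:
    """The check that causes the confusion: 'am I on the single highest version?'
    It flags LibreOffice 3.5.7 as outdated because 3.6.2 sorts higher."""
    _, versions = SUPPORTED[product]
    return parse_version(installed) >= max(parse_version(v) for v in versions)


def branch_status(product: str, installed: str) -> str:
    """Branch-aware check. Returns one of:
    'current'            - installed equals the latest release on its branch
    'outdated'           - a newer release exists on the same branch
    'newer-than-known'   - installed is ahead of our data for that branch
    'unsupported-branch' - no supported branch matches (e.g. Flash 9.x)
    """
    depth, versions = SUPPORTED[product]
    inst = parse_version(installed)
    for text in versions:
        latest = parse_version(text)
        if inst[:depth] != latest[:depth]:
            continue  # different branch, keep looking
        if inst == latest:
            return "current"
        return "outdated" if inst < latest else "newer-than-known"
    return "unsupported-branch"


def report(product: str, installed_versions: list[str]) -> dict[str, str]:
    """Status per installed version, e.g. for an inventory of workstations."""
    return {v: branch_status(product, v) for v in installed_versions}


if __name__ == "__main__":
    for v, status in report("LibreOffice", ["3.5.7", "3.6.1", "3.4.6"]).items():
        naive = naive_is_current("LibreOffice", v)
        print(f"LibreOffice {v}: {status} (naive 'highest version' check says current: {naive})")
```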

Happy Patching!

– Jason Miller

Oh, and here’s a free 30 day trial of VMware Go Pro, just in case you need some help patching.

Weekly Links – October 12, 2012

Good afternoon to our favorite IT admins! Any fun plans in store for this weekend? Personally, we want to go see that Seven Psychopaths movie—how can you go wrong with Tom Waits, Christopher Walken and Sam Rockwell in the same movie?

Now for your weekly links:

Top 10 cloud jobs (InfoWorld)

Seven Reasons Why Companies Need to Automate Disaster Recovery (IT Business Edge)

BYOD: The New IT Management Headache (Network Computing)

10 technologies shaping the future of IT (IT World)

The IT Crowd (required viewing if you haven’t seen it yet) (Netflix)

This was too good to pass up – this week’s apropos of nothing image:

You can read our previous links round-ups here. And be sure to visit go.vmware.com for more information on how we can help you better manage your IT infrastructure.

Better yet, you can try it for yourself here – and it’s free!


VMware Go Pro Presenting at VMworld Barcelona!

Exciting news for VMworld Barcelona attendees: VMware Go Pro will be presenting not once, but twice, at VMworld this week! Our own Manoj Jayadevan and Arun Lal will be delivering two separate presentations on the advantages of VMware Go Pro.

Check out the abstracts for each presentation below. Definitely worth checking out if you’re at the show today:

Creating a Highly Profitable Virtualization Practice with VMware Go Pro

Tuesday, October 9 at 2:00 PM CET – Hall 8, lower level | Room E3

In this session, we will provide an overview of the business opportunities and profitability models that will help you grow a sustainable virtualization business with VMware Go Pro. VMware Go Pro is a software-as-a-service (SaaS) offering hosted by VMware, designed for partners and IT admins of companies with fewer than 1000 employees, that makes it easy to adopt and manage a virtualized environment, protect and secure IT assets and increase the reliability of SMB IT infrastructures. In this session, attendees will learn how to provide a wide array of virtualization and IT management services leveraging the VMware Go Pro cloud service and, in the process, tap new cloud-based recurring revenue opportunities.

VMware Go: The Zen for Small and Midsized Business IT Management

Tuesday, October 9 at 3:30 PM CET – Hall 8, lower level | Room B1

Cloud computing is transforming the way small and midsized business IT infrastructure is being managed. In this session, we’ll take a deep-dive exploration into the cloud-based VMware Go physical and virtual IT infrastructure management solution from a business value perspective. We will explore all the virtualization and security features, how to manage updates, along with how to create policies, and how to upload and deploy software, all from a single, Web-based management console.

Not in Barcelona this week? No worries! You can visit go.vmware.com for more information on how we can help you meet the specific needs of your IT environment.

Better yet, you can try it for yourself here – and it’s free!

The Meaning of Out-of-band Patches and Their Microsoft History

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.

We can set our calendars to every second Tuesday of the month (known as Patch Tuesday) for new Microsoft security bulletins.  Microsoft Patch Tuesday has become a ritual for the IT security industry.  Today is a stark reminder that you must always be vigilant and informed about the happenings in the security industry.  At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.

When is an out-of-band patch warranted?

Only a software vendor can make the decision on when a patch for a vulnerability should be released out-of-band from its normal release cycle.  Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the software affected could present a major attack outbreak.  With today’s release, all three of these criteria have been met.

Out-of-band patch releases are risky for the software vendor

When a patch is deemed necessary to be released out of band, the software vendor creating the patch is taking on risk.  In my previous post, I talked about the risk that IT administrators may take when implementing workarounds.  With software vendors, the risk of incorrect patch creation and testing is greatly increased.  The patch may fix the vulnerability, but there is always the possibility that a software patch will break normal functionality of a program.   For example: a patch fixes a vulnerability but the program now crashes when printing or saving.

Pay attention to all patches after applying, especially out-of-band patches

There is a chance with any patch that functionality could be broken.  With out-of-band patches, pay attention to the patched product to ensure other functionality is not broken.  If you find some functionality is broken, do not simply remove the patch.  Contact the software vendor to determine whether restoring the functionality, and thereby re-introducing the vulnerability, is worth the risk.

Out-of-band patch releases, not as common as we think

Since January 2010, Microsoft has released 269 security bulletins.  Only six of these bulletins (including today’s release) have been released out-of-band.  In fact, the last out-of-band patch release from Microsoft came nine months ago.

Year | Total Bulletins | Out-of-Band | % Out-of-band
2010 | 106             | 4           | ~4%
2011 | 100             | 1           | ~1%
2012 | 63*             | 1           | ~2%

(Note: 2012 includes today’s security bulletin release)

Security advisories do not mean out-of-band

Previously, I talked about zero-day vulnerabilities and security advisories.  Microsoft quite often will release security advisories throughout any given month.  The majority of these security advisories (pertaining to zero-day vulnerabilities) are fixed during a scheduled Patch Tuesday.  Below, you can see all of the security advisories Microsoft has released and the date they have released a patch to fix the vulnerability.  As you can see, active exploits happen quite often and do not warrant an out-of-band patch.

Advisory Release Date | Advisory # | Vulnerable MS Product         | Fixed In | Fixed Date | Out-of-band | Days Between Advisory/Release
1/14/2010             | 979352     | Internet Explorer             | MS10-002 | 1/21/2010  | Yes         | 7
11/13/2009            | 977544     | OS – SMB                      | MS10-020 | 4/13/2010  | No          | 150
1/20/2010             | 979682     | OS – Kernel                   | MS10-015 | 2/9/2010   | No          | 19
2/3/2010              | 980088     | Internet Explorer             | MS10-035 | 6/8/2010   | No          | 125
2/9/2010              | 977377     | OS – SChannel                 | MS10-049 | 8/10/2010  | No          | 181
3/1/2010              | 981169     | OS – VBscript                 | MS10-022 | 4/13/2010  | No          | 42
3/9/2010              | 981374     | Internet Explorer             | MS10-018 | 3/30/2010  | Yes         | 21
4/29/2010             | 983438     | Sharepoint                    | MS10-039 | 6/8/2010   | No          | 39
5/18/2010             | 2028859    | OS – Canonical Display Driver | MS10-043 | 7/13/2010  | No          | 55
6/10/2010             | 2219475    | OS – Help                     | MS10-042 | 7/13/2010  | No          | 33
7/16/2010             | 2286198    | OS – Windows Shell            | MS10-046 | 8/2/2010   | Yes         | 16
9/17/2010             | 2416728    | .NET Framework                | MS10-070 | 9/27/2010  | Yes         | 10
11/3/2010             | 2458511    | Internet Explorer             | MS10-090 | 12/14/2010 | No          | 41
12/22/2010            | 2488013    | Internet Explorer             | MS11-003 | 2/8/2011   | No          | 46
1/4/2011              | 2490606    | OS – Windows Shell Graphics   | MS11-006 | 2/8/2011   | No          | 34
1/28/2011             | 2501696    | OS – MHTML                    | MS11-026 | 4/12/2011  | No          | 74
9/26/2011             | 2588513    | OS – SSL/TLS                  | MS12-006 | 1/10/2012  | No          | 104
11/3/2011             | 2639658    | OS – Kernel-Mode Drivers      | MS11-087 | 12/13/2011 | No          | 40
12/28/2011            | 2659883    | .NET Framework                | MS11-100 | 12/29/2011 | Yes         | 1
6/12/2012             | 2719615    | MS XML Core Services          | MS12-043 | 7/11/2012  | No          | 29
7/24/2012             | 273711     | Exchange Server               | MS12-058 | 8/15/2012  | No          | 21
9/17/2012             | 2757760    | Internet Explorer             | MS12-063 | 9/21/2012  | Yes         | 4

(Note:  Not all security advisories from Microsoft have a bulletin associated.  Some security advisories have workarounds, information only or non-security patches associated.  These security advisories are not included in this list.)
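One check a practitioner might run on the table above, as an added example that is not code from the post: recompute the advisory-to-fix gap from the printed dates, ask whether each fix date fell on a second Tuesday (the scheduled Patch Tuesday), and compare with how long the advisory would have waited for the next scheduled release. The rows are a subset constructed from the table; the “second Tuesday of the month” rule is the one the post itself states.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# A subset of rows constructed from the advisory table above:
# (advisory date, advisory number, bulletin, fixed date, marked out-of-band).
ROWS = [
    ("1/14/2010", "979352", "MS10-002", "1/21/2010", True),
    ("11/13/2009", "977544", "MS10-020", "4/13/2010", False),
    ("7/16/2010", "2286198", "MS10-046", "8/2/2010", True),
    ("1/28/2011", "2501696", "MS11-026", "4/12/2011", False),
    ("12/28/2011", "2659883", "MS11-100", "12/29/2011", True),
    ("9/17/2012", "2757760", "MS12-063", "9/21/2012", True),
]


def parse_us_date(text: str) -> date:
    """Parse the M/D/YYYY form used in the table."""
    month, day, year = (int(p) for p in text.split("/"))
    return date(year, month, day)


def second_tuesday(year: int, month: int) -> date:
    """Patch Tuesday for a given month: the month's second Tuesday."""
    first = date(year, month, 1)
    days_to_first_tuesday = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_first_tuesday + 7)


def is_patch_tuesday(day: date) -> bool:
    return day == second_tuesday(day.year, day.month)


def next_patch_tuesday(after: date) -> date:
    """First scheduled Patch Tuesday strictly after the given date."""
    candidate = second_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
    return second_tuesday(year, month)


def days_until_next_patch_tuesday(text: str) -> int:
    today = parse_us_date(text)
    return (next_patch_tuesday(today) - today).days


@dataclass
class Assessment:
    bulletin: str
    days_to_fix: int          # advisory date -> fixed date, computed from the dates
    days_to_scheduled: int    # advisory date -> next scheduled Patch Tuesday
    fix_on_patch_tuesday: bool
    marked_out_of_band: bool

    @property
    def consistent(self) -> bool:
        """A fix marked out-of-band should not sit on a second Tuesday, and a
        scheduled fix should; either way the flag and the calendar must agree."""
        return self.marked_out_of_band != self.fix_on_patch_tuesday


def assess(row) -> Assessment:
    advisory_text, _, bulletin, fixed_text, oob = row
    advisory, fixed = parse_us_date(advisory_text), parse_us_date(fixed_text)
    return Assessment(
        bulletin=bulletin,
        days_to_fix=(fixed - advisory).days,
        days_to_scheduled=(next_patch_tuesday(advisory) - advisory).days,
        fix_on_patch_tuesday=is_patch_tuesday(fixed),
        marked_out_of_band=oob,
    )


def assess_all(rows=ROWS) -> dict[str, Assessment]:
    return {a.bulletin: a for a in map(assess, rows)}


if __name__ == "__main__":
    for a in assess_all().values():
        print(f"{a.bulletin}: fixed after {a.days_to_fix} days "
              f"(next scheduled release was {a.days_to_scheduled} days out); "
              f"on Patch Tuesday: {a.fix_on_patch_tuesday}; consistent: {a.consistent}")
```

`days_until_next_patch_tuesday("9/18/2012")` returns 21, the figure quoted in the security advisory post further down this page.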

Today’s scheduled security bulletin affects an Internet browser, so this should be high on your priority list for patch deployment today or this weekend.  With any out-of-band release, you should deploy the patch as soon as possible to prevent any attackers from taking advantage of the vulnerability on your network.


To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

Zero-Day Vulnerabilities and What it Means to Your Organization

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

Note:  This is not an attack on Microsoft’s security process or vulnerabilities in their products.  Microsoft has one of the best information sharing policies, which allows us to look deep into each security patch and software vulnerability.  In comparison, other vendors such as Apple and Oracle typically disclose only very basic information on their process, vulnerabilities and patches.

There are many factors that go into classifying a zero-day vulnerability that will require an out-of-band patch release.  A zero-day vulnerability is described as a vulnerability that is actively being exploited by attackers where the vendor does not have a patch to fix the vulnerability. Understanding the types of vulnerabilities that may put your environment at risk will help you determine the level of protection that is needed across your environment.

Types of attacks

There are two different types of attacks that are factored into zero-day exploits.  The first classification is a targeted attack.  A targeted attack is a scenario where an attacker is targeting a specific company or group type.  These attacks are commonly dubbed with terms such as ‘limited’ and ‘targeted.’  A targeted attack does not affect the majority of users, and the victim company typically works closely with the software vendor on investigation and a solution.

The second classification of an attack is a widespread attack.  These attacks do not discriminate against specific companies or groups, as the attack is aimed at the general public.  An example of this type of attack is a malicious website preying on unpatched browsers, or a worm attempting to exploit vulnerabilities in operating systems to create a bot network.

Targeted attacks usually do not prompt a software vendor to offer an out-of-band fix for the vulnerability, as the vendor will work directly with the victim company to provide a workaround just for that company until the fix is made public.  Widespread attacks usually prompt a software vendor to offer an out-of-band fix for the vulnerability, as the general population is at risk of attack.

Understanding the type of zero-day vulnerability

There are two words that distinguish the severity of a zero-day vulnerability, and administrators should pay particular attention to them: authenticated versus unauthenticated.  An authenticated attack requires an attacker to know information about the target to pull off an exploit of the vulnerability.  An example of this is a password to an account, used to gain access to the target system.  On the other hand, an unauthenticated attack requires no knowledge about a target system.  An example of this is a worm that exploits an operating system service without needing any information.

Is the vulnerability publicly disclosed?

A vulnerability has two ways of being disclosed, or known.  The first type is a privately disclosed vulnerability (also known as responsible disclosure).  When a researcher who finds a vulnerability in a software program informs only the software vendor about it, the vulnerability is privately disclosed.  This type of vulnerability is not widely known, so attackers cannot readily research it and build attacks upon it.

The second type is a publicly disclosed vulnerability.  This type of disclosure can happen through two methods.  First, a security researcher can release the research done on a zero-day vulnerability to the public.  Second, an attacker can release the research of a zero-day vulnerability to a hacker community to share resources.  In the case of publicly disclosed vulnerabilities, the severity of the vulnerability is extreme.

Type of software or service

This is one of the most important factors of a zero-day vulnerability.  I like to draw an analogy: typical attackers are a lot like salespeople.  A salesperson wants to find the widest possible audience to sell to.  That way, a salesperson is likely to sell more than by concentrating on a single prospect.  A typical attacker is similar in that he or she wants to attack as many machines as possible to maximize results.  Today’s attacks are typically aimed at gaining information for financial gain.  In the past, attackers typically could be seen as looking for notoriety.

Internet Browsers are the most commonly attacked software.  If an attacker can identify a zero-day vulnerability in any browser, Microsoft or non-Microsoft, the attacker can simply erect websites in hopes he/she can entice (social engineer) a person to visit the site with unpatched software to exploit their machine.

Attackers will also target any commonly used service on an operating system to carry out an attack.  Any service that has an unauthenticated vulnerability is a prime candidate for an attack.

Dealing with zero-day vulnerabilities

Monitor Vendors

Microsoft has a good track record in the software industry with regard to disclosing information around their patches and vulnerabilities.  With a Microsoft zero-day vulnerability, they will announce information when they are aware of publicly disclosed vulnerabilities and vulnerabilities that are being actively exploited.  Microsoft will publish a security advisory with the affected products, details on the effects of the vulnerability and any workarounds to help mitigate some of the risk of the vulnerability.

Other Resources

With a zero-day vulnerability, information spreads through many channels.  Using a resource such as the patchmanagement.org mailing list will help you keep an eye on all of these active channels.  These channels are groups independent of the affected software vendor, and they typically provide information on how to implement workarounds, provided by IT administrators who are researching the vulnerability, along with any information antivirus vendors publicly release on the vulnerabilities.

Implement workarounds

At times, software vendors will supply workarounds to help mitigate the risk of vulnerabilities.  It is important to read all documentation thoroughly.  Typically, workarounds will reduce functionality on systems.  Whether to implement a workaround is a risk decision that each administrator must make.  For example, is the risk great enough to implement the workaround?  If this workaround will reduce functionality on my systems, in turn increasing the volume of support calls, but prevent a vulnerability from being exploited, is it worth implementing?  This decision is a delicate balance, and there is no one answer that applies to every organization.

Antivirus

Antivirus programs are a reactive security method.  This means an antivirus program reacts to a virus on a system and subsequently prevents the malicious program from running.  The virus has already exploited the system and resides on the system.  Fully patching a system prevents an attacker from exploiting a vulnerability and running a malicious program (virus).  In the case of a zero-day vulnerability, a patch is not available from the vendor.  Therefore, it is absolutely critical to have an antivirus program that is up to date with the latest definition files.  Vendors, as in the case of Microsoft, work very closely with antivirus vendors to help combat the viruses and malware that target zero-day vulnerabilities.

Not all zero-day vulnerabilities have out-of-band patches

An out-of-band patch is quite rare when it comes to patching vulnerabilities.  Some of the vulnerabilities on a given Patch Tuesday could already have active attacks against them.  A decision on whether or not to release an out-of-band patch is completely in the hands of the software vendor. Some of the determining factors software vendors will take into account when deciding whether to release an out-of-band patch include:

  • Is it close enough to our normal release cycle to wait for the scheduled patch release?
  • Are the attacks limited or targeted?
  • Are more and more malware samples being created each day?
  • Will the quality of the accelerated patch break functionality?

Microsoft Vulnerability History

From January 2010 through this September’s Patch Tuesday release, Microsoft has addressed 606 vulnerabilities in their products.

  • ~15% of these vulnerabilities were publicly known
  • ~4% of these vulnerabilities were actively exploited

As you can see below, the percentage of vulnerabilities that were publicly known and actively exploited has remained constant since 2010.  (Note:  2012 is an incomplete year with only partial data)

Year | Total Vulnerabilities | Publicly Known Vulnerabilities | Actively Exploited Vulnerabilities | % Known | % Exploited
2010 | 93                    | 16                             | 3                                  | ~17%    | ~3%
2011 | 212                   | 35                             | 7                                  | ~17%    | ~3%
2012 | 125                   | 19                             | 8                                  | ~15%    | ~6%

Today, we will see an out-of-band patch release from Microsoft.  I will be talking in detail about Microsoft’s history of out-of-band patch releases as well as the new out-of-band patch and how it could protect your network environment.


To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

Microsoft Security Advisory 2757760 Released

This blog post is a re-post from the Shavlik blog. You can view the original post here.

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

There has been some chatter in the past few days regarding a zero-day vulnerability in Internet Explorer that is currently being exploited.  Microsoft released a new security advisory (2757760) for this vulnerability.  Internet Explorer versions 6, 7, 8 and 9 are affected by this vulnerability.  Internet Explorer 10, which is bundled with Microsoft Windows 8 and Server 2012, is not affected by this vulnerability.

Microsoft has a few suggested actions to mitigate against attacks on the vulnerability.  First, administrators can deploy the Enhanced Mitigation Experience Toolkit (EMET).  This workaround cannot guarantee that an attacker will not succeed in exploiting this vulnerability, but EMET will make attempts more difficult for attackers.

You can also set your Internet Explorer security settings for ActiveX Controls and Active Scripting to ‘High.’  This will help protect against attacks, but this setting will present many issues for users.  Many web pages will not properly display information due to the restricted security settings.

The next Patch Tuesday is still 21 days away and I am expecting a bi-monthly cumulative update for Internet Explorer during the October 2012 Patch Tuesday.  That is quite a bit of time between a potential security bulletin release and a zero-day vulnerability that has attacks against it.

In the meantime, there are a couple of other steps you can take to protect against exploitation on your network.  First, ensure you have an anti-virus program with up-to-date definition files on all of your servers and workstations.  Many anti-virus vendors have this current threat in their detection logic.  Other viruses could be coming in the near future, but anti-virus vendors are aware of the situation and are keeping an eye on the threat landscape.

Another step you can take is to use a different browser in the meantime.  This is going to be very difficult for organizations.  First, administrators will need to deploy a non-Microsoft browser to all of their users.  Second, administrators must find a way to enforce the use of the non-Microsoft browser on all workstations.  This in itself is almost impossible.  Using a non-Microsoft browser in the meantime will be easier for home users.

Stay tuned to Microsoft and here for any new information coming forth on this newest threat.

– Jason Miller

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.