Home > Blogs > VMware Go Blog > Tag Archives: zero-day vulnerabilities

Tag Archives: zero-day vulnerabilities

This Week in Patching – 1/7/2013

By: Jason Miller, Manager of Research and Development at VMware

Patching came to a quiet end in 2012 and 2013 is starting off with a bang.  Here is a quick recap of the happenings in patch management this week:

On Wednesday, a new version of CDBurnerXP was released with version 4.5.0.3717.  This new version is a non-security update.  On Friday, Google released a non-security update for their Picasa program with version 3.9.136.120.

Microsoft announced their January 2013 Patch Tuesday Advance Notification.  You can read my write up here on the upcoming Patch Tuesday.  In addition to the seven Microsoft security bulletins being released next Tuesday, there are quite a few non-Microsoft patches being released on Patch Tuesday.

Adobe announced they will be releasing updates for their Adobe Reader and Adobe Acrobat programs (versions 9/10/11).  These updates are rated as critical and are part of their quarterly update for Adobe Acrobat and Reader.

In addition, Mozilla is lining up to release updates as well for their products.  You can expect updates for their Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey products.

On Microsoft’s preannouncement page for upcoming non-security updates, they have listed Adobe Flash Player for Internet Explorer 10.  With this in mind, expect updates from Adobe for Adobe Flash Player and Google Chrome on Patch Tuesday.  With every Adobe Flash Player release, Microsoft and Google update their browsers to supply the latest version of the Flash Player program.

On the Microsoft Security Advisory front, Microsoft released a new security advisory on Thursday.  Microsoft Security Advisory 2798897 addresses issues with fraudulent digital certificates.  This security advisory places the offending certificates in the untrusted certificate store on systems.  In June 2012, Microsoft released a tool that will run on systems and quickly moves revoked certificates to the untrusted certificate stores.  This tool aids administrators that want an easy and quick way to update certificate issues Microsoft finds.  This tool can be downloaded here.  For those that do not want to use the tool, Microsoft has provided patches for this certificate issue that can be applied to systems.

Until Patch Tuesday, Happy Patching!

– Jason Miller

Interested in a free 30 day trial of VMware Go Pro for patch management, IT management, virtualization and more? Click here.

This Week in Patching – 12/21/2012

By: Jason Miller, Manager of Research and Development at VMware

Here is a quick recap in the world of patch management.  This week was highlighted by security updates for RealPlayer and Opera.

Late last Friday, Real Networks released an update for the RealPlayer media player.  RealPlayer 16.0.0.282 is a security update addressing two vulnerabilities.

On Saturday, a new version of VLC Media player was made available.  VLC 2.0.5 is a non-security that now includes support for Microsoft Windows 8.

On Sunday, we saw two new patch releases.  CDBurnerXP 4.5.0.3685 and Notepad++ 6.2.3 are non-security updates.

On Monday, new updates were made available for the Mozy software backup program.  MozyHome / MozyPro 2.18.1.235 are both non-security updates.

On Tuesday, Opera released a new version of their Internet browser.  Opera 12.12 is a security update addressing two vulnerabilities on Windows that could lead to Remote Code Execution if exploited.

Happy Patching!

– Jason Miller

P.S. Click here to learn more about how VMware Go Pro can help you better manage your IT infrastructure.

This Week in Patching – 12/14/2012

By: Jason Miller, Manager of Research and Development at VMware

This week in patching was highlighted by Microsoft’s December 2012 Patch Tuesday.  Microsoft released seven security bulletins addressing 12 vulnerabilities.  You can read my full write up on Patch Tuesday here.

On the non-Microsoft front, Adobe released an update for their Adobe Flash Player and Air products.  Adobe Security Bulletin APSB12-27 addresses three vulnerabilities as is rated as Critical.  Adobe has started the trend of releasing security updates for Flash Player on Microsoft’s Patch Tuesday.  This trend will probably continue as Microsoft and Google both bundle Adobe Flash Player in their latest browsers.

On that note, Microsoft released an update for their security advisory (KB2755801) to include the latest version of Adobe Flash for Internet Explorer 10.  Google released an update on Patch Tuesday for their Chrome browser.  Google Chrome 23.0.1271.97 contains the latest version of Adobe Flash Player as well as addressing six Google Chrome vulnerabilities.

To wrap up Patch Tuesday, Apache released a new version of Tomcat for Windows with version 7.0.34.  This latest version of Tomcat is a non-security update.

On Thursday, Oracle provided updates for Java version 6 and 7.  Java 6 update 38 and Java 7 update 10 are non-security releases.  The next scheduled security update for Oracle Java is planned for February 19, 2013.  It is important to note that the next scheduled security update will be the last time Java version 6 will receive a security update.  At that time, Oracle will continue to provide security updates for Java version 7.  In the next few months, administrators should look at testing the upgrade for Java version 6 to version 7.  Java can be quite tricky to upgrade.  There are occasions where older software programs that rely on Java simply will not work with the latest version.  By June 18, 2013, administrators should be upgraded to Java 7.  That date will be the next scheduled security update after Java 6 has reached end of life for support.

On Friday, Apple provided updates for their iTunes product with version 11.01.  This update addresses non-security issues with their recent major upgrade in version 11.

Typically, the last two weeks of the year are very quiet for vendors releasing patches for their software.  If any vendor does release updates, I will be back next Friday with an update on the happenings in patch management.  If not, I will be getting a head start on ringing in the New Year.

Happy Patching and Happy Holidays!

– Jason Miller

Click here to learn more about how VMware Go Pro can help you better manage your IT infrastructure.

 

 

Weekly Links – December 10, 2012

Another day, another dollar… Here’s to another week of the daily grind. Looking for a silver lining? We’re only 11 days from the apocalypse, if you trust the “end of days” crowd, that is (no folks, the Mayans did NOT predict the end of the world on December 21, 2012).

Which sounds better to you: another 20-30 years of managing trouble tickets for clueless colleagues, or floating in purgatory for the rest of eternity (it’s a trick question… they’re one in the same!).

Your weekly links:

Your key technology decisions for 2013 (InfoWorld)

Google Apps No Longer Free For Businesses (InformationWeek)

Worst security snafus of 2012 (ITWorld)

Online job boards don’t work – how big data can fix the problem (GigaOM)

Everyone gets new Twitter pages December 12 (The Next Web)

Now, on to this week’s apropos of nothing images… It’s a bird! It’s a plane! It’s—oh wait, it is a plane! Cool shot all the same.

Who can tell us what city they’re flying over here?

You can read our previous links round-ups here. And be sure to visit us here for more information on how we can help you better manage your IT infrastructure.

 

Pssst… Looking for the Perfect Gift for Your IT Person This Year? Look No Further Than VMware Go Pro!

By Andy the Angry IT Guy

It’s clear that, once again, the holiday season is upon us.

Why is that, you’re asking? Am I delirious with the spirit of the season, hanging tinsel and mistletoe around my cubicle, organizing company caroling sessions and baking festive snickerdoodle cookies for the entire office?

Of course not! Bah humbug! (Come on… were you expecting anything less from your favorite angry IT guy).

No, I know that the holiday season is approaching because rabid sales executives keep accosting me to make sure their database stays up and running as they close quarter-end deals (it does, as usual…), the HR person keeps complaining to me about Outlook calendars not synching up for people’s PTO requests (you have to click “accept”) and our psychotic marketing director nearly compromised our entire network after clicking an email with a subject line of “Cute baby triplets sing ‘Jingle Bells’ while kittens wrestle in the background” (it was a malicious virus).

Yep, people get pretty irrational around the holidays.  Luckily for me, I know have VMware Go Pro – which definitely helps me deal with the crazy here to a certain degree. I may even go so far as to say I’m “thankful” for VMware Go Pro—truth be told, it’s the best thing to happen to me this year (after my endless flirtations with Liz from Accounting and the long-awaited release of Diablo 3, that is).

VMware Go Pro has allowed me to get our virtualization project up and running with minimal headaches, and has also allowed me to ensure that the company’s infrastructure is secure and appropriately patched (which really comes in handy when your brainiac colleague inadvertently looses a Trojan onto your network).

With that in mind, I offer this gift to you, dear readers: for the rest of today, VMware is running a serious discount on VMware Go Pro in the eStore. In fact, VMware is running a series of promotions in honor of Cyber Monday in the eStore all week (including 20% savings on an annual license for VMware Go Pro).

Trust me when I say, you do not want to miss out on this. If there’s an IT person in your life, get them this gift and know that they will be forever grateful. Really, the only thing better that I can think of is a Star Trek: Next Generation reunion – which sadly won’t be happening anytime soon.

In the meantime, there’s VMware Go Pro! Check it out here – http://store.vmware.com/promo/91614000

Want to learn more about VMware Go Pro? Click here.

This Week in Patching – 11/16/2012

By: Jason Miller, Manager, Research and Development

This week in patching was highlighted by Microsoft’s Patch Tuesday.  Microsoft released six new security bulletins addressing 13 vulnerabilities.  I have a full write up on Patch Tuesday here.

On the non-Microsoft front, I did not see any security updates released.  However, there were a few non-security updates released that you may want to get installed to fix various issues.

On Monday, two vendors released updates for their programs to fix crashing issues.  Notepad++ 6.2.1  and Filezilla 3.6.0 are non-security updates fixing crash issues.

On Tuesday, an update for AT&T Global Network Client was released with version 9.1.0.  The release notes have not been updated yet.  Without a published update, I am under the assumption at this point that the release is a non-security update.

VMware also released updates for MozyHome and MozyPro with version 2.18.0.227.  These updates are non-security updates fixing numerous issues and introducing new features.

On Thursday, Microsoft released a new version of Skype with version 6.0.0.126.  The highlight of this non-security update is a fix that addresses issues when upgrading to the latest version of Skype.

Due to the holiday week next week, I will not have a weekly write up for the week in patching next Friday.  I will provide an update in patching for the holiday week the following Monday.

Happy Patching!

– Jason

P.S. Want to learn more about VMware Go Pro? Click here. Also, check out  a 30-day free trial of VMware Go Pro!

This Week in Patching – 11/9/2012

By: Jason Miller, Manager, Research and Development

It has been a busy week for patch releases.  Here is a quick recap of the happenings in patch management.

Tuesday

Adobe released a new security bulletin for Adobe Flash Player and Adobe Air.  APSB12-24 addresses seven vulnerabilities and the following versions address these issues:

  • Adobe Flash Player 11.5.502.110
  • Adobe Flash Player 10.3.183.43
  • Adobe Air 3.4.0.600

It is important to note that the vulnerabilities also affect the Adobe Flash Player 10 product line as well.  In the ‘Priority and Ratings,’ ‘Affected Software Versions,’ and ‘ Summary’ on the Adobe security bulletin page do not list Adobe Flash Player 10 as an affected product.  The CVE filed on behalf of the vulnerabilities state that Adobe Flash Player 10 is indeed affected by the vulnerabilities.  In addition, the Adobe Security Bulletin page has Adobe Flash Player 10 affected in the ‘Solution’ area.

With the Adobe Flash Player release, I also saw a coordinated release effort from Google and Microsoft to address vulnerable Adobe Flash Player programs embedded in their browsers.  Google Chrome / Chrome Frame version 23.0.1271.64 fixes 14 vulnerabilities and includes the latest version of the Adobe Flash Player.  This new version of the Google browser includes a new ‘Do Not Track’ feature that sends a request to a website asking it to not track information.  On the Microsoft side, Microsoft Security Advisory 2755801 was updated to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.

Opera also released a new version of their browser for the first time since June of this year.  Opera 12.10 addresses six vulnerabilities.  In the release notes, you will need to scroll down to the beta section to see that this release actually fixed security vulnerabilities.  They are noted in the beta section for version 12.10.

Wednesday

HP released their first update since June of this year for their System Management Homepage product.  HP System Management Homepage 7.1.2 appears to be a security update and is rated as “Recommended” from HP.    The release notes for this newer version states “Improved security features.”  Vulnerability information for HP System Management Homepage releases typically take a few weeks after the product release, so I will be watching the national vulnerability database for more information.

Thursday

Apple joined the busy patching week with a new release of Apple QuickTime.  Apple QuickTime 7.7.3 is a security update addressing nine vulnerabilities. One of the vulnerabilities fixed with this release is remarkably from 2011 (CVE-2011-1374).

Friday

AOL Instant Messenger 1.2.0.2 has been released to the mainstream.  This product typically does not have release notes associated with each version.  I will be waiting to see if a CVE is released that would mark this release as a security bulletin.

Other News

Next Tuesday marks the November 2012 edition of Patch Tuesday.  Microsoft is set to release six bulletins addressing 13 vulnerabilities.  This Patch Tuesday will be highlighted by the first security bulletin releases for the new Microsoft Windows 8 and Server 2012 operating systems.

There are reports of a Zero-day vulnerability in Adobe Reader.  No confirmation or information has been released yet by Adobe.  There is a chance that Adobe could be releasing an update for Adobe Reader on Patch Tuesday.

I will be back next Tuesday to talk in detail on all of the activities for the November 2012 Patch Tuesday.

Happy Patching!

– Jason Miller

P.S. Also, check out  a 30-day free trial of VMware Go Pro!

This Week in Patching – 10/19/2012

By: Jason Miller, Manager, Research and Development

It is that time for a weekly recap of the happenings of patch management.

This week was highlighted by a critical security update from Oracle.  Oracle released updates for their Java programs with Java 7 update 9 and Java 6 update 37 during their quarterly update.  These updates address 28 vulnerabilities.  Some of the vulnerabilities addressed by this update were zero-day vulnerabilities.  With any patch addressing zero-day vulnerabilities, administrators will want to patch as soon as possible.  Apple also released an update for the newer version of Java.  This update release coincided with Oracle’s Java release.  The next scheduled update for Java is set for February 19, 2013.

On Wednesday, Adobe released new versions for their Adobe Acrobat and Reader product lines.  Adobe Acrobat / Reader 11 (or XI) does not contain any security fixes from the version 9 or 10 product lines.

On Thursday, VideoLAN released a new version for their VLC media player.  The release notes for VLC media player 2.0.4 state there are fixes for “security issues” but no CVE has been submitted for this version.

The Document Foundation released a new version of their LibreOffice product that prompted some confusion.  The release version for LibreOffice has steadily been increasing on a normal cadence.  LibreOffice 3.4.x was followed by 3.5.x.  On August 15th, LibreOffice had a new major version with 3.6.x and has since been followed up by minor version increases (3.6.1, 3.6.2).  Yesterday, LibreOffice 3.5.7 was released.  This version number is lower than the 3.6.x branch and has confused people.  From a LibreOffice blog posting, they have stated that the 3.5.x branch will continue to receive updates as will the 3.6.x branch.  The 3.5.x branch is intended to be a stable branch where the 3.6.x introduces new features to the LibreOffice program.  LibreOffice 3.5.7 (released yesterday) and LibreOffice 3.6.2 (released on October 4) both do not contain any security fixes.

Happy Patching!

– Jason Miller

Oh, and here’s a free 30 day trial of VMware Go Pro, just in case you need some help patching.

Weekly Links – October 12, 2012

Good afternoon to our favorite IT admins! Any fun plans in store for this weekend? Personally, we want to go see that Seven Psychopaths movie—how can you go wrong with Tom Waits, Christopher Walken and Sam Rockwell in the same movie?

Now for your weekly links:

Top 10 cloud jobs (InfoWorld)

Seven Reasons Why Companies Need to Automate Disaster Recovery (IT Business Edge)

BYOD: The New IT Management Headache (Network Computing)

10 technologies shaping the future of IT (IT World)

The IT Crowd (required viewing if you haven’t seen it yet) (Netflix)

This was too good to pass up – this week’s apropos of nothing image:

You can read our previous links round-ups here. And be sure to visit go.vmware.com for more information on how we can help you better manage your IT infrastructure.

Better yet, you can try it for yourself here – and it’s free!

 

The Meaning of Out-of-band Patches and Their Microsoft History

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

Microsoft is planning to release an out-of-band patch for a zero-day vulnerability at noon CST today.

We can set our calendars to every second Tuesday of the month (known as Patch Tuesday) for new Microsoft security bulletins.  Microsoft Patch Tuesday has become a ritual for the IT security industry.  Today is a stark reminder that you must always be vigilant and informative on the happenings in the security industry.  At any time, a vendor may release a patch out-of-band to address a zero-day vulnerability.

When is an out-of-band patch warranted?

Only a software vendor can make the decision on when a patch for a vulnerability should be released out-of-band from its normal release cycle.  Typically, a vendor will release a patch out-of-band when there are active exploits against the vulnerability, the vulnerability details have been released publicly, and the software affected could present a major attack outbreak.  With today’s release, all three of these criteria have been met.

Out-of-band patch releases are risky for the software vendor

When a patch is deemed necessary to be released out of band, the software vendor creating the patch is taking on risk.  In my previous post, I talked about the risk that IT administrators may take when implementing workarounds.  With software vendors, the risk of incorrect patch creation and testing is greatly increased.  The patch may fix the vulnerability, but there is always the possibility that a software patch will break normal functionality of a program.   For example: a patch fixes a vulnerability but the program now crashes when printing or saving.

Pay attention to all patches after applying, especially out-of-band patches

There is a chance with any patch that functionality could be broken.  With out-of-band patches, pay attention to the product patched to ensure other functionality is not broken.  If you find some functionality is broken, do not simply remove the patch.  Contact the software vendor and to determine if restoring the functionality but re-introducing the vulnerability is work the risk.

Out-of-band patch releases, not as common as we think

Since January 2010, Microsoft has released 269 security bulletins.  Only six of these bulletins (including today’s release) have been release out-of-band.  In fact, the last out-of-band patch release from Microsoft came nine months ago.

Year

Total Bulletins

Out-of-Band

% Out-of-band

2010

106

4

~4%

2011

100

1

~1%

2012

63*

1

~2%

(Note: 2012 includes today’s security bulletin release)

Security advisories do not mean out-of-band

Previously, I talked about zero-day vulnerabilities and security advisories.  Microsoft quite often will release security advisories throughout any given month.  The majority of these security advisories (pertaining to zero-day vulnerabilities) are fixed during a scheduled Patch Tuesday.  Below, you can see all of the security advisories Microsoft has released and the date they have released a patch to fix the vulnerability.  As you can see, active exploits happen quite often and do not warrant an out-of-band patch.

Advisory Release Date

Advisory #

Vulnerable MS Product

Fixed In

Fixed Date

Out-of-band

Days Between Advisory/Release

1/14/2010

979352

Internet Explorer

MS10-002

1/21/2010

Yes

7

11/13/2009

977544

OS – SMB

MS10-020

4/13/2010

No

150

1/20/2010

979682

OS – Kernel

MS10-015

2/9/2010

No

19

2/3/2010

980088

Internet Explorer

MS10-035

6/8/2010

No

125

2/9/2010

977377

OS – SChannel

MS10-049

8/10/2010

No

181

3/1/2010

981169

OS – VBscript

MS10-022

4/13/2010

No

42

3/9/2010

981374

Internet Explorer

MS10-018

3/30/2010

Yes

21

4/29/2010

983438

Sharepoint

MS10-039

6/8/2010

No

39

5/18/2010

2028859

OS – Canonical Display Driver

MS10-043

7/13/2010

No

55

6/10/2010

2219475

OS – Help

MS10-042

7/13/2010

No

33

7/16/2010

2286198

OS – Windows Shell

MS10-046

8/2/2010

Yes

16

9/17/2010

2416728

.NET Framework

MS10-070

9/27/2010

Yes

10

11/3/2010

2458511

Internet Explorer

MS10-090

12/14/2010

No

41

12/22/2010

2488013

Internet Explorer

MS11-003

2/8/2011

No

46

1/4/2011

2490606

OS – Windows Shell Graphics

MS11-006

2/8/2011

No

34

1/28/2011

2501696

OS – MHTML

MS11-026

4/12/2011

No

74

9/26/2011

2588513

OS – SSL/TLS

MS12-006

1/10/2012

No

104

11/3/2011

2639658

OS – Kernel-Mode Drivers

MS11-087

12/13/2011

No

40

12/28/2011

2659883

.NET Framework

MS11-100

12/29/2011

Yes

1

6/12/2012

2719615

MS XML Core Services

MS12-043

7/11/2012

No

29

7/24/2012

273711

Exchange Server

MS12-058

8/15/2012

No

21

9/17/2012

2757760

Internet Explorer

MS12-063

9/21/2012

Yes

4

(Note:  Not all security advisories from Microsoft have a bulletin associated.  Some security advisories have workarounds, information only or non-security patches associated.  These security advisories are not included in this list.)

Today’s scheduled security bulletin affects an Internet browser, so this should be high on your priority list for patch deployment today or this weekend.  With any out-of-band release, you should deploy the patch as soon as possible to prevent any attackers from taking advantage of the vulnerability on your network.

 

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.