Busy Day on the patch management news wires

This article is a replay of recent blog but it has a great quote, its part of a pretty busy day on the Google News for "patch management"

“Waves of targeted e-mail attacks, often called 'spear phishing,' are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office,” the report states. “This is currently the primary initial infection vector used to compromise computers that have Internet access.”

What floors me is that I wrote software to detect the first Microsoft patch about 12 years ago and people are still not getting patches out.  Proper patch management software is very difficult to do correctly so I know why most vendors such as Microsoft and Symantec do not bother to get it right, but there are other vendors who do it well. Not only us be clear.  Just go out and buy one that works for you, roll it out and use it.  It will take a few hours a month, the cost is reasonable and the problem solved.  Even if these articles are a bit of vendor hype, the risk is real and the solutions are there. 

End-point management

As noted by SANS end-point patch management lags: "New attack data shows organizations are missing the mark in their security priorities as client-side application flaws, Web flaws dominate as attack vectors"

It’s safe to assume that most organizations that want run AV on their end-points do, but why not patch management?  Both are needed, so why not just deploy a solution and solve the problem?  Both patching and AV products have been around for years, right?

So why does the SANS study show end-points are not well patched?

A few thoughts -- WSUS is too hard to manage and if you get it right you only find out that is supports just some of Micorsoft products and no other products.  Strike one, it simply does not work.  And WSUS is also the engine for SCCM so that does not work either.  Strike two.

How about Altiris?  Great product, right?  Just not for patch management.  Foul Ball, but its still 0-2.

How about a security product like FoundScan or Qualsys?  no patch management, another foul ball and end-points are still not patched.

How about rolling out an integrated patching AV end-point product like ours at the same time as you rollout AV, all done in one shot? it solves both problems at one time.  its a base hit, or better maybe its a home-run.  Why are other major vendors not doing this?  Doing patching right is hard work to get right and keep right, and most vendors are not invested enough in it so they are not providing solutions their customers need, and machines are not kept patched.

The answer is there but Microsoft does not want you to know it, they have a big bet on you not knowing.  The same holds true for Symantec and other security vendors including McAfee.

 

 

Virtualization Updates

I was in San Francisco at the VMworld conference this week.  Lots of activity, good sessions, and many vendor announcements being made.    SF has a great downtown, and we had great weather there making it very enjoyable.

VMworld reminded me of the energy people using VMware products have, it was a great show this year as it was last year.  When I compare it to the 2009 RSA show, held at the same location, VMworld just felt much more active with people there to learn and create new solutions.  The VMworld show floor was always busy, even the last hour of the last day which is rare for a trade show.  

Check out the new video showcasing VMware Go, the new web-based service from VMware. VMware Go enables first-time virtualization users to fly through the ESXi setup process with just a few mouse clicks.  VMware Go was developed in partnership with VMware and Shavlik Technologies. http://www.youtube.com/watch?v=HQd6PM5TMDA  this is a new area for us as we extend our simplification models to new areas.  Go of course contains our patching technologies, for both ESXi itself and VMs running on it. Thank you to the VMware and Shavlik teams for working so hard on this release. It was a busy summer. This our 2nd partnership with VMware, the other one is with the UpdateManager with also uses our patching technology.

(infomercial)

The team at Shavlik has announced this week that we have added asset management capabilities in the Shavlik Security Suite, making it the only solution available that manages IT operations for both physical and virtual worlds, including offline virtual patches.   The Shavlik Security Suite allows organizations to apply a single process to ensure machines – physical or virtual -- are identified, secured, and managed across their lifecycle from a single viewpoint.  From patching, to AV, to VMware asset inventory to agent-less inventory scanning for physical computers.

The significant benefit of the new asset management capabilities in the Shavlik Security Suite is to leverage our agent less approach to thoroughly and dynamically discover and catalog IT assets including software assets, hardware assets, and virtual machine assets. Now organizations will be able to discover physical and virtual machines they didn’t know they had and uncover software applications they didn’t know were installed.  By consolidating this information in one Shavlik console, the organization has all the relevant information about its IT assets at its finger tips so they can make informed decisions with confidence and accuracy.  They can then take the information and filter their view in machine centric view and filter their reports using any of the collected inventory data, AV state, patch state, Compliance state and configuration state. the Suite also provide end-point security protection. All at great integrated prices. 

 The Shavlik Security Suite is in public beta today.   We encourage you to sign up for our beta program, give the products a test drive, and let us know what you think.  To join the beta program, sign up on our web site at www.shavlik.com/netchk-beta.aspx.    We look forward to your feedback. 

 The Security Suite will be generally available for public download and customer upgrades on September 29th.

Private vs Public Cloud Computing

 

Larger companies and government departments are likely to consider going to the Cloud but in a more controlled and secure fashion via a Private Cloud.  A Private Cloud has all the benefits of the Public Clouds but it is hosted inside the firewall of the company or department it is supporting.  Full control of who has access to data is maintained while all the benefits of the Cloud are realized. End-users simply buy their Cloud services from the Private Cloud and the Private Cloud treats the end-users in the same way a Cloud vendor treats its customers. An institution would need to be fairly large to get benefits from this model, however, and smaller groups that do not want to or cannot have their data leave their network can host virtualized environments that have many of the features of the Cloud without the benefits of sharing the expertise and access to scalable resources that a Cloud provider has.

 

This article features a great example of a hotel group that wants to receive the benefits of cloud computing but is not yet ready to commit to public cloud computing:

http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1364027,00.html

 

Here is a link around private clounds and AWS, a likely trend.

 

The Cloud Equalizes New Product Development

Another example of how the Cloud creates greater efficiency is a software development group that wants to create a new software application for either internal or external customers.  By leveraging a Cloud provider they immediately have access to a complete server development environment with no need for IT and with modern cloud database technologies the data is stored in efficient, redundant locations. Servers are tuned and kept up to date by the Cloud provider so no further resources need to be allocated.  During the load testing phase the group can use the Cloud to run hundreds of clients, and after  the testing is completed these servers are freed up to be used in other capacities. This model is financially efficient as servers are set up instantly without the need for the business to provide space, cooling and capital equipment.  Small start ups get all the benefits of the large software providers in an instant and for a low cost, creating a game changing equalizer.

 

As the newly developed software application is rolled out to end users the Cloud provider automatically scales out the backend databases, web servers, reporting and analysis tools based on customer demand.  Without access to a cloud based environment, the development team would have to work with IT to estimate and purchase the equipment needed to scale for demand increases whereas in a Cloud model the initial backend can remain small and grow automatically when demand creates a need.  Therefore the business only spends on what is needed at any given time and does not have to foot a bill up front for equipment in anticipation of how customer demand will scale.

Whether you are a Human Resources team or a software development group, after the product has been in its market for a while low use periods have automated server count reductions and during peak load server demand is increased, providing simplified cost saving optimizations in which costs scale only with demand.  In this way the Cloud reduces the total cost of IT expenses needed to get a product in the hands of an end-user. Also, if the business decides to move to a new cloud vendor or partner offering lower costs and better support levels, migration is simple with low initiation costs.  

These are big changes and they are creating new oppurtunities at a time when technology sales are slow.

Virtualization In The Cloud Provides Significant Advantages

Virtualization provides the foundation for servers on demand by implementing an on-line operating system that is required for all other operating systems to run on the Cloud. Virtualization also enables the Cloud to rapidly create server space based on end-user demand by simply running a new instance of an operating system on an existing server. Virtualization through the Cloud creates a model by which servers become services and the underlying operation system is no longer a factor in how quickly or easily a new server can be provisioned. Looking at the rapid growth of smart phones you see devices where the applications are not tied to the browser but instead are tied to the underlying operating system.  Netbooks will run a phone operating system or Windows® and virtualization is the key to managing all these mobile devices practically.  This would indicate in the future that there will be more operating systems not less, but they will allow the end-user to do more, increasing efficiency, productivity, and cost effectiveness via a virtual desktop.  All in need of management.

 

 

As organizations look to further GreenIT initiatives, another advantage of virtualization in the cloud is the fact that a virtual server can be running Microsoft®, Linux®, or another operating system on the same physical hardware enabling low utilization servers to be paired with high utilization servers allowing significant savings in energy costs.

 

 

Another benefit to virtualization in the Cloud is the ability to constantly rebalance servers as their usage spikes and drops and to do quick disaster recovery by moving images from one data center to another and quickly restoring the images on new hardware when current hardware fails. 

 

 

The Cloud is designed to support IT customers with a simple, flexible and scalable value proposition.  Virtualization provides additional benefits that allow IT organizations to truly leverage the level of optimization that Cloud computing promises.  

 

here is a related link.

 

Shavlik Cash For Clunkers

Douglas thanks for the nice note about our $4500 rebate program which we called Shavlik Cash For Clunkers for obvious reasons and it was too much fun to resist the name.  But the rebate is real, up to $4500 back until Sept 15th or the $1M we set aside in rebates is gone, so for smaller customers the product is in effect free if you turn in your clunker for destruction.  Given the value of this deal we will need to make sure its a trade-in, just like the Fed Gov is doing.

We do ask people pay for the maintenance as it covers our very frequent updates to our anti-virus, spyware and patch data as well as phone support.  And thanks to Sunbelt software for working with us to make this happen.  Since we license our software in a perpetual model the maintenance pricing is not full subscription pricing, make this a true high value deal.  Click here for details etc.

What is the future of Cloud Computing?

As the “End-User Computing Revolution” enters its 25^th year of empowering users, the next phase will be dominated by Cloud Computing (http://www.newsweek.com/id/166738/page/1) together with the “always available” clients such as the Netbook (http://www.wired.com/gadgetlab/2008/09/netbooks-evolvi/ )  and SmartPhones (http://www.informationweek.com/news/mobility/showArticle.jhtml?articleID=206800816) that are providing a world in which the end-user has complete control over their client-server, web based, and computing solutions - allowing them to choose what they use, where they use it, and where they get solutions from. Each phase of the end-user revolution has created terrific efficiency gains and cost reductions for businesses in rapid fashion, moving from the mainframe to the PC, from the PC to Client/Server, to the Web and now to the Cloud.  With this phase we are seeing the many year battle between the end-user and IT nearing an end and IT will either evolve by becoming a strategic partner with its customers or be relegated to the occasional helpdesk call.   As a professional life long IT peson this is a good wake up call for me.

 

The power and business benefits of Cloud Computing are very clear to me after observing the early days of the PC revolution during my stint at Microsoft® and running a business focused on operational simplification since then. The Cloud is the next natural step for the industry because it enables the end user to simplifiy the typically complex nature of working with IT.  The ability of the Cloud to solve the challenge of allowing end users to fully leverage the benefits of technology while lowering costs to the business is a game changer and one that all of IT needs to be aware of in order to not only prosper but to survive.

 

A Break From Dependence On IT To Solve a Business Problem

The biggest change the Cloud provides is that the end-user or the consumer can now simply select the type of IT service they want much in the same way you might purchase a book from Amazon.com.  Whether it is a wiki, e-mail, or custom program, the end-user does not have to worry about involving IT to scope the hardware and maintenance needs allowing for focus on the business problem being solved. 

 

The innovation of the Cloud opens a market where neither the end-user nor the business needs to be dependent on a specialized and trained IT department or a specific vendor.  Cloud services are easily outsourced to a Cloud provider reducing the business costs associated with maintenance, data centers, servers, compliance, backup and recovery, security, patching, virus protection, configuration management, bandwidth, and onsite support. Now instead of a business locally hosting servers in a controlled server room where their capacity is often not fully used, the Cloud provider can reduce the total server count, end users are always running the latest configuration and if something does break or the business wants to roll out a new version, the Cloud provider updates a desktop image for the end-users who need it.

 

By choosing a Cloud provider, the end-user no longer has to worry about lining up IT to scope the hardware needs, buy servers, set up a web server and database, and provide the on-going maintenance including patching, security, backup and recovery, and product upgrades.  In minutes the business can have their software running on all devices at the company without the need for a large capital expense. The business takes on a services contract but no longer has to worry about keeping IT staff expertise current or keeping multiple IT expertise in house for different systems, less is needed for budgeting for energy and hardware costs, and productivity is shorten when months are no longer needed spent scoping, purchasing and setting up equipment.

 

The Cloud can simplify legacy client server systems in stable production by consolidating the use of servers not operating to full capacity. It can help internal departments, like Human Resources (HR); roll out software tools such as employee review software, without the need for internal IT involvement and allows an HR team to own the entire process.  The only consideration for the business is to assure that the selected vendor has valid security processes and to keep an on-going watch to assure that the security is managed.

 

See Christina Torode’s latest article on this topic, Latest cloud computing trend: End users buying IT as a Service, at

 http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1363151,00.html?track=NL-981&ad=717499&asrc=EM_USC_8855174&uid=5982925#

Shavlik NetChk Protect 7 has been released

Shavlik NetChk Protect 7 has been released and is available for download from our web site.  I am personally very excited about this release as it fulfills the next phase of my vision of a high performance systems and security management solution built on a zero or one agent architecture.  This is critical to users who need that flexibility, which is everyone really, but what our customers need to know is the agent in NetChk Protect 7 is also one of the industry’s most flexible, high performing agents available.

 

As I spoke about in an earlier post, we have licensed Sunbelt’s VIPRE antivirus engine and integrated it with NetChk Protect 7, and it is a key component of the Shavlik Security Suite.  So now users can now setup one system and get patch management and end-point protection at the same time, without having to pay extra for AV.

Thanks to a great group of customers, we had a high participation in our beta program, and their positive feedback on the new and enhanced features and they are excited to upgrade to the new version.

And as always a ton of thanks to all our employee who made this product happen!

Why are we going with Sunbelt for our AV-Antispyware?

I went to lunch today with one of our top resellers and he asked me, "I like what you are doing in the AV space but why did you selected Sunbelt?" and I thought it would be a good idea to widely share my answer.

To start, we made our partnering decision over two years ago and we are happy with the results.

I have known the leadership at Sunbelt Software for many years and they are trustworthy and great people to work with, that was very important to me because like any relationship all parties need to work together well through thick and thin and over time.  (I also know the leadership at a number of other AV related companies and they are good, trustworthy people who make great products also so this was not the only reason to work with SB, but it was a required first step).

The next step was for us to find who had a great spyware engines as many modern attacks act like spyware even though they are often considered to be viruses and Sunbelt was at the top of the list from their work with Giant which was sold to Microsoft a few years ago.  My security team felt SB had great dedication to the industry and working with them was a no-brainer.  Then SB added their Viper AV engine and he picture was completed.  They have certifications from well known labs are more are on the way which is good, but their technology is new.  But not that new, it has been around for a while now and with the new-ness comes new ways of doing things, light, fast etc. as it does not need to carry the code that solves old problems.  These new ways create a great product.

The vendor we selected also needed to have a great SDK since we are doing a complete integration. So I had my engienering team visit with SB and review their engineering process along with their SDK and I got the thumbs up, so add another big green check box because of the integration fails we all fail.

We also needed to develop a business partnership in which we could add strong AV in to our existing products without a financal large impact to our end-users on pricing and SB was very creative in helping us create a win-win-win between our customers, SB and us.  Great news. 

I also wanted to create something new, not just a bolt on but a new way of managing computers for patch management and AV-Spyware. I wanted a new company to work with so we could work together more from the ground up which we have done, our UI and their AV and Spyware tools and data to create a new work and with 7.0 we have hit that goal as our upcoming release will show -- I hope everyone gives it a try and when your current AV subscription comes up you can just remove it from you budget as you will already have a new solution in place from us.

Conficker

Slowing or stopping the advance of the Conficker worm is a tremendous patch management and configuration management challenge.  The problem is that organizations have a hard time knowing what patches are really installed and how systems are actually configured.   Small organizations or individuals may be able to retain control, but most organizations are in  a constant state of flux: new  physical computers join the network, configuration settings change, and new software applications are added.  The problem has gotten even worse with the increased emphasis on virtualization.  Tools made by companies like Microsoft and Symantec require Agents – software for managing patches and configuration settings -- be installed on the systems they are trying to protect.  If companies can’t get an agent installed on a machine, they can’t find it, and therefore can’t fix it!  The only realistic approach is to have patch management and configuration management software that can work without the need to install agents and has the ability to assess and fix both physical and virtual machines.   The Conficker.C variant is particularly nasty in that it targets security software in an effort to disable or render it ineffective.  The worm actually blocks the Microsoft patch management agent.   At Shavlik we focus on making technology that is simple and does not require software (agents) on the target computer.  We have always done this, and at a time like this, our product is uniquely qualified to combat the threat of Conficker.C!

 

We can talk about our free assessment for the missing patch and misconfigurations.

 

More details at:

 

http://www.shavlik.com/landingpage/20090326-conficker.aspx

Conficker.C: Will this virus make us April fools?

From Jason Miller:

A new version of the Conficker virus is scheduled to become active on April 1^st.  In early March, security researchers discovered the third variant of this virus, called Conficker.C.  The first two variants of the Conficker virus gained a lot of attention from the media security experts since first discovered in October.  While these variants generated hype, infection rate was minimal.

 

How was the infection rate kept low?  Security researchers were able to thoroughly research and block the effects of the virus.   Domain names the virus used were identified and taken offline by security researchers, effectively reducing the functionality of the virus and preventing it from establishing a controlling server.

The Conficker.C variant has undergone a major transformation into a potentially more malicious virus.   The author of the Conficker virus has obviously been monitoring the activities of the security researchers and has made changes that could finally unleash the full potential of the virus.

 The Conficker author has added in functionality to reduce defense mechanisms against the virus.  The virus will monitor active processes on machines.  If the process is one of many security tools, such as MSRT, Microsoft Windows Update, or various antivirus programs, the Conficker worm will shutdown those processes.  By doing so, security tools could be rendered useless on an infected machine.  In addition to rendering security tools useless, the Conficker virus will kill any attempt to apply the MS08-067 patch.  This is considerably alarming to me.  We have stated many times the first line of defense is to patch any and all machines on your network.  After patching your machines, you can run security tools to remove the virus.  If your systems are patched, you prevent the systems from being infected.  Patching a system also reduces the chance of re-infection of this worm.

Conficker.C will attempt to kill any process associated with the MS08-067 patch.  If you’re not already patched and you become infected, you have to remove the virus before patching. This increases the window of opportunity for the virus to spread.

On April 1^st, 2009, the Conficker.C variant will become active.  It is unknown at this time what payload will be delivered from the controlling servers.  This could range from Botnets to SPAM to advertising servers for adware. It could do evil or it could do nothing.

To avoid becoming April fools, if not already patched take steps to deploy MS08-067. Administrators have about 10 days to scan for and deploy MS08-067 to ensure their systems are patched and ready for whatever this havoc virus will bring.

Emergency patch MS08-067

(thank you to Jason Miller for the information below)

Microsoft has released an "out of band" security bulletin, MS08-067.  Although Microsoft has not done this type of a release lately, this has been done before by Microsoft.  In "out of band" releases, Microsoft will abandon their monthly patch cycle to address critical issues that cannot wait for the normal cycle.  Microsoft has reported they have seen targeted attacks using this vulnerability in the wild.  A targeted attack is an attack aimed at a specific group or company from a specific group.  Since the release, our data research team has started seeing reports from security industry experts about viruses being found in the wild exploiting this vulnerability.

 

This bulletin affects all Microsoft Windows operating systems.  On earlier but the most widely used versions of Windows (2000, XP, 2003), an attack can anonymously breach a system with this exploit.  With this in mind, this vulnerability requires no user interaction to be exploited by an evil attacker.  Simply running Windows can make you vulnerable to this exploit.  For users running newer versions of Windows (Vista, 2008), the attack cannot be anonymous and must use authenticated user credentials to exploit the vulnerability.  This does not mean it is not possible to exploit the vulnerability; this means it will not be as easy as exploiting an earlier version of Windows, but it should be patched anyway.

 

So, why is everyone making such uproar over this bulletin?  This could lead to next big virus, and given that we are aware of the need to install the patch we do not have an excuse to not do so, and to do so right away.  Get it done before the weekend, then maybe do a few scans to make sure its installed.

Vista slowing Microsoft?

From MSNBC MSFT could be down graded due to slow Vista adaption, that is a pretty big thing.

I believe Microsoft focused heavily on the new security items in their marketing of Vista but the value there is not catching on.  To me, its the only real value of Vista.

The industry may be learning that security in new software products is now a given but unless you are marketing  security products security is not something that can be used as they key item to sell a new product. 

My guess is Windows 7 will have great security but it will be much less marketed -- and Windows 7 will be fast, with great new value.   If it does not what will people migrate to when their XP machines wear out?

Gartner note on high cost of WSUS

I’m sure you may have already seen this…but just in case. The following excerpt is from a Gartner white paper called; “The Patch Management Market: Collision or Coexistence?” dated March 3, 2008. There was a very interesting nugget in it regarding WSUS…

“Although Microsoft has improved WSUS, client feedback suggests that WSUS is not as rich in content (pre-req/co-req) and as robust in targeting and reporting as the focused patch solutions. Thus, organizations accepting WSUS as "good enough" have significantly higher labor costs for content analysis, testing and deployment. Although Microsoft is making improvements to WSUS, we do not believe it will be a best-of-breed solution for patch management. Through 2012, the most-effective Windows patch management capabilities will be provided by point-solution vendors.”

May "Jet" patch has exploits

According to InformationWeek and others, the latest Microsoft  patch for Jet (MS08-028) has exploits.

since Jet is so widely used this is a key one to scan for and patch (as are all patches of course) depending on your role in security or operations management. 

Large Exploit of MS07-004

It seems there is a widespread attack around s/w missing MS07-004

From WebSense:

"This mass injection is remarkably similar to the attack we saw earlier this month. ...  Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications"

From News.com "Javascript injection claims UN and UK government sites"

InfoSec Europe vs. RSA 2008

We just got back from a week in London to attend InfoSec Europe, the biggest computer security show in EMEA.  Much like RSA is in the States InfoSec Europe is the show of the year for security people.

The attendance at InfoSec Europe was strong, our 20x30 booth was full for 3 days straight and the show runs long hours, in short it was busy.  RSA has similar traffic but we all agreed that the crowd in the UK was much more buyer focused than the RSA crowd which was more people walking around the show floor vs. seeking products to use.  Thus I would rate InfoSec Europe as the stronger show  at least from a vendor perspective.

Its not clear what this exactly means other than the people at InfoSec were there to find solutions vs. maybe people at RSA attend to go to security training sessions and are not as much there to find products to use.

I am also finding that industry, not just the security industry, is starting to bring security into the fold much more than in the past. Its becoming part of the IT culture now, which leads to a maturing of products to meet the needs of the corporation vs. all of us ISVs trying to create the new cool thing to attract the attention of the security experts.  It is also becoming very clear that industry wants stand-alone security products instead of having security added to existing management products, security is not just milk & sugar with your tea and people are now realizing that having been burnt by making the assumption that it is.  Just as there is Web 2.0 we are now in Security 2.0 - security as a key and independent part of IT.

One other item that came out very clearly in both shows, and we talked to 1000s of people over them, is WSUS is just not cutting it.  Customers need patching beyond the basics, and the patches missed by WSUS are critical and plentiful. 

These two  shows are back to back now with just a week in between, and they are about 8 time zones apart, making it hard for companies like ours to attend both in full force but we did it and our crew did a great job.  I got the sense other vendors send separate teams as I did not see the sample people at both shows, other than us.  Next year they are moving the shows even closer which seems a bit unfair, but at the end of the day it gives us in the industry at release month to shoot for, to assure we have our latest ready to show, much like we used to do at Comdex a while back.

Cheers

Eric Schultze at RSA 2008 video

Eric talks Patch Smack at RSA video

A bit more on RSA 2008

This article in Baseline Mag notes that the security markets are mature, much like I noted in my previous entry.  They have a different take which is interesting in that they claim the maturity means we have a seat the the CEO table, which is of course something security folk have been pushing for over the years.

On part of the article that does not seem to be occurring is that the big platform companies are taking over security.  Far from it, the big platform security solutions are disasters, security is too hard to get right to make it an under-managed add-on from a large vendor.  The markets are more likely heading to the case where there are two solutions, that cooperate, one does full management and the other does great security.  Things should be shared around reporting and remediation possibly and standards like SCAP are driving that, but right now there are no signs that the security industry is being absorbed by the large system vendors (HP, IBM etc.) In fact, Microsoft continues to create security products vs. just adding security features to their management products (SCCM/MOM/SMS).

RSA show 2008

EMC's RSA security show was last week, I believe its the largest security trade show in the world.  From my perspective the show was massive based on the number of vendor booths, it was not possible to learn what each vendor did - there was just too many booths and many of the booth people were not technical so they just pointed me to their brochures (ouch). 

Vendors ranged from Microsoft and other general s/w vendors who provide security add-ons and solutions, to the traditional security vendors such as Symantec and of course us. I talked to a number of security industry veterans, some of have being in the industry for well over 10 years, I also talked with a number of large companies (ISVs) who are adding security to their current offerings - both groups are driving a very practical level of security innovation into products vs. creating new ideas.

If I had to pick one take away from the show was that all vendors were driving solid, practical, somewhat basic solutions to meet security needs vs. create new ways to do things. In the near term this is good as the industry needs such solutions, but in the longer term a lack of the more crazy innovation will start to hurt the industry.  Any industry needs new ideas to be put into it all the time, with most new ideas failing but key ones catch on and drive change. 

I recently read that Henry Ford did not work with finance people because he felt they were anti-innovation, and maybe what we are seeing occurring is heavily funded companies who at this time are looking for safe returns and large companies who need to take care of large customer bases are taking over the trade show floors, and possibly the industry which could limit innovation.

The included show photo is not a very good photo, but its the best I have.  The show floor was much larger than this picture shows. I also attached a shot of crowd waiting for the Olympic Torch which was supposed to travel very close to the RSA show, with the torch re-route I am not sure it did, I had to get back to work so I could not wait around for it...

Server 2008 patch

Coming on Patch Tuesday:  Fixes for critical vulnerabilities affecting Windows Vista and Windows Server 2008.

The most interesting thing, in fact the surprising thing to me, are the patches for both Vista and Server 2008.  I am not surprised that here are patches, but for Server 2008 its a pretty fast patch post release. 

Network Configuration

As well noted in this SearchSecurity article:

“There's a perpetual buzz around software flaws and exploits researchers disclose daily, but security experts say it often distracts IT pros from a growing and more serious problem -- networks so sloppily configured and maintained that the bad guys can drive a virtual bulldozer through them without attracting attention.”

Having systems properly configured is a tenant of good security, certainly as key as patching, AV and firewalls are when focused on securing systems from outside access.  But if a system is not properly configured and the network becomes infected by malware, these defenses become ineffective.  What good is a firewall once the malicious code is running on your network, due to an attacker gaining insider access to the network?  Basic things like easy passwords, unsecured shares, over-used administrator accounts and user rights are easy to fix and even more easy to break.  When there is a time crunch, or when someone just needs something to work, it’s convenient for users to turn off the desktop firewall to get a business critical application running, or to open the Share to everyone to distribute a report, making a software developer an admin so they can test their software – the list goes on, and it’s done by both administrators and end-users.  Of course, this is not the right thing to do from a security perspective because this is how malware finds its way onto the network, and unfortunately it happens all the time. 

GPO can help, but it lacks a double check and it’s not easy to tell if things were setup right.  Much like WSUS, GPO can help the problem, with a fair amount of effort applied by the IT staff, but it does not go far enough.  What is needed is something that automatically double checks (we all make mistakes so double checks are a good thing) and automatically enforces IT security settings in accordance with policies, which creates both a cost savings (automation equals saving money when properly done), and it gives all of us a much needed second pair of eyes.  An added plus is we can report to the C-level staff that things are being continually fixed if they fall out of compliance with company policy.  These are very practical solutions.

As technical people we all know things are continually being changed on the network, and we know exactly where on our own networks.  The problem that often arises in companies is that the boss also knows things are being continually broken, but may not know where on the network, and a lack of proper reporting can make his or her job very difficult – it’s impossible to manage what you do not know.  If automated security configuration tools that include reporting capabilities are used this will eliminate the information gap.  The boss can do his or her job, we can do our job, and our networks are secured.

As the article notes, as we start to run patching software we will soon learn that we also need to run automated security configuration software, it just makes sense.  This is something I myself have been working on in one way or another since 1983, 25 years already, and maybe soon the problem will start to be solved!

security problems on upswing?

Security is very much in the headlines this week, nothing new really but in the near past it seemed the IT industry was moving security down its priority list and when ever that happens security becomes the news pretty quickly it seems.

For example news.com has 3 articles today:

• Vista Flash Security Flaw - shows the clear need to patch not only the OS but applications such as Adobe, Apple etc
• Malware to Blame in Super Market Data Breach
• Attackers booby-trap searches at top Web sites

RedmondMag:

Microsoft Issues Critical Out-of-Cycle Patch for Word, Excel Flaws - Late Wednesday, Microsoft released an out-of-cycle critical patch revision in the form of Security Bulletin MSO7-025 in an effort to stave off a barrage of remote code execution (RCE) exploits that popped up less than two weeks after Redmond's March patch rollout.

InformationWeek's home page:

• CA Patch - "This vulnerability is a big deal by itself, first because of the huge install-base of the affected products, and second because of the nature of these applications. Being able to compromise one of these systems in a corporation could make a quick stepping-stone to more crucial servers – especially considering how mushy-gushy most corporate network security is deep behind the DMZ.
• MacBook Hacked in Two Minutes "Security researchers from Independent Security Evaluators managed to hack a MacBook Air using a zero-day vulnerability in Apple's Safari 3.1 Web browser."

RSA show

Just back from vacation in NYC, and its nice to not have to pay someone every time I step out of a car...

Please stop by and visit us at the RSA show this year, we will have presenters from VMware, Juniper and of course best of all Mike Rothman from Security Incite and our own Eric Schultze.  We will cover the latest in security from all of us and our customers, including our new work in the Federal areas with SCAP and FDCC, cool new VM security management, and Juniper's integration with our line.

On other notes it seems Apple is pushing a copy of its Safari browser out to Windows users of iTunes, and with missing patches no less.  We are working on removing and patching this s/w shortly via Protect. 

New Patches

Update:

Here is a good overview of patch day from Bill Sisk at SearchSecurity.  One very big key, and I noted this below in regards to MBSA already:  "Most of the affected products in this particular bulletin are not detected by Microsoft Baseline Security Analyzer (MBSA) 2.0.1. However, Microsoft has worked with Shavlik Technologies to provide support for legacy security update detection. Please refer to the main MBSA website for additional information."  Or you can just to go http://www.shavlik.com/pDownloadForm4.aspx and get trial of our s/w to scan for these patches (and buy our product of course)

Microsoft has released four critical security bulletins this month, all in Office.  Sometimes Office is hard to patch with Altirus and SMS so be sure to use patching products (!) and be aware that tools like MBSA do not even do remote scans for Office patches (MBSA is not really a scanner tany more anyway but that is a different topic)

MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx

MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-015.mspx

MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx

MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)

Severity: Critical

http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx

Brett Favre

Since I am from Green Bay, WI(i) it was nice to see the post from Mike about Brett Favre.  I was at Favre's first game in '91 (Bengals with Boomer at QB) which was shortly after my brother and I watched Favre in practice in summer camp, all we knew was Favre liked to drink, was like 3-5 passing in his 1st season in the NFL, plus we gave a 1st round pick to Atl (rolled our eyes) for the guy, then we saw his great arm and it made us think, or better said hope.

Of coursr I still do not believe the NYG championship game is over, and it took me this long to even write on note on Favre's leaving the game. Its all a healing process.

Cancel Patch Tuesday?

Modern patch management products can patch about 1000 computers per hour via one person without requiring setup such as an agent, or if you are already using an agent that works too.  Products like SMS, Altirus and others are likely to take longer when unsupported products need to be patched as packages will need to be hand built and detection does not work, but again focused patching products take care of all this so its not really a problem, at least for those using them.

So -- with the right products now available could Microsoft now release patches as they exit test to shrink the vuln. window? Is it worth it?  What about known vulns that MS does not patch for months, this problem would not go away.  Its an interesting thought.

Dennis Fisher mentions a new way to look at Patch Tuesday (actually the old way as he notes)

Instead of leaving flaws unpatched for weeks between cycles, Microsoft should use its resources to produce high-quality patches shortly after vulnerabilities are discovered.

...

Patch Tuesday is perhaps the most anticipated and feared day of the month for network administrators and security managers. They wait eagerly for the next batch of patches from Redmond, glad to have some protection against attacks on the vulnerabilities that have popped up since the previous month's release. But they dread it too, and with good reason, given the massive amount of work involved in rolling out a dozen or more patches to thousands of systems.

Security Research for VMs just getting started

With all the changes VM management is going to bring to data centers and IT ops in general we can surely expect to see a rapid increase is research being done around VM security.

This artice about Core Security's lastest work in researching VM security gives a great example, and the research will of course lead to the need for security configuration and patching for all the VMs on networks

Core Security co-founder and CTO Iván Arce, “it’s wrong to think that just by spreading virtualization all over your organization you will be more secure.”

VM's brave new world

The world of VM security is just getting started, some say it’s the next big wave of security and I tend to agree.  In the pre-VM days you had to get a fairly big budget to buy a new server which created a fair amount of resistance to adding servers, which in turn made it easier to manage the servers you had since their number was limited.  You also only brought a server on line after taking the time to stage it. And for the most part it was running 7x24 so you could check on it whenever you wanted.  At the time it seemed hard, and it was, but compared the VM-based world it was easy.

Fast forward to today. It’s now very easy to add a server. You do not need to buy nearly as much hardware, VMs are easy to setup, and guess what? Vendors will deliver software on a VM, all you need to do is install and start it and you have a new product running on your network.  No need for a vendor to ship you a blade, they just need to send you a VM to load.

One day you have 1,000 Servers and a few weeks later you have 5,000.  While that’s good for storage vendors, it’s not good for you as you try to keep them secured and stable.  Of these 5,000 VMs several hundred are probably offline…ticking security time bombs and a problem you never had to worry about before.

Never mind all the desktops and mobile devices out there in your wild wild wild west. Never mind the crazy end-users downloading and installing software from the Internet. You have bigger problems now. Your data center is exploding with new servers, and people are running  servers all over the place, off-line, on-line everywhere.  And each of those virtual servers needs to be secured.

This brave new world is an area where we are working hard to help customers. From us being integrated into VMware, to us adding the full stack of security management solutions to our products so you can manage all your new servers. Offline, online, VMs from Microsoft, from VMware it doesn’t matter. You push the big green button and you secure your virtual world  the same you way you secure your physical servers today.

New Shavlik NetChk 6.0 release

We have released our latest, version 6.0 (thanks to our team, our partners and the customers we worked with to create, market and sell this release)- here is some customer feed-back, http://www.shavlik.com/products/testimonials.aspx  this is a shameless plug bog and maybe I am feeling a bit feisty today, but I guess if I do not talk about our products in a positive light why would any one else?

a few key items are the additional agent features along with more on-going network management user interface feature-adds.  We still find most of our customers use our agent-less for most tasks, like pushing a key patch to 1,000 servers per hour, or scanning 8,000 computers in about 2 hours, all without need to manage an additional infrastructure, the same is true for our malware management.  So why do we continue to work on our agent management?  Good question, one is the market perception that an agent is required -- but once users start going with agent-less they do not bother with agents, however some customers want to run our product on traveling computers or in DMZs so we continue to blend both agent and agent-less support in all our products.

Our agent and UI is multi-purpose, doing both patch and malware management, but I also like to say we also require on ZERO agents and one UI, or if your imbed our technology like Dell, Symantec, VMware, Juniper, Microsoft, Quest Software, BMC and others (hey, it must work) do you can even go with no UI... this flexibility is key

Another key driver for us is very accurate product coverage, I still get a smile when a WSUS user says they are patched when they are just covering some of Microsoft products when things work out -- the best case is not secure.  WSUS of course misses out on Java, Adobe, Flash, Blackberry Servers and others.  Get a demo version of our product and scan your key servers and desktops, if you do not find any missing critical patches please let me know. Our use the demo to shed some light on products keeping you in the dark while claiming otherwise.

What's next? more VM support in the near and long term, more work around malware and unwanted software which continues to be a big area of growth for us, and a new release of Shavlik NetChk Compliance with new general features along with a number of Federal Government standards such as SCAP being supported.  Beyond that is a more security and network management, more ease of use in which the Big Green Button can be pushed to solve problems, all managed with one UI and zero or one agent.  And as always - the best Microsoft focused solutions available

Microsoft patch managment - missing key items

I noticed this article in eweek with summary of "Opinion: Old and insecure third-party applications are the vector in more and more compromised systems. Here are some radical ideas for addressing the problem. " and I thought great; people are realizing the security risks in using WSUS as your only patching solution. 

Then I read the "radical" (in the fingers of the writer only) posed question of "What if third-party application vendors could design their applications to update through Windows Update?" and I immediately thought of how out of touch the writer is with the industry because building a security system that depends on vendors adding their own patches to a 3rd party system such as WSUS on their own is never going to happen. 

There are far too many patches coming from too many vendors to depend on such a system, if just a few vendors do not add in their patches we do not gain anything in the way of security as the bad guys will just keep looking for the missing patches not provided.  Instead, the industry needs an active 3rd party ISV community like those from us and other companies like us.  We search out for and support patches from vendors, some of which are placed deeply on product support sites where they are hard to find, then our customers just push a button and they get the patches installed on a regular basis, much like AV and Spyware vendors update signatures on a frequent basis.  We do not need "radical" ideas, we just need writers to look a little bit beyond Microsoft to let their readers know they have options that are widely available today.

At least the article's point of "That's why it's increasingly likely these days that successful attacks happen through old third-party applications with old vulnerabilities in them." was presented and its great to see more writers creating awareness around this issue.  Now if we can just get them to talk about solutions available today.

short sample of what MBSA 1.2.1's death leaves behind

From Eric Schultze (aka mr. patch), below is just a short list of security patches not supported by people still using the now dead MBSA 1.2.1, we only went back a few patch days.  The complete list is much larger, so as I noted in a blog from an hour a so ago, do not use mbsa 1.2.1 any more.

MS07-061 is the Critical patch released today by Microsoft for the URI issue.  It is not supported by MBSA 1.2.1  (not supported because the mssecure.xml file is no longer being updated)

Other recent bulletins not supported by MBSA 1.2:

Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017): MS07-059

Security Update for Outlook Express and Windows Mail (941202): MS07-056

Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099): MS07-054

Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778): MS07-053

Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522): MS07-052

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986): MS07-049

Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123): MS07-048

Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782): MS07-047 (for WMP 10+11)

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227): MS07-042

Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212): MS07-040

Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807): MS07-038

For Internet Explorer patches, MBSA 1.2 only does Win2K and XP (not WS03 or Vista or IE7 flavors of IE)

thanks for the props to Doug Barney

http://redmondmag.com/reports/article.asp?EditorialsID=605

An Almost Patch-Free Patch Tuesday
Last week, a computer luminary (let's call him Mark Shavlik) asked me over a lunch of chowder and butterfish (we live well here at Redmond magazine) what was going on with security. I dabbed the cream and clam juice from my beard, which gave me time to think (I was stalling).

I know security is the biggest issue but, like with the 9/11 attackers, we just aren't afraid anymore. On the Microsoft side, the older products are becoming legacy and have been patched so many times they look like a Three Stooges car tire. The newer products, so far as I can see, are more secure out of the box.

MBSA 1.2.1 is now dead

As of this patch day (Nov 2007) the agent-less security patch scanner, basically hfnetchk under the name of MBSA 1.2.1 is now dead and there is no direct replacement from Microsoft, They do recommend one of our products to help out but its not a full solution by itself.  MBSA 1.2.1 was the most widely used agent-less patch scanner ever released, and for good reason - it quickly helped people secure networks.

(As a disclosure or marketing notification, depending on your perspective: Shavlik Tech continues to provide a state-of-the-art agent-less security patch command line scanner based on hfnetchk and mbsa 1.2.1, we wrote both of them with and for Microsoft. Be aware that this is the only one available in the security markets with current patch support and true agent-less support, many vendors are using the word agent-less when they require agents, or they only run locally meaning they cannot be used to scan networks -- possibly a slight failure in truth in advertising but that is for you to decide. More info is at http://www.shavlik.com/netchk_analyzer.aspx).

What does this mean? first - you need to stop using MBSA 1.2.1 at once, its dead, pull it from your scripts, remove it from your tool kits.  Use our products or other products but do not use MBSA 1.2.1.  If you go with just the free WSUS be aware that it does not even support all of Microsoft's products, much-less other products like itunes, real-player etc that have security patches, and WSUS only works on computers that are running WSUS, there is no more agent-less scanning from Microsoft unless you use the product Microsoft recommends, which is of course our product to close the gap.  You may be happy knowing WSUS says you are secure, but the bad guys are even more happy because they will use agent-less scanners to find the missing patches on your network, and finding a machine w/o a WSUS agent is easy to do, and finding one with a WSUS agent that is not doing full patching is also easy to do.

As a short history we wrote MBSA for Microsoft so many years ago now, with a core value of agent-less and deep, full product scanning, something now missing in the free products from Microsoft.  1000s of companies use (or used it) MBSA 1.2.1 to secure millions of computers. They did this because agent-less scanners find all the computers on your networks then do deep scans looking for all products, not just a few.

Why do I care so much about an old, somewhat out dated free product?  Of course my preference is people buy our products and the death of MBSA 1.2.1 helps us there, but for those that do not buy from us, or someone else, it was nice knowing MBSA 1.2.1 was out there working away. Another concern I have is that no one seems to realize what the death of MBSA 1.2.1 means, yes, you can buy our products and others, but it also means there is no more free agent-less patch scanners from Microsoft, a big reason companies are now able to patch, and to double check they are doing a good job at it.  It also may mean people will become less patched, and less secure and not know it because they do not have a way to double check things in a reliably way, and worse they will run MBSA 2.0 and get less information than MBSA 1.2.1 + MBSA 2.0  + Enterprise Update Scan Tool (the old way) gave.

MBSA 1.2.1 Obit examples: there are more examples, these are just two I quickly copied into this post

(http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx)

MBSA 1.2.1 does not support detection for this security update. The Enterprise Update Scan Tool does (MARK: I do not think this scans beyond the machine its running on so be ware), and is what customers can use instead of MBSA 1.2.1. For download links and more information about the version of EST that is being released this month, see Microsoft Knowledge Base Article 894193. SMS customers should also see the heading, Systems Management Server, for more information about SMS and EST.

The following table provides the MBSA and EST detection summary for this security update.

Software	MBSA 1.2.1	EST	MBSA 2.0.1
Microsoft Virtual PC 2004	No	Yes	Yes
Microsoft Virtual Server 2005	No	Yes	Yes
Microsoft Virtual Server 2005 R2	No	Yes	Yes
Microsoft Virtual PC for Mac Version 6.1	No	No	No
Microsoft Virtual PC for Mac Version 7	No	No	No

icrosoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA (MARK: no MBSA 1.2.1 support) detection summary for this security update.

Software	MBSA 2.0.1
Windows XP Service Pack 2	Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2	Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Yes
Windows Server 2003 x64 Edition and Windows 2003 Server x64 Edition Service Pack 2	Yes
Windows Server 2003 with SP1 for Itanium based systems and Windows Server 2003 with SP2 for Itanium based systems	Yes

new location for xml.shavlik.com - FYI

WHO MAY BE AFFECTED: Shavlik customers who have modified their firewalls for outbound access to xml.shavlik.com

Dear Shavlik Customers:

In order to continue to provide you with the highest service levels possible, Shavlik has upgraded its xml server web farm.  This upgrade will help ensure that Shavlik data files are always available to you when you need them.

As a result of this upgrade, the Internet Protocol (IP) address for xml.shavlik.com will be changing.  Beginning on Saturday, December 1st, the DNS entry for the xml.shavlik.com server farm will be changed to 66.179.200.146. 

For most customers, this change will not impact normal Shavlik product usage.  However, for customers who have modified their firewalls for outbound IP access to xml.shavlik.com, a change may be required on the firewall to enable connectivity to this new IP address.

To assist customers with this transition, the xml.shavlik.com servers at their current IP address (216.182.10.4) will be updated and available through December 31st, 2007.  From today through December 31st 2007, XML files will be available from both the new and the old IP addresses.

Shavlik encourages customers who have opened outbound firewall access to xml.shavlik.com to modify their firewalls to allow access to this new IP address before the DNS change is made on December 1st.

If you have any questions about the XML server farm move or the IP address switch, please contact Shavlik support at support@shavlik.com or 866-407-5279 (intl: +1-651-407-5279).

Linux and MS server markets

I thought this trend was interesting (assuming IDC got it right), I was not aware that Microsoft has 70% of the server markets and Linux markes may be shrinking

http://www.eweek.com/article2/0,1759,2207368,00.asp

"The annual rate at which Linux is growing in the x86 server space has fallen from around 53 percent in 2003, when Windows Server growth was in the mid-20 percent range, to a negative 4 percent growth in calendar year 2006, IDC Quarterly Server Tracker figures show."

“In 2000, Windows comprised about half of the server operating system market, followed by Unix and Netware at about 17 percent each and Linux reaching towards 10 percent, she said, noting that today Windows owns about 70 percent, Linux about 20 percent, with Unix below 10 percent and Netware barely registering.”

New patches and malware

From the Shavlik Data Team:

Shavlik Technologies has released updated patch and spyware XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

[Patch]
XML data version = 1.1.3.3804 Last modified on 9/20/2007

This update includes the following changes:

- Added security update FF07-006 (QFF2070, QFF2071). Mozilla has released Firefox version 2.0.0.7.

- Added security update AI07-001 (QAI0742). Apple has released iTunes version 7.4.2.

- Added security update TB07-001 (QTB2006). Mozilla has released Thunderbird 2.0.0.6 which fixes multiple security vulnerabilities.

- Modified MS07-052. Fixed an issue where MS07-052 may not be properly detected as installed if Visual Studio 2003 and Visual Studio are installed on the same system.

- Added support for Office 2003 Service Pack 3.

- Added support for Project 2003 Service Pack 3.

- Added support for Visio 2003 Service Pack 3.

- Added support for Apple iTunes. ***

- Added support for Mozilla Thunderbird. ***

*** Note: Support for iTunes and Thunderbird are in console version 5.9 only.

[Spyware]
Version 5.6/5.8.1/5.9
XML Date: 09/20/2007
XML Version: 1.0.2.1572
XML Object Count: 112,558

Version 5.5
XML Date: 09/20/2007
XML Version: 1.0.2.1573
XML Object Count: 112,201

-Added Ultimate Fixer

-Added ErrClean

-Added Antispy Storm

-Added Dio Cleaner

-Added MenanceRescue

-Added Antiworm2008

-Added GoldenAntiSpy

-Added AntiSpywareSuite

-Added TrojansFilter

-Added new version of Perfect Cleaner

-Updated AVSystemCare
- Certain registry keys from similar Nonbizware programs could have created false positives


How to obtain the new Shavlik XML files:
The new XML files will be automatically downloaded to your NetChk console the next time a scan is performed. Alternatively, you may initiate a refresh of all Shavlik files, including the XML files, by selecting 'Tools-Refresh Files' from the menu bar in the NetChk console. For additional information on Shavlik data files, please visit http://forum.shavlik.com/viewtopic.php?t=4923

- The Shavlik XML Team

Exploit for MS07-051

There is an exploit out for the Microsoft Agent, MS07-051, out apparently just a few days after the patch

http://www.eweek.com/article2/0,1895,2183048,00.asp

Good WU story

This seems to be getting lots of air time, much like the NE Pats camera:

http://www.eweek.com/article2/0,1895,2182967,00.asp

"What the Hell Is Microsoft Doing with My Computer? "

Shavlik NetChk Compliance 3.0 release

We have received a solid response from our customers about the product since the January 2006 launch of our compliance solution Shavlik NetChk Compliance, which automates the management of critical system and security configurations for both assessment and remediation, The feedback we are getting is how it helps them lower operational costs and reduce their risk of exposure by automating many of the tasks required to assess system health and prepare for IT audits. 

We have also learned a number of key things about where the industry is at in regards to security compliance enforcement - in short we are just getting started at automating this, or for some even doing it at all.  The industry needs to head in this direction because w/o a properly configured computer security is just not possible, and a lot of money is spent to prove its not possible.  Like Edison said when he worked to commercialize the light bulb - he learned 1000s of ways to not make a long lasting bulb, its the same for security - as an industry we are still learning what does not work, but I do believe a solid automation around compliance does work, assuming it includes Patch Management and the removal of unwanted s/w of course!

We  listened to our customers about some desired new features for NetChk Compliance, and we incorporated those into NetChk Compliance 3.0, our latest version, this release is mostly built around adding what our customers asked us for, so the markets are starting to mature for Compliance management - which is good news.  We will be announcing general availability soon but I wanted to put a note out now.

We are always committed to providing a simplified, automated and flexible approach to compliance and security management as we are in all our products. We are finding that while managing networks from a policy compliance is hard work and time consuming, products like ours do help and are a great foundation to build from.  One key item in our release is the ability of customers to add in their own low, and lower, level checks so its easy to make specific policies such as which AV is running, or having the desktop F/W enabled if that F/W is not the MS F/W which we have built in support for.  Every company seems to want to focus on different aspects to create and enforce policy for, so while we provide a large number of built in items, the ability to add more is key since no matter how many we add, someone will need the one we do not have.  There is something like 2,000 possible things to create a security policy for on the Microsoft platform, its best to pick the top 10 to start with, and once that is well underway go to your top 100 etc. 

If you find that you are facing similar challenges keeping your environment in compliance or have found solutions that work for you, I would really like to hear about it.  Click my email link on the right

patch day

Microsoft has released nine new security bulletins today, six of them critical.  Shavlik is currently testing these patches and will release updated XML files shortly.

MS07-042: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-042.mspx

MS07-043: Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-043.mspx

MS07-044: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-044.mspx

MS07-045: Cumulative Security Update for Internet Explorer (937143)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx

MS07-046: Vulnerability in GDI Could Allow Remote Code Execution
(938829)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx

MS07-047: Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-047.mspx

MS07-048: Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx

MS07-049: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)
Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-049.mspx

MS07-050: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-050.mspx

Testing patches article

Here is an article we recently published on the importance of patch testing.

"Information technology personnel have grown accustomed to the virtual onslaught of security updates, or patches, released monthly, weekly and sometimes even daily for the key operating systems on their networks. With each of these security updates, a thousand questions need answering: “What does this patch fix?” “Does the risk actually impact my environment?” and more importantly “Will this update break my systems?”

It is inevitable — a security update will break something, or force network administrators to find a work-around to make a core application on their network function properly again. Knowing what security updates will affect the network is essential to ensure network uptime and minimize that technology demon known as “unscheduled downtime"

Patch, malware updates

Shavlik Technologies has released updated patch and spyware XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

[Patch]
XML data version = 1.1.3.3694  Last modified on 7/31/2007

This update includes the following changes:

- Added FF07-005 Firefox 2.0.0.6
- Added MSWU-145 Intel patch (already present for 5.9 customers, this patch has now been added for customers using NetChk version 5.8.1)
- Added MSWU-146 (KB936529) Some Interix-related functions do not work, and you cannot open a command shell after you upgrade computers to Windows Server 2003 with Service Pack 2 (versions 5.81 and 5.9 only)
- Added MSWU-149 Update for Windows XP (KB938828)
- Updated detection logic for Services for Unix

[Spyware]
Version 5.6/5.8.1/5.9
XML Date:  07/27/2007
XML Version:  1.0.2.1552
XML Object Count:  109,321

Version 5.5
XML Date:  07/27/2007
XML Version:  1.0.2.1553
XML Object Count:  108,964

Added ErrorProtector
Added LinkedIn Outlook Toolbar
Added LinkedIn Internet Explorer Toolbar Added ErrorSafe

Firefox 2.0.0.5

The Data team added security update FF07-004 (QFF2050, QFF2051): Added Firefox 2.0.0.5 as both a security update and software distribution.

From Shavlik data team

(From our security data team)

[Patch]

XML data version = 1.1.3.3654 Last modified on 7/13/2007

This update includes the following changes:

- Added update AQ07-702 (QAQ7200, QAQ7201) - Apple QuickTime 7.2 has been released. This fixes a number of security vulnerabilities.

- Added update APSB-0712 (QAF0947, QAF1947, QAF2947) - Flash Player update available to address security vulnerabilities.

- Modified MS06-078 - Modified downloads for x64 re-release.

- Modified MS07-040 - Added Tablet PC 2005 version of .NET Framework patch.

[Spyware]

Version 5.6/5.8.1/5.9

XML Date: 07/13/2007

XML Version: 1.0.2.1546

XML Object Count: 108,874

Version 5.5

XML Date: 07/13/2007

XML Version: 1.0.2.1547

XML Object Count: 108,517

Added Golden Eye

Added ADS Adware Remover

Added Antivirus Solution

Updated VirtualGirl2

- Certain registry keys were causing this signature to present false positive detections

Updated WebSnitch

- The file exeshl.dll was incorrectly being detected as Spyware when the Websnitch program was not installed

Updated Dr Antispy

- Certain registry keys were causing this signature to present false positive detections

July microsoft patches

Shavlik Technologies has released updated patch XML files for Shavlik HFNetChkPro and Shavlik NetChk Protect.

XML data version = 1.1.3.3638 Last modified on 7/10/2007

This update includes the following additions:

Microsoft Security Bulletin  MS07-036
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-036.mspx

Microsoft Security Bulletin MS07-037
Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548)                  
Max Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx
*** Note: Office 2007 is only supported in Shavlik HFNetchkPro 5.8.1 and 5.9

Microsoft Security Bulletin MS07-038
Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)                  
Max Severity: Moderate
http://www.microsoft.com/technet/security/Bulletin/MS07-038.mspx

Microsoft Security Bulletin MS07-039
Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-039.mspx

Microsoft Security Bulletin MS07-040
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx

Microsoft Security Bulletin MS07-041
Important Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)                  
Max Severity: Important
http://www.microsoft.com/technet/security/Bulletin/MS07-041.mspx

Re-Released:
Microsoft Security Bulletin MS06-078
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)                  
Max Severity: Critical
http://www.microsoft.com/technet/security/Bulletin/MS06-078.mspx

Added Update AQ07-006 (QAQ7006) - Security Update (QuickTime 7.1.6)
*** Note: Update AQ07-006 is only supported in Shavlik HFNetchkPro 5.9 only

How to obtain the new Shavlik XML files:
The new XML files will be automatically downloaded to your NetChk console the next time a scan is performed.  Alternatively, you may initiate a refresh of all Shavlik files, including the XML files, by selecting 'Tools-Refresh Files' from the menu bar in the NetChk console.  For additional information on Shavlik data files, please visit http://forum.shavlik.com/viewtopic.php?t=4923

- The Shavlik XML Team

UpdateExpert

UpdateEXPERT Database Notification from Shavlik Technologies's data team:

Shavlik Technologies has released updated files for the UpdateEXPERT patch database.

Database version = 2323 Last modified on 7/5/2007

This update includes the following changes:

New components (English):

- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

New components (German):

- Image Mastering API v2.0 (IMAPIv2.0) for Windows Server 2003 x64 Edition (KB932716)

- Windows Server 2003 may not start when the Volume Shadow Copy Service is enabled (KB931312)

- Background Intelligent Transfer Service (BITS) 2.5 for Windows Server 2003 (KB923845)

- The JScript version 5.6 Date object reports time in standard time instead of in daylight saving time after you apply the updates in Microsoft Knowledge Base articles 928388 and 932590 on a computer that is running Windows XP or Windows Server 2003 (KB933811)

- An update is available that improves the stability of the Windows Management Instrumentation repository in Windows XP (KB933062)

Please contact Shavlik Technologies Technical Support at support@shavlik.com if additional information is needed regarding updates to the UpdateEXPERT Database.

Thank you for using UpdateEXPERT as your patch management tool.

Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth’s other products. It’s tedious work.

MS' Security Response Center is one of the top Worst Jobs according to Popular Science

Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations).

More June Patch information

June 13, 2007 • Microsoft Patch Day Information
	Microsoft Releases Six New Security Bulletins Microsoft released 6 new security bulletins in June and updated 2 prior security bulletins. Of the 6 June bulletins, 4 are rated Critical on Microsoft's severity rating system, though Shavlik believes that another bulletin (MS07-032) should also be rated Critical.  Five of the six bulletins deal with client side vulnerabilities, meaning the end user would need to initiate an action on their computer such as visiting a malicious website, opening malformed files, or reading evil emails in order for an exploit to occur.  For customers running Windows XP, Shavlik recommends patching MS07-031 first. This is a flaw in the Operating System that can allow an attacker to execute code on an XP system when a user visits an evil website using https (SSL). Hours after release of the security bulletin, exploit code for this vulnerability was released to the Internet. For customers running Windows Vista, Shavlik recommends patching MS07-032 (Vista) and MS07-034 (Outlook Express) as soon as possible, followed closely by MS07-033 (Internet Explorer). Shavlik believes that MS07-032 should be rated Critical as it could allow unprivileged Vista users to obtain the administrative username and password for the Vista administrator. Contrary to Microsoft's bulletin, Shavlik also believes that this data can be retrieved remotely when combined with another Vista exploit (such as 07-033 or 07-044). The following patches have been added to the Shavlik XML file: Critical MS07-031 Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840) MS07-033 Cumulative Security Update for Internet Explorer (933566) MS07-034 Cumulative Security Update for Outlook Express and Windows Mail (929123) MS07-035 Vulnerability in Win 32 API Could Allow Remote Code Execution (935839) Important MS07-030 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051) Moderate MS07-032 Vulnerability in Windows Vista Could Allow Information Disclosure (931213)   Re-Released: MS07-018 Patch for Content Management Server 2002 SP2 has been updated to address problems with the original patch. MS07-012 Patches for Windows XP (x64) and Windows Server 2003 (all) have been updated to include Windows Server 2003 SP2 as an affected product. Additional information about these new security bulletins can be found on Microsoft’s TechNet Web site. Shavlik's Bulletin Analysis MS07-030: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051) http://www.microsoft.com/technet/security/Bulletin/MS07-030.mspx Severity: Important This is a client side vulnerability that impacts users running Visio 2002 and Visio 2003. If the user opens an attacker's evil Visio file, an attacker can take control of the user's computer. However, the attacker will only have the same level of permissions on the system as the currently logged on user. MS07-031: Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840) http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx Severity: Critical If a user visits an evil website using https (SSL), the evil website may be able to crash the browser, crash the computer, or execute code on the system. Windows 2000 and Windows Server 2003 systems are less vulnerable as the attack would not be able to execute code on these systems. Windows XP systems, however, are more vulnerable as the attacker would be able to execute code. Shavlik recommends patching Windows XP systems as soon as possible. MS07-032: Vulnerability in Windows Vista Could Allow Information Disclosure (931213) http://www.microsoft.com/technet/security/Bulletin/MS07-032.mspx Severity: Moderate A logged on user on a Vista system may be able to access sensitive information on the Vista system, including the administrator's username and password or password equivalent. Microsoft states that systems which have been upgraded from Windows XP may offer more sensitive information than systems that performed fresh installations of Vista. The patch secures the 'information store' so that lower privileged users won't have access to this data. While Microsoft claims this is of Moderate severity, Shavlik believes this should be rated Critical for Vista systems. Further, Shavlik believes it may be possible for attackers to retrieve this information remotely when combined with another Vista exploit. Shavlik recommends installing this patch immediately to all Vista systems. MS07-033: Cumulative Security Update for Internet Explorer (933566) http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx Severity: Critical This Internet Explorer patch impacts all Operating Systems (Windows 2000 through Vista) and addresses 6 flaws in the browser. The patch is applicable to all current browser releases, including Internet Explorer 7. Of the 6 vulnerabilities, one of these vulnerabilities was publicly known prior to the patch release. Like prior IE vulnerabilities, if a user visits an attacker's web page, the attacker may execute evil code on the user's computer. Shavlik recommends installing this patch as soon as possible on client systems. MS07-034: Cumulative Security Update for Outlook Express and Windows Mail (929123) http://www.microsoft.com/technet/security/Bulletin/MS07-034.mspx Severity: Critical This patch corrects several vulnerabilities in Outlook Express (part of Internet Explorer) that could allow an attacker complete control of ther user's system. Users running Vista are at greatest risk - clicking on a received email in Outlook Express could allow the attacker to execute code on the Vista system. Users on earlier Operating Systems that click on a malicious email may allow an attacker to access information from their system, but are safe from evil code execution. MS07-035: Vulnerability in Win 32 API Could Allow Remote Code Execution (935839) http://www.microsoft.com/technet/security/Bulletin/MS07-035.mspx Severity: Critical An Operating System vulnerability exists on Windows 2000, XP, and Windows Server 2003 systems that would allow an attacker to execute code on a user's system. In this instance, the user would need to either visit the attacker's website or execute a custom (evil) application on their local system. Microsoft is not aware of any public exploits for this vulnerability. How to Obtain the New Shavlik XML File The new XML file will be automatically downloaded to your NetChk console the next time a scan is performed. Alternatively, you may initiate a refresh of all Shavlik files, including the XML files, by selecting 'Tools-Refresh Files' from the menu bar in the NetChk console.  For additional information on Shavlik data files, please visit http://forum.shavlik.com/viewtopic.php?t=4923 Shavlik Resources Receive an email each time Shavlik releases updated patch and/or spyware data files. Also receive an immediate notification when Microsoft releases new patches.  Subscribe to http://www.shavlik.com/support/xmlsubscribe.aspx Stay up to date with patch management topics. Subscribe to http://www.patchmanagement.org