There has been a lot of activity since October’s Patch Tuesday. During that short period of time, Oracle released its quarterly CPU, including an update for Java JRE; Adobe resolved a zero-day in Flash Player; a security researcher identified a new form of attack called AtomBombing; and there has been some rising discussion around the Server 2016 servicing model.
The week following Patch Tuesday, the week of October 17th, Oracle released its quarterly CPU, resolving 253 vulnerabilities across all of its products. Java JRE was included in this update and resolved seven vulnerabilities. All seven were remotely executable without the need for authentication, and three of them had a CVSS score of 9.6.
Still, Java was on the lower end of the total vulnerabilities addressed in Oracle’s CPU for individual products. Middleware, MySQL, and a few others had roughly 30 vulnerabilities resolved, and many of the products updated had 8.0+ CVSS scores, with some as high as 9.8. If you have not already started evaluating updates for Java and other Oracle products you’re running, be sure to include them in your November testing, as there are some fairly high risk vulnerabilities out there.
Later in the month, on October 26th, Adobe released a critical update for Flash Player (APSB16-36), resolving a zero-day vulnerability (CVE-2016-7855). That release started the clock for all other vendors that ship the Adobe Flash plug-in. Keep in mind that when a Flash update occurs, the plug-ins for Internet Explorer, Firefox and Chrome also need to be updated.
Firefox uses the NPAPI implementation of Flash, which was also made available on October 26th. The update for Flash for IE (MS16-128) was released on October 27th, plugging the Flash vulnerability, but another related vulnerability still exists in Windows that apparently allowed the exploit in the wild. Google’s research team disclosed this additional vulnerability after their seven-day disclosure timeframe expired. Microsoft has acknowledged the vulnerability and stated that a fix will be included on November 8th (Patch Tuesday).
Google Chrome has two ways of implementing Flash, one of which relies on Chrome itself being updated. If you’re using the Pepper plug-in, its update was released on October 26th. If you’re using the traditional plug-in, however, Google Chrome itself must be updated, and that update was made available on November 1st.
I know it’s a bit of a whirlwind. Long story short, make sure you’re updating all variations of Flash to ensure this zero-day vulnerability has been plugged up. The Microsoft vulnerability is exploitable as long as the Flash vulnerability is exposed, but once you update the Flash zero-day, you are effectively covered until the Microsoft update releases. That is, barring another Flash vulnerability that allows exploitation of the Microsoft vulnerability.
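To make the "every variant has to be updated" point concrete, here is an added triage script (not from the original post) that checks each Flash plug-in variant on each host against the patched build and flags hosts where any variant is still behind. The patched build number and the host inventory are constructed placeholders; take the real build from the APSB16-36 bulletin.

```python
from __future__ import annotations

# Placeholder build number (assumption, not the real value from APSB16-36);
# replace it with the build listed in the Adobe bulletin.
PATCHED_BUILD = "23.0.0.200"


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted build into integers so comparison is numeric.
    Plain string comparison would mis-order '9.0.0.0' above '10.0.0.0'."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed: str, patched: str = PATCHED_BUILD) -> bool:
    """True when the installed build is at or above the patched build."""
    return parse_version(installed) >= parse_version(patched)


def exposed_variants(host_inventory: dict[str, str],
                     patched: str = PATCHED_BUILD) -> list[str]:
    """Return the plug-in variants on one host that are still below the
    patched build. A host is only covered when every variant passes,
    because each browser loads its own copy (ActiveX, NPAPI, Pepper)."""
    return sorted(name for name, ver in host_inventory.items()
                  if not is_patched(ver, patched))


def triage(fleet: dict[str, dict[str, str]],
           patched: str = PATCHED_BUILD) -> dict[str, list[str]]:
    """Map hostname -> still-exposed variants; fully patched hosts are omitted."""
    findings = {}
    for host, inventory in fleet.items():
        gaps = exposed_variants(inventory, patched)
        if gaps:
            findings[host] = gaps
    return findings


# Constructed sample inventory: variant name -> installed build per host.
SAMPLE_FLEET = {
    "ws-01": {"ActiveX": "23.0.0.200", "NPAPI": "23.0.0.200", "PPAPI": "23.0.0.200"},
    "ws-02": {"ActiveX": "23.0.0.200", "NPAPI": "23.0.0.185", "PPAPI": "23.0.0.200"},
    "ws-03": {"ActiveX": "9.0.0.0", "PPAPI": "23.0.0.185"},
}

if __name__ == "__main__":
    for host, gaps in triage(SAMPLE_FLEET).items():
        print(f"{host}: still exposed via {', '.join(gaps)}")
```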
In October, Microsoft changed its servicing model for pre-Windows 10 systems. In a blog post the Microsoft team talks about offering the flexibility for you to choose a ‘Security Only’ and/or a ‘Security Quality’ option to build your patch management strategy around each month. Because of these statements, some people have questioned how Microsoft is handling updates on Server 2016.
The reality is, Server 2016 updates are exactly like Windows 10; they’re cumulative bundles that include all the same updates that came before. That said, it will be interesting to see if a ‘Security Only’ option does become available in November or sometime in the near future. I expect a number of Microsoft customers would appreciate the option for Server 2016.
We are less than a week away from November Patch Tuesday, and as you can see, there is already a significant buildup of issues to deal with. Knowing this, I would forecast that the third-party front is going to be lighter than normal, and would guess we’ll see an average workload from Microsoft – somewhere around ten or so bulletins being released.