• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

April Patch Day 2016 – Daily Security Byte EP. 247

April 12, 2016 By Corey Nachreiner

Microsoft and Adobe have delivered a fresh batch of security updates for April. If you use products from either vendor, watch today’s short Security Byte to get a summary of the updates, and more importantly, follow the links below to get your patches.

(Episode Runtime: 2:00)

Direct YouTube Link: https://www.youtube.com/watch?v=r95SPareQU4

EPISODE REFERENCES:

  • Microsoft Patch Day summary for April 2016 – Microsoft
  • Adobe’s April Security updates – Adobe

— Corey Nachreiner, CISSP (@SecAdept)

Share This:

Related

Filed Under: Security Bytes Tagged With: Adobe, Hacking, Infosec news, Internet Explorer, Microsoft, Software vulnerabilities, Updates and patches

Comments

  1. Chris says

    April 14, 2016 at 1:11 am

    @Corey – you should have a word with your team – I just noticed that my Watchguard device does not update itself, and does not even tell me that an update exists, not even when I log in to the admin panel – I have to manually go and check for updates in the control panel for every device to see if there’s something I need to update to.

    Not the best idea for a security focused product!

    Reply
  2. Corey Nachreiner says

    April 14, 2016 at 9:44 am

    Chris,

    Thanks for sharing the feedback. I’ll share it with the Product Managers here, although know we already have some of the features you describe.

    First, as far as fully automated updates, I wouldn’t expect those soon… but for good reason. We are a hardware gateway device that is critical to production networks, and our updates require re-uploading firmware, and rebooting the device between you and the Internet. It’s a more involved process that just updating a Windows desktop, many of which aren’t critical to everyday business. Because our device is critical to your Internet connect, I doubt we’ll ever take a purely automated update approach, since administrators would not want to disrupt their production network during an unscheduled period.

    It’s like Windows desktop updates vs Server updates. You probably have all your desktops set to automatically take updates and install them at the next reboot. That’s not too disruptive for user desktops. However, you probably don’t have server updates set to automatic, because these are mission critical machines, and you want to at least test and decide when to push those update so you don’t disrupt business. The Firebox falls in the server class of things (especially as your Internet gateway), so automatic updates are undesirable to most people.

    That said, Our product and UI should absolutely TELL you when an update is available, and it does. If you have the latest version of Fireware, in the web UI you can go to:

    System => Upgrade OS

    And it will tell you if there is a newer version available. We do have some feature requests that take this further, perhaps automatically downloading the latest Fireware to the box, but not applying it unless the admin presses button. However, our storage limitation make this hard. We may also be more aggressive about alerting about updates in the main WebUI dashboard, but in either case, our WebUI will tell you if there’s an update you are missing.

    You might also notice, when we release an update with a big security fix, I inform customers about it on this blog as well.

    Thanks again, for the feedback.

    Reply
  3. Chris says

    April 14, 2016 at 4:01 pm

    Please ask your team to make a self-auto-update *option* available. I know better than you when/if my internet is needed, and also when/if it’s OK to be running an outdated unpatched O/S 🙂

    I forgot to note what fireware version I was on, but it didn’t “tell” me until I logged in and looked under “system”. Maybe the latest version will? Either way – asking humans to regularly poll for all their firmware patches is unsustainable. For the handful of clients you have who might be unable to “suffer” 5 minutes of downtime at 2am on sundays (or whatever) for automatic updating, you should “push” a notice to them so they know what to do. (I don’t know when your last blog message mentioned this – I don’t recall seeing it, but I’ve only been subscribed a few months – either way – notice in a blog is not what I mean; direct message to a nominated patch admin is needed)

    is this important?

    My HP proliant’s iLo did not auto-update – hackers got in, screwed with my firmware, and exfiltrated my admin credentials. It has only rudimentary logging; so we have no idea what else they did. What do I now do with that $12,000 server with a questionable BIOS running? Will I ever get back (or paid for) all the subsequent weeks of cleanup? Who’s fault was it?

    Answer = mine = for not telling HP to take security seriously and allow important patches to be auto-updated.

    I don’t make mistakes a second time.

    Reply
    • Corey Nachreiner says

      April 15, 2016 at 4:56 am

      Chris,

      I will pass it on. I guess there is no reason not to have an “optional” auto-update mechanism. I think we’d still have it disabled by default. In any case, I think we both agree that aggressively keeping your software and hardware up-to-date, especially for the latest security fixes, is a very important thing to do. I’ll share your requests with PM. Thanks for giving us the feedback.

      Oh yeah, and if you want an example of some of the posts that tell you to patch our products, this is the last one I remember:

      https://watchguardsecuritycenter.com/2016/02/16/dimension-2-0-1-update-1-fixes-openssl-flaw/

      I didn’t have to tell you to Patch Fireware since the flaw wasn’t exposed there. I do also mention it in videos when I talk about updates to something like OpenSSL, which affect our products too.

      Cheers,
      Corey

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • 3CX Supply Chain Attack
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use