Don’t Get Taken on a Holiday Phishing Expedition

Ah, the holidays. A time of joy, reflection, and often, missives expected and surprising, from locales far and near.

I have unexpectedly received just such a missive, and shared it below, with commentary I hope you will find helpful.

  • Return address

For starters, the envelope containing this delightful letter said it was from Manulife Financial, a legitimate company. In Canada, not Hong Kong.

The address of Mr. Lee’s unnamed investment bank is 9 Wing Hong Street, Cheung Sha Wan, Kowloon, Hong Kong. A quick search of Google Maps reveals that this is the location of a building known as the Global Gateway Tower. This property is managed by Henderson Property Agency Limited, which has not updated the property’s Web site since 2014. Hmm.

  • Email address

Mr. Lee, the letter’s putative author, apparently has no work email, as the “private email address” he provided to me is andylee598@yahoo.com.

  • Logo

As for the letter itself, it never states the name of the investment bank that employs its author, Andy Lee. But it does have a logo—one that closely resembles an inverted version of the logo of Toronto Dominion Bank. Another Canadian institution not based in Hong Kong.

  • Incorrect name

Also, he was apparently too excited to get my name completely right. It’s correct on the envelope, but the letter’s header says that it’s a “personal memo for Michael Dalton.” Not quite my name, but close. And the inside salutation? “Dear Michael E.” Which is my correct middle initial, a matter of public record.

  • False information

According to the letter, my relative, James Dortch, was an engineer and co-owner of Jameson & Erikson Electric Inc., “a Hong Kong based [sic] Private Electricity Company,” before he “died intestate in a ghastly car crash.” There is no such company, according to Google Search. And while Mr. Lee writes that “[a]ll efforts made by our bank to locate his relatives have been unsuccessful,” my cousin James is very much alive—you can easily find him on Facebook.

  • The mega-rich relative I never knew about

Nonetheless, Mr. Lee claims that James Dortch left an account containing “sums up to USD$47.5 Million United States Dollars” with “an open beneficiary status.”

Further, Mr. Lee asserts that if I will simply contact him, he will set the wheels in motion to make it possible for me to claim my late relative’s multi-million-dollar legacy. For his work “from the inside to make sure all needed information and evidences are provided” to back up my claim, Mr. Lee would receive 50 percent of that $47.5 million, and I’d get the rest. All I have to do is email Mr. Lee with a number at which he can call me to initiate the claims process.

Upon reflection, I believe I will forego Mr. Lee’s generous offer. And if you or anyone you know gets a letter like this, during the holidays or at any other time, you should, too. It took me about seven minutes of cursory online research to confirm that this is a really badly done attempt at phishing. But I have no doubt at least someone reading this right now knows someone who has fallen or almost fallen for a similarly transparent scam.

Stay vigilant!

The holidays are a great time for giving, and receiving. Just make sure you investigate every invitation you receive, and only give what you want to those you know. And if someone sends you an invitation such as the one I received, keep your holidays happy. Tell them politely but firmly to “go phish”—elsewhere.

The Cybersecurity Skills Shortage: Threat AND Opportunity for IT?

To paraphrase iconic singer/songwriter Donovan Leitch, who borrowed the idea from a Buddhist saying, “First, there is a cybersecurity skills shortage, then there is no shortage, then there is.”

A recent Computerworld article highlighted a US Department of Homeland Security (DHS) blog post, in which a DHS official argued that the much-publicized cybersecurity skills shortage is a myth.

In that post, the DHS official offered as evidence the 14,000 applicants, including 2,000 walk-ins, who attended a DHS job fair last July. “[W]hile not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event. The amount of talent available to hire was so great, we stayed well into the night interviewing potential employees.”

Perhaps unsurprisingly, the Computerworld article contrasts DHS’s interpretation of its job fair experience with the findings of numerous others outside of government. “For instance, a report released one day before the government’s job fair in July, Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), pointed to a ‘talent shortage crisis’ of cybersecurity skills.”

Of course, the question isn’t whether there is or is not a cybersecurity skills shortage. The real question is, how can your company avoid the negative effects of such a shortage, now or in the future?

If skills are the question, technology is the answer

The right combination of skills, technologies, and processes can maximize the business value of the skills already in place at your organization. That combination can also help your organization to deal with any difficulties in expanding your cybersecurity team, by instead expanding the reach of the people you already have and the knowledge and experience they possess.

These benefits are equally applicable beyond cybersecurity. Technologies and processes that automate mundane tasks effectively and enable well-managed collection, sharing, and application of knowledge can aid your organization’s IT asset management (ITAM), IT service management (ITSM), and other efforts as well.

However, given the highly publicized challenges and risks associated with ransomware and other cybersecurity threats, cybersecurity may be the starting point that delivers the most benefits soonest.

LANDESK, AppSense, and Shavlik solutions—and the skills and experience of their developers, resellers, and partners—can help you to ensure that your business can do business safely and efficiently. No matter how the availability of skilled, experienced personnel may ebb and flow. Visit us online, or contact your representative, to begin implementing the solutions and processes that protect and enable your people and your business.

Cybersecurity: A Marketing Opportunity for IT

The good folks at TechTarget operate multiple IT-related websites. One of these is the IT Knowledge Exchange, “a TechTarget Expert Community” that features questions and answers, discussions, and blogs posted by IT folks of various roles and levels of expertise.

Cybersecurity training

A recently posted discussion question asks this: “What systems and policies have you put in place to make business employees more IT proficient and self-sufficient?” I believe that cybersecurity training and outreach from IT can contribute greatly to making users “more IT proficient and self-sufficient,” and provide additional benefits to users, IT, and the business.

Most ransomware and other malware enters most enterprises via legitimate-looking but bogus phishing emails and website links. According to the Verizon 2016 Data Breach Investigations Report, more than 20 percent of phishing emails get opened. The report adds that more than 12 percent of those who open those emails click on the links to malware in the messages.

IT can and should provide training, content, and repeated contacts to help users to understand this and be more diligent in looking for, spotting, reporting, and not opening bogus emails. Doing so can help to transform those users from weakest links to first lines of enterprise cybersecurity defense.

Transforming the perception of IT

Such outreach can also help to transform the perception of IT by users and line-of-business leaders. These constituents often view IT as “the bad guys” who impose rules and tools that frustrate and annoy. Helping to make users more secure and more security-savvy can get more of them to see IT as enablers and accelerators of user productivity and business agility. Which can only be good for IT and the rest of the business.

If you’re in IT and already providing cybersecurity training and outreach, keep up the good work. Remember that cybersecurity is a marathon and not a sprint, and that repetition enhances retention and understanding. In other words, that one-time run-through of cybersecurity basics during employee onboarding and orientation is a beginning, not an end.

If you’re not already conducting coordinated, repeated cybersecurity training and outreach, start now. Share some of the resources in the LANDESK ransomware blog post archive with your users. Not all at once, of course. Maybe something new once a week or once a month, accompanied by any news you want to share about new cybersecurity-related applications, patches, processes, or tips. Maybe even content or inspiration you find at TechTarget’s IT Knowledge Exchange or other online discussion areas.

Of course, your training and outreach efforts can be made even more effective if you’re delivering the best possible cybersecurity protections behind the scenes. And of course, we can help you there as well. Check out our solutions online, or contact your LANDESK, AppSense, or Shavlik representative.

‘What Device Is That?’ Visibility to See the Unseen

When I look at my home network, it isn’t easy to determine which device is which. So when I’m looking at the number of devices connected to the corporate network, I’m amazed.

The game of hide-and-seek to find a new device (or even an application) and determine its legitimacy can be painful.

This is why visibility is so important. Without it, consider the following challenges you face among IT priorities:

  • Security

The threats you don’t know about can be the scariest. Whether it’s a rogue device or malware brought in through a new app, it doesn’t belong.

You need to know when a threat exists in order to ensure it’s removed.

  • Asset management

You don’t want to fail an audit, nor do you want to buy unnecessary licenses. You need visibility to know what software is running, when and where it’s being used—as well as the associated allocations—in order to maintain compliance.

  • Endpoint management

Users replace BYO devices all the time, but are you sure that new device you’re seeing belongs to one of your users? You need to know so you can take appropriate action.

  • Service management

Without visibility, it’s hard to deliver optimal experiences. Service management teams need to see and understand the impact changes have on services and processes in order to ensure quality.

That’s why we’re excited about our latest LANDESK product releases.

We’re delivering the tools you need so you can see what is entering your environment, be it new hardware or software, and all the necessary information so you can take action.

We’re showing these new solutions and more at Gartner Symposium/ITxpo this week. Stop by booth #413 to learn more!

Windows 10 Security Mitigations When You Can’t Apply Cumulative Updates

The introduction of Windows 10 cumulative updates will force enterprises to make a difficult choice: security or availability. Security in the sense of eliminating the risk of known vulnerabilities through patching. Availability where an application or Windows 10 feature only works when an update isn’t applied. Enterprises will need to plan on Windows 10 security mitigations when applying cumulative updates isn’t an option.

Bad Patches

Bad patches are like any other software bugs: they happen. In speaking with many of our customers, we hear about them experiencing bad Windows patches a few times a year. When these patches are applied, they break functionality in Windows or 3rd party applications. Sometimes Microsoft needs to fix something – sometimes a 3rd party vendor (see Windows 10 Cumulative Updates Overview for an example with Citrix XenDesktop). In the past, the solution was fairly straightforward: don’t apply the bad patch, address the security risk of the vulnerabilities in that patch, wait for a fixed patch or 3rd party software to be released, apply the improved patch or software and move forward.

Windows 10 Security Mitigations

With the cumulative updates, selectively applying patches is over. Rather than fretting over the situation, there are a number of mitigations that might be applied in place of the update when issues arise. In April 2014, Gartner’s Neil MacDonald wrote a report on Best Practices for Secure Use of Windows XP After Support Ends to address the issues of not being able to patch vulnerabilities that would continue to be found. Many of these practices can be used with Windows 10 for these situations where a patch breaks functionality. These practices can also be used persistently, but are often seen as too restrictive. Consider these approaches as part of a flexible security strategy that goes along with your patch management program. I will highlight a few of the practices in that report that can be addressed with LANDESK solutions.

Restrict Network Connectivity to the Minimum Possible

This can be challenging for many client systems, but easier to achieve with fixed function devices like kiosks or POS systems. LANDESK Security Suite can limit network connectivity through Windows firewall management or the LANDESK firewall.

Whitelisting

Whitelisting is a very effective method of securing a system as it stops unauthorized applications from running. LANDESK Security Suite and our recently acquired AppSense Application Manager both provide industry leading whitelisting with plans to blend both capabilities in future product releases.

Remove Administrative Rights

Many Microsoft vulnerabilities can be mitigated if the user does not run with an administrator account. Removing administrative rights is easy, but the limitations from such an action often stop organizations from taking this step. Privilege management software, including AppSense Application Manager, can be used to grant privileges to applications that need them so users can use non-administrative accounts. On the reverse, privilege management software can also be used to remove administrative rights from an application that is vulnerable and cannot be patched.

Address the Most Common Attack Vectors — Web Browsing and Email

There are a number of things that go into securing web browsing and email. Neil mentions the following controls:

  • Patch Management: As discussed in my previous article, 3rd party patch management is a strength of LANDESK Patch Manager
  • Containerization: there are a number of solutions that use technology to isolate applications, including our partner Bufferzone. With these solutions, attacks are contained to that application and are unable to spread to the operating system or other applications.

Keep the Rest of the Software Stack Updated Where Possible, Including Office

Can I get one more amen for patch management? Enough said.

Use an IPS to Shield Systems from Attack

LANDESK Security Suite includes a Host Intrusion Prevention component to address behavioral based attacks and apply file protection rules. Add to that, LANDESK Antivirus brings an industry leading antimalware engine.

Disable USB Ports and CD/DVD Drives

Often malware is introduced through removable media. LANDESK Security Suite provides device control to disable external media devices, make them read-only, and/or shadow copy files that move across those devices.

Key Takeaways

Here are some points to remember and share:

  • Expect Windows 10 cumulative updates to occasionally break features or 3rd party applications
  • Selective application of patches is no longer an option with Windows 10
  • Build out a strategy of security mitigations when applying the cumulative update isn’t feasible

This article marks a stopping point for this series. There will likely be updates and changes to this conversation as new branch upgrades are released, but this gives you a solid foundation. Hopefully this series has been helpful and I wish you great success with Managing Windows 10 updates.

Managing Windows 10 Cumulative Updates with LANDESK

Managing Windows 10 cumulative updates with LANDESK leverages years of features and expertise in patch management. LANDESK Patch Manager provides automated assessment and targeting, robust network-sensitive update distribution, third-party patching, and custom patch definitions, all of which make a comprehensive solution for Windows 10 patch management. This article will explore the capabilities in LANDESK Patch Manager that address Windows 10 cumulative updates.

Automated Assessment and Targeting

LANDESK Patch Manager provides content to identify computers missing cumulative updates and then target those computers for automated or approved remediation. Content is specific to Windows 10 branches which enables proper targeting of cumulative updates to the appropriate computers.

Update Distribution

As detailed in my Windows 10 Cumulative Updates Overview, the large size of the updates is one of the biggest challenges that enterprises will need to address. The challenge of distributing these large packages, at least monthly, requires strong software distribution capabilities. LANDESK Patch Manager leverages best in industry distribution capabilities to quickly push packages while minimizing the impact on the network. Such capabilities include:

  • Targeted multicasting: efficiently distributes packages to multiple computers through network efficient communications.
  • Peer-to-peer downloading: peer-to-peer technology enables computers on the same subnet to share packages eliminating the need to communicate across slow links or overwhelming a single server.
  • Bandwidth throttling: throttling limits the amount of traffic a computer uses to preserve network capacity for other communications.
  • Distribution servers: Distribution servers can be designated to host packages in different locations so updates only need to be downloaded once across slow WAN links that connect remote sites to a central datacenter.
  • Checkpoint restart: nothing is more annoying than having to restart a download. With automated checkpoint restart, package downloads can continue where they left off if a system gets disconnected.

Third-Party Application Patching

I continue to be shocked when I speak with enterprises who are not patching their third-party applications. Some are painfully packaging applications for distribution one update at a time, while many others are doing nothing. If there is one thing to be learned from Windows 10 cumulative updates, it is that 3rd party application compatibility is at continuous risk and the need to update such applications rapidly is more important than ever. With LANDESK Patch Manager, thousands of common third-party applications are analyzed to create content that enables silent detection and update of such applications.

Custom Application Patching

For those applications not in our extensive catalog, there is also the option to create a custom definition to detect and update the application. This capability can be particularly beneficial for internally developed applications which will also be under compatibility pressure with Windows 10 updates.

Systematic Rollout of Cumulative Updates

In my previous article on using LANDESK for Branch Upgrades, I discussed the use of the feature, Rollout Projects, to systematically deploy branches. The same feature can be used to deploy Windows 10 Cumulative Updates (as well as any other update, branch, or software package). Rollout Projects automates the assessment, distribution, and installation of updates to groups of computers in a predefined order.

Steps can be defined to sequence different rollout groups to have a measured approach to updates. Each step can have exit criteria before moving on to the next step. Exit criteria include:

  • Minimum success rate of systems upgraded
  • Minimum duration of executing that step to give time to identify potential issues
  • Email approval if you need manual change control to proceed

These exit criteria enable the complex process of rolling out branch upgrades to proceed automatically, but with controls to stop rollout issues from spreading.

Key Takeaways

LANDESK Patch Manager solves the challenge of managing Windows 10 cumulative updates through:

  • Automated identification of vulnerable Windows 10 computers
  • Network-sensitive update distribution
  • Extensive catalog of third-party application patching
  • Custom patch definition
  • Systematic project-style roll out of patches

In the next and final article in this series, I will explore security mitigations for when you can’t apply Windows 10 cumulative updates.

Windows 10 Cumulative Updates and Branches

Windows 10 cumulative updates and branches have a critical relationship. Failing to understand the branch lifecycle can create risk for any patch management program. Much of this article will be a rehash of previous articles I’ve written on Windows 10 branch upgrade management, but it is so important to understand this relationship that I’m going to cover this topic again with an angle on the impact to cumulative updates.

Windows 10 Branch Lifecycle

From the time that a new branch is released, there is a minimum lifecycle of 18 months broken down in the following phases:

  • General Availability (GA) with Current Branch
  • Current Branch for Business declared at least 4 months after GA
  • Grace period begins at least 16 months after GA and lasts for 60 days
  • Once grace period is complete, new cumulative updates are not released for that branch

Let me repeat that last point: once a branch has finished the grace period, there will be no more patches. Here’s a visualization of this lifecycle:

[Figure: Windows 10 patch support life]

An Update for Every Branch

As mentioned in my Windows 10 Cumulative Updates Overview, there are distinct update packages for each branch. To date, there is one for 1507, 1511, and 1607. Each package only installs on that specific branch – this is how support will likely be curtailed for older branches.

As to the size, cumulative updates are generally smaller for newer branches as fixes are rolled into the branch upgrade.

Triggering Events

Current Branch for Business

This milestone signifies that a branch is at a higher level of quality. It begins with Microsoft declaring a cumulative update that distinguishes a branch as Current Branch for Business. Only branch 1511 has gone through the Current Branch for Business declaration event. In that case, Current Branch for Business was simply a combination of the GA 1511 release and the March 2016 cumulative update, meaning ongoing updates give Current Branch systems the same level of stability as those that waited and applied the Current Branch for Business upgrade.

Grace Period

Based on various articles and conversations with Microsoft, we believe the Grace Period for the oldest branch (latest branch – 2) will begin when the latest branch reaches Current Branch for Business. There is a lot of potential variability here as the declaration of Current Branch for Business for 1511 occurred in early April 2016, but didn’t reach Windows Update until late May.

End of Support

Once the Grace Period is complete, there are no more patches for that branch. With the exception of the Long-Term Servicing Branch version of Windows 10, this means systems will need to be upgraded as frequently as every 18 months.

Deconstructing a Branch Lifecycle

To date, no branch (including the original 1507) has gone through the entire lifecycle that Microsoft has outlined. Here is a table outlining the three Windows 10 branches to date and their lifecycle milestones with some estimated dates for future milestones.

| Milestone | 1507 | 1511 | 1607 |
| --- | --- | --- | --- |
| Current Branch Availability | July 29, 2015 | November 12, 2015 | August 2, 2016 |
| Current Branch for Business | July 29, 2015 | April 8, 2016 | December 2016* |
| Grace Period Begins | December 2016* | Unknown | Unknown |
| Grace Period Ends | February 2017* | Unknown | Unknown |

* Estimated dates
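
The lifecycle rules above can be turned into a check that runs against an inventory. The sketch below is an added example, not LANDESK or Microsoft code: it takes the Current Branch availability dates from the table, applies the "at least 16 months, then 60 days" rule to get the earliest date each branch could stop receiving cumulative updates, and sorts machines by exposure. Hostnames, status labels and the 90-day warning window are assumptions made for the example; because the rule says "at least", the computed dates are lower bounds and can fall earlier than the estimates in the table.

```python
"""Added example: earliest end-of-patch dates per Windows 10 branch."""
import calendar
from datetime import date, timedelta

# Current Branch availability (GA) dates, copied from the table above.
BRANCH_GA = {
    "1507": date(2015, 7, 29),
    "1511": date(2015, 11, 12),
    "1607": date(2016, 8, 2),
}
GRACE_STARTS_AFTER_MONTHS = 16  # "at least 16 months after GA"
GRACE_PERIOD_DAYS = 60          # "lasts for 60 days"


def add_months(start, months):
    """Add calendar months, clamping the day to the target month's length."""
    index = start.year * 12 + (start.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


def earliest_milestones(branch):
    """Return (grace_start, patch_end): the earliest dates the rules allow."""
    grace_start = add_months(BRANCH_GA[branch], GRACE_STARTS_AFTER_MONTHS)
    return grace_start, grace_start + timedelta(days=GRACE_PERIOD_DAYS)


def classify(branch, as_of, warn_days=90):
    """Bucket one branch by how close it is to losing cumulative updates."""
    if branch not in BRANCH_GA:
        return "unknown-branch"
    grace_start, patch_end = earliest_milestones(branch)
    if as_of > patch_end:
        return "patches-may-have-ended"
    if as_of >= grace_start:
        return "grace-period-possible"
    if (grace_start - as_of).days <= warn_days:
        return "plan-upgrade-now"
    return "ok"


# Hypothetical status labels, most urgent first.
URGENCY = ["patches-may-have-ended", "grace-period-possible",
           "unknown-branch", "plan-upgrade-now", "ok"]


def triage(inventory, as_of):
    """Sort (host, branch) pairs so the most exposed machines come first."""
    rows = [(host, branch, classify(branch, as_of)) for host, branch in inventory]
    return sorted(rows, key=lambda row: (URGENCY.index(row[2]), row[0]))


# Constructed inventory: hostnames are made up for this example.
SAMPLE_INVENTORY = [
    ("kiosk-01", "1507"),
    ("laptop-17", "1511"),
    ("desktop-42", "1607"),
    ("lab-03", "n/a"),  # branch was never recorded for this machine
]

if __name__ == "__main__":
    for host, branch, status in triage(SAMPLE_INVENTORY, date(2016, 12, 15)):
        print(f"{host:12} {branch:5} {status}")
```
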

Upgrade Your Branches or…

With this new continuous update model, businesses must have a plan to continuously update to newer versions of branches to be able to apply the latest security fixes. As I discussed in earlier articles, there is a whole strategy to this (see Windows 10 Branch Upgrade Strategy). If upgrading systems is an issue, one option is to consider using Windows 10 Long-Term Servicing Branch (LTSB), which will have a patch support lifecycle of 10 years.

Key Takeaways

Here are the points to remember from this article:

  • Cumulative updates are specific to branch versions
  • Branches have a lifecycle as short as 18 months
  • If you can’t keep up with branch upgrades, consider Windows 10 LTSB version

With this discussion on the relationship between cumulative updates and branches finished, I will next discuss managing Windows 10 cumulative updates with LANDESK Patch Manager.

Windows Update for Business

When Windows 10 launched, there was talk of a new update mechanism known as Windows Update for Business (WUB). What sounded like a new platform ended up being a set of policy settings to configure Windows 10. Let’s explore some of these settings and how you can use them in your enterprise.

Windows Update for Business is…. Just a Bunch of New Policy Settings

Some of the initial press around Windows Update for Business could lead you to think that a new update platform or product was in the works. The reality is that Windows Update for Business is simply additional policy settings that you can configure with Group Policy Objects or any other comparable tool.

The other point, when you look closely, is that these settings are just an extension of those in previous versions of Windows found under the Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Before diving into the new settings, look at one of the most important settings that has existed for previous versions of Windows.

Configure Automatic Updates via Policy Only

With Windows 10, you can no longer configure update settings in the Control Panel. These settings are available in the policy only – unless you are on Windows 10 Professional with the Anniversary Update branch (1607).

The new settings specific to Windows 10 include:

  • Turn off auto-restart for updates during active hours
  • Do not include drivers with Windows Updates
  • Defer Upgrades and Updates (only with 1507 and 1511 branches)
  • Select when Feature Updates are received (new with the Anniversary Update)
  • Select when Quality Updates are received (new with the Anniversary Update)

Turn off auto-restart for updates during active hours

This setting prevents Windows from restarting for up to 12 hours. Good for the grumpy business user who hates restarting during work.

Do not include drivers with Windows Updates

Fairly self-explanatory, this setting prevents Windows Update from applying driver updates with monthly patches, also known as cumulative updates, also known as quality updates.

Defer Upgrades and Updates (Windows 10 1507 and 1511)

In the first two branches of Windows 10, this setting lets you defer branch upgrades for up to 8 months. With the Anniversary Upgrade, this feature disappeared and was replaced by the two settings below.

Select when Feature Updates are received

Feature Updates are Microsoft speak for branch upgrades (one wonders why they didn’t just call this setting Branch Upgrades). With this setting, the computer can be configured to use Current Branch or Current Branch for Business with a deferral up to 180 days.

Select when Quality Updates are received

Quality Updates refer to the monthly (sometimes more) cumulative updates, also known as patches, that are typically released on Patch Tuesday, the second Tuesday of the month. Again, it’s surprising why they used a name that isn’t well understood. With this configuration, updates can be deferred for up to 35 days.
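
Because these are ordinary policy values, they can be audited from collected registry output. The sketch below is an added example, not part of the original article or any LANDESK product: it parses `reg query` text for the Windows Update policy key and flags a machine that is not pinned to a branch, a deferral longer than the limits described above (180 days for feature updates, 35 days for quality updates), or an active-hours window over 12 hours. The registry value names and the 16/32 branch values are assumptions taken from Microsoft's policy documentation rather than from this article, and the sample output is constructed.

```python
"""Added example: audit Windows Update policy values from `reg query` text."""
import re

# Limits as stated in the article above.
MAX_FEATURE_DEFERRAL_DAYS = 180
MAX_QUALITY_DEFERRAL_DAYS = 35
MAX_ACTIVE_HOURS = 12

# Assumption (not from the article): BranchReadinessLevel values on 1607.
BRANCH_LEVELS = {16: "Current Branch", 32: "Current Branch for Business"}

# Constructed sample: `reg query` output for the Windows Update policy key
# on a 1607 machine. Value names are assumptions, not from the article.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    BranchReadinessLevel    REG_DWORD    0x20
    DeferFeatureUpdates    REG_DWORD    0x1
    DeferFeatureUpdatesPeriodInDays    REG_DWORD    0xb4
    DeferQualityUpdates    REG_DWORD    0x1
    DeferQualityUpdatesPeriodInDays    REG_DWORD    0x3c
    ExcludeWUDriversInQualityUpdate    REG_DWORD    0x1
    SetActiveHours    REG_DWORD    0x1
    ActiveHoursStart    REG_DWORD    0x8
    ActiveHoursEnd    REG_DWORD    0x11
"""

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_dwords(reg_text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in reg_text.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def check_deferral(values, flag, period, limit, code):
    """Flag a deferral that is switched on with a period beyond the limit."""
    days = values.get(period, 0)
    if values.get(flag) == 1 and days > limit:
        return [(code, f"{period}={days} exceeds {limit} days")]
    return []


def audit(values):
    """Return a list of (code, detail) findings for one machine's policy."""
    findings = []
    level = values.get("BranchReadinessLevel")
    if level is None:
        findings.append(("branch-not-set", "machine is not pinned to CB or CBB"))
    elif level not in BRANCH_LEVELS:
        findings.append(("branch-unrecognized", f"BranchReadinessLevel={level}"))
    findings += check_deferral(values, "DeferFeatureUpdates",
                               "DeferFeatureUpdatesPeriodInDays",
                               MAX_FEATURE_DEFERRAL_DAYS,
                               "feature-deferral-too-long")
    findings += check_deferral(values, "DeferQualityUpdates",
                               "DeferQualityUpdatesPeriodInDays",
                               MAX_QUALITY_DEFERRAL_DAYS,
                               "quality-deferral-too-long")
    if values.get("SetActiveHours") == 1:
        start = values.get("ActiveHoursStart", 0)
        end = values.get("ActiveHoursEnd", 0)
        span = (end - start) % 24  # active hours may wrap past midnight
        if span == 0 or span > MAX_ACTIVE_HOURS:
            findings.append(("active-hours-invalid", f"{start}:00-{end}:00"))
    if "DeferUpgrade" in values:
        # 1507/1511-era "Defer Upgrades and Updates" value left on the machine.
        findings.append(("legacy-defer-upgrade", "setting was replaced in 1607"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_dwords(SAMPLE_REG_QUERY)):
        print(f"{code}: {detail}")
```
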

Sorry Windows 10 Professional

One of the changes in the Anniversary Update is the loss of the policy settings for Windows 10 Professional. Such settings that can no longer be managed by Windows 10 Professional include:

  • Turning off Microsoft consumer experiences
  • Do not show Windows Tips
  • Not showing the Lock Screen
  • Disabling apps from Windows Store

See the ghacks.net article and the Microsoft TechNet article for details.

Summary

Far from a replacement for patch management, Windows Update for Business offers new settings that complement a comprehensive patch management strategy. You should leverage these settings to keep enterprise deployments of Windows 10 consistent as the default is always “update”. As a best practice, use these settings to configure systems on Current Branch or Current Branch for Business to prevent the end user from doing whatever they want.

Key Takeaways

Here are the key points to share with your boss and peers:

  • Windows Update for Business (WUB) is simply a few additional update settings
  • Settings are very basic and do not replace a robust patch management solution
  • Some settings have gone away for Windows 10 Professional with the Anniversary Update

With this discussion on Windows Update for Business complete, I will next explore the relationship between cumulative updates (patches) and branches.

Windows 10 Cumulative Updates Overview

With my previous article finishing the discussion on Windows 10 branch upgrades, I will now tackle Windows 10 cumulative updates or patching. Windows 10 patching is one of the biggest changes and challenges for enterprises as they roll out this operating system. Unlike older versions, Windows 10 has a new approach to patching with cumulative updates where granularity and size will have impacts on 3rd party application compatibility and general operating stability. This article will explore the changes and what to expect.

Cumulative Updates Versus Single Patches

The first thing to notice is the cumulative nature of the updates. Unlike previous versions of Windows, there are no individual patches. This is changing somewhat in October 2016 with Windows 7, 8.1, and Server 2012, but still not the same thing. Windows 10 cumulative updates have all fix types and are additive from release to release meaning each update has all previous updates.

Security and Non-Security

Somewhat obscured is the fact that Windows 10 cumulative updates include both security and non-security patches. This may account for the size (see below). Documentation for the security fixes can still be found on the TechNet Security Bulletin webpage, while the less detailed non-security fix documentation is found on the Windows 10 Update History webpage.

3rd Party Application Impact

With the cumulative nature of Windows 10 updates, there will be 3rd party application compatibility issues. Most customers we speak with encounter issues with a patch a few times a year. Now with the cumulative updates, customers who encounter issues will need to make the difficult decision between application availability and security. This is because unlike the granular patches of the past, one must choose to apply or not apply an entire update. Should one choose to not apply one month’s update, the problem compounds as the next month’s update also cannot be applied. So instead of being exposed to one or two vulnerabilities fixed by a single patch, not applying a cumulative update would expose that system to a dozen or more vulnerabilities.

A recent example was the incompatibility of the Windows 10 January update with Citrix XenDesktop. In that case, the update would not even install if an incompatible version of XenDesktop was detected (for details see my article from our Shavlik blog). Citrix was able to create a fix in a few days, and the update could then be applied.

Big and Growing

With Windows 10 cumulative updates comes size. As you can see from the tables below, updates are specific to a branch, grow massively over time, but do reset in size with the release of a new branch.

Windows 1507 Cumulative Update Sizes

Update x86 Size (MB) x64 Size (MB)
13-Sep-16 459.9 1020.7
9-Aug-16 367.0 776.0
12-Jul-16 330.2 699.6
14-Jun-16 320.7 680.1
10-May-16 315.8 664.4
12-Apr-16 314.0 661.1
8-Mar-16 292.1 624.3
9-Feb-16 286.6 612.4
12-Jan-16 278.5 596.5
8-Dec-15 270.1 580.0
10-Nov-05 234.8 515.2
13-Oct-15 223.2 496.6
18-Aug-15 184.4 367.7

Windows 1511 Cumulative Update Sizes

Update x86 Size (MB) x64 Size (MB)
13-Sep-16 550.5 1054.2
9-Aug-16 502.3 916.9
12-Jul-16 501.0 914.9
14-Jun-16 402.4 713.3
10-May-16 390.8 677.3
12-Apr-16 383.6 645.1
8-Mar-16 327.9 573.2
9-Feb-16 270.3 489.3
12-Jan-16 184.0 325.6
11-Dec-15 137.5 240.2
10-Nov-15 24.6 48.6

Windows 1607 Cumulative Update Sizes

Update x86 Size (MB) x64 Size (MB)
13-Sep-16 255.4 431.1
9-Aug-16 63.7 113.0

To help comprehend the size of the updates, here are a couple of stats for consideration:

  • The 1507 x64 cumulative update on September 13, 2016 is 177% larger than the first update released on August 18, 2015
  • The 1511 x64 cumulative update on September 13, 2016 is 2069% larger than the first update released on November 15, 2015
  • The total size of individual patches for Windows 8.1 x64 on September 13, 2016 was 84.3 MB. The corresponding sizes of Windows 10 x64 cumulative updates for 1507, 1511, and 1607 were 12.1, 12.5, and 5.1 times larger respectively
  • At the current growth rate, the 1511 x64 cumulative update could top 2 GB in size in early 2017
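The figures in the list above can be recomputed from the x64 columns of the tables. The following is an added example, not part of the original article; the two growth models used for the 2 GB projection are assumptions, since the article does not say how its estimate was made, and 2 GB is taken as 2048 MB.

```python
import math
from datetime import date

# x64 cumulative update sizes in MB, copied from the tables above, oldest first.
X64_MB = {
    "1507": [367.7, 496.6, 515.2, 580.0, 596.5, 612.4, 624.3,
             661.1, 664.4, 680.1, 699.6, 776.0, 1020.7],
    "1511": [48.6, 240.2, 325.6, 489.3, 573.2, 645.1,
             677.3, 713.3, 914.9, 916.9, 1054.2],
    "1607": [113.0, 431.1],
}
WIN81_X64_MB = 84.3          # Windows 8.1 x64 individual patches, 13-Sep-16
LATEST = date(2016, 9, 13)   # most recent release in the tables

def pct_larger(sizes):
    """Percent by which the latest update exceeds the branch's first one
    (truncated, which matches the figures quoted in the list above)."""
    return int((sizes[-1] / sizes[0] - 1) * 100)

def times_win81(sizes):
    """Latest update size as a multiple of the Windows 8.1 patch total."""
    return round(sizes[-1] / WIN81_X64_MB, 1)

def months_to_reach(sizes, target_mb, compound):
    """Monthly releases needed after the latest one to reach target_mb.
    Assumption: growth continues at the most recent month-over-month rate,
    either as a fixed percentage (compound) or a fixed number of MB."""
    prev, last = sizes[-2], sizes[-1]
    if last >= target_mb:
        return 0
    if last <= prev:
        return None  # not growing: the target is never reached
    if compound:
        return math.ceil(math.log(target_mb / last) / math.log(last / prev))
    return math.ceil((target_mb - last) / (last - prev))

def release_month(months_ahead):
    """(year, month) of the release months_ahead after LATEST."""
    idx = LATEST.year * 12 + LATEST.month - 1 + months_ahead
    return idx // 12, idx % 12 + 1

if __name__ == "__main__":
    for branch, sizes in X64_MB.items():
        print(branch, f"{pct_larger(sizes)}% larger,",
              f"{times_win81(sizes)}x Windows 8.1")
    for compound in (True, False):
        n = months_to_reach(X64_MB["1511"], 2048, compound)
        print("compound" if compound else "linear", n, release_month(n))
```

Under the compound assumption the 1511 x64 update passes 2048 MB five releases after September 2016, in February 2017; under the linear assumption it takes eight releases, in May 2017.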

Key Takeaways

As with previous articles, here are some key takeaways on Windows 10 Cumulative Updates:

  • Updates are cumulative, making it nearly impossible to skip a patch without creating significant risk
  • Updates include security and non-security fixes
  • 3rd party application compatibility will be a bigger issue in Windows 10 than previous versions of Windows
  • Cumulative updates start out big and become enormous over time

Now, before you panic, be aware that I will cover how to address these challenges with process and LANDESK solutions. Before going down that path, let’s take a quick detour to discuss Windows Update for Business.

macOS Sierra and Safari 10 Security Updates

Today brings a new version of macOS (formerly known as Mac OS X, formerly known as Mac OS) with macOS Sierra 10.12. It also includes a new version of Safari with the release of version 10. While many will write about the cool new features such as Siri on the Mac or Apple Pay via the web, let’s talk about the vulnerabilities fixed and why enterprises should care.

macOS Sierra

macOS Sierra 10.12 fixed 65 vulnerabilities. Many of the vulnerabilities relate to escalation of privilege, denial of service, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4702: an Audio component vulnerability where a remote attacker may be able to execute a malicious program.
  • CVE-2016-4738: a libxslt component vulnerability where malicious web content could lead to executing a malicious program.

These examples are noteworthy because they are often used as the starting point for exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10

Today also marks the release of Safari 10, which is embedded with macOS Sierra and available as an update for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. This update fixed a total of 21 vulnerabilities, 16 of which are cases where processing malicious web content may lead to arbitrary code execution. This is Apple speak for visiting bad websites or web ads may result in running malware. Needless to say, this update should be applied on all systems. If you still have systems on OS X Mavericks v10.9.x, it is time to upgrade.

Summary

With 60 vulnerabilities fixed in macOS Sierra and 21 in Safari 10, there are many reasons to upgrade. Based on the nature of the vulnerabilities, upgrading all systems to Safari 10 should take priority, as many of those vulnerabilities could be used in phishing and other web exploits. Finally, this release effectively ends support for OS X Mavericks.