Transcript
Bring it on. No fears Uh, welcome everyone The controversy is starting chris Yeah. Yeah. Um, Nick nicks versus spurs. Come on, man. I'm from san antonio. You guys know that I mean, uh, you know Yeah, it's getting controversial already. Um I think the mythos topic is probably going to be less controversial than the next topic though. So um Cool. Well, I I think I might have you beat on humidity. Um, you know up here in minnesota We we got we got plenty of humidity as well. So Um, it's all those lakes. Um Okay, we're gonna go ahead. Oh, we got somebody uh going for the spurs now. Oh, we got the go Oh, no, it's it's on everybody's throwing their their teams out there now Okay, well welcome everyone we're going to go ahead and get started um Wow, um, yeah, so there's there's a couple of things that we're going to be talking about today and a lot of it comes down to um Really? how much the the acceleration of of Patches and cves being discovered is is already happening I've got some interesting data to show you guys here of a side project that i've been using to track How this has been progressing for the last couple of months that we're going to go through and I already saw that there were some conversations around that so we'll not only talk about that but Um, if you look in your docs tray uh today You're going to see a couple of things up there One of them is a white paper called the patch apocalypse and then other ones more of a use case kind of version of that so that's going to have kind of a The the high level of you know, how should organizations be thinking about how to Adjust to this because it's not going to be a a once and done This is going to be kind of the new normal. So we're going to definitely talk about that We're going to talk about some other news, uh related there because there were some um zero days within the past couple of weeks here that we just want to make sure everybody's aware of Um, and then we're going to get into the the bulletins that released for patch tuesday Um followed by the in-between patch tuesdays So this month I was I was kind of focusing on Uh a bit more of that between as well leading up to patch tuesday. You can see that june 3rd We had a notable Release from google for chrome 429 cves resolved in a single update microsoft yesterday Resolved 198 new cves, which is the new high watermark now. That's the new record october Last year was the previous largest patch tuesday by cve count with 175 So we're definitely seeing all of the vendors Are seeing more cves be resolved and several are on a much more aggressive Release schedule that's kind of moving things along at an interesting pace So we're definitely going to talk about some of those topics You can also grab the slides, um from that that docs tray as well So if you if you want to be able to follow along grab some of the links that we're talking about Um, you'll be able to get access to those from that So go ahead and grab that now that way you don't have to wait after the event until we get everything uploaded Um post event you can get access to those fairly quickly here then um, so right now I'm going to jump over to sharing my screen So i'm going to go away from the slides for a little bit here the next couple of slides i'll actually be doing in My browser, but you guys will be able to follow along and open those links If you want to take a look at any of the articles that we're sharing as well um So sharing my screen Go over here Yeah All right, so first topic we got a pair of links Covering some news from the end of may around Multiple defenders zero days that were being exploited in the wild Um, so the there's a bit of controversy about this one. So we actually grabbed two articles the first one um from bleeping computer is more of the Here's what you need to know um the the three zero days talking about those talking about the timeline of those uh, The names of them a little bit more detail even links over to uh the follow-ups for those um now based on you know, how defender works the majority of this, um, You know should already be resolved for most of you unless you're doing some standalone configuration or air gap configuration where you need to Take a step to push the next update But any of you who are running in a fully connected mode your defender instances should have just updated As these uh became available um So if you're uh, again, if you're you're going if you need to go through those steps You can go follow the steps here that they laid out or microsoft does have these documented elsewhere as well Um, also it's always good to be going back to that to make sure that machines are updating One of the tactics that threat actors always go to first Is how do we disable? The mechanisms that are going to be able to update to try to try to thwart their activities um, so a lot of times they will they will go in and uh subvert those uh update mechanisms to to make it so that You can't update get the new behaviors in place and try to stop what they're trying to do um, so you can go in and double check this and uh, You know look for ways to grab that anti-malware client version and verify that you're up to the latest. Um But that's that's kind of the high level there now the other article on dark reading Goes into more of the the drama behind it. So there is a um, a white hat who um has been kind of really Pushing microsoft very hard because they don't agree with microsoft's uh strategy around um security response disclosures other things like that and Um, there were there was a lot of controversy around this because this this researcher disclosed multiple cves that they had they had found and did so in a way where you know, arguably the the challenge here is That responsible disclosure is coordinated between the researcher and the vendor to try to reduce the risk to all of us right and the controversy here from microsoft's side is this person is is beyond that tipping point in their opinion of putting undue risk on Uh the wider world because of their disclosures of this the these, um, you know proof of concepts That they were pushing out And microsoft at one point apparently even threatened some legal action and that got a very big backlash Um, but you can if you want to take a look at some of that drama Um, you can definitely take a look at that. There was I I saw it pop up here There was another post from uh, brian, uh, brian krebs krebs on security He talked about that a little bit in here as well But that's that's kind of the difference between those two articles. We just thought it was an interesting read and gives you more of that that kind of back channel view into some of the the risks that come from This type of ecosystem of researchers and vendors working together to try to reduce risk for all of us um So that's the first ones that was back in end of may Um that those came up most of you again already should be resolved Um, but it's always good to do that check of the the anti-malware version In defender to make sure that you don't have machines that are broken or lagging behind Um, not even just from threat actors. You could just have a broken state on that and it's not updating for some reason Um, so it's always good to check that The next one is the chrome zero day and this is the one that was resolved yesterday um in the Chrome release that released on patch tuesday. It resolved an additional 74. So this is in addition to The 429 cves resolved on june 3rd last week um The cve that's actively being exploited is 20 26 11 6 4 5 Um cbss score of 8.8. But again actively being exploited. This becomes our our biggest priority this month Both chrome and edge Have this exposure so you want to make sure that both of those are getting updated as quickly as possible Um, this is the fifth zero day for chrome so far this year And i'll talk about this in a minute here when we get into the patch apocalypse discussion um in in just a minute, but this really sets that tone for What are those things we need to consider to to actually, you know, whether this shift in um How fast how many how how much of a risk is coming at us? And how it's doing so in a much more continuous basis. I'll show you some tangible evidence of Why we need to rethink um How this is uh being approached? So that's the zero day. Um exploit from this month. The other three that are going on are They were just publicly disclosed. So microsoft had three public disclosed Vulnerabilities that were resolved in the os update yesterday. So the os update from the microsoft side is our top priority there Um, there was a big um office, uh update as well Probably more cves than we've seen resolved in an office update. Um in quite a while, right? That's correct. Yeah between that and share that there were 30 each. Yep Yeah, yeah, so both of those were rather large too So we definitely are seeing a a surge in the average number of cves being resolved across multiple microsoft products um so the three zero or the Sorry, not zero days. I I hate using that term when they're not actively being exploited. I try to specifically use publicly disclosed In some people's definitions they consider that a zero day, but they start defining things as zero Zero day versus zero day exploit. So in this case, these are not exploited The three of them are publicly disclosed It does increase the risk, but it doesn't uh mean that they're actively being exploited Uh, the first one, uh windows collaborative translation framework ctf-mon, it's a privilege of escalator elevation of privilege vulnerability the Exploit code is unproven meaning the disclosure did not include any publicly available code So that's a good thing. Um, but it doesn't uh, it potentially includes enough information That a threat actor could start to understand where it is now arguably Threat actors have gotten much better about being able to take last month's update this month's update do a diff And say okay. Here's roughly where I need to look at These are all the places microsoft changed code so they could reverse engineer where they're going to target to try to do exploits so Whether or not there was disclosure or disclosed code for that gives them maybe Days to hours worth of advantage, um, you know disadvantage of not having that code included So it's still a higher risk Um, but in this case this vulnerability if exploited could allow an attacker to gain system level privileges um, the next one Is the http sys denial of service vulnerability? Available to be targeted over the network with no privileges required. So that's where this one has gotten some concern um, you know by researchers is An uncontrolled resource in http Slash two could allow an unauthorized attacker To overwhelm a service and deny access and they can do that over a network um So again, no code was released in this disclosure But again a higher risk because there is a notable amount of information disclosed about that the third one windows bitlocker security feature bypass Um, so this for those of you who like to follow the the hardware level Um exploits this one did have proof of concept code available in this case The attacker does need physical access to the device, but this is all of our fears, right? This is if i've got a device with um, you know proprietary, uh data or customer data or you know, pii or something on it And that device gets lost This type of exploit is absolutely what a threat actor is going to use they're gonna, you know, take that device Um get it into a you know secluded area where they're isolating any any sort of uh network connectivity They're gonna boot that up and they're going to utilize a vulnerability like this To be able to circumvent bitlocker and gain access potentially to uh encrypted um or um You know Access to that device that should not have been authorized I think they actually specifically said yeah So here is where it was an attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data meaning The bypassing bitlocker they've got access to the file system on that device um So that's the risk of this one and this out of those three was the only one that had proof of concept code The good news here all three of these are included in the os updates this month Get your os update in place. These three get scrubbed. So um, that's the priorities for this month your browsers chrome and Edge and your os update become our top priority Um From the linux side the next couple of slides that you'll see if you're looking at the presentation And then we're going to come back around to that that deployment tracker that i'm sure a few of you have already Downloaded and started looking at my screenshot of um, they're one of the three Uh vulnerabilities has a link to a little bit more detail the other two um, probably a little bit less interesting this month, but this month, but basically this one, SIFT switch Linux kernel flaw. This is probably the most interesting out of the three that were included in this month's lineup from our partners over at TuxCare. Linux kernel update is going to be the way to resolve this. You can see the affected platforms across the Linux flavors that are affected by this. All right, let me jump back to a very interesting topic, which of course, I think we've all heard plenty in the last couple of months. This is about Mythos. This is about not just Mythos, but really the new generation of LLMs that are raising the bar on how easy it is to find and exploit flaws in software. Even prior to Mythos, there were already researchers utilizing security focused LLMs that were helping them to resolve security vulnerabilities. Avanti has been doing it for some time now. We, if you read our advisory page, you'll actually see our public statement about the fact that we do use AI tools to be able to research, find flaws, and resolve them within our own code. You can see here, this is one element that I'll show you a little bit more of here in a second, but this is showing the last 12 months of updates for just a handful of the most notable products that we all see on a daily basis. Windows OS, Acrobat, Chrome, Firefox, Edge. I've got a couple of other tools that I'm tracking as well that don't release as frequently, but give us visibility into another piece of this that I'll talk about in a minute. But these three dotted lines, before February, 2026, you pretty much have this blue line here was the most scary thing that we had to worry about each month, and that was the Windows OS. So whether it's Windows, Mac, Android, iOS, Linux, the OS updates, I mean, most of the Linux flaws that we talk about on here, almost all of them, probably a good 70 to 80% of them are kernel-level vulnerabilities. That's the scariest thing on a Linux platform, right? The scariest thing on the rest of the platforms was always just the OS updates that needed to be applied. That's changing. Previously, the OS update was the big thing, and that's why, traditionally, we've always had Patch Tuesday as the starting point. That's when all of our big maintenance occurs, and that was how we kind of just cycled through each month, starting on Patch Tuesday, whether it was a 30-day window, a 14-day window, whatever our timeframe was, it all started from Patch Tuesday. What's changed? Now, if we fast-forward to February, 2026, this first dotted line was the first vendor kind of publicly attributing AI augmented research into the release that they did to the market. Firefox 148 was the first kind of public crediting of the use of AI tools in a significant way to do this, and that resolved, I think it was like somewhere in the 30 to 40 range number of CVEs for that release. Two months later, this is when Glasswing launched. This is when Mythos was released to a number of vendors, and several of them were using it to find vulnerabilities in their products. This is where Firefox, the Mozilla team, had their public blog post talking about the fact that they found 271 CVEs. Now, only 41 of those actually documented as CVEs and got released formally, but there were actually more that got resolved as part of that. They were just lower severity, so they only published 41 of them, from what I understand. I haven't seen the rest of that list, but they've attributed 271 to that release. In that same month, we had the Windows OS pretty much was in competition with multiple other updates, especially from the browsers. The difference is the Windows OS released on Patch Tuesday. All of those browser updates released on multiple weeks over that time. So let me show you what I've been looking at for the last couple of months here. Now, this is not in an Advanti product anywhere. I used Claude to generate this tracker, and I've been updating it on a regular basis here since. This is actually version eight of that tracker, and I've been tracking just a handful, a little bit more than a handful, of applications. There's seven vendors, 11 products that I've been tracking right now. But really, it's to try to show exactly what some of you are feeling, like Abe's comments before. Like, is this a tsunami, or is it just me? No, it's not just you. It is a tsunami. Here's what it looks like. Just taking those samples, we can look back here again and see the Windows OS was the big scary thing each of those months. Like, we had a nice spike here, 103 vulnerabilities resolved in the Windows OS that month. Same thing here again, 120 CVEs. February comes around, and both Chrome and Firefox near doubled what the Windows OS resolved that month. And that was over the course of average of three releases from each of those browsers continuously over the course of that month. We look ahead to February, and you see that Chrome was definitely resolving quite a few. This is the 41 that were resolved by Mythos, but really that was 271. Now, Google is not using Mythos. They're using a Mandiant model that was created and competing with Mythos on that level of capability. And if we look ahead again to June, this is where suddenly that the realization of what these types of tools are capable of becomes a reality. We had 429 CVEs resolved in the June 3rd update for Chrome, and then another 74 a week later on Patch Tuesday, including a zero day. If that's going to be the norm, one, the number of CVEs resolved in a year are gonna go up significantly after this year, and we're gonna see a new threshold reached sometime in the future here. We don't know quite where it's gonna land yet, but that's significant. Now, the releases are the next part of this, not just the CVEs. The continuous release mode is another part. So if we look at Mozilla specifically, here's last year. Roughly one security update per month. Occasionally, like, I don't know why Cloud did this, but for some reason it had two for May, a little bit out of order there, and I could never get it to reconcile that discrepancy for some reason. I'm chalking that up to a little bit of AI hallucination, but on average, one to two security releases a month in 2025 starting in February. Well, actually starting even in January, two, two, two, three, multiple, and we already have their update in June here as well. So this is going to occur with multiple vendors. That's Firefox going from one to two up to three to four per month. You've got Oracle. I believe I shared the link to that article last month or maybe the month before, but their announcement of a critical security product update on a monthly basis. So they do their CPU quarterly, which will be next month, but the two in between months, they've got a CSPU window where any of those products that have security issues that need to be resolved could release as well. That doesn't mean we're going to see Java every month, but it means that we could see Java more than just once a quarter going forward, right? So if we've got critical applications like that that we rely on, Oracle just threw down and said, we might have as much as 4X the number of releases every year for you, depending on where the security issues need to be resolved. A number of vendors are going to be looking at this. Todd and I always cover the in between the patch Tuesdays to try to put this into a frame of reference as well. So Abe, the question of, what are we seeing? Now, you guys may have seen as well, especially if you're running Cloud, it's talking about this new thing called Fable now. Well, Fable is a between step. It's not Mythos, it's a slimmed down version of Mythos. What the drivers are for why there's some controversy over whether it's a, hey, we just released the ultimate weapon on the world and we're going to pull back from that so we don't destroy everything. That's not quite it because by the way, there's like six major models now that are up in that caliber of Mythos, including there's the ones that we've heard about, you know, OpenAI, the Mandiant model, I forget the name of offhand, and Mythos, a couple others. Kyho 360 has a model that has been, in, you know, from some researchers, they're saying it is right up there with, maybe not equivalent to yet, but up there with Mythos level caliber capabilities. So these are popping up in multiple places. That's, you can't put that, you know, we can't close Pandora's box, right? It's here, even dumbing Mythos down to Fable, well, okay, well, we're going to trade off a little bit more capability for distributing it to hundreds of organizations instead of 20. So still, we're going to see this compounding effect of what's going on. This doesn't go away because, you know, Anthropic said, instead of Mythos, we're going to release a tamer version called Fable. This is definitely going to be a new normal. We're going to see a more continuous release model resolving more CVEs. You can already see the spike here for most of these vendors that we were tracking. And you're going to start to see this as well. So this is looking at known exploits. Last year in the first half, this group of applications had 22 applications that exploited CVEs in the first half of the year. Right now we're up at 25. The expectation is we're going to see more of this as well, not nearly as much of a spike, but we will see an uptick in the exploits. So that's going to be a combination of zero days and what are referred to, less commonly heard, but end-day vulnerabilities, meaning after a patch is released, an exploit occurred. If we look back at, I think, which one was it? There was, last year there was a vulnerability that Mozilla had released the fix for, and then shortly after it started being exploited, like two or three days after. And this is a pattern that you can find in a number of places. It's always hard to find those specifically, like when did it release versus when did it get exploited? But each of these vendors have cases like that as well. Some of the cases could be more extreme, like a vulnerability that was resolved two years ago is now starting to be exploited now, right? Well, why did they wait two years? Well, they just happened to find that flaw in code and a number of people who still hadn't patched it and took advantage of it, right? Opportunistic. But more of these will be within days of release from the vendor, they reverse engineer, exploit the code, and target that exploit. So that's what we're looking at. That's the behaviors going on across the industry. Now, what are people doing about it? The two articles that I referred to in the doc section there, you can take a look at those. It's giving some basic guidance there, but Abe, one of the things that we've talked about a number of times on here is, I know not all of you are using Ivanti products or some of you might be using the Microsoft platform augmented with our third-party content, but we've designed our neurons patch experience exactly for this purpose. It was meant to let you define the criteria you want and really automate that. A number of you are probably still in the mode of saying, oh, security does their scans, they do some approvals, that goes through some ITIL workflow and gets down to telling us what we need to do. Well, by that time, the five-day window on average that exploits are occurring in is already exceeded and you're into the red on that risk window. We need to get to a point where many of these vulnerabilities are being resolved in a more timely fashion. And to do that, we have to change the model of how we approach things. And in the documentation that you're going to see that I shared there, you're going to see this referred to as risk appetite. You need to define that upfront, configure for it and then monitor for how you're doing against that. And some of you are even playing around with a new exposure model or an exposure experience within our neurons platform that brings all of that together. And one of the features that we're releasing for that And one of the features in our upcoming July release is looking at a feature called predictive patch. It's trying to take a finding as it comes in, as soon as the scanner knows about it. We reconcile that data so we've got the scanner data alongside asset visibility from our discovery and the patch remediation data all side by side. As soon as a finding comes in, if I've got a vulnerability coming in from Mozilla resolved in this version, as soon as the scanner knows about that and knows that I've got a thousand machines affected, I should be able to look at my configuration. I know the inventory of the devices because they've been in the system for a while. I know who's running Mozilla. I know who's configured with the agent managing the machine with the configuration on there that knows how to patch Mozilla. I even know the schedule that it's on. We need to be able to look at that data and say, from the point where the finding comes in, what are my odds of actually getting to compliance? Am I going to hit my 90, 92, 95, 98% compliance goal? And how do I start to fill in those gaps? This is, so Abe, this is the thinking that we've been going through for some time, but it's now accelerated. We want to be able to provide you that visibility to say, oh, this particular finding, we should be on track to meet a 95% compliance goal because we know the thousand machines that the scanner confirmed. We've got 950 of them configured with the agent, a patch configuration, and it definitely is configured to be able to deploy the Mozilla update. So with that information, we can now look ahead. And this is where you'll be able to start to now flush out those issues. So prioritize the things that are exploitable and the things that are not meeting those compliance goals, drill in, find the gaps in configuration, in management, in understanding of that environment, and start to fill in those gaps. And what's going to happen is you're going to proactively solve for one finding and a whole bunch of others will get resolved at the same time. Through fixing one machine's issue, you fix that not just for the one CVE, but for the dozens or potentially hundreds of CVEs that the scanner is throwing at you. So it's cutting through the noise, getting down to the things that are actually going to continue to put you at risk and flushing out the gaps so you can go solve them. But ultimately, it's not waiting on an approval process anymore. How many of you yesterday had to go sit down in a room with a bunch of people and say, hey, by the way, do we think we're going to deploy the OS update this month or the Google Chrome update or the Mozilla update? No, you knew you were going to do that. I've asked IT folks, I've asked CISOs, I've asked small, large companies. I have yet to have somebody say, oh no, we actually still sit down and actually talk through whether or not we're going to approve that this month. No, I had a very large customer of ours using our risk-based vulnerability management platform answer that question. And he's like, no, I know exactly what, where, on what schedule. I'm sure we've got a spreadsheet that lays it all out. I can tell you the answer right now. And it's, yes, we're going to do it. It's more of a matter of when we're talking about these things in silos, the different teams are doing it in different ways. We need to get this all streamlined, decide those outcomes in advance and monitor for those gaps so we can flush that out and increase those compliance goals. But the other part of it, Abe, is getting beyond once a month maintenance. Again, back to the out-of-the-box design of the neurons patch experience. Again, if you're using one of our on-prem Ivanti products like EPM or security controls, you can actually do this with those products as well. Multiple tasks, each configured for different purposes. The difference is the neurons experience is driving this mentality in its design. So people don't have to think about, figure out how to configure and kind of manually do it themselves to get to that configuration. It's designed out-of-the-box to do this, but it has a regular maintenance window. It has a priority updates track that can do specific things that you've told it to on a more aggressive schedule, whether it's weekly or twice a week or daily even. It's got a way to pre-configure for zero-day response that all I have to do is say, if I approve something to be deployed out-of-band, all I have to do is add the CVE or the specific patch to a patch group, what we use to track that, but that is the approval to do that out-of-band approach. So once we approve that, we add that in, and now the system was already configured to go and do it based on the agreed upon approach that we set when we configured the platform. All of those decisions are made in advance. You define that risk appetite, you configure for it, and you execute continuously. Now, you're not gonna do this across every single system the same way. Your end-user environments, you're gonna get more aggressive. You're gonna do those continuous release products for like the browsers and other tools like that more continuously. For critical infrastructure, you're still going to have very specific windows where you can do things, and there you're gonna be using compensating controls to try to mitigate things further where needed, but also have that ability to do that more urgent cycle when needed. So that's kind of the approach that we've taken there to design for exactly this scenario. But that's the kind of thinking that, again, if you're interested in talking through that more and getting into more detail specific to your environment, reach out. We're more than happy to have that conversation. In fact, I think I'm having that conversation an average of five times a week right now with companies like yourselves who are asking those same questions. So that's kind of the high level of what I wanted to touch on there. Again, we're going deep into the weeds on what this all means, but I think several people were interested in that topic. So hopefully that was helpful. And whether it's looking at some of this data or having that deeper conversation about risk appetite and how to try to get ahead in whether this increase in vulnerabilities and exploits and release cadence, reach out. We're more than happy to have that conversation and talk to you about how others are approaching this today. Whether it's with our product or how you're doing things, we'll give you that kind of high level guidance of where we see this going and how you need to keep up with it to help you along that path. All right, so. Hey, Chris. Yeah. Quick question. There were a few people who were asking like, when are we going to start introducing predictive compliance? It's supposed to, I think there's some basic functionality in July, but it really starts in earnest in October, right? Yeah, so the first we've got, we've got kind of the basic implementation is going to be able to get that visibility and show the basic configuration being in place. And we're going to be adding more and more checks to it to make that confidence score higher, right? So if we have a, again, if we have an OS finding come in, I want to be able to give you that, yeah, this is going to be on track to hit your 95% compliance with confidence. So even like the first cut won't be able to do this yet, but even getting down to estimating the timeframe of when we predict that it's going to be resolved by. All of that, we just need to be able to interpret policy and a whole bunch of other criteria and back that out into kind of predicting roughly when it should happen. So getting down to, are you configured for it? That's going to be kind of phase one. Trying to estimate the timeframe, trying to connect that to an SLA that you've defined, each of those will be progressions after that to get that score more and more refined and get it to a more and more solidified confidence level. So that's what to expect. The July release, it is going to be a new module. It's going to be specifically augmenting that patch experience to drive an exposure level of visibility on this. So those of you who are using our RBVM solution, it is a crossover, not yet a replacement for RBVM, but really bridges the gap with asset visibility, exposure, prioritization, and that remediation piece all coming together ultimately to help you understand how do I cut through this noise down to exactly what I need to understand and ultimately what do I need to fix to improve my compliance metrics? So it's really driving that ROI. Never let a serious Chris go to waste or crisis go to waste. Yeah, Churchill, that's an excellent quote there. We've kind of been in the middle of this for a while, but that quote definitely is fitting here. Yeah, Dan, hot patching. So I know a couple of people have asked about this, but we can touch on this real quick as well. Microsoft has been very guarded about that. It really only exists within the Intune or the Azure stack right now, but we definitely are pushing on them and keeping track of that. So if it opens up to be able to do that, we would definitely want to take advantage of it as well. So a couple of good points there. If for those of you who are interested in that predictive patching piece, again, right now, we're going to be releasing that for July. We do have an early access going on for that exposure experience. Some of you are already in there. If you're already a Neurons user and you'd like access to that exposure management experience, reach out to me and we can get you added to the early access list for that. We're taking on additional people into that right now. We've got over, I think over 30 customers in the early access today, along with all of our field teams. So the more the merrier, we're getting into that hardening level push towards the July release. So, cool. All right, Todd, I think we are ready to stop my screen share and... Yeah, one kind of quick closing comment, Chris, taking a step back on the patch apocalypse. Chris and I were talking about this before we actually jumped on the call today. It's like, where is this all going? One thing to keep in mind is that these vendors are reporting all these vulnerabilities because they're actually in fielded software. So as they run these tools and they find the vulnerabilities and they know that they're out there in the public and they're fixing them, of course, but they're still obligated to report them. Last month, when Chris and I talked about the initial Mozilla release, one of the things that Mozilla predicted is that as they're developing new features and functionality they'll be running these tools against unreleased software. And hopefully they're feeling that they will get ahead of the vulnerability curve so that they're releasing much more secure software and that these vulnerabilities won't be popping up after it's been fielded. So it's gonna be kind of interesting to watch. We're of the opinion that there's gonna be, as it was mentioned there, the tsunami of CVEs right now. There's a lot of them, but we predict that they will eventually top out and start to maybe drop back down to kind of normal levels and our software is gonna get better, we hope. It depends upon what the learning models show and basically what we find in the software itself over time. So it'll be an interesting ride here. It's a good crisis to be in right now, I think. Yes, indeed. All right, so jumping back in where we left off, we're down to the Ivanti security updates. So if you didn't see it, for those of you running on the Ivanti Endpoint Manager Mobile or Ivanti Sentry, there were security advisories for those. Both of them resolved a pair of CVEs. Nothing exploited the wild or anything there, but a couple of updates security-wise for those of you using those products to take a look at. And then we've got no new kind of notifications around this, but for Windows 11 editions, you can see the highlighted there are the editions that are approaching an end of support date. Todd, while we're on that topic, one of the things we talked about a couple of months back was the extended support that some people were looking at there. Since then, we've gotten the packaging together. So for those of you who are getting ready for the 2016 ESU, we've now got everything ready so you can reach out and start planning for budgeting for that ESU content to be turned on in your case. So again, Neuron's EPM and security controls customers who are expecting to run 2016 past its end-of-life date and are signing up for Microsoft ESU coverage, you'll be able to reach out and get that ESU coverage from Ivanti products as well. Yeah, the date's on the next slide. I think it's January. Yeah, you're right. So this has the, yep, January 27 is when that'll go into effect. So that wraps up. We did have a number of tools updates this month, but only one servicing stack update on the Windows 10 side. So that is the only servicing stack update that released this month. And on that then, Todd, why don't you go ahead and take over? Okay. Thanks, Chris. Moving into the bulletins and releases from yesterday. Chris did touch on Chrome Desktop came out yesterday. Actually, it was released on Monday. We released it yesterday as part of our content for 74 vulnerabilities. There is one that is known exploited in the wild, 11645, as they released their last zero day there. Again, as Chris said, these are cumulative, so this does include all the 429 from the previous release as well. So you want to make sure you keep up with your browser there on the Chrome Desktop side. A couple of other Adobe apps, they did release 11 updates yesterday. I have three of them here that we include in our releases. We don't update all the Adobe products with our patch products. But an important one was Adobe InDesign. They fixed 12 vulnerabilities. This was rated critical. They had nine critical vulnerabilities that could result in remote code execution. Three of them were rated as important for those vulnerabilities. So in the latest two versions of InDesign. Similarly, InCopy, which is also a related product, three vulnerabilities there. Again, arbitrary code execution, so you want to keep these up-to-date as well. Probably the biggest one, most of us are big users of Adobe Reader, and some of us on the Acrobat side if we're creating PDFs. Twenty vulnerabilities reported there, 15 critical, five important. So you do want to use an update there across Adobe Acrobat and Reader because it is so commonly used in the field today. So definitely a big update there this month from Adobe. Moving on to the Windows side, we saw all the typical updates from Windows 11 in particular. We saw 23H2 through 26H1, as well as a Server 2025 update. Again, large number of CVEs addressed in the release, 116. Chris did touch on the three that were publicly disclosed. I have them highlighted in red here. If you want to look at all of the vulnerabilities, you can of course go to the security update guide and read in detail about each one of those. As far as known issues, the only one that's open right now that they reported is around Server 2025, and this is one that's been open for a long time based on a change they made around the particular CVE here back in 2025, 59287. This is really just the reporting error detail, so it's not necessarily a big issue, but they're carrying it along every month so that we are aware of it. Moving on to the Windows 10 long-term service branch. These are the ones that are continuing to get updates outside of ESU. Of course, there is a Windows 10 ESU going on as well, if you're running that particular version, but anyway, these updates for the long-term service branch, 104 vulnerabilities addressed in these updates. Again, the same three publicly disclosed issues included in here as well. There is still a known BitLocker issue in Server 2022. Basically, it depends upon the policy that you have in place, the configuration, whether you'll have to re-enter your recovery key after your first restart. Same issue for Windows 10 22H2, which is the ESU version, or if you're running the enterprise long-term service channel, which are the fully supported ones, you might run into this BitLocker version issue as well, so be aware of that. Moving on from the operating systems, also as Chris touched on, seems like Microsoft had a focus on CVEs in Office this month. There were 26 addressed in the standard Office version. It's interesting, the end-of-life 2016, and here they are back in October, and they're still carrying it forward with regular monthly updates. Technically, the only thing that should be supported long-term here is online server. It's covered for another two or three years yet, and the LTSC versions of Mac, but they're still updating 2016 because so many people are using it in standalone configurations and otherwise. But again, 26 vulnerabilities addressed in the Office suite. For the online versions, which includes Microsoft 365 apps, the long-term service channel versions 2021 and 2024, and the end-of-life to Office 2019, they continue to update as well. They address 32 vulnerabilities there. So again, for those of you that are working with the online versions and the remote updates on these, definitely want to make sure you get them updated this month. 32 vulnerabilities, a lot of them are rated critical as far as those CVEs go. SharePoint server, obviously, it's closely related. 30 vulnerabilities addressed here. Again, critical fixes in here as well. All three versions that they support, subscription enterprise 2016 and server version 2019, all got updates as well as usual. We did see a rare update for Exchange Server. It's been quite a few months. I had to go back to August since they did the last update on Exchange Server. One vulnerability here, I'm sorry, seven vulnerabilities addressed here with this update. They're only running one active version, which is the subscription edition. There are several under ESU coverage, and there were some updates released for those as well. So you might want to be aware of that in case you're running some older versions of Exchange Server. One thing of note, if you look at my article that I wrote on the forecast coming into Patch Tuesday, and also if you look it up on the webpage, there is an open known exploited vulnerability on Exchange Server that did not get addressed this month in any kind of an update. There is a workaround configuration for that, but it's something that you might want to look into if you need to make some configuration changes on your Exchange Server. Okay, between the Patch Tuesdays, as Chris was mentioning, there was a lot of activity this month as well. We break it into three groups. If for those of you who haven't been on here before, we talk about releases with CVEs, releases, security releases without CVEs, and finally non-security releases. Again, these are basically the content that we're releasing for our products, but obviously we know a lot of you that aren't using our products still are interested in this information. So on the third-party side, we had a couple of Chrome updates, 75 vulnerabilities addressed there. Docker for Windows, it got an update as well. Firefox updates, 151. ESR versions got an update. The Go language program actually had a couple of updates this month, but one of them addressed three vulnerabilities. IntelliJ IDEA here fixed the vulnerability this month. And then finally, Notepad++. And I should make a few comments about this. We've had some issues with Notepad++. You might remember that last month, we talked about the updates being hacked by supply chain issues where the downloads were coming from an alternate source, not from the Notepad sites. They got that resolved. And then Notepad turned around and made some changes to their installer. And as a result, we had to respond, and we were a little slow in getting some updates out in case you might've noticed that because of the way they changed their installer. In the past, we could run the installer, and the next time you restarted the application, it would automatically update the product. What we're finding now is that we have to actually shut down Notepad and do an installation and then restart it before it will work properly. We were running into some problems with the way they changed their installer. Be aware of that. If you see any issues or have any problems, definitely let us know and generate a support case so we can follow up on that because it's been a challenge to work through the way they've changed the installers and updaters on Notepad++. PyCharm Professional got an update for one vulnerability, and of course, you see the Thunderbird updates that track basically the same vulnerabilities that you see in Firefox as well. On the Apple side, similarly, we saw some Chrome updates, Firefox obviously getting its updates as well. A lot of overlap in the vulnerabilities between the Windows and the Mac versions as well. Obviously, Microsoft Edge running on top of Apple Platform gets its update as well. And then PyCharm Professional, we saw that on the Windows side, also got a Mac update, and of course, Thunderbird. And I have the links in here for the vulnerabilities. You can go take a look at those on their website rather than kind of re-copy it down here. So with that, Chris, let's get back to the questions. How are we doing? Oh, fairly good. We had a couple of comments about the Edge hijacking the default PDF viewing again recently for some. And then there was a good point made about the fact that Microsoft has kind of taken the same approach they did with the browser side and defaulted to Chromium there as just a wrapped version, which is a little bit more complicated. Microsoft Edge is the Edge browser now, but they're using the Adobe PDF rendering in Edge as well. So depending on your preference, whether you continue to use Adobe Acrobat Reader or if you just switch over to using Edge for that, it probably comes down to how's your browser policy within your organization. If you're forcing Edge anyway, then just having the PDF rendering directly from there might be a simple way to remove that headache. But if you're gonna keep kind of a multi-browser and you wanna give the user the ability to specify the experience they want, then yeah, it's kind of a headache there. I think we had all the questions answered for, I guess the one thing that I'll follow up on for that dashboard that I showed you guys, because it is a set of prompts that were created by me using an AI tool, and I even showed you that there was at least one discrepancy in there that I couldn't get the AI to fully solve. It's hard for me to share content like that and make it easily consumable by the masses. I can definitely, at least for the next little while here until we get bored with it, I can touch on that tracker and we can see how things are evolving each month on here. And I'll at least give you guys a point in time kind of view of what that's showing in the presentation. But I think trying to make that distributable is gonna be a little bit difficult. There was a question on the plain text password in Edge. I have not seen any other news about that one, but it could have easily been missed with everything else going on right now. Let's see if... I just dropped a link in the chat. There's some recent news. The vulnerability I talked about in Exchange Server that is not patched is the one I put in there. Sorry, Chris, didn't mean to interrupt you there. Nope, that's fine. Yeah, so Microsoft is still, the latest news as of mid-May was that Microsoft has not changed their stance on that. They had an article about the password manager vault in plain text RAM at startup. So that looks like they've not changed their stance on that. Okay, so it looks like the only thing they did was they deployed a defense-in-depth update preventing Edge from loading your entire password manager vault into plain text RAM at startup. But they still had their stance of by design. Let's see what the, it's always hard to capture this with the AI summary at the beginning. So it looks like they, and this article's from May 15th, but they were addressing the originally reported issue immediately, no longer loading passwords into memory on startup. But the default behavior of when a password gets loaded up, it will still be in plain text. So the issue they resolved was the loading everything at the startup, but as you're using them, the, it looks like once it's loaded into memory, it is in plain text while it's there. So that looks like the difference on that. But other than that, it looks like no news since roughly mid-May on that front. New Windows Zero-Day exploit Rogue Planet released. Oh. Okay, so another defender vulnerability that proof of concept was disclosed. Not seeing if it's exploited in the wild though. And there's some limitations to how to do it because there's some, like if you're on a server instance in its current form, a standard user can't mount an ISO image, so you wouldn't be able to exploit it. So there's some mitigating circumstances, but it's reportedly not 100% reliable, but it definitely can work. And this looks like it kind of continues that back and forth with that researcher of disclosing things without coordinating very effectively with Microsoft. So more drama there. But yes, good call. That looks like articles on that one were just cropping up as of this morning. Oh, the mitigation. Oh, thanks, Dan, for that. Microsoft Exchange blog, their current recommendation is still to keep the mitigations in place for 2026-42897. for 2026.428.97. So for those of you who are looking to that, Dan had mentioned the Microsoft Exchange blog is still their latest guidance was to keep it in place. All right, cool. Well, we are right at time. I know there was a lot this month, but thank you everyone. And we will talk to you in July. Patch Tuesday's here, the updates are dropping. Hundreds of fixes, there's just no stopping. CBEs and zero days piling up fast. How long will this patch process last? Reboots and rollbacks, tickets and more. Screams and frustrations and coffee galore. Manual Windows updates just don't play. There has to be a much smarter way. Ivanti Neurons is here to say. Patch smarter, patch faster, patch the right way. Risk-based, automated, no sweat, no tears. Patch Tuesday, bring it on, no fears.