2 min
Patch Tuesday
Patch Tuesday, February 2015
For the second straight month Microsoft is holding fast to their blockade of
information. Customers with “Premier” support are getting a very sparse advance
notification 24 hours before the advisories drop, and “myBulletins” continues to
be useless because it is not updated until well after the patch Tuesday
release. Microsoft called this an evolution, and I can certainly see why – they
are applying a squeeze to security teams that will eliminate the weak members of
the herd.
This month we ar
2 min
Microsoft
Patch Tuesday, January 2015 - Dawn of a new era
Microsoft's January 2015 patch Tuesday marks the start of a new era. It seems
that Microsoft's trend towards openness in security has reversed and the company
that was formerly doing so much right, is taking a less open stance with patch
information. It is extremely hard to see how this benefits anyone, other than,
maybe who is responsible for support revenue targets for Microsoft.
What this means is that the world at large is getting their first look at
understandable information about this
2 min
Microsoft
Patch Tuesday - December 2014
December's advanced Patch Tuesday brings us seven advisories, three of which are
listed as Critical. Depending on how you want to count it, we see a total of 24
or 25 CVEs because one of the Internet Explorer CVEs in MS14-080 overlaps with
the VBScript CVE in MS14-084.
Of the critical issues, MS14-080 has the broadest scope, with 14 CVEs. None of
which are publically disclosed or known to be under active exploit. The shared
CVE with MS14-084 presents a patching and detection challenge becaus
1 min
Patch Tuesday
Patch Tuesday, November 2014
Patch Tuesday came in hot this month with 15 advisories, of which 4 are listed
as critical. Hate to point it out, but this was originally advertised as 16
with 5 critical, but the patch for MS14-068 apparently isn't ready for prime
time yet. Hopefully the decision to hold it back was based on both the testing
and an assessment of risk.
The top patching priority is definitely going to be MS14-064, which is under
active exploitation in the wild and may be related, at least superficially, to
las
2 min
Microsoft
October Patch Tuesday + Sandworm
Microsoft is back in fine form this month with eight upcoming advisories
affecting Internet Explorer, the entire Microsoft range of supported operating
systems, plus Office, Sharepoint Server and a very specific add on module to
their development tools called “ASP .NET MVC”. Originally nine advisories were
listed in the advance notice, but one of the vulnerabilities affecting Office
and the Japanese language IME was dropped for reasons unknown (the dropped
advisory was bulletin #4 in the advanc
1 min
Sandworm aka CVE-2014-4114
UPDATED: 2.30pm, ET, Tuesday, Oct 14.
There's another vulnerability with a clever name getting a lot of attention:
Sandworm [http://www.isightpartners.com/2014/10/cve-2014-4114/] aka
CVE-2014-4114.
This is not a cause for panic for the average system administrator or home
users, but you should take it seriously and patch any vulnerable systems ASAP.
While the reach is pretty broad because the vulnerability in question affects
all versions of the Windows operating system from Vista SP2 to Win
2 min
Microsoft
Patch Tuesday - September 2014
It's a light round of Microsoft Patching this month. Only four advisories, of
which only one is critical. The sole critical issue this month is the expected
Internet Explorer roll up affecting all supported (and likely some unsupported)
versions. This IE roll up addresses 36 privately disclosed Remote Code
Execution issues and 1 publically disclosed Information Disclosure issue which
is under limited attack in the wild. This will be the top patching priority for
this month.
Of the three no
1 min
Microsoft
Patch Tuesday - August 2014
Microsoft clearly wants everyone to shake off the dog days of summer and pay
attention to patching. This month's advance notice contains nine advisories
spanning a range of MSFT products. We have the ubiquitous Internet Explorer all
supported versions patch (MS14-051), with the same likely caveat that this would
apply to Windows XP too, if Microsoft still supported it. This patch addresses
the sole vulnerability to be actively exploited in the wild from in this month's
crop of issues, CVE-201
2 min
Microsoft
Patch Tuesday - June 2014
Patch Tuesday, June 2014 delivers seven advisories, of them, two critical, five
important – one of which is the seldom seen “tampering” type.
The remarkable item in this month's advisories is MS14-035, the Internet
Explorer patch affecting all supported versions. That in itself is not unique,
we see one of these almost every month, but this time the patch addresses 59
CVEs, that is 59 distinct vulnerabilities in one patch! Microsoft asserts that
while two of the vulnerabilities (CVE-2014-1770
3 min
Microsoft
Patch Tuesday - May 2014 - Lots going on
There is a lot going on in the updates from Microsoft this month, including some
very interesting and long time coming changes. Also, it's the highest volume of
advisories so far this year, with eight dropping on us, two of which are
labelled as critical.
How to describe the patching priority is going to be very subjective. Microsoft
has identified three of these advisories: MS14-024, MS14-025, & MS14-029, the IE
patch as priority 1 patching concerns. Interestingly MS14-029 which is the
update
3 min
Microsoft
It's the end of XP as we know it, April Patch Tuesday 2014, and, oh yeah... heartbleed.
So this is it, the last hurrah for the once beloved XP, the last kick at the can
for patching up the old boat. Sure, by today's standards it's a leaky,
indefensible, liability, but… hey, do you even remember Windows 98? Or (*gasp*)
ME? At least we can all finally put IE 6 to rest, once and for all, the final
excuse for corporate life-support has been pulled… except for legacy apps built
so poorly that they depend on IE 6 and are “too costly” to replace.
As everyone should know by now, ther
1 min
Microsoft
Patch Tuesday - March 2014
Microsoft's March Patch Tuesday again came in on the lighter side of some
months. This continues the 2014 trend of smaller Patch Tuesdays. We only see 2
issues that are critical/remote code execution, one of which is the usual IE
(MS14-012), the other is an an issue in the DirectShow libraries (MS14-013)
which affects most versions of Windows from XP up to 8.1/2012r2. These two are
where we should focus our patching efforts.
Of the 18 CVEs addressed in MS14-012, one is known to be in limit
3 min
Microsoft
Patch Tuesday - February 2014, also, say "buh-bye" to MD5
This was a fairly novel Patch Tuesday (calling it interesting might be too
strong a word for Patch Tuesday, unless you work in vulnerability management and
geek out on these things - in which case, I thought it was interesting).
At first take, it looked like Microsoft would continue the 2014 trend of keeping
patch Tuesday relatively light. There were only 5 advisories this month, two
critical, three important. Emphasis is on the past tense.
Monday morning, Microsoft updated the advance no
1 min
January 2014 Patch Tuesday
2014 is off to a light start with Microsoft, as January was a very quiet month
for patches. There were only four advisories released this afternoon.
For the first time in quite a while, there is not a cumulative IE roll up patch.
I believe that this means the IE team was finally allowed to take a vacation
after the grueling year they had in 2013. However, I certainly expect them back
in February.
The second bulletin, MS14-002, addresses the somewhat awaited kernel elevation
of privilege
2 min
Microsoft
December 2013 Patch Tuesday
One more go around the block for 2013 and like the last, late tropical storm of
the season, Microsoft is taking one last swipe and security and IT teams alike.
This Patch Tuesday features a solid 11 advisories affecting 6 different product
types. All supported versions of Windows, Office, Sharepoint, Exchange, Lync
and a mixed bag of developer tools are affected. 5 of the advisories are rated
critical, including one affecting Exchange and one affecting Sharepoint and
Lync, not to mention th