2 min
November 2013 Patch Tuesday Summary
The November Patch Tuesday advisories are out, and across the board mixed
feelings own the day. Relief and frustration must be present for Windows and
Security administrators alike.
Relief because for the first time in a few months, this is a relatively
straightforward Patch Tuesday, with fixes for most Windows versions, the
ever-present IE roll up patch (MS13-088), and some Office components, but
nothing esoteric or difficult to patch. No SharePoint plugins, no complicated
.NET patching, no
2 min
Internet Explorer
IE 0-day: exploit code is now widely available (CVE-2013-3893)
Any newly discovered Internet Explorer zero day vulnerability is bad for users.
But once the exploit code gets around to public disclosure sites, it's so much
worse. In the past day or so exploit code has been submitted to virustotal.com
and scumware.org.
Users and administrators should take immediate action to mitigate the risk posed
by CVE-2013-3893. Considering the timing, I personally expect to see an out of
band patch from Microsoft before October's patch Tuesday, but that is just
specu
3 min
Microsoft
Patch Tuesday, Sept 2013
September's Patch Tuesday is live! The 14 bulletins predicted were cut to 13,
with the .NET patch landing on the cutting room floor. A patch getting pulled
after the advance notice is up usually indicates that late testing revealed an
undesired interaction with another product or component.
The 13 remaining bulletins are split 7/6 between the MS Office family
and Windows OS patches, if we are counting the Internet Explorer patch as part
of the OS patching, anti-trust lawsuits notwiths
2 min
Microsoft
August Patch Tuesday
Oh noes! Fire! Look out! Run in circles, scream and shout! There's a remotely
exploitable, publicly disclosed, critical remote code execution vulnerability in
Microsoft Exchange (MS13-061)! Prepare for the end of teh interwebs.
But wait, is it really remotely exploitable? Well, not in the sense that user
interaction is not required; it's a parser issue that is only triggered by a
user opening a malicious message in Outlook Web Access (OWA).
Okay, but it's still publicly disclosed right? I mean
2 min
Microsoft
Patch Tuesday - July Edition!
This month's patch Tuesday is the polar opposite of last month's ho-hum,
here-we-go-again-with-the-patches exercise. There are 7 advisories and 6 of
those are critical issues allowing remote code execution. Basically everything
in the core Microsoft world is affected by one or more of these, every supported
OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It's
going to be a busy time for security teams everywhere.
For the first time ever Microsoft is addressing a singl
1 min
Patch Tuesday - June Edition
The top patching priority in this month's MS Tuesday is MS13-051 which is a
vulnerability affecting Office 2003 for PCs and Office 2011 for Mac. This issue
is seeing limited, targeted exploitation in the wild and the only reason
Microsoft hasn't tagged it as a “Critical” issue is the limited number of
affected platforms. Exploitation of this issue requires the user to interact
with a malicious document.
The kernel elevation of privilege issue disclosed by Google researcher Tavis
Ormandy bug i
2 min
May 2013 - Patch Tuesday, the "yet another IE 0-day edition"
Going into this patch Tuesday the big question was: will MS13-038 address the
“Department of Labor IE 0-day (CVE-2013-1347)
[/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit]”?
Microsoft had hinted strongly that a patch was on the way, with the unspoken
caveat that there is always a risk of it getting pulled at the last minute for
quality issues. As it turns out, MS13-038 is what was expected and should
address the “Department of Labor IE 0-day,” which is great. So hooray f
2 min
Microsoft
Patch Tuesday - April 2013 Edition!
The April 2013 MS Tuesday advisories are out and they forecast an interesting
patching session for Microsoft administrators. There are 9 advisories, for 14
CVEs, affecting 16 distinct platforms in 5 categories of Microsoft products,
including the not-often-seen patching of “Microsoft Office Web Apps” and
“Microsoft Security Software”.
Once again there is an IE patch (MS13-028) which is rated critical, but this one
differs from last month's incarnation by applying to all supported versions
3 min
Patch Tuesday - March 2013 Edition!
Microsoft March 2013 security bulletins are bringing us a slightly
lighter-than-usual patching load and, perhaps, a slightly muted patching urgency
compared to recent months. There are seven advisories, though they cover 20
unique vulnerabilities. Four of the advisories are listed as “Critical”, but
only the first one which applies to all supported versions of Internet Explorer
(6-10) seems likely to be an immediate threat to the average user.
The IE advisory (MS13-021) contains 9 distinct CV
3 min
Patch Tuesday - February 2013 Edition!
It's another busy month of patching for Microsoft administrators with a number
of high priority fixes getting out. On the plus side, none of the issues
patched this month are known to be actively exploited "in the wild".
The highest risk vulnerabilities, and thus the most important to patch, are
MS13-009, MS13-010, MS13-011, & MS13-020.
MS13-009 is a cumulative patch addressing 12 CVEs for Internet Explorer.
MS13-010 was indicated as an Internet Explorer patch in the advance
notificati