1 min
Microsoft
Patch Tuesday - April 2017
This month's updates deliver vital client-side fixes, resolving publicly
disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and
Microsoft Office that attackers are already exploiting in the wild. In
particular, they've patched the CVE-2017-0199
[https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199]
zero-day flaw in Office and WordPad, which could allow an attacker to run
arbitrary code on a victim's system if they are able to successfully soc
0 min
Microsoft
February 2017 Patch Tuesday: Delayed
Earlier today Microsoft announced
[https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/]
that they will be delaying this month's security updates due to finding a
last-minute issue that could "impact some customers." This may be due to a
glitch in their new process
[/2017/02/06/a-reminder-about-upcoming-microsoft-vulnerability-content-changes]
that they were not able to iron out in time for today's planned release.
We will be keeping an eye out for any up
3 min
Nexpose
Patch Tuesday, November 2016
November [https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx]
continues a long running trend with Microsoft's products where the majority of
bulletins (7) address remote code execution (RCE), closely followed by elevation
of privilege (6) and security feature bypass (1). All of this month's critical
bulletins are remote code execution vulnerabilities, affecting a variety of
products and platforms including Edge, Internet Explorer, Exchange, Microsoft
Office, Office Services and
2 min
Nexpose
Patch Tuesday, October 2016
October [https://technet.microsoft.com/library/security/ms16-oct] continues a
long running trend with Microsoft's products where the majority of bulletins (6)
address remote code execution (RCE) followed by elevation of privilege (3) and
information disclosure (1). All of this month's critical bulletins are remote
code execution vulnerabilities, affecting a variety of products and platforms
including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services
and Web Apps, Sharepoint as
2 min
Nexpose
Patch Tuesday, July 2016
July [https://technet.microsoft.com/en-us/library/security/ms16-jul.aspx]
continues an on-going trend with Microsoft's products where the majority of
bulletins (6) address remote code execution (RCE) followed by information
disclosure (2), security feature bypass (2) and elevation of privilege (1). All
of this month's 'critical' bulletins are remote code execution vulnerabilities,
affecting a variety of products and platforms including Edge, Internet Explorer,
Microsoft Office, Office Services
2 min
Microsoft
On Badlock for Samba (CVE-2016-2118) and Windows (CVE-2016-0128)
Today is Badlock Day
You may recall that the folks over at badlock.org [http://badlock.org/] stated
about 20 days ago that April 12 would see patches for "Badlock," a serious
vulnerability in the SMB/CIFS protocol that affects both Microsoft Windows and
any server running Samba, an open source workalike for SMB/CIFS services. We
talked about it back in our Getting Ahead of Badlock
[/2016/03/30/getting-ahead-of-badlock] post, and hopefully, IT administrators
have taken advantage of the pre-releas
2 min
Nexpose
Update Tuesday, November 2015
November sees a mix of remote code execution and elevation of privilege
vulnerabilities enabling an attacker to gain the same rights as the user when
the victim opens specially crafted content, such as a webpage, journal file or
document containing embedded fonts. These vulnerabilities affect Internet
Explorer (7 and onwards), Edge, and Windows (Vista and onwards). It is
advisable for users and administrators to patch the affected platforms.
Microsoft includes 12 security bulletins, a third of
1 min
Patch Tuesday
Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)
Java 8 servers versions prior to u46 are susceptible to a remote unauthenticated
denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU
extensions on supported processors. AES intrinsics are enabled by default on the
Oracle JVM if the the JVM detects that processor capability, which is common for
modern processors manufactured after 2010. For more on AES-NI, see the
Wikipedia
article [https://en.wikipedia.org/wiki/AES_instruction_set].
This issue was tracked in the OpenJDK p
2 min
Microsoft
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft,
including what seems like a not-very-unusual mix of remote code execution (RCE)
vulnerabilities and security feature bypasses. However, two of these bulletins –
MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and
MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] –
require a closer look, both because of the severity of the vulnerabilities that
they address and the changes Mi
2 min
Patch Tuesday
Patch Tuesday, February 2015
For the second straight month Microsoft is holding fast to their blockade of
information. Customers with “Premier” support are getting a very sparse advance
notification 24 hours before the advisories drop, and “myBulletins” continues to
be useless because it is not updated until well after the patch Tuesday
release. Microsoft called this an evolution, and I can certainly see why – they
are applying a squeeze to security teams that will eliminate the weak members of
the herd.
This month we ar
2 min
Microsoft
Patch Tuesday, January 2015 - Dawn of a new era
Microsoft's January 2015 patch Tuesday marks the start of a new era. It seems
that Microsoft's trend towards openness in security has reversed and the company
that was formerly doing so much right, is taking a less open stance with patch
information. It is extremely hard to see how this benefits anyone, other than,
maybe who is responsible for support revenue targets for Microsoft.
What this means is that the world at large is getting their first look at
understandable information about this
2 min
Microsoft
Patch Tuesday - December 2014
December's advanced Patch Tuesday brings us seven advisories, three of which are
listed as Critical. Depending on how you want to count it, we see a total of 24
or 25 CVEs because one of the Internet Explorer CVEs in MS14-080 overlaps with
the VBScript CVE in MS14-084.
Of the critical issues, MS14-080 has the broadest scope, with 14 CVEs. None of
which are publically disclosed or known to be under active exploit. The shared
CVE with MS14-084 presents a patching and detection challenge becaus
1 min
Patch Tuesday
Patch Tuesday, November 2014
Patch Tuesday came in hot this month with 15 advisories, of which 4 are listed
as critical. Hate to point it out, but this was originally advertised as 16
with 5 critical, but the patch for MS14-068 apparently isn't ready for prime
time yet. Hopefully the decision to hold it back was based on both the testing
and an assessment of risk.
The top patching priority is definitely going to be MS14-064, which is under
active exploitation in the wild and may be related, at least superficially, to
las
2 min
Patch Tuesday
SChannel and MS14-066, another Red Alert?
This has been a busy Patch Tuesday for Microsoft. Of the fourteen bulletins,
four of which were deemed critical, MS14-066
[https://technet.microsoft.com/library/security/ms14-066] has been getting
significant attention. This vulnerability, CVE-2014-6321
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321], affects
Windows Secure Channel (SChannel)
[http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123(v=vs.85).aspx]
and was discovered privately by Microsoft through an in
2 min
Microsoft
October Patch Tuesday + Sandworm
Microsoft is back in fine form this month with eight upcoming advisories
affecting Internet Explorer, the entire Microsoft range of supported operating
systems, plus Office, Sharepoint Server and a very specific add on module to
their development tools called “ASP .NET MVC”. Originally nine advisories were
listed in the advance notice, but one of the vulnerabilities affecting Office
and the Japanese language IME was dropped for reasons unknown (the dropped
advisory was bulletin #4 in the advanc