Posts by Richard Tsang

7 min Vulnerability Management

Patch Tuesday - January 2021

We arrive at the first Patch Tuesday of 2021 (2021-Jan [https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan]) with 83 vulnerabilities across our standard spread of products. Windows Operating System vulnerabilities dominated this month's advisories, followed by Microsoft Office (which includes the SharePoint family of products), and lastly some from less frequent products such as Microsoft System Center and Microsoft SQL Server.

Vulnerability Breakdown by Software Family FamilyVulnera

6 min Vulnerability Management

Patch Tuesday - December 2020

We close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it's a higher count than our typical December months (high thirties), it's still a nice breath of fresh air given how the past year has been. We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft. In terms of actionables, stan

3 min Vulnerability Management

Patch Tuesday - November 2020

Jumping right back to a triple-digit volume of vulnerabilities resolved, Microsoft covers 112 CVEs this November affecting products ranging from our standard Windows Operating Systems and Microsoft Office products to some new entries such as Azure Sphere.

Microsoft CVE-2020-17087: Windows Kernel Local Elevation of Privilege Vulnerability [https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087]

Coming as no surprise to anyone, the previously disclosed CVE-2020-17087 zero-day

4 min Vulnerability Management

Patch Tuesday - October 2020

Microsoft brings us an October's Update Tuesday with 87 vulnerabilities, a sub-100 number we haven't experienced in quite some time. To further add to this oddity, there are no Browser-based vulnerabilities to mention and the arrival of a new Adobe Flash vulnerability CVE-2020-9746 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200012]. Despite this month's lower numbers, there are some precautions we should all take to remediate our environments quickly and effectively.

3 min Vulnerability Management

Patch Tuesday - September 2020

129 Vulnerabilities Patched in Microsoft's September 2020 Update Tuesday (2020-Sep Patch Tuesday)

Despite maintaining the continued high volume of vulnerabilities disclosed and patched this month, Microsoft's 129-Vulnerability September 2020 Update Tuesday is seemingly calm from an operations perspective -- at first glance. While following standard procedures of scheduling the patching for Windows OSes up front immediately closes the door against 60%+ of the vulnerabilities being disclosed this

4 min Vulnerability Management

Patch Tuesday - August 2020

120 Vulnerabilities Patched in Microsoft's August 2020 Update Tuesday (2020-Aug Patch Tuesday)

August 2020 brings along patches for 120 vulnerabilities within the standard set of Microsoft products (Windows, Office, Browsers, and Developer Tools such as .NET Framework, ASP.NET, and Visual Studio). Among the crowd are two vulnerabilities: CVE-2020-1464 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464], and CVE-2020-1380 [https://portal.msrc.microsoft.com/en-US/s

3 min Vulnerability Management

Patch Tuesday - July 2020

100+ vulnerabilities patched during Patch Tuesdays the new norm

Another 123 CVEs are covered this month from Microsoft for the 2020-Jul Patch Tuesday [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jul]. In addition to our usual suspects like Windows, Internet Explorer/Microsoft Edge, and Microsoft Office, this Patch Tuesday addresses several developer-type tools such as .NET Framework, Visual Studio Code ESLint extension along with various Open Source Software

3 min Vulnerability Management

Patch Tuesday - June 2020

June 2020's Microsoft Patch Tuesday [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jun] gives us a whopping 129 CVEs patched (excluding Adobe Flash which addresses CVE-2020-9633 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200010] -- a high severity remote code execution vulnerability).  While the consistently high volume of vulnerabilities being addressed each month is alarming at times, there is a sense of peace in the steps Micros

2 min Vulnerability Management

Patch Tuesday - April 2020

Global working-from-home routines haven't slowed down Microsoft and its ability to help close up vulnerabilities in their products. This April Patch Tuesday [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Apr] (WFH-edition), Microsoft has knocked 113 vulnerabilities out of the park. It's not the highest we've seen, but it is still an impressive spread of fixes coming in this month with a fair number resolving SharePoint and Office vulnerabilities along with the

2 min Vulnerability Management

Patch Tuesday - March 2020

Let's start off talking about CVE-2020-0688 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688] from last month -- the Microsoft Exchange Validation Key RCE vulnerability. At the time it was published February 11, 2020, the vulnerability had not seen active exploitation. As of March 9, 2020, there were increasing reports of activity [https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/] happening on unpatched Exchange

3 min Patch Tuesday

Patch Tuesday - February 2020

A relatively modest 99-vulnerability February Patch Tuesday [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Feb] has arrived with a fix for the Internet Explorer 0-day CVE-2020-0674 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674] (originally ADV200001 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001]) announced back on January 17.  Fortunately, that is the only vulnerability reported this month th

2 min Patch Tuesday

Patch Tuesday - December 2019

Today we come to the end of 2019's monthly Microsoft Patch Tuesday [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec] (also known as Update Tuesday). This Christmas, Microsoft presents us with 36 vulnerabilities (that's two fewer than this time last year!) and no new vulnerabilities from Adobe for Adobe Flash. Unfortunately, despite a light month, there's still action to be taken. CVE-2019-1458 [https://portal.msrc.microsoft.com/en-US/security-guidance/advis

3 min Patch Tuesday

Patch Tuesday - November 2019

November's Patch Tuesday is upon us and, this month, Microsoft addressed 74 vulnerabilities of which one Internet Explorer vulnerability (CVE-2019-1429 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429]) has been seen under active exploitation. By prioritizing the released Microsoft Windows and Internet Explorer patches, the door to 58 of the 74 vulnerabilities will be closed off. Also, for the second month in a row, this Patch Tuesday sees an absent security upd