Posts tagged Patch Tuesday

3 min Patch Tuesday

Patch Tuesday - April 2018

Over 70 vulnerabilities have been fixed this month [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/abf77563-8612-e811-a966-000d3a33a34d] , including 6 in Adobe Flash [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180007] ( APSB18-08 [https://helpx.adobe.com/security/products/flash-player/apsb18-08.html]). At a high level, there's nothing too out of the ordinary. Unfortunately, that means the majority of the patched vulnerabilities are once ag

2 min Patch Tuesday

Patch Tuesday - March 2018

There are a lot of fixes this month [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/6c8fa125-28f6-e711-a963-000d3a33a34d] : Microsoft's updates include patches for 76 separate vulnerabilities, including two critical Adobe Flash Player remote code execution (RCE) vulnerabilities [https://helpx.adobe.com/security/products/flash-player/apsb18-05.html]. In fact all of this month's critical vulnerabilities are browser-related. This is not surprising considering web brows

2 min Patch Tuesday

Patch Tuesday - February 2018

It's a run-of-the-mill month as far as Patch Tuesdays go. Even so, 50 individual CVEs have been fixed [https://helpx.adobe.com/security/products/acrobat/apsb18-02.html] by Microsoft, most of which (34) are rated "Important". As usual, most of the 14 considered "Critical" are web browser vulnerabilities that could lead to remote code execution (RCE). The most concerning non-browser issue is CVE-2018-0825 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0825] , an RCE i

3 min Patch Tuesday

Patch Tuesday - January 2018

The first Microsoft patches of 2018 came early, with new updates released late Wednesday, January 3rd. Although this was due to the (somewhat [https://www.freebsd.org/news/newsflash.html#event20180104:01]) coordinated disclosure of the Meltdown and Spectre [/2018/01/04/meltdown-and-spectre-what-you-need-to-know-cve-2017-5715-cve-2017-5753-cve-2017-5754/] vulnerabilities, last week’s updates also contained fixes for 33 additional CVEs. These days, Microsoft releases their OS updates as monolithi

6 min Haxmas

HaXmas Review: A Year of Patch Tuesdays

Today’s installment of the 12 Days of HaXmas [/tag/haxmas] is about 2017’s 12 months of Patch Tuesdays [/tag/patch-tuesday/]. Never mind that there were only eleven months this year, thanks to Microsoft canceling [https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/] most of February’s planned fixes. This coincided with when they’d planned to [https://blogs.technet.microsoft.com/msrc/2016/11/08/furthering-our-commitment-to-security-updates/] roll out their

2 min Patch Tuesday

Patch Tuesday - December 2017

No big surprises from Microsoft this month [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/c383fa60-b852-e711-80dd-000d3a32f9b6] , with 70% of the 34 vulnerabilities addressed being web browser defects. Most of these are Critical Remote Code Execution (RCE) vulnerabilities, so administrators should prioritize patching client workstations. It doesn't take sophisticated social engineering tactics to convince most users to visit a malicious web page, or a legitimate but

1 min Patch Tuesday

Patch Tuesday - November 2017

Web browser issues account for two thirds of this month's patched vulnerabilities [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/bae9d0d8-e497-e711-80e5-000d3a32fc99] , with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are typically well represented on Patch Tuesdays. On top of this are five Adobe Flash Player vulnerabilitie

2 min Patch Tuesday

Patch Tuesday - October 2017

Patch Tuesday round-up for October 2017

1 min Patch Tuesday

Patch Tuesday - September 2017

It's a big month, with Microsoft patching [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99] 85 separate vulnerabilities including the two Adobe Flash Player Remote Code Execution [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170013] (RCE) fixes bundled with the Edge and Internet Explorer 11 updates. Continuing recent trends, the bulk of Critical RCE vulnerabilities are client-side, primarily in Edge, IE,

1 min Patch Tuesday

Patch Tuesday - August 2017

It was a busy month this month with a total of 48 security issues fixed. All of these have a severity of Critical or Important with Remote Code Execution vulnerabilities again figuring highly, particularly for Microsoft Edge. There were also a few publicly disclosed vulnerabilities that were fixed, including CVE-2017-8633 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8633] (Privilege Escalation with Windows Error Reporting). None of the disclosed vulnerabilities

2 min Microsoft

Patch Tuesday - June 2017

This month sees another spate of critical fixes [https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/40969d56-1b2a-e711-80db-000d3a32fc99] from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild ( CVE-2017-8543 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543] and CVE-2017-8464 [https://portal.msrc.microsoft.com/en-US/security-guidance/advis

2 min Microsoft

Patch Tuesday - May 2017

It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0290] ) that had some of the security community buzzing over the weekend was also addressed [https://technet.microsoft.com/en-us/library/security/4022344] late Monday evening. A flaw in the

4 min Microsoft

Simple Vulnerability Remediation Collaboration with InsightVM

Many security groups today use ticketing systems that were originally designed for IT or developers, and are usually ill-suited to their vulnerability management [https://rapid7.com/solutions/vulnerability-management/] needs. Even more commonly, teams simply rely on spreadsheets and unwieldy reports. On the other end of the spectrum, some security teams build a self-service workflow for their remediators and run into lack of user adoption – remediators just are not logging in to the security con

5 min Microsoft

Actionable Vulnerability Remediation Projects in InsightVM

Security practitioners and the remediating teams they collaborate with are increasingly asked to do more with less. They simply cannot remediate everything; it has never been more important to prioritize and drive remediations from start to finish. The Remediation Workflow capability in InsightVM [https://rapid7.com/products/insightvm/] was designed to drive more effective remediation efforts by allowing users to project manage efforts both large and small. Remediation Workflow is designed for

1 min Microsoft

Patch Tuesday - April 2017

This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 [https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199] zero-day flaw in Office and WordPad, which could allow an attacker to run arbitrary code on a victim's system if they are able to successfully soc