Posts tagged Patch Tuesday

2 min Microsoft

Patch Tuesday - December 2014

December's advanced Patch Tuesday brings us seven advisories, three of which are listed as Critical.  Depending on how you want to count it, we see a total of 24 or 25 CVEs because one of the Internet Explorer CVEs in MS14-080 overlaps with the VBScript CVE in MS14-084. Of the critical issues, MS14-080 has the broadest scope, with 14 CVEs.  None of which are publically disclosed or known to be under active exploit.  The shared CVE with MS14-084 presents a patching and detection challenge becaus

1 min Patch Tuesday

Patch Tuesday, November 2014

Patch Tuesday came in hot this month with 15 advisories, of which 4 are listed as critical.  Hate to point it out, but this was originally advertised as 16 with 5 critical, but the patch for MS14-068 apparently isn't ready for prime time yet.  Hopefully the decision to hold it back was based on both the testing and an assessment of risk. The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to las

2 min Patch Tuesday

SChannel and MS14-066, another Red Alert?

This has been a busy Patch Tuesday for Microsoft. Of the fourteen bulletins, four of which were deemed critical, MS14-066 [https://technet.microsoft.com/library/security/ms14-066] has been getting significant attention. This vulnerability, CVE-2014-6321 [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321], affects Windows Secure Channel (SChannel) [http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123(v=vs.85).aspx] and was discovered privately by Microsoft through an in

2 min Microsoft

October Patch Tuesday + Sandworm

Microsoft is back in fine form this month with eight upcoming advisories affecting Internet Explorer, the entire Microsoft range of supported operating systems, plus Office, Sharepoint Server and a very specific add on module to their development tools called “ASP .NET MVC”.  Originally nine advisories were listed in the advance notice, but one of the vulnerabilities affecting Office and the Japanese language IME was dropped for reasons unknown (the dropped advisory was bulletin #4 in the advanc

2 min Microsoft

Patch Tuesday - September 2014

It's a light round of Microsoft Patching this month.  Only four advisories, of which only one is critical.  The sole critical issue this month is the expected Internet Explorer roll up affecting all supported (and likely some unsupported) versions.  This IE roll up addresses 36 privately disclosed Remote Code Execution issues and 1 publically disclosed Information Disclosure issue which is under limited attack in the wild. This will be the top patching priority for this month. Of the three no

1 min Microsoft

Patch Tuesday - August 2014

Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching.  This month's advance notice contains nine advisories spanning a range of MSFT products.  We have the ubiquitous Internet Explorer all supported versions patch (MS14-051), with the same likely caveat that this would apply to Windows XP too, if Microsoft still supported it.  This patch addresses the sole vulnerability to be actively exploited in the wild from in this month's crop of issues, CVE-201

2 min Microsoft

Patch Tuesday - June 2014

Patch Tuesday, June 2014 delivers seven advisories, of them, two critical, five important – one of which is the seldom seen “tampering” type. The remarkable item in this month's advisories is MS14-035, the Internet Explorer patch affecting all supported versions.  That in itself is not unique, we see one of these almost every month, but this time the patch addresses 59 CVEs, that is 59 distinct vulnerabilities in one patch! Microsoft asserts that while two of the vulnerabilities (CVE-2014-1770

3 min Microsoft

Patch Tuesday - May 2014 - Lots going on

There is a lot going on in the updates from Microsoft this month, including some very interesting and long time coming changes. Also, it's the highest volume of advisories so far this year, with eight dropping on us, two of which are labelled as critical. How to describe the patching priority is going to be very subjective.  Microsoft has identified three of these advisories: MS14-024, MS14-025, & MS14-029, the IE patch as priority 1 patching concerns. Interestingly MS14-029 which is the update

3 min Microsoft

It's the end of XP as we know it, April Patch Tuesday 2014, and, oh yeah... heartbleed.

So this is it, the last hurrah for the once beloved XP, the last kick at the can for patching up the old boat.  Sure, by today's standards it's a leaky, indefensible, liability, but… hey, do you even remember Windows 98?  Or (*gasp*) ME?  At least we can all finally put IE 6 to rest, once and for all, the final excuse for corporate life-support has been pulled… except for legacy apps built so poorly that they depend on IE 6 and are “too costly” to replace. As everyone should know by now, ther

1 min Microsoft

Patch Tuesday - March 2014

Microsoft's March Patch Tuesday again came in on the lighter side of some months.  This continues the 2014 trend of smaller Patch Tuesdays.  We only see 2 issues that are critical/remote code execution, one of which is the usual IE (MS14-012), the other is an an issue in the DirectShow libraries (MS14-013) which affects most versions of Windows from XP up to 8.1/2012r2.  These two are where we should focus our patching efforts. Of the 18 CVEs addressed in MS14-012, one is known to be in limit

3 min Microsoft

Patch Tuesday - February 2014, also, say "buh-bye" to MD5

This was a fairly novel Patch Tuesday (calling it interesting might be too strong a word for Patch Tuesday, unless you work in vulnerability management and geek out on these things - in which case, I thought it was interesting). At first take, it looked like Microsoft would continue the 2014 trend of keeping patch Tuesday relatively light.  There were only 5 advisories this month, two critical, three important.  Emphasis is on the past tense. Monday morning, Microsoft updated the advance no

2 min Microsoft

December 2013 Patch Tuesday

One more go around the block for 2013 and like the last, late tropical storm of the season, Microsoft is taking one last swipe and security and IT teams alike. This Patch Tuesday features a solid 11 advisories affecting 6 different product types.  All supported versions of Windows, Office, Sharepoint, Exchange, Lync and a mixed bag of developer tools are affected.  5 of the advisories are rated critical, including one affecting Exchange and one affecting Sharepoint and Lync, not to mention th

3 min Microsoft

Patch Tuesday, Sept 2013

September's Patch Tuesday is live! The 14 bulletins predicted were cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after the advance notice is up usually indicates that late testing revealed an undesired interaction with another product or component. Of the 13 bulletins remaining they are split 7/6 between the MS Office family and Windows OS patches, if we are counting the Internet Explorer patch as part of the OS patching, anti-trust lawsuits notwiths

2 min Microsoft

August Patch Tuesday

Oh noes! Fire! Look out! Run in circles, scream and shout! There's a remotely exploitable, publicly disclosed, critical remote code execution vulnerability in Microsoft Exchange (MS13-061)! Prepare for the end of teh interwebs. But wait, is it really remotely exploitable? Well, not in the sense that user interaction is not required, it's a parser issue that is only triggered by a user opening a malicious message in Outlook Web Access (OWA). Okay, but it's still publicly disclosed right? I mean

2 min Microsoft

Patch Tuesday - July Edition!

This month's patch Tuesday the polar opposite of last month's ho-hum, here-we-go-again-with-the-patches exercise. There are 7 advisories and 6 of those are critical issues allowing remote code execution. Basically everything in the core Microsoft world is affected by one or more of these, every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET.  It's going to be a busy time for security teams everywhere. For the first time ever Microsoft is addressing a singl