Microsoft’s March Patches Arrive

Microsoft’s batch of security patches for March is one of the largest ever and includes fixes for several vulnerabilities that are publicly known and actively exploited.

Microsoft published 17 security bulletins covering 135 vulnerabilities in its own products and one separate bulletin for Flash Player, which has its security patches distributed through Windows Update. Nine bulletins are rated critical and nine are rated as important.

The affected products include Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Exchange, Skype for Business, Microsoft Lync, and Silverlight.

The highest priority should be given to the MS17-013 security bulletin, which addresses remote code execution, privilege escalation, and information disclosure flaws in the Windows Graphics Component, Graphics Device Interface (GDI), and Color Management. These vulnerabilities affect Windows, Office, Skype, Lync, and Silverlight.

The remote code execution flaws can be exploited by tricking users into opening a specially crafted website or document. What’s worse is that one of the vulnerabilities is publicly known and another is already actively exploited.

Another important bulletin is MS17-012, which fixes a vulnerability in the Windows SMB network file-sharing protocol that was publicly disclosed over a month ago.

The MS17-006 and MS17-007 bulletins for Microsoft Edge and Internet Explorer also contain vulnerabilities that have been publicly disclosed, including a critical remote code execution one.

On the server side, the Microsoft Exchange and IIS bulletins, MS17-015 and MS17-016, should be prioritized because these systems are typically exposed to the internet. Server administrators should also direct their attention to the bulletins for Hyper-V virtualization (MS17-008) and Active Directory Federation Server (MS17-019).

The high number of patches in this release is because Microsoft decided to postpone by a month the security updates it had originally scheduled for February. This unprecedented decision was made due to an unspecified last-minute issue and especially since there were a number of publicly known flaws.

Also, it seems that Microsoft has backtracked on its plan to stop organizing patch information into security bulletins, at least for this month. The company had planned to stop using bulletins in favor of a new portal called the Security Updates Guide.


Microsoft’s Patch Tuesday Hits a Snag

As far as I am aware this is a first from Microsoft.

Today Microsoft took the unprecedented step of postponing an entire month’s slate of security updates for Windows and its other products just hours before the patches were to begin rolling out to customers.

“We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today,” Microsoft said in a post to the MSRC (Microsoft Security Research Center) blog. “After considering all options, we made the decision to delay this month’s updates.”

Today was set as Patch Tuesday, the monthly release of security fixes from Microsoft. Normally, Microsoft issues the updates around 10 a.m. PT (1 p.m. ET). Although Microsoft did not time stamp its blog post, the SANS Institute’s Internet Storm Center (ISC) pointed out the delay at 8:22 a.m. PT (11:22 ET).

This past August, Microsoft announced that it would offer only cumulative security updates for Windows 7 and 8.1, ending the decades-old practice of letting customers choose which patches they applied. The new maintenance model for the older editions was a direct transplant from Windows 10, which has relied on cumulative updates since its mid-2015 launch.

By “cumulative,” Microsoft meant that each update included the contents of all previous releases, along with new fixes. But the label also referred to the structure of updates: They were unified entities that could not be broken into their parts.

Previously, Microsoft could delay a single patch – but not today.

Microsoft’s announcement of the delayed patches reads like this:

“We apologize for any inconvenience caused by this change to the existing plan,” Microsoft said on the MSRC blog. Microsoft did not say when it would issue February’s security updates.

I am guessing the new cumulative update will be held until next month.


Microsoft’s August Patch Tuesday

August brings us another Patch Tuesday from Microsoft. This month brings a relatively light series of updates, with five rated as critical and the remaining four rated as important.

Aside from the relatively few updates from Microsoft, there are no zero-day or publicly disclosed vulnerabilities this month. Microsoft has also chosen to update a number of relatively minor components this month with the exception of MS16-098 (another kernel update).

Let’s take a look at the updates Microsoft has in store for all of our PCs.

MS16-095 — Critical

The first update rated as critical for this August Microsoft Patch Tuesday follows the standard release cycle pattern with an update to Microsoft Internet Explorer (IE). MS16-095 attempts to resolve nine privately reported memory corruption issues that, if left unpatched, could lead to a remote code execution scenario. This is a pretty standard “technical hygiene” update from Microsoft that does not have to address any urgent “zero-day” vulnerabilities. As is the case for these types of updates, a full application “binaries” refresh will be included in this update, which applies to all currently supported versions of IE. Add this update to your standard desktop deployment effort.

MS16-096 — Critical

Unusually, the update to Microsoft Edge is more serious than the patches to IE for this month. MS16-096 attempts to resolve 10 issues that could also lead to a remote code execution scenario. The more serious of these privately reported issues could lead to an attacker assuming the same security privileges as the logged-in user when that user simply navigates to a specially crafted web page containing malicious JavaScript. Make this patch a priority for your Windows 10 deployment.

MS16-097 — Critical

MS16-097 follows a long pedigree of Microsoft updates that attempt to resolve issues in how Windows platforms handle embedded fonts. This month’s update attempts to resolve three vulnerabilities that, following successful web-page or file-based attacks, could lead to the execution of arbitrary code on a non-patched or compromised system. As this patch affects all Windows (desktop and server) platforms, Microsoft Office and Lync, please add this update to your prioritised patch deployment effort.

MS16-099 — Critical

MS16-099 is a huge update for Microsoft that attempts to resolve seven high-risk vulnerabilities that at worst could lead to a remote code execution scenario. In addition to numerous security patches, this update also includes a significant feature-level update to several versions of Microsoft Outlook (Outlook 2007, 2013, 2016 – both 32 and 64-bit editions). It also looks like attackers could use three approaches to compromise a system: specially crafted web pages, special files and emails. Make this update a priority for your patch deployment effort.

MS16-102 — Critical

MS16-102 addresses a single (as yet unrated by Microsoft, and privately reported) vulnerability in the built-in PDF viewer in Windows 8.x and Windows 10 systems. This update is linked to the July cumulative update for Windows 10 that included an update to the PDF handler as well. If a user opens a specially crafted PDF file, it appears that, without deploying this update or employing several registry-related security restrictions, a remote code execution scenario will occur on the compromised system. Add this update to your priority patch deployment effort.

MS16-098 — Important

MS16-098 attempts to address four serious (but privately reported) vulnerabilities in the Windows kernel mode drivers that if left unpatched could lead to an elevation of privilege scenario. This is a tricky update with a long history of past issues and problems with these types of patches. I would deploy this update to IT first, and then wait a little while.

MS16-100 — Important

MS16-100 represents the perfect summer update. It’s a simple, single fix to a low profile Windows component, with low deployment risk. Add this update to your standard patch deployment effort.

MS16-101 — Important

MS16-101 addresses two privately reported vulnerabilities in the Windows authentication engine. Both vulnerabilities are relatively tough to exploit and require physical access to domain-joined systems. However, as this update affects all currently supported versions of both desktop and server systems from Microsoft, it needs to be added to your standard update deployment effort.

MS16-103 — Important

MS16-103 is the final update for this August that attempts to address a difficult to exploit, privately reported vulnerability in a relatively minor component of Windows 10 desktop systems. Add to your standard Windows 10 deployment effort.


Microsoft’s Patch Tuesday “Fixes” 40 Vulnerabilities

Microsoft fixed more than 40 vulnerabilities in its products Tuesday, including critical ones in Windows, Internet Explorer, Edge and Office.

The vulnerabilities are covered in 16 security bulletins, six of which are marked as critical and the rest as important. This brings the total number of Microsoft security bulletins for the past six months to more than 160, a six-month record for the past decade.

Attackers can exploit this vulnerability by sending specifically crafted DNS requests to a Windows Server 2012 or a Windows Server 2012 R2 deployment configured as a DNS server.

The critical bulletins for Internet Explorer and Edge, namely MS16-063 and MS16-068, should also be high on the priority list because they cover remote code execution flaws that can be exploited by simply browsing to a specially crafted website.

Next on the list should be the Microsoft Office security bulletin, MS16-070, because the applications in the Office suite are a common target for attackers, particularly through malicious email attachments.

The most important vulnerability in the Microsoft Office bulletin is a remote code execution flaw tracked as CVE-2016-0025 that stems from the Microsoft Word RTF format. Since RTF can be used to attack through Outlook’s preview pane, the flaw can be triggered with a simple e-mail without user interaction.

To check for Windows updates

  1. Open Windows Update by clicking the Start button, clicking All Programs, and then clicking Windows Update.

  2. In the left pane, click Check for updates, and then wait while Windows looks for the latest updates for your computer.

  3. If any updates are found, click Install updates. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
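
The same check can be scripted so that pending updates are listed with their severity rating and bulletin number before anything is installed. The following is an added example, not part of the original post; it assumes a Windows host where the Windows Update service can reach its update source, and it uses the Windows Update Agent COM API together with the built-in `Get-HotFix` cmdlet.

```powershell
# Added example: list pending updates by MSRC severity, then show recent installs.
# Run in a PowerShell session on the Windows machine being checked.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Equivalent of "Check for updates": software updates that are not yet installed
# and have not been hidden by the user.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

# Sort order for the severity ratings used in the bulletins (Critical first).
$rank = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2; 'Low' = 3 }

$pending = foreach ($u in $result.Updates) {
    # MsrcSeverity is empty for non-security updates.
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
    [pscustomobject]@{
        Severity  = $sev
        Rank      = if ($rank.ContainsKey($sev)) { $rank[$sev] } else { 9 }
        Bulletins = ($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
        KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title     = $u.Title
    }
}

if (-not $pending) {
    Write-Output 'No pending software updates were found.'
} else {
    $pending | Sort-Object Rank, Title |
        Format-Table Severity, Bulletins, KB, Title -AutoSize
}

# What is already on the machine: the ten most recently installed hotfixes.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```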


Microsoft Seeks to Log Its Update History for Everyone

This latest news from Microsoft really does show off the “new Microsoft”. In the past, Windows updates have been forgotten almost as soon as they were released and applied. However, knowing which updates were applied, and when, can go a long way toward troubleshooting Windows issues.


During Windows 10’s relatively short life, updates have been steady and regular. What they haven’t been is transparent. Until now.

To coincide with Patch Tuesday, the day Microsoft’s monthly security patches are released, Microsoft is also creating a Windows 10 update history site.

The site will include detailed logs to every Windows 10 update in an effort to improve transparency, starting today.

We’re committed to our customers and strive to incorporate their feedback, both in how we deliver Windows as a service and the info we provide about Windows 10. In response to this feedback, we’re providing more details about the Windows 10 updates we deliver through Windows Update. You’ll see a summary of important product developments included in each update, with links to more details. This page will be regularly refreshed, as new updates are released.

Windows 10’s update history went live earlier today, and should be updated with each system patch.

Good move Microsoft.


Microsoft Releases Critical Patches for All Windows Versions

Microsoft has reported in its latest monthly security bulletin, otherwise known as “Patch Tuesday”, that users of Windows Vista and later, including Windows 10, should patch immediately to prevent a serious flaw in how the operating system handles certain files.

Windows security patches

The serious vulnerability (MS16-013) could allow an attacker to run arbitrary code as the logged-in user. Administrator accounts are at the greatest risk. An attacker would have to trick a user into opening a specially-crafted Journal file, which would let the attacker run programs, delete data, and create new accounts with full user rights.

Windows Server 2016 Tech Preview 4 is also affected by the vulnerability, and requires patching. The good news is that Microsoft said it was not aware of an attacker actually exploiting the flaw.

Microsoft also released three other critical flaws affecting Windows and Office.

Additional Patches Released This Month by Microsoft

MS16-012 addresses vulnerabilities that could allow an attacker to run code on an affected system by tricking a user into opening a specially-crafted PDF file. Users on Windows 8.1 and Windows 10 are mostly affected. The flaw was privately reported to Microsoft, and is not thought to have been exploited by attackers.

MS16-015 fixes a number of memory corruption flaws in Microsoft Office, which could let an attacker remotely execute code if a user opens a specially-crafted Office file. An attacker would have the same access to the system as the logged-in user. The flaws were privately reported, except a separate SharePoint cross-site scripting flaw, which was publicly disclosed.

MS16-022 patches more than two-dozen separate vulnerabilities with Adobe Flash Player on all Windows 8.1 and higher.

Microsoft also rolled out a cumulative patch to Internet Explorer (MS16-009) and its newer browser, Microsoft Edge for Windows 10 (MS16-011).

Of the most serious flaws, an attacker could exploit flaws in how Internet Explorer and the Edge browser handle objects in memory and parse HTTP responses.

All of the vulnerabilities were privately reported to Microsoft, and are not thought to have been exploited by attackers.

Microsoft also released four other patches — MS16-014, MS16-016, MS16-017, MS16-018, MS16-019, MS16-020, and MS16-021 — for “important” issues, such as elevation of privilege and denial-of-service issues.

These patches are of course available as critical updates through Windows Update.


Microsoft Issues First Fixes of 2016

Microsoft has released the first batch of security updates for 2016, which include critical fixes for remote code execution flaws in Windows, Office, Edge, Internet Explorer, Silverlight and Visual Basic.

 

Microsoft has also fixed remote code execution and elevation of privilege vulnerabilities in Windows and an address spoofing flaw in Exchange Server, that were rated important, not critical, due to various mitigating factors.

In total, Microsoft issued nine security bulletins covering patches for 24 vulnerabilities.

Administrators should prioritize the MS16-005 security bulletin, especially for systems running Windows Vista, 7 and Server 2008.

This patch addresses a remote code execution vulnerability tracked as CVE-2016-0009 that has been publicly disclosed, making attacks more likely.

The second most important bulletin, according to Qualys, is MS16-004, which addresses six vulnerabilities in Microsoft Office. This bulletin is rated critical, which has been unusual for Microsoft Office in the recent past.

The culprit for this severity rating is one particular remote code execution vulnerability tracked as CVE-2016-0010 that’s present in all versions of Office from 2007 to 2016, even those running on Mac and Windows RT.

Additional patches are covered in the MS16-001 and MS16-002 security bulletins and will be the last ones that Internet Explorer versions 8 and 10 will ever receive. IE 9 will continue to be supported on Windows Vista and Windows Server 2008 SP2.

If you are in an organization that uses Outlook Web Access (OWA) you should also take a look at MS16-010. Even though this bulletin is rated by Microsoft only as important, the vulnerability it covers can allow attackers to launch so-called business e-mail compromise (BEC) attacks.

Such attacks have cost companies around the world $1.2 billion. This type of attack involves cyber-criminals compromising business emails, or spoofing email addresses, to instruct employees and business partners to initiate unauthorized wire transfers.

Finally, the MS16-006 bulletin, which addresses a vulnerability in Silverlight, should be on the priority list as well because the flaw could enable remote code execution attacks through the browser plug-in. Attackers are known to have used Silverlight exploits in the past.

This month’s updates were also the last ones for Windows 8, which Microsoft will no longer support going forward. Windows 8 users will have to upgrade to Windows 8.1 or 10 in order to continue receiving security patches.


Patch Tuesday Is Here

Yesterday Microsoft issued three new security advisories and a dozen new patches in their monthly round of security updates. Surprisingly, one of the advisories was apparently the result of a security fumble by Microsoft’s own internal IT team: the inadvertent disclosure of the private encryption keys for a wildcard SSL/TLS certificate.

The certificate, which was used for Microsoft’s xboxlive.com domain, has been revoked on Microsoft’s Certificate Trust list, but it could potentially be used to attack systems that haven’t been updated in man-in-the-middle attacks that “spoof” the Xbox Live network. Microsoft isn’t saying how the certificate was “inadvertently disclosed,” but it’s likely that the “wildcard” certificate was accidentally shared with a partner. It’s unlikely that the certificate will be used for an attack now that it’s been revoked, but systems that don’t regularly get their certificate trust lists updated might still be vulnerable.

System administrators have a bigger headache to deal with: an update issued yesterday for Microsoft Windows DNS that patches a remote code execution vulnerability. Rated “critical” by Microsoft, the bug in DNS affects Windows Server 2008 and later. It could allow an attacker to send a “specially-crafted” Domain Name Service request to a Windows DNS server that can run commands on the server with the permissions of the Local System account—giving the attackers a wide range of access to the server that could easily be escalated.

The DNS fix is one of eight critical fixes included in this “Patch Tuesday” including huge roll-up patches for Internet Explorer, Edge, Jscript, and VBScript—all of which fix holes that could potentially be used for remote code execution by malicious websites. There’s also a remote code execution fix for a graphics component used by Skype, Lync, Office, Silverlight, Windows itself and the .NET framework that could be exploited by a malicious document or Web page, and a totally separate remote execution bug in Silverlight and Office themselves. And there’s a patch for the Uniscribe text API that fixes a vulnerability that would allow malicious fonts to execute code.


Windows 10’s First Patch Tuesday

Only two weeks after Windows 10 was launched Microsoft has issued a cumulative pack of important updates and patches.

In all, Microsoft released 14 security bulletins for this month’s Patch Tuesday, which occurs on the second Tuesday of each month.

Three of the bulletins were marked as critical, meaning that they should be patched as quickly as possible. A bulletin typically contains a set of patches for a single set of software products, such as all the supported versions of Windows.

Most agree that Windows 10 is off to a strong start as far as being engineered for security. It has been noted that 40 percent of the generic Windows patches this month apply to Windows 10. By comparison, Windows 8 generated 60 percent of all the generic Windows patches then being issued in the first two months after that OS was released.

The three critical bulletins this month, MS15-079, MS15-080, and MS15-081, cover vulnerabilities in Windows, Internet Explorer, and Microsoft Office.

The critical bulletin for Office, MS15-081, is a rarity, in that critical bulletins are not usually issued for that software suite. The bulletin addresses a flaw that could allow an attacker to gain control of the machine by tricking the user into opening a maliciously crafted Word document.

Microsoft has noticed that this flaw is already being exploited by attackers.

There are a number of other bulletins that, though not marked as critical, appear to be very important as well.

One is MS15-085, which would allow an attacker to use a USB drive to gain entry to a system. The attacker could plant code on the drive that would activate when the drive is inserted into a computer. This vulnerability is also already being exploited by attackers.

Another bulletin, MS15-083, might be of critical importance for those still running Windows 2008 or Windows Vista.


Patch Tuesday Lives!

Patch Tuesday is not dead! 

That is what many experts have now concluded.

With Windows 10’s launch only 4 days away (the new operating system will debut July 29 on previewers’ PCs), the question of whether Patch Tuesday lives and breathes, or will die, maybe quickly, maybe slowly, still remains officially unanswered. However, many security professionals and industry analysts have come to the conclusion that Patch Tuesday will continue, possibly in the same form it has had since 2003.

“Patch Tuesday is not going away any time soon,” said Chris Goettl, product manager for patch management vendor Shavlik. “It’s been blown out of proportion.”

“Patch Tuesday” is the label that’s been stuck to the second Tuesday of each month, the day Microsoft has issued its security updates since 2003. Microsoft of course prefers the more upbeat “Update Tuesday,” which I kind of prefer as well. I was really hoping that this practice would not go away because it really does make patching more predictable, especially for information technology staffs who manage networks and large numbers of computers.

Two months ago, Patch Tuesday’s future seemed in doubt after Windows chief Terry Myerson said, “We’re not going to be delivering all of the updates to all of these consumers on one day of the month,” when talking about changes to Windows Update under Windows 10.

Many in the technology sector used that comment to conclude that Microsoft was killing Patch Tuesday and would instead roll out security fixes as soon as they were ready, returning to its pre-2003 practice. Two weeks ago, when Microsoft shipped its July batch, some marked it as the last-ever Patch Tuesday. I was indeed saddened by this possibility.

Not so fast! While observers agreed that Patch Tuesday would be moot for consumers on Windows 10, even in May they were certain it would remain a factor for businesses, which again I believe is a critically important tool for IT departments.

So Patch Tuesday may have a heartbeat after all. I for one hope so.
