Archive | Editorial Articles RSS feed for this section

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

World Password Day – WSWiR Episode 106

MS Patch Day, 4chan Hacked, and Password Security

If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.

Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 7:32)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

IE & Flash 0day – WSWiR Episode 105

White House Cyber Disclosure, Traffic Light Hacking, and Zero Day Exploits

There was a ton of Information Security news this week. More than most people can keep up with; especially busy IT administrators who are already putting out other fires. If you have little time to read the latest news, but want a quick recap of the most important infosec stories each week, this is the vlog for you.

In this episode, I react to the White House talking about their zero day disclosure policy, I share news about a researcher hijacking traffic lights across the US, and I warn you about two critical zero day flaws in very popular software products. If you want to stay informed and get the latest security advice, watch the video below. You can also explore the Reference section for links to more stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 8:04)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Winter is Coming… But These Cyber Tips Can Help You Prepare

Last month, I shared a Help Net Security article I wrote combining two things I love; Information Security (InfoSec) and The Walking Dead. If you haven’t read that yet, feel free to check it out. This month, I continue my pop culture series by mashing up InfoSec with another admired book and TV series; Game of Thrones.

The fictional world of Westeros is an unforgiving land, where inhabitants must quickly learn to defend themselves if they have any hope of survival. Unfortunately, the Internet also seems to be evolving into a fairly dangerous landscape, where just visiting the wrong web site might infect your computer. Is there anything a network security professional can learn from the medieval warriors of Westeros?

That’s exactly what my latest article explores. If you’re interested in the Six InfoSec Tips I Learned from Game of Thrones, check out my article below, and join me for A Song of Ice and Firewalls:

If you enjoy the article, and want to share your own pop culture security tips, I’d love to hear from you! Unfortunately, Help Net Security doesn’t have commenting in their articles, but if you want to share some Game of Thrones tips of your own, please feel free to comment below. — Corey Nachreiner, CISSP (@SecAdept)

iOS Malware- WSWiR Episode 104

Apple Updates, Reappearing Backdoors, and iOS Malware

If you looking for a quick security news round up, subscribe to this weekly Infosec vlog. Today, I cover a number of Apple stories, from the latests patches to iOS malware; I warn about a supposedly fixed router backdoor that has re-appeared; and I talk about the trend of governments withholding zero day exploits. Watch the video below for the details, and check out the References for more information and news. Here’s a bonus security tip;  If you jump out a plane (like I did), take a parachute! Have a great weekend. (Episode Runtime: 7:38) Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Oracle CPU – WSWiR Episode 103

Oracle Patches, Heartbleed Update, and Cool Gaming Hacks

Information security has become a hot topic, with tens of new infosec articles and issues showing up each week. Perhaps you’re concerned with the latest security news, but don’t have to time to keep up with it among your other administrative tasks. If that sounds like you, check out my weekly infosec news video for a quick summary of the week’s most interesting stories.

Today’s episode is quite simple. I quickly cover Oracle’s April Critical Patch Update (CPU), share some interesting Heartbleed vulnerability updates, and end with a fun, gaming-related hack to cap off the week. Watch the video below, and browse the Reference section for links to more stories and details.

Have a great Easter weekend.

(Episode Runtime: 6:42)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

You Got Your Walking Dead in My Cyber Security

Keep Calm and Eat Pudding

Sometimes two things that don’t seem to go together, make the most magical combinations; things like peanut butter and chocolate, maple and bacon, and even Jon Snow and Ygritte. In hopes of adding to such delightful duos, I have started a new series of security articles trying to uncover another unexpected pairing—information security and pop culture.

What can popular movies, TV shows, books, or video games teach us about cyber security? Maybe nothing, maybe everything. In my new Help Net Security series, I plan to see if your favorite guilty pleasures can uncover any cyber security insights you’d never have expected. Join me for my first article at Help Net Security, where I share eight information security tips I learned from The Walking Dead (TWD).

By the way, if you like the article, or you love The Walking Dead, feel to share some TWD cyber security tips of your own? Come back here and add your own interesting infosec parallels to the comments section below. Feel free to draw parallels to other pop culture media too! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities

Microsoft’s March Patch Day is live, and looks to be by the numbers. As expected, they released five bulletins, including one that contains a fix for a zero day vulnerability in Internet Explorer. Their Patch Day summary highlights five security bulletins that fix 23 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, such as Silverlight. They rate two of these bulletins as Critical, and the rest as Important.

MS Patch Day: March 2014As I mentioned in my notification post, the most important update this month is the IE cumulative patch. Besides fixing 23 memory corruption flaws, many of which attackers could exploit to execute code, one specifically fixes a critical zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make sure to install the IE update on all your clients as soon as possible. Hopefully, you already have Automatic Updates set to do it for you. Of course, you should also install the Windows updates too, especially the DirectShow one. If an attacker can trick one of your users into viewing a malicious JPEG image, he could exploit it to gain control of that user’s computer, with their privileges. You don’t want that.

While we are talking about Windows updates, let me take this time to continue to remind you that these updates are among the last that Windows XP will receive. XP users will likely see a few more updates next month, but after than it goes End-of-Life. Hopefully, most of you are saying, “Why do I care? I’ve been using Windows 7 or above for years.” But for the stragglers out there, you might want to consider upgrading to a more recent version of Windows. While I don’t want to come off as promoting Microsofts “upgrade” sales message, I do believe XP will likely pose more risk once the official updates stop. It seems very likely that some cyber attacker (or nation-state groups) out there are sitting on a zero day XP exploit or two; saving them until after Microsoft’s fixes run out. You might want to get away from XP before that happens.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day. Meanwhile, check out the March  bulletin summary now, if you’d like an early peek. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: IE Fix Leads the List of Critical Updates

Today’s Microsoft Patch Day will probably be a bit busier than expected. It looks like Microsoft called a last minute audible, releasing seven security bulletins rather than the five I mention in last week’s security video. The good news is this last minute play change might help your security team win the game by providing your users with a more protected web browser.

Microsoft Patch Day: Feb, 2014

Microsoft Patch Day: Feb, 2014

February’s Patch Day summary highlights seven security bulletins that fix 32 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, and Forefront Protection for Exchange. They rate four of these bulletins as Critical, and the rest as Important.

This month, the most important updates are probably the most unexpected ones. Microsoft’s original advisory suggested they planned on releasing updates for Windows and one of their security products (which we now know is Forefront Protection), but they had not mentioned the IE or VBScript updates they released today. However, both these unexpected updates make great additions to this month’s Patch Day. The IE cumulative patch fixes 24 serious vulnerabilities, including one disclosed publicly; many of which attackers can leverage to execute code in drive-by download attacks. Though Microsoft hasn’t seen anyone exploiting these flaws in the wild yet, I expect attackers will surely reverse this update and start exploiting these flaws soon. The VBscript update is no slouch either, as it too fixes a code execution flaw. If bad guys can entice you to a web page with malicious code, they can use these flaws to”pwn” your computer.

Of course, you shouldn’t ignore the expected updates either. Two of them—the critical flaws in Direct2D and Forefront Protection for Exchange—also allow remote attackers to execute code on your systems. In short if you are a Microsoft administrator, you should apply today’s critical updates as soon as you can, and take care of the Important while you’re at it. In general, I recommend you test Microsoft updates before deploying them throughout your production network, especially server related updates that affect critical production servers. This is probably especially this month, for the two surprise updates. Since the IE and VBScript updates came out a bit earlier than expected, they may not have gone through as rigorous a QA process as usual. You might want to give them a whirl on non-production machines, or your virtual testing environment before sharing them with your users.

For more details on today’s Patch Day, check out the February bulletin summary now, or wait for our detailed, consolidated alerts which I’ll post on the blog through the day. — Corey Nachreiner, CISSP (@SecAdept).


Get every new post delivered to your Inbox.

Join 7,524 other followers

%d bloggers like this: