Tag Archives: Black Tuesday

Microsoft Black Tuesday: Windows, IE, Lync, and .NET Patches

As you may know, today was Microsoft Patch Day. If you manage a Windows-based network, it’s time to get the latest updates.

According to Microsoft’s summary post, the Redmond-based software company released four security bulletins fixing 41 vulnerabilities in many of their popular products. The affected software includes, Windows, Internet Explorer (IE), Lync Server, and the .NET Framework. Microsoft rates the IE update as Critical, and the rest as Important.

As you might guess from the severity ratings, the IE update is the most important. It fixes over 37 security flaws in the popular browser, many of which attackers could use in drive-by download attacks (where just visiting a web site results in malware on your computer). Furthermore, one of the fixes closes a zero day vulnerability that attackers have exploited in the wild. If you use IE, I recommend you apply its update as quickly as your can. You should also install the other updates as well, however, their mitigating factors lessen their risk, so you can install them at your convenience.

In summary, if you use any of the affected products, download, test, and deploy these updates as quickly as you can or let Windows’ Automatic Update do it for you. For the server related updates, I highly recommend you test them before installing them on production servers, as Microsoft has released a few problem causing updates recently. You can find more information about these bulletins and updates in Microsoft’s September Summary advisory.

Also note today is Adobe’s Patch Day as well, and they released one security update fixing 12 vulnerabilities in Flash Player. If you use Flash, you should update it quickly. Adobe also pre-announced a Reader update earlier this month. However, it appears they have had to delay the update for some reason.

I’ll share more details about today’s patches on the blog throughout the day. However, I am traveling internationally, so the updates may not arrive as regularly as usual. If you are in a hurry to patch, I recommend you visit the links above, and start now.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Word 0day Fix & More

Microsoft’s monthly Patch Day went live earlier today. As expected they released four security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Office. Microsoft rates two of the bulletins as critical, one that fixes Word vulnerabilities (including a zero day one I warned about earlier) and another that fixes IE flaws.

If you use the affected Microsoft products, you should apply these patches as soon as you can. I’d apply the updates in the order Microsoft recommends; the Word update first, the IE one second, and the Windows and Publisher updates last.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day.  However, I am currently traveling in Asia, so my blog posts may be late due to timezone issues and travel. So I recommend you check out the April bulletin summary in the meantime, if you’d like an early peek. Also, keep in mind that Adobe released a Flash update today as well. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities

Microsoft’s March Patch Day is live, and looks to be by the numbers. As expected, they released five bulletins, including one that contains a fix for a zero day vulnerability in Internet Explorer. Their Patch Day summary highlights five security bulletins that fix 23 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, such as Silverlight. They rate two of these bulletins as Critical, and the rest as Important.

MS Patch Day: March 2014As I mentioned in my notification post, the most important update this month is the IE cumulative patch. Besides fixing 23 memory corruption flaws, many of which attackers could exploit to execute code, one specifically fixes a critical zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make sure to install the IE update on all your clients as soon as possible. Hopefully, you already have Automatic Updates set to do it for you. Of course, you should also install the Windows updates too, especially the DirectShow one. If an attacker can trick one of your users into viewing a malicious JPEG image, he could exploit it to gain control of that user’s computer, with their privileges. You don’t want that.

While we are talking about Windows updates, let me take this time to continue to remind you that these updates are among the last that Windows XP will receive. XP users will likely see a few more updates next month, but after than it goes End-of-Life. Hopefully, most of you are saying, “Why do I care? I’ve been using Windows 7 or above for years.” But for the stragglers out there, you might want to consider upgrading to a more recent version of Windows. While I don’t want to come off as promoting Microsofts “upgrade” sales message, I do believe XP will likely pose more risk once the official updates stop. It seems very likely that some cyber attacker (or nation-state groups) out there are sitting on a zero day XP exploit or two; saving them until after Microsoft’s fixes run out. You might want to get away from XP before that happens.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day. Meanwhile, check out the March  bulletin summary now, if you’d like an early peek. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: IE Fix Leads the List of Critical Updates

Today’s Microsoft Patch Day will probably be a bit busier than expected. It looks like Microsoft called a last minute audible, releasing seven security bulletins rather than the five I mention in last week’s security video. The good news is this last minute play change might help your security team win the game by providing your users with a more protected web browser.

Microsoft Patch Day: Feb, 2014

Microsoft Patch Day: Feb, 2014

February’s Patch Day summary highlights seven security bulletins that fix 32 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, and Forefront Protection for Exchange. They rate four of these bulletins as Critical, and the rest as Important.

This month, the most important updates are probably the most unexpected ones. Microsoft’s original advisory suggested they planned on releasing updates for Windows and one of their security products (which we now know is Forefront Protection), but they had not mentioned the IE or VBScript updates they released today. However, both these unexpected updates make great additions to this month’s Patch Day. The IE cumulative patch fixes 24 serious vulnerabilities, including one disclosed publicly; many of which attackers can leverage to execute code in drive-by download attacks. Though Microsoft hasn’t seen anyone exploiting these flaws in the wild yet, I expect attackers will surely reverse this update and start exploiting these flaws soon. The VBscript update is no slouch either, as it too fixes a code execution flaw. If bad guys can entice you to a web page with malicious code, they can use these flaws to”pwn” your computer.

Of course, you shouldn’t ignore the expected updates either. Two of them—the critical flaws in Direct2D and Forefront Protection for Exchange—also allow remote attackers to execute code on your systems. In short if you are a Microsoft administrator, you should apply today’s critical updates as soon as you can, and take care of the Important while you’re at it. In general, I recommend you test Microsoft updates before deploying them throughout your production network, especially server related updates that affect critical production servers. This is probably especially this month, for the two surprise updates. Since the IE and VBScript updates came out a bit earlier than expected, they may not have gone through as rigorous a QA process as usual. You might want to give them a whirl on non-production machines, or your virtual testing environment before sharing them with your users.

For more details on today’s Patch Day, check out the February bulletin summary now, or wait for our detailed, consolidated alerts which I’ll post on the blog through the day. — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Install the IE Update First

If you follow the blog, you’re surely aware that today’s Microsoft Patch Day; and it’s an especially important one. Though it doesn’t set any records, Microsoft has released an update to fix a fairly significant, zero day Internet Explorer (IE) vulnerability, which many attackers have exploited in the wild for the past few weeks. If you can only apply one patch today, I recommend the IE one.

In their summary post, Microsoft shares details about eight security bulletins that fix 27 vulnerabilities in many of their popular products. They rate half the bulletins as Critical, and the other half as Important. Here’s the breakdown of affected products:

  • Internet Explorer (IE) [10 issues fixed]
  • Windows and its components [12 issues fixed]
  • Office products [5 issues fixed]
    • SharePoint Server
    • Word
    • Excel

If you use any of these products, you should update as soon as possible. As mentioned earlier, I recommend you install the IE update first; and try to get to it as quickly as you can. Though Microsoft previously released a FixIt for this issue (which I hope you’re running), it’s better to be safe than sorry. That said, don’t discount the other Critical updates. In general, I recommend you download, test and deploy all of Microsofts patches as soon as you can. For more details on today’s Patch Day, check out the October bulletin summary, or wait for our detailed alerts.

On the subject of patching, today is also Adobe patch day too. They’ve released updates to fix Reader, Acrobat, and Robohelp. I’d also recommend you install those updates (the Reader one likely affects most people) as soon as you can. You can learn more about Adobe’s updates on their security page, but I’ll release an alert about them later today.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day Fixes 0day and Warning for Adobe Users

Download, test, patch, and repeat. That should be the mantra for Microsoft administrators every month.

By now, you’re likely quite used to Microsoft’s regular monthly patch cycle, so you’re already expecting next week’s updates. However, this month’s updates are especially important, since one fixes a fairly prevalent zero day flaw that attackers are exploiting in the wild. According to their advanced notification, Microsoft plans on releasing eight security bulletins next Tuesday to fix vulnerabilities in Windows, Internet Explorer (IE), Office, and the .NET and SilverLight frameworks. They rate half the bulletins as Critical, and the other half as Important.

This would all sound like business as usually for Microsoft Patch Day, except that one of the Critical updates fixes the very serious zero day IE flaw, which I warned you about a few weeks ago. Since that initial warning, more and more attackers have started exploiting this vulnerability. Worse yet, researchers have released a Metasploit exploit for the flaw, which means anyone can try it out. I expect every smart network attacker to start incorporating this flaw into their exploit kits, if they haven’t already. You should get this IE update as soon as it’s available next week.

Also, don’t forget that Adobe now shares Microsoft’s Patch Tuesday, and they too will release updates next week. According to a pre-notification post, they plan on releasing an Adobe Reader and Acrobat update on the 8th.

While I’m talking about Adobe, if you’re an Adobe customer, it’s time to change your user credentials on their site. Today, Adobe released an important announcement informing their customers that their network has been breached. Attackers made off with 2.9 million customer records, including email addresses and encrypted credit card numbers. They plan on emailing affected customers, so be sure to change your password if you get this email. As an aside, the attackers also seem to have acquired some Adobe source code. For more information on this attack, I recommend you read Brian Krebs’ blog post.

So to summarize:

  • Microsoft administrators should get ready for next Tuesday’s important Patch Day. Install the IE update first,
  • If you use Adobe product, get ready for the Reader updates too,
  • And if you have credentials on Adobe’s site, change them immediately.

I’ll share more details about all these updates next Tuesday. So stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: Sept. 2013

Microsoft Black Tuesday: The Largest Patch Day of 2013 (So Far)

Today’s Patch Day is the largest so far for 2013, with Microsoft releasing 13 security bulletins. While it doesn’t break any records (that Patch Day was probably the 17 bulletin one in April 2011), it’s still nothing to sneeze at. Here’s today’s patch break down.

Microsoft’s 13 bulletins fix around 47 security vulnerabilities affecting the following products:

  • Internet Explorer (IE)
  • Windows
  • many Office products
    • SharePoint Server
    • Outlook
    • Word
    • Excel
    • Access
    • FrontPage

Microsoft rates four of the bulletins as Critical, and the remaining ones Important. The impacts of these flaws range from remote code execution, elevation of privileges, information disclosure, and denial of service (DoS). For more details, check out the September bulletin summary, or wait for our detailed alerts.

At first glance, you might think the Critical Outlook bulletin is the most severe, and the first you should fix. I mean… gaining control of a user’s system simply by getting them to open an email sounds pretty horrible. However, Microsoft believes that this flaw is technically pretty difficult to exploit.

On the flip side, you might be less worried about the SharePoint issues, since you’d assume most organizations put SharePoint servers behind firewalls. Yet, as it turns out, many organizations provide public access to their SharePoint services allowing external employees easy access; some even disable authentication. My point being, I would apply the SharePoint patches first, assuming you manage SharePoint servers, but would still consider the Outlook update a close second (and don’t forget the Critical IE and Windows updates either).

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: Sept. 2013

Microsoft Patch Tuesday: Critical Fixes for Exchange, IE, and Windows

It’s that time again… Microsoft Patch Day. Sometimes following Microsoft’s regular patch cycle can feel a lot like the movie, Groundhog Day. Yet—also like the movie—it’s well worth repeating regularly to make sure that you get it right.

According to their summary post, Microsoft released eight security bulletins today, three of which they rate as Critical. The bulletins include updates to fix at least 22 vulnerabilities in three popular Microsoft products, Windows, Internet Explorer (IE), and Exchange Server. Though attackers aren’t exploiting these issues in the wild yet, researchers have publicly disclosed a few of them, which makes them a bit more likely to be targeted.

In my opinion, you should apply the IE update first, as it fixes 11 serious vulnerabilities, many of which attackers could leverage in drive-by download attacks. Right now, booby-trapped web sites are one of the most common infection vectors. For that reason, I recommend you apply web browser updates, like this IE one, as quickly as possible. The Exchange update is a close second, as it also fixes a remotely exploitable flaw that could allow attackers to gain access to your Exchange server simply by tricking one of your users into previewing a specially crafted document. Finish up with the Windows updates, beginning with the Critical one.

As always, I still recommend you test Microsoft patches before deploying them to your critical production servers. While it might be okay to push client software updates without testing them, you should test server updates, like today’s Exchange one, before deploying them in order to avoid unexpected downtime. If you don’t already have a test environment that mimics your production environment, virtualization is a great way to create one.

I’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: August 2013

Follow

Get every new post delivered to your Inbox.

Join 7,680 other followers

%d bloggers like this: