Tag Archives: Black Tuesday

Microsoft Black Tuesday: The Largest Patch Day of 2013 (So Far)

Today’s Patch Day is the largest so far for 2013, with Microsoft releasing 13 security bulletins. While it doesn’t break any records (that Patch Day was probably the 17 bulletin one in April 2011), it’s still nothing to sneeze at. Here’s today’s patch break down.

Microsoft’s 13 bulletins fix around 47 security vulnerabilities affecting the following products:

  • Internet Explorer (IE)
  • Windows
  • many Office products
    • SharePoint Server
    • Outlook
    • Word
    • Excel
    • Access
    • FrontPage

Microsoft rates four of the bulletins as Critical, and the remaining ones Important. The impacts of these flaws range from remote code execution, elevation of privileges, information disclosure, and denial of service (DoS). For more details, check out the September bulletin summary, or wait for our detailed alerts.

At first glance, you might think the Critical Outlook bulletin is the most severe, and the first you should fix. I mean… gaining control of a user’s system simply by getting them to open an email sounds pretty horrible. However, Microsoft believes that this flaw is technically pretty difficult to exploit.

On the flip side, you might be less worried about the SharePoint issues, since you’d assume most organizations put SharePoint servers behind firewalls. Yet, as it turns out, many organizations provide public access to their SharePoint services allowing external employees easy access; some even disable authentication. My point being, I would apply the SharePoint patches first, assuming you manage SharePoint servers, but would still consider the Outlook update a close second (and don’t forget the Critical IE and Windows updates either).

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: Sept. 2013

Microsoft Patch Tuesday: Critical Fixes for Exchange, IE, and Windows

It’s that time again… Microsoft Patch Day. Sometimes following Microsoft’s regular patch cycle can feel a lot like the movie, Groundhog Day. Yet—also like the movie—it’s well worth repeating regularly to make sure that you get it right.

According to their summary post, Microsoft released eight security bulletins today, three of which they rate as Critical. The bulletins include updates to fix at least 22 vulnerabilities in three popular Microsoft products, Windows, Internet Explorer (IE), and Exchange Server. Though attackers aren’t exploiting these issues in the wild yet, researchers have publicly disclosed a few of them, which makes them a bit more likely to be targeted.

In my opinion, you should apply the IE update first, as it fixes 11 serious vulnerabilities, many of which attackers could leverage in drive-by download attacks. Right now, booby-trapped web sites are one of the most common infection vectors. For that reason, I recommend you apply web browser updates, like this IE one, as quickly as possible. The Exchange update is a close second, as it also fixes a remotely exploitable flaw that could allow attackers to gain access to your Exchange server simply by tricking one of your users into previewing a specially crafted document. Finish up with the Windows updates, beginning with the Critical one.

As always, I still recommend you test Microsoft patches before deploying them to your critical production servers. While it might be okay to push client software updates without testing them, you should test server updates, like today’s Exchange one, before deploying them in order to avoid unexpected downtime. If you don’t already have a test environment that mimics your production environment, virtualization is a great way to create one.

I’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: August 2013

Microsoft Black Tuesday: Patch Windows Kernel-mode Driver and .NET First

Microsoft’s July Patch Day is live and ready for download, so go grab those updates. I recommend you work on the Windows Kernel-mode driver and .NET one’s first.

According to their summary post, Microsoft released seven security bulletins today, six of which they rate as Critical. The bulletins include updates to fix 36 vulnerabilities in many popular Microsoft products, including Windows, Internet Explorer (IE), Office, the .NET Framework, Silverlight, and Defender. Attackers are exploiting at least one of these flaws in the wild.

I always recommend you apply Microsoft’s Critical updates as soon as possible, but there are two in particular that you should jump on immediately. The first fixes vulnerabilities in Windows’ kernel-mode driver (MS13-053), which was disclosed awhile ago by a Google researcher. The researcher has already released proof of concept (PoC) code for this flaw, and Microsoft is aware of attackers leveraging it in targeted attacks. Next, you should also apply Microsoft’s .NET Framework and Silverlight patch quickly, since at least two of its flaws were disclosed in detail before today’s updates came out.

That’s not to say you should lax-off on the other updates. I think the IE patch is pretty important too; as are any updates Microsoft rates Critical. So I’d recommend you apply all six of the Critical updates today if you can. Of course, I still recommend you test Microsoft’s updates in a non-production  environment before pushing them to any critical production server. It may be ok to quickly patch client machines without testing, but you don’t want any surprises with your critical servers.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

Summary of July 2013 Microsoft Updates

Summary of July 2013 Microsoft Updates

Microsoft Black Tuesday: Big IE Update Trumps Windows & Office Patches

If you manage Windows networks, you know what time it is… time for Microsoft’s monthly list of security updates.

Microsoft Patch day has gone live, and you can find a listing of today’s security bulletins in their June Patch Day summary page. As expected, they released five security bulletins, one for Internet Explorer (IE), three for Windows and its components, and one for Office. They only rate the IE bulletin as Critical.

I recommend you focus most your attention to the IE update. It corrects 19 vulnerabilities—the bulk of today’s flaw—and most of them could allow remote attackers to gain control of your users’ computers via drive-by download attacks. You should definitely patch it first. That said, the Windows and Office updates are still important. Even though the Windows flaws require local access, and the Office flaw requires a bit of user interaction, they still pose some risk. So patch them too, just start with IE.

We’ll share more details about Microsoft’s bulletins in three upcoming alerts, posted throughout the day. Stay tuned.  — Corey Nachreiner, CISSP (@SecAdept)MS Patch Day June 2013

Next Week’s Patch Tuesday Focuses on IE

I’m sure you’re used to the Microsoft Patch drill by now, so let’s jump right in…

According to their advanced notification post, Microsoft plans to release five security bulletins next Tuesday, which is a rather small number compared to Patch Days of recent past. Their notice warns that the bulletins will include security updates for Windows, Office, and Internet Explorer (IE), and will fix a total of 23 vulnerabilities. The IE patch alone  fixes 19 of those 23 issues, and it’s the only update Microsoft rates as Critical (the rest are rated Important).

Based on past experience, I’d bet that the majority of the IE fixes correct memory related vulnerabilities that attackers could leverage in drive-by download attacks.So when Patch Day comes around next week, I recommend you get your IT staff to put precedence on the IE update, then take care of the other four.

As an aside, there is no word whether or not Microsoft’s upcoming Windows updates will fix the zero day kernel-mode driver vulnerability that I mentioned the Google researcher disclosed last week. I’ll let you know once I know this flaw is patched and I’ll share more details about Patch Day next Tuesday.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates; with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Remote Desktop and IE Updates Top April’s Patch Day List

Unless you’re new to IT, you’re probably aware that todaythe second Tuesday of the monthis Microsoft Patch Day.

As expected, Microsoft released nine security bulletins today, fixing 13 vulnerabilities across products like Internet Explorer (IE), Windows and its components, Sharepoint Server, and a few other Office server products. The worst two, Critical-rated updates fix security problems in IE and the Remote Desktop Client (RDC) that ships with Windows (specifically, its ActiveX control). The vulnerabilities in both these products could help remote attackers launch drive-by download attacks. If an attacker can get your IE or RDC users to visit a specially crafted web site (or a legitimate, hijacked web site), they could leverage these flaws to execute arbitrary code with those users’ privileges. You should download, test, and apply these Critical updates as soon as you can, or let Windows’ automatic updater do it for you.

As an aside, some experts had expected today’s IE update to fix some publicly disclosed vulnerabilities from the recent Pwn2Own contest at a Canadian security conference. In their IE alert, Microsoft credits two Google security researchers for discovering the flaws they fixed today. However, the Pwn2Own IE 10 flaws were disclosed by different researchers from VUPEN. So it appears the Pwn2Own IE flaws are still open issues.

Microsoft also released seven other updates, which they rate as Important. While not as serious as the ones mentioned above, they all fix some relatively risky issues too. In general, I recommend you always install all of Microsoft’s monthly patches as quickly as you can. That said, be sure to at least try and test the server updates before deploying them to your production network.

I’ll post more detailed alerts about these security bulletins as the day progresses. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Kicks Off Spring with Nine Security Bulletins

The advanced notification results are in, and it’s looking good for Patch Day.

Next Tuesday, Microsoft will release nine security bulletins, two of which the Redmond-based software company rates as Critical. The bulletins will fix flaws in Windows, Internet Explorer (IE), Office, and some of Microsoft’s server and security software. As usual, they haven’t shared many details yet, but some experts expect the critical IE update to fix the zero day vulnerabilities disclosed at CanSecWest’s recent Pwn2Own contest. Either way, I expect the IE flaws to pose the greatest risk to most users, so you should plan on applying that patch as quickly as possible.

While nine bulletins may sound like a lot, it’s pretty average for Patch Day lately. Nonetheless, you should prepare your IT staff for a busy day of testing and patching next Tuesday. We’ll know more about these bulletins next week, and will publish alerts about them here. — Corey Nachreiner, CISSP (@SecAdept)

Screen Shot 2013-04-04 at 10.01.09 PM

Microsoft Black Tuesday: Security Flaws in a Menagerie of Products

Though today’s Patch Day might seem pretty average as far as the number of security bulletins released, it does cover a rather eclectic range of Microsoft products. In fact, a few of the updates affect Mac users as well, and one is even exclusive to Mac.

During today’s Patch Day, Microsoft released seven security bulletins fixing  20 vulnerabilities in the following products:

  •  Windows (all versions)
  • Internet Explorer (IE)
  • Office Suite updates
    • Visio Viewer 2010
    • SharePoint Server 2010
    • OneNote 2010
    • Office Outlook for Mac
  • Silverlight 5 (For PC and Mac)

They rate four of the bulletins as Critical, and three as Important. Many of the Critical issues can allow remote attackers to execute code on affected systems. So we highly recommend you patch them quickly.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s March bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Leprechaun Leaves a Pot Full of Patches

We’re coming upon that time of the month again for Microsoft administrators; patch time.

According to the latest Advanced Notification page, our Microsoft friends plan on releasing seven security bulletins next Tuesday. The bulletins will including updates to fix security vulnerabilities in Windows, Office, Internet Explorer (IE), Silverlight, and some of their Server Software. They rate more than half (4/7) of the bulletins as Critical, which typically means remote attackers can likely exploit them to gain control of vulnerable computers.

MS Notification 3/13At this point you’re probably quite familiar with the monthly update routine, and know you should prepare your IT team for Patch Day so that they can apply Microsoft’s fixes as soon as possible; especially the Critical ones.

As always, I highly recommend you take some extra time to test the updates before applying them. Lately, there have been a few more reported incidents of Microsoft patches causing issues. You should at least take the time to test the server related updates before deploying them to production machines.

I’ll know more about these bulletins next Tuesday, and will publish alerts about them then.

In an unrelated aside, some business travel has delay production of my weekly security news video. For those waiting, it will come out today, but it may be later in the afternoon. — Corey Nachreiner, CISSP


Get every new post delivered to your Inbox.

Join 8,088 other followers

%d bloggers like this: