Tag Archives: Black Tuesday

Microsoft Black Tuesday: Patch Before the Holidays

If you’re anything like me, your late December schedule is quickly filling with holiday parties, family activities, and seasonal days off. This means if you want to secure your Microsoft environment before the end of the year, you better get started earlier rather than later.

Today, Microsoft released seven security bulletins fixing at least 11 vulnerabilities in many of their products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Word (part of Office)
  • Exchange Server

They rate five of the bulletins as Critical, and the rest as Important. For more details, check out their December bulletin summary, or wait for our detailed alerts.

If I were to pick the order you patched, I’d start with the Exchange update since you need to protect your public servers, follow with the IE patch since attackers like drive-by downloads, fix the Word flaw to avoid targeted phishing attacks, and end with the Windows updates in order of severity… but that’s just me.

In any case, you should download, test, and deploy Microsoft’s updates as soon as possible. If you don’t have time to test everything, at least take the time to test the Exchange update, as you don’t want your production email server suffering any downtime.

I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s December bulletin matrix below. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: December 2012

Microsoft Stuffs Our Stockings With Seven Security Updates

Before you get too much into holiday cheer, you have some patching to do.

Like clockwork, Microsoft released their Advanced Notification post on Thursday, warning the world that they will release seven security bulletins for December. Next Tuesday’s bulletins will fix flaws in Windows, Office, and some of Microsoft’s Server Software. They rate five of the seven bulletins as Critical. According to their MSRC blog post, the bulletins will fix 11 vulnerabilities overall, with the two most critical updates affecting Windows.

Before letting your IT staff drink too much spiked eggnog at the good ‘ole holiday party, you might want to prepare them for these upcoming Microsoft patches. That way they can download, test, and install them as soon as possible, especially the Critical ones.

I’ll release more details about next Tuesday’s updates on the 11th. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Critical Updates Affect Windows 8 and More

It’s Microsoft Patch Day and I have a question for you. How quick are you at applying software updates? Do you jump on them within the day, within a week, or are you months behind?

If you are one of the many who fall behind, know that patching is one of the practices that can most improve your security posture. I recommend you take this opportunity to improve your patching practices with a small challenge. Try to test and deploy all of today’s patches before Turkey Day (Thanksgiving, Nov. 22). That way you can enjoy a guilt-free feast, knowing your network is relatively safe and secure. If you accept this challenge, here’s what you are in for…

Today, Microsoft released six security bulletins fixing 19 vulnerabilities in many of their popular products, including:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Excel (part of Office)
  • .NET Framework
  • IIS Server

They rate four of the bulletins as Critical, one as Important, and one as Moderate. For more details, check out this November bulletin summary, or wait for our detailed alerts.

With so many critically rated issues, it’s hard to recommend a patch order. I would personally apply the IE update first, since attackers often exploit web browser issues in drive-by download attacks. Follow that with the Critical Windows updates, but don’t forget the Important Excel vulnerability. While this sort of document handling vulnerability requires a little user interaction to succeed, spear-phishers often leverage it in their email-based attacks. Whatever order you choose, I recommend you apply all of today’s updates as quickly as you can.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience. — Corey Nachreiner, CISSP (@SecAdept)

November Patch Day Light in Number, Heavy in Severity

Those hip to the patch cycle know the first Thursday of the month means an early peek at Microsoft’s plans for Patch Tuesday.

According to this Month’s Advanced Notification post, Microsoft will release six security bulletins next Tuesday, and rates four of those bulletins as Critical. According to their corresponding blog post, the six bulletins will fix 19 actual vulnerabilities. The affected products include Windows, Internet Explorer (IE), Office, and the .NET Framework.

It’s hard to say more about these updates without any other details. However, I can say it looks like a pretty important Patch Day. Though six bulletins sounds low compared to some previous Patch Days, at least 13 of the vulnerabilities are serious, and likely could result in remote code execution. I recommend you get your IT staff prepared to jump on these updates as soon as they come out.

I’ll release more details about next Tuesday’s updates on the 13th. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Office, Windows, and SQL Server Updates

Like clockwork, Microsoft’s Patch Tuesday has gone live. This month Microsoft seems to be focusing on Office and their Server Software, with the Windows updates posing only a moderate risk.

As promised, Microsoft released seven bulletins fixing vulnerabilities in several of their products. The affected software includes:

  • Word and the Word Viewer
  • Works 9
  • SQL Server
  • Windows (all current versions except Windows 8)
  • SharePoint Server
  • Communicator & Lync
  • InfoPath
  • Groove
  • FAST Search Server
  • Office Web Apps

They only rate the Word update as Critical, and the rest as Important. If you’d like more information about these bulletins before we release our detailed alerts, check out Microsoft’s summary post for October.

Usually, I tend to recommend you patch Windows (and related products like Internet Explorer) first, since all your users have them, and security flaws in popular products pose a high risk. However, in this case the Windows updates seem the least worrisome of the bunch. Today, I recommend you apply the Office and related Server Software updates first, the SQL Server update second, and save the Windows updates for last. Of course, I still recommend you test the updates before deploying them, especially the server ones.

We’ll share more details about Microsoft’s bulletins in three upcoming alerts, posted throughout the day. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

Seven Bulletins Planned for October Patch Tuesday

After a very light Patch Tuesday in September, Microsoft returns to more typical patch levels this month. According to their October advanced notification, Microsoft plans to release seven security bulletins next week, fixing around 20 vulnerabilities in some of their most popular products. The affected products include Windows, Office, SQL Server, Microsoft Server Software, and a few other products. Microsoft only rated one of the bulletins as Critical, and the rest as Important.

Despite the return to more typical patch numbers, next Tuesday’s Patch Day doesn’t appear too substantial. With only one Office update rated Critical, this upcoming Patch Day seems less severe than many we’ve had in the past. That said, remote attackers will probably be able to leverage that critical Office issue to execute code on your computer. So it’s still important that you download, test and deploy next week’s updates as quickly as you can.

Also, don’t forget Microsoft’s planned certificate handling update. As I mentioned in previous posts, Microsoft plans to push an update that forces Windows computers to only accept RSA certificates with keys of 1024 bits or higher. Be sure you’ve checked the certificates in your PKI infrastructure before next Tuesday.

I’ll release more details about Microsoft’s updates next week. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Light Patch Tuesday Brings Two XSS Fixes

As I mentioned in last week’s early warning, today’s Patch Day is extremely light with only two updates. According to their September bulletin summary, Microsoft has only released updates for Visual Studio Foundation Server and System Center Configuration Manager. Both updates fix cross-site scripting (XSS) vulnerabilities that Microsoft rates as Important.

If you have either of these products, you should apply today’s patches at your earliest convenience, despite their low severity. If you don’t use either of these products, you’re off the hook this month (whoohoo). However, don’t forget to check your certificate infrastructure to make sure you are using certificates with keys of at least 1024 bits by October.

Also, if you use any Cisco products, Microsoft also released a Cisco-related Security Advisory today. The advisory includes a roll-up patch that sets the kill bit for a few different Cisco ActiveX controls. This prevents the third-party controls from running in IE, due to vulnerabilities in them. Microsoft administrators should probably apply this update as well.

Finally, Adobe holds their Patch Day today. They only released one security bulletin for ColdFusion. The update fixes a denial of service (DoS) vulnerability in ColdFusion 10 and earlier, running on any platform. If you use ColdFusion, make sure to apply that patch, too.

I’ll release a more detailed alert about the Microsoft issues here shortly. — Corey Nachreiner, CISSP (@SecAdept)

September’s Patch Day Looks Tame (But Watch Out for October)

Yay! After months of relatively busy Microsoft Patch Days, we finally get a light one. This month, you can expect only two bulletins from Microsoft, and neither of them is Critical.

According to the September advanced notification post, Microsoft plans to release two security bulletins next Tuesday, affecting Visual FoxPro and Microsoft System Center Configuration Manager. Microsoft only rates the bulletins as Important.

While this month’s Patch Day looks like a breeze, you need to be aware of the upcoming Patch Day in October. According to a Microsoft Trustworthy Computing (TWC) blog post, October’s Patch Day will include a significant change in the way Microsoft software handles digital certificates. In a June Security Advisory, Microsoft released an optional update that forces Windows platforms to only use digital certificates with keys of 1024 bits or higher, thereby increasing the security strength of their PKI. They plan to push this update out to all customers in October.

During the time you save updating this month, I recommend you review your certificate infrastructure to ensure you are using certificates with 1024 bits or more. If you find any certificates that don’t qualify, you can reissue them before October. Otherwise, you may want to use Microsoft’s patch management software to block one of their October updates, and prevent any certificate problems.
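One way to carry out the certificate review recommended here (and in the October early-warning post above) on a Windows host: an added example, not from the original post, that walks the LocalMachine and CurrentUser certificate stores and lists any RSA certificate whose public key is shorter than 1024 bits. It assumes Windows PowerShell 5.1 and an elevated session for the LocalMachine store; the 1024-bit threshold matches the one the post describes.

```powershell
# Added example (not part of the original post): find RSA certificates with
# public keys shorter than 1024 bits in the local certificate stores.
$minBits = 1024
$stores  = 'Cert:\LocalMachine', 'Cert:\CurrentUser'

$weak = foreach ($store in $stores) {
    # -Recurse walks every logical store (My, Root, CA, ...); drop the containers.
    Get-ChildItem -Path $store -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $cert = $_
            # Only RSA keys are affected by the update; skip DSA/ECC certificates.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
            # PublicKey.Key is the AsymmetricAlgorithm view of the key (RSACryptoServiceProvider
            # on Windows PowerShell 5.1); KeySize is the modulus length in bits.
            $key = $cert.PublicKey.Key
            if ($key -and $key.KeySize -lt $minBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeySize    = $key.KeySize
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

if ($weak) {
    $weak | Sort-Object KeySize | Format-Table -AutoSize
} else {
    "No RSA certificates below $minBits bits found in: $($stores -join ', ')"
}
```

Certificates that appear in the output are candidates for reissue before the October update; the Issuer column shows whether the weak key belongs to a leaf certificate or to a CA in your chain, which matters because a weak CA key invalidates everything it signed.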

Despite the light September Patch Day, I still recommend you download and install any patches that apply to you. I’ll know more about Microsoft’s updates on Tuesday the 11th, and will post detailed information about them here. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Patch Critical IE, RDP, and RAP Vulnerabilities

It’s that time of the month again… By which I mean, time for Microsoft administrators to download, test, and deploy a bunch of Microsoft security patches.

This morning, Microsoft posted their security bulletins for August. You can find a condensed version of their bulletins in the August bulletin summary.

By the numbers, today’s Patch Day looks similar to the last month, with exactly nine security bulletins. However, this time Microsoft rates five of the bulletins as critical, and overall today’s updates fix some pretty serious issues.

The affected products include:

  • Internet Explorer (IE)
  • Windows
  • Office
  • SQL Server
  • Microsoft Developer Tools
  • Microsoft Server Software
  • Exchange Server

With so many Critical issues, it’s hard to say which you should handle first. In this case, I’d just follow the order presented in Microsoft’s summary post. Of course, remember to test the updates before deploying them in production environments — especially the server related updates.

I mainly post this early announcement to give you a heads-up that the MS updates are ready, so you can get an early start to patching if you like. However, I’ll release more details about these issues, and how to fix them, as the day progresses. So stay tuned for more. — Corey Nachreiner, CISSP (@SecAdept)

Expect a Microsoft and Adobe Patch Bonanza Next Tuesday

Microsoft and Adobe plan a tag team assault on computer administrators and users next Tuesday, when they intend to release a pile of Critical security updates. If you manage Windows PCs, you use at least two of the vulnerable products, and likely many more. So I recommend you gear up for a day of software updates next week.

Let’s start with Microsoft’s Patch Day.

According to their August Advanced Notification, Microsoft intends to post nine security bulletins on August 14, five of which they rate as Critical. The updates fix vulnerabilities in Windows, Internet Explorer, Office, SQL Server, Exchange, and a few other products (see the image on the right for the full list).

Microsoft hasn’t shared the details about these flaws with the public yet, but it is safe to say you should apply the Critical updates as soon as possible — especially the server related ones. Critical vulnerabilities tend to allow remote attackers to gain full control of your computer, which is bad, to say the least.

Also, during last week’s WatchGuard Security Week in Review episode I mentioned an unpatched vulnerability in Microsoft Exchange, related to its use of Oracle’s Outside In technology. I’d guess next Tuesday’s Exchange patch will probably fix this vulnerability. In short, if you manage a Windows network, prepare your team for a busy day of patching next week.

But that’s not all folks…

Adobe also likes to share Microsoft’s Black Tuesday, and has announced their upcoming patch day as well. Their post warns that they plan to release Adobe Reader and Acrobat X updates to fix vulnerabilities that affect both Windows and Macintosh platforms. They haven’t shared any details about the vulnerabilities in question yet, but I’m pretty sure I can accurately predict the general gist of their upcoming advisory. I’m pretty sure it will come down to, “if you open a specially crafted PDF document, attackers can leverage some flaw to execute code on your system with your privileges.”

Since most computer users (Mac and PC users alike) install Reader, these issues will probably affect many people. Furthermore, attackers have been leveraging flaws in PDF documents in many of their spear phishing attacks lately, since many users still consider these documents as benign. If you use these popular Adobe products, plan to patch post haste.

I’ll know more about these bulletins on Tuesday, and will publish alerts about them here. — Corey Nachreiner, CISSP
