Sixteen fixes for browsers should be prioritized.
Microsoft released 53 security patches for July, including 18 listed as Critical, 33 as Important, one rated as Moderate, and one considered Low in priority. According to researchers at SANS, three of these vulnerabilities have already been disclosed, but no exploits have been seen yet. The releases impact Internet Explorer (IE), Edge, ChakraCore, Windows, .NET Framework, ASP.NET, PowerShell, Visual Studio, and Microsoft Office and Office Services. Here are highlights from this month’s release with the information you need to prioritize your patching efforts.
16 Browser Vulnerabilities
Of the more pressing concerns this month, Qualys director of product management Jimmy Graham says admins should focus on the 16 common vulnerabilities and exposures (CVEs) covering browsers.
Microsoft released 50 updates during its monthly Patch Tuesday release. Eleven are rated critical remote code execution vulnerabilities and 39 are listed as important. The most critical patches impact Microsoft OS and Internet Explorer, and deploying the fixes for these vulnerabilities is recommended immediately. Also of note: one of the vulnerabilities, a remote code execution flaw (CVE-2018-8267) in the scripting engine, is listed as being publicly known, but not under active attack, at this time. Here are highlights from this month’s release with the information you need to prioritize your patching efforts.
Most Critical Patches
Analysis from researchers on this month’s release advises Windows admins to prioritize CVE-2018-8225, a remote code execution vulnerability that occurs when the Windows Domain Name System (DNS) component DNSAPI.dll fails to handle DNS responses properly.
Two zero-day exploits need attention now, say analysts.
Microsoft patched 68 vulnerabilities in its monthly Patch Tuesday release, including two zero-day exploits. Of the patches, 21 are listed as critical, 45 rated important and two listed low in severity. Updates this month affect several products including Microsoft Windows, Internet Explorer, Edge, Office and Exchange Server. Obviously, the priority for deployment goes to those under active attack. That includes CVE-2018-8174, a Windows VBScript Engine Remote Code Execution Vulnerability. The flaw was discovered and reported by Kaspersky Lab researchers and impacts IE and other projects that embed the IE web rendering engine. “This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used — further increasing an already huge attack surface,” according to Anton Ivanov, security researcher at Kaspersky, in an email to Ars Technica. “We urge organizations and private users to install recent patches immediately, as it won’t be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors but also by standard cybercriminals.” The other bug to prioritize is CVE-2018-8120, a vulnerability in older Windows OS versions …
Close to 70 vulnerabilities addressed in this month’s Patch Tuesday update from Microsoft
Microsoft patched 67 different vulnerabilities in its monthly Patch Tuesday release. Of the common vulnerabilities and exposures (CVEs), 24 are considered Critical, 42 are rated Important, and one is characterized as Moderate in severity. There are no zero-day patches this month. Affected products include: Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Adobe Flash Player, Microsoft Malware Protection Engine, Microsoft Visual Studio, and the Microsoft Azure IoT SDK. Adobe also patched 6 vulnerabilities in Adobe Flash. The details on the releases can be found on the Microsoft site. While there were no zero-day releases, Microsoft had already released urgent fixes in the weeks leading up to Tuesday, including one that addresses an exploit that was created in an attempt to correct earlier patch issues related to the Meltdown chip vulnerability. Across industry blogs on this month’s patches, researchers noted several of the updates deserved attention. Also notable is Microsoft’s disclosure of a publicly known SharePoint elevation of privilege bug (CVE-2018-1034). “There is one public disclosure this month in SharePoint Server. The challenging aspect of this month is that there are enough …
AMD Chips Now Cleared for Updating
Microsoft has now prepared a fixed update that won’t BSOD computers running the AMD chip set and thus has begun to rerelease the update. If you were impacted by the AMD BSOD, hopefully you have a second computer handy as you need to download KB4073290 from the Microsoft catalog site and then … well I’m honestly not sure what you can do if the machine in question has a BSOD and won’t boot. The only way I’m aware of to install a patch on an un-bootable machine is to use the DISM commands at a boot prompt to install the update. You would type in Dism /Add-Package /PackagePath: [/IgnoreCheck] [/PreventPending] and insert the location where you downloaded the windows10.0-kb4073290-x64_5119daced3c80d539e79cf52a5fb5bc9cea61eb8.msu. I honestly think it’s easier and safer to perform a system refresh whereby Windows 10 reinstalls the operating system but does not damage any data files. I’d honestly recommend that you download and create a Windows 10 bootable image flash drive so that should something happen — for any reason — you have the tools at hand to take care of your machine. I would suggest going to this link, and create a Windows installation …
Beware, AMD chip owners.
For you Windows Secrets readers who have computers with AMD inside, these Spectre/Meltdown patches are causing more issues than they are preventing. So much so that Microsoft has halted release of the updates on machines that have AMD chipsets. Some of the relevant security posts include the following:
Microsoft’s KB4073707 on the issues with AMD chip sets and how Microsoft is blocking the patches until the issue is resolved.
Microsoft’s KB4073757 recapping the overall guidance.
Let’s recap the big picture: Intel CPU chips have a bug in their very architecture. Researchers found a way for attackers to possibly steal passwords and other confidential information from our machines. As of publication, the attack has not been used in the wild. However, the potential is there and it’s really concerning up in cloud servers as it could mean that fellow virtual servers could read information from a tenant next door. It won’t be enough to patch for the Windows operating system; you’ll need to patch the firmware on your computer as well. It’s not a Microsoft bug, but because everything uses CPUs, pretty much everything needs to be patched ranging from phones to firewalls. So after you get your …
We’re starting off 2018 with a bang — a big patching bang. All supported versions of Windows are getting an emergency patch to fix flaws in Intel CPU chips that could lead to attackers gaining more information about your systems including passwords and other confidential information. You’ll have read about this — the press have already labeled the flaws as the Meltdown and Spectre bugs. As Microsoft said in “ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities”:
Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems including Intel, AMD, and ARM. Note: this issue will affect other systems such as Android, Chrome, iOS, MacOS, so we advise customers to seek out guidance from those vendors. Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are …
For those running the Windows 10, version 1709 release, it appears that the unusual use of AMD in the naming of the updates has been fixed and they are now listed again as X64 in the naming. It also appears that the Feature update deferral bug has been fixed as noted in the MSpoweruser site, but I’ve not seen authoritative release notes posted to know whether the issue was fixed on Microsoft’s side or if it was fixed in the November patch of KB4051963. But you can now safely defer feature updates without impacting security updates as well.
What to do: Be assured that version 1709 now properly defers feature updates.
Adobe Released Updates to Flash Player
For Windows 10 and 8.1, expect to see KB4053577 that should be installed as soon as possible. For Windows 7 machines, if you have Flash installed, expect to see a standalone update offered from Adobe Flash addressing this Adobe issue.
What to do: Check your Flash and expect an update for Windows 7 machines.
Got an HP? Got a keylogger?
I’m still tracking issues with the Windows 10, version 1709 release, and thus I’m not ready to install it to my office systems, nor on my home systems. Some small business admins had 1709 installed on systems where they thought they had pushed off the update for several months. Microsoft acknowledged that the 1703 version may receive the 1709 feature update when you are not expecting it. They promised to fix the issue in an upcoming update. I personally think the issue is that selecting to defer the feature update in the GUI is not “sticking.” If you use the local group policy to push off the feature update, that seems to be sticking. Finally, on November 30, the 1709 release received the fix for remote printing and RDP whereby certain PDF printers would cause RDP to crash upon launch. As noted in the forums it is now fixed in KB4051963, but not listed in the documentation notes.
What to do: I’m still recommending to push off the 1709 update at this time, but I’m getting closer to recommending its install.
Dot Matrix Printer Fixes
Microsoft inconvenienced dot matrix printer owners with several November updates. Fortunately, they’ve already released fixes. For …
Office has long been a means by which attackers get into our systems. Every month Office is patched for remote code execution attacks. Microsoft patches what vulnerabilities it can. Take the November Office updates that fixed issues with older obsolete components in Office 2016 that impacted ODBC drivers. But as pointed out in this research blog post, mitigation in addition to patching is probably wise. The view that mitigation may be better than patching is reinforced with the disclosure of another Office vulnerability that won’t be patched. It can’t be patched, as it impacts functionality of your system. You have to make the determination of how much at risk you want to be. Called DDEAuto, the attack allows the execution of malicious code in an email without the use of attachments or macros. These macro-less attacks have been used in malware campaigns such as Vortex ransomware and Hancitor. In the example noted in the Sophos blog, an attack can come in the form of a calendar invite instead of an email. The attachment is in the form of an RTF – or rich text format – and …