Qualys Community


Problem with OpenSSL Patches of September 22, 2016

Today, OpenSSL released an update advising of a problem with the patches that were released last week, on September 22.

The first offending patch was for CVE-2016-6309, and it could result in a crash or even execution of attacker-supplied code, resulting in compromise of the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. As a result, OpenSSL 1.1.0 users should upgrade to 1.1.0b.

The second offending patch was for CVE-2016-7052, and if the patch is installed, it could allow attackers to cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. As a result, OpenSSL 1.0.2i users should upgrade to 1.0.2j.

Patch Tuesday September 2016 Video Highlights


In one of the larger Patch Tuesdays in some time, Microsoft today released 14 security bulletins for desktop OSes, server OSes, browsers, Silverlight, SMBv1, Exchange Server and more. Watch this video to learn how security teams should prioritize patching based on the new bulletins.

Adobe September 2016 Security Update

Today Adobe released three security updates that patch Adobe Flash, AIR and Adobe Digital Editions. Top priority goes to the Adobe Flash bulletin APSB16-29, which fixes a whopping 29 vulnerabilities. This update applies to the Windows, Macintosh, Linux and ChromeOS platforms.


Large Microsoft Patch Tuesday Update for September 2016

It’s September 2016 Patch Tuesday, and Microsoft has released 14 security bulletins that affect a host of components, including desktop operating systems, servers, browsers, Exchange Server, Silverlight, SMBv1 and several others. It’s a large update that will keep desktop as well as server administrators busy. Seven updates are rated as critical, while the other seven are rated as important. One 0-day vulnerability, CVE-2016-3352, which was publicly disclosed earlier, is also patched in the MS16-110 bulletin.


Equation Group Hack: Cisco ASA and FortiGate Vulnerabilities


By now you must have heard about the Equation Group hack, the Shadow Brokers, the NSA ANT catalog and an entire gamut of related information. Here I will update on what we have confirmed and how it affects your patching effort.


Microsoft Patch Tuesday August 2016

It’s August 2016 Patch Tuesday, and Microsoft has released nine security bulletins that affect a host of components, including desktop operating systems, browsers, fonts and servers. Five updates are rated as critical, while four are rated as important.


Oracle July 2016 Critical Patch Update

Today Oracle released its July Critical Patch Update, fixing 276 security issues across hundreds of Oracle products. On average in 2015, Oracle fixed about 161 vulnerabilities per update, and the number was 128 in 2014. That makes today’s update the largest so far, and here is a breakdown of the vulnerabilities. Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need for any credentials. The table lists components ordered by the number of issues, and the description below has the details. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories.


CGI application vulnerability httpoxy for PHP, Go, Python and others


A CGI application vulnerability called httpoxy was announced today, with coordinated disclosure from many vendors. The vulnerability allows a remote attacker to set the HTTP_PROXY environment variable on affected servers, which can lead to a number of bad consequences.
