Qualys Blog

Microsoft February Patch Tuesday Cliffhanger and Adobe Fix for Flash

UPDATE: Microsoft has announced that all updates will be delivered in the March 14 patch cycle.

As covered in our January blog, today Microsoft was supposed to scrap the existing system, in which users received a bulletin like MS17-001, in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. But as per Microsoft’s blog, February’s Patch Tuesday has been delayed because Microsoft discovered a last-minute issue that could impact some customers and could not resolve it in time for the planned update. This comes on the heels of the announcement that individual patches will no longer be available, as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability, for example, then fixes for all kernel or related vulnerabilities cannot be released, as they are bundled together. A zero-day SMB vulnerability was expected to be patched today, and as of this writing there is no official statement on the new release date.

On the Adobe front, three security updates were released, and the most important one is APSB17-04 for Flash, which affects Windows, Mac, Linux and ChromeOS. If left unpatched, this allows attackers to take complete control of the system. An attacker would host malicious Flash content, and the vulnerability would trigger when the victim views the content.


Oracle January 2017 CPU Fixes 270 Vulnerabilities

Oracle kicked off the New Year with its first installment of the quarterly CPU (Critical Patch Update) for 2017. The update contains fixes for 270 security issues across a wide range of products. The graph below shows the distribution of the update. More than 100 of the fixed vulnerabilities could be exploited by a remote attacker without requiring any credentials. Most of the remote vulnerabilities could be exploited over the HTTP protocol.


January 2017 Patch Tuesday Video Highlights

Adobe started 2017 with the release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.

Adobe Security Update for January: Flash and Acrobat Fixed

Adobe started 2017 with the release of two security bulletins – one for Flash and the other for Acrobat and Reader. Since Flash vulnerabilities have a high potential of being weaponized in exploit kits, organizations should apply both updates as soon as possible. A total of 13 vulnerabilities were fixed in the Flash update, while 29 were fixed in the Acrobat and Reader update. If unpatched, flaws in both bulletins can potentially allow attackers to take complete control of the affected system.


Microsoft Starts 2017 with Record Low Security Updates

Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities, which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system, where users get a document each month, in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.


2016 Year-End Summary for Adobe and Another 0-day Fix in December

Adobe released nine security bulletins today in the December Security updates. The most notable update was APSB16-39 for Flash, which fixed a 0-day vulnerability with exploits in the wild that is being used in targeted attacks. Adobe products including Flash and Acrobat PDF reader have long been targeted by exploit kits. In addition to the 0-day (CVE-2016-7892), 17 other vulnerabilities were fixed in Flash. This update addresses critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Other updates included in today’s release fixed ColdFusion (APSB16-44), RoboHelp (APSB16-46), Adobe Digital Editions (APSB16-45), InDesign (APSB16-43), Experience Manager (APSB16-42), DNG Converter (APSB16-41) and Animate (APSB16-38).


Microsoft Ends 2016 with 15% Increase in Bulletin Volume

Happy December! In this last Patch Tuesday installment for 2016, Microsoft released 12 security bulletins, which brings the 2016 yearly count to 155. This is about 15% higher than last year. Across the more than 3 billion scans that Qualys performs each year, we saw an increase of about 20% in the total number of Microsoft vulnerabilities detected. This increase can be attributed both to an increase in the volume of scanning and to the 15% increase in the number of Microsoft bulletins. But the year is not over and I will come up with the normalized number after the year ends.


November 2016 Patch Tuesday Video Highlights

Today Microsoft fixed two zero-day vulnerabilities and released a total of 6 critical and 8 important updates, which are covered in this video highlight. It also covers the Adobe security updates released today.

Adobe Releases Flash Player and Adobe Connect Vulnerability Fix

Adobe released APSB16-37 today, which is an update to its Flash Player. APSB16-37 fixes nine privately disclosed vulnerabilities. The Flash Player runtime for Windows, Mac, Linux and Chrome OS, as well as browsers like Microsoft Edge and Google Chrome, is affected. This patch comes two weeks after an emergency release on October 26 which fixed an actively attacked Flash Player issue.


Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server

Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched the 0-day vulnerability CVE-2016-7255 in MS16-135, which was being actively attacked and was disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited, it should be the top priority for organizations. An OpenType font vulnerability, CVE-2016-7256, was also flagged by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before patches were available were fixed. These three issues are in the IE and Edge browsers and were fixed in MS16-142 and MS16-129 respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge). There is no indication yet that these three previously disclosed issues are being actively exploited.
