Qualys Community

Oracle July 2016 Critical Patch Update

Today Oracle released its July Critical Patch Update, fixing 276 security issues across hundreds of Oracle products. For comparison, Oracle fixed about 161 vulnerabilities per update on average in 2015 and 128 in 2014, which makes today's update the largest to date; here is a breakdown of the vulnerabilities. Of the 276 vulnerabilities, 159 can be exploited remotely without authentication, i.e. over the network without any credentials. The table lists the affected components ordered by number of issues, and the description below gives the details. Since most organizations have separate teams patching databases, networking components, operating systems, application servers and ERP systems, I have broken the massive update down into those categories.

CGI application vulnerability httpoxy for PHP, Go, Python and others

httpoxy

A CGI application vulnerability called httpoxy was announced today with coordinated disclosure from many vendors. The vulnerability allows a remote attacker to set the HTTP_PROXY environment variable of a CGI (or CGI-like) application simply by sending a Proxy request header: the CGI specification maps every incoming request header to an HTTP_-prefixed environment variable, so "Proxy: ..." becomes HTTP_PROXY. Any HTTP client library in the application that honours HTTP_PROXY for outgoing requests will then route that traffic through an attacker-chosen proxy, which can lead to a number of bad consequences, from man-in-the-middle of backend calls to denial of service.
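The mechanism above, as an added example that is not part of the original post or of any of the affected projects: a model of the CGI header-to-environment mapping that turns a constructed Proxy header into HTTP_PROXY, a model of a client library's proxy discovery before and after the fix, and the two mitigations (strip the header at the web server, and ignore HTTP_PROXY when REQUEST_METHOD shows the process is serving a CGI request). The request headers and hostnames are made up for the demonstration.

```python
"""Added example: how httpoxy turns a client-supplied ``Proxy`` request header
into the HTTP_PROXY environment variable under the CGI meta-variable rule
(RFC 3875 section 4.1.18), and two ways to block it. The request headers below
are constructed for the demonstration; no real server is involved."""


def cgi_environ(headers):
    """Model the CGI header-to-environment mapping: each request header
    becomes HTTP_<NAME>, uppercased, with '-' replaced by '_'. This is the
    step that lets 'Proxy: ...' become HTTP_PROXY."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_environ_hardened(headers):
    """Mitigation 1 (server side): drop the Proxy header before the mapping.
    In practice this is done in the web server or reverse proxy, e.g. with
    Apache's mod_headers directive 'RequestHeader unset Proxy early'; the
    filter here is the Python equivalent."""
    return cgi_environ({k: v for k, v in headers.items()
                        if k.lower() != "proxy"})


def resolve_proxy(env, ignore_in_cgi):
    """Model of an HTTP client library's proxy discovery.

    With ignore_in_cgi=False it trusts HTTP_PROXY unconditionally, which is
    the pre-httpoxy behaviour. With ignore_in_cgi=True it refuses HTTP_PROXY
    whenever REQUEST_METHOD is present, i.e. whenever the process is serving
    a CGI request (mitigation 2, the fix adopted by e.g. Python's urllib).
    The lowercase http_proxy variable cannot be produced from request headers
    (CGI only generates uppercase names) and is still honoured."""
    if env.get("http_proxy"):
        return env["http_proxy"]
    if ignore_in_cgi and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def is_httpoxy_attempt(headers):
    """Detection: any request carrying a Proxy header is suspicious, since no
    browser or standard client sends one."""
    return any(k.lower() == "proxy" for k in headers)


# Constructed attacker request: the only unusual thing is the Proxy header.
ATTACK_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.49.0",
    "Proxy": "http://attacker.example:8080",
}


def demo():
    """Return (unpatched result, result with header stripped, result with
    client-side fix): the proxy each configuration would send traffic to."""
    naive_env = dict(cgi_environ(ATTACK_HEADERS), REQUEST_METHOD="GET")
    unpatched = resolve_proxy(naive_env, ignore_in_cgi=False)
    hardened_env = dict(cgi_environ_hardened(ATTACK_HEADERS), REQUEST_METHOD="GET")
    header_stripped = resolve_proxy(hardened_env, ignore_in_cgi=False)
    client_fixed = resolve_proxy(naive_env, ignore_in_cgi=True)
    return unpatched, header_stripped, client_fixed


if __name__ == "__main__":
    unpatched, header_stripped, client_fixed = demo()
    print("unpatched:       outbound requests go via", unpatched)
    print("header stripped:", header_stripped)
    print("client fixed:   ", client_fixed)
    print("request flagged:", is_httpoxy_attempt(ATTACK_HEADERS))
```

Both mitigations are worth applying: stripping the header protects every CGI application behind the server at once, while the client-side check covers code paths that receive the variable by other means and leaves a legitimately configured lowercase http_proxy working.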

Patch Tuesday July 2016: Microsoft and Adobe

It's July 2016 Patch Tuesday, and Microsoft has released 11 security updates affecting a host of desktop and server systems. Six updates are rated Critical; the rest are rated Important.

Most of the critical updates released today affect desktop systems. Top priority should go to the browsers and Office: MS16-084 for Internet Explorer, MS16-085 for Microsoft Edge and MS16-088 for Office. All three fix vulnerabilities that allow an attacker to take complete control of the victim's machine, so they should be patched immediately.

Patch Tuesday June 2016

It is Patch Tuesday June 2016, and Microsoft has released 16 bulletins fixing over 40 distinct vulnerabilities (CVEs). That brings the half-year total to 81 bulletins, which projects to over 160 for 2016, a new record for the last decade.

Update: Patch Tuesday May 2016

Update: Adobe has released the Adobe Flash patch that addresses the current 0-day CVE-2016-4117 in APSB16-15. It also fixes another 24 vulnerabilities, most of them rated critical. Patch as quickly as possible. Chrome and Internet Explorer 11/Edge users will get their patches from Google and Microsoft automatically.

Original: Today is the second Tuesday of the month, when both Microsoft and Adobe publish security updates for their products, the so-called Patch Tuesday.

But before we get into the details of their updates for the month (17 in all), let's reiterate the urgency of another vulnerability that might have slipped by you. The popular open source program ImageMagick is currently under active attack on the Internet. Vulnerability CVE-2016-3714 (called ImageTragick in the associated vulnerability branding campaign) allows remote code execution (RCE) through crafted image uploads. At the moment no patch is available, but a workaround has been published that neutralizes the current attacks. We recommend doing the same thing the attackers are doing: scan your infrastructure for instances of ImageMagick, then apply the workaround in the policy.xml file. I did this immediately on my sites, even though I use ImageMagick only from the command line for thumbnail creation. By the way, the workaround has become more complete over the last two weeks, so it is worth taking another look even if you have already applied it.
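Since the workaround has grown over time, a quick way to verify that every host carries the complete version is to parse each policy.xml and compare it against the published list. The checker below is an added example, not code from the original post or from the ImageMagick project; it embeds a constructed bare policy and the published hardened policy in-line and, when run on a real host, reads the policy files matched by the hypothetical glob in `scan_host`.

```python
"""Added example: check ImageMagick policy.xml files for the ImageTragick
(CVE-2016-3714) workaround. DEFAULT_POLICY and PARTIAL_POLICY are constructed
for the demonstration; HARDENED_POLICY is the published workaround, including
the later 'path' rule that blocks indirect reads via "@file" arguments."""
import glob
import xml.etree.ElementTree as ET

# Coders the workaround disables ...
REQUIRED_CODER_BLOCKS = {
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
}
# ... plus the path rule added as the workaround became more complete.
REQUIRED_PATH_BLOCKS = {"@*"}

# Constructed: a policy.xml that only sets a resource limit (no mitigation).
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# The published workaround.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

# Constructed: the early form of the workaround, before the path rule existed.
PARTIAL_POLICY = HARDENED_POLICY.replace(
    '  <policy domain="path" rights="none" pattern="@*" />\n', "")


def blocked_patterns(policy_xml, domain):
    """Return the patterns that a policy.xml denies (rights="none") for the
    given domain ("coder" or "path"). Coder names are compared uppercased."""
    root = ET.fromstring(policy_xml)
    found = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == domain and policy.get("rights") == "none":
            pattern = policy.get("pattern", "")
            found.add(pattern.upper() if domain == "coder" else pattern)
    return found


def missing_mitigations(policy_xml):
    """List the parts of the workaround that a policy.xml does not contain.
    An empty list means the full published workaround is in place."""
    missing = REQUIRED_CODER_BLOCKS - blocked_patterns(policy_xml, "coder")
    missing |= {"path:" + p
                for p in REQUIRED_PATH_BLOCKS - blocked_patterns(policy_xml, "path")}
    return sorted(missing)


def scan_host(pattern="/etc/ImageMagick*/policy.xml"):
    """Check every policy file on this host; the glob is an assumed default
    and may need adjusting for your distribution. Returns {path: missing}."""
    results = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            results[path] = missing_mitigations(fh.read())
    return results


if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY),
                          ("partial", PARTIAL_POLICY),
                          ("hardened", HARDENED_POLICY)):
        print(f"{label:9s} missing: {missing_mitigations(policy)}")
    for path, missing in scan_host().items():
        print(f"{path}: {'OK' if not missing else missing}")
```

Note that policy.xml restricts which coders ImageMagick will use; it does not fix the underlying delegate filtering, so the vendor patch should still be applied once it is available.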

Oracle Critical Patch Update April 2016

This week Oracle released its quarterly Critical Patch Update (CPU) for April 2016. The CPU addresses 136 vulnerabilities in 49 products, including Java, Solaris, several middleware products, VirtualBox, the MySQL database and Oracle Database itself.