Adobe released APSB16-36 today to fix one 0-day vulnerability in Flash. The vulnerability is currently being used in active attacks, which is why Adobe released this emergency fix. If left unpatched, attackers can remotely take complete control of the machine. The vulnerability (CVE-2016-7855) is triggered when the victim views malicious Adobe Flash content. Innocent users usually end up viewing malicious Flash content by clicking on bad links from e-mails, blogs, bulletin boards and other sources.
Oracle released another massive patch update today which fixed 253 security flaws across hundreds of Oracle products. This year we have seen the updates getting bigger, compared to an average of 161 vulnerabilities in 2015 and 128 vulnerabilities in 2014. Many components fixed in today’s release are remotely exploitable. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories. With the exception of Java there are no consumer products, and administrators should focus on their individual patching domains.
Today Microsoft started rolling out a new way to patch systems, and this video highlight covers the new patching mechanism, five 0-day vulnerabilities patched by today’s update as well as Adobe vulnerabilities that were fixed.
Adobe released three security advisories today fixing 84 security issues in total. This is a big number, but the silver lining is that none of the patches released today were for 0-day vulnerabilities. All vulnerabilities were privately reported to Adobe and so far none seem to have been exploited before the release of their respective patch.
APSB16-32 patches 12 vulnerabilities in Flash Player and gets a priority rating of 1. Flash has been targeted by exploit kits like Rig, Neutrino and Angler, and we agree that it should be patched as soon as possible. If left unpatched, these vulnerabilities have the potential to allow attackers to take control of the affected system. They affect the Windows, Mac and Linux runtimes as well as Flash Player for Internet Explorer, Edge and Chrome.
Today Microsoft started rolling out a new way to patch systems, and I explain the different components which are included and their timeline:
- Patch Tuesday (second Tuesday of every month, or B week): two main components will be released on Patch Tuesday:
  - A security-only update: a single update containing all new security fixes for that month. It will be released on Windows Server Update Services (WSUS), where it can be consumed by other tools like ConfigMgr, and on the Windows Update Catalog. This package will NOT be available for consumer PCs, which get updated via Windows Update.
  - A security monthly rollup: a single update containing all new security fixes for that month (the same as the security-only update) as well as fixes from all previous monthly rollups. This will be available for consumer PCs, which get updated via Windows Update.
- Third Tuesday of every month (C week): a monthly rollup containing a preview of the new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups. This is provided so users can test their systems before next month’s release. It will be available on WSUS, Windows Update and the Windows Update Catalog.
Internet Explorer updates are included in both the security-only update and the monthly security rollup. .NET will follow a similar formula of monthly rollup and security-only updates.
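As an added illustration (not code from the original post), the schedule and channel rules above expressed as a small Python model: it computes the B-week and C-week Tuesdays for a month, lists which package reaches which channel, and shows the security-relevant difference that the security-only package is not cumulative, so a skipped month leaves a gap that the monthly rollup would not.

```python
import calendar
from datetime import date

# Release channels named in the post.
WSUS, CATALOG, WINDOWS_UPDATE = "WSUS", "Windows Update Catalog", "Windows Update"

# Which package is published on which channel, per the post's description.
CHANNELS = {
    "security-only": {WSUS, CATALOG},  # never pushed to consumer PCs via Windows Update
    "security monthly rollup": {WSUS, CATALOG, WINDOWS_UPDATE},
    "preview rollup": {WSUS, CATALOG, WINDOWS_UPDATE},
}


def nth_tuesday(year, month, n):
    """Date of the n-th Tuesday of a month (n=2 is Patch Tuesday / B week, n=3 is C week)."""
    first_weekday = date(year, month, 1).weekday()  # Monday == 0, Tuesday == 1
    offset = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + offset + 7 * (n - 1))


def release_schedule(year, month):
    """Map each package to its (release date, set of channels) for one month."""
    b_week = nth_tuesday(year, month, 2)
    c_week = nth_tuesday(year, month, 3)
    return {
        "security-only": (b_week, CHANNELS["security-only"]),
        "security monthly rollup": (b_week, CHANNELS["security monthly rollup"]),
        "preview rollup": (c_week, CHANNELS["preview rollup"]),
    }


def packages_for(channel, year, month):
    """Packages a machine fed from the given channel will see this month, with dates."""
    return sorted(
        (pkg, when) for pkg, (when, chans) in release_schedule(year, month).items() if channel in chans
    )


def fixes_covered(package, months_installed, all_months):
    """Months whose security fixes a machine holds after installing `package` for `months_installed`.

    Months are "YYYY-MM" strings (constructed labels for this example). The security-only
    package carries only its own month, so coverage equals exactly what was installed; the
    monthly rollup is cumulative, so the latest installed rollup covers every earlier month.
    """
    if package == "security-only":
        return set(months_installed)
    latest = max(months_installed)
    return {m for m in all_months if m <= latest}
```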
Today, OpenSSL released an update advising of problems with the patches that were released last week on September 22.
The first offending patch was for CVE-2016-6309, and it could result in a crash or even execution of attacker-supplied code, resulting in compromise of the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. As a result, OpenSSL 1.1.0 users should upgrade to 1.1.0b.
The second offending patch was for CVE-2016-7052, and if the patch is installed, it could allow attackers to cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. As a result OpenSSL 1.0.2i users should upgrade to 1.0.2j.
It’s September 2016 Patch Tuesday, and Microsoft has released 14 security bulletins that affect a host of components including desktop operating systems, servers, browsers, Exchange Server, Silverlight, SMBv1 and several others. It’s a large update that will keep desktop as well as server administrators busy. Seven updates are rated as critical, while the other seven are rated as important. One 0-day vulnerability, CVE-2016-3352, which was publicly disclosed earlier, is also patched in the MS16-110 bulletin.
By now you must have heard about the Equation Group hack, Shadow Brokers, the NSA ANT catalog and an entire gamut of related information. Here I will give an update on what we have confirmed and how it affects your patching effort.