Qualys Community

439 posts

Patch Tuesday February 2016

We are back to normal numbers on Patch Tuesday. After a light start with nine bulletins in January we are getting 12 bulletins (five critical) in February, which is in line with the average count for last year: 12.25/month:

Continue reading …

Newest Java Addresses Binary Planting Vulnerability

Oracle published a new version of Java 8, 7 and 6 to address a vulnerability in the installer. CVE-2016-0603 addresses a flaw where the attacker would seed the system with malicious DLLs that the installer would use instead of the DLLs included in the package itself. This type of vulnerability is generally known as binary planting.

As Oracle points out existing installations are not at risk. New installations should use the latest fixed packages to address the case where an end user might have visited a malicious site which could have prepared the machine for the attack by downloading altered versions of one of the DLLs involved. Fixed versions of Java are 6 update 113, 7 update 97 and 8 update 73.


What is the Apex Predator Doing to Get Your Information?

This week at the USENIX Enigma 2016 Security conference the final talk was given by Rob Joyce, Chief of the NSA’s Tailored Access Operations (TAO). TAO is the offensive unit of the NSA that got much coverage following the public disclosure of internal NSA documents by Edward Snowden, with some of their arsenal of exploitation tools documented.

Continue reading …

Oracle Critical Patch Update January 2016

Oracle has published their Critical Patch Update (CPU) for January 2016. The Oracle CPU is quarterly and addresses the flaws in large Oracle’s product line, including their core product the relational database, but also in a large number of acquisitions like Solaris, MySQL, Java and many of the end-user products, such as JDEdwards ERP, Peoplesoft and CRM.

Continue reading …

Update: Patch Tuesday January 2016

Update: Kaspersky who is credited with finding MS16-006,the critical Silverlight vulnerability just published their story on how the bug was found. Very interesting, has to do with the Hacking Team breach and coding "standards" – take a look at their blog post for more info. They also made clear that this vulnerability is under attack in the wild and that we are looking at a true 0-day here. This changes our priorities – we now put MS16-006 at the top of our list. Take a look at your installations, see if you have Silverlight installed and address the flaw as soon as possible.

Original: The first Patch Tuesday of 2016 turns out to be low in numbers, but broad and packing quite a punch: six of the nine bulletins are rated critical, including the Windows Kernel and Office bulletins. In addition some rather important products are going End-of-Life and get their last patch update today. Microsoft is retiring support for all older browsers on each platform and will from here on only maintain the newest browser on each version of the OS.

Continue reading …

Update: Last Adobe 0-day Patched for the Year

Update: Qualys QID is 124421: Adobe Flash Player and AIR Security Update (APSB16-01).

Original: Adobe issued today their last update for 2015 for its Flash player. It addresses nineteen vulnerabilities and was released out of band because one of them (CVE-2015-8651) is under attack in the wild. At this point attacks are limited to special targets. The update is numbered APSB16-01, not APSB15-33 as expected, most likely because it is basically the planned January 2016 update, anticipated due to the circumstances.

As with all 0-days fixes this one deserves special attention and a quick turnaround.

Patch Tuesday December 2015

There we are: the last Patch Tuesday of 2015. It turns out to be about average, with maybe a bit more severity in the bulletins than usually. We have eight critical bulletins in the total 12, including one that fixes a 0-day vulnerability, currently in use by attackers to escalate privileges in Windows. 0-days used to be very rare occasions, but this year they have become almost mainstream. After all the year started off with a string of 0-days in Adobe Flash and since then we have seen almost every month a patch for a vulnerability that is already under attack. Definitely a sign of the increasing technical capabilities that attackers are wielding and a reminder that IT Managers should not only patch their systems promptly, but also look for additional robustness. Your list of things to look at in 2016 should include investigation of minimal software installs with the least features enabled, plus an additional piece software such as EMET that enhances robustness.

Continue reading …