Category: The Laws of Vulnerabilities

February 2019 Patch Tuesday – 74 Vulns, 20 Critical, Exchange 0-day, Adobe Vulns

Posted by Jimmy Graham in The Laws of Vulnerabilities on February 12, 2019

This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, Coldfusion, and Creative Cloud.

No Comments
Permalink
Tags: 0 day, adobe, flash, microsoft, Patch Tuesday, security, vulnerabilities

January 2019 Patch Tuesday – 47 Vulns, 7 Critical, Adobe Vulns

Posted by Jimmy Graham in The Laws of Vulnerabilities on January 8, 2019

This month’s Patch Tuesday is medium in size, with 47 vulns covered and only 7 labeled as Critical. Twenty-six of the vulns apply to Windows Servers and Workstation operating systems. Two of the Criticals apply to Hyper-V and could lead to RCE on the host system. Microsoft also issued and out-of-band patch in December for Internet Explorer 9 through 11 due to active attacks in the wild. Last week, Adobe also released out-of-band patches for Acrobat and Reader covering two Critical vulns.

1 Comment
Permalink
Tags: adobe, microsoft, patch, Patch Tuesday, vulnerabilities, vulnerability management

December 2018 Patch Tuesday – 39 Vulns, Workstation Patches, Adobe Vulns

Posted by Animesh Jain in The Laws of Vulnerabilities on December 11, 2018

This month’s Patch Tuesday addresses 39 vulnerabilities, with 9 of them labeled as Critical. Out of the Criticals, most are browser-related, with the rest including Windows, and .net Framework. A Privilege Escalation vulnerability exists in Windows kernel which has been exploited in wild. Adobe also patched 9 Critical and Important vulnerabilities this month for Adobe Acrobat and Reader.

On the basis of volume and severity this Patch Tuesday is light in weight.

Workstation Patches

Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Out of the 9 vulnerabilities, 6 can be exploited through browsers.

Active Attacks on Win32k Privilege Escalation

Microsoft has reported that there are active attacks detected against CVE-2018-8611. Microsoft has ranked this patch as Important. It is important to prioritize Windows kernel patching.

Adobe Patches and Mitigations

Adobe released nine patches for Acrobat/Reader, with 6 rated as critical and 3 as important. In early December, Adobe also released out-of-band patches for Adobe Flash. CVE-2018-15982 is rated as critical and has been exploited in wild. CVE-2018-15983 is labeled as important.

November 2018 Patch Tuesday – 62 Vulns, TFTP Server RCE, Adobe PoC

Posted by Jimmy Graham in The Laws of Vulnerabilities on November 13, 2018

This month’s Patch Tuesday addresses 62 vulnerabilities, with 12 of them labeled as Critical. Out of the Criticals, 8 are for the Chakra Scripting Engine used by Microsoft Edge. A Remote Code Execution vulnerability in Windows Deployment Services’ TFTP server is also addressed in this release. Adobe also patched three Important vulnerabilities this month, although there is a PoC exploit available for Adobe Acrobat and Reader.

No Comments
Permalink
Tags: adobe, microsoft, patch, Patch Tuesday, security, vulnerabilities, vulnerability management

October 2018 Patch Tuesday – 49 Vulns, Critical browser patches, Hyper-V, Adobe vulns

Posted by Animesh Jain in The Laws of Vulnerabilities on October 9, 2018

In this month’s Patch Tuesday release there are 49 vulnerabilities patched with 12 Criticals. Out of the criticals, over half are browser-related, with the rest including Hyper-V and MSXML Parser. Microsoft Exchange covers CVE-2010-3190 which was not identified as in-scope product when originally published, per Microsoft. Microsoft Office covers 9 Important CVEs including Sharepoint and Graphics component.

No Comments
Permalink
Tags: adobe, microsoft, Patch Tuesday, security, vulnerabilities, vulnerability management

September 2018 Patch Tuesday – 61 Vulns, FragmentSmack, Hyper-V Escape

Posted by Jimmy Graham in The Laws of Vulnerabilities on September 11, 2018

In this month’s Patch Tuesday release there are 61 vulnerabilities patched with 17 Criticals. Out of the criticals, most are browser-related, with the rest including Windows, Hyper-V, and .net Framework. A vulnerability (CVE-2018-8475) in Windows’ image parsing has been publicly disclosed, in addition to a vulnerability (CVE-2018-8457) in the Scripting Engine.

No Comments
Permalink
Tags: adobe, flash, microsoft, patch, Patch Tuesday, security, vulnerabilities, vulnerability management

August Patch Tuesday – 63 Vulns, L1TF (Foreshadow), Exchange, SQL, Active Attacks on IE flaw

Posted by Jimmy Graham in The Laws of Vulnerabilities on August 14, 2018

In this month’s Patch Tuesday release there are 63 vulnerabilities patched with 20 Criticals. Out of the criticals, over half are browser-related, with the rest including Windows, SQL, and Exchange. Active exploits have been detected against CVE-2018-8373, one of the scripting engine vulnerabilities.

No Comments
Permalink
Tags: adobe, microsoft, Patch Tuesday, security, vulnerabilities, vulnerability management

July Patch Tuesday – Critical browser patches, Lazy FP, Exchange, Adobe vulns

Posted by Jimmy Graham in The Laws of Vulnerabilities on July 10, 2018

This month’s Patch Tuesday is medium in weight, with 54 CVEs containing 17 Criticals. All but two of the Critical vulnerabilities are in Microsoft’s browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple product each with multiple CVEs.

No Comments
Permalink
Tags: adobe, microsoft, oracle, patch, Patch Tuesday, security, vulnerabilities

June Patch Tuesday – New Speculative Store Bypass Fixes, Adobe Vulns

Posted by Jimmy Graham in The Laws of Vulnerabilities on June 12, 2018

June’s Patch Tuesday is lighter weight compared to previous months. In all, 51 unique CVEs are addressed, with 11 CVEs marked as Critical. Adobe also released an out-of-band update for a Flash Player vulnerability last week, which is being actively exploited.

No Comments
Permalink
Tags: adobe, microsoft, patch, Patch Tuesday, security, vulnerabilities

May 2018 Patch Tuesday – Medium Weight, However One Active Exploit Needs Attention

Posted by Gill Langston in The Laws of Vulnerabilities on May 8, 2018

This May’s Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers. In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical. 32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay attention to as well.