This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, Coldfusion, and Creative Cloud.
Days ago, a mysterious online group called Shadow Brokers claimed to have stolen US “cyber weapons” from a hacking team called Equation Group. These “cyber weapons” contain about a dozen vulnerabilities which are believed to be exploits used by the National Security Agency (NSA). In this blog, I will analyze the shellcode from the Cisco exploit and show its behind-the-scenes behavior.
It is Patch Tuesday June 2016, and Microsoft is coming out with 16 bulletins fixing over 40 distinct vulnerabilities (CVEs). That brings the half-year total to 81, which projects to over 160 bulletins for 2016, a new record in terms of patches for the last decade.
Update: Qualys QID is 124421: Adobe Flash Player and AIR Security Update (APSB16-01).
Original: Adobe issued today their last update for 2015 for its Flash player. It addresses nineteen vulnerabilities and was released out of band because one of them (CVE-2015-8651) is under attack in the wild. At this point attacks are limited to special targets. The update is numbered APSB16-01, not APSB15-33 as expected, most likely because it is basically the planned January 2016 update, anticipated due to the circumstances.
As with all 0-day fixes, this one deserves special attention and a quick turnaround.
Just three days after Trend Micro notified Adobe of a 0-day vulnerability in its Flash Player, Adobe addressed the flaw with a patch. APSB15-27 provides fixes for three vulnerabilities, and one of them, CVE-2015-7645, is currently being used in attacks in the wild. You should apply the update as quickly as possible, as we expect the exploit to show up in exploit kits soon, which will greatly increase the number of attacked machines.
Hello to Patch Tuesday September 2015: We are ¾ through the year and have broken the 100 bulletin mark with this month's 12 additions. We are now projecting over 145 bulletins by the end of the year, a bit higher than our initial projection from May, when we said we would be seeing just over 140 bulletins this year.
Today Microsoft addressed a 0-day vulnerability in Internet Explorer in an out-of-band update described in MS15-093. The vulnerability, CVE-2015-2502, is actively being exploited in the wild. The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected. Attackers use a number of mechanisms to increase their target reach and lure users to the webpage, including:
It is Windows 10's first Patch Tuesday, and 40% of the August bulletins for generic Windows apply to the newest version of the operating system: Windows 10. In addition there is an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer, that addresses three critical vulnerabilities. Windows 10 fares a bit better than Windows 8, which had 60% in its first two months, where three out of five bulletins were applicable. From a security perspective Windows 10 brings much improvement, and we are curious to see how the acceptance of Windows 10 will play out, especially comparing the enterprise side and consumer side. On the enterprise level we think Virtual Secure Mode, which takes credential hashes out of the Windows kernel, is the biggest advance, while for the consumer it is the new patching schedule, which basically keeps Windows always updated with the latest updates.
Update: HP clarified that the vulnerabilities apply only to Internet Explorer Mobile for the Windows phone.
Original: HP’s Zero Day Initiative (ZDI) just published four critical 0-day vulnerabilities in Internet Explorer: ZDI-15-359, 360, 361 and 362. All of them can result in Remote Code Execution. Microsoft exceeded the 120-day fix deadline that ZDI enforces on such vulnerability disclosures.
It is unlikely that exploit code exists at the moment, and it would be difficult to reverse engineer the vulnerabilities, as details are sparse. There is not much you can do at the moment, except refrain from using Internet Explorer. Stay tuned for updates.
Update2: Microsoft released a critical bulletin MS15-078 for a font problem that affects all versions of Windows and allows Remote Code Execution. Microsoft credits Google’s Project Zero, FireEye and Trend Micro. Trend Micro indicates that the vulnerability came out of the HackingTeam data breach. Google’s entry for the bug indicates that they are aware of exploit code available in the wild, which explains Microsoft’s out-of-band release. Patch as quickly as possible.
Update: Oracle’s CPU July 2015 fixes the 0-day vulnerability CVE-2015-2590 in Java reported by Trend Micro. We recommend treating this patch with high priority. Note: if you think you cannot use a newer Java version due to requirements for old versions, have you looked at Oracle’s deployment rulesets?
Original: When we started preparing internally for July’s Patch Tuesday, we debated what the biggest issue of the month would be. Two camps emerged; we were split down the middle between the end-of-life of Windows Server 2003 and the mystery vulnerability MS15-058 that Microsoft did not release last month. Well, it turns out both camps were wrong: the biggest issues this month are the multiple 0-days in Adobe Flash.