Qualys Blog

www.qualys.com

January 2017 Patch Tuesday Video Highlights

Adobe started 2017 with the release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.

Microsoft Ends 2016 with 15% Increase in Bulletin Volume

Happy December! In this last Patch Tuesday installment for 2016, Microsoft released 12 security bulletins, which brings the 2016 yearly count to 155. This is about 15% higher than last year. Out of more than 3 billion scans that Qualys performs each year, we saw an increase of about 20% in the total number of Microsoft vulnerabilities. This increase can be attributed to an increase in the volume of scanning and to the 15% increase in the number of Microsoft bulletins. But the year is not over and I will come up with the normalized number after the year ends.


Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server

Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched the 0-day vulnerability CVE-2016-7255 in MS16-135, which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited, it should be the top priority for organizations. An OpenType font vulnerability, CVE-2016-7256, was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before the availability of patches were fixed. These three issues are in the IE and Edge browsers and were fixed in MS16-142 and MS16-129 respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge). There is no indication yet that these three previously disclosed issues are being actively exploited.


October Patch Tuesday 2016 Video Highlights

Today Microsoft started rolling out a new way to patch systems, and this video highlight covers the new patching mechanism, five 0-day vulnerabilities patched by today’s update as well as Adobe vulnerabilities that were fixed.

Microsoft October B week Patch Tuesday: Five 0-days Fixed

Today Microsoft started rolling out a new way to patch systems, and I explain the different components which are included and their timeline:

  1. Patch Tuesday (second Tuesday of every month or B week): Two main components will be released on Patch Tuesday:
    1. A security-only update: This is a single update containing all new security fixes for that month. It will be released on Windows Server Update Services (WSUS) where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog. This package will NOT be available for consumer PCs which get updated via Windows Update.
    2. A security monthly rollup: A single update containing all new security fixes for that month (same as the security-only update) as well as fixes from all previous monthly rollups. This will be available for consumer PCs which get updated via Windows Update.
  2. Third Tuesday of every month (C Week): This is a monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups. This is included for users to test their systems before next month. This will be available on WSUS, Windows Update and Windows Update Catalog.

Internet Explorer updates are included in the security-only and monthly security rollup. .NET will follow a similar formula as monthly rollup and security-only updates.

Top 5 New Settings in Security Compliance Manager for Windows 10

Most organizations enforce system configuration policies to reduce the chance of misconfiguration and improve their overall security posture. For Microsoft Windows systems, many organizations rely on guidance from Microsoft Security Compliance Manager (SCM) for proper configuration. For organizations deploying Windows 10, this Top 5 list helps you understand and implement the new settings introduced in SCM for Windows 10.

As an engineer on the Qualys Policy Compliance product team, I routinely compare compliance benchmarks, and have compiled this list based on my work. If you are already familiar with previous versions of Windows, this blog post can help you to quickly adopt the new changes.

Controls (represented by Control IDs or CIDs) are the building blocks of the policies in Qualys Policy Compliance used to measure and report compliance for a set of hosts. For each of the Top 5 in this article, we include the CID that allows you to build policies to measure and report compliance for that new setting.


Patch Tuesday September 2016 Video Highlights

 

In one of the larger Patch Tuesdays in some time, Microsoft today released 14 security bulletins for desktop OSes, server OSes, browsers, Silverlight, SMBv1, Exchange Server and more. Watch this video to learn how security teams should prioritize patching based on the new bulletins.

Microsoft Patch Tuesday August 2016

It's August 2016 Patch Tuesday and Microsoft has released nine security bulletins that affect a host of components including desktop operating systems, browsers, fonts and servers. Five updates are rated as critical while four are rated as important.
