Qualys Blog

www.qualys.com
193 posts

Massive Microsoft Patch Tuesday Security Update for March

Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities.  Out of the 17 security bulletins 8 were marked as Critical which could lead to remote code execution while the remaining were marked as Important. Since there were no patches released for February, in one way, a massive update was expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches in security bulletins which, in our opinion, is easy to read and provides better overall picture. But the Microsoft blog here, allude that sometime in the future Microsoft will stop publishing security bulletins.

The highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. This gets highest priority as CVE-2017-0005 is a zero day issue which is currently being exploited actively in the wild. This issue could be incorporated soon by ExploitKits using Silverlight as the attack vector as we have seen that happen in the past.

Continue reading …

January 2017 Patch Tuesday Video Highlights

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.

Microsoft Ends 2016 with 15% Increase in Bulletin Volume

Happy December! In this last Patch Tuesday installment for 2016, Microsoft released 12 security bulletins which brings the 2016 yearly count to 155. This is about 15% higher than last year. Out of more than 3 billion scans that Qualys performs each year we saw an increase of about 20% in the total number of Microsoft vulnerabilities. This increase can be attributed to an increase in the volume of scanning and to the 15% increase in number of Microsoft bulletins. But the year is not over and I will come up with the normalized number after the year ends.

Continue reading …

Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server

Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched 0-day vulnerability CVE-2016-7255 in the MS16-135 which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited it should be the top priority for organizations. An OpenType font vulnerability CVE-2016-7256 was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and were fixed in MS16-142 and MS16-129 respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge). There is no indication yet that these three previously disclosed issues are being actively exploited.

Continue reading …

October Patch Tuesday 2016 Video Highlights

Today Microsoft started rolling out a new way to patch systems, and this video highlight covers the new patching mechanism, five 0-day vulnerabilities patched by today’s update as well as Adobe vulnerabilities that were fixed.

Microsoft October B week Patch Tuesday: Five 0-days Fixed

Today Microsoft started rolling out a new way to patch systems, and I explain the different components which are included and their timeline:

  1. Patch Tuesday (second Tuesday of every month or B week): Two main components will be released on Patch Tuesday:
    1. A security-only update: This is a single update containing all new security fixes for that month. It will be released on Windows Server Update Services (WSUS) where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog. This package will NOT be available for consumer PCs which get updated via Windows Update.
    2. A security monthly rollup: A single update containing all new security fixes for that month (same as the security-only update) as well as fixes from all previous monthly rollups. This will be available for consumer PCs which get updated via Windows Update.
  2. Third Tuesday of every month (C Week): This is a monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollup.  This is included for users to test their systems before next month. This will be available on WSUS, Windows update and Windows Update Catalog.

Internet Explorer updates are included in the security-only and monthly security rollup. .NET will follow a similar formula as monthly rollup and security-only updates. Continue reading …

Top 5 New Settings in Security Compliance Manager for Windows 10

Most organizations enforce system configuration policies to reduce the chance of misconfiguration and improve their overall security posture. For Microsoft Windows systems, many organizations rely on guidance from Microsoft Security Compliance Manager (SCM) for proper configuration. For organizations deploying Windows 10, this Top 5 list helps you understand and implement the new settings introduced in SCM for Windows 10.

As an engineer on the Qualys Policy Compliance product team, I routinely compare compliance benchmarks, and have compiled this list based on my work. If you are already familiar with previous version of Windows, this blog post can help you to quickly adopt the new changes.

Controls (represented by Control IDs or CIDs) are the building blocks of the policies in Qualys Policy Compliance used to measure and report compliance for a set of hosts. For each of the Top 5 in this article, we include the CID that allows you to build policies to measure and report compliance for that new setting.

Continue reading …

Patch Tuesday September 2016 Video Highlights

 

In one of the larger Patch Tuesdays in some time, Microsoft today released 14 security bulletins for desktop OSes, server OSes, browsers, Silverlight, SMBv1, Exchange Server and more. Watch this video to learn how security teams should prioritize patching based on the new bulletins.

Microsoft Patch Tuesday August 2016

Its August 2016 Patch Tuesday and Microsoft has released nine security bulletins that affect a host of components including desktop operating systems, browsers, fonts  and servers. Five updates are rated as critical while four are rated as important.

Continue reading …