In this month’s Patch Tuesday release there are 63 vulnerabilities patched with 20 Criticals. Out of the criticals, over half are browser-related, with the rest including Windows, SQL, and Exchange. Active exploits have been detected against CVE-2018-8373, one of the scripting engine vulnerabilities.
This month’s Patch Tuesday is medium in weight, with 54 CVEs containing 17 Criticals. All but two of the Critical vulnerabilities are in Microsoft’s browsers or browser-related technologies. An additional speculative execution vulnerability announced in June was patched as well. Adobe has also released patches covering multiple product each with multiple CVEs.
June’s Patch Tuesday is lighter weight compared to previous months. In all, 51 unique CVEs are addressed, with 11 CVEs marked as Critical. Adobe also released an out-of-band update for a Flash Player vulnerability last week, which is being actively exploited.
This May’s Patch Tuesday has quite a few Microsoft fixes for both the OS and browsers. In all, 67 unique CVEs are addressed in 17 KB articles, with 21 CVEs marked Critical. 32 of these CVEs reference Remote Code Execution, 19 of which are Critical. Those who use Hyper-V have some updates to pay attention to as well.
Today’s Patch Tuesday is smaller than last month, but there are more critical updates this time. Out of the 63 vulnerabilities covered by the Microsoft patches, 22 of them are critical. Adobe has released 6 bulletins covering 19 vulnerabilities. According to Microsoft and Adobe, there are no active attacks against these vulnerabilities.
The majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
Today’s Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities.
All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics’ hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to significantly boost DDoS attacks, as GitHub became a victim of this new tactic.
Apple under siege
The second half of February was intense for Apple on the security front. A digital forensics vendor claimed having the ability to unlock all iPhone models, including the X, while a researcher warned about a Trojan targeting MacOs computers that’s not detected by anti-virus products. Oh, and Apple had to squash another one of those pesky bugs that let people crash iPhones via texting.
Forbes dropped a news bomb on Monday when it reported that Cellebrite recently started telling its customers — which are primarily government, military and corporate investigative teams — that it’s able to unlock and extract data from devices running iOS 11, such the iPhone X, as well as other iPhones, iPads and iPods.
While Cellebrite isn’t publicly trumpeting this capability, anonymous sources told Forbes that in recent months the company “has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe.”
As Forbes noted, Cellebrite has posted a brochure on its website where it details its ability to unlock these Apple products as well as several Android devices, and extract data from them. The way it works is that customers ship the devices to Cellebrite, where its engineers work their magic. Cellebrite can’t (or won’t) crack devices remotely.
For this month’s Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week.
From this list, there are patches for a vulnerability (CVE-2018-0825) that impacts StructuredQuery in Windows servers and workstations. Exploitation of this vulnerability would be through a malicious file and would lead to remote code execution. This patch should be at the top of the priority list, aside from the Adobe Flash patches mentioned below.
UPDATE 1/4/2018: Qualys has released several QIDs for detecting missing patches for these vulnerabilities.
UPDATE 1/5/2018: Pre-built AssetView dashboards to visualize impact and remediation progress.
Vulnerabilities potentially impacting all major processor vendors were disclosed today by Google Project Zero. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715). Organizations should inventory their systems by processor type, apply vendor patches as they become available, and track their progress. This article describes how Qualys can help in all three areas.
This November Patch Tuesday is moderate in volume and severity. Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS receives 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe. According to Microsoft, there do not appear to be any actively attacked vulnerabilities in the wild in this patch release.