Qualys Blog

www.qualys.com
199 posts

September Patch Tuesday: 27 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches

Today Microsoft released a fairly large batch of patches covering 81 vulnerabilities as part of September’s Patch Tuesday update, with 38 of them impacting Windows. Patches covering 27 of these vulnerabilities are labeled as Critical, and 39 can result in Remote Code Execution (RCE).  According to Microsoft, one critical vulnerability impacting HoloLens has a public exploit, and there are active malware campaigns exploiting a .NET vulnerability. Microsoft has also patched the BlueBorne vulnerability that could allow an attacker to perform a man-in-the-middle attack against a Windows system.

Continue reading …

Microsoft Fixes Malware Protection Engine and Several 0-Day Vulnerabilities, and Deprecates SHA-1

Hours before today’s Patch Tuesday release on the eve of May 8, Microsoft released an emergency updated to fix a vulnerability in their Malware Protection Engine. This critical vulnerability allows an attacker to take complete control of the victim’s machine by just sending an e-mail attachment. When the malware protection engine scans the attachment the malicious code in the file gets executed, allowing the attacker complete and full access to the computer. The attack can also be carried out by sending the file via an instant message or having the victim download the file from a website. It is absolutely essential that organizations using Microsoft Malware Protection Engine make sure that they are at version Version 1.1.13704.0 or later. Users should also check if they are patched for CVE-2017-0290, which was released for the same issue today.

In today’s Patch Tuesday update Microsoft released a total of 57 vulnerability fixes. Highest priority should go to patching 0-day issues which are actively exploited.  On top of our list is the Office patch for CVE-2017-0261 which is triggered when a victim opens an Office file containing a malformed graphics image.  The file could be delivered via email or any other means. As this is actively exploited in the wild and attackers can take complete control of the victim system, this should be treated with priority.

Continue reading …

The Shadow Brokers Release Zero Day Exploit Tools

On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.

Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities, without the availability of a patch.

For zero-day vulnerabilities in Operating Systems, you can use your existing asset inventory information from Qualys AssetView, and search for any OS to determine how many vulnerable assets are deployed. This can be done without additional scanning if the data is relatively fresh.

Continue reading …

April 2017 Patch Tuesday Video Highlights

Microsoft Fixes 45 Vulnerabilities with new Security Update Guide and says goodbye to Security Bulletins. Adobe Fixes Flash, PDF reader and Photoshop.

Microsoft Fixes 45 Vulnerabilities with new Security Update Guide – says goodbye to Security Bulletins

Today is the first month since 1998 in which Microsoft stopped releasing security bulletins with the familiar MSxx-xxx format and replaced it with the new security update guide. We talked about this change earlier in a few blog posts and finally today it’s time to say good bye to security bulletins which essentially combined related vulnerabilities and products for easy of consumption.

In today’s release Microsoft fixed a total of 45 vulnerabilities that could lead to remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing. Top priority goes to the Office and WordPad CVE-2017-0199 which fixed a 0-day vulnerability that is being actively exploited in the wild. Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Office or WordPad. Attacker could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file. We recommend administrators patch this as soon as possible.

Continue reading …

Microsoft IIS 6.0 Buffer Overflow Zero Day

A new zero-day vulnerability (CVE-2017-7269) impacting Microsoft IIS 6.0 has been announced with proof-of-concept code. This vulnerability can only be exploited if WebDAV is enabled. IIS 6.0 is a component of Microsoft Windows Server 2003 (including R2.) Microsoft has ended support for Server 2003 on July 14, 2015, which means that this vulnerability will most likely not be patched. It is recommended that these systems be upgraded to a supported platform. The current workaround is to disable the WebDAV Web Service Extension if it is not needed by any web applications.

The Qualys Cloud Platform can help you detect the vulnerability, track and manage Server 2003 Assets, as well as block exploits against web-based vulnerabilities like this one.

Continue reading …

Massive Microsoft Patch Tuesday Security Update for March

Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities.  Out of the 17 security bulletins 8 were marked as Critical which could lead to remote code execution while the remaining were marked as Important. Since there were no patches released for February, in one way, a massive update was expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches in security bulletins which, in our opinion, is easy to read and provides better overall picture. But the Microsoft blog here, allude that sometime in the future Microsoft will stop publishing security bulletins.

The highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. This gets highest priority as CVE-2017-0005 is a zero day issue which is currently being exploited actively in the wild. This issue could be incorporated soon by ExploitKits using Silverlight as the attack vector as we have seen that happen in the past.

Continue reading …

January 2017 Patch Tuesday Video Highlights

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.

Microsoft Ends 2016 with 15% Increase in Bulletin Volume

Happy December! In this last Patch Tuesday installment for 2016, Microsoft released 12 security bulletins which brings the 2016 yearly count to 155. This is about 15% higher than last year. Out of more than 3 billion scans that Qualys performs each year we saw an increase of about 20% in the total number of Microsoft vulnerabilities. This increase can be attributed to an increase in the volume of scanning and to the 15% increase in number of Microsoft bulletins. But the year is not over and I will come up with the normalized number after the year ends.

Continue reading …

Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server

Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched 0-day vulnerability CVE-2016-7255 in the MS16-135 which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited it should be the top priority for organizations. An OpenType font vulnerability CVE-2016-7256 was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and were fixed in MS16-142 and MS16-129 respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge). There is no indication yet that these three previously disclosed issues are being actively exploited.

Continue reading …