Qualys Blog

www.qualys.com
163 posts

Massive Microsoft Patch Tuesday Security Update for March

Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities.  Out of the 17 security bulletins 8 were marked as Critical which could lead to remote code execution while the remaining were marked as Important. Since there were no patches released for February, in one way, a massive update was expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches in security bulletins which, in our opinion, is easy to read and provides better overall picture. But the Microsoft blog here, allude that sometime in the future Microsoft will stop publishing security bulletins.

The highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. This gets highest priority as CVE-2017-0005 is a zero day issue which is currently being exploited actively in the wild. This issue could be incorporated soon by ExploitKits using Silverlight as the attack vector as we have seen that happen in the past.

Continue reading …

Microsoft February Patch Tuesday Cliffhanger and Adobe Fix for Flash

UPDATE: Microsoft has announced that all updates will be delivered in the March 14 patch cycle.

As covered in our January blog, today Microsoft was supposed to scrap the existing system in which users used to get a bulletin like MS17-001 in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. But as per Microsoft’s blog, February’s Patch Tuesday has been delayed as Microsoft discovered a last minute issue that could impact some customers and could not resolve it in time for the planned update. This comes on the heels of the announcement that individual patches will not be available as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability for example, then all kernel or related vulnerabilities cannot be released as they are bundled together. A zero day SMB vulnerability was expected to be patched today and as of this writing there is no official statement on the new release date.

On the Adobe front, three security updated were released and the most important one is for Flash APSB17-04 which affects Windows, Mac, Linux and ChromeOS. If left un-patched this allows attackers to take complete control of the system. An attacker would host malicious flash content and the vulnerability will trigger when victim views the content.

Continue reading …

Oracle January 2017 CPU Fixes 270 Vulnerabilities

Oracle kicked off the New Year with its first installment of the quarterly CPU (critical patch update) for 2017. The update contains fix for 270 security issues across wide range of products. The graph below shows distribution of the update. More than 100 vulnerabilities that were fixed could be compromised by a remote attacker without requiring any credentials. Most remote vulnerabilities could be exploited over the HTTP protocol.

Continue reading …

January 2017 Patch Tuesday Video Highlights

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.

2016 Year-End Summary for Adobe and Another 0-day Fix in December

Adobe released nine security bulletins today in the December Security updates. The most notable update was APSB16-39 for Flash which fixed a 0-day vulnerability with exploits in the wild that is being used in targeted attacks. Adobe products including Flash and Acrobat PDF reader have long being targeted by exploit kits. In addition to the 0-day (CVE-2016-7892), 17 other vulnerabilities were fixed in Flash. This update address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  Other updates included in today’s release fixed Coldfusion (APSB16-44) , Robohelp (APSB16-46), Adobe Digital Editions (APSB16-45), InDesign (APSB16-43) , Experience Manager (APSB16-42) , DNG Converter (APSB16-41) and Animate (APSB16-38).

Continue reading …

Microsoft Ends 2016 with 15% Increase in Bulletin Volume

Happy December! In this last Patch Tuesday installment for 2016, Microsoft released 12 security bulletins which brings the 2016 yearly count to 155. This is about 15% higher than last year. Out of more than 3 billion scans that Qualys performs each year we saw an increase of about 20% in the total number of Microsoft vulnerabilities. This increase can be attributed to an increase in the volume of scanning and to the 15% increase in number of Microsoft bulletins. But the year is not over and I will come up with the normalized number after the year ends.

Continue reading …

November 2016 Patch Tuesday Video Highlights

Today Microsoft fixed two zero-day vulnerabilities and a total of 6 critical and 8 important updates which are covered in this video highlight. It also covers Adobe security updates released today.

Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server

Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched 0-day vulnerability CVE-2016-7255 in the MS16-135 which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited it should be the top priority for organizations. An OpenType font vulnerability CVE-2016-7256 was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and were fixed in MS16-142 and MS16-129 respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge). There is no indication yet that these three previously disclosed issues are being actively exploited.

Continue reading …

Microsoft October B week Patch Tuesday: Five 0-days Fixed

Today Microsoft started rolling out a new way to patch systems, and I explain the different components which are included and their timeline:

  1. Patch Tuesday (second Tuesday of every month or B week): Two main components will be released on Patch Tuesday:
    1. A security-only update: This is a single update containing all new security fixes for that month. It will be released on Windows Server Update Services (WSUS) where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog. This package will NOT be available for consumer PCs which get updated via Windows Update.
    2. A security monthly rollup: A single update containing all new security fixes for that month (same as the security-only update) as well as fixes from all previous monthly rollups. This will be available for consumer PCs which get updated via Windows Update.
  2. Third Tuesday of every month (C Week): This is a monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollup.  This is included for users to test their systems before next month. This will be available on WSUS, Windows update and Windows Update Catalog.

Internet Explorer updates are included in the security-only and monthly security rollup. .NET will follow a similar formula as monthly rollup and security-only updates. Continue reading …

Patch Tuesday September 2016 Video Highlights

 

In one of the larger Patch Tuesdays in some time, Microsoft today released 14 security bulletins for desktop OSes, server OSes, browsers, Silverlight, SMBv1, Exchange Server and more. Watch this video to learn how security teams should prioritize patching based on the new bulletins.