Qualys Blog

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Since Flash vulnerabilities have a high potential of being weaponized in exploit kits, organizations should apply both the updates as soon as possible. A total of 13 vulnerabilities were fixed in the Flash update, while 29 were fixed in the Acrobat and Reader. If unpatched, flaws in both the bulletins can potentially allow attackers to take complete control of the affected system.

Continue reading …

Adobe released three security advisories today fixing 84 security issues in total. This is a big number but the silver lining is that none of the patches released today were for 0-day vulnerabilities.  All vulnerabilities were privately reported to Adobe and so far none seem to be exploited before the release of their respective patch.

APSB16-32 patches 12 vulnerabilities in Flash player and gets a priority rating of 1. Flash has been targets by Exploit Kits like Rig, Neutrino and Angler and we agree that it should be patched as soon as possible. If left un-patched the vulnerability has a potential to allow attackers to take control of the affected system. It affects the Windows, Mac and Linux runtime as well as flash player for Internet Explorer, Edge and Chrome.

Continue reading …

Its July 2016 patch Tuesday and Microsoft has released 11 security updates that affect a host of desktop and server systems. Six updates are categorized as Critical while the rest are categorized as Important.

Most of the critical updates released today affect desktop systems. Top priority should be given to fixing browsers and Office which includes MS16-084 that affects Internet Explorer, MS16-085 which affects Microsoft Edge and MS16-088 for Office. All three updates fix vulnerabilities that allow an attacker to take complete control of the victim’s machine and therefore these should be patched immediately.

Continue reading …

Update5: Adobe has added a second vulnerability to APSA15-04, CVE-2015-5123, which TrendMicro has found. PoC code is available but not integrated into ExploitKits yet.

Update4: Adobe has acknowledged in APSA15-04 another 0-day for Flash originating in the data dump from HackingTeam. Security researcher Webdevil documents his finding in a tweet. Adobe credits Dhanesh Kizhakkian from FireEye who documented the PoC found in the datadump and notified Adobe (first?). Adobe expects to address the vulnerability next week (during normal Patch Tuesday maybe?). According to @Kafeine the vulnerability is already in use in the Angler Exploit Kit.

Update3: Adobe has released the patch for the HackingTeam 0-day, CVE-2015-5119. Beyond that vulnerability the update APSB15-16 also addresses 42 other vulnerabilities of which 27 can be used to reach remote code execution. Users of Google Chrome get their Flash update automatically, as are users of IE11 and IE11 from Microsoft. Users of other browsers needs to install patch manually, i.e. for Firefox, Opera and Safari. Install as quickly as possible to neutralize the exploits that are available in the major ExploitKits already.

In addition Adobe has pre-announced a new version of Adobe Reader (APSB15-15) for next Tuesday that will address critical vulnerabilities as well.

Update2: Adobe acknowledged the bug in APSA15-03 and will make an update available on Wednesday, July 8th. Excellent, quick reaction. Google is credited for reporting the bug now called CVE-2015-5119. Security researcher @kafeine reports that the Angler, Fiddler, Nuclear and Neutrino ExploitsKIts have added CVE-2015-5119 to their lineup. Patch as quickly as possible or think about adding EMET to your workstations.

Update: EMET 4.1 (last available version for XP) in its default configuration takes care of the attack on Windows XP. EMET is a good additional security tool to install once you are fully patched. It monitors for certain attack patterns and neutralizes them – if the exploit uses any of the common ways to execute shellcode EMET users have a good chance to get away unharmed.

Continue reading …

Today is Patch Tuesday May 2015, and it is coming on strong. Microsoft released 13 bulletins bringing the count for this year to 53. 53 is quite a bit higher than in any of the last five years, in fact I cannot remember a similar active year. Our internal tracking of vulnerability numbers now projects north of 140 advisories for this year, certainly also new record:

Continue reading …

It is December, time for our last Patch Tuesday of the year. Microsoft is publishing seven bulletins this month bringing the total count for the year to 85. Compared to 2013 with 106 and 2011 with 100 bulletins, 85 bulletins is not particularly high.

Continue reading …

While most of the IT world is waiting for more news around the Sony data breach (we know very little for sure see Kim Zettner’s piece in Wired for a good and level headed overview), things are continuing to move in our information security realm. More specifically Patch Tuesday for December is coming along with seven patches from Microsoft and probably two from Adobe.

Continue reading …

Update: Microsoft has modified the bulletin MS14-045 for Windows and excluded the patch for the font handling vulnerability CVE-2014-1819. The patch can cause the system to lockup (BSOD) and present problems with fonts that are not installed in the default location. Microsoft recommends uninstalling KB2982791 at this time. For more information take a look at the KB article itself. We are interested to know how widespread these problems are. Were you affected? Do you install important level patches immediately or do you wait for a cool-off period? These questions are important especially when you consider the availability of 1-day exploits, where attackers reverse engineer patches to find new attack vectors:

This example is taken from the capability description of commercial exploit tool (Gamma’s FinFly) but it illustrates the capabilities that a good attack team has.

Original: It is August Patch Tuesday, the week after Black Hat and DEF CON and we are getting nine bulletins from Microsoft with a total of 41 vulnerabilities addressed plus a new version of Adobe Flash. In addition Microsoft is introducing some new capabilities for automatic ActiveX blocking and announced the phase out of old browsers. All in all, a pretty busy Patch Tuesday with 2 patches that address 0-day vulnerabilities that are seeing attacks in the wild – Internet Explorer and Adobe Flash.

Continue reading …

It’s May 2014 and time for the first Microsoft Patch Tuesday after the end-of-life of Windows XP and Office 2003. Microsoft is publishing eight bulletins, and Adobe is publishing two software updates. The majority of the vulnerabilities addressed in the updates probably affect Windows XP/Office 2003 (our guess internally is eight out of the lineup of 10), but only users who have Microsoft’s extended support agreement can get the patches. Fortunately, the XP user base continues to shrink. In our enterprise user statistics we are now looking at under 10% (close to 8%) installed:

Continue reading …

Microsoft updated today the security advisory page for May and we are expecting eight security bulletins next Tuesday. Three of the bulletins address vulnerabilities that can be used by the attacker for Remote Code Execution (RCE) which are the highest priority type vulnerabilities.

Bulletin #1 is rated critical, addresses Internet Explorer (IE) and affects all currently supported versions from IE6-IE11. IE6, IE7 and IE8 are being patched for Windows Server 2003, but not for Windows XP, which had its End-of-Life date last month in April 2014 and will not receive any more regular updates. The Internet Explorer update should contain the cumulative fix for last months 0-day, already addressed by Microsoft in an out-of-band fashion last week in MS14-021 and the vulnerabilities disclosed during the year’s PWN2OWN competition at CanSecWest. This update should be high on your list, especially if you have not applied MS14-021 yet.

Bulletin #2 addresses critical vulnerabilities that also allow for RCE in Sharepoint server 2007, 2010 and 2013, plus a number of other server platforms. This should be high on your list, especially if you expose any of the listed platforms on the Internet.

Bulletin #3 is an update for Office 2007, 2010 and 2013. It is rated important and provides RCE to the attacker, indicating that the attacker vector is a malicious document that the target has to open in order to trigger the attack. Attackers would use a document like that in a social engineering attack, which aims at convincing the user to open the document, for example by making it appear as coming from the user’s HR department or promising information about a subject of interest to the user.

The remaining bulletins are fixes for Windows, .Net and Office that address local vulnerabilities, with the exception of Bulletins #7 that addresses a Denial-of-Service condition in Server 2008 R2 and 2012 R2.

In addition to Microsoft, Adobe has announced that they will publish a new version of Adobe Reader. Since the PDF format is frequently abused by attackers, you should include Adobe Reader on your priority list.