Update: Microsoft has modified the bulletin MS14-045 for Windows and excluded the patch for the font handling vulnerability CVE-2014-1819. The patch can cause the system to lockup (BSOD) and present problems with fonts that are not installed in the default location. Microsoft recommends uninstalling KB2982791 at this time. For more information take a look at the KB article itself. We are interested to know how widespread these problems are. Were you affected? Do you install important level patches immediately or do you wait for a cool-off period? These questions are important especially when you consider the availability of 1-day exploits, where attackers reverse engineer patches to find new attack vectors:
This example is taken from the capability description of commercial exploit tool (Gamma’s FinFly) but it illustrates the capabilities that a good attack team has.
Original: It is August Patch Tuesday, the week after Black Hat and DEF CON and we are getting nine bulletins from Microsoft with a total of 41 vulnerabilities addressed plus a new version of Adobe Flash. In addition Microsoft is introducing some new capabilities for automatic ActiveX blocking and announced the phase out of old browsers. All in all, a pretty busy Patch Tuesday with 2 patches that address 0-day vulnerabilities that are seeing attacks in the wild – Internet Explorer and Adobe Flash.
While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published their Advance Notice for the month of August. That document gives us an idea of the size of next week’s Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software including Internet Explorer, Windows, Office, SQL Server and Sharepoint. Two of the bulletins are rated “critical,” as they allow for Remote Code Execution (RCE) and a third one for Microsoft Office OneNote also provides RCE capabilities.
Today’s Microsoft Patch Tuesday for September 2013 brings us 13 bulletins fixing 47 distinct vulnerabilities. Thirteen bulletins is one less than originally announced last week, number fourteen, which applies to .NET and addresses a Denial-of-Service (DoS) vulnerability, is being held back for further testing. Adobe also announced new versions that fix critical vulnerabilities for Flash, Adobe Reader and Shockwave.
Microsoft announced its lineup for next week’s Patch Tuesday. We will get 14 bulletins, already bringing the number for this year to 80 in September. We are well on our way to get more than 100 bulletins this year compared to 83 in 2012 and exactly 100 in 2011, a good reflection of how challenging the computer security business continues to be.