Qualys Blog

Today is the first month since 1998 in which Microsoft stopped releasing security bulletins with the familiar MSxx-xxx format and replaced it with the new security update guide. We talked about this change earlier in a few blog posts and finally today it’s time to say good bye to security bulletins which essentially combined related vulnerabilities and products for easy of consumption.

In today’s release Microsoft fixed a total of 45 vulnerabilities that could lead to remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing. Top priority goes to the Office and WordPad CVE-2017-0199 which fixed a 0-day vulnerability that is being actively exploited in the wild. Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Office or WordPad. Attacker could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file. We recommend administrators patch this as soon as possible.

Continue reading …

Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS.  It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.

Continue reading …

Today is Patch Tuesday May 2015, and it is coming on strong. Microsoft released 13 bulletins bringing the count for this year to 53. 53 is quite a bit higher than in any of the last five years, in fact I cannot remember a similar active year. Our internal tracking of vulnerability numbers now projects north of 140 advisories for this year, certainly also new record:

Continue reading …

April’s Patch Tuesday continues the 2015 trend of high volume patches. This month we have a full set of 11 patches from Microsoft addressing 26 vulnerabilities.The vulnerabilities affect Windows and Office on both servers and workstations. In addition, Oracle is publishing their quarterly Critical Patch Update fixing 98 vulnerabilities in over 25 software categories, including Java, Oracle RDBMS and MySQL.

Add to that the fixes in Adobe, Mozilla and Google Chrome software that were initiated by the results of the PWN2OWN competition in Vancouver, and every defensive IT security professional will have their work doubled this month.

Continue reading …

Watch Qualys coverage of Microsoft, Adobe and POODLE on Patch Tuesday December 2014

This month Microsoft is publishing 14 bulletins with new versions and patches for its software, operating systems and applications. This is one fewer bulletin than Microsoft had announced last week.

Continue reading …

Update2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

• The attackers use an listoverridecount level of 25, which is outside of the 0,1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
• This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained, no additional setup files are needed.

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching it makes sense to disable RTF opening any way, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability that can be found with relatively little investment into file fuzzing. See Charlie Miller’s presentation on "dumb fuzzing" for some initial reading.

Continue reading …

Today is the year’s first Patch Tuesday, and while Microsoft is only releasing four updates, there is plenty of work for IT administrators due to releases by Adobe and Oracle.

Continue reading …

Today Microsoft released 11 security bulletins that address 24 vulnerabilities in the last Patch Tuesday of 2013. This month’s patches takes the total number of bulletins to 106 and the distinct vulnerability count to just over 330 for the year. 

Continue reading …

Microsoft today published eight security bulletins for the November 2013 Patch Tuesday, addressing 19 distinct vulnerabilities.

At the top of our priority list of patches and workarounds are the two open 0-day vulnerabilities:

• The Internet Explorer 0-day disclosed last week (see the blogpost by FireEye) can be addressed with a real patch, MS13-090, which implements a simple killbit setting that disables the affected ActiveX control “Information Card Signin Helper.” The attack vector here is a malicious webpage configured for a drive-by-download attack. More information in Microsoft’s SRD blog post.
• The TIFF graphic format vulnerability in the GDI+ library, also disclosed last week, which continues with no patch this month. However, there is an easy-to-implement workaround — a registry setting disabling the rendering of TIFF files — detailed in security advisory KB2896666 and made available as an MSI file. The attack vector seen in the wild is a malicious Word document.

Continue reading …