Update2: MS14-021 has now been published. Note that differently from a normal update it is not cumulative (i.e. it only addresses this particular vulnerability CVE-2014-1776, which is common for an out-of-band update such as this one) and it is recommended to install the latest cumulative update before applying MS14-021, i.e. MS14-018 for most versions of Windows, but MS14-012 for IE11 on Windows 7 and Windows 8.

While attacks continue to be targeted, we recommend installing this update as soon as possible, rather than waiting 2 weeks for next Patch Tuesday.

Update: Microsoft will release an out-of-band patch for Internet Explorer later today, and it will include an update for Windows XP. Good news for users of the operating system that went EOL last month. Stay tuned for more news.

Original: Microsoft just published security advisory 2963983 which acknowledges limited exploits against a 0-day vulnerability in Internet Explorer (IE). The vulnerability CVE-2014-1776 affects all versions of IE starting with version 6 and including version 11, but the currently active attacks are targeting IE9, IE10 and IE11. The attack vector is a malicious web page that the targeted user has to access with one of the affected browsers.

Continue reading …

Tuesday, April 8, 2014 – today Microsoft came out with the bulletins for April Patch Tuesday.  It is a small release with only four bulletins, MS14-017 to MS14-020, a light patch Tuesday for the second month in a row.

But the Microsoft bulletin is not the most important item this month (even though MS14-017 fixes the current Word 0-day), but rather two other items:  the new HeartBleed bug that impacts OpenSSL, and the arrival of Windows XP end of life.  I will tackle each in turn:

Continue reading …

Tomorrow marks the end of support for Windows XP by Microsoft. There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP. There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft. 

Continue reading …

Next week, Microsoft will deliver its last set of public security patches for Windows XP.

The end-of-life for XP which has been announced for a number of years now, means that computers running XP will be very attackable in the near future. Over 70% Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change in the near future. XP will be affected by a large percentage of the problems exposed in May, June and July, but there will be no remedy (except for companies that pay for extended support – an option that is at least US$ 100,000/year).

Continue reading …

Today Microsoft released the bulletins for March Patch Tuesday. We have five bulletins, MS14-012 to MS14-016, a light patch tuesday by all comparisons, even with Adobe chiming in with an update that is non-critical.  If it wasn’t for the Internet Explorer (IE) patch that addresses the 0-day that was found during last month’s Patch Tuesday, one could call it almost uneventful.

Continue reading …

Microsoft just published security advisory 2914486 describing a new, local vulnerability in Windows XP and Windows 2003. It acknowledges a kernel vulnerability that can be used to gain administrator privileges. It is being abused in the wild in conjunction with a Adobe Reader vulnerability that had a fix published in August 2013. This post on the Fireeye blog has more technical details.

Users that have the latest version of Adobe Reader are immune to the attack, as well as users that are running on Windows Vista or later.

Stay tuned to this blog for updates on the issue.

Today’s Microsoft Patch Tuesday for September 2013 brings us 13 bulletins fixing 47 distinct vulnerabilities. Thirteen bulletins is one less than originally announced last week, number fourteen, which applies to .NET and addresses a Denial-of-Service (DoS) vulnerability, is being held back for further testing. Adobe also announced new versions that fix critical vulnerabilities for Flash, Adobe Reader and Shockwave.

Continue reading …

Update 2: Microsoft reissued MS13-061 today to include Exchange 2013 again. You should be able to install it now without issues, but it makes sense to test the installation in your environment and/or wait until your next downtime for the installation.

Update: Microsoft has pulled the MS13-061 update for Exchange 2013 because it causes a corruption of the index database. Hopefully you have not been impacted, because you do not install server patches on critical machines right away, which seems like a good cautious measure at the moment. Nevertheless If you have Exchange 2013 and have not installed MS13061 yet then wait. If you have installed it and your installation shows signs of the issue, please take a look a KB2879739 for a workaround involving the editing of registry keys.

Continue reading …