Tuesdays With Microsoft

Tuesdays are the day when we patch the holey Microsoft products.

Patch Tuesday leaves Duqu 0-day for another day

November marked a light Patch Tuesday with just four bulletins, only one of which tackles a critical flaw.

All four advisories relate to problems in Windows. None is related to the zero-day vulnerability related to Duqu, the highly sophisticated worm reckoned to be related to the infamous Stuxnet pathogen.

See also:
Microsoft Security Bulletin Summary for November 2011
Microsoft Patch Tuesday Fixes Critical Windows 7 Bug, Leaves Out Duqu Zero-Day
Microsoft Fixes Four Bugs for November Patch Tuesday
Microsoft offers simple patch Tuesday for election day
Microsoft fails to patch Duqu, but fixes critical hole in Windows TCP/IP stack
One critical bulletin, no Duqu patch, in November 2011 Patch Tuesday updates
A mild November Patch Tuesday from Microsoft
Light Patch Tuesday May Lead To Out-of-Band Patch
Microsoft fixes gaping hole in Windows TCP/IP stack
Microsoft patches critical Windows bug, but not Duqu flaw
Microsoft patches critical Windows 7 bug, downplays exploit threat
Microsoft Leaves Duqu Worm Exploit Unpatched
Windows Update

I find it more than interesting that Microsoft is unable or unwilling to patch for the Duqu Virus. Is it intentional?

/anyway, you know the drill, get on with it

Do The Microsoft Patch Dance

The dance that never ends.

Microsoft Patch

Microsoft released 13 security bulletins, patching 22 vulnerabilities across its product line, including two critical updates affecting Internet Explorer and the Windows DNS Server.

While Microsoft issued fewer updates this month, August was still marked as a busy month for system administrators. Adobe Systems Inc., which issues fixes on a quarterly cycle, issued a critical security update late Tuesday, repairing seven flaws in its Shockwave Player, more than a dozen holes in its Flash Player and an error in its Flash Media Server.

Microsoft addressed seven vulnerabilities in Internet Explorer including two zero-day flaws. According to MS11-057, Microsoft said an attacker who successfully exploited any of the vulnerabilities could gain the same user rights as the local user. Microsoft said the most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

. . .

Another noteworthy bulletin is MS11-065, which resolves a vulnerability in the Remote Desktop Protocol. Although the security bulletin is rated important for users of Windows Server 2003, Miller said Microsoft has seen attacks targeting the flaw in the wild. The flaw can be targeted if an attacker sends a malicious remote desktop protocol connection request to the victim’s computer which could cause the system to crash.

See also:
Microsoft Security Bulletin Summary for August 2011
Microsoft Fixes IE, Windows DNS Server Flaws In Patch Tuesday Update
Microsoft Patches 22 Security Holes
Microsoft Security Patch Fixes 20-Year-Old Flaw
Microsoft fixes 22 security bugs
Microsoft’s August Patch Tuesday security update to tackle critical flaws in IE and Windows Server
Your Microsoft Patch Tuesday update for August 2011
Microsoft to Fix 22 Software Flaws in Its August Patch Tuesday Update
Hefty Microsoft August Patch Delivers 13 Security Fixes
IE, Windows server bugs likely to be exploited soon
Microsoft expecting exploits for critical IE vulnerabilities
Microsoft Update

Get busy downloading.

/so, until the next Patch Tuesday . . .

Tuesday Is The Time At Microsoft When We Patch

It’s a relatively small one this time, but critical.

Microsoft Fixes 22 Bugs in July Patch Tuesday

Microsoft addressed 22 security vulnerabilities across four security bulletins in July’s Patch Tuesday update. Three of the patches fix issues in the Windows operating system.

The four bulletins patched issues in all versions of the Windows operating system and in Microsoft Visio 2003 Service Pack 3, Microsoft said in its Patch Tuesday advisory, released July 12. Of the patches, only one has been rated “critical.” The remaining three are rated “important,” according to Microsoft.

“Today’s Patch Tuesday, though light, should not be ignored, as these patches address vulnerabilities that allow attackers to remotely execute arbitrary code on systems and use privilege escalation exploits,” said Dave Marcus, director of security research and communications at McAfee Labs.

Security experts ranked Microsoft bulletin MS11-053, which addressed a critical vulnerability in the Windows Bluetooth stack on Windows Vista and Windows 7, as the highest priority. Attackers could exploit the vulnerability by crafting and sending specially crafted Bluetooth packets to the target system to remotely take control, Microsoft said in its bulletin advisory.

See also:
Microsoft Security Bulletin Summary for July 2011
Microsoft fixes 22 security holes
Microsoft issues critical patch for Windows 7, Vista users
Microsoft Releases 4 Updates for Windows and Office
Microsoft warns of critical security hole in Bluetooth stack
Security Experts Warn of Microsoft Bluetooth Vulnerability
Patch Tuesday Fixes Critical Bluetooth Flaw in Windows 7
‘Bluetooth sniper’ Windows vuln fix in light Patch Tuesday
Microsoft Squashes Bluetooth Bug
Microsoft patches ‘sexy’ Bluetooth bug in Vista, Windows 7
Microsoft Fixes 22 Bugs in July Patch Tuesday
Businesses should not ignore critical Microsoft Patch Tuesday update, say experts
Microsoft Patch Tuesday: four security bulletins
Microsoft Patch Tuesday – 12th July 2011
Windows Update

This isn’t the first time you’ve had to update Windows, you know what to do, so get busy.

/until next time, same patch time, same patch channel

It Must Be Tuesday Again

Because Microsoft comes bearing gifts.

Patch Tuesday: Critical security holes in Microsoft Office

Microsoft has shipped a patch to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.

The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.

It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.

The update also patches the DLL load hijacking attack vector that haunted multiple Windows applications, including Microsoft’s own Office software.

Microsoft urges Office users to consider this a “top priority bulletin” and warned that reliable exploit code is likely within the next 30 days.

As part of the November Patch Tuesday release, the company also patched a pair of security flaws in Microsoft PowerPoint and four documented flaws in Unified Access Gateway (UAG), which is a component of Microsoft Forefront.

See also:
Microsoft Security Bulletin MS10-087 – Critical
Microsoft Office Takes Center Stage for Patch Tuesday
Small, But Serious Patch Tuesday
Microsoft Patch Tuesday: Updates for Office and Forefront
Microsoft patches critical Outlook drive-by bug
Microsoft plugs hole related to Word-launched e-mails
Microsoft Patch Tuesday Update Will Not Fix IE Flaw
IE zero-day vulnerability not part of light Patch Tuesday
Microsoft tiny Patch Tuesday has no IE fix
Microsoft’s Patch Tuesday for November does not include a fix for a zero-day flaw in Internet Explorer
Windows Update

Well, apparently Microsoft didn’t quite get to fixing everything that’s wrong with their software this time around, but you had better install the patch anyway.

/so, until next time, and you know there will be a next time . . .

It’s Official, Sharia Law Is A Threat To American Democracy

Muslims are trying to subvert America from within under the guise of creeping Sharia law? Tell me something I don’t already know.

America Exposed to ‘Stealth Jihad’ Threat, Security Report Warns

America is “under attack” by a non-violent “stealth jihad,” a panel of national security analysts warned in a new report that claimed fundamentalists are trying to bring Islamic law known as “Shariah” to the United States.

The report, sponsored by the Center for Security Policy and touted by a handful of conservative lawmakers on Capitol Hill Wednesday, said that the violent threat posed by Al Qaeda and other terror groups is outmatched by the threat from jihadists allegedly trying to change American society from within.

“This form of warfare includes multi-layered cultural subversion, the co-opting of senior leaders, influence operations and propaganda and other means of insinuating Shariah into Western societies,” the study said.

The report cited the Muslim Brotherhood as the most influential organization trying to achieve that goal, but expressed concern more about America’s vulnerability than any marquee successes by the so-called “stealth” jihadists.

“Just as we cannot say all Muslims hold a certain view based on the actions of a radical fringe … it would be unwise to discount the malicious intentions of those that wish to subvert American law,” Rep. Trent Franks, R-Ariz., said at a press conference Wednesday.

Read the report:

Shariah: The Threat to America

See also:
Shariah: The Threat to America
Shariah a danger to U.S., security pros say
Security panel links radical Islam, terror
Al-Qaeda on Capitol Hill
Shariah Threat Report Annoying All the Right People
Al-Awlaki Led Prayer Services for Congressional Muslim Staffers Association After 9/11
The Shariah Threat to America
The Shariah Threat
That Sharia Report
Shariah Law Exposed as Threat
Shariah, the Threat to America
Center for Security Policy
My Brush With Sharia

Wake up America, before it’s too late. Don’t be the proverbial frog in the slowly warming pot of water. This report spells the threat of creeping Sharia out clearly. If you’re still unable to understand what the threat is and how it works, either you can’t read or you’re in denial.

/just don’t say you haven’t been clearly and explicitly warned

It’s A Record Patchapalooza Tuesday!

Does Microsoft Windows suck? Um, why do you ask?

Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

It’s a very busy Patch Tuesday for Windows users: 14 bulletins covering 34 serious security vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

As previously reported, eight of the bulletins are rated “critical” because of the risk of remote code execution attacks. The other six are rated “important.”

The company also released a security advisory to warn of a new elevation of privilege issue in the Windows Service Isolation feature.

Windows users are urged to pay special attention to these four bulletins:

MS10-052 resolves a privately reported vulnerability in Microsoft’s MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

MS10-055 resolves a privately reported vulnerability in the Cinepak codec that could allow remote code execution if a user opens a specially crafted media file, or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

MS10-056 resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Windows Vista and Windows 7 are less exploitable due to additional heap mitigation mechanisms in those operating systems.

MS10-060 resolves two privately reported vulnerabilities, both of which could allow remote code execution, in Microsoft .NET Framework and Microsoft Silverlight.

As Computerworld’s Gregg Keizer points out, the August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches.

See also:
Microsoft Security Bulletin Summary for August 2010
MS10-052
MS10-055
MS10-056
MS10-060
Windows Update Home
Record Patch Tuesday yields critical Windows, IE fixes
Record Patch Tuesday: Where to Begin
It’s Microsoft Patch Tuesday: August 2010
Microsoft: Big Patch Tuesday for IT Administrators
Microsoft releases record number of security patches
Microsoft issues patches for a record 35 fresh security holes
Microsoft Issues Biggest Security Patch Yet

What the hell is Bill Gates selling anyway, a computer operating system or Swiss cheese?

/you’d better get busy downloading, this one takes a while, sucks if you have dial up

It’s Extra Special Patch Tuesday!

Yep, this gaping hole in Windows is so bad that Microsoft couldn’t even wait until next week’s regularly scheduled Patch Tuesday to try and fix it.

Microsoft issues emergency security patch for million dollar Windows flaw

Microsoft today rushed out an emergency patch for Windows Vista and Windows 7 PCs just eight days before its next Patch Tuesday.

The software giant issues security patches on the second Tuesday of each month, and only rarely issues so-called out-of-band patches. The company has never issued an emergency patch this close to Patch Tuesday, says Jason Miller, data and security team leader at patch management firm, Shavlik Technologies.

“Coming out with this patch this close to a Patch Tuesday is severe,” says Miller. “People should be paying attention to this one, and patch as soon as possible.”

Importantly, the emergency patch does nothing for hundreds of millions of PCs running Windows XP Service Pack 2 and Windows Server 2000, since Microsoft last month stopped issuing security updates for those older versions of its flagship operating system. The company continues to urge Windows XP SP2 users, in particular, to upgrade to Windows XP SP3, which will continue to get security updates, or to buy new Windows 7 PCs.

Update: To be clear, this patch will work on Windows XP SP3, Windows Server 2003 SP2; Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2. It will not work on Windows XP SP2 or Windows Server 2000.

At the Black Hat and Def Con security conferences in Las Vegas last week, attendees referred to this Windows flaw as a $1 million vulnerability. Savvy hackers can tweak a basic component of all versions of Windows, called LNK. This is the simple coding that enables shortcut program icons to appear on your desktop.

No one in the legit world knew the LNK flaw existed until mid July, when security blogger Brian Krebs began reporting on a sophisticated worm spreading via USB thumb drives. That worm, known as Stuxnet, took advantage of the newly-discovered flaw to run a malicious program designed specifically to breach Siemens SCADA (supervisory control and data acquisition) software systems. Over a period of months the attackers had infected Siemens SCADA controls in power plants and factories in Iran, Indonesia, India and some Middle East nations, according to antivirus firm Symantec.

See also:
Microsoft Security Bulletin MS10-046 – Critical
Microsoft ships rush patch for Windows shortcut bug
Microsoft issues emergency patch for Windows shortcut link vulnerability
Microsoft Patches Windows Shell Vulnerability
Microsoft’s New Patch for Windows Shortcut Exploit
Emergency patch closes LNK hole in Windows
Microsoft sticks to plan, denies emergency patch for XP SP2

The new emergency patch is here, the new emergency patch is here!

/so, if your Windows didn’t automatically update, you’d better do it now
