Tuesday Fun With Microsoft

The new patches are here, the new patches are here!

Microsoft Patches 17 Bugs in December Patch Tuesday

Microsoft fixed 17 bugs in the Windows operating system, Microsoft Office, Windows Media Player and Internet Explorer. The fixes also cover a zero-day flaw exploited by the Duqu Trojan.

Microsoft released 13 security bulletins to fix 17 different vulnerabilities as part of its December Patch Tuesday update, according to the advisory released Dec. 8. Three bulletins were marked critical and the remaining 10 were rated important.

See also:
Microsoft Security Bulletin Summary for December 2011
Merry Christmas! Microsoft Plans Massive Patch Tuesday to Close 2011
Last Patch Tuesday of 2011 Secures Windows XP, Vista, Windows 7
December 2011 Patch Tuesday sees 13 Microsoft bulletins, Duqu patch
Microsoft fixes 20 bugs in year’s last ‘Patch Tuesday’
Microsoft to patch three critical holes
Microsoft slims final patch Tuesday of 2011 to 13 patches from proposed 14
No BEAST fix from Microsoft in December patch batch
Microsoft fixes Duqu hole, but not BEAST problem
Microsoft scratches BEAST patch at last minute, but fixes Duqu bug
December Patch Tuesday Fixes Duqu Worm
‘Duqu’ zero-day Windows flaw patched this week
Microsoft: Duqu patched, bringing years total to 99 corrections

Well, it’s a good thing that Microsoft finally patched against the Duqu virus, better late than never, as they say. What are you waiting for? Start installing your gifts!

/at least you can’t say Microsoft didn’t get you anything for the Holidays

Tuesday Fun With Microsoft

Windows, the software of perpetual patching. This installment is fairly large.

Microsoft Fixes Internet Explorer, Windows Flaws in October Patch Tuesday

Microsoft fixed 23 vulnerabilities across eight security bulletins as part of its October Patch Tuesday release.

October’s Patch Tuesday release resolved issues in Internet Explorer versions 6 through 9, all versions of Microsoft Windows from XP through 7, .NET and Silverlight, Microsoft Forefront Unified Access Gateway and Host Integration Server, Microsoft said Oct. 11. Two of the patches are rated “critical,” and six are rated “important,” Microsoft said.

See also:
Microsoft Security Bulletin MS11-082 – Important
Microsoft Security Bulletin MS11-081 – Critical
Microsoft Security Bulletin MS11-080 – Important
Microsoft Security Bulletin MS11-079 – Important
Microsoft Security Bulletin MS11-078 – Critical
Microsoft Security Bulletin MS11-077 – Important
Microsoft Security Bulletin MS11-076 – Important
Microsoft Security Bulletin MS11-075 – Important
Microsoft’s October 2011 Patch Tuesday fixes 23 flaws, releases SIRv11
MS wipes out 23 flaws in October’s Patch Tuesday
Patch Internet Explorer Now
23 vulnerabilities squashed by Microsoft’s Patch Tuesday effort
Microsoft Update

So, get busy and happy patching!

/until the next time Microsoft releases patches to make its software suck less . . .

Tuesday Is The Time At Microsoft When We Patch

It’s a relatively small one this time, but critical.

Microsoft Fixes 22 Bugs in July Patch Tuesday

Microsoft addressed 22 security vulnerabilities across four security bulletins in July’s Patch Tuesday update. Three of the patches fix issues in the Windows operating system.

The four bulletins patched issues in all versions of the Windows operating system and in Microsoft Visio 2003 Service Pack 3, Microsoft said in its Patch Tuesday advisory, released July 12. Of the patches, only one has been rated “critical.” The remaining three are rated “important,” according to Microsoft.

“Today’s Patch Tuesday, though light, should not be ignored, as these patches address vulnerabilities that allow attackers to remotely execute arbitrary code on systems and use privilege escalation exploits,” said Dave Marcus, director of security research and communications at McAfee Labs.

Security experts ranked Microsoft bulletin MS11-053, which addressed a critical vulnerability in the Windows Bluetooth stack on Windows Vista and Windows 7, as the highest priority. Attackers could exploit the vulnerability by crafting and sending specially crafted Bluetooth packets to the target system to remotely take control, Microsoft said in its bulletin advisory.

See also:
Microsoft Security Bulletin Summary for July 2011
Microsoft fixes 22 security holes
Microsoft issues critical patch for Windows 7, Vista users
Microsoft Releases 4 Updates for Windows and Office
Microsoft warns of critical security hole in Bluetooth stack
Security Experts Warn of Microsoft Bluetooth Vulnerability
Patch Tuesday Fixes Critical Bluetooth Flaw in Windows 7
‘Bluetooth sniper’ Windows vuln fix in light Patch Tuesday
Microsoft Squashes Bluetooth Bug
Microsoft patches ‘sexy’ Bluetooth bug in Vista, Windows 7
Microsoft Fixes 22 Bugs in July Patch Tuesday
Businesses should not ignore critical Microsoft Patch Tuesday update, say experts
Microsoft Patch Tuesday: four security bulletins
Microsoft Patch Tuesday – 12th July 2011
Windows Update

This isn’t the first time you’ve had to update Windows, you know what to do, so get busy.

/until next time, same patch time, same patch channel

It Came From Central Asia

How it got here or why it’s suddenly all over the news this week, well, your guess is as good as mine. But apparently, whatever you do, if you see one, don’t touch it and run for your lives!

Giant Weed Can Cause Blisters, Even Blindness

Call it the import that nobody wants.

Experts are urging residents of several states to beware of the “giant hogweed,” a tall plant native to Central Asia with umbrella-size flowers containing toxic sap that can cause burns, blisters and, in some cases, even blindness.

“Avoid it at all cost,” Jodi Holt, a professor of plant physiology at University of California, Riverside, told ABC News.

“The sap causes something called phytophotodermatitis when it touches humans,” causing scars and potentially blindness if it comes into contact with the eyes, Holt said. Some cases of blindness occurred after children used the hollow stalks as telescopes.

Heracleum Mantegazzianum, as hogweed is botanically known, is already a concern in the Northeast and spreading fast. Patches of giant hogweed have also been sighted in the Pacific Northwest.

See also:
Summer Plant from Hell: Giant Hogweed Can Burn, Scar and Blind You
Look out for Giant Hogweed
Giant worries over hogweed
Avoid Giant Hogweed: Noxious plant can cause blindness
Blistering, blinding weed creeps toward a city near you
Beware giant hogweed and its burning, blinding sap
Hogweed poses serious threat to New York citizens
Giant Hogweed Invades NY! This Weed Can Burn You, But Probably Won’t Eat You
What’s going on here? DEC to address hogweed problem in Springwater
Giant hogweed gone wild along Thames
Giant hogweed: 8 facts you must know about the toxic plant

I must confess, up until this week’s out of nowhere media blitz, despite years of extensive Boy Scout training, I’d never even heard of this marauding botanical menace.

/except as an early Genesis song

Tuesday Fun With Microsoft

It’s another big one and the flaws are serious.

Microsoft Fixes 24 Bugs in June Patch Tuesday

Microsoft addressed 24 security vulnerabilities across 16 security bulletins in June’s Patch Tuesday update. This will be Microsoft’s second-largest Patch Tuesday in 2011 after April’s gargantuan release.

Microsoft patched the Windows operating system, all supported versions of Internet Explorer, Microsoft Office, SQL Server, Forefront, .NET/Silverlight, Active Directory and Hyper-V, the company said in its Patch Tuesday advisory released June 14. Of the patches, nine have been rated as “critical,” and seven have been ranked as important, according to Microsoft.

Microsoft called out four critical updates as top priorities on the Microsoft Security Response Center blog. They include a fix for all versions of the SMB Client on Windows (MS11-043), 11 bugs in all versions of Internet Explorer (MS11-050), another Windows flaw (MS11-052) and two issues in the DFS client for all versions of Windows (MS11-042), according to Trustworthy Computing’s Angela Gunn.

See also:
Microsoft Security Bulletin Summary for June 2011
Microsoft ‘Patch Tuesday’ Fixes 24 Flaws In 16 Updates
MS Patch Tuesday: Gaping holes haunt Internet Explorer browser
Patch Tuesday Fixes Dangerous Flaws with Exploits Imminent
Microsoft plugs 34 holes; Adobe fixes Flash Player bug
Microsoft patches critical IE9, Windows bugs
Patch Tuesday heralds a busy spell for admins
Microsoft Puts Out 16 Patches, 9 Critical, for June
Microsoft issues 16 bulletins, 9 critical including SMB, IE fixes
June Gloom: Microsoft Releases 16 Bulletins for Patch Tuesday
Windows Update

Damn, if Windows was a car that had been “repaired” this many times, it wouldn’t have any original parts left.

/anyway, get busy with the updating, don’t let the bad guys in, at least until they find new holes in Widows that Microsoft will have to patch next month

Tuesdays With Microsoft

Thankfully, it’s a relatively wee one.

Microsoft Unleashes Critical Update for Windows Server

Today is Patch Tuesday, and Microsoft is taking it easy on IT admins with a meager two security bulletins this month. But, don’t let the small number of updates lull you into a false sense of security. They may be few, but the patches this month are still crucial for network and computer security.

MS11-035 is rated as Critical and affects the WINS component of Windows Server 2003 and 2008, and MS11-036 is an Important security bulletins related to flaws in Microsoft PowerPoint.

See also:
Microsoft Security Bulletin Summary for May 2011
Microsoft plugs critical hole in Windows
Microsoft Releases Patch Tuesday Fixes for Windows Server and PowerPoint
Microsoft Releases Critical Patch for Windows Servers
Microsoft distributes Windows, PowerPoint patches
Patch Tuesday updates fix a trio of Windows 7 SP1 glitches
Microsoft Fixes Critical Windows Internet Name Service Flaw In Two-Patch Release
Microsoft fixes critical worm hole in Windows Server
Microsoft downplays Server bug threat, say researchers
Windows Update

Now get off your ass and do the Microsoft patch dance!

/so, until next time, stay updated, same patch day, same patch channel

It Must Be Tuesday Again

Because Microsoft comes bearing gifts.

Patch Tuesday: Critical security holes in Microsoft Office

Microsoft has shipped a patch for to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.

The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.

It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.

The update also patches the DLL load hijacking attack vector that haunted multiple Windows applications, including Microsoft’ own Office software.

Microsoft urges Office users to consider this a “top priority bulletin” and warned that reliable exploit code is likely within the next 30 days.

As part of the November Patch Tuesday release, the company also patched a pair of security flaws in Microsoft PowerPoint and four documented flaws in Unified Access Gateway (UAG), which is a component of Microsoft Forefront.

See also:
Microsoft Security Bulletin MS10-087 – Critical
Microsoft Office Takes Center Stage for Patch Tuesday
Small, But Serious Patch Tuesday
Microsoft Patch Tuesday: Updates for Office and Forefront
Microsoft patches critical Outlook drive-by bug
Microsoft plugs hole related to Word-launched e-mails
Microsoft Patch Tuesday Update Will Not Fix IE Flaw
IE zero-day vulnerability not part of light Patch Tuesday
Microsoft tiny Patch Tuesday has no IE fix
Microsoft’s Patch Tuesday for November does not include a fix for a zero-day flaw in Internet Explorer
Windows Update

Well, apparently Microsoft didn’t quite get to fixing everything that’s wrong with their software this time around, but you had better install the patch anyway.

/so, until next time, and you know there will be a next time . . .

It’s Another New Record And For All The Wrong Reasons

It’s Tuesday, and we all know what fun event happens on Tuesdays.

Patch Tuesday brings record harvest of security fixes

Run Windows? Notice a little icon toward the bottom right of the screen that wasn’t there last night? Please don’t ignore it. That icon is your cue to take part in the monthly Microsoft ritual called Patch Tuesday.

For this month, Microsoft shipped a set of 16 patches that close a record 49 vulnerabilities in such software as Internet Explorer, Word and Windows Media Player.

Many of these holes allow a remote takeover of your computer, in some cases after you do nothing wrong beside visit the wrong Web page. One such opening has frequently been exploited by the Stuxnet worm that’s been running around the world.

Your computer should at least download, if not download and install, these updates for you. But if not, don’t reject Windows’ attempt to help you out. Click that icon, look over the resulting list of security updates, and install them.

See also:
Microsoft security updates for October 2010
Microsoft Plugs a Record 49 Security Holes
It’s Microsoft Patch Tuesday: October 2010
Microsoft Unleashes Massive Security Patch
Microsoft fixes record 49 holes, including Stuxnet flaw
Microsoft Releases Biggest-ever Security Update
Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser
Microsoft Patches Stuxnet Vulnerability in Massive Security Update
Microsoft releases fixes for record number of vulns
Microsoft aims barrage of fixes at Stuxnet and more

So, you know what to do, clean up after Microsoft’s crappy software before someone remotely takes over your computer with a worm and you become part of the problem.

/unless you’re Iranian, in which case there’s a special set of patches coming out for your computers and they download and install themselves so you don’t even need to worry about this latest bulletin

Pushing The Cyberwarfare Envelope

A computer worm so sophisticated that it attacks specific targets in specific countries, gee I wonder who would be capable of developing something that advanced?

Stuxnet Compromise at Iranian Nuclear Plant May Be By Design

Iran has confirmed that more than 30,000 PCs have been infected by the Stuxnet worm in that country, including some at the Bushehr nuclear power plant. The nature of the Stuxnet worm and the infiltration of Iranian nuclear facilities has led to speculation about whether the worm was developed by the United States or its allies expressly for that purpose.

The Pentagon response to the implication is the standard cagey reply given for just about anything related to national security or military engagements. Fox News reports that, “Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack.”

McAfee AVERT Labs has a thorough analysis of the Stuxnet worm which explains the threat in detail. “Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.”

Another interesting tidbit from McAfee supporting the speculation that Iran may have been the intended target of Stuxnet is that the initial discovery seemed to be primarily focused in the Middle East.

Speaking on the subject of whether the threat may have been specifically crafted for Iran, Randy Abrams, director of technical education at ESET said, “It appears that it is possible that Stuxnet may have been responsible for problems in Iran’s nuclear program over the past year, however that is speculation and it is unlikely that the Iranian government is going to say if that was the case. It is even possible that it was the case and they don’t know it.”

Abrams added, “It is entirely possible that Stuxnet was created by the United States working alone or in conjunction with allies. The fact that it is possible does not indicate it is true however. There have been a number of recent defections in Iran. It is also possible that this was an internal attack. There is still a legitimate question as to whether or not Iran was actually the target.”

See also:
Stuxnet Update
Iranian power plant infected by Stuxnet, allegedly undamaged
Iran admits Stuxnet worm infected PCs at nuclear reactor
Pentagon Silent on Iranian Nuke Virus
Stuxnet Worm Affects 30,000 Computers in Iran
Stuxnet worm assault on Iranian nuclear facilities’ computers may be Western cyber attack: experts
Computer worm infects Iran’s nuclear station
Stuxnet: Future of warfare? Or just lax security?
Stuxnet – a new age in cyber warfare says Eugene Kaspersky
Has the West declared cyber war on Iran?
Web virus aimed at nuclear work, says Tehran
Report: Stuxnet Worm Attacks Iran, Who is Behind It?
US, Israel behind cyber-attack on Iran?

Well, diplomacy sure as hell isn’t working and no one really wants to launch airstrikes against the Iranian nuclear facilities, especially fraidy cat Obama. So, maybe this is a third option, use the Iranians’ own computers to remotely destroy their nuclear related equipment, perfect, if it actually works. I know I’ve got my fingers crossed. Go U.S. or go Israel or go whoever is responsible for this brilliant plan!

/all your nuclear related computers are belong to us!

It’s A Record Patchapalooza Tuesday!

Does Microsoft Windows suck? Um, why do you ask?

Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

It’s a very busy Patch Tuesday for Windows users: 14 bulletins covering 34 serious security vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

As previously reported, eight of the bulletins are rated “critical” because of the risk of remote code execution attacks. The other six are rated “important.”

The company also released a security advisory to warn of a new elevation of privilege issue in the Windows Service Isolation feature.

Windows users are urged to pay special attention to these four bulletins:

MS10-052 resolves a privately reported vulnerability in Microsoft’s MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

MS10-055 resolves a privately reported vulnerability in the Cinepak codec that could allow remote code execution if a user opens a specially crafted media file, or receives specially crafted streaming content from a Web. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

MS10-056 resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Windows Vista and Windows 7 are less exploitable due to additional heap mitigation mechanisms in those operating systems.

MS10-060 resolves two privately reported vulnerabilities, both of which could allow remote code execution, in Microsoft .NET Framework and Microsoft Silverlight.

As Computerworld’s Gregg Keizer points out, the August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches.

See also:
Microsoft Security Bulletin Summary for August 2010
MS10-052
MS10-055
MS10-056
MS10-060
Windows Update Home
Record Patch Tuesday yields critical Windows, IE fixes
Record Patch Tuesday: Where to Begin
It’s Microsoft Patch Tuesday: August 2010
Microsoft: Big Patch Tuesday for IT Administrators
Microsoft releases record number of security patches
Microsoft issues patches for a record 35 fresh security holes
Microsoft Issues Biggest Security Patch Yet

What the hell is Bill Gates selling anyway, a computer operating system or Swiss cheese?

/you’d better get busy downloading, this one takes a while, sucks if you have dial up