Do The Microsoft Patch Dance

The dance that never ends.

Microsoft Patch

Microsoft released 13 security bulletins, patching 22 vulnerabilities across its product line, including two critical updates affecting Internet Explorer and the Windows DNS Server.

While Microsoft issued fewer updates this month, August was still marked as a busy month for system administrators. Adobe Systems Inc., which issues fixes on a quarterly cycle, issued a critical security update late Tuesday, repairing seven flaws in its Shockwave Player, more than a dozen holes in its Flash Player and an error in its Flash Media Server.

Microsoft addressed seven vulnerabilities in Internet Explorer including two zero-day flaws. According to MS11-057, Microsoft said an attacker who successfully exploited any of the vulnerabilities could gain the same user rights as the local user. Microsoft said the most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

. . .

Another noteworthy bulletin is MS11-065, which resolves a vulnerability in the Remote Desktop Protocol. Although the security bulletin is rated important for users of Windows Server 2003, Miller said Microsoft has seen attacks targeting the flaw in the wild. The flaw can be targeted if an attacker sends a malicious remote desktop protocol connection request to the victim’s computer which could cause the system to crash.

See also:
Microsoft Security Bulletin Summary for August 2011
Microsoft Fixes IE, Windows DNS Server Flaws In Patch Tuesday Update
Microsoft Patches 22 Security Holes
Microsoft Security Patch Fixes 20-Year-Old Flaw
Microsoft fixes 22 security bugs
Microsoft’s August Patch Tuesday security update to tackle critical flaws in IE and Windows Server
Your Microsoft Patch Tuesday update for August 2011
Microsoft to Fix 22 Software Flaws in Its August Patch Tuesday Update
Hefty Microsoft August Patch Delivers 13 Security Fixes
IE, Windows server bugs likely to be exploited soon
Microsoft expecting exploits for critical IE vulnerabilities
Microsoft Update

Get busy downloading.

/so, until the next Patch Tuesday . . .

It’s Tuesday, Time To Download Microsoft Patches

And this Tuesday, there’s an extra big heapin’ helpin’ of downloadin’ fun!

Microsoft Issues Huge Patch Tuesday Fix for Windows, IE

Microsoft today released a batch of 17 security updates for a Patch Tuesday that cover 64 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Visual Studio, .NET Framework and GDI+.

Nine of the bugs are rated critical, while eight are important. One of the “important” bulletins includes 30 vulnerabilities in one bug, MS11-034, and they all share the same couple of root causes, Microsoft said.

Microsoft identified three vulnerabilities as its top priority bulletins for the month: MS11-020, which resolves a problem with Windows that could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system; MS11-019, another Windows bug that could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request; and MS11-018, which could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

See also:
Microsoft Security Bulletin Summary for April 2011
Tackling the Massive Microsoft Patch Tuesday
Microsoft fixes IE, SMB bugs in big Patch Tuesday
Researcher confirms kernel bugs will dominate Patch Tuesday
Microsoft Smashes Patch Tuesday Record With Massive Update
Another Microsoft Patch Tuesday, 64 New Flaws To Fix
Microsoft Pushes Giant Security Patch
Microsoft delivers monster security update for Windows, IE
Microsoft Releases Torrent of Security Updates
Windows Update

It’s another record! Will Windows software ever be fully patched?

/probably not, so see ya next time, and have a good time downloading, this one takes quite a while!

Tuesday Fun With Microsoft

Give it up for Patch Tuesday, everyone’s favorite day of the month. Try and contain your excitement.

Microsoft Patch Tuesday Targets Four Bugs, One Critical

Microsoft on Tuesday issued three security bulletins that tackle four vulnerabilities. Just one of the vulnerabilities is rated critical. The other three are essentially the same bug, despite the fact that they affect three different products.

The first bug, MS11-015, describes two vulnerabilities in Windows Media. One, the only one rated critical in this group, is a bug in Windows Media Center and Windows Media Player related to the handling of .dvr-ms files. It can lead to remote code execution in the context of the user.

The other Windows Media bug, specifically in Microsoft DirectShow, is another instance of the insecure DLL loading bug that Microsoft and other vendors have been fixing for months. MS11-016 describes this bug in Microsoft Groove 2007 and MS11-017 describes it in the Windows Remote Desktop client.

Microsoft also released non-security updates today, including the monthly Windows Malicious Software Removal Tool, the update for the Windows Mail Junk E-mail Filter, and an update “to resolve issues” in Windows 7 and Windows Server 2008 R2.

See also:
Microsoft Security Bulletin Summary for March 2011
Microsoft Fixes Four Flaws
Microsoft patches critical Windows drive-by bug
Microsoft fixes critical Windows hole, others
Microsoft Patch Tuesday – three fixes for March, one critical, all ring coding alarms
Patch Tuesday: Gaping security hole in Windows Media Player
Critical Patch Tuesday Flaw Easy to Exploit
Go Plug Your Critical Hole
Microsoft Patch Tuesday leaves MHTML bug unchecked
Zero-day IE flaw not in Microsoft Patch Tuesday
Patch Tuesday Will Skip IE Before PWN2OWN Contest
March Patch Tuesday leaves IE unpatched for Pwn2Own hackers
Microsoft Releases Zero IE8 Security Updates Before “Pwn2Own” Browser Hacking Contest
Windows fix on Patch Tuesday ‘breaks’ VMware software
Microsoft Windows 7 Patches Wreak Havoc With VMware View
Windows 7 Update Breaks VMware Connection
Windows Update

As usual, Microsoft releases a patch that doesn’t even fix all the known issues and doesn’t play well with third party software. Particularly amusing is the fact that Microsoft is waiting to issue further patches until after a hacker contest is over fearing, with good reason, that the hackers will find even more Windows vulnerabilities.

/Microsoft Windows and Swiss cheese, what’s the difference?

Just Another Jumbo Sized, Incomplete Microsoft Patch Tuesday

Microsoft should just hire some of these hackers to code their software in the first place so they wouldn’t have to try and fix it every few weeks. It’d be cheaper and less of a hassle for everyone involved. Here’s the latest futile attempt at patching Windows.

Microsoft Patch Tuesday Bulletins Fix 11 Vulnerabilities

Microsoft has released nine security bulletins as part of its Patch Tuesday software update scheme.

The nine bulletins fix 11 security vulnerabilities found on Microsoft software.

According to the advisory, four security bulletins were marked as critical, out of which MS10-061 and MS10-062 ran the greatest risk of being exploited in the wild.

MS10-061 addressed a vulnerability in the Printer Spooler service, which could allow remote code execution from a malicious print request, tech news site eWeek reports.

The other critical vulnerability most likely to be exploited in the wild, MS10-062, could allow remote code execution by exploiting a vulnerability found in the way in which MPEG-4 codec dealt with media files.

See also:
Microsoft Security Bulletin Summary for September 2010
Microsoft Patch Tuesday for September 2010: nine bulletins
It’s Microsoft Patch Tuesday: September 2010
Large Patch Tuesday from Microsoft this month
Microsoft Patch Tuesday includes protection against Stuxnet worm
Patch Tuesday Fixes Another Stuxnet Vulnerability
Microsoft overlooks four Stuxnet zero-day bugs in Patch Tuesday
Microsoft Patch Tuesday halts two live attacks but offers no help for others
Microsoft Windows Update

Well, what are you waiting for? Get on with it, those updates aren’t going to install themselves!

/so, until the next Patch Tuesday . . .

It’s A Record Patchapalooza Tuesday!

Does Microsoft Windows suck? Um, why do you ask?

Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

It’s a very busy Patch Tuesday for Windows users: 14 bulletins covering 34 serious security vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

As previously reported, eight of the bulletins are rated “critical” because of the risk of remote code execution attacks. The other six are rated “important.”

The company also released a security advisory to warn of a new elevation of privilege issue in the Windows Service Isolation feature.

Windows users are urged to pay special attention to these four bulletins:

MS10-052 resolves a privately reported vulnerability in Microsoft’s MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

MS10-055 resolves a privately reported vulnerability in the Cinepak codec that could allow remote code execution if a user opens a specially crafted media file, or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

MS10-056 resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Windows Vista and Windows 7 are less exploitable due to additional heap mitigation mechanisms in those operating systems.

MS10-060 resolves two privately reported vulnerabilities, both of which could allow remote code execution, in Microsoft .NET Framework and Microsoft Silverlight.

As Computerworld’s Gregg Keizer points out, the August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches.

See also:
Microsoft Security Bulletin Summary for August 2010
MS10-052
MS10-055
MS10-056
MS10-060
Windows Update Home
Record Patch Tuesday yields critical Windows, IE fixes
Record Patch Tuesday: Where to Begin
It’s Microsoft Patch Tuesday: August 2010
Microsoft: Big Patch Tuesday for IT Administrators
Microsoft releases record number of security patches
Microsoft issues patches for a record 35 fresh security holes
Microsoft Issues Biggest Security Patch Yet

What the hell is Bill Gates selling anyway, a computer operating system or Swiss cheese?

/you’d better get busy downloading, this one takes a while, sucks if you have dial up

Okay Kids, It’s Tuesday, Remember What We Do On Tuesdays?

Why, we patch Windows on Tuesdays!

Microsoft Issues Four Patches, Fixes Critical Help Center Flaw

Microsoft (NSDQ:MSFT) released a mild bulletin for its July Patch Tuesday, repairing a total of five vulnerabilities with four security updates in Windows and Office, including a critical Help and Support Center flaw already exploited in the wild.

Of the four patches Microsoft released, three are considered critical, indicating that they can enable hackers to launch malicious attacks via remote code execution. The three critical flaws occur in both Microsoft Windows and Office, which included flaws in the Microsoft Help and Support Center, ActiveX and Canonical Display Driver. The fourth patch, ranked with the slightly less severe rating of “important,” occurs in Microsoft Outlook.

Hands down, security experts recommend that users apply a patch repairing a critical Help and Support Center flaw in Windows XP and supported editions of Windows Server 2003, which is currently being exploited in active attacks.

See also:
Microsoft security updates for July 2010
It’s Microsoft Patch Tuesday: July 2010
Microsoft Patch Tuesday for July 2010: four bulletins
Microsoft Issues Four Security Bulletins
Microsoft patches critical bugs in Windows, Office
Microsoft Patches Critical Security Holes, Ends Windows XP SP2 Support
One final patch for Windows XP Service Pack 2 before it reaches end-of-life
Microsoft Patches Windows, Office Bugs

You all know the drill for fixing this magnificent Bill Gates software.

/so, load ’em down, patch ’em up, patch ’em up, shut ’em down, boot ’em up, ride ’em on, Windows!

Patchapalooza Tuesday

It’s a triple witching day for computer patches.

Microsoft, Adobe, and Oracle Patch Nearly 100 Vulnerabilities

It’s a busy day for IT administrators and information security professionals. Not only is today Microsoft’s Patch Tuesday for the month of April, it is also the day of Adobe’s quarterly security updates. In total, there are 40 vulnerabilities being addressed today–many of them rated as critical and exposing systems to potential remote exploits.

Microsoft Patch Tuesday

A Microsoft spokesperson e-mailed the following “Today, as part of its routine monthly security update cycle, Microsoft is releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania.”

Qualys CTO Wolfgang Kandek noted in his blog post “Microsoft’s patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages, IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.”

“The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts,” said Joshua Talbot, security intelligence manager, Symantec Security Response in an e-mailed statement. “Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability.”

Talbot continued “It allows an attacker to fool Windows into thinking that a malicious program was created by a legitimate vendor. If a user begins to download an application and they see the Windows’ notification telling them who created it, they might think twice before proceeding if it’s from an unfamiliar source. This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate.”

Andrew Storms, director of security operations for nCircle offered this analysis “More movies and more malware: that’s what we’ve got to look forward to on the Internet. Microsoft is patching critical bugs in Windows Media Player and Direct Show this month–both of these bugs lend themselves to online video malware. If you put these fixes together with Apple’s recent patch of Quicktime, it’s pretty obvious that attackers are finding a lot of victims through video.”

nCircle’s Tyler Reguly points out that there is also a greater message to be learned from the patches. “As an avid Windows XP user, I’m leaning more and more towards making the jump to Windows 7; with the added security it just makes sense. Looking at the top two vulnerabilities (MS10-027 and MS10-026), my Windows XP systems are vulnerable to both, yet my Windows 7 laptop isn’t affected by either of them. The newer operating system just makes sense.”

Adobe Quarterly Update

As if eleven security bulletins fixing 25 different vulnerabilities wasn’t enough, IT administrators must also address the critical updates released today from Adobe. nCircle’s Storms points out that “Every one of the 15 bugs can be used for remote code execution. Given the increase in the number of attacks that use Adobe PDF files, all users are strongly urged to upgrade immediately.”

Storms added “In stark contrast to Microsoft’s patch process, Adobe’s security bulletin information lacks details, especially critical information about potential workarounds. For enterprises that have a long test cycle, it can take weeks or even months to roll out updates. With no workaround information, Adobe leaves their enterprise customers vulnerable and security teams everywhere frustrated and annoyed.”

Andrew Brandt, lead threat research analyst with Webroot, warns “What’s more, they should be aware that Foxit Reader–which also reads PDFs–is actually more vulnerable.”

It is also worth noting that Adobe has rolled out its new update system which it has been beta testing over the past couple of months. Users can now configure Adobe software to automatically install updates, enabling security patches to be applied without requiring any user intervention.

Don’t Forget Oracle

Wait, there’s more! Not wanting to be left out of the patch day festivities, Oracle has also unleashed its own deluge of updates–more than Microsoft and Adobe combined.

There is a little bit of good news, though. Very few organizations will actually be impacted by every single one of the disclosed vulnerabilities. Qualys’ Kandek points out “This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.”

The same logic holds true for Oracle and, to a lesser extent Adobe–although Adobe Reader is fairly ubiquitous. Have fun!

See also:
Microsoft, Adobe, Oracle offer fixes in big Patch Tuesday
Patch Tuesday: Microsoft safeguards video, Adobe secures PDFs
Microsoft Patch Tuesday Fixes 5 Critical Flaws
Microsoft Targets Media Flaws In April Patches
Microsoft blocks ‘movies-to-malware’ attacks
Microsoft Releases Multiple Updates; Vista SP0 Support Ends
Microsoft Security Bulletin Summary for April 2010
New Adobe Auto-Updater Debuts On Super (Patch) Tuesday
Adobe Patches Acrobat/Reader Vulnerabilities, Updates on Updating
Security update available for Adobe Reader and Acrobat

/so, you know the drill people, get busy downloading those patches, hope you’re not on dial up!