Tuesday Fun With Microsoft

It’s another big one and the flaws are serious.

Microsoft Fixes 24 Bugs in June Patch Tuesday

Microsoft addressed 24 security vulnerabilities across 16 security bulletins in June’s Patch Tuesday update. This will be Microsoft’s second-largest Patch Tuesday in 2011 after April’s gargantuan release.

Microsoft patched the Windows operating system, all supported versions of Internet Explorer, Microsoft Office, SQL Server, Forefront, .NET/Silverlight, Active Directory and Hyper-V, the company said in its Patch Tuesday advisory released June 14. Of the patches, nine have been rated as “critical,” and seven have been ranked as important, according to Microsoft.

Microsoft called out four critical updates as top priorities on the Microsoft Security Response Center blog. They include a fix for all versions of the SMB Client on Windows (MS11-043), 11 bugs in all versions of Internet Explorer (MS11-050), another Windows flaw (MS11-052) and two issues in the DFS client for all versions of Windows (MS11-042), according to Trustworthy Computing’s Angela Gunn.

See also:
Microsoft Security Bulletin Summary for June 2011
Microsoft ‘Patch Tuesday’ Fixes 24 Flaws In 16 Updates
MS Patch Tuesday: Gaping holes haunt Internet Explorer browser
Patch Tuesday Fixes Dangerous Flaws with Exploits Imminent
Microsoft plugs 34 holes; Adobe fixes Flash Player bug
Microsoft patches critical IE9, Windows bugs
Patch Tuesday heralds a busy spell for admins
Microsoft Puts Out 16 Patches, 9 Critical, for June
Microsoft issues 16 bulletins, 9 critical including SMB, IE fixes
June Gloom: Microsoft Releases 16 Bulletins for Patch Tuesday
Windows Update

Damn, if Windows was a car that had been “repaired” this many times, it wouldn’t have any original parts left.

/anyway, get busy with the updating, don’t let the bad guys in, at least until they find new holes in Widows that Microsoft will have to patch next month

Tuesdays With Microsoft

Thankfully, it’s a relatively wee one.

Microsoft Unleashes Critical Update for Windows Server

Today is Patch Tuesday, and Microsoft is taking it easy on IT admins with a meager two security bulletins this month. But, don’t let the small number of updates lull you into a false sense of security. They may be few, but the patches this month are still crucial for network and computer security.

MS11-035 is rated as Critical and affects the WINS component of Windows Server 2003 and 2008, and MS11-036 is an Important security bulletins related to flaws in Microsoft PowerPoint.

See also:
Microsoft Security Bulletin Summary for May 2011
Microsoft plugs critical hole in Windows
Microsoft Releases Patch Tuesday Fixes for Windows Server and PowerPoint
Microsoft Releases Critical Patch for Windows Servers
Microsoft distributes Windows, PowerPoint patches
Patch Tuesday updates fix a trio of Windows 7 SP1 glitches
Microsoft Fixes Critical Windows Internet Name Service Flaw In Two-Patch Release
Microsoft fixes critical worm hole in Windows Server
Microsoft downplays Server bug threat, say researchers
Windows Update

Now get off your ass and do the Microsoft patch dance!

/so, until next time, stay updated, same patch day, same patch channel

It’s Another New Record And For All The Wrong Reasons

It’s Tuesday, and we all know what fun event happens on Tuesdays.

Patch Tuesday brings record harvest of security fixes

Run Windows? Notice a little icon toward the bottom right of the screen that wasn’t there last night? Please don’t ignore it. That icon is your cue to take part in the monthly Microsoft ritual called Patch Tuesday.

For this month, Microsoft shipped a set of 16 patches that close a record 49 vulnerabilities in such software as Internet Explorer, Word and Windows Media Player.

Many of these holes allow a remote takeover of your computer, in some cases after you do nothing wrong beside visit the wrong Web page. One such opening has frequently been exploited by the Stuxnet worm that’s been running around the world.

Your computer should at least download, if not download and install, these updates for you. But if not, don’t reject Windows’ attempt to help you out. Click that icon, look over the resulting list of security updates, and install them.

See also:
Microsoft security updates for October 2010
Microsoft Plugs a Record 49 Security Holes
It’s Microsoft Patch Tuesday: October 2010
Microsoft Unleashes Massive Security Patch
Microsoft fixes record 49 holes, including Stuxnet flaw
Microsoft Releases Biggest-ever Security Update
Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser
Microsoft Patches Stuxnet Vulnerability in Massive Security Update
Microsoft releases fixes for record number of vulns
Microsoft aims barrage of fixes at Stuxnet and more

So, you know what to do, clean up after Microsoft’s crappy software before someone remotely takes over your computer with a worm and you become part of the problem.

/unless you’re Iranian, in which case there’s a special set of patches coming out for your computers and they download and install themselves so you don’t even need to worry about this latest bulletin

Chinese Dragon And American Eagle Headed In Opposite Directions

While we unilaterally disarms under Obama, the Chinese are strengthening their military capabilities, specifically gearing toward a confrontation with the United States.

China Strengthens Strategic Capability, Report Says

The U.S. Defense Department said in a report issued yesterday that China continues to strengthen its strategic capability through updates to its nuclear and missile systems, the Associated Press reported (see GSN, June 3; Anne Flaherty, Associated Press/Yahoo!News, Aug. 16).

. . .

Beijing’s aggressive spending on its effort to become a top military force has been recognized for some time, AP reported. China has rejected U.S. concerns about its defense program. Frustrated by Washington’s military support for Taiwan, it has halted U.S.-Chinese military contact that could address the issue.

“The limited transparency in China’s military and security affairs enhances uncertainty and increases the potential for misunderstanding and miscalculation,” the report says (Flaherty, Associated Press).

U.S. Senator John Cornyn (R-Texas) said the Pentagon document “paints an alarming picture, despite its ‘glass half full’ perspective,” the Washington Times reported.

“It is clear that China is aggressively expanding its military capabilities, which appear to be aimed at limiting American strategic options in the Pacific,” he said. “This troubling reality is inconsistent with China’s supposed interest in fostering a peaceful, stable region” (Bill Gertz, Washington Times, Aug. 16).

Read the report:

Military and Security Developments
Involving the People’s Republic of China
2010

See also:
U.S. Sounds Alarm at China’s Military Buildup
Economic powerhouse China focuses on its military might
Pentagon: China Continues to Expand Military Capability
The Chinese Military Challenge
China Could Intervene at Military ‘Flash Points,’ Pentagon Warns
China threat: Now you see it, now you don’t
Chinese military’s cyber-attack capabilities mysterious: Pentagon
China Fires Back on U.S. Report
China warns U.S. military report threatens ties
Pentagon’s China military report ‘ignores objective truth,’ says China
Chinese Government Rejects Pentagon Report on Country’s Military Ambition

I used to think that, given our vast Pacific superiority in the air, in space, and on the sea, there was no way in Hell that China would ever dare to invade Taiwan or otherwise engage the United States in a military conflict. Now, I’m no longer sure that’s necessarily true.

/every day, they get stronger, we get weaker, and the gap in the military balance of power narrows toward parity

If It’s Tuesday, It Must Be Microsoft Patch Day

Pack a lunch, it’s massive.

Patch Tuesday Updates Fix Critical Flaws in IE and DirectShow

Microsoft’s Patch Tuesday for June 2010 is here. Microsoft released a total of 10 new security bulletins, addressing 34 separate vulnerabilities, including critical flaws in DirectShow and the Internet Explorer Web browser. Let’s turn to some industry experts and security professionals for additional insight on the Microsoft security bulletins, and perspective on how to prioritize and protect against the potential threats.

Seven of the security bulletins are rated as Important, while the remaining three are Critical. The Critical security bulletins include MS10-033 for DirectShow, and MS10-035 which addresses six different vulnerabilities in Internet Explorer.

Joshua Talbot, security intelligence manager for Symantec Security Response, points out that “This is the largest Microsoft patch release of 2010 and ties the record for the most vulnerabilities ever addressed in a single month; a record set in October of last year. This month’s release also features the largest ever single bulletin, with 14 vulnerabilities in Excel being addressed together.”

See also:
Microsoft plugs critical holes in huge Patch Tuesday
Microsoft emphasizes three critical updates on patch-heavy Tuesday
Microsoft Issues Critical IE Fix In 10-Patch Update
Microsoft issues 10 patches as part of June update
Microsoft: 10 security bulletins, 34 vulnerabilities for Patch Tuesday
Microsoft patches IE8’s Pwn2Own bug in massive update
Microsoft finally fixes Pwn2Own browser flaw
Windows Update

The update takes a while to download and install, but several of the patches are critical.

/so, you know what you need to do, get in their and protect your computer from the evil doers

Patchapalooza Tuesday

It’s a triple witching day for computer patches.

Microsoft, Adobe, and Oracle Patch Nearly 100 Vulnerabilities

It’s a busy day for IT administrators and information security professionals. Not only is today Microsoft’s Patch Tuesday for the month of April, it is also the day of Adobe’s quarterly security updates. In total, there are 40 vulnerabilities being addressed today–many of them rated as critical and exposing systems to potential remote exploits.

Microsoft Patch Tuesday

A Microsoft spokesperson e-mailed the following “Today, as part of its routine monthly security update cycle, Microsoft is releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania.”

Qualys CTO Wolfgang Kandek noted in his blog post “Microsoft’s patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages, IT administrators with a good inventory of their installed base will have an easier time to evaluating which machines need patches.”

“The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts,” said Joshua Talbot, security intelligence manager, Symantec Security Response in an e-mailed statement. “Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability.”

Talbot continued “It allows an attacker to fool Windows into thinking that a malicious program was created by a legitimate vendor. If a user begins to download an application and they see the Windows’ notification telling them who created it, they might think twice before proceeding if it’s from an unfamiliar source. This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate.”

Andrew Storms, director of security operations for nCircle offered this analysis “More movies and more malware: that’s what we’ve got to look forward to on the Internet. Microsoft is patching critical bugs in Windows Media Player and Direct Show this month–both of these bugs lend themselves to online video malware. If you put these fixes together with Apple’s recent patch of Quicktime, it’s pretty obvious that attackers are finding a lot of victims through video.”

nCircle’s Tyler Reguly points out that there is also a greater message to be learned from the patches. “As an avid Windows XP user, I’m leaning more and more towards making the jump to Windows 7; with the added security it just makes sense. Looking at the top two vulnerabilities (MS10-027 and MS10-026), my Windows XP systems are vulnerable to both, yet my Windows 7 laptop isn’t affected by either of them. The newer operating system just makes sense.”

Adobe Quarterly Update

As if eleven security bulletins fixing 25 different vulnerabilities wasn’t enough, IT administrators must also address the critical updates released today from Adobe. nCircle’s Storms points out that “Every one of the 15 bugs can be used for remote code execution. Given the increase in the number of attacks that use Adobe PDF files, all users are strongly urged to upgrade immediately.”

Storms added “In stark contrast to Microsoft’s patch process, Adobe’s security bulletin information lacks details, especially critical information about potential workarounds. For enterprises that have a long test cycle, it can take weeks or even months to roll out updates. With no workaround information, Adobe leaves their enterprise customers vulnerable and security teams everywhere frustrated and annoyed.”

Andrew Brandt, lead threat research analyst with Webroot, warns “What’s more, they should be aware that Foxit Reader–which also reads PDFs–is actually more vulnerable.”

It is also worth noting that Adobe has rolled out its new update system which it has been beta testing over the past couple of months. Users can now configure Adobe software to automatically install updates, enabling security patches to be applied without requiring any user intervention.

Don’t Forget Oracle

Wait, there’s more! Not wanting to be left out of the patch day festivities, Oracle has also unleashed its own deluge of updates–more than Microsoft and Adobe combined.

There is a little bit of good news, though. Very few organizations will actually be impacted by every single one of the disclosed vulnerabilities. Qualys’ Kandek points out “This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.”

The same logic holds true for Oracle and, to a lesser extent Adobe–although Adobe Reader is fairly ubiquitous. Have fun!

See also:
Microsoft, Adobe, Oracle offer fixes in big Patch Tuesday
Patch Tuesday: Microsoft safeguards video, Adobe secures PDFs
Microsoft Patch Tuesday Fixes 5 Critical Flaws
Microsoft Targets Media Flaws In April Patches
Microsoft blocks ‘movies-to-malware’ attacks
Microsoft Releases Multiple Updates; Vista SP0 Support Ends
Microsoft Security Bulletin Summary for April 2010
New Adobe Auto-Updater Debuts On Super (Patch) Tuesday
Adobe Patches Acrobat/Reader Vulnerabilities, Updates on Updating
Security update available for Adobe Reader and Acrobat

/so, you know the drill people, get busy downloading those patches, hope you’re not on dial up!