Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

It's official, all major SSL stacks are now vulnerable.  There are already a number of detailed blogs written about this new vulnerability, so I am not going to rewrite all of the details.  I am going to sum it up and bottom line it for you.  Here is a good detailed account of the issue if you are interested. SCHANNEL is to Windows in the same way OpenSSL is to Linux.  It is used in almost all instances where Windows is listening for SSL traffic. Many people are claiming this is something that needs to be pushed out asap, but as [...]

By | 2014-11-21T18:20:21-05:00 November 12th, 2014|Microsoft, Microsoft Security Bulletin, Patches|Comments Off on Now It’s Microsoft’s Turn, SSL Vulnerability in SCHANNEL

Internet Explorer Zero Day – Emergency Patch Released, includes XP

UPDATED 5/1/2014: Microsoft has released an emergency out-of-band update for Internet Explorer that resolves this issue.  They are including updates to IE in Windows XP as well.  We recommended deploying this update as soon as possible. Microsoft released an advisory on April 26th: Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been [...]

Windows 8.1, Server 2012 R2 no longer receiving updates

Microsoft has said the Windows 8.1 and Server 2012 R2 will no longer receive updates unless they have the April 2014 updates installed.  In other words, you can wait until November to install the April update, but you will not receive any updates from May until November until the April patch is installed. In a recent security update from Microsoft, Steve Thomas at Microsoft posted a TechNet article stating that Microsoft will no longer issue security patches for Windows 8.1 or Windows Server 2012 R2, starting in May, because "Microsoft wants to ensure that customers benefit from the best support and [...]

By | 2014-04-23T14:19:54-05:00 April 23rd, 2014|Computer & Network Security, Microsoft, Patches|0 Comments

Microsoft Word Zero Day – Confirmed Attacks

Microsoft released a zero-day advisory for Microsoft Word.  According to Microsoft, "At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer." A patch should be released on April 8th, Patch Tuesday. For now, an immediate mitigation is to Disable opening RTF content in Microsoft Word, which prevents the exploitation of this issue [...]

Adobe Flash Player Critical Update

Adobe has released a critical patch to address a vulnerability that could allow an attacker to take control of an affected system. Release date: February 4, 2014 Vulnerability identifier: APSB14-04 CVE number: CVE-2014-0497 Platform: All Platforms Source: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html

By | 2014-02-04T21:07:57-05:00 February 4th, 2014|Adobe, Computer & Network Security, Patches|0 Comments

Microsoft January Security Bulletin

Today Microsoft released four security bulletins. All five have a maximum severity rating of Important. Source:https://technet.microsoft.com/en-us/security/bulletin/ms14-jan

Poor Patching, Communication Facilitated July Dept. of Energy Breach

Source: http://threatpost.com/poor-patching-communication-facilitated-july-dept-of-energy-breach/103200 The U.S. Department of Energy is describes what lead to July breach Failures around vulnerability management, access controls and a general lack of communication between decision makers Hackers were able to penetrate a Web-facing application and steal personal information on 104,179 current and former employees, dependents and contractors. They had access to information that could have included Names, addresses, Social Security numbers, dates of birth and bank account information, unencrypted DOE failed to live up to industry standards and government mandates around not only encryption of sensitive data but also to install software updates, purchased in March, that would [...]

Microsoft December Security Bulletin

Today Microsoft released eleven security bulletins addressing 24 CVE’s. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. http://blogs.technet.com/b/srd/archive/2013/12/10/assessing-risk-for-the-december-2013-security-updates.aspx

Microsoft November Security Bulletin

Today Microsoft released eight security bulletins addressing 19 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. http://blogs.technet.com/b/srd/archive/2013/11/12/assessing-risk-for-the-november-2013-security-updates.aspx