Credit to Author: John E Dunn| Date: Wed, 25 Sep 2019 11:48:58 +0000
Microsoft has rushed to patch two flaws affecting IE versions 9 to 11, one of which the company says is being exploited in real attacks.<img src=”http://feeds.feedburner.com/~r/nakedsecurity/~4/JKx5VMBH6xs” height=”1″ width=”1″ alt=””/>
Read more
Credit to Author: Woody Leonhard| Date: Tue, 24 Sep 2019 12:13:00 -0700
I’ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed – the patching files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.
On a Monday.
In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They’re “optional non-security” and “Monthly Rollup preview” patches, so you won’t get them unless you specifically go looking for them.
Credit to Author: Gregg Keizer| Date: Tue, 24 Sep 2019 03:00:00 -0700
Microsoft on Monday released an emergency security update to patch a vulnerability in Internet Explorer (IE), the legacy browser predominantly used by commercial customers.
The flaw, which was reported to Microsoft by Clement Lecigne, a security engineer with Google’s Threat Analysis Group (TAG), has already been exploited by attackers, making it a classic “zero-day,” a vulnerability actively in use before a patch is in place.
In the security bulletin that accompanied the release of the IE patch, Microsoft labeled the bug a remote code vulnerability, meaning that a hacker could, by exploiting the bug, introduce malicious code into the browser. Remote code vulnerabilities, also called remote code execution, or RCE, flaws, are among the most serious. That seriousness, as well as the fact that criminals are already leveraging the vulnerability, was reflected in Microsoft’s decision to go “out of band,” or off the usual patching cycle, to plug the hole.
Credit to Author: Woody Leonhard| Date: Thu, 12 Sep 2019 09:32:00 -0700
Two months ago, the July Win7 security-only patch was found to install telemetry software, triggered by newly installed scheduled tasks called ProgramDataUpdater, Microsoft Compatibility Appraiser, and AitAgent. As best I can tell, Microsoft never admitted that its security-only patch dropped a telemetry component.
The August security-only update didn’t include that bit of snooping, so it looked like the July snooping was a one-off aberration.
Credit to Author: John E Dunn| Date: Thu, 12 Sep 2019 11:33:58 +0000
Sometimes, a Patch Tuesday update arrives with a bang that sends users scrambling for cover – September’s update earns that description.<img src=”http://feeds.feedburner.com/~r/nakedsecurity/~4/lRHTsM8cImQ” height=”1″ width=”1″ alt=””/>
Read more
Credit to Author: Danny Bradbury| Date: Mon, 09 Sep 2019 10:09:52 +0000
If you’re worried about the evil potential of deepfake video, you’re not alone; so is Facebook.<img src=”http://feeds.feedburner.com/~r/nakedsecurity/~4/M4dTDNkzUsk” height=”1″ width=”1″ alt=””/>
Read more
Credit to Author: Woody Leonhard| Date: Fri, 06 Sep 2019 08:16:00 -0700
August brought loads of drama to the Windows and Office patching scene. Microsoft’s first round of patches killed Visual Basic, Visual Basic for Applications and VBScript in certain situations — on all versions of Windows. Fixes for the bugs dribbled out three, four, six and 17 days after the original infection.
Those Microsoft-introduced bugs were all the more daunting because the August patches are the ones intended to protect us from DejaBlue — the recently announced “wormable” malware infection vector that (thankfully!) has yet to be exploited. The mainstream press picked up the Chicken Little cry to install August patches right away. Then the buggy offal hit the impeller, and the press fell silent.
Credit to Author: Woody Leonhard| Date: Fri, 30 Aug 2019 10:27:00 -0700
What happens when Microsoft releases eight – count ‘em, eight – concurrent beta test versions of Win10 version 1909 without fixing bugs introduced into 1903 on Patch Tuesday?
Pan. De. Moaaan. Ium.
No doubt, you recall the first wave of pain inflicted by the August 2019 patching regimen. Microsoft somehow managed to mess up Visual Basic (an old custom programming language), Visual Basic for Applications (for Office macros) and VBScript (a largely forgotten language primarily used inside Internet Explorer). Folks running applications in any of those languages would, on occasion, receive “invalid procedure call error” messages when using apps that had been working for decades.
Credit to Author: Lisa Vaas| Date: Fri, 30 Aug 2019 10:35:34 +0000
Apple is turning off automatic review of Siri audio and locking it down so that only Apple employees get to listen to it.<img src=”http://feeds.feedburner.com/~r/nakedsecurity/~4/YC7GTRUdtR8″ height=”1″ width=”1″ alt=””/>
Read more
Credit to Author: Lisa Vaas| Date: Thu, 29 Aug 2019 10:52:13 +0000
EU data watchdogs are yet again sniffing at Windows 10.<img src=”http://feeds.feedburner.com/~r/nakedsecurity/~4/0qhmDvOnAaI” height=”1″ width=”1″ alt=””/>
Read more