Microsoft releases emergency IE patches inside 'optional, non-security' cumulative updates

Credit to Author: Woody Leonhard| Date: Tue, 24 Sep 2019 12:13:00 -0700

I’ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed – the patching files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.

On a Monday.

In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They’re “optional non-security” and “Monthly Rollup preview” patches, so you won’t get them unless you specifically go looking for them.

To read this article in full, please click here

Read more

Microsoft delivers emergency security update for antiquated IE

Credit to Author: Gregg Keizer| Date: Tue, 24 Sep 2019 03:00:00 -0700

Microsoft on Monday released an emergency security update to patch a vulnerability in Internet Explorer (IE), the legacy browser predominantly used by commercial customers.

The flaw, which was reported to Microsoft by Clement Lecigne, a security engineer with Google’s Threat Analysis Group (TAG), has already been exploited by attackers, making it a classic “zero-day,” a vulnerability actively in use before a patch is in place.

In the security bulletin that accompanied the release of the IE patch, Microsoft labeled the bug a remote code vulnerability, meaning that a hacker could, by exploiting the bug, introduce malicious code into the browser. Remote code vulnerabilities, also called remote code execution, or RCE, flaws, are among the most serious. That seriousness, as well as the fact that criminals are already leveraging the vulnerability, was reflected in Microsoft’s decision to go “out of band,” or off the usual patching cycle, to plug the hole.

To read this article in full, please click here

Read more

Heads up: Microsoft is back to snooping with this month’s Win7 and 8.1 'security-only' patches

Credit to Author: Woody Leonhard| Date: Thu, 12 Sep 2019 09:32:00 -0700

Two months ago, the July Win7 security-only patch was found to install telemetry software, triggered by newly installed scheduled tasks called ProgramDataUpdater, Microsoft Compatibility Appraiser, and AitAgent. As best I can tell, Microsoft never admitted that its security-only patch dropped a telemetry component.

The August security-only update didn’t include that bit of snooping, so it looked like the July snooping was a one-off aberration.

To read this article in full, please click here

Read more

September 2019’s Patch Tuesday: 2 zero-days, 17 critical bugs

Credit to Author: John E Dunn| Date: Thu, 12 Sep 2019 11:33:58 +0000

Sometimes, a Patch Tuesday update arrives with a bang that sends users scrambling for cover – September’s update earns that description.<img src=”http://feeds.feedburner.com/~r/nakedsecurity/~4/lRHTsM8cImQ” height=”1″ width=”1″ alt=””/>

Read more

Heads up: A free, working exploit for BlueKeep just hit

Credit to Author: Woody Leonhard| Date: Fri, 06 Sep 2019 11:33:00 -0700

There’s been a lot of discussion about BlueKeep, its ramifications and various strategies for blocking it. In a nutshell, it’s a security hole in the Windows Remote Desktop Protocol that allows a malicious program to enter your machine – if you have Remote Dekstop turned on, it’s accessible directly from the internet, and you haven’t installed the May patches.

Two weeks ago, Susan Bradley posted a CSO article that details ways admins can  avoid using RDP. I’ve seen reams of advice about blocking ports, disabling services, setting authentication levels, deploying voodoo dolls, reading chicken entrails…, but the simplest way for almost everybody to avoid the problem is to install the May (or later) Windows patches.

To read this article in full, please click here

Read more

Time to install the August Windows patches — but watch out for the bugs

Credit to Author: Woody Leonhard| Date: Fri, 06 Sep 2019 08:16:00 -0700

August brought loads of drama to the Windows and Office patching scene. Microsoft’s first round of patches killed Visual Basic, Visual Basic for Applications and VBScript in certain situations — on all versions of Windows. Fixes for the bugs dribbled out three, four, six and 17 days after the original infection. 

Those Microsoft-introduced bugs were all the more daunting because the August patches are the ones intended to protect us from DejaBlue — the recently announced “wormable” malware infection vector that (thankfully!) has yet to be exploited. The mainstream press picked up the Chicken Little cry to install August patches right away. Then the buggy offal hit the impeller, and the press fell silent.

To read this article in full, please click here

Read more