Microsoft Security Updates for August 2015

This week on Patch Tuesday, Microsoft released fourteen security bulletins, four of which are considered critical.

Systems affected include Windows, Internet Explorer, Office, Silverlight, Microsoft .NET Framework, Microsoft Lync, and Microsoft Server Software. Some of the fixes are for Windows 10, including its newest browser Microsoft Edge. An attacker could run malicious code on an affected machine if a user visits a specially-crafted webpage, allowing access at the logged-in user level.

Be sure to accept the updates as they occur, or go to the Windows Update site. You may need to restart your machine after installing patches.

Read the story in the news.

WordPress Releases Update to Address Zero Day Flaw

This week WordPress released a critical update to fix a vulnerability in its content management system that could be exploited to hijack web admin accounts. An exploit for the vulnerability was released over the weekend.

Attackers could exploit the flaw by embedding malicious code in a comment. If the attacker has previously made an innocuous post that gets approved by a site administrator, the new comment containing the code would post automatically and the code would execute. The WordPress update brings the most current version to 4.2.1.

Read the story in the news.

Apple Security Update

Apple has issued its second security update this month. It turns out the security holes fixed the previous week needed a repatch. The company released security update 2015-003 for OS X Yosemite last week, addressing 2 vulnerabilities. One vulnerability could potentially allow an attacker with a “privileged network position” to execute arbitrary code. The other vulnerability is a privilege escalation issue.

Users can update by going to the App Store and clicking Updates. To receive updates automatically, go to System Preferences > App Store, then check the boxes for installing and downloading available updates.

Learn more about this security update.

Google and Microsoft Miscommunication?

Google’s Project Zero posted details of a vulnerability in Windows 8.1 after waiting 90 days, to no avail, for Microsoft to respond. Once a vulnerability is public knowledge, it can be abused by attackers. Microsoft criticized Google for publicizing the flaw too early, saying the company had put Windows customers at risk.

According to Microsoft, it had specifically asked Google to withhold details of the flaw until January 13, Patch Tuesday, when the fix would be released. Microsoft patched two Windows vulnerabilities that were exposed by Google in MS15-001 and MS15-003.

In keeping with its 90-day policy, Google disclosed two additional vulnerabilities after the patches were released on Tuesday of last week. One of them does not appear to be a security issue. The next Patch Tuesday is scheduled for February 10, when presumably the more serious of the two vulnerabilities will be patched.

Microsoft Security Updates for November 2014

Microsoft issued 16 security bulletins on Tuesday, November 11. Five of the bulletins were given critical ratings.

Systems affected:

  • Windows
  • Office
  • Microsoft .NET Framework
  • Microsoft Server Software
  • Internet Explorer

The updates will be available through the normal Windows Update process.

Read the full story online.

Microsoft Security Updates for October 2014

On Tuesday of last week, Microsoft released 8 security updates (3 critical and 5 important) to address 24 vulnerabilities in Windows, IE and Office, including a flaw in Windows and Windows Server 2008 and 2012 that is actively exploited as part of the Sandworm Team attacks. The updates include fixes for a pair of critical flaws in the Windows kernel that could be exploited to execute code.

These patches have been approved for deployment via MIT WAUS (Windows Automatic Update Services).

Read the story online.

Microsoft Security Updates for August 2014

On Tuesday of last week, Microsoft issued nine security bulletins to address a total of 37 security issues in its products. The bulletins include a cumulative update for Internet Explorer (IE) and fixes for vulnerabilities in Windows, Office, SharePoint Server, SQL Server software, and .NET Framework.

One of the critical patches remediates the bulk of the vulnerabilities, including 26 bugs in IE, of which the most severe could allow remote code execution (RCE). The patch fixes IE 6 through 11. Next month a new security feature will be added to IE to deal with many of these repeat vulnerabilities. See the article on “Improved Security for Internet Explorer” in this newsletter below.

Read the full story in the news.