Malicious Word doc taps previously unknown Microsoft Office vulnerability
Credit to Author: Andrew Brandt| Date: Tue, 31 May 2022 00:41:42 +0000
MSDT.exe misuse in May makes for Memorial Day Monday mayhem
Read moreCredit to Author: Andrew Brandt| Date: Tue, 31 May 2022 00:41:42 +0000
MSDT.exe misuse in May makes for Memorial Day Monday mayhem
Read moreCredit to Author: Susan Bradley| Date: Mon, 16 May 2022 09:00:00 -0700
It’s the third week of the month — the week we find out whether Microsoft acknowledges any side effects it’s investigating as part of the monthly patch-release process.
First, a bit of background. Microsoft has released patches for years. But they haven’t always been released on a schedule. In the early days, Microsoft would release updates any day of the week. Then in October 2003, Microsoft formalized the release of normal security updates on the second Tuesday of the month. Thus was born Patch Tuesday. (Note: depending on where you are in the world, Patch Tuesday may be a Patch Wednesday.) The following day, or in some cases, over the next week, users and admins report issues with updates — and Microsoft finally acknowledges that, yes, there are issues.
Credit to Author: Greg Lambert| Date: Sat, 14 May 2022 05:51:00 -0700
This past week’s Patch Tuesday started with 73 updates, but ended up (so far) with three revisions and a late addition (CVE-2022-30138) for a total of 77 vulnerabilities addressed this month. Compared with the broad set of updates released in April, we see a greater urgency in patching Windows — especially wiith three zero-days and several very serious flaws in key server and authentication areas. Exchange will require attention, too, due to new server update technology.
Credit to Author: Greg Lambert| Date: Fri, 15 Apr 2022 10:40:00 -0700
This week’s Patch Tuesday release was huge, diverse, risky, and urgent, with late update arrivals for Microsoft browsers (CVE-2022-1364) and two zero-day vulnerabilities affecting Windows (CVE-2022-26809 and CVE-2022-24500). Fortunately, Microsoft has not released any patches for Microsoft Exchange, but this month we do have to deal with more Adobe (PDF) printing related vulnerabilities and associated testing efforts. We have added the Windows and Adobe updates to our “Patch Now” schedule, and will be watching closely to see what happens with any further Microsoft Office updates.
Credit to Author: Greg Lambert| Date: Fri, 11 Feb 2022 12:21:00 -0800
There are (as of now) 51 patches to the Windows ecosystem for February, but no critical updates and no “Patch Now” recommendations from the Readiness team. I’m hoping that with this month’s list of Patch Tuesday updates, we can enjoy the quiet after the storm. January was tough for a lot of folks. And, with this month’s very light release from Microsoft, corporate security and systems administrators can take the time needed to test their applications and desktop/server builds. It’s also important to invest in their testing methodologies, release practices, and how their applications may be affected by OS-level updates and patches.
Credit to Author: Greg Lambert| Date: Thu, 12 Mar 2020 11:41:00 -0700
This is a big update to the Windows platform for the Microsoft March Patch Tuesday release cycle. Consisting of 115 patches, mostly to the Windows desktop, with almost all of the critical issues relating to browser-based scripting engine memory issues, this will be a difficult set of updates to release and manage.
The testing profile for the Windows desktop platform is very large, with a lower than usual exploitability/risk rating. For this month, we do not have any reports of publicly exploited or disclosed vulnerabilities (zero-days), so my recommendation is to take your time, test the changes to each platform, create a staged rollout plan and wait for future (potentially) imminent changes from Microsoft.
Credit to Author: Woody Leonhard| Date: Wed, 26 Feb 2020 09:44:00 -0800
The real stinker this month, KB 4524244, rolled out the automatic update chute for four full days until Microsoft yanked it – leaving a trail of wounded PCs, primarily HP machines, in its wake. The other big-time bug in this month’s patches, a race condition in the KB 4532693 Win10 version 1903 and 1909 cumulative update installer, hasn’t been officially acknowledged by Microsoft outside of a blog post. But at least it’s well known and understood.
Folks running SQL Server and Exchange Server networks need to get patched right away.
Patch Tuesday brought KB 4524244 for Windows 10 owners, a bizarre single-purpose patch apparently directed at one specific UEFI bootloader. I talked about it last week.
Credit to Author: Woody Leonhard| Date: Thu, 23 Jan 2020 07:17:00 -0800
The big patching problems this month fell at the feet of admins who had to deal with an unholy mess of pressing exposures: Fixing the holes in Microsoft’s RD Gateway (CVE-2020-0610; see Susan Bradley’s Patch Watch, paywalled); dealing with Server 2008 R2 systems that booted to Recovery mode after installing the January patches; scrambling to pick up after breaches in Citrix networking products; or the 334 Oracle security patches. They all took a toll.