Network World

Microsoft security

Patch Tuesday: IE bug could spread virus; .Net affects Mac users

Microsoft fixes 22 holes in eight patches, two critical, with no big surprises
Submitted by Microsoft Subnet on Tue, 10/11/11 - 6:39pm.

There were no big surprises in this month's Patch Tuesday. Microsoft issued eight updates, two critical, to fix 23 vulnerabilities. However, the two critical patches are doozies. One of them fixes all versions of Internet Explorer on all versions of Windows and the other fixes .Net/Silverlight.

Microsoft to fix 23 security holes in 8 patches on Tuesday

Next Patch Tuesday will be moderately big, fixing holes in IE, Windows, Forefront and .Net/Silverlight
Submitted by Microsoft Subnet on Thu, 10/06/11 - 3:02pm.

On Tuesday, Microsoft will release eight security bulletins, two rated critical and six rated important, to fix 23 vulnerabilities. These will fix holes in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG, and Microsoft Host Integration Server.

The critical patches affect all supported versions of Windows: XP, Vista and Windows 7, Windows Server 2003, 2008 and R2 (not Server Core), and all supported versions of IE, including IE 9. There's a sprinkling of patches rated important affecting all versions of Windows, too.

Fake iPhone 5 e-mail carries Windows malware

The threat of infection is small, but it is targeted at Windows users, not Macs
Submitted by Microsoft Subnet on Mon, 10/03/11 - 2:53pm.

Hackers are again hoping iPhone 5 hysteria will benefit them. A fake e-mail that spoofs the "news@apple.com" address contains links to websites hosting a Windows virus. The subject line proclaims the iPhone SG 5 has been released and the e-mail shows an iPhone with a see-through screen. Ironically, this is a Windows-specific virus, which Sophos calls the Mal/Zapchas-A virus, and doesn't affect Macs.

Why I'm ignoring my W7 warning messages and other Microsoft Patch Tuesday news

Microsoft will issue five patches to fix 15 holes, none critical, while the world deals with the SSL certificate mess.
Submitted by Microsoft Subnet on Thu, 09/08/11 - 6:39pm.

On Tuesday, Microsoft will release five updates to fix 15 vulnerabilities, none critical, as part of its routine Patch Tuesday security patches. "A welcome break from Microsoft while we deal with the growing SSL Certificate Issues," says Paul Henry, security and forensic analyst for Lumension. He extends a hearty thank you to Microsoft, though in truth Microsoft is following its usual pattern of alternating light/heavy Patch Tuesdays.

Microsoft issues first patch for IE9 amidst 34 holes closed today

Today's regularly scheduled security updates fix holes in Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, VML and Forefront/ISA.
Submitted by Microsoft Subnet on Tue, 06/14/11 - 4:34pm.

As expected, today's Patch Tuesday is a whopper. Microsoft released 16 security updates (nine critical and seven important) addressing 34 vulnerabilities, including the first patch for Internet Explorer 9 and a rare patch for Hyper-V.

The remaining patches fix vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, VML and ISA.

For nine of the patches, reboots are required and for the rest, well, a reboot may still be wise, Microsoft says.

How to use a known IPv6 hole to fast freeze a Windows Network

Security experts want Microsoft and Juniper to patch a dangerous DoS hole. With this video, see it for yourself.
Submitted by Microsoft Subnet on Tue, 05/03/11 - 4:20pm.

At last week's Rocky Mountain IPv6 Summit in Denver, Ed Horley began his talk about IPv6 in Windows networks by warning attendees about a dangerous DoS vulnerability that Microsoft has so far shown no interest in fixing. I had a longer conversation about it with Horley. He pointed me to the YouTube video below that shows the hole in action.

Survey: How much does Windows Patching burden you?

Please tell us how much time it takes you to patch Windows systems monthly.
Submitted by Microsoft Subnet on Fri, 04/22/11 - 3:21pm.

Network World wants to gauge the burden for enterprise companies of keeping Windows patched. Will you help? This survey will take about five minutes of your time and is anonymous. We are not gathering information about the identities of participants.

If you have comments about the survey, or the topic of Windows patch management, you can submit them via the survey, or e-mail them directly to Network World's Online Community Editor, Julie Bort, at jbort@nww.com.

Thank you for participating!

Record-breaking Microsoft patch day affects all versions of Windows

Microsoft fixes 64 holes, including patches for the Web version of Office and a rootkit fix
Submitted by Microsoft Subnet on Tue, 04/12/11 - 2:44pm.

As expected, Microsoft released a record-breaking, massive number of patches today that affect all versions of Windows and Office -- including its cloud apps -- and address some long-standing holes that hackers have been exploiting in the wild.

Microsoft warns of hack attempt on Windows Live, Google, Yahoo, Skype, Mozilla

Nine fake certificates were issued and revoked prompting Microsoft to release an out-of-band security update.
Submitted by Microsoft Subnet on Wed, 03/23/11 - 2:14pm.

Microsoft issued a warning today that nine fraudulent digital certificates were issued by root certificate authority Comodo Group. Although the certificates were quickly revoked, their initial release still poses a threat to browser users, including users of Internet Explorer. This is not a security flaw in Microsoft software, the company says, but it released a security update for Windows all the same.

The nine fake certificates affect the following Web sites, Microsoft says:

Microsoft patches 22 bugs, stops Autorun hole that helps Conficker

Patch Tuesday is a biggie, as expected, with a surprise addition for XP, Vista that stops USB infections via Autorun.
Submitted by Microsoft Subnet on Tue, 02/08/11 - 2:32pm.

As expected, Microsoft's February Patch Tuesday is big: 22 bugs fixed via 12 updates, including patches for three zero-day exploits. Microsoft also made a change to the Autorun services in XP and Vista that it hopes will put a cramp in the spread of Conficker.

Yikes, Microsoft to patch 22 bugs next week

Three zero days will be fixed and security experts warn that the massive reboot could cause some services to freak out.
Submitted by Microsoft Subnet on Thu, 02/03/11 - 6:13pm.

There's some good news and bad news about next Tuesday's scheduled monthly patch day. The bad news is that it will be monster big, with restarts required. Microsoft will issue 12 updates that fix 22 holes, including holes in Internet Explorer (IE), Windows, its Internet server and Visio. So what, pray tell, is the good news?

Microsoft warns of critical unpatched bug for Vista, XP

Zero-day in Windows Graphics Rendering Engine affects XP, Vista, Windows Server 2003
Submitted by Microsoft Subnet on Tue, 01/04/11 - 2:50pm.

Microsoft today confirmed that a publicly disclosed critical bug affects all of the current but older versions of Windows, and issued workaround advice but not an out-of-band patch. The bug attacks the Windows Graphics Rendering Engine in Vista, XP and Windows Server 2003. It does not affect Windows 7 or Windows Server 2008 R2.

Why concurrent logins to a Windows network are a (very) bad idea

Once hackers gain legitimate Windows login credentials, they have unfettered use of them
Submitted by Microsoft Subnet on Mon, 11/15/10 - 3:08pm.

A vast number of Microsoft's security holes are dependent on the credentials of the user logged in when a Windows machine is hacked. But one of Windows' weakest areas of baked-in security is login controls. Third-party software, such as IS Decisions' UserLock, takes on the task of filling in the gaps.

Microsoft fixes critical DLL hole in Office but not XP SP3

Patch Tuesday included Microsoft's first (and only) DLL hijacking patch
Submitted by Microsoft Subnet on Thu, 11/11/10 - 6:51pm.

This month's fairly light Patch Tuesday included a critical patch for Microsoft Office that fixed a couple of dangerous issues, including Microsoft's first and only patch for the DLL hijacking vulnerability that made big news in August. The Office patch also included a fix for a scary drive-by exploit which could infect a PC if an evil e-mail showed up in the preview box of Outlook.

Microsoft warns of new Zero-day attack affecting Internet Explorer 6, 7, 8

Attack installs a Trojan just by visiting an infected Web site and no patch is available yet.
Submitted by Microsoft Subnet on Wed, 11/03/10 - 12:16pm.

Today Microsoft released Security Advisory 2458511 to warn Internet Explorer users of a new zero-day attack that Microsoft has seen in the wild. It affects versions 6, 7, and 8, although Microsoft says that the default installations of IE8 make that version of the browser harder to exploit.

Java exploits have skyrocketed, Microsoft researcher says

The number of attacks on Java in 3Q 2010 dwarfed those made on Adobe PDF
Submitted by Microsoft Subnet on Mon, 10/18/10 - 7:26pm.

An unprecedented wave of attacks that exploit weaknesses in Java has gone largely unnoticed by the security community, said a Microsoft malware researcher in a blog post today. Some 6 million attacks against Java occurred in the third quarter of 2010, compared to about a quarter of that amount in the quarter prior. This compares to fewer than 100,000 attacks in the same period on Adobe PDF documents.

Microsoft Patch Tuesday halts two live attacks but offers no help for others

Two of the nine Patch Tuesday fixes need to be installed fast
Submitted by Microsoft Subnet on Tue, 09/14/10 - 4:05pm.

Patch Tuesday has arrived and it is filled with bad news. Two of today's nine patches fix problems that are currently being exploited in the wild and most of them fix problems that have a high likelihood that exploit code will be available soon. But wait, there's more!

Microsoft beat up, then defended over ancient IE8 zero-day

The strange story of how and when a Google researcher disclosed an IE bug
Submitted by Microsoft Subnet on Tue, 09/07/10 - 7:46pm.

The war between security researchers (particularly from Google) and Microsoft is heating up, again, over an old bug in IE8 that was reportedly disclosed to Microsoft years ago. Once again, it seems like there aren't any good guys looking out for the users. On Friday, Google security researcher Chris Evans, in a fit of frustration over what he said was Microsoft's lack of action, posted a link to proof-of-concept code for the bug to the Full Disclosure mailing list.

Sources to protect you from the zero-day Windows DLL exploit

Microsoft's DLL exploit mess could eventually lead to safer libraries. Until then, get ready for a manual fix.
Submitted by Microsoft Subnet on Thu, 08/26/10 - 6:34pm.

Even though Microsoft is so far refusing to patch the critical Windows DLL vulnerability that has become the source of an ever-growing number of new exploits, you can protect your systems now. But it won't be easy.

The fix involves manually auditing which applications are vulnerable and then applying Microsoft's new fix-it tool. Many makers of Windows software, such as Wireshark, are also promising patches for their apps.

Microsoft to issue patch for dangerous USB rootkit hole

Rare out-of-band patch should fix a scary vulnerability that has led to espionage-like attacks.
Submitted by Microsoft Subnet on Fri, 07/30/10 - 2:05pm.

Microsoft on Tuesday will release a rare out-of-band patch to fix the highly dangerous zero-day vulnerability that caused multiple researchers to issue warnings earlier this month. The patch will be for all supported versions of Windows and will require a restart.
