There were no big surprises in this month's Patch Tuesday. Microsoft issued eight updates, two critical, to fix 23 vulnerabilities. However, the two critical patches are doozies. One of them fixes all versions of Internet Explorer on all versions of Windows and the other fixes .NET/Silverlight.
On Tuesday, Microsoft will release eight security bulletins, two rated critical and six rated important, to fix 23 vulnerabilities. These will fix holes in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG, and Microsoft Host Integration Server.
The critical patches affect all supported versions of Windows: XP, Vista and Windows 7, Windows Server 2003, 2008 and R2 (not Server Core), and all supported versions of IE, including IE 9. There's a sprinkling of patches rated important affecting all versions of Windows, too.
Hackers are again hoping iPhone 5 hysteria will benefit them. A fake e-mail that spoofs the "news@apple.com" address contains links to websites hosting a Windows virus. The subject line proclaims the iPhone SG 5 has been released and the e-mail shows an iPhone with a see-through screen. Ironically, this is a Windows-specific virus, which Sophos calls the Mal/Zapchas-A virus, and doesn't affect Macs.
On Tuesday, Microsoft will release five updates to fix 15 vulnerabilities, none critical, as part of its routine Patch Tuesday security patches. "A welcome break from Microsoft while we deal with the growing SSL Certificate Issues," says Paul Henry, security and forensic analyst for Lumension. He extends a hearty thank you to Microsoft, though in truth Microsoft is following its usual pattern of alternating light/heavy Patch Tuesdays.
As expected, today's Patch Tuesday is a whopper. Microsoft released 16 security updates (nine critical and seven important) addressing 34 vulnerabilities, including the first patch for Internet Explorer 9 and a rare patch for Hyper-V.
The remaining patches fix vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, VML and ISA.
For nine of the patches, reboots are required and for the rest, well, a reboot may still be wise, Microsoft says.
At last week's Rocky Mountain IPv6 Summit in Denver, Ed Horley began his talk about IPv6 in Windows networks by warning attendees about a dangerous DoS vulnerability that Microsoft has so far shown no interest in fixing. I had a longer conversation about it with Horley. He pointed me to the YouTube video below that shows the hole in action.
Network World wants to gauge the burden for enterprise companies of keeping Windows patched. Will you help? This survey will take about five minutes of your time and is anonymous. We are not gathering information about the identities of participants.
If you have comments about the survey, or the topic of Windows patch management, you can submit them via the survey, or e-mail them directly to Network World’s Online Community Editor, Julie Bort jbort@nww.com.
Thank you for participating!
As expected, Microsoft released a record-breaking, massive number of patches today that affect all versions of Windows and Office -- including its cloud apps -- and address some long-standing holes that hackers have been exploiting in the wild.
Microsoft issued a warning today that nine fraudulent digital certificates were issued by root certificate authority Comodo Group. Although the certificates were quickly revoked, their initial release still poses a threat to browser users, including users of Internet Explorer. This is not a security flaw in Microsoft software, the company says, but it released a security update for Windows all the same.
The nine fake certificates affect the following Web sites, Microsoft says:
As expected, Microsoft's February Patch Tuesday is big: 22 bugs fixed via 12 updates, including patches for three zero-day exploits. Microsoft also made a change to the Autorun services in XP and Vista that it hopes will put a cramp in the spread of Conficker.
There's some good news and bad news about next Tuesday's scheduled monthly patch day. The bad news is that it will be monster big, with restarts required. Microsoft will issue 12 updates that fix 22 holes, including holes in Internet Explorer (IE), Windows, its Internet server and Visio. So what, pray tell, is the good news?
Microsoft today confirmed that a publicly disclosed critical bug affects all of the current but older versions of Windows, and issued workaround advice but not an out-of-band patch. The bug affects the Windows Graphics Rendering Engine in Vista, XP and Windows Server 2003. It does not affect Windows 7 or Windows Server 2008 R2.
A vast number of Microsoft's security holes are dependent on the credentials of the user logged in when a Windows machine is hacked. But one of Windows' weakest areas of baked-in security is login controls. Third-party software, such as IS Decisions' UserLock, takes on the task of filling in the gaps.
This month's fairly light Patch Tuesday included a critical patch for Microsoft Office that fixed a couple of dangerous issues, including Microsoft's first and only patch for the DLL hijacking vulnerability that made big news in August. The Office patch also included a fix for a scary drive-by exploit which could infect a PC if an evil e-mail showed up in the preview box of Outlook.
Today Microsoft released Security Advisory 2458511 to warn Internet Explorer users of a new zero-day attack that Microsoft has seen in the wild. It affects versions 6, 7, and 8, although Microsoft says that the default installations of IE8 make that version of the browser harder to exploit.
An unprecedented wave of attacks that exploit weaknesses in Java has gone largely unnoticed by the security community, said a Microsoft malware researcher in a blog post today. Some 6 million attacks against Java occurred in the third quarter of 2010, compared to about a quarter of that amount in the quarter prior. This compares to fewer than 100,000 attacks in the same period on Adobe PDF documents.
Patch Tuesday has arrived and it is filled with bad news. Two of today's nine patches fix problems that are currently being exploited in the wild and most of them fix problems that have a high likelihood that exploit code will be available soon. But wait, there's more!
The war between security researchers (particularly from Google) and Microsoft is heating up, again, over an old bug in IE8 that was reportedly disclosed to Microsoft years ago. Once again, it seems like there aren't any good guys looking out for the users. On Friday, Google security researcher Chris Evans, in a fit of frustration over what he said was Microsoft's lack of action, posted a link to proof-of-concept code for the bug to the Full Disclosure mailing list.
Even though Microsoft is so far refusing to patch the critical Windows DLL vulnerability that has become the source of an ever growing number of new exploits, you can protect your systems now. But it won't be easy.
The fix involves manually auditing which applications are vulnerable and then applying Microsoft's new fix-it tool. Many makers of Windows software, such as Wireshark, are also promising patches for their apps.
Microsoft on Tuesday will release a rare out-of-band patch to fix the highly dangerous zero-day vulnerability that has caused multiple researchers to issue warnings earlier this month. The patch will be for all supported versions of Windows and will require a restart.