
  Posts Tagged: patch tuesday


    12 Jul 11

    Microsoft Fixes Scary Bluetooth Flaw, 21 Others

    Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

    Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is from 30 to 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.

    But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user. The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.

    Joshua Talbot, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.

    “An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”

    Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.



    15 Jun 11

    Microsoft Patches Fix 34 Security Flaws

    Microsoft on Tuesday released 16 software updates to fix at least 34 security vulnerabilities in its Windows operating systems and other software. More than half of the updates address flaws Microsoft rates “critical,” meaning the bugs can be exploited with little to no user interaction.

    For organizations that need to test patches before deploying them, Microsoft said four of the updates deserve priority:

    • MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
    • MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
    • MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
    • MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

    Another update, labeled “important,” fixes at least eight security problems in all versions of Microsoft Excel, including Office for Mac.

    More information on this week’s updates is available at this summary. Updates are available from Windows Update and via Automatic Updates. You may want to set aside some time for this update package: Among the critical patches is an update for Microsoft’s .NET software, and .NET updates are typically bulky. If you experience problems after applying any of the updates, please leave a note about it in the comments below.


    10 May 11

    Security Fixes for Microsoft Windows, Office

    Microsoft issued just two updates today to fix at least three security flaws in its Windows and Microsoft Office products, a merciful respite following last month’s record-setting patch push. One of the patches issued today earned a critical rating, the company’s most serious.

    The critical patch is mainly a concern for enterprises that are running Windows Server 2003 and 2008 server operating systems. The Office update fixes two vulnerabilities in Microsoft PowerPoint, and affects older versions of Office, including Office XP, Office 2003, Office 2007 and Office 2004 for Mac (Office 2010 for Mac and Windows are not affected).

    Updates are available through Windows Update or via Automatic Updates. As always, please leave a note in the comments if you experience any troubles during or after the installation of these patches.


    13 Apr 11

    Microsoft Issues Monster Patch Update

    Microsoft released a record number of software updates yesterday to fix at least 64 security vulnerabilities in its Windows operating systems and Office products, including at least one that attackers are actively exploiting.

    Updates are available for all versions of Windows via Windows Update or Automatic Update. Nine of the patches earned Microsoft’s “critical” rating, which means the vulnerabilities they fix could be exploited to compromise PCs with little or no action on the part of the user, apart from visiting a booby-trapped Web site or opening a tainted file.

    Redmond said three of the patches should be top priorities. Two of them fix critical vulnerabilities in the “server message block” or SMB service, which handles Windows networking. Attackers could exploit the flaw addressed by MS11-020 by sending a single, specially crafted evil data packet to a targeted system. This is the type of flaw that should concern any network administrator, because it has high potential to be used to power an automated computer worm.

    Microsoft also called attention to MS11-018, which is a cumulative security update for Internet Explorer that fixes critical flaws in all versions of the browser except the latest IE9, which is not affected. One of the IE vulnerabilities — the MHTML flaw I wrote about in January — is currently being exploited; another was discovered at the Pwn2Own hacking competition earlier this year.



    8 Mar 11

    Patch Tuesday, Etc.

    Microsoft has issued security updates to fix at least four security holes in its Windows operating system and other software. Not exactly a fat Patch Tuesday from Microsoft, but depending on how agile you are in updating third-party applications like Flash, iTunes and Shockwave, you may have some additional patching to do.

    One of the updates from Microsoft earned a “critical” rating, meaning Redmond believes it could be exploited to break into vulnerable systems with little to no help from users. That flaw, a bug in the way Windows Media Player and Media Center process certain types of media files, could be leveraged by convincing a user to open a tainted video file. This flaw affects Windows XP, Vista and Windows 7.



    9 Feb 11

    Adobe, Microsoft, WordPress Issue Security Fixes

    Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendor Tipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.

    Microsoft’s bundle includes a dozen updates addressing at least 22 security flaws in its Windows operating system and other software. Five of the vulnerabilities earned a “critical” rating, Redmond’s most serious. Six of the Windows flaws fixed in today’s release have been public for some time, although security experts at Symantec say they’re only aware of one of the flaws being actively exploited in the wild — a bug in the way Internet Explorer handles cascading style sheets. Updates are available through Windows Update or Automatic Update.

    Microsoft also issued an update that changes the default behavior in Windows when users insert a removable storage device, such as a USB or thumb drive. This update effectively disables “autorun,” a feature of Windows that has been a major vector for malware over the years. Microsoft released this same update in February 2009, but it offered it as an optional patch. The only thing different about the update this time is that it is being offered automatically to users who patch through Windows Update or Automatic Update.

    Update, Feb. 18, 11:56 a.m. ET: As F-Secure notes in a useful blog post, Microsoft has once again failed to disable autorun, because this update is not offered by default, as Microsoft previously indicated.

    Original story:

    Adobe released an update for its Acrobat and free PDF Reader software that fixes at least 29 security problems with these products. Adobe is urging users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh to update to Adobe Reader X (10.0.1), available now. Adobe says that an update to fix these flaws in UNIX installations of its products is expected to be available by the week of February 28, 2011.



    14 Dec 10

    Microsoft Patches 40 Security Holes

    Microsoft today issued 17 software updates to plug a total of 40 security holes in computers running its Windows operating system and other software. December’s bounty of patches means Microsoft fixed a record number of security vulnerabilities this year.

    According to Microsoft, the most urgent of the patches is a critical update that fixes at least seven vulnerabilities in Internet Explorer versions 6, 7 and 8, including three that were publicly disclosed prior to today’s update. Microsoft said that at least one of the public flaws is already being actively exploited.

    Microsoft also called special attention to the only other critical bulletin in the batch – a vulnerability in the OpenType Font Driver in Windows. Redmond warns that an attacker could compromise a machine on a network simply by getting a user to open a shared folder containing a malicious OpenType font file.



    29 Mar 10

    Microsoft to Issue Emergency IE Fix

    Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately.

    Microsoft normally releases security updates on “Patch Tuesday,” the second Tuesday of each month. But this Tuesday, Mar. 30, Microsoft will release a cumulative update for Internet Explorer that fixes a critical software flaw in IE 6 and IE 7. The browser flaw lets hackers break into vulnerable systems remotely, with little help from users.

    Redmond initially said it was aware of only “targeted” attacks that leveraged this vulnerability. But Microsoft’s statement that accompanied this announcement suggests that these attacks may have become more widespread.

    “We have been monitoring this issue and have determined an out-of-band release is needed to protect customers,” Microsoft said in a statement on its Security Response Center blog today.

    Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).


    9 Feb 10

    13 Ways to Protect Your Windows PC

    Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.

    Five of the 13 update bundles Redmond issued today earned a rating of “critical,” meaning Microsoft considers these flaws so serious that attackers could exploit them to seize control over vulnerable systems just by getting users to visit a hacked or malicious Web site.
