Posts Tagged: Ivanti


14
Nov 17

Adobe, Microsoft Patch Critical Cracks

It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.

Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.

Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update). Continue reading →


13
Sep 17

Adobe, Microsoft Plug Critical Security Holes

Adobe and Microsoft both on Tuesday released patches to plug critical security vulnerabilities in their products. Microsoft’s patch bundles fix close to 80 separate security problems in various versions of its Windows operating system and related software — including two vulnerabilities that already are being exploited in active attacks. Adobe’s new version of its Flash Player software tackles two flaws that malware or attackers could use to seize remote control over vulnerable computers with no help from users.

brokenwindows

Of the two zero-day flaws being fixed this week, the one in Microsoft’s ubiquitous .NET Framework (CVE-2017-8759) is perhaps the most concerning. Despite this flaw being actively exploited, it is somehow labeled by Microsoft as “important” rather than “critical” — the latter being the most dire designation.

More than two dozen flaws Microsoft remedied with this patch batch come with a “critical” warning, which means they could be exploited without any assistance from Windows users — save for perhaps browsing to a hacked or malicious Web site.

Regular readers here probably recall that I’ve often recommended installing .NET updates separately from any remaining Windows updates, mainly because in past instances in which I’ve experienced problems installing Windows updates, a .NET patch was usually involved.

For the most part, Microsoft now bundles all security updates together in one big patch ball for regular home users — no longer letting people choose which patches to install. One exception is patches for the .NET Framework, and I stand by my recommendation to install the patch roll-ups separately, reboot, and then tackle the .NET updates. Your mileage may vary. Continue reading →