Windows fix for TLS security bug still forthcoming, won't be Tuesday


The question over whether Secure Sockets Layer, and later Transport Layer Security, was ever sufficiently impregnable never rose to such a crescendo that malicious users became inspired to exploit it. In the end, the discovery that TLS had a weak spot was made last month by a security engineer, PhoneFactor's Marsh Ray. When other engineers started tweeting that they might be on the verge of the same discovery, Ray felt he had to go public to encourage everyone else to hush.
Now that the news of TLS' latent vulnerability is public, the threat of a possible exploit is real. Such an exploit, if discovered, could effectively negate the encryption system used to protect essentially every credit card transaction on the Web. And Ray and partner Steve Dispensa have been sounding the alarm with regard to other conceivable permutations of the man-in-the-middle mechanism, including forging a user's Twitter credentials.
Security firm: Windows patches not responsible for 'Black Screen of Death'


When Betanews reported last June about occurrences of the infamous "Black Screen of Death" (KSoD) in Windows Vista, a reader wrote to suggest to us that we might have only considered the matter so important this late in the game because suddenly it happened to us. A similar opinion may be appropriate for British security firm Prevx, which now says it has "exonerated" last month's set of Patch Tuesday updates from Microsoft as the cause of what it called last night a "crop" of KSoD incidents.
Early Tuesday evening, Prevx director of malware research Jacques Erasmus reported on his company's blog that he and his team have made "significant progress in determining specific triggers of the black screen event." Specifically, it determined that a side-effect accidentally discovered over three years ago by none other than SysInternals' Mark Russinovich (now with Microsoft), led to instances where Windows' product activation inadvertently triggered the black screen. When a System Registry entry of String type is supposed to be terminated by a null character (0) but isn't, the result is that the entry itself may disappear from REGEDIT, Windows' well-known Registry Editor. Such an entry may also trigger KSoD conditions.
Faster or more secure? Microsoft publishes IE patch to Automatic Updates


Given the choice between speed and security, Betanews readers this week have been siding with security, in a show of support that suggests that Windows Vista had the right idea after all. This morning, Windows XP, Vista, and Windows 7 users who have their Automatic Update notifications turned on manual will be making that choice, as Microsoft has published update 976749 -- released as a manual update on Monday -- to its Windows Update service, not as a "security update" or anything "critical" or even "important."
It's an "Update for Internet Explorer" whose purpose is to "resolve issues that may occur after installing the Internet Explorer cumulative security update issued as MS09-054" -- one of the major updates from the last Patch Tuesday round. The issue that update addressed is a very serious one, and Windows users who are concerned about their operating system possibly being vulnerable to a new class of attack, should apply that update and also apply the patch to that update, released this morning. Many users with Automatic Updates turned on full may wake up this morning with the update already having been applied.
Not that Windows is any enclave of safety: Microsoft's biggest Patch Tuesday


A lot of the presentations at security (or perhaps more appropriately, "insecurity") conferences such as Black Hat are devoted to experiments or "dares" for hackers to break through some new version of digital security. After a while, it gets to be like watching pre-schoolers daring one another to punch through ever-taller Lego walls. But in the midst of last July's briefings came at least one scientifically researched, carefully considered, and thoughtfully presented talk: the result of a full-scale investigation by three engineers at a consultancy called Hustle Labs, demonstrating how the presumption of trust between browsers, their add-ons, and other code components can trigger the types of software failures that can become exploitable by malicious code.
Engineers Mark Dowd, Ryan Smith, and David Dewey are being credited today with shedding light on a coding practice by developers that leaves the door open for browser crashes. The discovery of specific instances where such a practice could easily become exploitable is the focus of the most critical of Microsoft's regular second-Tuesday-of-the-month patches -- arguably the biggest of 13 bulletins addressing a record 34 fixes.
Colossal Patch Tuesday addresses 31 Windows, IE8 vulnerabilities


Just when it appeared Windows and its associated services were looking more stable month after month, Microsoft chose June to tackle a plethora of vulnerabilities including no fewer than 14 that its security engineers believe could be exploitable within the next 30 days.
Microsoft Security Response Center engineers Adrian Stone and Jerry Bryant were audibly panting as they delivered the news to Microsoft customers today. One critical remote code execution vulnerability that's being treated very seriously affects a much older version of the server product, Windows 2000 Server with Service Pack 4 serving as domain controllers, and running Lightweight Directory Access Protocol. "While it's ranked as a '1,' which means we expect it to be easily exploitable over the next 30 days after [the patch] is released," explained Security Program Manager Lead Adrian Stone, "...it was privately disclosed to us. A security researcher worked with MSRC responsibly to make sure that we did address the vulnerability and release it without any knowledge of the vulnerability to date. It's not being actively exploited, nor is there any data publicly available at this time that talks about [it] in in-depth, technical detail."
Adobe delivers a patch for JavaScript-related PDF vulnerability


Adobe this week delivered a patch for a highly critical PDF vulnerability that's been hanging open since late April -- 14 days of potential mayhem, but a lot faster than their previous month-long delay on a critical-level hole earlier this year.
Though Adobe has denied knowledge of exploits in the wild for the problem, which stems from a JavaScript memory corruption error, at least one security firm says they're out there if you look. Speaking to SCMagazineUS.com, a representative of Arizona-based Lumension says the firm has spotted infected PDF files on China-based Web servers.
Very mild Patch Tuesday ahead from Microsoft

After a series of critical out-of-band security patches were issued by Microsoft two weeks ago, most of the thunder has been squelched for next Tuesday's regular set: down to one critical and one important patch.
In keeping with Microsoft's current policy, the company no longer releases overly detailed information in advance of patches' distribution. For example, if the company were to say too much about interim workarounds, it might give away clues that could make many more machines vulnerable prior to Tuesday.
Adobe patches Reader, Acrobat and Flash

On Tuesday, Adobe Systems Inc. issued patches for a five-month-old vulnerability in Reader and Acrobat 8.1.2, and today, six critical patches were released for Flash Player 9.
JavaScript vulnerabilities in older versions of Acrobat and Reader could allow remote code execution if not properly patched. This is the fifth update to Reader this year that addresses JavaScript issues. NCircle security expert Andrew Storms told Computerworld in June that Adobe's repeated JavaScript bugs amounted to an epidemic. "Since JavaScript has been a target for so many years, why hasn't Adobe flushed out these vulnerabilities already?" he questioned.
Out-of-band security patch addresses critical Windows vulnerability

It's a part of Windows that handles all the file and print sharing services over any network. Today, Microsoft decided to take the unusual step of issuing a patch for a vulnerability in this part now, and not wait until November 11.
The part of Windows known as the Server service -- the component responsible for handling file sharing, print sharing, and pipelining between computers -- has been hit once again with an exploit whose profile resembles an August 2006 problem patched the following month. But this time, Microsoft is announcing it received information about this latest exploit privately, indicating that unlike the older incident, Microsoft was working to pre-empt any possibility of the exploit making its way into the wild.
Final Silverlight 2.0 ships Tuesday

Download Silverlight 2.0 for Windows from FileForum now.
11:56 am EDT October 14, 2008 - BetaNews has verified that Silverlight 2.0 has been released on schedule, and that the update process has begun.
1:03 pm EDT October 13, 2008 - In a teleconference today, Microsoft Corporate Vice President Scott Guthrie told the press that the company's 2.0 version of Silverlight will be ready to ship tomorrow, October 14.
Time for a 'Patch Tuesday' just for Apple?

In an advisory published by Apple this afternoon, Mac users and admins are being advised of the availability of the seventh major security package this year, which will include some 20 patches for both the System and Mac applications.
The last major Apple security update came on September 15, and the one before was issued on the last day of July. So security updates are getting to be a monthly affair with Apple, just as they've been with Microsoft for quite some time.
Eleven major soft spots addressed by latest Patch Tuesday

The full effect of yesterday's round of patches from Microsoft is just now being felt. This time, it's not the worldwide DNS flaw that's the big issue, but the typical stuff that afflicts Microsoft products, including and especially Office.
One of the "critical" vulnerabilities addressed yesterday affects older versions of Microsoft Word, and was acknowledged by the company last month. It involves intentionally malformed documents that, when parsed by Word, cause it to crash but also leave memory corrupted. Within that corrupt memory can lurk remnant code that could then be executed to give a remote, malicious user unauthorized privileges.
Seven critical Windows patches next Tuesday, including to Media Player

Microsoft's regular pre-briefing on monthly security issues contained some dire news, including patches for a reportedly "Critical" vulnerability affecting Windows Media Player for XP, Vista, and Windows Server 2008.
The dynamics of this problem, in keeping with Microsoft's current policy, are not being revealed until at least next Tuesday, though the company did acknowledge its existence late yesterday. If the company is implementing its so-called MAPP policy, announced earlier this week, then it's possible that some select partners who produce security software may know the details.
Next Patch Tuesday has few security updates, big Vista reliability fix

In its monthly advance notice the weekend before the second Tuesday of the month, Microsoft said it will only be addressing four security issues this time around, two dealing with Windows. But a surprisingly big Vista bug fix is under way.
If you think about it, the relative security of Windows Vista hasn't been the subject of much debate recently. If there's any problem consumers have with it, whether it's born out of market perception or real-world experience, it's a feeling that it's not all that reliable.
Next round of Microsoft 'Patch Tuesday' addresses Bluetooth problem

On its next "Patch Tuesday," slated for June 10, Microsoft plans to release seven security fixes, including three critical updates.
According to Microsoft's Security Bulletin Advance Notification for June, the fixes will also include three important updates and one classified by Microsoft as moderate.
BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
© 1998-2025 BetaNews, Inc. All Rights Reserved.