While we enjoyed a relatively low number of patches each month so far this year, November definitely takes a big jump up with 14 total bulletins released today. 4 are critical, 8 important and 2 moderate. While this is two less than what we thought we would have today according to last week’s ANS,
A group of organised criminal hackers, possibly backed by an unknown country, are targeting government, media and military organisations in the United States, Pakistan, and across Europe, according to new research [PDF] released by researchers at Trend Micro.
In an operation dubbed “Pawn Storm”, the hackers have targeted computers belonging to –
The single most popular browser on computer desktops around the world is Internet Explorer 8 – and its days are officially numbered.
Because, from January 12 2016, Microsoft is only going to provide support and security updates for the following operating system/browser combinations:
- Windows Vista SP2 and Windows Server 2008 SP2: Internet Explorer 9
- Windows Server 2012: Internet Explorer 10
- Windows 7 SP1,
While 10 patches covering 33 vulnerabilities may seem like a high number, it isn’t all bad news for IT professionals this May Patch Tuesday. Only two of the 10 patches released today are critical and both impact Microsoft Windows and Internet Explorer. The two critical-rated patches address the IE 8 zero-day that made news after attacking a website belonging to the U.S.
Several reboots affecting all versions of Windows makes August a busy patch month. Microsoft updates include patches to new problems, updates to old problems and something that may cause more work than you may have been anticipating this month.
Prioritizing the Patches
There are nine security bulletins this Patch Tuesday, five critical and four important.
As sure as night follows day, malware follows the meme. And latest meme, apparently, is all Charlie Sheen, all the time.
I don’t watch much TV (read: none), and don’t read many celebrity gossip blogs (read: none), but even *I* am painfully aware of Charlie Sheen’s seemingly wacked out 20/20 special and the sundry other interviews.
Microsoft announced today they will be releasing a critical out-of-band patch MS10-018. From an impact perspective, this is a remote code execution and impacts Internet Explorer (IE) versions 6 and 7. The unscheduled release is in response to a reported upswing in attacks against Microsoft customers as detailed in Microsoft Security Advisory 981374.
It certainly seems that in 2010, a month doesn’t go by without hearing about yet another zero-day threat affecting a popular browser software. In the first quarter of 2010, we already have seen new zero-day issues in the most popular browsers in use today:
- Microsoft reported yet another new zero-day issue with Internet Explorer,
Not sure this is entirely coincidental, but Mozilla released Firefox 3.6 on Jan. 21 – the same day that Microsoft announced their out-of-band patch to the so-called Google Attack / Aurora exploit / IE zero-day. Perhaps fortuitous is a better way of putting it.
There is a new Internet Explorer zero-day vulnerability this week that is at the center of “in-the-wild” attacks targeting large corporations including Google and Adobe. As the research and vendor communities have been deconstructing the vulnerability, automated attack tools and various methodologies used to carry out the attack, a number of facts and mitigation steps have been identified.
Today, Microsoft released an out-of-band security patch: Microsoft Security Bulletin MS10-002 – Critical, Cumulative Security Update for Internet Explorer (978207). MS10-002 address the previously announced flaw in Internet Explorer that has been widely reported as the key attack vector in reported attacks against Google and other companies by entities based in China (MS Security Advisory #979352.) Microsoft has confirmed that there are active exploits attacking Internet Explorer 6.
Video Blog discussing Patch Tuesday December 2009.
In my post some time ago about the newly released Windows 7, I made mention of a Gartner report entitled “Planning for the Security Features of Windows 7.” I want to revisit this report in a little greater detail – in particular, the statement “Use the migration to Windows 7 as the catalyst to get rid of IE6.
The latest Internet Explorer zero day threat will unfortunately catch many off guard and will have a significant impact on many organizations that are still relying on outdated defenses.
For the past decade or perhaps longer, our way of dealing with threats has been to try to filter our way out of trouble.
IT pros are anxiously awaiting this Tuesday’s out-of-band patches from Microsoft. The patches are supposed to add an additional layer of security to the issues for Internet Explorer, which was patched just last Tuesday, as well as handle issues within Visual Studio.
The IE issues involve the ongoing Active X saga and hopefully will provide an actual fix to the underlying code issue this time instead of applying some form of the work-around such as simply disabling the impacted code by default and calling it “fixed.”
Microsoft is taking it right down to the wire –