Today, Microsoft released an update to their Coordinated Vulnerability Disclosure (CVD) program. The CVD program aims to streamline how vulnerabilities are disclosed, addressed by the vendor, and coordinated with security researchers.
For some time now, there has been a massive and quite ugly debate over Responsible Disclosure versus Full Disclosure when it comes to software vulnerabilities. The main difference between the two comes down to how and when software vulnerabilities are disclosed to the public. If a vulnerability is disclosed before a vendor can patch the flaw, the vulnerability is considered a Full Disclosure vulnerability.
I am …
As you know, Patch Tuesday is tomorrow. On Wednesday, after the dust settles, I will be hosting a Webinar to provide even more information about the latest Microsoft patches and how they may affect your network.
We created this Webinar to provide you with an additional Patch Tuesday resource to make your job easier. I hope you join us and find it helpful.
Here are the details:
Date: Wednesday, April 14
Time: 11:00 AM, CT
Fee: FREE
Register: Here
- Jason Miller
Today, the unplanned patch day started with:
Microsoft going out-of-band in releasing MS10-018
Sun releasing Sun Java 6 update 19
Mozilla releasing Thunderbird 3.0.4
Apple releasing new patches for Mac OS X 10
Now, we have more joining the patching fun:
Mozilla has just released SeaMonkey 2.0.4. This release fixes 8 vulnerabilities. The vulnerability details can be found here.
Apple has just released iTunes 9.1. This release fixes 7 vulnerabilities.
Apple has just released QuickTime 7.6.6. This release fixes 16 vulnerabilities.
Let’s hope this is the end of security patches for today… Tomorrow is another patching day.
- Jason Miller
Microsoft is going out of their normal release cycle to post a new security bulletin for Internet Explorer. This bulletin fixes a vulnerability that is currently being exploited in the wild.
In the past few years, Microsoft has gone out-of-band with security bulletin releases on limited occasions. In both 2008 and 2009, Microsoft released only two out-of-band security bulletins to fix critical vulnerabilities. With today’s out-of-band release, Microsoft has already released two in 2010, both addressing known critical vulnerabilities in Internet Explorer and kicking off a record year for out-of-band patch releases.
Microsoft typically releases cumulative updates for …
After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month. Microsoft released two new security bulletins addressing 8 vulnerabilities, none of which are publicly known at this time. It is not uncommon for Microsoft to have a large patch month followed by a relatively light patch month.
As the bulletins affect client Windows operating systems and Microsoft Office, your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed. As expected, Microsoft is not planning to release a bulletin for their recently released security advisory (
It has been quite a while since I have blogged and I am finally getting some free time to get back to it. Today, we announced our new SCUPdates offering. We will be providing third-party (non-Microsoft) software update data files for the System Center Updates Publisher for SCCM. SCCM users will now be able to easily patch non-Microsoft products without having to create their own updates.
The SCUPdates offering is a data file. There are no Shavlik products that need to be installed on your servers or workstations. If you are an SCCM user, you can keep your same environment …
Microsoft just announced another new security advisory for Internet Explorer. With this zero-day vulnerability, a user would need to visit a malicious website that takes advantage of this vulnerability. The advisory's title states that the vulnerability could allow information disclosure. Microsoft is reporting there are no active attacks for this vulnerability.
Microsoft has listed numerous workarounds to help mitigate the risk of attack on a system. If you choose to apply any of these workarounds, each workaround should be tested thoroughly in your environment to ensure functionality of your applications.
Tomorrow is the February Advanced Notification for patch …
Microsoft has just published a new security advisory. This advisory affects Internet Explorer and can lead to remote code execution on machines. There have been reports of limited, targeted attacks, which makes this a zero-day exploit, as there is no patch available yet for this vulnerability.
Microsoft has posted a couple of workarounds to help mitigate this risk:
Set your Internet Security Zone settings to “High” for ActiveX Controls and Active Scripting
Set Internet Explorer to prompt or disable Active Scripting
Enable DEP for Internet Explorer
With a vulnerability like this, it is very important to be aware of phishing attempts through email, …
The U.S. Court of Appeals just handed down a judgment prohibiting Microsoft from selling Microsoft Word starting January 11, 2010. Microsoft is planning to release a new version of Word that will pull the offending code that started this patent infringement lawsuit.
The good news: Microsoft will still be able to provide support (patching) to the product.
If Microsoft were not able to support the offending version of Word, many people would be left with vulnerable products when future patches affect Word.
- Jason Miller
A few weeks ago, we added official support for scanning and patching of Windows XP Embedded devices. Those of you who have these devices on your network and use the Shavlik product line may have noticed no patches were applicable from December’s Patch Tuesday. This does not mean those devices do not need to be kept up to date.
Microsoft does not release XP Embedded patches on the same day as patches for their other operating systems. There is an approximate two-week period between Patch Tuesday and when the patches become available to vendors.
If you have Windows XP …