This month’s Patch Tuesday Round-Up is more of a continuation of Patch Tuesday. If you are not aware already, there was an Oracle quarterly Critical Patch Update yesterday. This means that a boatload of Oracle products now need updates. Pardon the image above; I hacked a last-minute Java bulletin into it. Don’t let the one bulletin fool you, though; there are still 25 vulnerabilities being resolved in that single bulletin. Read on for details.
Oracle released its quarterly CPU this Tuesday. There are a total of 154 vulnerabilities being addressed across all Oracle products being updated. This is 29 more vulnerabilities than are addressed in Microsoft’s October Patch Tuesday release and the updates from Adobe and Google combined. It can be difficult to sift through this much security data to prioritize what needs the most attention, but there are a few things you can use to narrow the priorities:
Microsoft is taking it easy on us this month. But don’t worry, Adobe, Google and Oracle are adding to the Patch Tuesday queue this month.
Microsoft has released just six bulletins this Patch Tuesday. This is a welcome reprieve given the 2015 bulletin count has already exceeded the total bulletin count for 2014 (85). With this month’s bulletins, the count is now up to 111 so far in 2015.
Yesterday Microsoft released KB3096053, but as a separate patch. On Patch Tuesday, MS15-098 was released to resolve security vulnerabilities in Windows Journal. The initial patch release failed to install correctly on Windows 8 and Server 2012. In response to these issues, Microsoft has released a non-security update that must be run before MS15-098 can be installed on the affected operating systems. The fix seems to come with its own pains:
Other than the Microsoft conspiracy to kill off disc based gaming ONCE AND FOR ALL!!!!! it was a pretty uneventful Patch Tuesday for issues.
For those who want to read up on, and fume over, the terrible conspiracy to kill off your disc based games, here is a little media fodder.
This feels like a light month compared to the last few Patch Tuesdays, especially for third parties. Coming off of Black Hat, all the vendors we would normally expect to see on patch day have had their hands forced last month to respond quickly to any vulnerability they may have had, likely causing a slow month this time around. Next month we should expect a Java quarterly release, along with more third-party patches.
As for Microsoft, it has released 12 bulletins. Five of these bulletins are rated as Critical. There are a lot of media content vulnerabilities being resolved this month for graphics drivers, Windows Journal and Media Center, and Microsoft Office and SharePoint.
Patch Tuesday + 8 days. Another big month from Microsoft, but it has continued past Patch Tuesday including a Zero Day IE update (MS15-093). Recapping the risks we have seen this month, there are now three exploited vulnerabilities from Microsoft for August. Two vulnerabilities have been publicly disclosed which increases the risk of exploit. Altogether, this is a busy month once again.
Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday update and two additional cumulative updates since Patch Tuesday (KB3081436, KB3081438 which was the fix for the reboot loop, and KB3081444).
Here is the August summary:
For full playback of the August Patch Tuesday Webinar or to sign up for future Patch Tuesday Webinars check out our Webinars page.
You can keep shouting “bring out your dead,” but Patch Tuesday is not dead yet. There is a large lineup this month on both the Microsoft and third party front, and even some Windows 10 updates to boot!
Patch Tuesday is always fun after a major security conference. We are going to see some fallout from the Black Hat conference last week, as security researchers showed off their skills with live exploits of popular browsers and plug-ins. Mozilla already released a security update last week and, for Patch Tuesday, we have updates for IE, Edge, Flash, Chrome and Java.
Microsoft has released 14 bulletins, four of which are critical. The critical updates affect Internet Explorer, Edge, Windows, .NET Framework, Microsoft Office, Microsoft Lync and Microsoft Silverlight. Two of the critical updates affect Office.
Exploits detected in the wild:
Every month, you start your maintenance, not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month with all of the subsequent execution happening with that as the anchor. +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, +11 days Prod 1, etc. The problem with this is in the Outlook-style scheduling.
Did you know that WUB is the new UNTS in Electronica Dubstep? I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB. Windows Update for Business.
There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.