November Patch Tuesday 2015

2015_11_09 PatchTuesday01


November Patch Tuesday comes with 12 Microsoft bulletins and an update for Adobe Flash Player. For Windows 10 users there is the question of the Fall Refresh. It did not release today, but it’s likely not too far off. We may even see it on Thursday.

Microsoft has released four critical updates and eight important updates. The updates are mostly OS related, but there is an Office update and two other updates that affect Skype for Business. Four of the bulletins are resolving a vulnerability that has been publicly disclosed. This means that these four bulletins are a higher risk of exploit. For these, expect that in as few as two to four weeks there could be working code exploits taking advantage of these vulnerabilities.

If you look closely at MS15-113, the update for the Edge browser on Windows 10, you will see that it has been released for the Fall Refresh (Threshold 2). Expect that you’ll need to apply this after you upgrade to Windows 10 build 1511, which we expect on Thursday of this week.

MS15-115 resolves seven vulnerabilities in Windows, which could allow remote code execution.  CVE-2015-6109 is resolved by this bulletin and has been publicly disclosed. This particular vulnerability resolves an issue where an attacker could gain information on the location of the Kernal driver in memory. 

MS15-116 resolves seven vulnerabilities in Office, Sharepoint, Lync and Skype for Business, which could allow remote code execution. CVE-2015-2503 is resolved by this bulletin and has been publicly disclosed. This vulnerability on its own is not too terrible, but if used in conjunction with other vulnerabilities it could be used to elevate privileges. 

MS15-120 resolves one vulnerability in Windows, which could allow an attacker to cause a denial of service to systems running IPSec. CVE-2015-6111 is resolved by this bulletin and has been publicly disclosed. 

MS15-121 resolves one vulnerability in Windows, which could allow an attacker to exploit Schannel using a man-in-the-middle attack. CVE-2015-6112 is resolved by this bulletin and has been publicly disclosed. 

On the third party front, Flash player has released an update that includes 17 security fixes. This is a Priority 1 update and should be considered a high priority. Keep in mind that with Flash Player comes additional updates. You should expect plug-in updates for Internet Explorer, FireFox and Chrome today as well. You must update the Player instance and all browser plug-ins to be fully protected from these 17 vulnerabilities.

Join us tomorrow for the November Patch Tuesday webinar where we will discuss the bulletins in more detail.

October Patch Tuesday Round-Up

2015-10-08B_patchTuesdayThis month’s Patch Tuesday Round-Up is more of a continuation of Patch Tuesday. If you are not aware already, there was an Oracle quarterly Critical Patch Update yesterday. This means that a boat load of Oracle products now need updates. Pardon the image above, I hacked a last minute Java bulletin into it. Don’t let the one bulletin fool you though, there are still 25 vulnerabilities being resolved in that single bulletin. Read on for details.

Oracle released its quarterly CPU this Tuesday. There are a total of 154 vulnerabilities being addressed across all Oracle products being updated. This is 29 more vulnerabilities than are addressed in October Microsoft’s Patch Tuesday release and the updates from Adobe and Google combined. It can be difficult to sift through this much security data to prioritize what needs the most attention, but there are a few things you can use to narrow the priorities:

October Patch Tuesday 2015


Microsoft is taking it easy on us this month. But don’t worry, Adobe, Google and Oracle are adding to the Patch Tuesday queue this month.

Microsoft has released just six bulletins this Patch Tuesday. This is a welcome reprieve given the 2015 bulletin count has already exceeded the total bulletin count for 2014 (85). With this month’s bulletins, the count is now up to 111 so far in 2015.

Microsoft releases fix for MS15-098 issues on Windows 8 and Server 2012, but it is no piece of cake


Yesterday Microsoft released KB3096053, but as a separate patch.  On Patch Tuesday MS15-098 released to resolve security vulnerabilities in Windows Journal.  The initial patch release failed to install correctly on Windows 8 and Server 2012.  As a response to these issues Microsoft has released a non-security update that must be run before MS15-098 can be installed on the affected operating systems.  The fix seems to come with it’s own pains:

September Patch Tuesday, a lot of Microsoft with a touch of Adobe


This feels like a light month compared to the last few Patch Tuesdays, especially for third parties. Coming off of Black Hat, all the vendors we would normally expect to see on patch day have had their hands forced last month to respond quickly to any vulnerability they may have had, likely causing a slow month this time around. Next month we should expect a Java quarterly release, along with more third-party patches.

As for Microsoft, it has released 12 bulletins. Five of these bulletins are rated as Critical. There are a lot of media content vulnerabilities being resolved this month for graphics drivers, Windows Journal and Media Center, and Microsoft Office and Sharepoint.

August Patch Tuesday Round-Up

Patch Tuesday + 8 days. Another big month from Microsoft, but it has continued past Patch Tuesday including a Zero Day IE update (MS15-093). Recapping the risks we have seen this month, there are now three exploited vulnerabilities from Microsoft for August. Two vulnerabilities have been publicly disclosed which increases the risk of exploit. Altogether, this is a busy month once again.

Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll-out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday update and two additional cumulative since Patch Tuesday (KB3081436, KB3081438 which was the fix for the reboot loop, and KB3081444).

Here is the August summary:



For full playback of the August Patch Tuesday Webinar or to sign up for future Patch Tuesday Webinars check out our Webinars page.

Bring out yer dead! I’m not dead yet says Patch Tuesday


You can keep shouting “bring out your dead,” but Patch Tuesday is not dead yet. There is a large lineup this month on both the Microsoft and third party front, and even some Windows 10 updates to boot!

Patch Tuesday is always fun after a major security conference. We are going to see some fallout from the BlackHat conference last week, as security researchers showed off their skills with live exploits of popular browsers and plug-ins. Mozilla already released a security update last week and, for Patch Tuesday, we have updates for IE, Edge, Flash, Chrome and Java.


Microsoft has released 14 bulletins, four of which are critical. The critical updates affect Internet Explorer, Edge, Windows, .Net Framework, Microsoft Office, Microsoft Lync and Microsoft Silverlight. Two of the critical updates affect Office.

Exploits detected in wild:

Protect 9.2 Sneak Peek: Patch Tuesday + X

Every month, you start your maintenance, not on Patch Tuesday, but on Patch Tuesday + x days. I have seen dozens of spreadsheets that all look alike and heard the same from even more customers. They pretty much all start on the second Tuesday of the month with all of the subsequent execution happening with that as the anchor. +1 day test group 1, +3 days test group 2, +5 days dev group 1, +9 days dev group 2, + 11 days Prod 1, etc. The problem with this is in the Outlook style scheduling.

WUB WUB WUB and Windows 10


Did you know that WUB is the new UNTS in Electronica Dubstep?  I’m more of a Rock n Roll kinda guy myself, so news to me! Today I want to talk about WUB, but a different kind of WUB.  Windows Update for Business.

There are a lot of vague announcements, and a myriad of conclusions from security experts and the media, regarding recent Microsoft news about the upcoming release of Windows 10 and the introduction of Windows Update for Business.