September Patch Tuesday 2016


Patch Tuesday September 2016

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post.  This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen in under the new model and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things to don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves fives vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for exchange server that resolves three vulnerabilities. In reality, this update addresses more, as it includes Oracle Outside in Libraries which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system. Flash Player and plug-ins for IE, Chrome, and FireFox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.



June Patch Tuesday 2016


I am chilling up in Daresbury, UK this Patch Tuesday, so instead of working through lunch I am working through dinner. ROOM SERVICE! There are two not so very surprising events this evening. First, it is raining in the UK. Second, Adobe Flash Player has a zero day! Like I said, no surprises. CVE-2016-4171 was observed in limited, targeted attacks by Anton Ivanov and Costin Raiu of Kaspersky Lab. Adobe has announced an imminent release of Adobe Flash Player as early as Thursday June 16, so expect that to come later this week.

Of course, along with a Flash Player update, you should also expect updates to Chrome, Firefox and IE to support the latest plug-in. Also of note, Adobe has announced that the Flash Player distribution page will be decommissioned on June 30, 2016. The urging is for companies to distribute Flash Player to get a proper enterprise agreement in place to distribute Flash Player. Most of you, however, are only concerned with updating Flash Player instances in place for any reason other than your willingness to distribute it intentionally.

For personal use, users are directed to go to  Businesses looking to distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. For more instructions, go to

Microsoft has released 16 bulletins currently, but with Flash Player releasing later this week there will be 17 total. Of the current 16, five are rated as critical, and the Flash for IE bulletin will also be critical. Altogether, Microsoft is addressing 36 unique vulnerabilities. The overall count across all bulletins is 44, but some of these are across common components used by many products.

I am going to talk about two things in particular in many of the bulletins below. User targeted vulnerabilities and vulnerabilities where privilege management can mitigate the impact if exploited.

User-targeted vulnerabilities are vulnerabilities that would require an attacker to convince the user to click on specially crafted content like an ad in a webpage or an attacked image or PDF. The exploited would be embedded in this specially crafted content allowing the attacker to exploit a vulnerability in the software that is rendering the file. This is a common form of attack to gain entry to a network, since all the attackers need is enough users in that network before they will convince one of them to open their crafty content. Phishing research, described in the Verizon 2016 Breach Investigation Report, states that 23 percent of our users will open a phishing email and 11 percent will open the attachment. If an attacker finds a list of about 10 of your users, they have roughly 90 percent chance of exploiting one of them and getting into your network.

Privilege management can mitigate the impact if exploited. This is a case where the vulnerability does not give the attacker full rights to the system. Instead, they are locked into the context of the user who was logged in. This situation means that if the user is running as less than a full admin, the attacker will have limited capabilities to do anything nefarious.

Many of the bulletins released by Microsoft include vulnerabilities that fit one of both of these categories. MS16-063 is a critical update for Internet Explorer that includes fixes for 10 vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-068 is a critical update for the Edge browser that includes fixes for eight vulnerabilities. This update also includes one public disclosure (CVE-2016-3222). Public disclosures indicate a higher risk of being exploited, as an attacker has some foreknowledge of the vulnerability, giving them a head start on developing an exploit before you can get the update in place. Statistically, this puts it at higher risk of being exploited. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

MS16-069 is a critical update for Windows that includes fixes for Jscript and VBScript for three vulnerabilities. Several of these are targeting a user, and several can be mitigated by limiting user privileges to less than a full admin.

MS16-070 is a critical update for Office and Sharepoint that includes fixes for four vulnerabilities. Several of these are targeting a user and several can be mitigated by limiting user privileges to less than a full admin.

The last of the critical updates this month, MS16-071, is an update in DNS, which includes one fix.

There are three more bulletins of note. Each of these includes a vulnerability that has been publicly disclosed.

MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230). These are all rated as important, but due to the public disclosures, they should warrant more immediate attention.

For a deeper dive into the full Patch Tuesday release, join me tomorrow for the Shavlik Patch Tuesday webinar. I will have a special guest, Gary McAllister from AppSense, who will be discussing concerns around user targeted vulnerabilities and vulnerabilities that can be mitigated with proper privilege management.

Flash Zero Day Closure, or maybe not…

FlashPlayerLogoIt was a confusing week for those tracking the Adobe Flash Player update.  Let me summarize what happened and what may still be lingering.

Flash Player did announce an Advisory on Patch Tuesday (APSA16-02) announcing a Zero Day vulnerability (CVE-2016-4117) which was detected in exploits in the wild.  The update for the Zero Day did not drop on Patch Tuesday.  Instead it was released on Thursday this week (May 12th) as bulletin APSB16-15.

As many of you are familiar with already, updating Adobe Flash Player is not a simple matter of updating a single product.  If you are running Internet Explorer, Chrome and Firefox and are using the Flash Player Plug-In you could have three more variations of Flash Player that need updating to fully resolve the vulnerabilities in a new release.  That is where the confusion set in this week.

On Patch Tuesday, Microsoft released MS16-064, which was the Critical update for Adobe Flash Player as it is bundled in Windows OS and IE versions.  This update documented the 24 fixes initially planned for release by Adobe in bulletin APSB16-15, but did not include the Zero Day vulnerability (CVE-2016-4117).  Today (Friday May 13th) Microsoft re-released MS16-064 to address the slight version update that included the exploited vulnerability.

What is a bit uncertain at the moment is Chrome.  When Flash Player updates occur, Chrome also needs to be updated to support the newer version of the Flash Player Plug-In.  The Chrome update this week came out before the Flash Player Zero Day was resolved.  Does this mean that they are only supporting the initial drop similar to Microsoft releasing on Patch Tuesday?

I will be doing my typical Patch Tuesday Round Up next week and will try to have answers by then on if there is still a bit of Zero Day hanging on the spring breeze or if we are good.

For updates like this and more relating to Patch Tuesday check out our webinars page for upcoming Patch Tuesday webinars and on-demand playback of previous Patch Tuesday webinars and presentations for download.

May Patch Tuesday 2016

ShavlikMay_PATCH02fMay’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053).  Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update?  Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?

In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.

Today, Adobe released bulletins for Adobe Reader, Cold Fusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.

MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188).  The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.

It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS its installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.

MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited (CVE-2016-0189).  This OS update is another that’s recommended to rollout as quickly as possible this month as it affects older versions of the OS and VMScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks such as a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.  The attacker gains privileges equal to the logged on user, so running as less than administrator will mitigate the impact of exploit.

The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.

MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server.  On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.

Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.

Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.

With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player, Flash Plug-Ins in Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and for FireFox.

Join us tomorrow for the May Patch Tuesday webinar where we will discuss the bulletins in more detail.

Remove Apple Quicktime from your Windows systems


Apple has announced the end of availability for QuickTime 7 on Windows systems. In their announcement they explained their reason for pulling support:

“QuickTime 7 for Windows is no longer supported by Apple. New versions of Windows since 2009 have included support for the key media formats, such as H.264 and AAC, that QuickTime 7 enabled. All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows.”

To add to this, there are two known vulnerabilities that will go unpatched for QuickTime 7 on Windows which elevates the need to remove it. While the vulnerabilities are not being exploited, to anybodies’ knowledge, security experts are calling for removal of QuickTime as quickly as possible and are treating these two vulnerabilities as Zero Days since they have been disclosed and will never be fixed.

In response to this, Shavlik is creating uninstallers for our customers to find and remove QuickTime.


March Patch Tuesday Round-Up

MarchPatchTuesday2016SumThings were going too smoothly this month, but it did not take long to accumulate some curve balls to make your March patching more interesting.

As we expected, Flash was very close to a release on Patch Tuesday. It’s here and with it Microsoft has released MS16-036, which is the Flash plug-in for Flash Player Security Bulletin. Also, expect ANOTHER Google Chrome update to support the latest Flash plug-in version there as well.

Ok, so APSB16-018: Adobe Flash Player contains 23 vulnerabilities, several of which are critical in nature, but lets focus in on CVE-2016-2010. This vulnerability was reported as being used in limited, targeted attacks. ZERO DAY!

Next lets talk about a stealthy addition to the IE cumulative security update this month. Microsoft has added in another GWX trigger, so your users will get a dialog to upgrade to Windows 10. Check out this post by Rod Trent at WindowsITPro for details. The IE Cumulative KB page states that there are a number of non-security changes in this month’s cumulative and KB3146449 is in the list.

I have been keeping up with a thread on regarding this little stealth change, and I can say there are some very displeased people out there. As an aside, one of the comments on Rod Trent’s article recommended this writeup for blocking GWX. We are in no way affiliated with them and I have not personally tested this, but I thought I would share it as I expect people will be looking for ways to prevent their users from getting the dialog at all.


January Patch Tuesday 2016


January 2016 is going to be anything but boring. Microsoft has a large lineup of updates. The bulletin list opens up 2016 with 10 bulletins — minus one. MS16-009 has been skipped and Microsoft went to MS16-010 instead. Is that a small joke relating to Windows 9 skipping to Windows 10? Maybe Microsoft doesn’t like the number nine for some reason. That oddity aside, Microsoft released six critical, three important and six public disclosures, along with a total vulnerability count of 26 resolved for January Patch Tuesday.

Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of lifes for Internet Explorer and Windows XP Embedded. Adobe announced a bulletin for Reader with an additional non-security release of Shockwave and Oracle is gearing up for its quarterly CPU, so expect Java to release next Tuesday, January 19.

Microsoft System Updates and End of Life Scheduling

Jan. 12 is a significant milestone for Internet Explorer support. Microsoft is releasing a final update for all supported IE versions, but after January it will only support the latest available for each Operating System. This means that for anything Windows 7 SP1 and later, you must be on IE 11 to continue receiving updates. There are a few exceptions for older operating systems that only supported up to IE 9 or 10. If you are still running applications or access sites that require IE 10 or earlier versions, you should plan to take some precautions. Restrict access to systems with outdated IE versions, virtualize them and close them off from direct Internet access. In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet, you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session.

Windows XP Embedded SP3 is also reaching its end of life today. It will be followed in a few months by Windows XP Embedded Point of Sale SP3, which is due to end on April 12. Retailers will start to sweat if you are still on those platforms after that date.

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. I am guessing there will be those who look into the registry hack that was used to trick Windows XP into thinking it was Windows XP Embedded POSReady 2009. If you have no other recourse, you may roll the dice on that, since POSReady 2009 is really just another distribution of Windows XP Embedded. Moving off of the end of lifed platform is still the best option though.

Oracle’s quarterly CPU is coming on Jan. 19. I mention it now as those of you running Java will definitely want to plan to roll that update out when it arrives next week as well. In 2015, the lightest of the Java updates included 14 CVEs, all of which were remotely executable without authentications. The rest had 19–25 vulnerabilities resolved with more than 15 being remotely executable without requiring credentials.

Microsoft January Bulletins

MS16-001 and MS16-002 are updates to Microsoft’s Internet Explorer and Edge browsers. Both are rated as critical, resolving two vulnerabilities each. The IE patch includes a public disclosure (CVE-2016-005), which puts it at a higher risk of being exploited.

MS16-004 is an update for Microsoft Office and Visual Basic. The bulletin is rated critical and resolves six vulnerabilities including two public disclosures (CVE-2016-0035, CVE-2015-6117).

MS16-005 is a critical update for the Windows Operating System resolving two vulnerabilities including one public disclosure (CVE-2016-009). This is also a Kernel-Mode Driver update. Thorough testing is always recommended. If an application patch goes wrong you can just reinstall, but if a kernel patch goes wrong it will be more severe.

MS16-007 is an important update for Microsoft Windows, which resolves six vulnerabilities including two public disclosures (CVE-2016-0016, CVE-2016-0018). There are a few known issues with this update. To be fully protected you also need to have MS16-001 for Internet Explorer. Windows 10 users who have Citrix XenDesktop should be aware that installing this update will prevent login. Microsoft recommends users uninstall XenDesktop and installing this bulletin, then follow up with Citrix for a fix for XenDesktop.

The way the issue is worded on the bulletin page makes it sound like Microsoft’s methods of updating Windows 10 (Windows Update, WSUS, SCCM) will not offer this update if XenDesktop is installed. It states “Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update.” So, if Windows 10 updates are all bundled, cumulative updates, this would mean that the January cumulative for Windows 10 would not be installed. That means all five bulletins that would affect Windows 10 would go unpatched until the issue is resolved.

MS16-008 is only rated as Important and no public disclosures, but it is a Kernel patch addressing Elevation of Privilege vulnerabilities. Thorough testing is recommended before rollout.

MS16-009 did not drop yet. This could mean it will not arrive until February, or it could come out of band. The last time we saw a bulletin be skipped in the order was an SQL update that dropped between Patch Tuesdays. Keep an eye out for this one in case it comes late. It will likely be a high priority if that is the case.

MS16-010 is an important update for Microsoft Exchange. No public disclosures or known issues, so recommendation is thorough testing and rollout in a timely manner.

Third Party Bulletins

Adobe has released one bulletin this month. APSB16-002 for Adobe Reader is a Priority 2 update resolving 17 vulnerabilities. The only other update from Adobe today was an update for Shockwave, which did not have an accompanying bulletin. APSB16-001 for Adobe Flash actually first dropped in late December with a re-release the next day resolving an Active-X issue. That release likely came early due to a known exploit in the wild (CVE-2015-8651). Ensure that the Flash update is rolled out if you have not already done so.

Join us tomorrow for the January Patch Tuesday webinar where we will discuss the bulletins in more detail.


December Patch Tuesday 2015


December Patch Tuesday is upon us. Let’s see if we have presents under the tree or coal in our stockings…

Microsoft has released 12 bulletins, eight of which are Critical, resolving a total of 71 vulnerabilities. Adobe released a whopper of a Flash update resolving 78 vulnerabilities. Google Chrome is dropping today as well. Aside from an update for the Flash Player plug-in and its 78 security fixes, there are reportedly security fixes coming for the browser as well.

While Microsoft has quite the lineup this month, it didn’t quite catch Adobe’s 78 vulnerabilities resolved for the month. They did, however, have one public disclosure (CVE-2015-6175), and two vulnerabilities exploited in the wild (CVE-2015-6175, CVE-2015-6124). Here are the highlights for Microsoft:

MS15-0124 is a critical update for Internet Explorer with 30 vulnerabilities resolved in total. Also of note, Internet Explorer supported versions will be changing quite a bit in January. After January 12, 2016, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. Time to check your browser versions across the enterprise and compare to the versions listed in this blog post:

MS15-125 is a critical update for Edge with 15 vulnerabilities resolved. This update will be included with six others in the December Windows 10 Cumulative Security Update.

MS15-128 is a critical update for Windows, .Net Framework, Office, Skype, Lync and Silverlight, resolving three vulnerabilities. This is a Microsoft Graphics Component update, which is a shared library that affects many applications. Expect many variations of this update to affect the same system for each product you have installed that is affected.

MS15-131 is a critical update for Microsoft Office, resolving six vulnerabilities. This bulletin includes a fix for CVE-2015-6124, which has been detected in exploits in the wild. The vulnerability takes advantage of a failure to properly handle objects in memory. If exploited, the attacker could run arbitrary code in the context of the user. Least privilege policies would help mitigate the impact if exploited by limiting what the attacker could do. This vulnerability can be exploited in web-based attacks using specially crafted content designed to exploit the vulnerability.

MS15-135 is an important update for Microsoft Windows, which resolves four vulnerabilities. This bulletin includes a fix for CVE-2015-6175, which has been publicly disclosed and also has been detected in exploits in the wild. While this is only rated as important, we recommend treating this as a high priority. This update resolves Kernel memory handling. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. At that point they could install programs, view, change or delete data or create new accounts with full user rights. This is a Kernel update, so thorough testing is highly recommended.

Windows also released its Windows 10 December Cumulative Update (3116869). This update includes seven bulletins: MS15-124, MS15-125, MS15-126, MS15-128, MS15-132, MS15-133 and MS15-135. This update includes five critical bulletins and MS15-135, which includes CVE-2015-6175. This vulnerability has been publicly disclosed and detected in exploits in the wild.

APSB15-32 is a Priority 1 update for Adobe Flash Player, resolving 78 vulnerabilities. This bulletin includes a large number of code execution vulnerabilities and a few security feature bypass vulnerabilities. To fully resolve these vulnerabilities you need to ensure you update Flash Player on the OS, as well as the plug-in in your browsers. You will need to update IE, Chrome and Firefox plug-ins to fully ensure these vulnerabilities are resolved.

Google has also released an update to Chrome resolving at least 7 vulnerabilities by initial reports from Google. It will also include support for the Flash Player plug-in and the 78 vulnerabilities resolved there. This is recommended to be a high-priority update this month.

Join us tomorrow for the December Patch Tuesday webinar where we will discuss the bulletins in more detail.

August Patch Tuesday Round-Up

Patch Tuesday + 8 days. Another big month from Microsoft, but it has continued past Patch Tuesday including a Zero Day IE update (MS15-093). Recapping the risks we have seen this month, there are now three exploited vulnerabilities from Microsoft for August. Two vulnerabilities have been publicly disclosed which increases the risk of exploit. Altogether, this is a busy month once again.

Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll-out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday update and two additional cumulative since Patch Tuesday (KB3081436, KB3081438 which was the fix for the reboot loop, and KB3081444).

Here is the August summary:



For full playback of the August Patch Tuesday Webinar or to sign up for future Patch Tuesday Webinars check out our Webinars page.

July Patch Tuesday Round-Up

Patch Tuesday + 8.  It was a large one this month.  Initially there were four Critical updates from Microsoft, but a fifth Critical released on July 20th as an out of band.  MS15-078 was discovered in the 400GBs of data from the Hacking Team breach.  The fact that the data was part of the breach means that CVE-2015-2426 has been publicly disclosed.  8 public disclosures and depending on how you score them, there are now 7 Zero Days in the lineup of updates this month.  Java is plugging one, Flash is plugging two, and Microsoft now as four (three already exploited and the fourth resolved by MS15-078).   See the summary of updates below for details.