Microsoft released its monthly security patches, known as the Patch Tuesday updates. This month the company fixed 38 vulnerabilities across a large set of products. For the fourth month in a row, Microsoft patched a Windows OS zero-day vulnerability that was being exploited in the wild.
Just like in the last two months, this zero-day was being (ab)used in nation-state cyber-espionage operations. Just like last month, there were two cyber-espionage groups abusing this zero-day, and not just one, suggesting some sort of infrastructure sharing, or common leadership.
Read more about the patched Windows zero-day on ZDNet.
Microsoft today released patches for 63 vulnerabilities as part of its November Patch Tuesday update. Twelve of the bugs were deemed Critical, two were publicly known at the time of release, and one is reportedly under active attack.
The bug being exploited is CVE-2018-8589, a Windows Win32k elevation of privilege vulnerability. It was reported by researchers at Kaspersky Labs, a sign attackers are using it in malware, notes Dustin Childs of Trend Micro’s Zero-Day Initiative. Malware leverages kernel elevation bugs to escalate to admin mode, which gives it full control of a target system.
Read more about the latest Patch Tuesday fixes on DarkReading.
A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.
The vulnerability, which was a zero-day at the time of its disclosure in mid-September, raised some alarms, mainly due to the fact that the JET database engine is included in all versions of Windows, and provided attackers with a huge attack vector they could target. Microsoft shipped an update this past Tuesday. But according to Mitja Kolsek, co-founder of 0patch, the recent patch is incomplete, and an attacker can still exploit the original vulnerability.
Read more about the issues with Microsoft’s recent JET patch on ZDNet.
Microsoft’s monthly Patch Tuesday came with 49 security fixes and two advisories for Internet Explorer (IE), Microsoft Edge, Windows components, Microsoft Office and Office Services, Exchange, SQL Server, ChakraCore, Hyper-V, and .NET Core.
Twelve of the patched vulnerabilities are deemed Critical, 35 are categorized Important, one is Moderate, and one is considered Low severity. Three were known at the time their patches were released, and one is currently being exploited in active attacks. The bug being abused in attacks is CVE-2018-8453, a Win32k elevation of privilege vulnerability that exists in Windows when the Win32k component doesn’t properly handle objects in memory.
Read more about this month’s Patch Tuesday security fixes on DarkReading.
Microsoft’s Windows Patch Tuesday resolves a total of 60 vulnerabilities, 19 of which are critical, including two zero-day security flaws which are being actively used in attacks today. The Redmond giant published a security advisory detailing the latest round of updates.
The update impacts the Windows operating system, Internet Explorer, Microsoft Edge, Microsoft Office services and apps, ChakraCore, the .NET Framework, Microsoft Exchange and SQL Server, as well as Visual Studio. Security updates were also released for Adobe Flash Player.
Read more about the resolved vulnerabilities on ZDNet.
Microsoft issued a range of security patches today, including its anticipated exploit-mitigation update for the so-called Lazy FP State Restore vulnerability in Intel microprocessors.
Intel late last month disclosed Lazy FP State Restore (CVE-2018-3665), the latest speculative execution side-channel vulnerability to be discovered since the first two, Meltdown and Spectre. This class of microprocessor flaws lets an attacker steal data, including cryptographic secrets. Microsoft’s new mitigations for Lazy FP provide protections from the attack for Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and x64-based Windows 8.1 and 10.
Read more about the vulnerabilities fixed by Microsoft on Patch Tuesday on DarkReading.
Another Patch Tuesday, another mess for Microsoft, which has pulled update 3004394, aka “December 2014 update for Windows Root Certificate Program in Windows”.
Redmond says the patch “is causing additional problem on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates.”
Read more about Microsoft’s patch flip-flop and the phantom patch that even Google couldn’t find on The Register.
Adobe is expected to update its Reader and Acrobat software next Tuesday as part of its scheduled security updates, and the updates likely include patches for a Reader vulnerability disclosed this week by Google’s Project Zero.
Researcher James Forshaw, a well-known bug-hunter and Project Zero member, went public with details of a sandbox escape vulnerability in Reader as well as exploit code.
Read more about Adobe’s Tuesday patches, which will fix the sandbox escape, on Threatpost.
Microsoft today announced it will release seven security updates on Tuesday, three of them critical, to patch Internet Explorer (IE), Windows, various pieces of the Office suite, and the SharePoint and Exchange server software.
The Exchange update was originally intended to ship last month, but Microsoft pulled it at the last minute because of a problem with the installer package for Exchange Server 2013.
Read more about the latest Microsoft fixes, which will be released on Patch Tuesday in the coming week, on Computerworld.
Microsoft has issued a warning in the knowledge base article for the MS14-066 update released this past week. The company has provided a workaround, but is not recommending that users avoid the update or uninstall it.
The update fixed at least one critical vulnerability in Schannel, Microsoft’s implementation of SSL/TLS encryption. It has widely been considered highly critical and last week we urged users to apply the update as soon as possible.
But some users who apply the update are having serious problems. The issues occur in configurations in which TLS 1.2 is enabled by default and negotiations fail. When this happens, according to Microsoft, “TLS 1.2 connections are dropped, processes hang (stop responding), or services become intermittently unresponsive.” There may also be an event ID 36887 in the System event log with the description “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.”
Read more about Microsoft’s warning regarding its Schannel update on ZDNet.