It was a relatively low-key year-ender for Microsoft’s Patch Tuesday, as the company’s monthly release of updates was relatively light in terms of noteworthy vulnerabilities. With that said, there were still a few notable vulnerabilities that were addressed.Read More
Microsoft rolled out fixes for over 50 security issues in this month’s Patch Tuesday. The updates cover vulnerabilities and bugs in the Windows operating system, Internet Explorer (IE), Edge, ASP .NET Core, Chakra Core browsing engine, and Microsoft Office. Microsoft also released a security advisory providing defense-in-depth mitigations against attacks abusing the Dynamic Data Exchange (DDE) protocol in light of recent attacks misusing this feature.
Abusing DDE isn’t new, but the method has made a resurgence with reports of cyberespionage and cybercriminal groups such as Pawn Storm, Keyboy, and FIN7 leveraging it to deliver their payloads.Read More
Microsoft’s Patch Tuesday for October addresses 62 vulnerabilities, 27 of which are critical and 35 important in terms of severity; many of these flaws can lead to remote code execution (RCE). Microsoft’s fixes are patches for features in the Windows operating system (OS) and Microsoft Office (including Office Web Apps), Skype for Business, Edge, Internet Explorer (including the Chakra Core browser engine), Exchange Server, and .NET development framework, among others. As per Microsoft’s previous advisories, this month’s Patch Tuesday also marks the end of support and patches/updates for Office 2007 and Outlook 2007.
Of note is Microsoft’s fix for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was publicly disclosed and reported to be actively exploited in the wild.Read More
Microsoft has released their monthly security bulletin—colloquially known as Patch Tuesday—for September. The most important update is one that addresses a zero-day vulnerability that exploits Microsoft Word to potentially allow attackers to execute code on the target system remotely.Read More
Microsoft has released their monthly security bulletin with 48 security patches—25 of which are labeled Critical, 21 are Important, and two are Moderate in severity. This was a standard batch of updates, addressing issues in Internet Explorer, Microsoft Edge, Windows, Microsoft SharePoint, Adobe Flash Player and Microsoft SQL Server.
A majority of the critical CVEs are Scripting Engine Memory Corruption Vulnerabilities, which is not surprising. Since April of this year, we’ve been seeing a steady increase in vulnerabilities for the Scripting Engine. Typically, in a web-based attack scenario, an attacker would leverage Scripting Engine vulnerabilities to create a malicious website and then maneuver users to visit the site. This current batch of critical vulnerabilities could result in remote code execution if exploited successfully.Read More