patch tuesday


Overview: From the Yes, You Really Should Upgrade Department, FortiGuard Labs has discovered a third Microsoft Office vulnerability that is rolled into today's Patch Tuesday updates. For a bit of variety, this is a double free vulnerability in Word 2007 and 2010. The vulnerability occurs when Word fails to validate that a pointer was already released before attempting to release it again, causing conditions that attackers could leverage to achieve remote code execution scenarios. The underlying problem involves an internal structure... [Read More]
by Kai Lu  |  Dec 08, 2015  |  Filed in: Security Research
Overview: Microsoft Patch Tuesday continues with another FortiGuard vulnerability disclosure, this time affecting Microsoft Excel. For a bit of background on Microsoft Office in general and Office 2007 in particular, check out today's first disclosure. In this case, a memory corruption vulnerability has been discovered in Microsoft Excel 2007. The vulnerability exists due to an error while the vulnerable software attempts to open a specially crafted Excel file. As with the other disclosures today, this vulnerability could lead... [Read More]
by Kai Lu  |  Dec 08, 2015  |  Filed in: Security Research
Overview: Microsoft Office is the most popular productivity suite in the world, first released by the Redmond software giant in 1988. Microsoft releases updates and patches for its software, including Office, on what is now commonly known as Patch Tuesday (the second and sometimes the fourth Tuesday of each month). Today, Patch Tuesday includes not one, not two, but three vulnerabilities discovered by researchers at FortiGuard Labs. The first is a heap overflow vulnerability in Microsoft Word 2007. Although it was released eight years ago, Office... [Read More]
by Kai Lu  |  Dec 08, 2015  |  Filed in: Security Research
Another Patch Tuesday is upon us, and both Microsoft and Adobe have pushed out updates to fix issues with multiple products. Microsoft: Microsoft released nine updates today to address 37 CVEs. These updates impact Windows, Internet Explorer, .NET, OneNote, SharePoint, and SQL Server. Two of the nine updates are rated Critical, and may allow for Remote Code Execution. The remaining patches are rated Important. It's very important that you update your systems as quickly as possible, but if you need to prioritize, make patching the two Critical... [Read More]
by Richard Henderson  |  Aug 12, 2014  |  Filed in: Industry Trends
The Isolated Heap for DOM objects included in the Microsoft Patch Tuesday for June 2014 was just a fire drill aimed at making the exploitation of use-after-free (UAF) vulnerabilities more difficult. The patch for July 2014, however, has been quite a shock to exploit developers! In this release, Microsoft showed some determination in fighting back against UAF bugs with this improvement - the introduction of a new memory protector in Microsoft Internet Explorer, which would make exploitation of UAF vulnerabilities extremely difficult. An Overview... [Read More]
by Zhenhua 'Eric' Liu  |  Jul 16, 2014  |  Filed in: Security Research
Last month, I blogged about Microsoft's monthly Patch Tuesday updates and how it spelled the end for Windows XP. Of course, as many speculated... it wasn't quite the end of the road for XP updates. A critical flaw found in Internet Explorer being actively used in the wild was worrisome enough to Microsoft that they pushed an IE update to include Windows XP users. You can read more about that bug, how it works, and what was done here. Personally, this author wasn't surprised it happened that way - as many sites reported, there are plenty of... [Read More]
by Richard Henderson  |  May 12, 2014  |  Filed in: Industry Trends
Over twelve years ago, Microsoft released to the world what has arguably been the most successful and famous Operating System ever created: Windows XP. The "new" Windows eXPerience was a significant step up from the desktop versions of Windows before it. While Windows 95, 98 and ME were basically versions of Windows running on top of Microsoft's stalwart MS-DOS, the new version of Windows brought the much more stable and robust underpinnings of their NT (New Technology) operating system to the desktop. Users rejoiced at the time. Less blue screens!... [Read More]
by Richard Henderson  |  Apr 08, 2014  |  Filed in: Industry Trends
This month we have patches from Adobe, Microsoft and Oracle launching today. Microsoft: Microsoft published their monthly advanced notification for critical and important patches, and this month there are four patches: MS14-001 - Rated Important - affects Microsoft Office and Microsoft Server Software: may allow remote code execution. Patch may require a reboot. MS14-002 - Rated Important - affects Windows: may allow elevation of privilege. Patch requires a reboot. MS14-003 - Rated Important - affects Windows: may allow elevation of privilege.... [Read More]
by Richard Henderson  |  Jan 14, 2014  |  Filed in: Industry Trends
Microsoft published their monthly advanced notification for critical and important patches, and this month Microsoft will deploy patches that cover Windows, Office, Outlook, Internet Explorer, SharePoint and FrontPage. Microsoft will make 14 patches available for their customers. The patches will be made available to the general public this Tuesday, September 10. Bulletin 1: Rated Critical - affects Office and Server software: may allow remote code execution. Patch may require a reboot. Bulletin 2: Rated Critical - affects Office: may allow... [Read More]
by Richard Henderson  |  Sep 08, 2013  |  Filed in: Industry Trends
Yesterday Oracle released a whopping 89 fixes to many of their products, 27 of which could allow remote code execution. In Eric Maurice's post (Mr. Maurice is Oracle's Director of Software Security Assurance), he outlines some of the most important fixes: - 6 fixes target Oracle Database, one of which allows remote exploitation without any authentication. CVE-2013-3751 goes into detail about the exploit. - 21 fixes target Oracle Fusion Middleware, of which 16 allow remote unauthenticated exploit. Some of these are related to CVE-2013-2461, which... [Read More]
by Richard Henderson  |  Jul 17, 2013  |  Filed in: Industry Trends