November Patch Tuesday - It looks like the "Turkey" came a little early this year — 14 Patches that include 4 Critical, 8 Important, 2 Moderate and we also have a Security Advisory for Flash in IE for desert.
Lets look at the details:
- MS14-064 Mitigates Critical vulnerabilities in Windows OLE Could Allow Remote Code Execution. It addresses 2 CVE related issues that were reported privately however CVE-2014-6352 has been used in limited, targeted attacks in the wild. The Microsoft Exploitability Index (XI) for this issue is 0.
- MS14-065 Is a Cumulative Security Update that mitigates Critical vulnerabilities in Internet Explorer. It addresses 17 CVE related issues - the issues were reported privately and has not been seen in the wild. The Microsoft Exploitability Index (XI) for this issue is 1.
- MS14-066 Mitigates a Critical vulnerability in Schannel that could allow Remote Code Execution. It addresses 1 CVE related issue that was
In The Shadow Of Shell Shock - Microsoft October Patch Tuesday Brings 9 Bulletins
Most of us in IT / Flaw Remediation are still struggling with the varied responses from vendors regarding the Shell Shock issue. This Patch Tuesday from Microsoft we have 9 bulletins — 1 Moderate, 5 Important and 3 Critical. While Octobers patches address 24 CVE issues none are reportedly being used in the wild for IE and only limited attacks have been seen in the wild with MS14-058.
Looking at the details:
- MS14-056 is a Cumulative Security Update for IE, it is rated critical and mitigates 14 CVE related issues.
- MS14-057 mitigates a Critical issue that impacts the .NET Framework and could Allow Remote Code Execution. This patch mitigates 3 CVE related issues.
- MS14-058 mitigates a Critical issue in Kernel-Mode Driver that could Allow Remote Code Execution. This patch mitigates 2 CVE
In the wake of the iCloud celebrity photo hack, expert Keith Palmgren offers advice on how to build more effective passwords and avoid easy data breaches.
For more than 40 years, the IT industry has been fighting the password battle and losing. The recent celebrity iCloud hack is just one of many high-profile examples of our failure. So how can something so seemingly simple, like a password, be so difficult?
The problem with password security is that it is so simple, that it is actually paradoxically hard. In security, the most dangerous thing in the world is what you think you know, because then you don't question your knowledge. If you ask a typical IT security professional if they understand passwords, the vast majority will respond with a confident and emphatic "Yes." But if that were really true, why are
The SANS 'Securing Windows with the Critical Security Controls' course (SEC505) will be offered at the December conference in Washington DC.
It's Back To School - With An Exceptionally Light Patch Tuesday
This Patch Tuesday is a welcome light one with only a single critical issue in the Cumulative update for Internet Explorer and only three important issues. Back in September 2013 we saw a much larger IT work load with 13 bulletins — 4 critical and 9 important.
Looking at the details this Patch Tuesday, we have MS14-052 that is the cumulative update for Internet Explorer, which is rated as Critical and that handles mitigations for 37 CVE, related issues. Microsoft has recently updated their Exploitability Index and indicates that for this Internet Explorer patch, Microsoft has seen exploits; hence this patch is for most environments a very high priority.