boot13Next Tuesday Microsoft plans to publish 16 Security Bulletins, five of which are flagged as Critical. The updates affect Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).
Category Archives: Internet Explorer
Patch Tuesday for October 2014
Yesterday saw eight security bulletins and associated patches from Microsoft, as well as two new versions of Java from Oracle, and a new version of Adobe Flash.
The Microsoft updates include three flagged Critical. The updates address twenty-four CVEs in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer. A post on the MSRC blog provides a good overview.
Two new versions of Java from Oracle address as many as 25 security vulnerabilities in Java 7 and 8. If you’re using a web browser with Java enabled, you should install Java SE 8 Update 25 and/or Java SE 7 Update 72 as soon as possible. Unfortunately, Oracle has made things a bit confusing by saying that you should install SE 7 Update 72 only if you are being affected by the issues fixed in that version, and otherwise to install Update 71. Our recommendation is to install Update 72.
The new version of Flash is 15.0.0.189, and it includes fixes for at least three security vulnerabilities. If you’re like most people and use a browser with Flash enabled, you should update to the new version as soon as possible.
Advance notification for October MS updates
Next week’s Patch Tuesday will see nine bulletins and associated updates from Microsoft. Three of the updates are flagged Critical. The updates will affect Windows, Internet Explorer, .NET, Office and ASP.NET.
Flash version 15.0.0.167 for Internet Explorer
Yesterday Adobe released Flash 15.0.0.167 for Internet Explorer on Windows. No other platforms are affected. The new version fixes one specific bug that caused video failures in certain cases.
This is not a security-related update.
Patch Tuesday for September 2014
This month’s crop of updates from Microsoft includes four security bulletins, addressing 42 CVEs in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. The update for Internet Explorer is Critical, and should be installed ASAP.
From Adobe, we get another new version of Flash, 15.0.0.152. The new version addresses memory leakage vulnerabilities that could be used to bypass memory address randomization (CVE-2014-0557), a security bypass vulnerability (CVE-2014-0554), a use-after-free vulnerability that could lead to code execution (CVE-2014-0553), memory corruption vulnerabilities that could lead to code execution (CVE-2014-0547, CVE-2014-0549, CVE-2014-0550, CVE-2014-0551, CVE-2014-0552, CVE-2014-0555), a vulnerability that could be used to bypass the same origin policy (CVE-2014-0548), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2014-0556, CVE-2014-0559). Anyone still using Flash, especially within a web browser, should update immediately.
Google Chrome and Internet Explorer on Windows 8.x will be updated automatically to include the new version of Flash.
August Patch Tuesday for Microsoft software
Time once again to crank up Windows Update and patch your Windows computers. As expected, this month’s batch includes nine bulletins with associated updates for SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer. Two Critical updates affect Windows and Internet Explorer.
Related information from Microsoft:
Advance notification: Microsoft updates for August
Another month, another pile of patches from Microsoft. This month the updates will become available starting about 10am PST on August 12. According to the official advance notification, there will be nine security bulletins, with associated updates for Windows, Internet Explorer, .NET, SharePoint, OneNote and SQL Server. Two are rated critical.
Microsoft issues emergency update of Certificate Trust List
A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.
Microsoft was quick to react, issuing an update of their Certificate Trust List on July 10. Anyone using Internet Explorer should install the update as soon as possible.
Flash 14.0.0.145 fixes more security vulnerabilities
These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.
The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.
As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.
Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.
July Patch Tuesday for Microsoft software
As expected, there are six bulletins and associated patches this month. The updates affect Windows and Internet Explorer. Two are rated Critical. A total of 29 CVEs (Common Vulnerabilities and Exposures) are addressed. The MSRC post for this month’s updates has additional information.