Time to install Microsoft's mainstream September patches – and avoid the dregs

Credit to Author: Woody Leonhard| Date: Wed, 02 Oct 2019 11:00:00 -0700

Post-retirement Windows 7 patches: Not just for the big dogs now

Credit to Author: Gregg Keizer| Date: Wed, 02 Oct 2019 05:29:00 -0700

Microsoft on Tuesday changed its plans for selling Windows 7 post-retirement support, saying that it will offer patches-for-a-price to any business, no matter how small, that’s willing to pay.

“Through January 2023, we will extend the availability of paid Windows 7 Extended Security Updates (ESU) to businesses of all sizes,” Jared Spataro, an executive in the Microsoft 365 group, wrote in a post to a company blog.

Microsoft had announced the ESU program in September 2018. Since April, when the company started selling ESU, only customers with volume licensing deals for Windows 7 Enterprise or Windows 10 Professional have been eligible to purchase the support add-on.

Microsoft Patch Alert: Botched IE zero-day patch leaves cognoscenti fuming

Credit to Author: Woody Leonhard| Date: Mon, 30 Sep 2019 10:16:00 -0700

So you think Windows 10 patching is getting better? Not if this month’s Keystone Kops reenactment is an indicator.

In a fervent frenzy, well-meaning but ill-informed bloggers, international news outlets, even little TV stations, enjoyed a hearty round of “The Windows sky is falling!” right after the local weather. It wasn’t. It isn’t – no matter what you may have read or heard.

The fickle finger of zero-day fate

Microsoft has a special way of telling folks how important its patches might be. Every individual security hole, listed by its CVE number, has an “Exploitability Assessment” consisting of:

What do we know about the big, scary, exploited, emergency-patched IE security hole CVE-2019-1367?

Credit to Author: Woody Leonhard| Date: Wed, 25 Sep 2019 07:29:00 -0700

Microsoft rushes out fix for Internet Explorer zero-day

Credit to Author: John E Dunn| Date: Wed, 25 Sep 2019 11:48:58 +0000

Microsoft has rushed to patch two flaws affecting IE versions 9 to 11, one of which the company says is being exploited in real attacks.

Microsoft releases emergency IE patches inside 'optional, non-security' cumulative updates

Credit to Author: Woody Leonhard| Date: Tue, 24 Sep 2019 12:13:00 -0700

I’ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed – the patching files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.

On a Monday.

In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They’re “optional non-security” and “Monthly Rollup preview” patches, so you won’t get them unless you specifically go looking for them.

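The point of the previous paragraph is that an "optional, non-security" or "preview" package is never pushed by Automatic Updates, so you have to confirm for yourself whether the fix reached a machine. The following PowerShell is an added example, not code from the article: it lists what the Windows Update agent considers pending for this machine, flagging the optional ones (the agent marks those `BrowseOnly`), and separately checks whether given KB numbers are already installed. The KB numbers are supplied by the caller; the article does not name them, so none are hard-coded here.

```powershell
# Added example, not from the article. Run in an elevated PowerShell on the
# machine you are checking; it talks only to the local Windows Update agent.
function Get-PendingUpdateStatus {
    # "IsInstalled=0" returns every update applicable to this machine that is
    # not yet installed, including the optional ones Automatic Updates skips.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0")

    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title        = $u.Title
            KB           = (@($u.KBArticleIDs) -join ',')
            OptionalOnly = $u.BrowseOnly      # $true: you must go looking for it
            Severity     = $u.MsrcSeverity    # blank for "non-security" packages
        }
    }
}

function Test-KbInstalled {
    # KB numbers as digits only (e.g. '1234567'); assumption: the caller takes
    # them from the Microsoft Update Catalog entry for their OS and IE version.
    param([Parameter(Mandatory)][string[]]$KbIds)
    foreach ($kb in $KbIds) {
        $hf = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KB          = "KB$kb"
            Installed   = [bool]$hf
            InstalledOn = $(if ($hf) { $hf.InstalledOn })
        }
    }
}

# Usage:
#   Get-PendingUpdateStatus | Where-Object OptionalOnly | Format-Table -AutoSize
#   Test-KbInstalled -KbIds $kbNumbersFromCatalog
```

A package that shows up with `OptionalOnly` set to `$true` is exactly the case the article describes: it is applicable, it is not installed, and nothing will install it unless someone selects it deliberately or it is approved through WSUS or another management channel.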
Microsoft delivers emergency security update for antiquated IE

Credit to Author: Gregg Keizer| Date: Tue, 24 Sep 2019 03:00:00 -0700

Microsoft on Monday released an emergency security update to patch a vulnerability in Internet Explorer (IE), the legacy browser predominantly used by commercial customers.

The flaw, which was reported to Microsoft by Clement Lecigne, a security engineer with Google’s Threat Analysis Group (TAG), has already been exploited by attackers, making it a classic “zero-day,” a vulnerability actively in use before a patch is in place.

In the security advisory that accompanied the release of the IE patch, Microsoft classified the bug as a remote code execution (RCE) vulnerability: an attacker who gets a user to open a specially crafted web page can run arbitrary code in the browser with that user's privileges. RCE flaws are among the most serious. That seriousness, as well as the fact that criminals are already leveraging the vulnerability, was reflected in Microsoft's decision to go "out of band," or off the usual patching cycle, to plug the hole.

Heads up: Microsoft is back to snooping with this month’s Win7 and 8.1 'security-only' patches

Credit to Author: Woody Leonhard| Date: Thu, 12 Sep 2019 09:32:00 -0700

Two months ago, the July Win7 security-only patch was found to install telemetry software, triggered by newly installed scheduled tasks called ProgramDataUpdater, Microsoft Compatibility Appraiser, and AitAgent. As best I can tell, Microsoft never admitted that its security-only patch dropped a telemetry component.

The August security-only update didn’t include that bit of snooping, so it looked like the July snooping was a one-off aberration.
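Since a "security-only" package can quietly add scheduled tasks, the practical check after each month's patching is to look for those tasks by name. The following PowerShell is an added example, not code from the article: it audits the three Application Experience tasks named above and, with `-Disable`, turns them off. It uses the Task Scheduler 2.0 COM API rather than the `ScheduledTasks` module so that it runs on Windows 7 as well as 8.1 and 10. The task names come from the article; the folder path is the standard location of those tasks and is an assumption on my part.

```powershell
# Added example, not from the article. Audits (and optionally disables) the
# telemetry-related scheduled tasks named in the text.
function Get-TelemetryTaskStatus {
    param(
        [string[]]$Names = @('ProgramDataUpdater', 'Microsoft Compatibility Appraiser', 'AitAgent'),
        # Assumed location of these tasks in the Task Scheduler tree.
        [string]$Folder  = '\Microsoft\Windows\Application Experience',
        [switch]$Disable   # requires an elevated prompt
    )
    $stateNames = @{ 0 = 'Unknown'; 1 = 'Disabled'; 2 = 'Queued'; 3 = 'Ready'; 4 = 'Running' }
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    $dir = $svc.GetFolder($Folder)

    foreach ($n in $Names) {
        try   { $t = $dir.GetTask($n) }
        catch {
            # Not present: the patch did not (re)create it on this machine.
            [pscustomobject]@{ Task = $n; Present = $false; Enabled = $null; State = $null; Command = $null; LastRun = $null }
            continue
        }

        if ($Disable -and $t.Enabled) { $t.Enabled = $false }

        # Each IExecAction exposes Path (the binary) and Arguments (its command line).
        $cmd = ($t.Definition.Actions | ForEach-Object { "$($_.Path) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{
            Task    = $n
            Present = $true
            Enabled = $t.Enabled
            State   = $stateNames[[int]$t.State]
            Command = $cmd
            LastRun = $t.LastRunTime
        }
    }
}

# Usage:
#   Get-TelemetryTaskStatus | Format-Table -AutoSize
#   Get-TelemetryTaskStatus -Disable    # re-run after each month's patch
```

The `Command` column is the useful part of the report: it shows which binary each task launches, so you can see what the task actually does rather than trusting the name. Disabling a task is not permanent protection; a later package can re-enable or re-create it, which is why the check belongs in the post-patch routine rather than being run once.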

September 2019’s Patch Tuesday: 2 zero-days, 17 critical bugs

Credit to Author: John E Dunn| Date: Thu, 12 Sep 2019 11:33:58 +0000

Sometimes, a Patch Tuesday update arrives with a bang that sends users scrambling for cover. September's update earns that description.
