Windows 10: Microsoft pushes out fixes for 17 critical flaws as part of Patch Tuesday updates

As part of Patch Tuesday Microsoft rolled out updates for all its previous Windows operating system. As is always the case with Patch Tuesday releases, Microsoft aims at pushing out fixes for some critical flaws. With today’s updates Microsoft has fixed not less than 61 security flaws which include fixes for 17 flaws rated as critical.

Microsoft has pushed out Patch Tuesday updates for its products Windows, Internet Explorer, Microsoft Edge, Office, ASP.NET and .NET Framework. The First important patch is for the ALPC Elevation of Privilege vulnerability which was disclosed earlier in the month.

The vulnerability termed as “ALPC Elevation of Privilege” can be exploited by the attacker by running the arbitrary code in the security context of the local system. The attacker will be able to install programs, view, change or delete data by getting access to full users rights.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system. The update addresses the vulnerability by correcting how Windows handles calls to ALPC”, Microsoft explains.

The Patch Tuesday updates also fixes three publicly disclosed vulnerabilities. The most important of the three publicly disclosed vulnerabilities is a “Denial of Service” which has been discovered in System.IO.Pipelines which can be exploited remotely, the company explains. Microsoft has flagged the flaw with an important severity rating.

Another vulnerability which is termed as “Scripting Engine Memory Corruption” hits Microsoft Edge and Internet Explorer on all supported Windows versions which allows the attacker to execute arbitrary code in the context of current user and successfully gain users rights.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft warns.

Microsoft has also included fixes for Windows Remote Code Execution vulnerability that can be exploited with a specially crafted image file which allows the attacker to successfully execute arbitrary code.

The post Microsoft pushes out fixes for 17 critical flaws as part of Patch Tuesday updates appeared first on Windows Latest

Weiterlesen...

 

Microsoft's infamous 'Patch Tuesday' addresses seven flaws

Yesterday, Microsoft patched seven problems with Windows XP SP2. The three updates that were marked "critical"-

• An update to Windows Internet Explorer 7
• Windows Media Player patch
• Visual Studio 2005 fix

The last four updates marked "important" fix flaws in Outlook Express, the SNMP network management protocol, fix privelage problems, and patch a problem with remote installation services. You can read a full rundown of December's Patch Tuesday here. A recent flaw discovered in Microsoft Word remains unpatched.

Source: The Register

 

Microsoft delays Patch Tuesday as world awaits fix for SMB flaw

"Yesterday was the second Tuesday of February, and that means it should be Microsoft's Patch Tuesday. It should be a big Patch Tuesday, too. First, there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed, and the patch should be released today.

Second, Microsoft is continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2. The company started moving to a Windows 10-like cumulative model last year in a bid to ensure that the configurations the company tested (all patches applied, all the time) matched the end-user experience. Each operating system is getting two packages a month: a "Monthly Rollup" and a "Security Only" update.

The "Monthly Rollup" contains both security fixes and general reliability improvements, and it's a cumulative update, incorporating both the current month's fixes and historic updates. The intent is to make it easier to get a freshly installed system up to date; instead of installing hundreds of individual fixes, the latest Monthly Rollup should do the job.

The "Security Only" package isn't cumulative, and it skips the general reliability improvements.

Starting this month, the Security Only package is changing a little. Previously, it contained both operating system and Internet Explorer fixes. Going forward, however, the Security Only package will only contain non-Internet Explorer fixes. A second package, the Cumulative Security Update for Internet Explorer, will apply browser fixes. Like the Monthly Rollup—and unlike the Security Only patch—the Internet Explorer package will be cumulative, containing both new and historic patches. Microsoft says this change is being made to reduce the size of the Security Only package.

The deployment system is also being refined to ensure that neither the Security Only patch nor the Internet Explorer patch will be installed on machines that have a current Monthly Rollup.

This is all well and good, except it's not happening. Due to a "last-minute issue," Microsoft has delayed this month's updates, and currently, there's no expected time of arrival. This delay may hint at one of the downsides of the combined patching: in the past, an individual fix might be held back due to a late-breaking problem, but other fixes could still be delivered on time as expected. With everything bundled—and, critically, tested—together, the company may be more reluctant to punt an individual fix to next month.

Still, if the delay means that Microsoft is avoiding shipping a fix that breaks people's computers, it's probably for the best."

https://arstechnica.com/information...tch-tuesday-as-world-awaits-fix-for-smb-flaw/

 

Microsoft passes 130 security fixes for 2015 with final Patch Tuesday


Microsoft passes 130 security fixes for 2015 with final Patch Tuesday update
by Dan Worth

09 Dec 2015

Microsoft issues final 2015 Patch Tuesday update

Microsoft has issued its final Patch Tuesday update of 2015, taking the total number of security fixes for the year to 135. This is well in excess of the 85 issued in 2014.

The December update contained 12 fixes, eight of which are rated critical while the other four are rated as important.

The critical fixes relate to key Microsoft products including Internet Explorer, its new Edge browser, the Silverlight video player and issues within Windows, as well as Skype for Business and Lync. The four important fixes all relate to Windows.

The MS15-124 fix for Internet Explorer is a cumulative update for the browser, fixing several issues. Microsoft said the most severe of these could allow remote code execution if a user visits a specifically crafted web page in IE. The Edge update fixes the same problem.

“An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user,” explains Microsoft in its notes.

Meanwhile, the MS15-128 fix covers similar issues in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync and Silverlight.

“The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a web page that contains specially crafted embedded fonts," Microsoft's notes explain.

One other notable fix is MS15-135, which, while only rated as important, is the issue that Qualys CTO Wolfgang Kandek said businesses should focus on first, as it addresses a zero-day vulnerability within the Windows kernel.

“There is no further information about how widely spread the vulnerability and its exploit are, but it is worth a top spot in our priority list," he said.

Another fix Kandek said IT admins should focus on is MS15-131, which covers an issue within Microsoft Office and is rated as critical.

"CVE-2015-6172 is a critical vulnerability in Outlook that is triggered by a maliciously formatted email message," he said.

"There is no reasonable workaround: Microsoft suggests turning off the preview pane - the digital equivalent of 'Just don’t do it', so patch this vulnerability as soon as possible."

Kandek also said that while part of the increase in vulnerabilities found and fixed in 2015 can be attributed to the release of new products, such as Windows 10 and its Edge browser, the focus on finding security issues is also growing.

“The majority of the increase is due to new parts of the Windows ecosystem that are being investigated for the first time, a tendency that shows how much more important computer security has become over the years," he said.

Patch Tuesday

Microsoft passes 130 security fixes for 2015 with final Patch Tuesday update - IT News from V3.co.uk