Greg Lambert

About the Author Greg Lambert


IDG Contributor Network: May Patch Tuesday delivers fixes critical Windows 10 exploits

For this May Microsoft Patch Tuesday, we see Microsoft attempt to resolve 56 reported vulnerabilities in Microsoft Office, Windows, both Browsers and the .NET development platform.

Three of the vulnerabilities have been reported publicly and several have been actively exploited. Adding to an already serious situation, Microsoft’s anti-malware tool was compromised, resulting in the inadvertent deployment of malware through the anti-malware engine.

Microsoft responded very quickly with an out-of-band update (Security Advisory 4022344). Though there was general relief and kudos to Microsoft for their rapid response to this embarrassing episode, this bug was described as the “worst in recent memory” and as “crazy bad” by two of the lead researchers from Google’s Project Zero.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Massive change to a moderate Patch Tuesday

Last month, we had the largest ever release of patches and updates from Microsoft.

This month, we see the biggest change to Patch Tuesday since the first updates were released on the second Tuesday in October 2003, starting with MS03-041. Security bulletins with easy to follow formats like MSyy-xxx are no longer published by Microsoft as of April 2017.

Now, we have the Microsoft Security Update Guide which is defined by Microsoft as the “authoritative source of information on our security updates.” The MSUG is a searchable database of patches and updates that offers some basic queries and filtering. In addition to this database-driven approach, Microsoft has published summary release notes for April 2017 that can be found here. Helpfully, this summary outlines that the following technologies are updated for April:

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Largest ever Patch Tuesday from Microsoft

After last month’s rather brief Patch Tuesday from Microsoft, we see the largest ever release of updates for Windows and Microsoft Office — and of course another critical update for Adobe Flash Player.

For this March update, we see an unusually large number of critical updates — nine patches rated as critical and the remaining nine rated by Microsoft as important. In addition to this large cohort of patches, we also get a security advisory with KB3123479.

We have added both browser patches (MS17-006 and MS17-007) and the Adobe Flash Player update (MS17-023) to our “Patch Now” list. In addition, the core XML Services patch (MS17-022), though only rated as important by Microsoft, attempts to resolve a publicly disclosed zero-day flaw. MS17-022 was therefore also added to our “Patch Now” list.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: February Patch Tuesday updated

Microsoft released a single update last week with this February Patch Tuesday, after a week’s delay. Or, perhaps MS17-005 is considered an out-of-band update from Microsoft?

I am not sure, as it does not look like we will see the usual accompanying updates to Microsoft, .NET and the Windows (desktop and server) platforms. This sole update to Adobe Flash Player is worth deploying immediately. Evergreen browsers such as Microsoft Edge and Google Chrome will automatically update (using the default settings) and so will patch this serious memory-related vulnerability in Flash Player. 

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Why February’s Patch Tuesday is delayed

After a short break since our Patch Tuesday Debugged analysis in January, it looks like we are going to have some delay with Patch Tuesday in February due to a last minute technical issue with the Microsoft release process.

Microsoft had previously indicated that it was going to change the update process for security-related fixes this month — and a bug discovered during this process change may have caused the delay. Chris Goettl from Ivanti, offers this: “In the hours since Microsoft announced it was going to postpone Update Tuesday I have had a number of people asking if this delay was related to Microsoft’s change to a cumulative update model. If it were just one update that was delayed I would agree, but with all updates being delayed I think it is more of a Windows Update Services infrastructure issue.” I would tend to agree.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Final patches for Office, Windows and Adobe Flash for 2016

This is the final Patch Tuesday for the year and also the last one using the “per-patch” detailed format. Starting in January, we will match the latest Microsoft patch deployment grouping or “roll-ups” and provide patch-related insights and deployment guidance based on the Windows Security, Quality, Office, and .NET cumulative updates.

For December, Microsoft has released 12 updates, six of which are rated as critical, with the remaining six rated as important. This month also includes a fix for those Windows 10 users who had trouble connecting to the internet after the last wave of patches from Microsoft. For this month, Microsoft did not provide any mitigating factors or workarounds for any of the updates bar one. MS16-154 is the Microsoft wrapper for the Adobe Flash patch that comes with some advice, “Disable Flash.”

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Windows, Office and Flash Player updates for this Patch Tuesday

This is the second round of cumulative updates for Windows 7 and 8.x systems following Microsoft’s announcement to use the Windows 10 patch roll-up approach for all desktop systems. With 14 bulletins for this November Patch Tuesday, Microsoft has updated Windows and Office and has also had to wrap another Adobe Flash Player update to manage two zero-day exploits. Six updates have been rated as critical and the remaining eight are rated as important, together covering a total of 68 vulnerabilities, three with public disclosures.

Shavlik has helpfully created this month’s Patch Tuesday infographic and has also added some useful narrative on the upcoming Google and Oracle updates.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: 5 critical updates for October Patch Tuesday

October’s change of season brings a fundamental change to how Microsoft presents and delivers updates to Windows 7 and 8.x systems. As of this month, Microsoft will now follow the Windows 10 cumulative update model for all currently supported versions of Windows platforms — including Windows 7 and 8.x systems. You can read more about this major change to Patch Tuesday on the Microsoft’s TechNet blog found here. This is a big departure from a more granular approach using individual updates and patches. Microsoft will now “roll-up” security, browser and system component (.NET) into aggregate patches.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: September Patch Tuesday brings 7 critial updates to IE, Windows and Adobe Flash

Microsoft traditionally has a large patch release for September. This September’s Patch Tuesday is no exception with 14 updates, seven rated as critical, seven rated as important, altogether resolving a total of 50 reported vulnerabilities.

Unlike last month, September brings a zero-day vulnerability with the update MS16-104. Unfortunately, this patch to IE also includes a publicly reported security issue. So this month we have a number of Microsoft updates on the “Patch Now” list including: MS16-104, MS16-115, MS16-116 and MS16-117. And the update to the Windows kernel with MS16-111 may make some administrators pause for a little more testing due to the core system files updated.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: August Patch Tuesday 2016 — Microsoft releases 5 critical updates

This August Patch Tuesday from Microsoft brings a relatively light series of updates, with five rated as critical and the remaining four rated as important.

Aside from the relatively few updates from Microsoft, there are no zero-day or publicly disclosed vulnerabilities this month. Microsoft has also chosen to update a number of relatively minor components this month with the exception of MS16-098 (another kernel update). Later this month, we will add some additional in-depth analysis to this patch update cycle including potential patch deployment clashes with common applications and a risk assessment for deployment desktop and server updates.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Critical Updates to IE, Edge and Adobe Flash Player for July Patch Tuesday

I think that we were all hoping for a “boring” Patch Tuesday for this July update cycle. With “only” 11 updates, six rated as critical and the remaining patches rated as important, this month does provide some relief from the very large releases seen in the past few months.

However, although there are no “zero-day” vulnerabilities reported so far from Microsoft, there is an urgent “Patch Now” update in the form of MS16-093, wrapping a huge update from Adobe that resolves a whopping 52 issues in Adobe Flash Player. In addition, we all need to deploy MS16-087 as a priority due to a relatively easily exploitable drive-by attack on the Windows Spooler print sub-system.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: 5 critical updates and the end of QuickTime for June Patch Tuesday

A few months ago, we saw the end of Oracle JAVA Plugin support, and now we see the end of QuickTime with the call to remove it from your systems. If only we could get rid of Adobe Flash.

For this June Patch Tuesday, we won’t see an update to Adobe Flash from Microsoft, but we may see an update from Adobe later this month. With 16 updates for June, we already have enough to worry about. Microsoft has released five critical updates and the remaining 11 patches are rated as important, covering a total of 44 vulnerabilities.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Critical updates for IE, Edge and Flash for this May Patch Tuesday

Historically, May has been a big month for Microsoft updates. This May, we see 16 updates, covering all versions of Windows, IE and Edge as well as an update for Adobe Flash player.

With eight updates rated as critical and the remaining patches rated as important, Microsoft seems to have adopted a new clustering approach to patches. We have seen pairings of IE and Edge in the past, but this month we see core components (VBscript and JScript) linked with browser updates. In addition, we also have kernel updates linked to kernel mode driver updates (MS16-060 and MS16-061). We are also missing MS16-063! And, this month we also get the benefit of a nice looking infographic from Shavlik.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Critical updates for IE, Edge and Adobe Flash for April Patch Tuesday

This April, Microsoft has released another large batch of Windows updates with six rated as critical and the remaining seven rated as important.

Although there has been a large amount of hype relating to the latest security scare (BadLock), the real issue this month is the Adobe Player vulnerability addressed in MS16-050. Both Microsoft browsers require urgent updates due to more memory corruption issues (MS16-037 and MS16-038). I am not quite sure that Microsoft does this deliberately, but it seems that every month, the second to last update rated as important could be considered a little “worrisome.” This month it’s MS16-048, which updates a key windows system (that handles logins) that may require some additional testing before production deployments. 

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: 5 critical updates for March Patch Tuesday

Following Microsoft’s recent practice of issuing large updates covering multiple versions of Microsoft IE, Office as well as both desktop and server OS platforms, the 13 updates for March probably represents the new “average” Patch Tuesday payload. Five of the updates are rated as critical, while the remaining eight are rated as important, together covering 44 newly reported security vulnerabilities. In addition to these Microsoft patches, I expect that we will see an update to Adobe’s Flash player.

If you are looking for a helpful infographic for this month’s patch cycle, check out Shavlik’s latest offering here.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

IDG Contributor Network: Microsoft delivers major updates to Internet Explorer and Adobe Flash Player

This month Microsoft returns to form with 13 patches, with six rated as critical and the remaining seven rated as important. You’ll notice that MS16-010 is missing — that’s because it was released last month on January 12th, with the standard January update cycle.

As always, I recommend a reboot after installing these updates, even if not explicitly required by Microsoft. In addition, some attention may be required on MS16-022 (the update to Adobe Flash Player) and the two kernel mode updates MS16-016 and MS16-018.

To read this article in full or to leave a comment, please click here

Read more 0 Comments