Microsoft Patch Tuesday and patch management

  • May 08, 2007 08 May'07

    Microsoft issues critical updates, patches DNS zero-day flaw

    Microsoft issued patches to plug 19 holes, including a critical zero-day DNS Server Service flaw as part of its monthly Patch Tuesday bulletin.

  • May 08, 2007 08 May'07

    Inside MSRC: Microsoft issues further guidance on Exchange update

    Microsoft's Christopher Budd explains vulnerabilities affecting Microsoft Exchange and other critical patch updates.

  • May 03, 2007 03 May'07

    Microsoft to release DNS patch Tuesday

    In addition to a fix for the DNS Server Service flaw, Microsoft plans to patch critical flaws in Windows, Office, Exchange, CAPICOM and BizTalk.

  • April 30, 2007 30 Apr'07

    Symantec fixes flaw in multiple products

    In other vulnerability news, a critical flaw is found in Adobe Photoshop and Cisco fixes flaws affecting a number of its products.

  • April 25, 2007 25 Apr'07

    Compliance drives security configuration management

    IT operations is turning to software that monitors security configurations across the enterprise to meet a number of regulations.

  • April 19, 2007 19 Apr'07

    Anatomy of a zero-day: Security researchers face hurdles

    Despite industry organizations bringing some order to the software testing process, security researchers say obstacles continue to slow their progress.

  • April 18, 2007 18 Apr'07

    Oracle patches 36 holes

    Oracle Corp. on Tuesday issued patches for 36 holes in the database management system, application server, E-Business Suite and JD Edwards and PeopleSoft software.

  • April 13, 2007 13 Apr'07

    Microsoft DNS server flaw called dangerous

    UPDATE: Microsoft said Sunday that attacks are still limited, but proof-of-concept code to exploit the vulnerability is publicly available.

  • April 11, 2007 11 Apr'07

    Microsoft investigates new Office zero-day flaws

    On the same day Microsoft released five security updates for Windows and Content Management Server, McAfee reported possible new zero-day flaws in Office.

  • April 10, 2007 10 Apr'07

    Microsoft releases four critical patch updates

    The security patches Microsoft released Tuesday include four critical fixes for Windows and Content Management Server. One expert described two of the flaws as very wormable.

  • April 10, 2007 10 Apr'07

    Oracle to patch 37 flaws

    Database giant Oracle Corp. offered a preview of its April Critical Patch Update (CPU). Fixes are planned for 37 flaws across its product line.

  • April 09, 2007 09 Apr'07

    Symantec fixes 'high-risk' flaw in Enterprise Security Manager

    Attackers could hijack machines from remote locations by exploiting a flaw in Symantec Enterprise Security Manager (ESM). Kaspersky Lab users also have a flaw to deal with.

  • April 05, 2007 05 Apr'07

    More Windows patches coming next week

    In a preview of next week's monthly patch release, Microsoft said it plans to issue four more Windows updates on top of the ANI fix it rushed out this week.

  • April 04, 2007 04 Apr'07

    Windows ANI patch problems reported

    Some IT administrators are having trouble installing the Windows ANI patch. Meanwhile, the researcher who discovered the flaw said Firefox is also vulnerable.

  • April 02, 2007 02 Apr'07

    Microsoft releases patch for Windows ANI flaw

    Security companies are seeing massive attacks against the Windows ANI zero-day flaw, prompting Microsoft to rush out a fix a week before Patch Tuesday.

  • March 23, 2007 23 Mar'07

    Flaws haunt protocol tied to national infrastructure

    Also: A weakness is found in Windows settings, Microsoft investigates a new Vista flaw, and flaws are addressed in and Firefox.

  • March 14, 2007 14 Mar'07

    OpenBSD open to remote kernel vulnerability

    A flaw in several versions of the popular operating system could give attackers complete control over vulnerable machines. A patch has been released.

  • March 12, 2007 12 Mar'07

    DST switchover causing some problems

    The earlier start to daylight-saving time (DST) went smoothly for some IT administrators, while others spent Sunday troubleshooting problems.

  • March 09, 2007 09 Mar'07

    DST security concerns pervade bloggers

    This week in Security Blog Log: IT professionals are spending a lot of time on security issues related to this Sunday's start to daylight-saving time (DST).

  • March 08, 2007 08 Mar'07

    Microsoft cancels Patch Tuesday as DST looms

    IT administrators who are struggling to apply all their daylight-saving time (DST) patches will get a break from Microsoft next week, as no new security fixes will be released.

  • March 05, 2007 05 Mar'07

    WordPress upgrade fixes 'dangerous' flaw

    Developers of the open source blogging platform WordPress say users should upgrade to version 2.1.2 immediately to address a "dangerous" security hole that was recently attacked.

  • March 02, 2007 02 Mar'07

    Citrix update repairs security flaw

    Also in this week's Bug Briefs: Symantec fixes Mail Security flaw, Cisco fixes Catalyst-IOS glitch; McAfee addresses a Mac OS X antivirus flaw; and Mozilla plugs Firefox holes.

  • February 23, 2007 23 Feb'07

    Flaws haunt Symantec, IBM, Cisco and IE

    Bug Briefs: Security holes plague Symantec Norton products, IBM DB2; Mozilla Firefox; Trend Micro ServerProtect; Cisco IP phones; Google Desktop; IE and Snort.

  • February 15, 2007 15 Feb'07

    Microsoft investigates new Word zero-day; Cisco releases firewall patches

    Microsoft says Office 2000 and Office XP could be affected. Also, Cisco patches firewall flaws that could be exploited to bypass security restrictions or cause a denial of service.

  • February 14, 2007 14 Feb'07

    Inside MSRC: Microsoft explains security bulletins

    Microsoft issued 12 new security bulletins in February. Christopher Budd of the Microsoft Security Response Center provides information about the most important fixes.

  • February 13, 2007 13 Feb'07

    Microsoft fixes zero-day flaws in Word, Office

    Twelve security updates from Microsoft fix a range of problems, including a flaw in the Malware Protection Engine and previously exploited zero-day glitches in Word and Office.

  • February 08, 2007 08 Feb'07

    Briefs: Vulnerabilities found in Trend Micro, Firefox browser

    This week, Trend Micro released a fix for a flaw in its antivirus engine, while no fixes are available for two newly discovered Mozilla Firefox browser flaws.

  • February 08, 2007 08 Feb'07

    Twelve Microsoft patches to include fixes for OneCare, ForeFront

    Patches are being readied to plug security holes in Windows, Office, Visual Studio, Windows Live OneCare, Defender and ForeFront. Per usual, Microsoft will release the mega-fix Tuesday.

  • February 01, 2007 01 Feb'07

    Patch testing may suffer due to zero-day fears

    Windows users faced a breathtaking spike in zero-day threats last year and most security experts agree the problem is only going to get worse. Mark Shavlik, founder and CEO of Roseville, Minn.-based patch management firm Shavlik Technologies, is ...

  • January 22, 2007 22 Jan'07

    Cisco fixes MARS flaw

    Also in this week's Bug Briefs: Microsoft re-releases a patch, the Month of Apple Bugs exposes more Mac OS X flaws and Oracle fixes 51 flaws in its quarterly CPU.

  • January 17, 2007 17 Jan'07

    Oracle releases 51 security fixes

    The flaws are across Oracle's product line and attackers could exploit them remotely to compromise vulnerable systems.

  • January 16, 2007 16 Jan'07

    PatchLink offers solid flaw management

    Product review: PatchLink Update 6.3 is a solid solution to the enterprise patch management problem and demonstrates its true power in a Windows environment.

  • January 16, 2007 16 Jan'07

    Who patches better: Microsoft or Mozilla?

    Window Snyder was a senior security strategist at Microsoft before leaving in 2005 to become a founder and CTO of Matasano Security LLC. Last September she became Mozilla Corp.'s security chief and is now responsible for locking down the popular ...

  • January 15, 2007 15 Jan'07

    CA fixes multiple flaws in back-up product

    Also in Bug Briefs: Cisco patches an IOS flaw, HP fixes OpenView glitches; Adobe fixes critical vulnerabilities; and more Mac OS X flaws are disclosed.

  • January 12, 2007 12 Jan'07

    'Month-of' flaw projects come under fire

    This week in Security Blog Log: The Month of Apple Bugs has some wondering if the real motive for such disclosure projects is better security or better press coverage.

  • January 12, 2007 12 Jan'07

    Oracle emulates Microsoft with advance patch notice

    Oracle will patch 52 security flaws across its product line Tuesday, according to its inaugural CPU advance notification bulletin.

  • January 11, 2007 11 Jan'07

    Out-of-cycle Microsoft patch likely, experts say

    Patch specialists and IT administrators were surprised Microsoft didn't fix much-publicized Word zero-day flaws Tuesday. But they don't fault the company for holding back.

  • January 09, 2007 09 Jan'07

    New flaw found in Microsoft Excel

    In other news: Suspicious Web traffic increases on Port 6502, McAfee hires a new security chief; and Check Point completes its acquisition of NFR.

  • January 09, 2007 09 Jan'07

    Inside MSRC: Microsoft updates WSUSSCAN issue

    Christopher Budd of the Microsoft Security Response Center is urging customers to deploy the latest versions of the Systems Management Server Inventory Tool for Microsoft Updates or Microsoft Baseline Security Analyzer to receive all the current ...

  • January 09, 2007 09 Jan'07

    Critical fixes for Excel, Outlook and Windows

    Microsoft starts the year with security updates for Excel, Outlook and Windows. Three of the fixes are rated critical.

  • January 08, 2007 08 Jan'07

    Microsoft nixes four patch bulletins

    Eight security updates were originally scheduled for Tuesday, but Microsoft has decided to hold back on half of them.

  • January 04, 2007 04 Jan'07

    Multiple Windows patches on tap next week

    Microsoft will hand IT shops up to eight security updates for Windows, Visual Studio and Microsoft Office next week. Some fixes will address critical flaws.

  • January 02, 2007 02 Jan'07

    Security pros glean insight from '06

    Corporate acquisitions, an abundance of spam, and the White House's take on cybersecurity mark 2006.

  • December 20, 2006 20 Dec'06

    Microsoft releases Vista APIs to security vendors

    Microsoft released a draft set of programming interfaces allowing security vendors to develop software using the Windows kernel on 64-bit systems.

  • December 12, 2006 12 Dec'06

    Inside MSRC: Visual Studio flaw, tool extensions explained

    Christopher Budd of the Microsoft Security Response Center provides detail about a flaw in Visual Studio 2005 and explains that support for Software Update Services 1.0 will be extended.

  • December 12, 2006 12 Dec'06

    Microsoft fixes two zero-day flaws

    The December security update from Microsoft includes patches for zero-day flaws in Visual Studio and Windows Media Player, but two zero-day flaws in Word remain unfixed.

  • December 08, 2006 08 Dec'06

    Zero-day tracker a hit, but IT shops need better strategy

    This week in Security Blog Log: Reaction to eEye's new zero-day tracker is positive, but some experts say it won't help unless IT shops have a layered defense to start with.

  • December 07, 2006 07 Dec'06

    Microsoft to fix Visual Studio, Windows flaws

    Microsoft plans to release five security updates to address vulnerabilities in Windows and a flaw in Visual Studio as part of its monthly security bulletin release cycle.

  • December 06, 2006 06 Dec'06

    New zero-day affects Microsoft Word

    Microsoft confirmed reports of "limited" zero-day attacks and warned customers to be cautious when opening unsolicited Word attachments.

  • December 01, 2006 01 Dec'06

    Oracle responds to security critics

    This week in Security Blog Log: Oracle takes on researchers who have criticized its security procedures in recent weeks. Meanwhile, Symantec warns of new zombie malware.

  • November 30, 2006 30 Nov'06

    Oracle should heed critical report touting SQL Server security

    A prominent security researcher sheds light on Oracle's security lapses, but how will the vendor respond? As Executive Editor Dennis Fisher explains, Oracle should look internally.

  • November 30, 2006 30 Nov'06

    Multiple flaws in Adobe Reader, Acrobat

    Updated: Multiple flaws in Adobe Reader and Acrobat could allow attackers to execute malicious commands on victims' computers. A fix is now available.

  • November 30, 2006 30 Nov'06

    Report: Microsoft beats Oracle on security

    In a new whitepaper, security guru David Litchfield of Next Generation Security explains why Microsoft has a tighter grasp on its database defenses than Oracle.

  • November 21, 2006 21 Nov'06

    New Mac OS X flaw exposed

    A Mac OS X flaw was exposed as part of the Month of Kernel Bugs. Also, a new Web site vows to follow the lead of researchers LMH and H.D. Moore with a week of Oracle zero-days.

  • November 20, 2006 20 Nov'06

    Inside MSRC: Microsoft details security tool update

    Microsoft's Christopher Budd explains how to use the new versions of the Security Baseline Analyzer and the Systems Management Server Inventory Tool for Microsoft Updates.

  • November 16, 2006 16 Nov'06

    Microsoft Kernel Patch Protection should be lauded

    Microsoft Vista's Kernel Patch Protection feature, designed to prevent malicious people from accessing the kernel, deserves praise, but the software giant's actions bear watching.

  • November 14, 2006 14 Nov'06

    Exploit code out for MS06-070 flaw

    Microsoft said it is aware of proof-of-concept exploit code for the Windows Workstation service flaw, which was among the vulnerabilities patched this week.

  • November 09, 2006 09 Nov'06

    Microsoft to patch critical zero-day flaws in Windows

    Microsoft plans to repair five critical flaws in Windows and a flaw in XML Core Services as part of its monthly patch update next week.

  • November 01, 2006 01 Nov'06

    Podcast: The state of Oracle security

    In this edition of Security Wire Weekly, Oracle DBA Jon Emmons gives his observations about Oracle's new critical patch update format.

  • October 26, 2006 26 Oct'06

    AOL Security Edition 9.0 vulnerable to attack

    Attackers could exploit a flaw in AOL Security Edition 9.0 to run malicious code on targeted machines. A fix is available.

  • October 25, 2006 25 Oct'06

    Oracle DBAs mixed on security progress

    Some DBAs praise Oracle for its revamped patch bulletins, but others say the database giant's patching process still leaves much to be desired.

  • October 24, 2006 24 Oct'06

    Symantec patches AntiVirus Corporate Edition flaw

    Attackers could exploit a flaw in Symantec AntiVirus Corporate Edition and Client Security to overwrite kernel addresses, crash machines and run malicious code.

  • October 17, 2006 17 Oct'06

    Oracle fixes 101 flaws

    Attackers could exploit 45 of the 101 flaws remotely without a username or password. Meanwhile, the new CPU offers more detail on the number of flaws patched and their severity.

  • October 17, 2006 17 Oct'06

    Security Bytes: Flaws fixed in Bugzilla

    Meanwhile, security holes are also plugged in Cisco's Wireless Location Appliance software and Clam AntiVirus.

  • October 16, 2006 16 Oct'06

    Flaw found in Toshiba wireless device driver

    Attackers could exploit a flaw in the Toshiba Bluetooth wireless device driver to cause a denial of service or launch malicious code on victims' machines.

  • October 12, 2006 12 Oct'06

    Oracle bulletins will rank patches, offer more detail

    Oracle has been criticized in the past for releasing complex security bulletins that are hard to decipher. The streamlined bulletins will be easier to digest, the company says.

  • October 11, 2006 11 Oct'06

    Inside MSRC: Public vulnerability disclosures on the rise

    Even though irresponsible publicly disclosed vulnerabilities seem to be on the rise, Microsoft's Christopher Budd discusses how the software giant was able to quickly release a fix for the recent VML flaw, plus offers best practices on how to make ...

  • October 05, 2006 05 Oct'06

    Standalone patch management vendors under siege

    McAfee's acquisition of Citadel this week demonstrates that the patch-management niche may be one of the more active battlegrounds for larger vendors with deep pockets.

  • October 05, 2006 05 Oct'06

    Patch Tuesday will see the release of 11 security updates

    After a light September, Microsoft said it would release 13 security updates on Tuesday, including ones for Windows and Office.

  • October 03, 2006 03 Oct'06

    McAfee acquires patch-management vendor Citadel for $56 million

    Purchase gives McAfee strong presence in assessment, remediation and policy compliance.

  • September 29, 2006 29 Sep'06

    ZERT rekindles third-party patching debate

    This week in Security Blog Log: IT security pros express more reservations about third-party patching, including the CEO of a company that released one a few months ago.

  • September 14, 2006 14 Sep'06

    Inside MSRC: A look at Microsoft's September patches

    Christopher Budd of the Microsoft Security Response Center says this is the final month of public security support for Windows XP Service Pack 1.

  • September 14, 2006 14 Sep'06

    Security Wire Weekly podcast: Sept. 13, 2006

    This week, Senior News Writer Bill Brenner interviews SPI Dynamics' Michael Sutton about this month's Microsoft security patches. Also the latest news about flaws in Apple QuickTime and Adobe Flash Player, the limits of NAC-NAP interoperability and ...

  • August 28, 2006 28 Aug'06

    Third-party patching: Prudent or perilous?

    Security patches issued by third parties have become more prevalent in recent months, and while some security pros endorse them, others say they're more trouble than they're worth.

  • August 22, 2006 22 Aug'06

    Update: Microsoft fixes faulty Internet Explorer patch

    Update: Microsoft has fixed a faulty browser fix that enabled an exploitable condition. Sources say a compatibility problem with Systems Management Server delayed the fix.

  • August 18, 2006 18 Aug'06

    Security Blog Log: Fear and loathing in MS06-040's wake

    This week, security bloggers wonder if some of the MS06-040 warnings have gone too far. Meanwhile, Symantec uses its blog to warn about the timed release of exploits.

  • August 08, 2006 08 Aug'06

    Update: Microsoft fixes 23 flaws, DHS urges action

    Updated: Microsoft releases a dozen August security updates, nine critical. The Department of Homeland Security says one fix in particular should be implemented immediately.

  • August 08, 2006 08 Aug'06

    Inside MSRC: Time to rethink security workarounds

    Christopher Budd of the Microsoft Security Response Center recommends implementing one of several security workarounds to ensure a secure infrastructure until this month's most important Windows update can be installed.

  • August 07, 2006 07 Aug'06

    Security Bytes: CA fixes eTrust Antivirus flaws

    Meanwhile: Online thieves steal $700,000 from personal accounts, researchers expose e-passport vulnerability; and arrests are made in the VA security breach case.

  • August 03, 2006 03 Aug'06

    Twelve Microsoft fixes coming on Patch Tuesday

    Microsoft Tuesday will release a dozen new security bulletins for its Windows and Office products, likely including fixes for several outstanding PowerPoint flaws.

  • July 31, 2006 31 Jul'06

    Security Bytes: ISS warns of new Microsoft Windows flaw

    Attackers could exploit the latest Microsoft Windows flaw to crash vulnerable machines. Meanwhile, Symantec fixes a Brightmail AntiSpam flaw.

  • July 17, 2006 17 Jul'06

    Oracle owns up to patching problems

    Database giant Oracle Corp. has faced mounting criticism of its security patching process during the last two years.

    Its quarterly Critical Patch Updates (CPUs) are ...

  • July 11, 2006 11 Jul'06

    Inside MSRC: Debunking Excel exploits

    Microsoft's Christopher Budd puts the magnifying glass to Microsoft's July bulletins, offers some Windows networking best practices and says one alleged Excel exploit isn't what it seems.

  • July 11, 2006 11 Jul'06

    Microsoft patches seven July security holes, five critical

    The software giant's monthly batch of fixes includes critical repairs for Internet Explorer and Windows' networking features, plus "important" bulletins for Internet Information Server.

  • July 07, 2006 07 Jul'06

    Hot Pick: Tenable offers solid vulnerability management

    Product review: Tenable Network Security's Security Center 3.0 helps organizations throughout the vulnerability management lifecycle, from asset discovery to remediation.

  • July 06, 2006 06 Jul'06

    Microsoft to patch critical Windows, Office flaws

    The software giant plans to release seven security bulletins Tuesday: four for Windows and three for Office. Some of the patches will fix critical flaws.

  • June 30, 2006 30 Jun'06

    iTunes flaw could enable malicious code

    Apple has fixed a critical hole that attackers could exploit to launch malicious code on PCs, including corporate clients, running the popular music software.

  • June 26, 2006 26 Jun'06

    New threats target Microsoft apps

    Microsoft warns customers to apply a RASMAN patch to protect against new exploit code. Meanwhile, Symantec warns of code targeting Windows Live Messenger.

  • June 16, 2006 16 Jun'06

    Microsoft Excel zero-day flaw discovered

    Attackers could exploit the Excel zero-day flaw to launch malicious code. Security experts say users should beware of emails with Excel file attachments.

  • June 16, 2006 16 Jun'06

    Security Blog Log: Doing good with exploit code

    This week, IT pros take note of the latest Microsoft patches and exploit code. Also, a look at why exploit code isn't always evil.

  • June 15, 2006 15 Jun'06

    Exploit code targets Microsoft flaws

    At least two new potential threats are on the loose less than a day after Microsoft's June patch rollout. Security experts warn IT shops to patch immediately.

  • June 13, 2006 13 Jun'06

    Microsoft releases 13 security patches, eight critical

    The baker's dozen of new patches includes 12 new ones that address flaws in Internet Explorer and Word, plus a re-release of a patch first issued in March.

  • June 13, 2006 13 Jun'06

    Inside MSRC: ActiveX control change goes permanent

    Microsoft's Christopher Budd outlines the finer points behind this month's security bulletins, plus offers advice on when to open Word files and guidance for Exchange administrators.

  • June 08, 2006 08 Jun'06

    Microsoft to release 12 June security fixes

    June's "Patch Tuesday" security bulletins will feature nine Windows fixes, including a cumulative update for Internet Explorer, plus a pair of patches for Office and one for Exchange.

  • May 16, 2006 16 May'06

    Experts: Exchange patch OK, despite glitches

    A fast-moving worm exploit could follow Microsoft's recent Exchange patch. Despite causing issues for mobile devices, security experts urge organizations to install the fix.

  • May 09, 2006 09 May'06

    Exchange, Windows focus of latest Microsoft fixes

    The software giant releases its May security bulletins and two of the three are rated critical. Issues with Exchange and Flash Player are addressed, but none fixes the latest IE flaws.

  • May 09, 2006 09 May'06

    Inside MSRC: Wisdom on Exchange security

    Microsoft's trio of May security bulletins includes a critical update for Exchange. The Microsoft Security Response Center's Christopher Budd explains why that particular bulletin may be more complex than it appears.

  • May 08, 2006 08 May'06

    Oracle refuses to learn its lesson, experts say

    Oracle critics say the database giant sits on known flaws for too long, leaving its applications open to attack. Is it time for infosec pros to extract Oracle products?

  • April 25, 2006 25 Apr'06

    Microsoft customers want more out-of-cycle patches

    Customers say Microsoft was right to issue an out-of-cycle fix for its flawed Windows Explorer patch. In fact, they wish the vendor would do it more often.

  • April 21, 2006 21 Apr'06

    Windows patch problems to force out-of-cycle repair

    Microsoft on April 25 will re-release a critical update that fixes a Windows Explorer code-execution vulnerability. The patch has caused problems with certain third-party software.