Microsoft Windows security
- March 11, 2020
Microsoft disclosed a new remote code execution vulnerability associated with the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, but there's currently no patch available.
- August 29, 2018
Security researcher SandboxEscaper released proof-of-concept code for a Windows 10 zero-day on Twitter, but Microsoft has no details for a potential patch.
- April 30, 2018
Proof-of-concept code showing how an NTFS flaw can shut down Windows systems was published by a security researcher nine months after he disclosed it to Microsoft.
- April 06, 2018
Microsoft's poor coding when forking and modifying open source UnRAR code introduced a critical Windows Defender flaw that could allow an attacker full system rights.
- March 28, 2018
A security researcher discovered the recent Windows Meltdown patches may fix the Intel flaws, but also introduced a more severe vulnerability in some versions of Windows.
- March 07, 2018
In its first move following the acquisition of cloud access security broker Skyhigh Networks, McAfee extended its cloud security platform to Microsoft Azure customers.
- February 15, 2018
Intel's bug bounty program expanded its scope and rewards for bugs across all Intel products, and the company added a new program for side-channel flaws like Meltdown and Spectre.
- February 14, 2018
Microsoft says Meltdown and Spectre vulnerabilities are now being tracked by Windows Analytics, which shows users the update status for CPU microcode and OS patches.
- December 08, 2017
A critical vulnerability found in the Windows Malware Protection Engine required an emergency Microsoft patch, but one expert said Microsoft hasn't handled the announcement well.
- October 26, 2017
Microsoft had to make several tradeoffs when developing patches for Windows XP. Expert Nick Lewis explains what these tradeoffs were and how enterprises should respond.
- September 27, 2017
The DerbyCon keynote covered why security research is an approachable field, as well as how to bypass a Windows digital signature check to run unwanted code.
- August 11, 2017
Microsoft antivirus policy changes for Windows 10 Fall Creators Update in order to avoid further action in an antitrust case brought by Kaspersky.
- July 25, 2017
Experts applaud Microsoft for clever use of a lawsuit to claim command and control server domains used by malicious Russian APT group Fancy Bear.
- June 28, 2017
Researchers discovered the rash of Petya-like attacks are nothing more than a ransomware scam, and lost files are impossible to restore.
- June 28, 2017
A new global ransomware attack has been spreading quickly using the same exploits as WannaCry, but researchers have already found ways to protect users from the damage.
- June 27, 2017
A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability.
- June 15, 2017
Microsoft claims recent WannaCry attacks did not influence the decision to disable SMBv1 by default in the next major Windows updates.
- April 18, 2017
A new release of NSA cyberweapons falls flat, as Windows exploits from the Shadow Brokers have mostly been patched. But unsupported systems are still at risk.
- April 14, 2017
The Shadow Brokers released another cache of cyberweapons linked to the Equation Group, including Windows exploits and attack details for the SWIFT banking system.
- April 12, 2017
Microsoft fundamentally changes how IT pros will consume Patch Tuesday releases with the Security Update Guide and brings fixes for an actively exploited Word zero-day.
- April 07, 2017
Microsoft exposes Windows 10 telemetry practices just a week before Creators Update; may allay privacy concerns over Windows 10 data collection.
- January 25, 2017
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the Shadow Brokers' alleged exploit for Windows SMB and what it means for both enterprises and Microsoft.
- January 25, 2017
A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack.
- January 19, 2017
As Microsoft touted its Windows 10 security features defeating unpatched zero-day vulnerabilities, it also warned customers about security issues with Windows 7.
- January 19, 2017
Experts say US-CERT is taking advantage of a potential -- but unverified -- vulnerability in Windows SMB v1 to remind enterprise users the outdated service should be disabled.
- November 11, 2016
Roundup: Russia-based APT group Pawn Storm expands spear-phishing attacks after Google's disclosure of a Windows zero-day. Plus, OpenSSL updates, IoT security and more.
- November 03, 2016
A Windows zero-day disclosed by Google caught Microsoft between patch cycles, and experts questioned whether Microsoft downplayed the severity of the vulnerability.
- November 02, 2016
Google disclosed an unpatched Windows zero-day vulnerability, which Microsoft claims is actively being exploited by a Russian APT group connected to the DNC hack.
- October 28, 2016
A new attack, called AtomBombing, allows malicious code injection into atom tables by a threat actor. And while all versions of Windows are vulnerable to attack, no patch will fix the flaw.
- October 27, 2016
Surprise! It's time, again, for another critical Adobe Flash patch to fix a remote code execution vulnerability reported by the Google Threat Analysis Group.
- October 19, 2016
Researchers devised an exploit of an Intel chip flaw that allows an adversary to bypass ASLR protection and potentially boost the effectiveness of an attack on any platform.
- August 17, 2016
Will Windows 10's new native version of the Ubuntu Linux command line, Windows Bash, enable new attack vectors? Experts weigh in on Windows Subsystem for Linux.
- August 15, 2016
Microsoft accidentally released the golden key for Windows Secure Boot, causing a serious security issue for the company despite putting only less popular devices at risk.
- June 10, 2016
As the University of Calgary contends with a ransomware attack, the actors behind CryptXXX are rolling out patches and upgrades and attackers are shifting from Angler to Neutrino EK.
- June 07, 2016
FireEye researchers spotted the Angler exploit kit bypassing the current Microsoft EMET version 5.5 security tool running on Windows 7 to subvert Flash and Silverlight.
- May 24, 2016
Former computer science majors Lieu and Hurd wrote to their U.S. House of Representatives colleagues, urging improved awareness of cyber risks and cyberhygiene.
- April 26, 2016
A Windows command-line utility dating back to XP, Regsvr32, reportedly enables a simple and virtually undetectable Windows AppLocker whitelist bypass.
- April 14, 2016
The much-hyped Badlock bug is still important to patch, but raised issues with celebrity vulnerability promotion and responsible disclosure of security vulnerabilities.
- March 31, 2016
The serious Badlock vulnerability in Windows and Samba, announced three weeks prior to patches, triggers a debate over responsible disclosure of software flaws.
- February 26, 2016
Roundup: Microsoft EMET is vulnerable to exploit; it's time to update to v5.5. Plus: Dell, IBM and Gemalto research reports claim cybercriminals are getting smarter, bigger and faster.
- January 08, 2016
Internet Explorer end of life is on the way for three versions of Microsoft's Web browser, and enterprises need to understand which versions of Windows will still be supported.
- October 16, 2015
News roundup: FBI issues a public service announcement about EMV chip-and-signature cards. Plus: bumper crop of OS X malware in 2015; phishing sites with authenticated certificates and more.
- August 07, 2015
News roundup: ICANN confirmed its members' credentials were stolen Wednesday, forcing the nonprofit to enforce a site-wide password reset. Plus: VPN provider being used for APTs; Thunderstrike strikes again; Windows 10 security in its first week.
- June 26, 2015
News roundup: Sometimes the least of threats -- such as click fraud -- can end up being the bigger issues -- like ransomware. Plus: U.S. Navy won't let go of XP; U.S./China cyber code of conduct; and more!
- May 15, 2015
News roundup: Microsoft released security details of its new Edge browser, but is it enough to restore user confidence? Plus: Millennial security threats; new ransomware, GPU-based malware; black hat cybersecurity services.
- April 21, 2015
Runtime application self-protection startup Waratek wins coveted RSA Innovation award.
- April 17, 2015
Opinion: Executive Editor Eric Parizo says Microsoft's security strategy may have once been the benchmark for other vendors to emulate, but in 2015 the software giant's priorities lie elsewhere.
- March 05, 2015
The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.
- January 19, 2015
For the third time in one month, Microsoft couldn't meet Google's 90-day public disclosure deadline, leading to Project Zero's disclosure, though experts say this Windows zero-day vulnerability may have little value to attackers.
- December 09, 2014
Capping a busy year of software updates, Microsoft's December 2014 Patch Tuesday release delivers three critical bulletins; separately Adobe offers a pair of critical fixes.
- November 18, 2014
Originally scheduled by Microsoft as part of its November Patch Tuesday release, the out-of-band patch resolves a serious security vulnerability in Kerberos.
- November 11, 2014
The zero-day patch was one of four critical bulletins Microsoft delivered as part of its largest Patch Tuesday release of 2014; a fifth critical bulletin was dropped at the last moment.
- August 12, 2014
Beyond the usual slew of IE security patches, Microsoft's August 2014 Patch Tuesday made a couple of moves to improve the security of its browser.
- August 06, 2014
EMET 5.0, the latest version of Microsoft's zero-day prevention tool, includes several new features, most notably improved ways to block plug-ins like Flash and Java.
- July 08, 2014
Microsoft's July 2014 Patch Tuesday release addressed two dozen flaws in Internet Explorer. Adobe also provided a critical update for Flash.
- June 10, 2014
June's patches fix an Internet Explorer 8 issue that Microsoft said was never exploited in the wild. Plus: Adobe issues a critical Flash Player patch.
- May 21, 2014
Though notified of the IE zero day months ago, Microsoft failed to address the vulnerability before it was made public.
- May 13, 2014
Microsoft's May 2014 Patch Tuesday features two critical security updates, including another fix for its beleaguered Internet Explorer browser.
- May 01, 2014
Microsoft's out-of-band patch for the 'use-after-free' IE zero day offered a fix for Windows XP, which is now being actively targeted.
- April 28, 2014
The IE zero-day, first spotted by FireEye, is being actively exploited in the wild. US-CERT recommends avoiding IE until a fix is released.
- April 08, 2014
The April 2014 Patch Tuesday release features the final Office 2003 and XP security updates, as well as a fix for a recent Word zero-day.
- April 08, 2014
Windows XP's end-of-life date is here, and while experts said dangerous new attacks won't arrive right away, they will soon enough.
- March 31, 2014
IT pros who have successfully completed large-scale Windows XP migrations advise focusing on application compatibility and up-front planning.
- March 12, 2014
PCI compliance may be nearly impossible after the April 2014 Windows XP end-of-life date if merchants don't address vulnerable XP-based POS systems.
- March 11, 2014
Microsoft moved to address a lingering Internet Explorer zero-day vulnerability that was originally discovered by security vendor FireEye in February.
- March 04, 2014
Experts say Microsoft's EMET security tool remains valuable to enterprise security teams if used as one layer in a larger security strategy.
- February 21, 2014
Both Microsoft and Adobe have issued emergency fixes for active zero-day exploits that bypass the ASLR security mechanism.
- February 04, 2014
More than a third of enterprises using Windows XP have no plans to migrate, according to the report, regardless of the growing XP security risks.
- January 16, 2014
Software giant Microsoft will extend Windows XP antivirus updates past the XP end-of-life date, but security patches are still slated to end in April.
- January 14, 2014
Microsoft's January 2014 Patch Tuesday fixes a Windows XP zero-day vulnerability that could grant admin rights. Adobe also released two updates.
- December 10, 2013
Microsoft's December Patch Tuesday release addresses a recent zero-day vulnerability affecting TIFF images, but leaves a Windows XP zero day for 2014.
- October 08, 2013
Among its 26 patches, Microsoft's October 2013 Patch Tuesday release delivers the anticipated fix for a critical Internet Explorer zero-day flaw.
- October 03, 2013
Microsoft's October Patch Tuesday expected to resolve four critical vulnerabilities, with experts hoping a recent high-profile IE zero-day is patched.
- September 18, 2013
Microsoft provides an Internet Explorer fix after confirming a vulnerability affecting all versions of the Web browser is being actively exploited.
- May 09, 2013
Microsoft is still working on a permanent fix for the IE8 zero-day found in the Dept. of Labor website attack. Also: Adobe preps ColdFusion patch.
- December 11, 2012
Microsoft released seven security bulletins, addressing flaws in Internet Explorer, Word and Windows kernel-mode drivers.
- November 13, 2012
Microsoft issued six bulletins in November's Patch Tuesday, including fixes in Internet Explorer, Windows Kernel and the .NET Framework.
- November 08, 2012
Despite a recent Windows 8 zero-day vulnerability, security experts say the new Microsoft platform is the most secure OS on the market.
- October 04, 2012
Microsoft's October 2012 Patch Tuesday release, slated for Oct. 9, will address an RSA key-length certificate issue exposed by the Flame malware.
- September 17, 2012
Researchers say attackers have exploited the flaw and recommend switching browsers until there's a fix.
- July 18, 2012
Researchers have explored the updated Windows 8 memory protection security features and will present their findings at Black Hat 2012.
- July 10, 2012
The Microsoft XML Core Services vulnerability is being actively targeted by cybercriminals. In addition, Microsoft issued a critical update to Internet Explorer 9.
- June 19, 2012
The Metasploit pen testing software contains working exploits that can target Microsoft XML Core Services flaw and a hole in Internet Explorer.
- June 19, 2012
A software implementation issue enables an attacker to escalate privileges or break out of a virtual machine environment.
- June 13, 2012
The feature can automatically remove revoked certificates from Windows Vista and Windows 7 systems. The measure is in response to the Flame attacks.
- June 05, 2012
The overhaul to Windows Update is to follow Microsoft’s emergency update, revoking three fraudulent certificates that could be used in broad attacks.
- June 04, 2012
The fraudulent Microsoft certificates were used in the Flame malware attacks and could be used by less sophisticated cybercriminals, according to Microsoft.
- May 08, 2012
Experts suggest patience when dealing with this month’s round of Microsoft updates.
- May 03, 2012
Microsoft said a member of its confidential Active Protections Program leaked information that prompted an exploit targeting a flaw patched in March.
- March 16, 2012
Antimalware vendors say proof-of-concept exploit code has surfaced on several Chinese websites. Experts recommend patching Windows systems now.
- March 13, 2012
Vulnerability experts call the Microsoft Remote Desktop Protocol flaws dangerous and say they should be quickly addressed by patching admins.
- December 20, 2011
Danish vulnerability clearinghouse Secunia is warning of a highly critical memory corruption zero-day vulnerability that could be targeted by attackers. Proof-of-concept code has been published.
- December 13, 2011
Microsoft’s 13 security bulletins included critical Windows and Windows Media Player updates.
- November 08, 2011
Microsoft’s November 2011 Patch Tuesday security update features four bulletins, one critical, but no patch for the kernel-level vulnerability exploited by the Duqu Trojan.
- August 29, 2011
Security firms say the Morto worm isn’t a Trojan, but an Internet worm that spreads via Windows Remote Desktop Protocol (RDP).
- August 09, 2011
Coding errors could enable attackers to target Windows machines remotely, gain access to sensitive data and gain complete control of a victim’s computer.
- July 07, 2011
The software giant plans to issue four bulletins, one rated “critical” as part of its Patch Tuesday scheduled security updates.
- June 09, 2011
Critical fixes planned for Windows, Internet Explorer and Adobe Reader.
- May 05, 2011
Microsoft will revamp its Exploitability Index this month when it issues Patch Tuesday bulletins addressing flaws in Microsoft Windows and Office PowerPoint.
- April 07, 2011
The software giant will release a record number of patches April 12.