Microsoft Patch Tuesday | Breaking Cybersecurity News | The Hacker News

Microsoft patches Stuxnet and FREAK Vulnerabilities

Mar 11, 2015
Microsoft has come up with its most important Patch Tuesday for this year, addressing the recently disclosed critical FREAK encryption-downgrade attack and a separate five-year-old vulnerability leveraged by the infamous Stuxnet malware to infect Windows operating systems. Stuxnet, a sophisticated cyber-espionage malware allegedly developed by US intelligence and the Israeli government together, was specially designed to sabotage the Iranian nuclear facilities a few years ago. First uncovered in 2010, Stuxnet targeted computers by exploiting vulnerabilities in Windows systems. Thankfully, Microsoft has issued a patch to protect its Windows machines that have been left vulnerable to Stuxnet and other similar attacks for the past five years. The fixes are included in MS15-020, which resolves the Stuxnet issue. The company has also issued an update that patches the FREAK encryption vulnerability in its SSL/TLS implementation called Secure Channel (Schannel). The fix
Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows

Jan 16, 2015
Microsoft has heavily criticized Google and its 90-day security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft's Windows 8.1 operating system, one after another, just days before Microsoft planned to issue a patch to kill the bugs. But Google seemingly doesn't give a damn. Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both operating systems exposed to hackers until next month, when the company plans to deliver a fix. DISCLOSURE OF UNPATCHED BUGS, GOOD OR BAD? Google's tight 90-day disclosure policy seems to be a good move to get all software vendors to patch their products before they are exploited by hackers and cybercriminals. But at the same time, disclosing all critical bugs along with their technical details in a widely used operating system like Windows 7 and 8 doesn't appear to be a righ
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024 | Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Microsoft Kills Public Patch Tuesday Advance Notifications; Now for Paid Members Only

Jan 10, 2015
Microsoft began issuing Patch Tuesday updates publicly in advance over ten years ago, but from the next second Tuesday of the month onward, if you want to see what security patches Microsoft is going to issue, you will have to pay for it. UPDATE ALERTS FOR PAID CUSTOMERS ONLY Yes, that's right: Microsoft has decided to ditch its Advance Notification Service (ANS) and will no longer be releasing a public blog post to preview what is to come on Patch Tuesday. Microsoft is facing fierce criticism from industry experts for its decision to make advance security bulletins available only to those who pay a premium. Note: Only advance notifications are now paid, but security updates/patches are free. NO MORE "OUT-OF-BAND" PUBLIC SECURITY ALERTS In the post on the Microsoft Security Response Center blog, Chris Betz, senior director at Microsoft's security research arm, said: "more and more customers today are seeking to cut through the clutter and obtain s
Microsoft Releases 7 Security Updates

Dec 09, 2014
Last week Microsoft released its Advance Notification for the month of December 2014 Patch Tuesday Updates, and finally today released a total of seven security bulletins, which will address several vulnerabilities in its products, out of which three are marked 'critical' and the rest are 'important' in severity. Last month, after a big pile of security patches, the company released an unusual emergency patch to fix a critical vulnerability in Microsoft Windows Kerberos KDC, the authentication system used by default in the operating system, that cybercriminals exploited to compromise whole networks of computers. The three critical bulletins affect Internet Explorer, Office and Windows. All the versions of Microsoft Internet Explorer (IE) are affected except Server Core, which does not include IE. The critical zero-day IE vulnerability (CVE-2014-8967) was discovered by security researcher Arthur Gerkis of Zero Day Initiative (ZDI) in June this year. By explo
Microsoft Releases Emergency Out-of-Band Patch for Kerberos Bug MS14-068

Nov 19, 2014
Microsoft today released an "out-of-band" security update to fix a critical vulnerability in all supported versions of its Windows Server software that cyber criminals are exploiting to compromise whole networks of computers. The emergency patch release comes just one week after Microsoft provided its monthly security patch updates. The November 2014 Patch Tuesday updates included 16 security patches, five of which were rated by Redmond as "critical." The security update (MS14-068) addresses a vulnerability in the Windows component called Microsoft Windows Kerberos KDC, the authentication system used by default in the operating system. The flaw allows an attacker to elevate domain user account privileges and access rights to that of a domain administrator account. As a result, if users unknowingly or accidentally run malicious software on their system, it could be used to compromise the entire network, which could be more dangerous for those who
Microsoft to Issue 16 Security Patches and 60 Other Updates

Nov 10, 2014
This time Microsoft has quite a big pile of security patches in its November 2014 Patch Tuesday, which will include almost 60 non-security updates for its Windows OS along with 16 security updates. The software giant released Advance Notification for 16 security bulletins, the most in more than three years, which will be addressed as of tomorrow, 11 November, 2014. Five of the bulletins have been marked as "critical", nine are "important" in severity, while two were labeled "moderate." The updates will patch vulnerabilities in Microsoft's various software including Internet Explorer (IE), Windows, Office, Exchange Server, SharePoint Server and the .NET framework as well. Five critical vulnerabilities affect specific versions of Microsoft Windows, including Windows 7, Windows 8, Windows RT, and Windows Server. One of them also affects Internet Explorer versions 7 through 11. Four of the five critical bugs are said to al
Microsoft PowerPoint Vulnerable to Zero-Day Attack

Oct 22, 2014
It seems that there is no end to the Windows zero-days, as recently Microsoft patched three zero-day vulnerabilities in Windows which were actively exploited in the wild by hackers, and now a new zero-day vulnerability has been disclosed affecting all supported releases of the Windows operating system, excluding Windows Server 2003. Microsoft has issued a temporary security fix for the flaw and also confirmed that the zero-day flaw is being actively exploited by hackers through limited, targeted attacks using malicious Microsoft PowerPoint documents sent as email attachments. According to the Microsoft Security Advisory published on Tuesday, the zero-day resides within the operating system's code that handles OLE (object linking and embedding) objects. OLE technology is most commonly used by Microsoft Office for embedding data from, for example, an Excel spreadsheet in a Word document. The vulnerability (designated as CVE-2014-6352) is triggered when a user is forced
Microsoft to Patch Critical Internet Explorer Vulnerability Next Week

Sep 05, 2014
You won't have forgotten about the dodgy update released by Microsoft in last month's Patch Tuesday Updates, which was responsible for crippling users' computers - especially those running the 64-bit version of Windows 7 - with the infamous "Blue Screens of Death." The company fixed the issue at the end of last month, and is now planning to release a light edition of patches. Today Microsoft has released its Advance Notification for the month of September Patch Tuesday Updates. There will be a total of four security bulletins next Tuesday, September 9, which will address several vulnerabilities in its products; one of them is marked critical and the rest are important in severity. CRITICAL PATCH This time, too, administrators can expect a cumulative patch release for Internet Explorer which will address a number of remote code execution vulnerabilities in the browser. As usual, the Internet Explorer (IE) update is rated Critical on Windows client systems and Moder
Microsoft Says to Uninstall August Patch Updates, Causing 'Blue Screen of Death'

Aug 19, 2014
Microsoft on Friday quietly urged its users to uninstall the most recent round of security updates, after reports emerged that it crippled their computers with the infamous "Blue Screens of Death" (BSoD), which is really a matter of shame for one of the largest technology giants. Microsoft released security updates on its August Patch Tuesday that addressed privilege escalation vulnerabilities, but an apparent font cache clearing issue caused Windows boxes to turn the screen blue. The tech giant was forced to make this decision after hundreds of complaints regarding the infamous Blue Screen of Death error were sent to the company. This was not the only update to be made last week. The offending Microsoft patch, identified as MS14-045, is one of the nine updates and fixes three security issues, including one in the Windows kernel - the heart of the operating system - and can cause system crashes, forcing users to reboot. Soon after the initial release o
Microsoft Tuesday Update to Patch Critical Windows and Internet Explorer Vulnerabilities

Aug 08, 2014
Today Microsoft has released its Advance Notification for the month of August 2014 Patch Tuesday Updates, announcing a total of nine security bulletins, which will address several vulnerabilities in its products, out of which two are marked critical and the rest are important in severity. The latest updates, which are set to arrive on August 12, will address two critical bugs affecting Internet Explorer and Windows, with seven other issues rated as important. The vulnerabilities in the company's products range from remote code execution to protection bypasses. Both of the critical fixes will address remote code execution flaws. The critical Windows update affects only business and professional editions of Windows 7 and Windows 8, whereas the Internet Explorer update affects all versions of Windows on all supported platforms. The remaining seven updates affect its various products, including Windows, Office, SQL Server, the .NET Framework and SharePoint Server 2013. There wi
This July Microsoft Plans to Patch Windows and Internet Explorer Vulnerabilities

Jul 04, 2014
It's the beginning of a new month, so get ready for Microsoft Patch Tuesday! Microsoft has released its Advance Notification for the month of July 2014 Patch Tuesday, announcing six security bulletins, which will address a total of six vulnerabilities in its products, out of which two are marked critical, one is rated moderate and the rest are important in severity. All six vulnerabilities are important for you to patch, as the flaws affect various Microsoft software, including Microsoft Windows, Microsoft Server Software and Internet Explorer, with the critical ones targeting Internet Explorer and Windows. Microsoft is also providing an update for the "Microsoft Service Bus for Windows Server" which is rated moderate for a Denial of Service (DoS) flaw. "At first glance it looks like Microsoft may be taking it easy on us this month, which would be nice since we will be coming off a long holiday weekend here in the U.S." Chris Goettl from IT Security firm
Microsoft to Patch Critical Internet Explorer Zero-Day Vulnerability Next Tuesday

Jun 06, 2014
Today Microsoft has released its Advance Notification for the month of June 2014 Patch Tuesday, announcing seven security bulletins, which will address several vulnerabilities in its products, out of which two are marked critical and the rest are important in severity. This Tuesday, Microsoft will issue security updates to address seven major vulnerabilities, and all of them are important for you to patch, as the flaws affect various Microsoft software, including Microsoft Word, Microsoft Office and Internet Explorer. CRITICAL VULNERABILITY THAT YOU MUST PATCH Bulletin one is considered to be the most critical one, which will address the zero-day Remote Code Execution vulnerability, affecting all versions of Internet Explorer, including IE11 in Windows 8.1. All server versions of Windows are affected by this vulnerability, but at low level of severity because by default, Internet Explorer runs in Enhanced Security Configuration and just because Server Core version
Microsoft and Adobe to Release Important Security Patches Next Week

May 09, 2014
Microsoft has released its advance notification for the month of May 2014 Patch Tuesday security updates, which will be issued next Tuesday, May 13, and will patch a total of eight flaws. Among the eight vulnerabilities, two are rated critical and the rest are rated important in severity. Just a week before, Microsoft provided an 'out-of-band security update' for all versions of Internet Explorer (IE) that were affected by the zero-day vulnerability, and although IE6 for Windows XP retired last month, it still received patches for the IE6 zero-day flaw. But Microsoft has no plan to make any such accommodations this time. 13th MAY 2014 - MICROSOFT PATCH TUESDAY Next week the security updates will include fixes for vulnerabilities including the critical one in Internet Explorer (IE), along with .NET Framework, Windows, Office and SharePoint for all versions of Windows except Windows XP. "Our existing policy remains in place, and as such, Microsoft no longer supports
Microsoft Critical Vulnerabilities that You Must Patch Coming Tuesday

Apr 05, 2014
This past Thursday, Microsoft released an advance advisory alert for the upcoming Patch Tuesday, which will address Remote Code Execution vulnerabilities in several of Microsoft's products. Microsoft came across limited, targeted attacks directed at Microsoft Word 2010 because of the vulnerability in the older versions of Microsoft Word. This Tuesday Microsoft will release security updates to address four major vulnerabilities, out of which two are labeled as critical and the remaining two are important to patch, as the flaws affect various Microsoft software such as the Microsoft Office suite, Microsoft web apps, Microsoft Windows, Internet Explorer etc. VULNERABILITY THAT YOU MUST PATCH The Google Security Team has reported a critical Remote Code Execution vulnerability in Microsoft Word 2010 (CVE-2014-1761) which could be exploited by an attacker to execute malicious code remotely via a specially crafted RTF file, if opened by a user with an affected vers
Microsoft February Patch Tuesday : Two critical and Three Important Security Updates

Feb 07, 2014
Today Microsoft has released its Security Bulletin Advance Notification for February 2014 Patch Tuesday. The notification lists five bulletins, out of which two address critical Remote Code Execution flaws and the rest are rated important in severity. A Remote Code Execution vulnerability has been found in Microsoft's security software, i.e. Forefront Protection 2010 for Exchange Server, but this time there will be no new bulletins for Internet Explorer. Not only this, users of Windows 7, Windows Server 2008 R2, Windows 8 and Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1 are also advised to patch their systems in order to protect themselves from becoming victims of malicious code exploiting the Remote Code Execution vulnerability. Apart from remote code execution, Microsoft is going to release patches for privilege escalation, information disclosure, and denial of service security flaws in Windows operating syste
Internet Explorer 8 zero-day attack spreads on 9 other sites

May 08, 2013
The watering hole Internet Explorer 8 zero-day attack on the US Department of Labor website last week has spread to 9 more global websites over the weekend, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes. Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least. Researchers analyzing the attacks tie them to a China-based hacking group known as "DeepPanda". Security firm CrowdStrike said its researchers unearthed evidence suggesting that the campaign began in mid-March. Their analysis of logs from the malicious infrastructure used in the attacks revealed the IP addresses of visitors to the compromised sites. The logs showed addresses from 37 different countries, with 71 percent of them in the US, 11 percent in South/Southeast Asia, and 10 percent in Europe. Micros
It's Patch Tuesday, Microsoft rolling out Critical security updates

Mar 11, 2013
It's Microsoft Patch Tuesday, the time of the month in which we gather round, hold hands, and see just how much of Microsoft's software needs patching. Prepare your systems: Microsoft is expected to issue seven bulletins affecting all versions of its Windows operating system (OS), some Office components and also Mac OS X, through Silverlight and Office, and 4 out of 7 are critical patches. Critical: The first bulletin will address a remote code execution vulnerability affecting Windows and Internet Explorer. Critical: The second bulletin addresses a remote code execution vulnerability affecting Microsoft Silverlight. Critical: The third bulletin addresses a remote code execution vulnerability affecting Office. The fourth security bulletin addresses a critical elevation of privilege vulnerability affecting both the Office and Server suites. Important: The fifth and sixth security bulletins address an information disclosure vulnerability affecting Microsoft Off
Microsoft's Patch Tuesday fully loaded with patch for 57 security flaws

Feb 09, 2013
Microsoft's next updates are fully loaded with fixes for 57 different security vulnerabilities across 12 separate updates. It will roll out fixes as it always does on Patch Tuesday, the second Tuesday of every month. Anyone who uses Windows as their primary operating system will be quite familiar with Patch Tuesday. According to Microsoft's advisory, the 12 security updates, including two for Internet Explorer (IE), will patch a near-record 57 vulnerabilities in the browser, Windows, Office and the enterprise-critical Exchange Server email software. Part of this update will be security patches for every single version of Internet Explorer. Apparently, this is to address a security hole that leaves users open to being exploited through drive-by attacks. Out of the 12 updates, five are considered "critical," and others are labeled "important." As always, the critical patches will automatically install for any Windows users with automatic updates enabled. Two of the