The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Microsoft Patch Tuesday

Immediately Patch Windows 0-Day Flaw That's Being Used to Spread Spyware

Immediately Patch Windows 0-Day Flaw That's Being Used to Spread Spyware

September 13, 2017Unknown
Get ready to install a fairly large batch of security patches onto your Windows computers. As part of its September Patch Tuesday , Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products. The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). Affected Microsoft products include: Internet Explorer Microsoft Edge Microsoft Windows .NET Framework Skype for Business and Lync Microsoft Exchange Server Microsoft Office, Services and Web Apps Adobe Flash Player .NET 0-Day Flaw Under Active Attack According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild. Here's the list of publically known flaws and their impact: W
Microsoft Issues Security Patches for 25 Critical Vulnerabilities

Microsoft Issues Security Patches for 25 Critical Vulnerabilities

August 08, 2017Mohit Kumar
Here we go again… As part of its August Patch Tuesday, Microsoft has today released a large batch of 48 security updates for all supported versions Windows systems and other products. The latest security update addresses a range of vulnerabilities including 25 critical, 21 important and 2 moderate in severity. These vulnerabilities impact various versions of Microsoft's Windows operating systems, Internet Explorer, Microsoft Edge, Microsoft SharePoint, the Windows Subsystem for Linux, Adobe Flash Player, Windows Hyper-V and Microsoft SQL Server. CVE-2017-8620: Windows Search Remote Code Execution Vulnerability The most interesting and critical vulnerability of this month is Windows Search Remote Code Execution Vulnerability (CVE-2017-8620), affects all versions of Windows 7 and Windows 10, which could be used as a wormable attack like the one used in WannaCry ransomware , as it utilises the SMBv1 connection. An attacker could remotely exploit the vulnerability thro
Microsoft Issues Updates for 96 Vulnerabilities You Need to Patch this Month

Microsoft Issues Updates for 96 Vulnerabilities You Need to Patch this Month

June 14, 2017Swati Khandelwal
As part of June's Patch Tuesday, Microsoft has released security patches for a total of 96 security vulnerabilities across its products, including fixes for two vulnerabilities being actively exploited in the wild. This month's patch release also includes emergency patches for unsupported versions of Windows platform the company no longer officially supports to fix three Windows hacking exploits leaked by the Shadow Brokers in the April's data dump of NSA hacking arsenal . The June 2017 Patch Tuesday brings patches for several remote code execution flaws in Windows, Office, and Edge, which could be exploited remotely by hackers to take complete control over vulnerable machines with little or no interaction from the user. While two of the vulnerabilities have been exploited in live attacks, another three flaws have publicly available proof-of-concept (POC) exploits that anyone could use to target Windows users. Vulnerabilities Under Active Attack The two vul
Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities

Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities

May 10, 2017Swati Khandelwal
As part of this month's Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild. Just yesterday, Microsoft released an emergency out-of-band update separately to patch a remote execution bug ( CVE-2017-0290 ) in Microsoft's Antivirus Engine that comes enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems. The vulnerability, reported by Google Project Zero researchers, could allow an attacker to take over your Windows PC with just an email, which you haven't even opened yet. May 2017 Patch Tuesday — Out of 55 vulnerabilities, 17 have been rated as critical and affect the company's main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of the Microsoft's anti-malware products. Sysadmins all over the world should prioriti
Microsoft Issues Patches for Actively Exploited Critical Vulnerabilities

Microsoft Issues Patches for Actively Exploited Critical Vulnerabilities

April 12, 2017Swati Khandelwal
Besides a previously undisclosed code-execution flaw in Microsoft Word, the tech giant patches two more zero-day vulnerabilities that attackers had been exploiting in the wild for months, as part of this month's Patch Tuesday . In total, Microsoft patches 45 unique vulnerabilities in its nine products, including three previously undisclosed vulnerabilities under active attack. The first vulnerability ( CVE-2017-0199 ) under attack is a remote-code execution flaw that could allow an attacker to remotely take over a fully patched and up to date computer when the victim opens a Word document containing a booby-trapped OLE2link object. The attack can bypass most exploit mitigations developed by Microsoft, and according to Ryan Hanson of security firm Optiv, in some cases, exploits can execute malicious code even when Protected View is enabled. As The Hacker News reported Monday, this code-execution flaw in Microsoft Word was being exploited by hackers to spread a version
Microsoft Finally Releases Security Patches For Publicly-Disclosed Critical Flaws

Microsoft Finally Releases Security Patches For Publicly-Disclosed Critical Flaws

March 15, 2017Mohit Kumar
After last month's postponement, Microsoft's Patch Tuesday is back with a massive release of fixes that includes patches for security vulnerabilities in Windows and associated software disclosed and exploited since January's patch release. Meanwhile, Adobe has also pushed out security updates for its products, releasing patches for at least seven security vulnerabilities in its Flash Player software. Microsoft patched a total of 140 separate security vulnerabilities across 18 security bulletins, nine of them critical as they allow remote code execution on the affected computer. Microsoft Finally Patches Publicly Disclosed Windows Flaws Among the "critical" security updates include a flaw in the SMB (server message block) network file sharing protocol, which had publicly disclosed exploit code since last month. The original patch released last year for this flaw was incomplete. The flaw is a memory corruption issue that could allow remote code execu
Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!

Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!

February 18, 2017Swati Khandelwal
Microsoft is once again facing embarrassment for not patching a vulnerability on time. Yes, Google's Project Zero team has once again publicly disclosed a vulnerability  ( with POC exploit ) affecting Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched. A few months back, the search engine giant disclosed a critical Windows vulnerability to the public just ten days after revealing the flaw to Microsoft. However, this time Google revealed the vulnerability in Windows to the public after Microsoft failed to patch it within the 90-day window given by the company. Google's Project Zero member Mateusz Jurczyk responsibly reported a vulnerability in Windows' Graphics Device Interface (GDI) library to Microsoft Security Team on the 9th of June last year. The vulnerability affects any program that uses this library, and if exploited, could potentially allow hackers to steal informatio
Microsoft Releases 4 Security Updates — Smallest Patch Tuesday Ever!

Microsoft Releases 4 Security Updates — Smallest Patch Tuesday Ever!

January 11, 2017Swati Khandelwal
In Brief Microsoft has issued its first Patch Tuesday for 2017 , and it's one of the smallest ever monthly patch releases for the company, with only four security updates to address vulnerabilities in its Windows operating system as well as Adobe Flash Player. Meanwhile, Adobe has also released patches for more than three dozen security vulnerabilities in its Flash Player and Acrobat/Reader for Windows, MacOS, and Linux desktops. According to the Microsoft Advisory, only one security bulletin is rated critical, while other three are important. The bulletins address security vulnerabilities in Microsoft's Windows, Windows Server, Office, Edge and Flash Player. The only security bulletin rated as critical is the one dedicated to Adobe Flash Player, for which Microsoft distributed security patches through Windows Update. Other security bulletins that addresses flaws in Microsoft products are as follows: Bulletin 1 — MS17-001 This security update resolves just one v
Microsoft releases 12 Security Updates; Including 6 Critical Patches

Microsoft releases 12 Security Updates; Including 6 Critical Patches

December 14, 2016Mohit Kumar
For the last Patch Tuesday for this year, Microsoft has released 12 security bulletins, half of which are rated 'critical' as they give attackers remote code execution capabilities on the affected computers. The security bulletins address vulnerabilities in Microsoft's Windows, Office, Internet Explorer and Edge. The first critical security bulletin, MS16-144 , patches a total of 8 security vulnerabilities in Internet Explorer, 3 of which had publicly been disclosed before Microsoft issued patches for them, though the company said they're not being exploited in the wild. The 3 publicly disclosed vulnerabilities include a Microsoft browser information disclosure vulnerability (CVE-2016-7282), a Microsoft browser security feature bypass bug (CVE-2016-7281) and a scripting engine memory corruption vulnerability (CVE-2016-7202) that allow remote code execution on the affected computer. The remaining 5 security flaws include a scripting engine memory corruption b
Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild

Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild

October 12, 2016Swati Khandelwal
Microsoft has released its monthly Patch Tuesday update including a total of 10 security bulletin, and you are required to apply the whole package of patches altogether, whether you like it or not. That's because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install. October's patch bundle includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release. The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute a remote command on victim's system. Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company wa
Microsoft Releases 9 Security Updates to Patch 34 Vulnerabilities

Microsoft Releases 9 Security Updates to Patch 34 Vulnerabilities

August 10, 2016Mohit Kumar
In Brief Microsoft's August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows. A security bulletin, MS16-102 , patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by getting you to view specially-crafted PDF content in your web browser. Users of Microsoft Edge on Windows 10 systems are at a significant risk for remote code execution (RCE) attacks through a malicious PDF file. Web Page with PDF Can Hack Your Windows Computer Since Edge automatically renders PDF content when the browser is set as a default browser, this vulnerability only affects Windows 10 users with Microsoft Edge set as the default browser, as the exploit would execute by simply by viewing a PDF online. Web browsers for all other affected operating systems do not automatically
Critical Print Spooler Bug allows Attackers to Hack any version of Microsoft Windows

Critical Print Spooler Bug allows Attackers to Hack any version of Microsoft Windows

July 13, 2016Swati Khandelwal
Microsoft's July Patch Tuesday offers 11 security bulletins with six rated critical resolving almost 50 security holes in its software. The company has patched a security flaw in the Windows Print Spooler service that affects all supported versions of Windows ever released, which if exploited could allow an attacker to take over a device via a simple mechanism. The "critical" flaw ( CVE-2016-3238 ) actually resides in the way Windows handles printer driver installations as well as the way end users connect to printers. The flaw could allow an attacker to install malware remotely on victim machine that can be used to view, modify or delete data, or create new accounts with full user rights; Microsoft said in MS16-087 bulletin posted Tuesday. Users who are logged in with fewer user rights on the system are less impacted than users who operate with administrative user rights, such as some home accounts and server users. Microsoft said the critical flaw could
Microsoft releases tons of Security Updates to patch 44 vulnerabilities

Microsoft releases tons of Security Updates to patch 44 vulnerabilities

June 14, 2016Swati Khandelwal
Microsoft has released 16 security bulletins on Tuesday resolving a total of 44 security holes in its software, including Windows, Office, Exchange Server, Internet Explorer and Edge. Five bulletins have been rated "critical" that could be used to carry out remote code execution and affected: Windows, Internet Explorer (IE), Edge (the new, improved IE), Microsoft Office and Office services; and the remaining 11 are marked important. One of the critical issues, MS16-071 that caused alarm bells to go off for many security experts involves a Use-After-Free bug (CVE-2016-3227), which affects Microsoft Windows Domain Name System (DNS) servers for Windows Server 2012 and 2012 R2. The vulnerability resides in the way servers handle requests. Attackers could send a specially crafted request to a DNS server and convinced it to run arbitrary code in the context of the Local System Account, Microsoft's advisory warns. Another critical vulnerability is addressed in MS16-070, which patc
Patch Report: All Versions of Windows affected by Critical Vulnerability

Patch Report: All Versions of Windows affected by Critical Vulnerability

October 13, 2015Mohit Kumar
Microsoft has rolled out six security updates this Patch Tuesday , out of which three are considered to be " critical, " while the rest are marked as " important. " Bulletin MS15-106 is considered to be critical for Internet Explorer (IE) and affects absolutely all versions of Windows operating system. The update addresses a flaw in the way IE handles objects in memory. The flaw could be exploited to gain access to an affected system, allowing hackers to gain the same access rights as the logged-in user. A hacker could " take advantage of compromised websites, and websites that accept or host user-provided content or advertisements ," the advisory states. " These websites could contain specially crafted content that could exploit the vulnerabilities. " Therefore, the dependency here is that an IE user must knowingly click on the malicious link, which then be leveraged by an attacker to get the full control over a computer t
Microsoft Releases 12 Security Updates (5 Critical and 7 Important Patches)

Microsoft Releases 12 Security Updates (5 Critical and 7 Important Patches)

September 09, 2015Khyati Jain
With the release of 12 Security Bulletins , Microsoft addresses a total of 56 vulnerabilities in its different products. The bulletins include five critical updates, out of which two address vulnerabilities in all versions of Windows. The September Patch Tuesday update (released on second Tuesday of each month) makes a total of 105 Security Bulletins being released this year; which is more than the previous year with still three months remaining for the current year to end. The reason for the increase in the total number of security bulletins within such less time might be because of Windows 10 release and its installation reaching to a score of 100 million. Starting from MS15-094 to   MS15-105 ( 12 security bulletins ) Microsoft rates the severity of the vulnerabilities and their impact on the affected software. Bulletins MS15-094 and MS15-095 are the cumulative updates, meaning these are product-specific fixes for security related vulnerabilities that are rated
Microsoft issues Security Patches for Windows 10 and Edge Browser

Microsoft issues Security Patches for Windows 10 and Edge Browser

August 12, 2015Swati Khandelwal
Updated your PCs to Windows 10 ? Now it's time to patch your Windows 10 software. Microsoft has issued its monthly Patch Tuesday by releasing 14 security bulletins , nearly half of it address vulnerabilities in its latest operating system, Windows 10. Four of them are marked critical, affecting Windows, .Net Framework, Microsoft Office, Microsoft Lync, Internet Explorer, Microsoft Silverlight and Edge Browser . Yes, the critical update includes even Edge browser – Microsoft's newest and supposedly super-secure web browser. Windows users are advised to patch their system as soon as possible because the security flaws can be remotely exploited to execute malicious code on vulnerable systems, allowing hackers to install malware and take full control of systems. Most Critical Security Updates: MS15-079 – The critical update fixes a total of 10 privately disclosed flaws in Internet Explorer. Most of these flaws allow a hacker to execute malicious code on v
Microsoft patches Stuxnet and FREAK Vulnerabilities

Microsoft patches Stuxnet and FREAK Vulnerabilities

March 11, 2015Swati Khandelwal
Microsoft has come up with its most important Patch Tuesday for this year, addressing the recently disclosed critical the FREAK encryption-downgrade attack , and a separate five-year-old vulnerability leveraged by infamous Stuxnet malware to infect Windows operating system. Stuxnet malware , a sophisticated cyber-espionage malware allegedly developed by the US Intelligence and Israeli government together, was specially designed to sabotage the Iranian nuclear facilities a few years ago. First uncovered in 2010, Stuxnet targeted computers by exploiting vulnerabilities in Windows systems. Thankfully, Microsoft has issued a patch to protect its Windows machines that have been left vulnerable to Stuxnet and other similar attacks for the past five years. The fixes are included in MS15-020 which resolves Stuxnet issue. The company has also issued an update that patches the FREAK encryption vulnerability in its SSL/TSL implementation called Secure Channel (Schannel). The fix
Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows

Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows

January 16, 2015Swati Khandelwal
Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft's Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don't give a damn thought. Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix. DISCLOSURE OF UNPATCHED BUGS, GOOD OR BAD? Google's tight 90-days disclosure policy seems to be a good move for all software vendors to patch their products before they get exploited by the hackers and cybercriminals. But at the same time, disclosing all critical bugs along with its technical details in the widely used operating system like Windows 7 and 8 doesn't appears to be a righ
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.