NVDi Support News & Alerts » security patches

Alert: Microsoft to release out-of-band security update July 28th

wkwalker — Sat, 25 Jul 2009 03:06:15 +0000

Microsoft is releasing a pair of critical Windows security updates on July 28th. This is highly unusual. Microsoft normally issues security fixes on the second Tuesday of the month — “Patch Tuesday.” When they release an out-of-band update like this, it is usually because it deals with a critical vulnerability that is being actively exploited. According to Microsoft’s advance notification, the updates will affect Internet Explorer and Visual Studio. For most of us pluggers, it’s the Internet Explorer patch that will matter.

Temporary fix available for new Internet Explorer vulnerability

wkwalker — Thu, 16 Jul 2009 19:07:17 +0000

Just as Microsoft was rolling out this month’s collection of security patches and software updates, a new Internet Explorer vulnerability cropped up. Basically, it’s another one of those deals where you could get infected simply by visiting a maliciously crafted web page.

Unless the bad guys start exploiting this bug heavily, Microsoft will likely not fix it until the next regular second-Tuesday patch cycle. Until then, there’s a Help and Support page offering a temporary workaround.

July Microsoft patches are available

wkwalker — Tue, 14 Jul 2009 22:19:58 +0000

The July Microsoft patches for Windows and layered products, such as Office, are available for download. The servers are slow right now, probably because a whole bunch of people are jumping on them, trying to get at the “critical” Internet Explorer updates.

Alert: May 12th is “Patch Tuesday”

wkwalker — Fri, 08 May 2009 17:27:24 +0000

May 12th is “Patch Tuesday,” the day Microsoft traditionally issues security updates. Adobe is also issuing a patch for Adobe Reader and Acrobat.

The sole Microsoft patch fixes a “critical” flaw in PowerPoint. “Critical” means it’s a big deal. In this case, opening a maliciously crafted PowerPoint presentation could allow an attacker to execute code remotely on a victim’s computer. All versions of PowerPoint released in the past 10 years are vulnerable to this one.

Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here.

You can safely assume that the bad guys, knowing that people are often sloppy about security updates, will try to take advantage of both vulnerabilities. The Adobe Reader bug will likely be the primary target. Almost everyone has Adobe Reader installed on their computer and most folks are used to encountering PDF files on web sites.

Be careful out there.

Patch Tuesday looms

wkwalker — Fri, 10 Apr 2009 23:35:52 +0000

April 14th is “Patch Tuesday.” Barring a major panic, Microsoft issues security updates for its products on the second Tuesday of the month. This month, we’re looking at eight patches, five of them rated “critical.” Microsoft’s offical security bulletin has all the details they’re willing to share so far.

It’s generally a good idea not to let security updates slide for very long. Once the word is out, the bad guys try to reverse-engineer the patches. If they find anything particularly juicy, they take advantage of the fact that many people are remiss about applying the patches. For instance, the primary mode of infection used by the currently infamous Conficker worm is a vulnerability that was fixed several months ago.

A little side-note: April 14, 2009 is also the day Windows XP goes on “extended support.”