Cisco Blogs


Cisco Blog > Threat Research

Microsoft Patch Tuesday – January 2016

The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.

Bulletins Rated Critical

Microsoft bulletins MS16-001 through MS16-0006 are rated as critical in this month’s release.

MS16-001 and MS16-002 are this month’s Internet Explorer and Edge security bulletin respectively. In total, four vulnerabilities were addressed and unlike in previous bulletins there are no vulnerabilities that IE and Edge have in common.

  • MS16-001 is the IE bulletin for IE versions 7 through 11. Two vulnerabilities are addressed with those being CVE-2016-0002, a use-after-free flaw and CVE-2016-0005, a privilege escalation flaw. Note that CVE-2016-0002 is a VBScript engine vulnerability that is addressed in this bulletin for systems with IE 8 through 11 installed. Those who use IE7 and earlier or who do not have IE install will need to install MS16-003 to patch this vulnerability.
  • MS16-002 is the Edge bulletin addressing two vulnerabilities as well. Both CVE-2016-0003 and CVE-2016-0024 are memory corruption vulnerabilities that could result remote code execution if exploited.

One special note regarding this month’s IE advisory: In August 2014, Microsoft announced the end-of-life for Internet Explorer versions older than IE 11 that would take effect today. As a result, this month’s bulletin will be the final one for affected versions. After today, “only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.” As such, there are exceptions to the end-of-life announcement with those being Windows Vista SP2 (IE9), Windows Server 2008 SP2 (IE9), and Windows Server 2012(IE 10). For more information on the IE end-of-life, please refer to Microsoft’s documentation here:
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support

Read More >>

Tags: , , , , ,

Microsoft Patch Tuesday – December 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated “Critical” this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated “Important” and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.

Bulletins Rated Critical

MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.

MS15-124 and MS15-125 are this month’s Edge and Internet Explorer security bulletin respectively. In total, 34 vulnerabilities were addressed this month between the two browsers with 11 vulnerabilities affecting both Edge and IE. The vast majority of the vulnerabilities addressed this month are memory corruption vulnerabilities along with a couple ASLR and XSS filter bypasses. One special note with this bulletin is that CVE-2015-6135 and CVE-2015-6136 are VBScript engine flaws that affect all supported versions of Internet Explorer. However, this bulletin only addresses these vulnerabilities for IE 8 through 11. Users and organizations who use IE 7, or that do not have IE installed will need to install MS15-126 to address these two vulnerabilities.

Read More >>

Tags: , , ,

Microsoft Patch Tuesday – November 2015

Microsoft’s Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 12 bulletins addressing 53 vulnerabilities. Four bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, Windows Journal, and Windows. The remaining eight bulletins are rated important and address vulnerabilities in .NET, IPsec, Kerberos, Lync/Skype for Business, NDIS, Office, SChannel, and Winsock.

Bulletins Rated Critical

Microsoft bulletins MS15-112 through MS15-115 are rated as critical in this month’s release.

MS15-112 and MS15-113 are this month’s Internet Explorer and Edge security bulletin respectively. In total, 25 vulnerabilities are addressed with four of them specifically affecting both IE and Edge. The remaining 21 vulnerabilities only affect Internet Explorer. The majority of the vulnerabilities that are resolved in this month’s release are memory corruption defects. In addition, an ASLR bypass, an information disclosure vulnerability, and a couple of scripting engine flaws are also addressed.

Read More >>

Tags: , , ,

Microsoft Patch Tuesday – September 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated “Critical” this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated “Important” and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.

Read More »

Tags: , , ,

Microsoft Patch Tuesday – August 2015

Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins released which address 58 CVEs. Four bulletins are rated “Critical” this month and address vulnerabilities in Internet Explorer, Graphics Component, Office, and Edge. The other ten bulletins are rated “Important” and address vulnerabilities within Remote Desktop Protocol (RDP), Server Message Block (SMB), XML Core Services, Mount Manager, System Center Operations Manager, UDDI Services, Command Line, WebDAV, Windows, and the .NET Framework. Read More »

Tags: , , ,