Patch Management

Microsoft Delays Ending Security Bulletin Demise

In a blog post announcing the security updates for March 2017, Microsoft also distributed the following terse blurb: “Security bulletins were also published this month to give customers extra time to ensure they are ready to transition their processes.” Missing from the statement is a new deadline date. Does this mean the company has moved it by a month since it skipped delivering security updates to customers in February – or is the date still undetermined? We’re reaching out to Microsoft for clarification. Looking for an awesome, no-nonsense technical conference for IT Pros, Developers, and DevOps? IT/Dev Connections kicks off in San Francisco in 2017!

Patch Tuesday for March 2017 is Coming But It’s Guesswork

Famously now, Microsoft skipped patching its Windows platform in February 2017 for an uncited reason and stated that it would restart the updating engines for March’s Patch Tuesday. Patch Tuesday is now just a day away and Microsoft has a lot of catching up to do. Will the company provide security fixes for the myriad of zero-day flaws that have cropped up since the last security update? Will customers see fixes for vulnerabilities that have been left unfixed since late 2016? Can customers count on Microsoft to patch wide-open security holes for which 3rd parties have taken it upon themselves to provide their own patches to Microsoft’s own customers? Missing a single month has had wide-ranging repercussions. For those tasked with keeping corporate assets safe it may have seemed like a...

Microsoft Pulls Bad Device Driver and Offers Workarounds

Just a couple days ago on March 8th, Microsoft delivered a device driver (Microsoft – WPD – 2/22/2016 12:00:00 AM – 5.2.5326.4762) that would not correctly detect mobile phones or portable devices like it should. After a big thread and help from the community that installed old drivers to both prove the problem and , Microsoft relented and removed the device driver from Windows Update. However, there are those that installed the device driver before Microsoft had the chance to pull it. Those people may still experience issues. In the thread the company representative offers some workarounds for those that soldiered in and installed all their updates quickly. These workarounds include using a System Restore Point, rolling back the specific device driver, and blocking it from installin...

Microsoft Office Updates for March 2017

Microsoft is currently rolling out its monthly updates for its Office products as normal. We’ll have to wait another week to see if the company can find its way to delivering security updates for March 2017, after skipping February. Here’s what’s rolling out now:

Office 2013
Update for Microsoft Office 2013 (KB3162058)
Update for Microsoft Office 2013 (KB3162039)
Update for Microsoft OneDrive for Business (KB3178645)
Update for Microsoft Project 2013 (KB3178650)
Update for Microsoft Visio 2013 (KB3172437)

Office 2016
Update for Microsoft Access 2016 (KB3128054)
Update for Microsoft Office 2016 (KB3141452)
Update for Microsoft OneDrive for Business (KB3141458)
Update for Microsoft Office 2016 (KB3178661)
Update for Microsoft Office 2016 (KB3178663)
Update for Microsoft Off...

ACROS Security Takes Up Slack Left by Absent Microsoft with Zero Day Patch

It’s best to be very wary of any non-vendor patches for specific vendor flaws. But this is just another effect of Microsoft skipping an entire month of security patches in February 2017 while zero-day flaws in its operating systems continue to be reported. If skipping platform security patching isn’t bad enough, the company has failed to communicate in any meaningful way about why it skipped a month. ACROS Security has developed a patch for the recently communicated flaw in gdi32.dll and talks about it in the following blog: 0patching a 0-day: Windows gdi32.dll memory disclosure (CVE-2017-0038) According to the ACROS site… ACROS, located in Slovenia, is a family owned, self-funded company. An equal-opportunity employer with extremely low staff turnover, i...

February’s Flash Security Update on the Wires from Microsoft

Microsoft decided to deliver at least one security patch this month, this one for a critical Adobe Flash vulnerability. The update is available now over Windows Update. Associated KB article: MS17-005: Security update for Adobe Flash Player: February 21, 2017. This security update resolves vulnerabilities in Adobe Flash Player if Flash Player is installed on any supported edition of Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 8.1, or Windows RT 8.1. Microsoft has promised to resume normal Patch Tuesday operations in March. Customers are hoping the March updates will plug a couple of zero-day holes. One was partially fixed last year, and the other has yet to receive an update though it’s been known for 9...

Download Microsoft Security Bulletin History

Microsoft has made available free, downloadable Excel spreadsheets that detail security bulletin history from 2008 to the present. The plan is to update this information regularly. What’s available:

Excel files that contain affected software, bulletin replacement, reboot requirements, and CVE information from the Microsoft security bulletins. BulletinSearch.xlsx contains bulletin information from November 2008 to the present. BulletinSearch1998-2008.xlsx has all of the rest of the historical data.
A zip file that contains security bulletins in the Common Vulnerability Reporting Framework (CVRF) format (since June 2012)

Download: Microsoft Security Bulletin Data

Microsoft Delays February’s Patches

UPDATE: Microsoft Skips February’s Patch Tuesday Altogether

Microsoft today has announced that it will delay its release of February 2017 updates.

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.” MSRC

MS16-135 is the Fix for the Google-outed Windows Flaw

Much to Microsoft’s chagrin, Google recently publicly outed a major Windows vulnerability just 10 days after disclosing it to Microsoft. The flaw affects all currently supported versions of Windows including Windows 10 and Windows Server 2016. Amid this month’s Patch Tuesday updates, Microsoft has delivered a fix for this reported flaw. Bulletin: Microsoft Security Bulletin MS16-135 KB Article: Security Update for Windows Kernel-Mode Drivers (3199135)

Best Resources for Patch Management Discussion and Support

Are you tasked with keeping your organization’s systems up-to-date, secure, and performing well through management of updates? Here are a few of the best ways to obtain support and connect with people tasked with the same responsibilities.

Patchmanagement.org email lists (Patch Management/WSUS): http://www.patchmanagement.org/
Monthly Patching Discussion online forum: https://myitforum.com/forums/Monthly-Patching-Discussion-f241.aspx
Patching email list specific to System Center Configuration Manager: https://myitforum.com/myitforumwp/newsletter/email-lists-2/#configmgr
Patch Management news and tips: https://myitforum.com/myitforumwp/topics/patch-management/

Know of additional resources you count on that should be added here? Let us know in the comments, on Twitter (@myITforum)....

Windows 10 Cumulative Update KB3200970 Fails Installation for Some

Another month of updates, another round of reported problems. Microsoft may not have set its own goal to ever deliver an error-free update release, but customers continue to hope for it. We told you yesterday that the latest CU for Windows 10 is available, and while the reports are few right now, there is a growing concern that the update is failing to install and sending the PC/device into a reboot/install/reoffer loop. There is a normal set of solutions that Microsoft offers in this case, which include shutting down antivirus, rebooting first before initial installation (if possible), and clearing out the Windows Update cache through repair using the Windows Update Troubleshooter. Are you having problems? If you’re experiencing installation problems with KB3200970, let us know in the...

November 2016’s Public Update Releases Available for Office Today, Too

It’s a big day for Microsoft updates and updates news…

Windows 10 Cumulative Update KB3200970 Rolling Out Now
14 Security Patches Ready for Voting/Patch Tuesday
Microsoft Replacing Bulletins with New Security Updates Guide in January 2017

And now the November 2016 Public Update releases for Office are also available. This month’s Office release is represented by 25 security updates (1 bulletin) and 39 non-security updates. All of the security and non-security updates for November are listed in KB article 3200802. Additionally, expect click-to-run updates for Office 2013 (15.0.4875.1001), Office 2010 (14.0.7176.5000), and Office 365.