Patch Tuesday

While Customers Wait for March, Microsoft Software Flaws Continue to Mount

As Microsoft continues to lackadaisically count down the days until its March Patch Tuesday, yet another zero-day bug has been publicly unveiled. This new bug, also announced by Google’s security research team, affects both Internet Explorer 11 and Microsoft Edge: Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement. This makes the second bug revealed in just a few weeks’ time. Microsoft customers were already waiting for a third bug, known since late 2016, to be completely fixed – one which Microsoft failed to acknowledge with a fix in January. Microsoft then skipped February’s Patch Tuesday altogether, stating it would resume security patching in March. The company hasn’t been forthcoming about why it skipped providing security patches for its plat...

February’s Flash Security Update on the Wires from Microsoft

Microsoft decided to at least deliver one security patch this month, this one for a critical Adobe Flash vulnerability. The update is available now over Windows Update. Associated KB article: MS17-005: Security update for Adobe Flash Player: February 21, 2017. This security update resolves vulnerabilities in Adobe Flash Player if Flash Player is installed on any supported edition of Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 8.1, or Windows RT 8.1. Microsoft has promised to resume normal Patch Tuesday operations in March. Customers are hoping the March updates will plug a couple of zero-day holes. One was partially fixed last year, and the other has yet to receive an update though it’s been known for 9...

Microsoft Set to Release Flash Security Update on Tuesday

Microsoft may have skipped February for patching its own systems, but the company will use Tuesday, February 21, 2017 to at least release an update to secure the Adobe Flash components in its Internet Explorer and Microsoft Edge web browsers. Years ago, Adobe piggy-backed on Microsoft’s own Patch Tuesday to help ease the burden on IT administrators when patching. But, with Microsoft skipping February 2017 for no publicly communicated reason, Flash in modern web browsers has been left with exposed vulnerabilities. Instead of waiting until March as it had planned to do with its other security updates, Microsoft has notified paid support customers by email today that they should expect the Flash updates to deliver on Tuesday. Looking for an awesome, no-nonsense technical conference for IT Pros, D...

As Microsoft Skips Patching, Zero-days Pile Up

A severe SMB flaw is still in the wild after Microsoft has failed to patch it and has also skipped February’s Patch Tuesday for reasons the company will not communicate. Now, following its policy of a 90-day stay between notifying the offending company and making a flaw public, Google’s security research team has outed yet another vulnerability in the Microsoft Windows platform. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. It’s being reported that Microsoft fixed portions of this recently reported flaw, but stopped short of fixing the entire vulnerability. Details on this latest flaw here: Windows gdi32.dll heap-based out-of-bounds reads / memory...

Microsoft Skips February’s Patch Tuesday Altogether

Just a couple of days after announcing it was going to delay its regularly scheduled security patch day, Microsoft has updated the original announcement to now say… UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017. Rumors swirl. Some have suggested that the reason is due to infrastructure problems. Others say it’s because of Microsoft’s upcoming Windows 10 Creators Update and that the March schedule coincides better with the big release. Still others are concerned that Microsoft’s big shift into differential updates is causing some last-minute problems. It’s interesting, to say the least. Microsoft has rarely (if ever) been one to delay patches even when a patch or two cause customer pain, but its new patching policy built ...

Microsoft’s Strict Patching Policy Puts Customers at Risk of Zero-day SMB Exploit

A couple of weekends ago, an SMB exploit affecting Windows 8.1, Windows 10, and Windows Server editions was discovered and reported in hopes that Microsoft would deliver an update to plug the hole. Further investigation reveals that Microsoft has known about the issue, but failed to deliver a fix in its Cumulative Update releases for the past 3 months. The company is rumored to deliver the update this month, but the exploit has already gone live in the wild. The problem is serious enough to warrant an alert from US-CERT: Microsoft Windows SMB Tree Connect Response denial of service vulnerability. Why Microsoft has failed to deliver a fix has not been communicated by the company. However, many blame it on Microsoft’s latest attempt at rewriting its patching policies due to how it needs to...

Microsoft Gives “All Clear” Message on Monthly Preview Rollups for Pre-Windows 10 OS’s

Customers have been complaining to Microsoft for some time that the Windows maker just isn’t supplying enough information about its updates and what the updates contain. Call it what you will, but here’s a little levity for you in Microsoft’s updating process. The company today provided information on its Update History pages for both Windows 8.1/Windows Server 2012 R2 and Windows 7 SP1/Windows Server 2008 R2 SP1 to say that customers shouldn’t be expecting anything new today. Or, as Microsoft put it…

Microsoft Separates Internet Explorer Updates from Security Updates (Again)

According to an updated blog post on simplifying updates for Windows 7 and Windows 8.1, Microsoft has decided to remove Internet Explorer updates from the monthly Security Updates and update its Patch Tuesday policies. This comes just a couple of months after altering its policy on updating the pre-Windows 10 operating systems. The move essentially takes a small step back to accommodate customers’ complaints. Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above (Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2; IE10 for Windows Server 2012). The blog post goes on to suggest that the reason is to reduc...

Reminder: Microsoft Replaces Security Bulletins with Security Updates Guide This Month

As announced in November 2016, this month Microsoft will no longer be making security bulletins available, but instead will deliver information about its security releases in its new Security Updates Guide. The new Security Updates Guide is located here: https://portal.msrc.microsoft.com/en-us/security-guidance Using the new portal, you can… Sort and filter security vulnerability and update content, for example, by CVE, KB number, product, or release date. Filter out products that don’t apply to you, and drill down to more detailed security update information for products that do. Leverage a new RESTful API to obtain Microsoft security update information. Download the current list in .csv format.

Rolling Out Now: Windows 10 CUs KB3213986 and KB3210720

Promising that no new features will roll out as part of the regular security update Tuesday, Microsoft is now delivering new cumulative updates, KB3213986 and KB3210720, for Windows 10. KB3213986 is for Windows 10 version 1607 and KB3210720 is for Windows 10 version 1507.

Microsoft Fixes High DPI Scaling for Skype for Business 2016

In November, an issue with high DPI scaling was fixed for those running the Lync 2013 (Skype for Business) bits. Now, Microsoft has released a noteworthy new patch for those running Skype for Business 2016 and affected by the issue of… When you drag the Microsoft Skype for Business 2016 client or window from one monitor to another, the UI in the client or window doesn’t scale correctly. It’s either too small or too big. The update was made available without much fanfare, but more information is available here: Improvements on VDIv2 implementation and high DPI scaling across multiple monitors in Skype for Business 2016

Tracking: KB3205386 Breaks the AD Administrative Center on Windows 10

According to a thread on Reddit, and reports elsewhere that are now surfacing, a security-only update (KB3205386) is breaking the AD Administrative Center when trying to edit an object’s properties, as well as consoles for System Center Configuration Manager users. Uninstalling the update resolves the problem, but so far there’s no indication that Microsoft is aware of the issue or that the company is working on a full resolution. According to some, the problem affects Windows 7, Windows 10 1511, and Windows Server 2012 R2. If you’re also experiencing this issue in production or in testing, let us know.