Weekly Infosec News Brief – Mar 09-15, 2015

Microsoft Releases Fourteen Patches, Five Critical, on Patch Tuesday

Last Tuesday, on this month’s “Patch Tuesday,” Microsoft released security bulletins on fourteen new vulnerabilities, five of which can lead to critical remote code execution exploits. The Office update (MS15-022) is particularly important, as it is the first new remotely-exploitable Office document vulnerability announced in some time. The other four critical bulletins are all remotely exploitable via malicious websites viewed using Internet Explorer, or possibly even other browsers in the case of MS15-021.
https://technet.microsoft.com/en-us/library/security/ms15-mar.aspx
https://isc.sans.edu/forums/diary/Microsoft+March+Patch+Tuesday/19445/


One March Microsoft Update Causing Problems on Some PCs

On some Windows 7 computers, the KB3033929 update released last week has been causing continuous reboot loops. The update provides important new security capabilities, but does not patch a serious vulnerability. Therefore, our recommendation is not to install it at this time, but to wait for Microsoft to provide an updated patch. This is another in a string of recent Microsoft patches to cause problems, illustrating again the need for basic testing of patches prior to wide deployment.
https://technet.microsoft.com/en-us/library/security/3033929.aspx
https://technet.microsoft.com/library/security/MS15-025


Common WordPress Plugin Susceptible to Exploitation via SQL Injection

WordPress SEO by Yoast is a very popular third-party plugin for WordPress, which is the most popular website content management tool in use today. A serious vulnerability in this plugin can allow an attacker to completely take over a website that uses this plugin. This vulnerability is estimated to affect over one million websites.
http://www.securityweek.com/sql-injection-flaw-found-popular-wordpress-seo-plugin
https://wpvulndb.com/vulnerabilities/7841


Adobe Releases Flash Update Fixing Multiple Critical Vulnerabilities

On March 12, Adobe released a new version of their Flash Player software (version 17.0.0.134) that includes fixes for a number of critical vulnerabilities. Flash vulnerabilities are the most common targets of web-based attacks today, so ensuring this update is applied promptly is critical. Fortunately, Flash updates are largely automated these days. If you don’t have a procedure or system to verify whether Flash is being patched in your network, you need one. Anchor would be happy to help you deal with your patching issues.
http://www.scmagazine.com/adobe-issues-patches-addressing-11-vulnerabilities-in-flash-player/article/403248/
https://helpx.adobe.com/security/products/flash-player/apsb15-05.html
