Microsoft March updates to be released on Tuesday

Microsoft will release monthly updates on Tuesday.

This time there will be three updates. Two of them are classified as Important and one as Critical. Updates are for Microsoft Windows 2000, XP, Vista, Server 2003 and Server 2008 and are against Remote Code Execution and spoofing.

Microsoft Windows Malicious Software Removal Tool will also be updated.

Read more about updates here

SP3 has vulnerable Flash

Computerworld reports that Microsoft Windows XP Service Pack 3 includes vulnerable Flash, version 9.0.115.0.

Version 9.0.124.0 was released before SP3 but for some reason Microsoft didn't include it to SP3.

Read more about Flash vulnerability here
and update Flash here

May Windows Updates to be released on next Tuesday

Monthly Windows Updates will be released on next Tuesday.

There will be four updates, three of them classified as critical and one as moderate.

All critical updates are fixes for code execution vulnerabilities. Two of them are for Microsoft Office (Word and Publisher) and one for Jet Bulletin.

Microsoft Windows Malicious Software Removal Tool will be also updated.

See more here

Unpatched vulnerability in Windows

There has been found locally abusable vulnerability from Windows for which there is currently no fix. Microsoft is working on it but haven't found yet any attack related to that vulnerability.

This vulnerability gives users with NetworkService or LocalService accounts a possibility to raise their user rights to LocalSystem level. Microsoft Internet Information Services (IIS) and Microsoft SQL Server services might use those accounts. If attacker is able to execute malicious program code in eg, those services, there are chances to abuse that vulnerability. Microsoft may release a fix outside monthly updates or included to some of those.

Vulnerability is in XP/Server 2003/Server 2008/Vista. Here is a solution before update.

April Microsoft Updates released

April Microsoft Updates have been released. There are in total 8 new updates. Five of them are classified as Critical and three as Important.

Microsoft Windows Malicious Software Removal Tool has also been updated.

Updates are for mainly Internet Explorer, Vista SP1 and Server 2008 (two updates are for other OSes as well) and MS Office.

Read more here

March Microsoft Updates come out tomorrow

Monthly Microsoft Updates will be published tomorrow.

Those updates include four critical updates concerning Office and Outlook.

Microsoft Windows Malicious Software Removal Tool will be updated as usual, too.

Read more here

Microsoft February updates released

February updates have 11 updates which fix 17 vulnerabilities in Windows, Office and Works products.

Six of them are classified as critical, 3 of them is for Windows and 3 for Office. One of the critical Windows updates fixes 4 vulnerabilities in Internet Explorer considering handling of html pages, pictures, ActiveX components and memory. These vulnerabilities enable to execute malicious code
using user rights.

Other updates are for Windows Vista tcp/ip protocol stack, IIS server software and Active Directory directory service.

Office updates are for handling of objects in Office documents and .doc, .wps and .pub file formats. Attacker can execute malicious code using system rights if user opens a document created by certain way.

Excel vulnerability discussed in January was not fixed yet.

Read more here

January windows updates come out tomorrow

Microsoft will release tomorrow 2 security updates, one of them being classified as critical and another as important.

Also Malicious Software Removal Tool will be updated.

More info can be found here

Problems with latest IE security update

Microsoft has get reports of users that have had problems using Internet Explorer after last week IE security update.

Some told that they have problems accessing web sites and others said that IE won't open at all.

Reports started to come almost immediately after MS07-069 update release a week ago.

Problems seem to affect both IE 6 and IE7 as well as both Windows XP and Windows Vista.
Microsoft has released a temporary solution.

Source: PC World, Microsoft

November Windows updates coming on next Tuesday

Total 7 security updates will be released on 11th of December. They are for Windows itself, DirectX, Windows Media Player and Internet Explorer.

Three of them are classified as critical and rest as important. Also Malicious Software Removal tool, Microsoft Update, Windows Server Update Services and Download Center get updated.

Microsoft is also planning to release 7 non-security updates, all classified as high.

November Windows updates released

There are only 2 updates in monthly Windows update package.

First of them is for a critical vulnerability in uri technology (uniform resource identifier). That means situations in which user opens programs by clicking a web link. There have been found situations in which crackers have included on code in those links and tried to get own software to users computer.

That vulnerability is for IE 7 only and it's not in browser itself but in shell32.dll file. Same vulnerability was fixed in Firefox already in summer.

Second update is for vulnerability in Windows DNS Server service in Windows 2000 Server and Windows Server 2003 operating systems. This spoofing vulnerability could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

Copy protection makes Windows vulnerable

Earlier on October was found a vulnerability in Macrovision Safedisc copy protection (affects XP and Server 2003 operating systems).

Driver suffers from corruption error which means that attacker can get access to core and take over computer completely.

Using that vulnerability probably needs that victim opens bad file attachment via instant messenger or email.

Microsoft has released security advisory regarding that issue though problem is related to 3rd party software.

Macromedia has released patch for that and Microsoft will release own fix among November security bulletin.