Skip to main content
Monthly Archives

June 2015

|

Flash Back: Adobe issues emergency Flash fix

By News, Patch ManagementNo Comments
[vc_single_image image=”6006″ img_size=”full” alignment=”center”]

It feels like Déjà vu, Adobe has released another emergency update to resolve a vulnerability with Flash Player which is currently being exploited.

By Robert Brown | June 24, 2015

The company said it had evidence of “limited, targeted attacks” and urged people to update their software immediately. What makes this zero day threat (0-day) even more serious, is that it impacts versions of Flash player on different operating systems – Microsoft, Linux and Mac are all susceptible to attack. Already this year there have been half a dozen of these emergency updates released.

This specific update (and all other emergency updates) have already been tested and has been added into our third party patch content, for all our CMS customers to deploy to keep their environment safe.

The BBC is reporting that “Adobe’s Flash software has a long history of needing security fixes and is regarded by some security researchers as a weak point in many websites.”

Along with Java, Flash is routinely targeted by hackers making use of zero-day exploits – the term given to previously unknown security holes.

Read the BBC article here

|

Fill your cloud toolbox and put it to good use

By Managed Service Providers, NewsNo Comments

It would be easy to switch off when people start talking about cloud. The subject is not only worn out, but is one that means so many different things to so many people. As a result of that jaded confusion, there is a danger that some of the potential opportunities cloud presents could be missed.

MicroScope garnered opinions from across the channel about what cloud technology could offer resellers this year and where efforts would be best placed for those looking to grow their businesses. The good news is that there are plenty of suggestions, and with Microsoft Windows Server 2003 support ending next month, it is a good time to encourage those running on traditional setups to look at a hosted alternative.

[vc_single_image image=”5946″ img_size=”medium” alignment=”center”]

Management of systems
Ashley Leonard, president and CEO at Verismic, says the channel community, particularly managed service providers (MSPs), need to arm themselves with a simple, cloud-based systems management tool.

“PCs and laptops are not going away, despite the rush to adopt tablets and smart devices. PCs and laptops need managing, monitoring, patching and licensing. Windows 10 will likely create a flurry of upgradework, application compatibility testing and roll-out,” he says.

“MSPs need a systems management tool that combines the cloud with agentless end-device setup, so they don’t need to deploy and maintain another piece of software at every customer site and on every
PC,” he says.

Read more at microscope.uk

|

Patch Tuesday Sunset Will Be a Mixed Bag for Windows Security

By News, Patch Management, Patch TuesdayNo Comments

Microsoft will phase out Patch Tuesday, its monthly potpourri of software product fixes, when it rolls out Windows 10, which could be a mixed bag for the operating system’s security. Patches will be applied automatically as they’re ready. That means users no longer will have to wait until the second Tuesday in the month to secure their systems from potentially troublesome vulnerabilities. However, there are a number of caveats to that scenario.

[vc_single_image image=”5800″ img_size=”medium” alignment=”center”]

First, the scheme applies only to Windows 10. Other versions of Windows, as well as most of the company’s other software products, will be updated in the traditional way — at least for awhile.

Second, enterprises will have the option to determine when patches are applied. Microsoft is making that easier to do with its Windows Update for Business, which allows system administrators to choose machines to be updated, and to set maintenance windows to determine when updates should take place.

Because fixes may not be applied to enterprise equipment as fast as they’re applied to consumer and small business machines, a gap could occur, which hackers might exploit.

Window of Opportunity

Depending on the size of the organization, automatic updates will be a benefit or problem, noted Ashley Leonard, CEO of Verismic.

“Small organizations are generally going to benefit from the end of Patch Tuesday, because patches are going to be released more frequently, which means bugs and security vulnerabilities are going to get fixed more frequently,” he told TechNewsWorld.

“For larger organizations, it creates a significant challenge,” Leonard continued. “The reason for that is that larger companies have a more mature patch process.”

When Microsoft releases software patches, large enterprises test those patches against the operating system images and applications they use, he explained. Then, after an appropriate period time, they’ll push the patches to the whole organization.

Read the full article at technewsworld.com

||

Don’t be fooled by June’s light Patch Tuesday updates

By News, Patch Management, Patch TuesdayNo Comments

This month’s baseline of updates may give a false sense of security as most of Microsoft’s updates are only ranked as Important, but of the six Important updates, half of them have a CVSS of 9.3, indicating these updates are actually very severe. But with so few updates in this month’s bulletin, the challenge of prioritizing these shouldn’t be as much of an issue compared to previous months.

[vc_single_image image=”5784″ img_size=”medium” alignment=”center”]

Whilst not specifically a Microsoft Bulletin, KB3035583 has been released in this patch update, which is a pre-requisite for the Windows 10 “self-updating” mechanism, which will enable a user to upgrade to Windows 10 for free. This, of course, poses a risk for any company that cannot control the release of this patch. Installing this particular patch by accident can lead to users downloading and installing an unsupported operating system – before the IT department gets a chance to test their builds are compatible.

Those of you with a hawk eye will have noticed there is a patch update missing – MS15-058. As we’ve seen in the past, this could be for a number of reasons such as the patch not being stable or ready for release. There’s the possibility that it could be a severe vulnerability that would require an out-of-band patch later in the month. Only time will tell as to why it’s missing. For the meantime, let’s take a look at each vulnerability in a little more detail.

Critical updates

There are only two Critical updates this month according to Microsoft, but as I mentioned above there are in fact a total of five bulletins that are ranked very high [9.3] by US-Cert using CVSS scoring. With that in mind, I certainly would make the first two updates of this month the first patches you install.

Similar to previous months, the first patch update is a cumulative update for Internet Explorer, fixing a total of 20 separate vulnerabilities. I’m sure it doesn’t come as a surprise that the most severe of these vulnerabilities could allow remote code execution – an attacker could take full control of a system, creating new user accounts with full admin rights. Patch MS15-056 first, ask questions later (well, once you’ve tested the patch before rolling it out).

Read the full article at itchannelexpert.com