Since mid-October, several major software vendors have released a number of security announcements and updates, most of them serious or outward critical. Let\u2019s take a look at them, as most of the updated products are firmly nested in business networks.<\/p>\n
Critical roundup: important patches from major vendors #protectmybiz<\/p>Tweet<\/a><\/blockquote>\n
Microsoft<\/strong><\/p>\n
Microsoft released six security bulletins on October 13, of which three were marked \u201ccritical\u201d. But, as Threatpost wrote, the real news was the deprecation of the outdated RC4 encryption algorithm in Windows 10.<\/p>\n
Windows 10 is a new system and, as usual, it\u2019s being fine-tuned \u2013 the process will take some extra time, most likely. Moving away from RC4 is, however, a very timely move.<\/p>\n
RC4 is a stream cipher known for its simplicity and speed. Unfortunately it was found vulnerable, so the industry gradually moved away from it. Microsoft has previously deprecated it in .NET, and now in Windows 10, too.<\/p>\n
The advisory also updated the default transport encryption in Windows to TLS 1.2.<\/p>\n
As for critical updates, they included the \u201cubiquitous\u201d Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and Jscript engines in Windows. For details please visit Threatpost<\/a>.<\/p>\n
Apple<\/strong><\/p>\n
Apple has also patched a batch of vulnerabilities in its software, including Keynote, Pages, Numbers, and iWork.<\/p>\n
The most serious flaw allowed an attacker to execute code on a compromised OS X computer running Yosemite 10.10.4 or later, or iOS 8.4 or later on mobile devices.<\/p>\n
Input validation and memory corruption errors in the aforementioned software also allowed attackers to run an arbitrary code or steal data. Detailed information is available here<\/a>.<\/p>\n
Adobe<\/strong><\/p>\n
Adobe released an urgent, emergency, red alert patch for a Flash zero day vulnerability a week earlier than the company had originally planned.<\/p>\n
The zeroday known as CVE-2015-7645<\/a> was exploited, albeit in a limited fashion, in the wild.<\/p>\n
\u201cThe flaw, a type confusion vulnerability, has been tied to attacks carried out by a Russian-speaking APT group operating under the guise of Pawn Storm, or APT 28. Type confusion vulnerabilities occur when code doesn\u2019t verify the type of object that\u2019s passed to it, and uses it without type-checking\u201d, Threatpost wrote.<\/p>\n
CVE-2015-7645 exploits have been used in spearphishing emails.<\/p>\n
Adobe\u2019s patch also addressed two other type confusion vulnerabilities: CVE-2015-7647 and CVE-2015-7648. Details are available here<\/a>.<\/p>\n
Oracle<\/strong><\/p>\n
Oracle is probably October\u2019s number one fix regarding the amount of patched flaws: 154 vulnerabilities in 54 different products were fixed last week, as part of its Critical Patch Update.<\/p>\n
84 patches addressed vulnerabilities that Oracle claimed might be remotely exploitable without authentication.<\/p>\n
24 of the vulnerabilities were patched in Java SE, of which seven were marked as high severity. Oracle warned if the bugs were exploited under the right conditions it could result in a full compromise of the targeted system.<\/p>\n
There are also severe bugs in Oracle Fusion Middleware and Oracle Database, as well as Siebel, Pillar Axiom, Applications for Work and Asset Management. Many are \u201cdefinitely\u201d remotely exploitale without authentication, although actual exploits hasn\u2019t been spotted in the wild by Oracle at the time of the patches release.<\/p>\n
Details are available here<\/a>.<\/p>\n
We assume, all of these patches had been installed? #protectmybiz<\/p>Tweet<\/a><\/blockquote>\n
WordPress<\/strong><\/p>\n
Akismet, an antispam plugin critical for WordPress, has been updated in order to fix a serious cross-site scripting error.<\/p>\n
It was exploitable via the comment section on sites running versions of the Akismet plugin after 2.5.0 and allowed for injection of malicious scripts into the comment section of the admin panel. This could in theory lead to a full site compromise, although Akismet was technically already blocking attempts during the comment-check API call.<\/p>\n
No exploits in the wild so far, and WordPress plugin developers have pushed an automatic update for any sites running the vulnerable versions to auto update plugins last\u00a0week.<\/p>\n
Earlier in October, yet another XSS error in WordPress was\u00a0fixed<\/a>.<\/p>\n