The patches released by Microsoft for the August Patch Tuesday include nine bulletins (two critical and seven important) and cover 38 CVEs. Per Russ Ernst, director of product management at Lumension, IT’s first priority should be the critical, cumulative update for IE. MS14-051 includes 25 CVEs for all supported versions of the browser. All were privately disclosed with the exception of one, CVE-2014-2819, which was publicly disclosed just last week at Black Hat. It allows an attacker to bypass the application sandbox and elevate privilege, but it must be combined with a remote code execution vulnerability to ultimately be successful.
If you feel like you are constantly patching IE – you are. A cumulative update for the browser is now the rule rather than the exception. To help users keep up, Microsoft announced last week that it will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, it will offer customers migration resources and upgrade guidance.
Also last week, Microsoft said it will push out a new feature in IE that blocks ActiveX controls, including old versions of Java. This is a great security win for the enterprise, and IT should consider creating a group policy that blocks old versions of one of the bad guys’ favorite attack vectors. That is, of course, as long as your line-of-business apps are not tied to older versions.