The patches released by Microsoft for the August Patch Tuesday include nine bulletins (two critical and seven important) and cover 38 CVEs. Per Russ Ernst, director of product management at Lumension, IT’s first priority should be the critical, cumulative update for IE. MS14-051 includes 25 CVEs for all supported versions of the browser. All are privately disclosed with the exception of one, CVE-2014-2819, which was publicly disclosed just last week at Black Hat. It allows an attacker to bypass the application sandbox and elevate privilege but it must be combined with another remote code execution vulnerability to ultimately be successful.
If you feel like you are constantly patching IE – you are. A cumulative update for the browser is now the rule more so than the exception. To help users keep up, Microsoft announced last week that it will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, it will offer customers migration resources and upgrade guidance.
Also last week, Microsoft said it will push out a new feature in IE that blocks ActiveX controls, including old versions of Java. This is a great security win for the enterprise and IT should consider the creation of a group policy that blocks old versions of one of the bad guys’ favorite attack vectors. That is, of course, as long as your line of business apps are not tied to older versions.
IT staff, organization leaders, and the average citizen have all expressed levels of concern over the FCC about-face in regard to ISP privacy. Here’s what the security experts say. ... More >>
Executives at several top tech firms outline the skills they need now and in the near future, including IaaS and IoT security expertise. Other skills listed may surprise you. ... More >>
Security professionals are in demand right now, and entry-level security jobs generally fall into either an engineer or analyst role. Find out more about required skills and career paths. ... More >>