Quick Cookie Notification

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.


View Cookie Policy for full details

Rapid7 Blog

Greg Wiseman  

AUTHOR STATS:

31

Patch Tuesday - December 2017

No big surprises from Microsoft this month, with 70% of the 34 vulnerabilities addressed being web browser defects. Most of these are Critical Remote Code Execution (RCE) vulnerabilities, so administrators should prioritize patching client workstations. It doesn't take sophisticated social engineering tactics to convince most…

Patch Tuesday - November 2017

Web browser issues account for two thirds of this month's patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are classified as Critical (allowing code execution without user interaction). This is no surprise, as browser bugs are…

Patch Tuesday - September 2017

It's a big month, with Microsoft patching 85 separate vulnerabilities including the two Adobe Flash Player Remote Code Execution (RCE) fixes bundled with the Edge and Internet Explorer 11 updates. Continuing recent trends, the bulk of Critical RCE vulnerabilities are client-side, primarily in Edge, IE,…

Patch Tuesday - July 2017

Most of the critical vulnerabilities patched this month concern client-side systems, with 14 separate Remote Code Execution (RCE) issues being addressed for the Microsoft Edge browser and five for Internet Explorer. One of the three Adobe Flash Player vulnerabilities being patched is also a critical…

Patch Tuesday - June 2017

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). Today's patches are so crucial that Microsoft has once…

Patch Tuesday - May 2017

It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the…

Patch Tuesday - April 2017

This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 zero-day flaw in Office and WordPad, which could allow an…

Patch Tuesday - March 2017

Due in part to the delay of February's fixes, today's Patch Tuesday is a big one, comprising 18 bulletins split evenly between "Critical" and "Important" ratings. It's also significant as three of the bulletins (MS17-006, MS17-012, and MS17-013) contain fixes for…

February 2017 Patch Tuesday: Delayed

Earlier today Microsoft announced that they will be delaying this month's security updates due to finding a last-minute issue that could "impact some customers." This may be due to a glitch in their new process that they were not able to iron out in time…

A Reminder About Upcoming Microsoft Vulnerability Content Changes

Update (February 14th): Microsoft has delayed the release of their February 2017 security updates due to a last-minute issue. As always, we will provide timely coverage for the vulnerabilities once Microsoft has published the updates.Next Tuesday (February 14th) will mark a major change in…

Nexpose OS Fingerprinting Feedback

Have you ever run a Nexpose scan and had the wrong operating system identified for an asset? Perhaps the incorrect TCP/IP stack fingerprint was used, or you scanned an embedded device we haven't seen before. The March 9th release of Nexpose (6.1.14)…

TLS Coverage Improvements in Nexpose 6.0.2

Over the last couple of years, some of the most serious and widely publicized vulnerabilities have been related to the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL). Because TLS is so fundamental to keeping network communications secure, new flaws that…

Apple Releases Patch for Shellshock, May Still Be Vulnerable

Yesterday, Apple released security updates that address two of the "Shellshock" bash vulnerabilities: CVE-2014-6271 and CVE-2014-7169. At the time of writing, the updates are not available using Software Update on OS X. Instead, users should download the package directly from Apple's web site to install…

Oracular Spectacular

Nexpose version 5.9.10 includes significant improvements to its Oracle Database fingerprinting and vulnerability coverage. When configured with appropriate database credentials, Nexpose scans can accurately identify which patches have been applied. This post will go through the steps for setting up such a scan,…