Rapid7 Blog

Patch Tuesday  

Patch Tuesday - September 2017

It's a big month, with Microsoft patching 85 separate vulnerabilities including the two Adobe Flash Player Remote Code Execution (RCE) fixes bundled with the Edge and Internet Explorer 11 updates. Continuing recent trends, the bulk of Critical RCE vulnerabilities are client-side, primarily in Edge, IE, and Office.

Microsoft has also released patches for today's branded public disclosure, "BlueBorne", which is a collection of vulnerabilities affecting the Bluetooth stacks from multiple vendors. The Microsoft-specific issue is CVE-2017-8628, a spoofing vulnerability that could allow a man-in-the-middle attack when in physical proximity to an affected system.

In terms of exploitability, CVE-2017-8759 (a flaw in the way the .NET framework processes untrusted input) is the most urgent, as it is known to already be exploited in the wild. Any attacker able to persuade a user to open a maliciously crafted document or application will be able to take control of affected systems with the same privileges as the user. Among the Office vulnerabilities, CVE-2017-8742, CVE-2017-8743, and CVE-2017-8744 are memory corruption vulnerabilities that could lead to RCE, which Microsoft has classified as being likely to be exploited.

Administrators should prioritize rolling out .NET fixes to workstations, then any relevant Windows 10 (which bundle Edge) and IE updates, followed by the Microsoft Office and system-level patches.

As usual, there are also server-side patches that need to be applied. SharePoint sees a fix for an XSS vulnerability (CVE-2017-8629) as well as for two RCE vulnerabilities that also apply to Office Online Server (CVE-2017-8631 and CVE-2017-8743). Exchange Server also gets some love with fixes for CVE-2017-11761 and CVE-2017-8758 (Information Disclosure and Privilege Escalation, respectively). Of course, standard Windows Server systems are also getting critical fixes, such as that for CVE-2017-0161, an RCE in NetBIOS Over TCP/IP (NetBT).

Patch Tuesday - August 2017

It was a busy month this month with a total of 48 security issues fixed. All of these have a severity of Critical or Important, with Remote Code Execution vulnerabilities again figuring highly, particularly for Microsoft Edge. There were also a few publicly disclosed vulnerabilities that were fixed, including CVE-2017-8633 (Privilege Escalation with Windows Error Reporting). None of the disclosed vulnerabilities have publicly known exploits as of writing. Another critical Adobe Flash Player RCE vulnerability has been fixed (ADV170010).

Also of note were a few revisions to CVE-2017-0071, CVE-2017-0228, and CVE-2017-0299 that will require the installation of July (CVE-2017-0071) and August (CVE-2017-0228 and CVE-2017-0299) patches to ensure you are fully protected.

We were waiting to see if Microsoft would release any patches for the recently disclosed SMBLoris vulnerability in this release, but they don't seem to have taken any action to fix it in this round of patches.

Finally, this is the first time we have seen vulnerabilities patched on the Linux subsystem under Windows. Since its introduction, it was only a matter of time: CVE-2017-8627 (DoS) and CVE-2017-8622 (Privilege Escalation) are the first of their kind.

Patch Tuesday - June 2017

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464).

Today's patches are so crucial that Microsoft has once again released fixes for end-of-life operating systems, citing "the elevated risk for destructive cyber attacks at this time," and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. They include fixes for MS17-013 (a Security Bulletin from April), as well as 21 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Further details are available in Microsoft's Security Advisory 4025685.

This month's updates aren't just about severity, but quantity as well, with 94 separate flaws being patched (compared to 66 last month, and 44 in April). This doesn't even include the nine critical Adobe Flash Player RCE vulnerabilities (see APSB17-17 for details) that are also being fixed today and are rated "Priority 1" (meaning there is a high risk of vulnerable systems being targeted in the wild).

Most of the vulnerabilities are for Windows, split evenly between desktop and server flavors. All of the Windows CVEs have a severity of Important or Critical, with the bulk of impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).

Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them all. In addition to various RCE vulnerabilities for SharePoint being patched, Microsoft has released a defense-in-depth update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that hardens the products without addressing specific vulnerabilities.

As usual, web technologies continue to provide additional attack surface. 16 issues with the Edge browser have been patched: 10 RCE, 3 information disclosure and 3 security feature bypass vulnerabilities. Internet Explorer sees 4 RCE and 2 information disclosure bugs being fixed. Last but not least, two critical RCE vulnerabilities in Silverlight have also been patched (CVE-2017-0283 and CVE-2017-8527, each of which also affects several other products).

Hopefully you don't have any obsolete operating systems in your environment. But if you do, be sure to apply this month's patches, as attackers often see end-of-life systems as low-hanging fruit, and exploits are already out there. Of course, this means supported systems are also at significant risk. Best get patching!

Patch Tuesday - May 2017

It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the weekend was also addressed late Monday evening. A flaw in the scanning engine used by various Microsoft anti-malware products could allow attackers to fully compromise a user's system simply by sending them a file as an email attachment or in an instant message, or by enticing them to visit a malicious web page.

This vulnerability is especially dangerous for two reasons. In most attacks, users need to be tricked into opening a file or visiting a web page, and even then the malware would generally run at their privilege level unless it's able to escalate. But because the engine runs as SYSTEM, the highest privilege level, it's game over for a compromised system; the attacker has full control. Additionally, because the engine may scan files in the background before the user even sees them, exploitation can occur without the typical prerequisite social engineering tactics. The only good news here is that Microsoft shipped the fix very quickly after being notified, and since it's being delivered as an anti-malware update as opposed to via Windows Update, most users should get the patch without having to take any action.

The fixes released as part of the regular Patch Tuesday updates continue some long-standing trends we've seen from Microsoft, with critical KBs for all supported operating systems addressing remote code execution (RCE) and privilege escalation vulnerabilities. Two separate RCE vulnerabilities in Office were also patched, one of which (CVE-2017-0261) is known to be exploited in the wild. The other Office vulnerability, CVE-2017-0281, is rated "Important" but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps, and Project Server 2013. Edge and Internet Explorer remain reliable attack surfaces with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (CVE-2017-0171) affecting all supported server operating systems.

Alongside today's updates Microsoft published Security Advisory 4010323 indicating that they've now fully deprecated SSL/TLS certificates that use SHA-1 due to known weaknesses in the algorithm. IE 11 and Edge will no longer load sites with such certificates, and will instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a Microsoft-trusted root); however, any such sites really should switch to SHA-2 based certificates as soon as possible.

Simple Vulnerability Remediation Collaboration with InsightVM

Many security groups today use ticketing systems that were originally designed for IT or developers, and are usually ill-suited to their vulnerability management needs. Even more commonly, teams simply rely on spreadsheets and unwieldy reports. On the other end of the spectrum, some security teams build a self-service workflow for their remediators and run into lack of user adoption – remediators just are not logging in to the security console. At Rapid7, we think there has got to be a better way, so we've built Remediation Workflow Ticketing.

What is "Remediation Workflow Ticketing?"

Remediation Workflow Ticketing is a way to connect your Remediation Workflow to the systems that remediators work in on a daily basis. We've built a capability that simply integrates remediation projects with Atlassian JIRA to make it easier and more efficient to collaborate with vulnerability remediation teams. Security, IT, DevOps, Development, and Engineering may keep using their existing systems and workflow. The Remediation Workflow Ticketing Integration is not a replacement, but rather a complement to the native Remediation Workflow projects. With this ticketing integration, users can enable the automated generation of tickets for only the Remediation Workflow projects they see fit, saving more and more time as new work is added and must be tracked. Here's how you can get started...

Easy setup and re-use of ticketing preferences

A brief setup wizard asks for the minimal amount of information necessary – no need for complicated, tedious mappings between it and your ticketing system. Creating ticketing preferences does not automatically create tickets. Users can feel confident that their remediators will not be flooded with tickets while also being able to re-use preferences across projects.

Users can designate the assignees of the tickets utilizing rules based on filters. The filter query language is the same as the one used today for Liveboard cards and Remediation Workflow Dynamic Projects. Tickets that meet the filter criteria will be assigned to the ticketing system user of your choice. Users can reuse these preferences, saving time and effort by no longer having to constantly remember and repeat assignment logic.

Deliver the right message to IT

Tickets generated by the Remediation Workflow integration are targeted, precise, and contain the solution, vulnerability and asset information. Security groups no longer have to spend valuable time deciphering, redacting, and translating long reports into actionable work items. With powerful templating options, users can decide how verbose or how terse to be with the security data (i.e. context) they share on the tickets with their remediators. This is helpful as security groups interface with and rely on multiple groups, each with its own way of working with security. Using remediation variables, users can be strategic about managing their remediation orchestrations.

Tracking progress

Users can quickly monitor the progress of their remediation by looking at the “Tickets” column in the list of projects. While viewing a specific project, users can quickly see if a ticketing connection exists and whether it's enabled. By inspecting further, users can access each individual ticket associated with a particular solution. In short, users enjoy the flexibility of taking quick temperature reads of remediation tickets overall and also viewing individual tickets in full detail.

How to get started

The Remediation Workflow Ticketing Integration is a flexible way to gain greater visibility and control into your organization's remediation efforts, both big and small. It extends and is also a great complement to the native capabilities of Remediation Workflow. Security teams are freed from user management overhead and remediators do not have to disrupt their existing workflows. Both teams benefit from having just the right amount of security context in their tickets.

Get started today by going to Remediation Workflow - Project lists page and clicking on “Add a Ticketing Connection.” Of course, you can also read more in our Help documentation for Remediation Workflow Ticketing Integration. If you are not a current customer of InsightVM, you can download a free 30-day trial and test drive this new capability as well.

Actionable Vulnerability Remediation Projects in InsightVM

Security practitioners and the remediating teams they collaborate with are increasingly asked to do more with less. They simply cannot remediate everything; it has never been more important to prioritize and drive remediations from start to finish. The Remediation Workflow capability in InsightVM was designed to drive more effective remediation efforts by allowing users to project manage efforts both large and small. Remediation Workflow is designed for security practitioners, with the aim of getting them from where they are today to where they envision their security programs to be in the future.

Vulnerability remediation can be a struggle

Let's say a security team wants a set of 10 vulnerabilities remediated across a set of 500 assets. This sounds simple, but in practice could entail months of effort across several remediation teams. There are many considerations:

- What's the most efficient way to eliminate 10 vulnerabilities across 500 assets?
- Which assets should be remediated first?
- The vulnerability is found across multiple OS's and platforms. As a remediator, how do I track down the solution that is applicable to the asset I am trying to fix?
- How do I get the right instructions to the right asset owners/administrators?

Addressing these questions through typical means, i.e. by vulnerability and by asset, means exposing the security team to theoretically 5,000 scenarios (10 vulnerabilities times 500 assets). This is most certainly an exaggeration, but doesn't the back and forth of remediation sometimes FEEL like there are 5,000 questions? We think there's a better way, and we've designed Remediation Projects to be driven by solutions, not vulnerabilities or assets.

Solutions drive vulnerability remediation

Solutions are the remediation steps to eliminate or mitigate a given vulnerability. A vulnerability may contain one or more solutions. Each solution may contain:

- The steps to perform the solution
- References to learn more about the solution or vulnerability
- Risk associated with the solution

Here's the key: A single solution can remediate multiple vulnerabilities. You just have to know which solutions are shared across vulnerabilities. If you knew that, you could determine which solutions to execute on which assets to take down the greatest risk. This is precisely what Remediation Projects are designed to do: take the mindless work out of finding the best solutions for the assets within scope.

Creating Actionable Projects

The objective of using a Remediation Project is to drive action in remediation. That's it. To that end, a project should be readily actionable by you and the project's assignees. What do we mean by actionable?

- The project should be able to be understood at a glance, without significant filtering, sorting or scrolling.
- The project should be attainable within a finite period of time.

With these principles in mind, we have a few thoughts on how to create projects for action.

Start with Dynamic Projects

We recommend creating dynamic projects first because the asset and vulnerability filters give you more visibility and control over the number of solutions that will populate the project.

Dynamic projects are very powerful and flexible. They provide elastic scoping based on real time criteria on assets and vulnerabilities. In other words, any assets or vulnerabilities that meet the dynamic project's criteria will be included in the scope of the project. Dynamic projects provide unprecedented ways to maintain oversight on a defined set of work and enable users to pivot quickly in the event there are spikes (numerous instances of a vulnerability found or an influx of matching assets enters the network).

- Any assets of a certain OS or platform family: Windows, Linux, servers, desktops, virtual hosts, etc.
- Any assets with vulnerabilities of a certain category: Critical, Exploitable, CVSS or Risk Scores over a certain threshold.
- Microsoft Patch Tuesday remediation tracking: Utilize the filter criteria such as vulnerability.title CONTAINS “msft-cve-2017” AND vulnerability.datePublished BETWEEN 03-01-2017 AND 04-01-2017.
- Mission-critical, legacy, or otherwise sensitive assets.
- Remediation response to 0-day.

Determine your use case

If you're seeking to drive vulnerability remediation efforts and monitor progress, then utilize the asset filters to help scope by asset ownership (owner tag or OS/Platform) and vulnerability filters to focus on remediations prioritized by risk, CVSS score, severity, category, exploitability, etc.

Projects are not just for assigning work. There are other uses for Remediation Workflow aside from delegating solutions to assigned remediators. Security Managers can utilize projects without assignees in order to ease ad-hoc and recurring reporting requests. Security Managers can define organization-wide project scopes and separate “sub” projects of increasingly smaller scope in order to have visibility into remediation progress quickly and without disturbing or disrupting remediators.

Is your aim more geared towards reporting and monitoring? If so, create a project with a due date and no assignees (unless they are required to aid in reporting).

Refine your project's scope

As a project owner, you can edit your dynamic project's scope at any time. Because some solutions can remediate multiple vulnerabilities, a high number of assets and a high number of vulnerabilities do not necessarily guarantee that a large number of solutions will result. However, scoping dynamic projects to a small number of assets and a narrow set of vulnerabilities will help yield a project with a manageable number of solutions. You can test results of the asset and vulnerability filters by hitting “Apply.”

If your aim is to project manage and drive vulnerability remediation efforts, a dynamic project that is not too broad in scope is best, in order to avoid solutions populating a project that are not really part of what you want to have actioned. Utilize the type-ahead behavior of the filters, as well as the Syntax Help/Query Dictionary (see below), in order to get a fuller sense of the filter criteria at your disposal.

- Vulnerability Exploitability
- Skill set required to exploit the vulnerability
- Asset tags (owner, custom, location)
- Asset OS (family, architecture, vendor)
- Asset risk score
- Vulnerability severity, CVSS score
- Vulnerability title contains a certain string
- Vulnerability publish date

How to Get Started

Remediation Workflow provides a powerful and flexible way to define, monitor, manage, and drive remediation efforts big and small throughout your organization. Remediations can be challenging. Remediation Workflow reduces friction between security and IT teams with its solution-centric approach that automatically incorporates solution, asset, and vulnerability data, empowering teams to get from start to remediated faster. Get started today by clicking on the Projects button in the left hand navigation menu, and if you need more details, you can find them in our Help documentation for Remediation Workflow.

Patch Tuesday - April 2017

This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 zero-day flaw in Office and WordPad, which could allow an attacker to run arbitrary code on a victim's system if they are able to successfully social engineer their target into opening or previewing a maliciously crafted document.

Microsoft has also already issued a fix for their new version of Windows 10 (1703, also known as the "Creators Update"), which was only made generally available today. It addresses several RCE and elevation of privilege vulnerabilities.

Data center admins can't rest easy, however. This month sees updates for all supported versions of Windows Server, with fixes across the board for RCE, privilege escalation, and denial of service (DoS) vulnerabilities.

Administrators should be aware that after today, Windows Vista will no longer be supported. Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day IIS exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.

It is also worth noting that information about this month's fixes is only available from Microsoft's Security Updates Guide. Instead of grouping related fixes under Security Bulletins such as MS16-XXX, their new system allows users to pivot on the vulnerability identifiers (CVEs) and KB article numbers. They also provide the ability to search and filter based on product, severity, and impact (e.g. RCE, DoS, etc.), which can help administrators prioritize how they roll out the updates. Please refer to this blog post for more details about how this affects Nexpose users.

Patch Tuesday - March 2017

Due in part to the delay of February's fixes, today's Patch Tuesday is a big one, comprising 18 bulletins split evenly between "Critical" and "Important" ratings. It's also significant as three of the bulletins (MS17-006, MS17-012, and MS17-013) contain fixes for vulnerabilities that were previously disclosed by external vendors and have exploit code publicly available. Administrators should prioritize these three updates before moving on to the remaining Critical and then Important ones.

CVE-2017-0037 is a particularly nasty one, allowing attackers to remotely execute arbitrary code if a user visits a malicious web page using Internet Explorer 11 (or potentially Edge). CVE-2017-0038 allows remote attackers to glean potentially sensitive information from process heap memory due to an EMF file handling defect. And CVE-2017-0016 is a denial of service vulnerability that can crash Windows when connecting to a malicious SMB share. Exploit code for it has been publicly available since at least February 1st.

The fact that Microsoft published security bulletins at all this month may come as a surprise to some, given that they announced their intention to transition away from the Security Bulletin model in favour of their Security Updates Guide after January's updates. February's out-of-band release of Adobe Flash Player fixes as MS17-005 hinted that they weren't quite done with the format, and the slew of bulletins issued this month confirms that it's not yet deprecated.

Even so, the Rapid7 vulnerability content team is pressing forward with our promised changes to the way we identify Microsoft vulnerabilities. Instead of being bulletin-centric (e.g. "MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)"), vulnerabilities will be broken down by CVE. For example, MS17-017 is split across four separate CVE identifiers:

- msft-cve-2017-0050: Microsoft CVE-2017-0050: Windows Kernel Elevation of Privilege Vulnerability
- msft-cve-2017-0101: Microsoft CVE-2017-0101: Windows Elevation of Privilege Vulnerability
- msft-cve-2017-0102: Microsoft CVE-2017-0102: Windows Elevation of Privilege Vulnerability
- msft-cve-2017-0103: Microsoft CVE-2017-0103: Windows Registry Elevation of Privilege Vulnerability

This provides a more accurate assessment of risk compared to the legacy approach, where a single bulletin could encompass many individual vulnerabilities. Indeed, across the 18 bulletins this month there are a total of 134 unique CVE identifiers.

One last piece of administrivia this month that security teams should be aware of: the security-only updates for Windows 7, Server 2008 R2, Windows 8.1, and Server 2012 R2 do not include security updates for Internet Explorer. This aligns with how Microsoft has traditionally shipped IE fixes, but is a change back from how they've done it over the past several months.

Happy patching!

February 2017 Patch Tuesday: Delayed

Earlier today Microsoft announced that they will be delaying this month's security updates due to finding a last-minute issue that could "impact some customers." This may be due to a glitch in their new process that they were not able to iron out in time for today's planned release.

We will be keeping an eye out for any updates and will, as always, provide timely coverage for the security vulnerabilities once they become public. There is no word yet of when that might be.

A Reminder About Upcoming Microsoft Vulnerability Content Changes

Update (February 14th): Microsoft has delayed the release of their February 2017 security updates due to a last-minute issue. As always, we will provide timely coverage for the vulnerabilities once Microsoft has published the updates.

Next Tuesday (February 14th) will mark a major change in how Microsoft issues their security updates. Since October 2003, on the second Tuesday of each month (plus occasional bonus out-of-band updates) Microsoft has published a number of Security Bulletins detailing fixes to vulnerabilities in their software products. System administrators and security professionals are well familiar with identifiers of the form MS14-060, where the first two digits after MS refer to the year the bulletin was published and the last three increment over the course of the year. Each of these bulletins could include several vulnerabilities and/or Knowledge Base article identifiers (KBs).

After last month's atypically small number of bulletins, MS17-004 is the last of this format. Microsoft has announced that their new single destination for security vulnerability information will be their Security Updates Guide (still in "preview" as of this writing). Instead of publishing bulletins to describe related vulnerabilities, the new Updates Guide breaks down fixes by CVE identifier, KB number, and product.

What This Means For Nexpose Users

Nexpose's existing Windows Hotfix vulnerability content uses Microsoft's bulletin numbers, for example, MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651). If you have any habits or workflows that assume identifiers or titles in this particular format (e.g. filtering by vulnerability title), they will not include Windows Hotfix content from this coming Patch Tuesday onward. The new format will be CVE-based, with identifiers of the form msft-cve-yyyy-nnnn. Legacy content will not be changed to reflect this new format. However, to take the above MS16-151 as an example, it would become two distinct vulnerabilities:

- Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability
- Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability

In case you are used to dealing with vulnerability IDs, these would be called msft-cve-2016-7259 and msft-cve-2016-7260 respectively.

Although this may take some getting used to, it will result in more accurate risk scores, as described in this blog post from when we introduced a similar change for Adobe, Debian and Ubuntu security advisories.

Check back next week after Microsoft issues February's updates; we will provide some more concrete examples of these changes, along with our standard analysis of the fixes.
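The effect of the title change described here and in the March 2017 post on saved title filters can be checked with a short script. This is an added example, not Rapid7 or Nexpose code: it parses the two title formats quoted in those posts and flags filters that match only bulletin-style titles. The saved filters, the case-insensitive substring matching, and the CVE-2017-11761 title are assumptions constructed for illustration.

```python
"""Audit title-based filters against the bulletin-to-CVE content change."""
import re

# Legacy title, e.g. "MS16-151: Security Update for ... (3205651)"
LEGACY_TITLE = re.compile(
    r"^MS(?P<yy>\d{2})-(?P<seq>\d{3}):\s*(?P<desc>.+?)(?:\s*\((?P<kb>\d+)\))?$")
# New title, e.g. "Microsoft CVE-2016-7259: Win32k Elevation of ..."
# CVE sequence numbers may have more than four digits (CVE-2017-11761).
CVE_TITLE = re.compile(
    r"^Microsoft CVE-(?P<year>\d{4})-(?P<num>\d{4,}):\s*(?P<desc>.+)$")


def classify_title(title):
    """Return the format of a vulnerability title plus its parsed fields."""
    title = title.strip()
    m = LEGACY_TITLE.match(title)
    if m:
        return {"format": "bulletin",
                "bulletin": "MS%s-%s" % (m.group("yy"), m.group("seq")),
                "kb": m.group("kb"),          # None when no KB suffix
                "description": m.group("desc")}
    m = CVE_TITLE.match(title)
    if m:
        cve = "CVE-%s-%s" % (m.group("year"), m.group("num"))
        return {"format": "cve",
                "cve": cve,
                "vuln_id": "msft-" + cve.lower(),  # msft-cve-yyyy-nnnn
                "description": m.group("desc")}
    return {"format": "other", "description": title}


def audit_filters(filters, titles):
    """Count, per filter, how many titles of each format it matches.

    A filter is treated as a case-insensitive substring (an assumption).
    'bulletin_only' marks filters that match legacy titles but none of
    the CVE-style ones, i.e. filters that would miss new content.
    """
    parsed = [(t, classify_title(t)["format"]) for t in titles]
    report = {}
    for needle in filters:
        hits = {"bulletin": 0, "cve": 0, "other": 0}
        for title, fmt in parsed:
            if needle.lower() in title.lower():
                hits[fmt] += 1
        hits["bulletin_only"] = hits["bulletin"] > 0 and hits["cve"] == 0
        report[needle] = hits
    return report


# Titles quoted in the posts, plus one constructed five-digit CVE title.
SAMPLE_TITLES = [
    "MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651)",
    "MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)",
    "Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability",
    "Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability",
    "Microsoft CVE-2017-0050: Windows Kernel Elevation of Privilege Vulnerability",
    "Microsoft CVE-2017-11761: Constructed Five-Digit Example",  # constructed
]

# Hypothetical saved filters a team might have built around title text.
SAVED_FILTERS = ["MS16-", "Security Update for",
                 "Elevation of Privilege", "CVE-2017"]

if __name__ == "__main__":
    for needle, hits in audit_filters(SAVED_FILTERS, SAMPLE_TITLES).items():
        status = "REVIEW" if hits["bulletin_only"] else "ok"
        print("%-24s bulletin=%d cve=%d  %s"
              % (needle, hits["bulletin"], hits["cve"], status))
```

Filters reported as REVIEW match bulletin-style titles only and need a CVE-based counterpart to keep covering Windows Hotfix content.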

Patch Tuesday, January 2017

Update: See below for an update for the upcoming February Patch Tuesday.

Microsoft starts off the year with 4 bulletins and continues a long running trend with their products where the majority of bulletins (2) are remote code execution (RCE) followed by an even distribution of elevation of privilege and denial of service. Missing from this month's list of affected products is Internet Explorer, which typically complements the Edge bulletin (MS17-002). All this month's critical bulletins are remote code execution vulnerabilities, affecting Adobe Flash Player, Microsoft Office, Microsoft Office Services and Web Apps, and Microsoft Windows.

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominately affect the consumer applications listed above. Unfortunately this leads to one of the single largest attack vectors, consumers.

This month Microsoft resolves 15 vulnerabilities across 4 bulletins. For both consumers and server users, MS17-002 and MS17-003 are the bulletins to watch out for, addressing 14 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, two vulnerabilities addressed by MS17-001 (CVE-2017-0002) and MS17-004 (CVE-2017-0004) are known to have been publicly disclosed.

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS17-002, MS17-003).

Please note that January marks the end of Microsoft's Security Bulletins as the tech giant transitions to their Security Update Guide instead of publishing bulletins to describe related vulnerabilities. This new portal provides security vulnerability information through an online database where users can filter, sort and search. Be advised that the current Security Update Guide is in preview; for further information refer to Microsoft's blog post on furthering their commitment to security updates.

- CVE-2017-0002 (MS17-001)
- CVE-2017-0003 (MS17-002)
- CVE-2017-2925 (MS17-003)
- CVE-2017-2926 (MS17-003)
- CVE-2017-2927 (MS17-003)
- CVE-2017-2928 (MS17-003)
- CVE-2017-2930 (MS17-003)
- CVE-2017-2931 (MS17-003)
- CVE-2017-2932 (MS17-003)
- CVE-2017-2933 (MS17-003)
- CVE-2017-2934 (MS17-003)
- CVE-2017-2935 (MS17-003)
- CVE-2017-2936 (MS17-003)
- CVE-2017-2937 (MS17-003)
- CVE-2017-0004 (MS17-004)

Update: Microsoft's Security Update Guide FAQ

This Patch Tuesday, February 14th, marks a change for the security community as Microsoft introduces a new portal to consume security updates about their products. For the past 12 years, Microsoft has published security bulletin webpages (e.g. MS16-118) that often referenced multiple vulnerabilities and KB article IDs. Microsoft has taken the opportunity to pivot to a new model focusing around vulnerability ID (CVE-2017-0004) and KB article ID numbers (KB2913602) in an attempt to ease access to security information, providing customers more flexibility. The tech giant is actively working with vendors whose tools rely on security bulletin pages in order to help them transition to their new portal. One point the FAQ does not address is if Microsoft intends to localize their new API.

Patch Tuesday, December 2016

December continues a long-running trend with Microsoft's products where the majority of bulletins (6) address remote code execution (RCE), followed by an even distribution of elevation of privilege (3) and information disclosure (3). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint as well as Windows (client and server).

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.

This month Microsoft resolves 59 vulnerabilities across 12 bulletins. For consumers, MS16-144, MS16-145, MS16-146, MS16-147 and MS16-154 are the bulletins to watch out for, addressing 36 vulnerabilities. For server users, MS16-146 and MS16-147 are the bulletins to watch out for, addressing 4 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, five vulnerabilities addressed by MS16-144 (CVE-2016-7202, CVE-2016-7281, CVE-2016-7282), MS16-145 (CVE-2016-7206, CVE-2016-7281, CVE-2016-7282) and MS16-155 (CVE-2016-7270) are known to have been publicly disclosed.

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, MS16-154).

CVE-2016-7278 (MS16-144)
CVE-2016-7202 (MS16-144)
CVE-2016-7279 (MS16-144, MS16-145)
CVE-2016-7281 (MS16-144, MS16-145)
CVE-2016-7282 (MS16-144, MS16-145)
CVE-2016-7283 (MS16-144)
CVE-2016-7284 (MS16-144)
CVE-2016-7287 (MS16-144, MS16-145)
CVE-2016-7181 (MS16-145)
CVE-2016-7206 (MS16-145)
CVE-2016-7280 (MS16-145)
CVE-2016-7286 (MS16-145)
CVE-2016-7288 (MS16-145)
CVE-2016-7296 (MS16-145)
CVE-2016-7297 (MS16-145)
CVE-2016-7257 (MS16-146, MS16-148)
CVE-2016-7272 (MS16-146)
CVE-2016-7273 (MS16-146)
CVE-2016-7274 (MS16-147)
CVE-2016-7262 (MS16-148)
CVE-2016-7264 (MS16-148)
CVE-2016-7265 (MS16-148)
CVE-2016-7266 (MS16-148)
CVE-2016-7267 (MS16-148)
CVE-2016-7268 (MS16-148)
CVE-2016-7275 (MS16-148)
CVE-2016-7276 (MS16-148)
CVE-2016-7277 (MS16-148)
CVE-2016-7289 (MS16-148)
CVE-2016-7290 (MS16-148)
CVE-2016-7291 (MS16-148)
CVE-2016-7298 (MS16-148)
CVE-2016-7263 (MS16-148)
CVE-2016-7300 (MS16-148)
CVE-2016-7219 (MS16-149)
CVE-2016-7292 (MS16-149)
CVE-2016-7271 (MS16-150)
CVE-2016-7259 (MS16-151)
CVE-2016-7260 (MS16-151)
CVE-2016-7258 (MS16-152)
CVE-2016-7295 (MS16-153)
CVE-2016-7867 (MS16-154)
CVE-2016-7868 (MS16-154)
CVE-2016-7869 (MS16-154)
CVE-2016-7870 (MS16-154)
CVE-2016-7871 (MS16-154)
CVE-2016-7872 (MS16-154)
CVE-2016-7873 (MS16-154)
CVE-2016-7874 (MS16-154)
CVE-2016-7875 (MS16-154)
CVE-2016-7876 (MS16-154)
CVE-2016-7877 (MS16-154)
CVE-2016-7878 (MS16-154)
CVE-2016-7879 (MS16-154)
CVE-2016-7880 (MS16-154)
CVE-2016-7881 (MS16-154)
CVE-2016-7890 (MS16-154)
CVE-2016-7892 (MS16-154)
CVE-2016-7270 (MS16-155)

Patch Tuesday, November 2016

November continues a long-running trend with Microsoft's products where the majority of bulletins (7) address remote code execution (RCE), closely followed by elevation of privilege (6) and security feature bypass (1). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint as well as Windows (client and server).

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers. These types of vulnerabilities are difficult to distinguish as they typically lure users to visit or open an e-mail, webpage or multimedia file that makes use of specially crafted content. In the worst case, upon viewing this content, a bad actor has the ability to execute malicious code and take complete control of an affected system with the same privileges as the user; this is known as remote code execution.

This month Microsoft resolves 77 vulnerabilities across 14 bulletins. For consumers, MS16-129, MS16-130, MS16-131, MS16-141 and MS16-142 are the bulletins to watch out for, addressing 30 vulnerabilities. For server users, MS16-130, MS16-132, MS16-135 and MS16-141 are the bulletins to watch out for, addressing 21 vulnerabilities. Unfortunately, at this time two vulnerabilities addressed by MS16-132 (CVE-2016-7256) and MS16-135 (CVE-2016-7255) are known to have been exploited in the wild. Additionally, four vulnerabilities addressed by MS16-129 (CVE-2016-7199, CVE-2016-7209), MS16-135 (CVE-2016-7255) and MS16-142 (CVE-2016-7199) are known to have been publicly disclosed.

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-129, MS16-130, MS16-131, MS16-132, MS16-141 and MS16-142).

CVE-2016-7195 (MS16-129, MS16-142)
CVE-2016-7196 (MS16-129, MS16-142)
CVE-2016-7198 (MS16-129, MS16-142)
CVE-2016-7199 (MS16-129, MS16-142)
CVE-2016-7200 (MS16-129)
CVE-2016-7201 (MS16-129)
CVE-2016-7202 (MS16-129)
CVE-2016-7203 (MS16-129)
CVE-2016-7204 (MS16-129)
CVE-2016-7208 (MS16-129)
CVE-2016-7209 (MS16-129)
CVE-2016-7227 (MS16-129, MS16-142)
CVE-2016-7239 (MS16-129, MS16-142)
CVE-2016-7240 (MS16-129)
CVE-2016-7241 (MS16-129, MS16-142)
CVE-2016-7242 (MS16-129)
CVE-2016-7243 (MS16-129)
CVE-2016-7221 (MS16-130)
CVE-2016-7222 (MS16-130)
CVE-2016-7212 (MS16-130)
CVE-2016-7248 (MS16-131)
CVE-2016-7210 (MS16-132)
CVE-2016-7205 (MS16-132)
CVE-2016-7217 (MS16-132)
CVE-2016-7256 (MS16-132)
CVE-2016-7213 (MS16-133)
CVE-2016-7228 (MS16-133)
CVE-2016-7229 (MS16-133)
CVE-2016-7230 (MS16-133)
CVE-2016-7231 (MS16-133)
CVE-2016-7232 (MS16-133)
CVE-2016-7233 (MS16-133)
CVE-2016-7234 (MS16-133)
CVE-2016-7235 (MS16-133)
CVE-2016-7236 (MS16-133)
CVE-2016-7244 (MS16-133)
CVE-2016-7245 (MS16-133)
CVE-2016-0026 (MS16-134)
CVE-2016-3332 (MS16-134)
CVE-2016-3333 (MS16-134)
CVE-2016-3334 (MS16-134)
CVE-2016-3335 (MS16-134)
CVE-2016-3338 (MS16-134)
CVE-2016-3340 (MS16-134)
CVE-2016-3342 (MS16-134)
CVE-2016-3343 (MS16-134)
CVE-2016-7784 (MS16-134)
CVE-2016-7184 (MS16-134)
CVE-2016-7214 (MS16-135)
CVE-2016-7215 (MS16-135)
CVE-2016-7218 (MS16-135)
CVE-2016-7246 (MS16-135)
CVE-2016-7255 (MS16-135)
CVE-2016-7249 (MS16-136)
CVE-2016-7250 (MS16-136)
CVE-2016-7254 (MS16-136)
CVE-2016-7251 (MS16-136)
CVE-2016-7252 (MS16-136)
CVE-2016-7253 (MS16-136)
CVE-2016-7220 (MS16-137)
CVE-2016-7237 (MS16-137)
CVE-2016-7238 (MS16-137)
CVE-2016-7223 (MS16-138)
CVE-2016-7224 (MS16-138)
CVE-2016-7225 (MS16-138)
CVE-2016-7226 (MS16-138)
CVE-2016-7216 (MS16-139)
CVE-2016-7247 (MS16-140)
CVE-2016-7857 (MS16-141)
CVE-2016-7858 (MS16-141)
CVE-2016-7859 (MS16-141)
CVE-2016-7860 (MS16-141)
CVE-2016-7861 (MS16-141)
CVE-2016-7862 (MS16-141)
CVE-2016-7863 (MS16-141)
CVE-2016-7864 (MS16-141)
CVE-2016-7865 (MS16-141)

Patch Tuesday, October 2016

October continues a long-running trend with Microsoft's products where the majority of bulletins (6) address remote code execution (RCE), followed by elevation of privilege (3) and information disclosure (1). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint as well as Windows (client and server).

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.

This month Microsoft resolves 49 vulnerabilities across 10 bulletins. For consumers, MS16-118, MS16-119, MS16-120, MS16-121 and MS16-127 are the bulletins to watch out for, addressing 38 vulnerabilities. For server users, no particular bulletin draws immediate attention, enabling the majority of server admins to roll out patches at a fairly leisurely pace. Unfortunately, at this time 4 vulnerabilities addressed by MS16-118 (CVE-2016-3298), MS16-119 (CVE-2016-7189), MS16-120 (CVE-2016-3393), MS16-121 (CVE-2016-7193), MS16-126 (CVE-2016-3298) are known to have been exploited in the wild.

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-118, MS16-119, MS16-120, MS16-122 and MS16-127).

CVE-2016-3298 (MS16-118, MS16-126)
CVE-2016-3267 (MS16-118, MS16-119)
CVE-2016-3331 (MS16-118, MS16-119)
CVE-2016-3382 (MS16-118, MS16-119)
CVE-2016-3383 (MS16-118)
CVE-2016-3384 (MS16-118)
CVE-2016-3385 (MS16-118)
CVE-2016-3387 (MS16-118, MS16-119)
CVE-2016-3388 (MS16-118, MS16-119)
CVE-2016-3390 (MS16-118, MS16-119)
CVE-2016-3391 (MS16-118, MS16-119)
CVE-2016-3386 (MS16-119)
CVE-2016-3389 (MS16-119)
CVE-2016-3392 (MS16-119)
CVE-2016-7189 (MS16-119)
CVE-2016-7190 (MS16-119)
CVE-2016-7194 (MS16-119)
CVE-2016-3209 (MS16-120)
CVE-2016-3262 (MS16-120)
CVE-2016-3263 (MS16-120)
CVE-2016-3270 (MS16-120)
CVE-2016-3393 (MS16-120)
CVE-2016-3396 (MS16-120)
CVE-2016-7182 (MS16-120)
CVE-2016-7193 (MS16-121)
CVE-2016-0142 (MS16-122)
CVE-2016-3266 (MS16-123)
CVE-2016-3341 (MS16-123)
CVE-2016-3376 (MS16-123)
CVE-2016-7185 (MS16-123)
CVE-2016-7191 (MS16-123)
CVE-2016-0070 (MS16-124)
CVE-2016-0073 (MS16-124)
CVE-2016-0075 (MS16-124)
CVE-2016-0079 (MS16-124)
CVE-2016-7188 (MS16-125)
CVE-2016-4273 (MS16-127)
CVE-2016-4286 (MS16-127)
CVE-2016-6981 (MS16-127)
CVE-2016-6982 (MS16-127)
CVE-2016-6983 (MS16-127)
CVE-2016-6984 (MS16-127)
CVE-2016-6985 (MS16-127)
CVE-2016-6986 (MS16-127)
CVE-2016-6987 (MS16-127)
CVE-2016-6989 (MS16-127)
CVE-2016-6990 (MS16-127)
CVE-2016-6991 (MS16-127)
CVE-2016-6992 (MS16-127)

Patch Tuesday, September 2016

September continues a long-running trend with Microsoft's products where the majority of bulletins (10) address remote code execution (RCE), followed by elevation of privilege (2) and information disclosure (2). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint as well as Windows (client and server).

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.

This month Microsoft resolves 94 vulnerabilities across 14 bulletins. For consumers, MS16-104, MS16-105, MS16-106, MS16-107, MS16-115 and MS16-117 are the bulletins to watch out for, addressing 60 vulnerabilities. For server users, MS16-108 is the bulletin to watch out for, addressing 21 vulnerabilities. As pointed out by todb, Senior Research Manager at Rapid7, “This update is of particular interest because it patches eleven remote code execution bugs in Oracle Outside In, a rather massive file format parsing library that ships with Exchange and is responsible for parsing a wide variety of file types…  it looks like the Exchange server itself can be compromised merely by e-mailing the target organization a maliciously crafted file.” Unfortunately, at this time one vulnerability addressed by MS16-104 (CVE-2016-3551) is known to have been exploited in the wild.

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-104, MS16-105, MS16-106, MS16-107, MS16-108, MS16-116, MS16-117).

CVE-2016-3375 (MS16-104, MS16-116)
CVE-2016-3247 (MS16-104, MS16-105)
CVE-2016-3291 (MS16-104, MS16-105)
CVE-2016-3292 (MS16-104)
CVE-2016-3295 (MS16-104, MS16-105)
CVE-2016-3297 (MS16-104, MS16-105)
CVE-2016-3324 (MS16-104)
CVE-2016-3325 (MS16-104, MS16-105)
CVE-2016-3351 (MS16-104, MS16-105)
CVE-2016-3353 (MS16-104)
CVE-2016-3294 (MS16-105)
CVE-2016-3330 (MS16-105)
CVE-2016-3350 (MS16-105)
CVE-2016-3370 (MS16-105, MS16-115)
CVE-2016-3374 (MS16-105, MS16-115)
CVE-2016-3377 (MS16-105)
CVE-2016-3348 (MS16-106)
CVE-2016-3349 (MS16-106)
CVE-2016-3354 (MS16-106)
CVE-2016-3355 (MS16-106)
CVE-2016-3356 (MS16-106)
CVE-2016-0137 (MS16-107)
CVE-2016-0141 (MS16-107)
CVE-2016-3357 (MS16-107)
CVE-2016-3358 (MS16-107)
CVE-2016-3359 (MS16-107)
CVE-2016-3360 (MS16-107)
CVE-2016-3361 (MS16-107)
CVE-2016-3362 (MS16-107)
CVE-2016-3363 (MS16-107)
CVE-2016-3364 (MS16-107)
CVE-2016-3365 (MS16-107)
CVE-2016-3366 (MS16-107)
CVE-2016-3381 (MS16-107)
CVE-2016-0138 (MS16-108)
CVE-2016-3378 (MS16-108)
CVE-2016-3379 (MS16-108)
CVE-2016-3575 (MS16-108)
CVE-2016-3581 (MS16-108)
CVE-2016-3582 (MS16-108)
CVE-2016-3583 (MS16-108)
CVE-2016-3595 (MS16-108)
CVE-2016-3594 (MS16-108)
CVE-2015-6014 (MS16-108)
CVE-2016-3593 (MS16-108)
CVE-2016-3592 (MS16-108)
CVE-2016-3596 (MS16-108)
CVE-2016-3591 (MS16-108)
CVE-2016-3574 (MS16-108)
CVE-2016-3576 (MS16-108)
CVE-2016-3577 (MS16-108)
CVE-2016-3578 (MS16-108)
CVE-2016-3579 (MS16-108)
CVE-2016-3580 (MS16-108)
CVE-2016-3590 (MS16-108)
CVE-2016-3367 (MS16-109)
CVE-2016-3346 (MS16-110)
CVE-2016-3352 (MS16-110)
CVE-2016-3368 (MS16-110)
CVE-2016-3369 (MS16-110)
CVE-2016-3305 (MS16-111)
CVE-2016-3306 (MS16-111)
CVE-2016-3371 (MS16-111)
CVE-2016-3372 (MS16-111)
CVE-2016-3373 (MS16-111)
CVE-2016-3302 (MS16-112)
CVE-2016-3344 (MS16-113)
CVE-2016-3345 (MS16-114)
CVE-2016-4271 (MS16-117)
CVE-2016-4272 (MS16-117)
CVE-2016-4274 (MS16-117)
CVE-2016-4275 (MS16-117)
CVE-2016-4276 (MS16-117)
CVE-2016-4277 (MS16-117)
CVE-2016-4278 (MS16-117)
CVE-2016-4279 (MS16-117)
CVE-2016-4280 (MS16-117)
CVE-2016-4281 (MS16-117)
CVE-2016-4282 (MS16-117)
CVE-2016-4283 (MS16-117)
CVE-2016-4284 (MS16-117)
CVE-2016-4285 (MS16-117)
CVE-2016-4287 (MS16-117)
CVE-2016-6921 (MS16-117)
CVE-2016-6922 (MS16-117)
CVE-2016-6923 (MS16-117)
CVE-2016-6924 (MS16-117)
CVE-2016-6925 (MS16-117)
CVE-2016-6926 (MS16-117)
CVE-2016-6927 (MS16-117)
CVE-2016-6929 (MS16-117)
CVE-2016-6930 (MS16-117)
CVE-2016-6931 (MS16-117)
CVE-2016-6932 (MS16-117)
