Tag Archive for: patch

Patch Tuesday wrap-up, December 2014 – why “Important” can be Critical…

Adobe and Microsoft put forth their respective Patch Tuesday updates this week, bringing you their last scheduled patches of 2014. Paul Ducklin digs in…
Naked Security – Sophos

Patch Tuesday: 16 security advisories, 5 critical for Windows

Microsoft is issuing the largest number of monthly security advisories since June 2011, five of them critical and affecting all supported versions of Windows. And applying the patches will be time-consuming, experts say.

“Next week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,” says Russ Ernst, the director of product management for Lumension.

Network World Tim Greene

Drupal: If you weren’t quick to patch, assume your site was hacked

Users of Drupal, one of the most popular content management systems, should consider their sites compromised if they didn’t immediately apply a security patch released on Oct. 15.

The unusually alarming statement was part of a “public service announcement” issued by the Drupal project’s security team Wednesday.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection,” the Drupal security team said. “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.”

Network World Security

One week after patch, Flash vulnerability already exploited in large-scale attacks

If you haven’t updated your Flash Player with the fixes released on Oct. 14, you may be vulnerable to new attacks using a commercial exploit kit called Fiesta, security researchers warn.

The vulnerability, which is being tracked as CVE-2014-0569 in the Common Vulnerabilities and Exposures (CVE) database, was fixed in Flash Player updates last week.

The bundling of an exploit for CVE-2014-0569 in an attack tool that’s sold on underground markets is unusual, especially since the vulnerability was privately reported to Adobe through Hewlett-Packard’s Zero Day Initiative (ZDI) program, meaning its details should not be public.

Network World Security