MICROSOFT
If you do not have WSUS or a tool like ATERA to help you manage your patching efforts, it is critical that you read this. In reviewing the Microsoft patches (link at the bottom of the MICROSOFT section) released on Tuesday May 14th, 2017, the first large batch of critical patches released this year, there are some very risky vulnerabilities. If you depend on manual patching, then nine (9) are CRITICAL to apply if you have the associated MS products. There are many “Important” patches to review. Those responsible for Active Directory need to review “Important” MS17-019, which closes an ADFS vulnerability on all Windows Server 2008 and up; since it is in identity management, to me it is critical.
The nine Critical are:
MS17-003 Adobe Flash
MS17-005 Adobe Flash
MS17-006 Cumulative IE
MS17-007 Edge
MS17-008 Hyper-V
MS17-009 Windows PDF Online Viewing Support
MS17-010 ALL APPLICABLE WIN OS SMB VULNERABILITY
MS17-013 ALL APPLICABLE WIN OS/MS OFFICE 2010 and 2013, SILVERLIGHT, SKYPE 2016, LYNC 2010 and 2013 GRAPHICS VULNERABILITY
MS17-023 Adobe Flash
If you have these products, Security strongly recommends applying the requisite patches. Please review the remaining “Important” ones over the rest of March.
For more info:
https://technet.microsoft.com/en-us/library/security/mt745122.aspx
WORDPRESS
WordPress last week released security release 4.7.3, which does not appear to be as critical as 4.7.2 was. The six important fixes address:
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
Security recommends you upgrade to WordPress 4.7.3 this month.
For more info: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
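As an added example (not part of this bulletin or of WordPress itself), a small Python check that an administrator patching by hand can run against each WordPress install root to see whether it is still below 4.7.3. It reads the real wp-includes/version.php file; the sample file content and the install paths used here are constructed.

```python
import re
from pathlib import Path

# WordPress records its release in wp-includes/version.php as:
#   $wp_version = '4.7.2';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

# Minimum release recommended in the bulletin above.
RECOMMENDED = "4.7.3"


def parse_wp_version(version_php_text):
    """Return the release string from version.php content, or None if absent."""
    match = WP_VERSION_RE.search(version_php_text)
    return match.group(1) if match else None


def version_key(version):
    """Turn '4.7.3' or '4.8-beta1' into a comparable tuple.

    Numeric parts compare as integers; a pre-release suffix such as
    '-beta1' sorts below the final release carrying the same number.
    """
    base, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split(".") if part.isdigit())
    numbers += (0,) * (3 - len(numbers))  # '4.7' means 4.7.0
    return numbers + ((1,) if not suffix else (0, suffix))


def needs_upgrade(version, minimum=RECOMMENDED):
    """True when the installed release is older than the recommended one."""
    return version_key(version) < version_key(minimum)


def audit_install(root):
    """Classify one install root (assumed path) as 'ok', 'upgrade' or 'unknown'."""
    try:
        text = Path(root, "wp-includes", "version.php").read_text(errors="replace")
    except OSError:
        return "unknown"  # no version.php at that root, or unreadable
    version = parse_wp_version(text)
    if version is None:
        return "unknown"
    return "upgrade" if needs_upgrade(version) else "ok"


if __name__ == "__main__":
    # Constructed sample of a version.php from an install still on 4.7.2.
    sample = "<?php\n$wp_version = '4.7.2';\n"
    found = parse_wp_version(sample)
    print(found, "needs upgrade" if needs_upgrade(found) else "ok")
```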