Security News for January 2016

Microsoft releases a monthly set of security bulletins that address security vulnerabilities in its products. The first Patch Tuesday of the year was released on January 12, 2016, and it contained nine bulletins covering 25 vulnerabilities. Bulletins MS16-001 through MS16-006 were rated critical, and these pertain to Internet Explorer (IE) and Edge respectively.

MS16-001 is the IE bulletin for IE versions 7 to 11, and it addresses two vulnerabilities: a use-after-free flaw (CVE-2016-2002) and a privilege escalation flaw (CVE-2016-0005). The first is a VBScript engine vulnerability, which the bulletin addresses for systems that have IE 8 to 11. Those who have IE 7 or earlier versions, or who do not have IE installed, need to install MS16-003 to patch the vulnerability.

A noteworthy aspect of January 2016's IE advisory is that Microsoft had announced in August 2014 the end of life for Internet Explorer versions older than IE 11, to take effect upon this advisory's release. Hence, this was the final bulletin for the affected versions. After January 12, only the most recent version of IE for each supported operating system will receive security updates and technical support.

Apart from Microsoft, other companies have released critical security patches for the first quarter of 2016. Oracle, the company responsible for Java, released a critical patch update that contained 248 new security fixes to address multiple security vulnerabilities across different product families such as Java SE, Oracle Database, and Oracle E-Business Suite. For Java SE, Oracle strongly recommended that home users visit the java.com website to make sure that they are running the most recent version. Moreover, they are advised to uninstall obsolete Java SE versions that are no longer needed.

Adobe released APSB16-02 (the security bulletin for Acrobat and Reader) on January 12 to address critical vulnerabilities through which a remote attacker may execute arbitrary code by convincing users to open a certain PDF file, or may cause Acrobat and Reader to terminate.

It is important to update to the latest versions of critical applications to protect your business or organization and its assets. On January 22, 2016, the University of Virginia notified some employees about illegal access to personally identifiable information, following a notice from the FBI. Suspects are already in custody. Another incident concerning users of OpenSSL prompted users to upgrade immediately to prevent attackers from exploiting and decrypting web traffic. Also, the global restaurant chain Wendy's has started investigating a suspected data breach related to debit and credit cards that were used at some of its branches, based on recent alerts on fraud patterns.

 

About the Author:

Mike Rana is the Chief Technology Advisor of Orion Network Solutions. Orion Network Solutions specializes in providing Computer Installation, Maintenance, and Consulting services along with 24×7 help desk services for small and midsize companies. We provide network solutions that enable small businesses to not only lower their management cost but also increase employee productivity at the same low price. We offer a network solution that becomes an integral part of your organization and can provide an increase in productivity of your organization.