Newsletter Archives

• Understanding CVE

  Posted on January 27, 2025 at 02:21 CST by Susan Bradley • Comment in the Forums

  PATCH WATCH

  

  By Susan Bradley

  Vendors track issues using the Common Vulnerabilities and Exposures (CVE) database.

  Maintenance of the database is handled by the MITRE Corporation under the sponsorship of the Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security. It has been operating since 1999. In 2021, MITRE launched a new website with the domain cve.org and with new features and capabilities.

  Read the full story in our Plus Newsletter (22.04.0, 2025-01-27).

  Patch Watch CISA, CVE, CVE-2025-21309, Documentation, Newsletters, Outlook, Outlook (classic), Outlook (new), Patch Lady Posts, Windows Mail

• Microsoft’s Malware Protection Engine Vulnerable

  Posted on December 7, 2017 at 02:23 CST by Kirsty • Comment in the Forums

  Gunter Born has posted a new topic here on a vulnerability in Defender & Security Essentials:

  I received this night (Germany) a notification from Microsoft about a critical vulnerability in Microsoft’s Malware Protection Engine (CVE-2017-11937). All Windows versions using either Defender or Microsoft Security Essentials or Forefront are affected. But there are no updates available – and the link within Microsoft’s Update Catalog are broken.

  He is calling for information and insights. Can you help?

  Check it out here:
  Critical vulnerability in Microsoft’s Malware Protection Engine (CVE-2017-11937)

  UPDATE:

  Defender and MSE are updating itself – and it seems that yesterday the Security module has been updated.

  Windows Patches/Security CVE, CVE-2017-11937, Forefront, Microsoft Security Essentials, Vulnerability, Windows Defender

• Is Wi-Fi security irretrievably broken?

  Posted on October 15, 2017 at 19:45 CDT by woody • Comment in the Forums

  There’s a lot of buzz this weekend about a flaw that’s purported to break security on most Wi-Fi connections, allowing an eavesdropper to snoop or use the connection without permission.

  Said to involve CVE-2017-13077, 13078, 13079, 13080, 13081, 13082, 13084, 13086, 13087, 13088, when they’re posted.

  See this thread from @campuscodi and be watching Bleepingcomputer tomorrow for details.

  Security CVE, Vulnerability, Wi-Fi, WPA2, WPS

• Microsoft Edge has inherited many of Internet Explorer’s security holes

  Posted on December 9, 2015 at 11:47 CST by woody • Comment in the Forums

  Looking at recent patch lists for IE and Edge has me wondering how many of IE’s warts will continue to haunt us

  InfoWorld Woody on Windows

  Windows Patches/Security CVE, Edge, Internet Explorer

• Ten bulletins, 31 patches, a million potential problems

  Posted on June 10, 2009 at 07:06 CDT by woody • Comment in the Forums

  There’s a huge crop of patches waiting for you, covering 31 separate vulnerabilities, and I dunno-how-many different downloads.

  As usual, the best overview is at the SANS Internet Storm Center.

  Bottom line (tell me if you’ve heard this one before): don’t use Internet Explorer. Apparently none of the bad problems (except the ones in IE) have exploits that you need to worry about. Don’t apply any patches until the screams have subsided.

  We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  Oh. Don’t forget to patch Acrobat Reader, if you have it. Adobe just fixed 13 security holes in Reader. You could take advantage of the unease you’re feeling right now and install Foxit reader, which works just fine most of the time and has a significantly better track record for fixing security holes.

  An interesting note: several of you have asked how Microsoft and industry pundits count the number of bugs: Gregg Keizer at ComputerWorld reports, for example, that this monster set of patches fixes 31 security holes – a record, by his estimation. Brian Krebs at the Washington Post echoes the statement. Brian credits Symantec.

  All of these people are counting the number of CVEs that Microsoft claims to fix in the security bulletins. CVEs are “Common Vulnerabilities and Exposures” listed and maintained by the MITRE organization, which is an independent non-profit originally associated with MIT. Each CVE number corresponds to one or more identified security holes. While the CVE count is a better indicator of how many holes have been patched than the number of security bulletins, it frequently doesn’t differentiate between different versions of programs, and other subtleties.

  Windows Patches/Security Adobe Acrobat Reader, CVE, Foxit, June 2009 Black Tuesday, MITRE