(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Agora-Project Multiple Cross Site Scripting Vulnerabilities
Drupal Private Module Access Bypass Vulnerability
Asus ASUSWRT Multiple Security Vulnerabilities
MaNGOSWebV4 Multiple Cross Site Scripting Vulnerabilities

Enlarge (credit: Alachua County)

Last month, Microsoft took the unprecedented step of canceling Patch Tuesday, the company's monthly release of security fixes for its large stable of software products. The move meant that customers had to wait 28 days to receive updates that fixed vulnerabilities that allowed hackers to completely hijack computers and networks.

The last-minute move was all the more unusual because Microsoft made it a few days after exploit code for a Windows 10 flaw was released into the wild. In the nine days that followed the cancellation, technical details for two more serious vulnerabilities—one in Windows and the other in the Edge and Internet Explorer browsers—were also disclosed. Microsoft's security team almost certainly knew the latter two flaws would become public knowledge because Google's Project Zero privately reported the vulnerabilities to Microsoft and the bugs were subject to Google's long-standing 90-day disclosure deadline.

Microsoft finally patched the bugs when Patch Tuesday resumed earlier this week with a release that was unusually big by historical measures. That's good, but customers had still been forced to wait 28 days to get the fixes. And, as already noted, details about at least three of them were already well-known. So far, Microsoft hasn't explained why it canceled February's releases except to say the situation was prompted by an unspecified "last-minute issue." ZDNet writer Mary Jo Foley, meanwhile, said unnamed people speculate that the cancellation was the result of a "problem with Microsoft's build system."

Read 5 remaining paragraphs | Comments

CVE-2017-6805 MobaXterm Personal Edition v9.4 Path Traversal Remote File Disclosure
SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products
MS Internet Information Services XSS / HTML Injection vulnerability
Zammad Multiple Security Vulnerabilities
CMS Made Simple Multiple Cross Site Scripting Vulnerabilities
MagniComp Sysinfo CVE-2017-6516 Local Privilege Escalation Vulnerability
USB Pratirodh CVE-2017-6895 XML External Entity Vulnerability
Oracle MySQL Server CVE-2017-3313 Local Security Vulnerability
MariaDB and MySQL CVE-2017-3302 Denial of Service Vulnerability
Security guide for website operators CVE-2017-2128 OS Command Injection Vulnerability
Cisco NX-OS Software CVE-2017-3879 Remote Denial of Service Vulnerability
Cisco Nexus 7000 Series Switches CVE-2017-3875 Security Bypass Vulnerability
Cisco Adaptive Security Appliance Software CVE-2017-3867 Security Bypass Vulnerability
Cisco NX-OS Software CVE-2017-3878 Remote Denial of Service Vulnerability
Palo Alto Networks Terminal Services CVE-2017-6356 Information Disclosure Vulnerability
CVE-2017-6911: USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
Cisco TelePresence Server Software CVE-2017-3815 Privilege Escalation Vulnerability
Cisco UCS Director CVE-2017-3868 Cross Site Scripting Vulnerability
Drupal Core DRUPAL-SA-CORE-2017-001 Multiple Security Vulnerabilities
Cisco WebEx Meetings Server CVE-2017-3880 Authentication Bypass Vulnerability
Cisco Prime Service Catalog CVE-2017-3866 Multiple Cross Site Scripting Vulnerabilities
Microsoft Windows Graphics Component CVE-2017-0108 Remote Code Execution Vulnerability
[slackware-security] pidgin (SSA:2017-074-01)
Path Traversal Remote File Disclosure
CVE-2017-0045 Windows DVD Maker XML External Entity File Disclosure
Internet Storm Center Infocon Status