(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Agora-Project Multiple Cross Site Scripting Vulnerabilities
 
Drupal Private Module Access Bypass Vulnerability
 
Asus ASUSWRT Multiple Security Vulnerabilities
 
MaNGOSWebV4 Multiple Cross Site Scripting Vulnerabilities
 


Last month, Microsoft took the unprecedented step of canceling Patch Tuesday, the company's monthly release of security fixes for its large stable of software products. The move meant that customers had to wait 28 days to receive updates that fixed vulnerabilities that allowed hackers to completely hijack computers and networks.

The last-minute move was all the more unusual because Microsoft made it a few days after exploit code for a Windows 10 flaw was released into the wild. In the nine days that followed the cancellation, technical details for two more serious vulnerabilities—one in Windows and the other in the Edge and Internet Explorer browsers—were also disclosed. Microsoft's security team almost certainly knew the latter two flaws would become public knowledge because Google's Project Zero privately reported the vulnerabilities to Microsoft and the bugs were subject to Google's long-standing 90-day disclosure deadline.

Microsoft finally patched the bugs when Patch Tuesday resumed earlier this week with a release that was unusually big by historical measures. That's good, but customers had still been forced to wait 28 days to get the fixes. And, as already noted, details about at least three of them were already well-known. So far, Microsoft hasn't explained why it canceled February's releases except to say the situation was prompted by an unspecified "last-minute issue." ZDNet writer Mary Jo Foley, meanwhile, said unnamed people speculate that the cancellation was the result of a "problem with Microsoft's build system."


 
CVE-2017-6805 MobaXterm Personal Edition v9.4 Path Traversal Remote File Disclosure
 
SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products
 
MS Internet Information Services XSS / HTML Injection vulnerability
 
Zammad Multiple Security Vulnerabilities
 
CMS Made Simple Multiple Cross Site Scripting Vulnerabilities
 
MagniComp Sysinfo CVE-2017-6516 Local Privilege Escalation Vulnerability
 
USB Pratirodh CVE-2017-6895 XML External Entity Vulnerability
 
Oracle MySQL Server CVE-2017-3313 Local Security Vulnerability
 
MariaDB and MySQL CVE-2017-3302 Denial of Service Vulnerability
 
Security guide for website operators CVE-2017-2128 OS Command Injection Vulnerability
 
Cisco NX-OS Software CVE-2017-3879 Remote Denial of Service Vulnerability
 
Cisco Nexus 7000 Series Switches CVE-2017-3875 Security Bypass Vulnerability
 
Cisco Adaptive Security Appliance Software CVE-2017-3867 Security Bypass Vulnerability
 
Cisco NX-OS Software CVE-2017-3878 Remote Denial of Service Vulnerability
 
Palo Alto Networks Terminal Services CVE-2017-6356 Information Disclosure Vulnerability
 
CVE-2017-6911: USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
 
Cisco TelePresence Server Software CVE-2017-3815 Privilege Escalation Vulnerability
 
Cisco UCS Director CVE-2017-3868 Cross Site Scripting Vulnerability
 
Drupal Core DRUPAL-SA-CORE-2017-001 Multiple Security Vulnerabilities
 
Cisco WebEx Meetings Server CVE-2017-3880 Authentication Bypass Vulnerability
 
Cisco Prime Service Catalog CVE-2017-3866 Multiple Cross Site Scripting Vulnerabilities
 
Microsoft Windows Graphics Component CVE-2017-0108 Remote Code Execution Vulnerability
 
[slackware-security] pidgin (SSA:2017-074-01)
 
Path Traversal Remote File Disclosure
 
CVE-2017-0045 Windows DVD Maker XML External Entity File Disclosure
 