• Patch Tuesday not dire – quick recap

    Microsoft has released 14 security bulletins. According to the SANS Internet Storm Center, only two of the bulletins involve exploits that are currently in the wild – one is for Internet Explorer, the other for Flash. If you don’t use IE, there are no currently known exploits.

    There’s a weird patch for Diffie-Hellman Key Exchange in KB 3174644. (“Microsoft is providing updated support to enable administrators to configure longer Diffie-Hellman ephemeral (DHE) key shares for TLS servers.”) I call it weird because it’s included in Win7’s KB MS16-111/3175024, and if you’re running Win7, Microsoft recommends that you install 3175024, not 317644. Vista and 8.1 users get to install¬†3174644 separately.

    Still with me?

    Server 2008 R2 PCs get a re-run of KB3172605, which is the July 2016 update rollup for Windows 7. Go figger. UPDATE: Looks like a whole bunch of files inside the patch were updated this month. PCs are rebooting after installing the update. I have no idea what’s going on. See patchmanagement.org for details.

    Last month’s August 2016 update rollup for Windows 7, KB 3179573, is back – but this time it’s Recommended, not Optional. Looks like the list of superseded updates has changed.

    Similarly, last month’s update rollup for Win8.1 , KB 3179574, is back, Recommended this time, not Optional.

    I’d be willing to bet this is the new cumulative rollup pace we’ll see put in place in October.

    The old Windows Journal killer is back, https://support.microsoft.com/en-us/kb/3161102, as well as the version for Vista https://support.microsoft.com/en-us/kb/3185662

    As long as you aren’t running IE 11, I don’t see any reason to hurry up with the patches.

    Stay tuned.

    ER notes:

    New Adobe Flash Player security updates posted Tuesday September 13, 2016 in Adobe security bulletin APSB16-29 & Microsoft security bulletin MS16-117:



    These security patches update Flash Player to version 23.

    UPDATE: Trend Micro advizes that there’s a known, exploited security hole in both IE and Edge. So, in addition to my usual advice to avoid IE, I also need to add Edge.

    But then you aren’t using Edge, are you?