Apple Releases Multiple Security Updates

Original release date: December 08, 2015

Apple has released security updates for iOS 9.2, tvOS 9.1, OS X, watchOS 2.1, Safari 9.0.2, and Xcode 7.2 to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system.

Updates available include:

  • iOS 9.2 for iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
  • tvOS 9.1 for Apple TV (4th generation)
  • OS X El Capitan 10.11.2 and Security Update 2015-008 for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • watchOS 2.1 for Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
  • Safari 9.0.2 for OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
  • Xcode 7.2 for OS X Yosemite v10.10.5 or later

US-CERT encourages users and administrators to review Apple security updates for iOS 9.2, tvOS 9.1, OS X El Capitan 10.11.2 and Security Update 2015-008, watchOS 2.1, Safari 9.0.2, and Xcode 7.2, and to apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Google Releases Security Update for Chrome

Original release date: December 08, 2015

Google has released Chrome version 47.0.2526.80 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Chrome Releases page and apply the necessary update.




December Patch Tuesday avalanche of patches includes leaked Xbox certificate

(credit: CyberHades)

Today, Microsoft issued three new security advisories and a dozen new patches in the company’s monthly round of security updates. And one of the advisories was apparently the result of a security fumble by Microsoft's internal IT team—the inadvertent disclosure of the private encryption keys for a wildcard SSL/TLS certificate.

The certificate, which was used for Microsoft's xboxlive.com domain, has been revoked on Microsoft's Certificate Trust List, but it could potentially be used in man-in-the-middle attacks that "spoof" the Xbox Live network against systems that haven't been updated. Microsoft isn't saying how the certificate was "inadvertently disclosed", but it's likely that the "wildcard" certificate was accidentally shared with a partner. It's unlikely that the certificate will be used for an attack now that it's been revoked, but systems that don't regularly get their certificate trust lists updated might still be vulnerable.

System administrators have a bigger headache to deal with: an update issued today for Microsoft Windows DNS that patches a remote code execution vulnerability. Rated "critical" by Microsoft, the bug in DNS affects Windows Server 2008 and later. It could allow an attacker to send a "specially-crafted" Domain Name Service request to a Windows DNS server and run commands on the server with the permissions of the Local System account—giving the attacker a wide range of access to the server that could easily be escalated.


Microsoft Releases December 2015 Security Bulletin

Original release date: December 08, 2015

Microsoft has released 12 updates to address vulnerabilities in Microsoft software. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Microsoft Security Bulletins MS15-124 through MS15-135 and apply the necessary updates.

