Today Microsoft released the bulletins for March Patch Tuesday. We have five bulletins, MS14-012 to MS14-016, a light Patch Tuesday by any comparison, even with Adobe chiming in with a non-critical update of its own. If it were not for the Internet Explorer (IE) patch that addresses the 0-day found during last month's Patch Tuesday, one could call it almost uneventful.
Here is our lineup for today:
MS14-012, a critical bulletin, addresses 18 vulnerabilities in all versions of IE, from IE6 on Windows XP to IE11 on Windows 8.1. It also includes the fix for the 0-day vulnerability identified by FireEye on February 11, first on the website of the US Veterans of Foreign Wars. The attack used a previously unknown flaw in IE10 (CVE-2014-0322) together with an embedded Adobe Flash object to bypass ASLR, and gave the attackers control over visiting computers with that particular configuration. Microsoft acknowledged the problem and provided a Fix it in KB2934088, but this is the permanent patch for the problem. Apply it as soon as possible.
MS14-013, the second critical bulletin, addresses one critical vulnerability. The attack also uses the webpage vector, but rather than going against IE directly, it involves the DirectShow Windows component. Microsoft considers exploitation unlikely and gives it an Exploitability Index rating of 3, but you should still give it priority in your patch cycle.
The remaining bulletins, MS14-014, MS14-015 and MS14-016, are all rated important and do not provide Remote Code Execution (RCE) capabilities on their own. MS14-014 fixes an ASLR bypass in Silverlight, which needs to be paired with a code execution vulnerability in order to become useful (see the recent 0-day that used Adobe Flash for exactly that purpose). MS14-015 is a Windows kernel-mode driver fix addressing two CVEs, and MS14-016 changes a Windows API that allowed an attacker to bypass account lockout policy, which could be used in password brute-force attempts. Take a look at the Microsoft SRD blog to see where ASLR fixes fit in overall.
Adobe's update to Flash Player (APSB14-08) addresses two vulnerabilities in Flash Player 12 and 11 on Windows, Mac OS X and Linux. Both are rated important, meaning Adobe does not consider them usable for remote code execution on the targeted platforms. Organizations that run Chrome or IE10/11 will get their Flash update delivered through the browser; others will need to update directly from Adobe.
The other major Microsoft issue is the coming end-of-life of Windows XP. We are now less than 28 days away from the final set of patches that XP will receive, and we are not seeing a reduction in vulnerabilities. All of today's bulletins apply to Windows XP, and there is really no reason to expect that to change: the majority of vulnerabilities found in Windows and IE will continue to apply to Windows XP, but IT admins will no longer have patches for them. This will make any Windows XP machine an easy target for attackers, and within a few weeks new tools that make these exploits widely available will follow. Your best choice is to migrate away from Windows XP to a newer version of the operating system.
So far that migration is incomplete. In our latest survey of roughly 35 million monthly scans we still see Windows XP on 14% of machines, down from 16% in January and 17% in December 2013. If that trend continues, we project 10% by the end-of-life date, at least in the enterprise space covered by QualysGuard.
Two weeks ago at the RSA Conference 2014 in San Francisco, Microsoft released a preview of EMET 5 (Enhanced Mitigation Experience Toolkit). EMET imposes additional restrictions on Windows programs, monitors them for violations of its policy and, optionally, terminates offending programs. It has been effective against the IE 0-day attacks of 2013 and 2014, starting with MS13-008, MS13-021 and MS13-038. The known exploit against this month's MS14-012 acknowledges that power and tests for the presence of EMET beforehand, proactively giving up when the EMET DLL is detected. I recommend that IT admins take a look at this toolkit and test its compatibility with their installations. The new EMET version 5 introduces a plugin whitelisting capability (Attack Surface Reduction) that could be a great asset in controlling browser plugins, for example by allowing Java to run only on a controlled subset of sites where the plugin is actually required.
That is it for this month's bulletins, but stay tuned for more coverage about XP in the SMB and home market, plus a breakdown of the numbers that takes geography into account.
Patch the Internet Explorer vulnerability addressed in Bulletin #1 first, as it covers the current 0-day that was discovered about three weeks ago. Microsoft has so far addressed it with a Fix it in KB2934088, but this will be the permanent patch, reaching a much larger audience.
Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address them anymore. Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end-of-life date.
So you need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans, ranging from around 25% in our consumer-oriented service BrowserCheck to under 20% in our enterprise-oriented data from QualysGuard.
Back to the March bulletins: priority one should be the two critical bulletins, Bulletin #1 for all versions of Internet Explorer from v6 through v11, and Bulletin #2 for Windows, affecting all Windows versions from XP to 2012, with the exception of Windows RT. Bulletins #3 and #4 address important vulnerabilities in Windows, and Bulletin #5 is for users of Silverlight on Mac and Windows.
Stay tuned for our coverage next week, when we get more details on the patches.
Earlier today I gave a presentation at RSA Conference 2014 in San Francisco about the 20 Critical Security Controls (CSC) and some ideas on how to implement them using QualysGuard. The 20 CSC document provides a number of suggestions for each control, called Quick Wins, that point out aspects of the controls that are relatively easy to implement. Examples are the detection of new machines, or reporting on machines that do not run an approved version of the operating system.
The presentation looks at how QualysGuard data can be used to answer these questions. We show how a script can access the QualysGuard API to pull down data and populate a database in a format that is then easily used to produce the relevant reports. In our example we use Splunk as the database, mainly for its ease in handling time-based data, its intuitive query language and its built-in reporting, alerting and graphing capabilities.
Attached please find the presentation. I would be very interested in hearing from you, especially if you have used solutions such as Splunk to enhance your reporting.
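As an added illustration (not the presentation's script or Qualys code), here is the shape such a script can take in Python: two host-list pulls are diffed to find new machines, the OS string of every host is matched against an approved baseline, and the results are written as key=value lines that Splunk indexes without any custom parsing. The XML element names (HOST_LIST_OUTPUT, HOST, IP, DNS, OS, LAST_VULN_SCAN_DATETIME), the API v2 host-list call in fetch_host_list and the two snapshots are my assumptions and constructed sample data; check the element names against your platform's API guide before relying on them.

```python
"""Two CSC 'quick win' reports from QualysGuard host-list data: hosts that are
new since the last pull, and hosts running an OS outside the approved baseline,
emitted as key=value events that Splunk indexes without custom parsing.

Assumptions: the XML shape is modeled on the QualysGuard API v2 host list
(HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST with IP, DNS, OS and
LAST_VULN_SCAN_DATETIME children); the two snapshots are constructed data.
"""
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Host:
    ip: str
    dns: str
    os: str
    last_scan: str


def fetch_host_list(base_url: str, user: str, password: str) -> str:
    """Pull the host list over API v2 (assumption: asset/host?action=list;
    the X-Requested-With header is mandatory on v2 calls). Not used offline."""
    req = urllib.request.Request(f"{base_url}/api/2.0/fo/asset/host/?action=list")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("X-Requested-With", "csc-quick-wins")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read().decode("utf-8")


def parse_host_list(xml_text: str) -> Dict[str, Host]:
    """Index the HOST elements of a host-list document by IP address."""
    hosts: Dict[str, Host] = {}
    for node in ET.fromstring(xml_text).iter("HOST"):
        ip = (node.findtext("IP") or "").strip()
        if not ip:
            continue
        hosts[ip] = Host(ip, (node.findtext("DNS") or "").strip(),
                         (node.findtext("OS") or "").strip(),
                         (node.findtext("LAST_VULN_SCAN_DATETIME") or "").strip())
    return hosts


def new_hosts(previous: Dict[str, Host], current: Dict[str, Host]) -> List[Host]:
    """Quick win for CSC 1: hosts present now that were absent from the previous pull."""
    return [current[ip] for ip in sorted(set(current) - set(previous))]


# Approved OS baseline: policy input, adjust for your environment.
APPROVED_OS_PATTERNS = (r"^Windows 7\b", r"^Windows 8", r"^Windows 2008 R2\b",
                        r"^Windows 2012", r"^Red Hat Enterprise Linux 6")


def unapproved_os(current: Dict[str, Host], patterns) -> List[Host]:
    """Quick win for CSC 2/3: hosts whose OS string matches no approved pattern."""
    approved = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [h for _, h in sorted(current.items())       # string order of IPs
            if not any(rx.search(h.os) for rx in approved)]


def to_splunk_events(report: str, hosts, observed: str) -> List[str]:
    """One event per host; Splunk extracts key=value fields at search time."""
    return [f'{observed} report={report} ip={h.ip} dns="{h.dns}" os="{h.os}" '
            f'last_scan="{h.last_scan}"' for h in hosts]


def _snapshot(rows) -> str:
    """Render constructed rows in the assumed host-list XML shape."""
    body = "".join(
        f"<HOST><ID>{i}</ID><IP>{ip}</IP><DNS>{dns}</DNS><OS><![CDATA[{os_}]]></OS>"
        f"<LAST_VULN_SCAN_DATETIME>{ts}</LAST_VULN_SCAN_DATETIME></HOST>"
        for i, (ip, dns, os_, ts) in enumerate(rows, start=1))
    return f"<HOST_LIST_OUTPUT><RESPONSE><HOST_LIST>{body}</HOST_LIST></RESPONSE></HOST_LIST_OUTPUT>"


# Constructed sample data (not real scan results).
BASELINE = [("10.0.1.10", "ws10.corp.example", "Windows 7 Enterprise Service Pack 1"),
            ("10.0.1.11", "ws11.corp.example", "Windows XP Professional Service Pack 3"),
            ("10.0.1.12", "db12.corp.example", "Windows 2008 R2 Enterprise Service Pack 1")]
YESTERDAY_XML = _snapshot([(ip, dns, os_, "2014-02-26T03:10:00Z") for ip, dns, os_ in BASELINE])
TODAY_XML = _snapshot([(ip, dns, os_, "2014-02-27T03:10:00Z") for ip, dns, os_ in BASELINE]
                      + [("10.0.1.13", "legacy13.corp.example",
                          "Windows 2003 Server Service Pack 2", "2014-02-27T03:20:00Z")])

if __name__ == "__main__":
    prev, cur = parse_host_list(YESTERDAY_XML), parse_host_list(TODAY_XML)
    now = "2014-02-27T10:00:00Z"
    for line in to_splunk_events("new_host", new_hosts(prev, cur), now):
        print(line)
    for line in to_splunk_events("unapproved_os", unapproved_os(cur, APPROVED_OS_PATTERNS), now):
        print(line)
```

In production the diff would run against the previous day's pull stored in Splunk rather than an in-memory snapshot, and the approved-OS list is the place where the end-of-life dates discussed elsewhere on this page turn into policy: dropping "Windows XP" and "Windows 2003" from it is what makes those machines show up in the report.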
Today Adobe released its second out-of-band update for Flash Player this month. APSB14-07 fixes three vulnerabilities in Adobe Flash, including CVE-2014-0502, which is being used in the wild to attack users through malicious webpages. The 0-day flaw CVE-2014-0502 was discovered about a week ago by FireEye, which states that it was found on three websites run by non-profit institutions. Fortunately, organizations running the latest operating systems and application versions are not affected by the attack as seen in the wild: they lack the vulnerable components that the attack needs to come to a successful conclusion.
In particular the attack needs to bypass ASLR to be successful and therefore only targets certain configurations:
Windows XP (which does not have ASLR)
Windows 7 with Java 1.6 installed, which loads a module without ASLR and so allows for an ASLR bypass; Java 1.6 is EOL already and in general vulnerable to other exploits
Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits
Our recommendation is to update as quickly as possible. Organizations that run any of the above configurations need to do this immediately; others can roll out this patch on a normal schedule, but need to be aware that attackers may switch their tactics at any time to abuse other software packages that also expose predictable memory locations.
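The reason these configurations matter is that each brings a module into the browser that was linked without ASLR (for this attack the widely reported ones were msvcr71.dll shipped with Java 1.6 and hxds.dll from Office 2007/2010); a module that always loads at the same address gives the exploit predictable ROP gadgets, which is also the kind of bypass the MS14-014 Silverlight fix above closes. The following is an added example, not code from the original post or from Adobe or FireEye, that finds such modules by reading the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag from PE headers. It scans arbitrary DLL/EXE paths and so generalizes beyond the two modules named here; the constructed header builder exists only to provide offline sample input.

```python
"""Find PE images (DLL/EXE) that do not opt in to ASLR.

A module built without /DYNAMICBASE loads at a predictable address and hands
an attacker fixed ROP gadgets. This reads the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
flag straight from the PE optional header, without loading the image.
"""
import struct
import sys
from typing import Iterable, List, Optional

# Flags from the optional header's DllCharacteristics field.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B                           # 64-bit images


def pe_dll_characteristics(data: bytes) -> Optional[int]:
    """Return the DllCharacteristics field of a PE image, or None if the bytes
    are not a (sufficiently complete) PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 4 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER, 20 bytes
    if len(data) < coff + 20:
        return None
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER follows
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    if size_of_optional < 72 or len(data) < opt + 72:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def lacks_aslr(data: bytes) -> Optional[bool]:
    """True if the image is PE but carries no DYNAMIC_BASE flag; None if not PE."""
    chars = pe_dll_characteristics(data)
    if chars is None:
        return None
    return not (chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def scan_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose PE header does not opt in to ASLR.
    Only the first 64 KiB is read, which covers any realistic DOS stub."""
    findings = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                head = fh.read(65536)
        except OSError:
            continue                        # unreadable paths are skipped, not reported
        if lacks_aslr(head):
            findings.append(path)
    return findings


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed, non-loadable PE header used as sample input (test data only)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python aslr_check.py <path to module.dll> ...
    # With no arguments, demonstrate on two constructed headers.
    targets = sys.argv[1:]
    if targets:
        for bad in scan_files(targets):
            print("no ASLR:", bad)
    else:
        for name, chars in (("legacy.dll", 0x0000), ("modern.dll", 0x0140)):
            print(name, "lacks ASLR" if lacks_aslr(build_stub_pe(chars)) else "has ASLR")
```

Run it against the module paths loaded into the browser process (Process Explorer's DLL view lists them) and treat any hit as a candidate ASLR bypass regardless of which vendor shipped it. Two caveats: the flag only records that the image opted in, so on Windows XP the result is moot because the loader never randomizes anything, and an image with its relocations stripped cannot be rebased even when the flag is set.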
Microsoft has updated advisory KB2755801, which centralizes the Flash updates for Internet Explorer 10 and 11. Users of IE10 or IE11, as well as Google Chrome, do not need to update Adobe Flash separately; it is handled through their browsers automatically.
Update 2: Microsoft just published KB2934088, which acknowledges the vulnerability in Internet Explorer 9 and 10 and publishes a Fix it that uses the MSHTML shim mechanism to patch Internet Explorer. The MSHTML shim was originally developed for application compatibility, but has been used successfully for a number of security problems in the past year. Microsoft has a post on its SRD blog that explains the vulnerable versions, plus the defensive options available.
Update: It seems both Internet Explorer 9 and 10 are affected. That equates to a large share of all users, just over 30%. Implementing EMET makes a lot of sense, since it deflects this attack and countered last year's known 0-days of this type as well.
Original: On Patch Tuesday, when Microsoft released new versions of Internet Explorer (6-11) addressing 24 vulnerabilities, FireEye detected a previously unknown attack on IE10 at the website of the Veterans of Foreign Wars (vfw.org). The attack uses an Adobe Flash object to set up the environment for the rest of the exploit. Currently this 0-day vulnerability (CVE-2014-0322) only applies to Internet Explorer 10; other versions are not affected. EMET, as many times during the IE 0-days of last year, is also successful in preventing the exploit from running, but this time because the exploit actually checks for EMET's presence and aborts if it is found.
After initially announcing five bulletins (two critical, three important) last week, Microsoft added two new bulletins, both critical, and both related to Internet Explorer (IE), to the lineup. Last week, packaging problems prevented their inclusion in the pre-announcement, but these issues were resolved over the weekend, giving us a total of seven bulletins addressing 32 vulnerabilities for February 2014.
This month’s top Microsoft bulletin is definitely MS14-010 for IE, which addresses 24 vulnerabilities. The bulletin is rated critical and affects all versions of IE, from IE6 on Windows XP to IE11 on Windows RT. Attacks against the vulnerabilities addressed would come through the most common attack vector: malicious webpages. MS14-007 is the next in our priority list, at least if you are running Windows 7 or later. The patch fixes an issue in the graphics library DirectWrite. The attack would come through the browser in a malicious webpage that uses the <SVG> tag for Scalable Vector Graphics, a good reminder that new technology is usually not free of implementation vulnerabilities.
Speaking of attacks that come through the web, last week Adobe released an out-of-band patch for an Adobe Flash 0-day vulnerability. The attack was detected by Kaspersky and affects all current versions of Adobe Flash on Windows and Mac OS X. If you have Adobe Flash installed directly, please make sure that you fix this vulnerability as quickly as possible.
The two remaining critical Microsoft bulletins are MS14-011, addressing a vulnerability in VBScript, the scripting engine used in IE, again with an attack vector of malicious webpages, and MS14-008, addressing a file format vulnerability in Forefront for Exchange, a legacy anti-spam product for Microsoft Exchange.
MS14-005 for MSXML, MS14-006 for Windows and MS14-009 for .NET are all rated "important" because they do not allow remote code execution but are limited to fixing information disclosure and denial-of-service conditions. The information disclosure vulnerability fixed in MS14-005 had previously been used in attacks last year that were countered by bulletin MS13-090, which disabled the ActiveX component that was vital to the attack. MS14-005 now closes the auxiliary flaw to complete the fix. MS14-009 fixes a number of known vulnerabilities, for example one that enables the well-known Slowloris HTTP DoS attack.
Microsoft also turned advisory KB2862973, which deprecates the MD5 algorithm in certificates, into an automatic download in Windows Update. The KB was released six months ago in August for manual installation and testing. MD5 deprecation in certificates has become an industry best practice for SSL. In Qualys' SSL Labs tests, an MD5-signed certificate has led to a failing grade of F since the January 2014 release.
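To find the certificates the update will reject before it arrives automatically, check the signature algorithm OID in the chains you serve or trust. The following is an added example (not Microsoft's or Qualys' code) that walks the outer signatureAlgorithm of a DER-encoded certificate using only the Python standard library and flags md5WithRSAEncryption and md2WithRSAEncryption; the stub-certificate builder produces constructed test input, not a real certificate.

```python
"""Flag X.509 certificates whose signature uses an MD5- or MD2-based algorithm.

Walks just enough DER to reach the outer signatureAlgorithm of
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and compares its OID against the deprecated RSA-with-MD digests.
"""
import base64
import re
from typing import Tuple

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER's content bytes."""
    arcs = [value[0] // 40, value[0] % 40]   # first byte packs arcs 1 and 2
    acc = 0
    for b in value[1:]:                       # base-128, high bit means continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    """Return the OID of a DER Certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, sig_alg, _ = _read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def uses_weak_digest(der: bytes) -> Tuple[bool, str]:
    """(True, algorithm name) for MD2/MD5 signatures, else (False, dotted OID)."""
    oid = signature_algorithm_oid(der)
    return oid in WEAK_SIGNATURE_OIDS, WEAK_SIGNATURE_OIDS.get(oid, oid)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor of a single CERTIFICATE block and decode it."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", pem)
    return base64.b64decode(body)


def build_stub_certificate(oid_content: bytes) -> bytes:
    """Constructed DER skeleton with an empty tbsCertificate and a dummy
    signature: just enough structure to exercise the parser (test data)."""
    def tlv(tag: int, value: bytes) -> bytes:   # short-form lengths suffice here
        return bytes([tag, len(value)]) + value
    sig_alg = tlv(0x30, tlv(0x06, oid_content) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + sig_alg + tlv(0x03, b"\x00"))


MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python md5cert.py chain.pem
        with open(sys.argv[1], "r", encoding="ascii") as fh:
            text = fh.read()
        pem_blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
        for block in pem_blocks:
            print(uses_weak_digest(pem_to_der(block)))
    else:
        for oid in (MD5_RSA_OID, SHA256_RSA_OID):
            print(uses_weak_digest(build_stub_certificate(oid)))
```

Note the scope: a root's self-signature is irrelevant, since the root is trusted by fiat rather than by its signature; the certificates to hunt for are MD5-signed intermediates and end-entity certificates, which is also what the SSL Labs grade penalizes. Feed a PEM chain file as the first argument to check every certificate in it.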
In addition to last week's release of Flash, Adobe also released an update to their Shockwave Player. Take a look at APSB14-06 if you run Shockwave.
Overall, we are back to normal after a quiet January Patch Tuesday: seven bulletins from Microsoft and one from Adobe, with the three highest-priority fixes being Adobe Flash, IE, and DirectWrite on Windows 7 and 8.
Microsoft just added two new bulletins to the lineup. Bulletin #1 is now a critical update for Internet Explorer affecting all versions of the browser from IE6 to IE11. Bulletin #2 is a critical vulnerability in Windows affecting XP to Windows 8 and RT. This makes this Patch Tuesday quite a bit more relevant, with now a pretty normal workload.
The remaining bulletins are all renumbered: the old Bulletins #1 becomes #3, #2 becomes #4, and so on.
Today Microsoft announced its lineup for next week's Patch Tuesday. With only five bulletins, it is quite small again, the second time this year after January's four-bulletin release. Also for the second time, there is no update to Internet Explorer, which we have grown accustomed to seeing in the monthly releases. We definitely expect an update next month in March, at the very least to get the newest browser out in front of the Pwn2Own competition at CanSecWest, which is held on March 12-14.
Two of this month's bulletins are rated "critical," with the remainder rated "important." Bulletin #1 directly addresses a flaw in the Windows operating system and applies to both clients and servers, Windows 7, 2008, 8 and RT, but Windows XP and Vista are not affected. Bulletin #2 is on the server side only for Microsoft's Forefront Security product, which is an anti-spam and anti-malware tool for Microsoft Exchange Server.
Bulletins #3 and #4 are local vulnerabilities for all versions of Windows, and address an elevation of privilege and an information disclosure vulnerability respectively. Bulletin #5 addresses a Denial of Service condition in Windows 8.
In addition to Microsoft, both Adobe and Mozilla released new software this week.
Adobe addressed a 0-day in Adobe Flash with an out-of-band update (APSB14-04). It fixes a vulnerability (CVE-2014-0497) that is being exploited in the wild. Flash versions 12 and 11 are affected on both Windows and Mac OS X, and Flash version 11 is affected on Linux. Users of Google Chrome and Microsoft Internet Explorer 10 and 11 have received their updates automatically through a browser update. Users of other browsers, for example Safari on Mac OS X, Firefox or older versions of IE, need to update Flash on the operating system itself. Adobe credits Kaspersky with the discovery of the problem; Kaspersky has posted a detailed technical analysis on its blog.
We recommend installing this update as quickly as possible. Adobe Flash is widely installed and used in the majority of web pages to provide active content for videos and games. It is difficult to restrict its use, and users cannot be expected to present any obstacle to an attack that is embedded in a well-known, trusted web-page.
Mozilla updated Firefox to v27. Firefox is a very popular browser with about 23% market share, according to statistics from our free browser security tool BrowserCheck. Mozilla addressed 13 vulnerabilities, five of them rated "critical," which means an attacker can use them to take control of the targeted machine. Attacks of this type usually come through a website that the attacker controls, either a compromised site whose normal visitors the attacker counts on to fall prey, or one set up specifically for the task that then uses "search engine poisoning" to attract visitors. The vulnerability fixed in MFSA 2014-08, one of the five critical ones, shows how this could work: the patch fixes image processing within Firefox; to abuse the condition, an attacker would feed the browser images with certain format violations to trigger a processing error and gain code execution in the browser.
Again, we recommend installing to this latest version as quickly as possible if you are a Firefox user.
Adobe just released an out-of-band update (APSB14-04) to its Flash Player, which fixes a vulnerability (CVE-2014-0497) that is being exploited in the wild. Flash versions 12 and 11 are affected on Windows and Mac OS X, and Flash version 11 is affected on Linux. Users of Google Chrome and Microsoft Internet Explorer 10 and 11 will get their updates automatically through a browser update, but should still verify whether they need to update Flash on the operating system itself as well, if a browser is installed that does not bring its own version of Flash (for example, Safari on Mac OS X, Firefox or older versions of IE).
We recommend installing the update as quickly as possible. Adobe Flash is widely installed and used in the majority of webpages to provide active content: videos and games. It is difficult to restrict its use, and users cannot be expected to present any obstacle to an attack that is embedded in a well-known, trusted web page.
If you are a Firefox user, take a look at the latest release, v27. While it does not address this latest Adobe Flash problem, Mozilla fixed 13 vulnerabilities, including four critical ones. We recommend installing it as quickly as possible as well.
Oracle addresses 144 vulnerabilities in its Critical Patch Update (CPU) for January 2014, a new record for Oracle. The most urgent fixes are in Java v7; remember, Java v6 has reached its end-of-life already. Java v7 update 51 has 34 remotely exploitable fixes, with the most critical ones receiving a ranking of "10," the maximum value on the Common Vulnerability Scoring System (CVSS) scale. Java was one of the most attacked software packages in 2013, and it will continue to be so due to its sluggish update record. It was in the news recently when attackers installed malware through advertisements on Yahoo's homepage by abusing a Java vulnerability on the affected users' machines. Fix Java first, and if you encounter resistance to updating it, map out why the machines in question cannot run the latest version.
Adobe is releasing two updates, both critical, i.e., they allow remote code execution and total control of the affected system. APSB14-01 is an update to Adobe Acrobat and Reader, with a PDF file as the attack vector. APSB14-02 is an update to Adobe Flash, which has the typical attack vectors of malicious web pages and documents with embedded Flash objects. Both Adobe packages should be high on your update list. Users of Google Chrome and Internet Explorer 10 and 11 do not need to worry about the Flash update, as it will be installed through their respective auto-update mechanisms.
Microsoft has four bulletins, all rated "Important." MS14-001 addresses a file format vulnerability in Microsoft Word that can be used to get Remote Code Execution on the targeted system when a malicious file is opened. It is the most important vulnerability to address. It applies to Word 2003, 2007, 2010 and 2013 on Windows, plus the Word document viewers; Mac OS X users are not affected. MS14-002 is the patch for last month's 0-day vulnerability in Windows XP and 2003. The vulnerability is a local Elevation of Privilege, i.e., it can only be used by an attacker who is already on the machine as a standard user and needs to gain administrative rights. Microsoft first acknowledged its existence on November 27, 2013 in KB2914486 and indicated that it was used in a small number of targeted attacks that used an already patched vulnerability in Adobe Reader (APSB13-15 from May 2013) as the delivery vehicle. The remaining bulletins, MS14-003 and MS14-004, address a kernel vulnerability in Windows and a Denial of Service condition in Microsoft's Dynamics AX ERP program.
In summary, our priority list for this month: Java, Adobe Reader and Flash, Microsoft Word and the 0-day.
BTW, there are more vulnerabilities in the Oracle CPU release that you should look at if you run the respective Oracle software:
MySQL has 18 vulnerabilities, and three can be attacked remotely with a maximum CVSS score of “10.”
Solaris has 11 fixes, including one that can be attacked remotely. The maximum CVSS score is “7.2.”
Oracle Virtualization Software, which includes the popular VirtualBox, has nine vulnerabilities, and four of them can be triggered remotely with a maximum CVSS score of “6.2.”
The Oracle RDBMS itself has five vulnerabilities, one of which can be exploited remotely.
Update: Adobe will release a new version of its Reader and Acrobat products on Tuesday as well. The new versions will address critical issues on both Windows and Mac OS X.
Original: 2014's first Patch Tuesday is coming up next week and it will be a full plate for IT administrators even though we are looking at only four bulletins from Microsoft. Oracle will simultaneously release its Critical Patch Update, and these quarterly releases typically address over 100 vulnerabilities in their large software line. For example, 127 were addressed in October of 2013. Analyzing the applicability of these flaws to one’s software infrastructure and addressing them are a major concern for any organization that uses Oracle products.
Microsoft will have four bulletins addressing flaws in Windows, Microsoft Office and Dynamics AX, none of them rated critical. This is significantly fewer than the seven January bulletins of both 2013 and 2012. We expect Bulletin #2 to address the 0-day vulnerability CVE-2013-5065 in Windows XP and 2003, which has seen limited attacks since the end of November of last year. These attacks have been coming in through PDF documents using an already fixed vulnerability in Adobe Reader, so users of updated versions, i.e., post-APSB13-15 from May 2013, should be immune to this attack vector.
While there is no update for Internet Explorer, taking care of your browser should still be among your highest-priority items. Running the most up-to-date browser version is the best way to deal with web-based attacks, which grew further in 2013. They are now the main threat vector, and more companies have been infected through web-based attacks than through e-mail. Beyond the browser, one needs to pay attention to the browser plug-ins, and in that class the most important is Oracle's Java. Java just suffered a widely publicized attack during the Yahoo ad-based attacks from Dec 30, 2013 to Jan 3, 2014, where the Magnitude exploit kit was used to deliver malware to users running an outdated version of Java. Oracle is coming out with Java v7u51, which addresses a number of security flaws and further tightens its security settings.
Back to the Microsoft January release. In summary, we will have four patches total, with only one in the Remote Code Execution (RCE) category:
Bulletin #1, an RCE in Microsoft Office
Bulletin #2, to address 0-day flaw in XP and 2003
Bulletin #3 in Windows
Bulletin #4 in Dynamics AX, Microsoft's ERP system
Please stay tuned for more updates on this post as we get more information about the Oracle patches.
Today Microsoft released 11 security bulletins that address 24 vulnerabilities in the last Patch Tuesday of 2013. This month's patches take the total number of bulletins to 106 and the distinct vulnerability count to just over 330 for the year.
Our top priority today is MS13-096, which addresses the 0-day vulnerability in the TIFF parser in Microsoft GDI+ library. This vulnerability is currently under targeted attacks in the Middle East and Asia, and the exploits typically arrive in an Office document. If your machines run on later versions of Microsoft software, you are not affected. However, if you are behind, you should install this patch as soon as possible as you are most likely on a vulnerable configuration, such as Windows XP or an older version of Office (2003 or 2007).
The second currently open 0-day vulnerability does not get addressed in this patch cycle, as it was discovered too late to make it into this release. It is also less severe, as it depends on a second vulnerability for delivery to the targeted machine. In the wild, exploits have been delivered through a PDF document abusing an older vulnerability in Adobe Reader. Fortunately, the vulnerability only affects the older Windows versions XP and 2003; it allows an attacker to become administrator and then install malware to take control of the machine. If you have a vulnerable configuration, we recommend you implement the workaround specified in security advisory KB2914486 and turn off the NDProxy component. Side effects should be minimal and limited to the telephony and modem interfaces, which should not be in use in most environments.
If you are impacted by these two 0-days, you are running older versions of Microsoft software and should evaluate whether it is worth maintaining that strategy. In particular, Windows XP and Office 2003 are on their way out and will be discontinued in April 2014. Their security situation will then become very quickly unmaintainable as Microsoft will cease to publish updates. However, you are not alone - there are almost 15% of enterprise users who still have Windows XP in their networks. We have seen some substantial drop-offs in recent months, but it is doubtful that they will be able to eliminate all XP machines from their networks by April 2014.
But back to the December bulletins. After the TIFF 0-day bulletin, we believe that MS13-097, which addresses 7 vulnerabilities in Internet Explorer (IE), should be next on your priority list. All versions of IE are affected, and the bulletin comes with an Exploitability Index rating of 1, indicating that a working exploit would not be hard to craft. The exploit would be delivered through a malicious webpage. Also browser-related, but in a separate component, MS13-099 addresses a critical flaw in the Microsoft Scripting Runtime library used by VBScript, which could be used to take control of the targeted machine.
MS13-105 is a bulletin for Microsoft Exchange and addresses a number of flaws related to Outlook Web Access (OWA). After Oracle's release of a new version of its Outside In libraries in the Critical Patch Update of October 2013, we already knew that Microsoft would have to incorporate that fix into a future release. The attack vector here is a malicious document sent via e-mail that, when previewed by a user in OWA, could be used to take control of the mail server. It is not the only vulnerability in OWA that was addressed: there is also a ViewState deserialization issue and a cross-site scripting (XSS) problem. If you use OWA in your setup, MS13-105 is an important patch for your organization.
The remaining critical bulletin addresses a flaw in Authenticode signature verification that is currently being exploited in the wild. Attackers have been abusing installers from legitimate software makers to install malware. These installers are configured to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism. MS13-098 addresses the concrete issue found in the wild and prepares the system for a more stringent integrity check that will prevent such abuse in the future. Because of the presence of legacy code, the more stringent check will be activated only six months from now. If you are interested in the underlying technical issues, Microsoft has a detailed post on the SRD blog.
One more vulnerability is being abused in the wild. MS13-104 updates Microsoft Office and addresses a flaw in how Office authenticates to Office 365. The vulnerability can be used to steal the authentication token and impersonate the user on the online version of the Microsoft Office suite, Office 365.
The remaining vulnerabilities are less critical - rated “important.” They should be addressed in your normal patch schedule and fix local Windows issues in MS13-101 and MS13-102, Office in MS13-106, Sharepoint in MS13-100 and Microsoft Visual Studio in MS13-103.
Adobe published two updates today: both Shockwave and Flash are getting new versions. Adobe is aware of attacks in the wild against the Flash player, which come embedded in a Word document. Our recommendation is to include the Flash release in your "patch urgently" category. Users of Google Chrome and Internet Explorer 10 get the new Flash player automatically.
In other security news we had another example of the fragility of the SSL certificate ecosystem. Last weekend Google detected a rogue certificate: a French government agency had issued a certificate for Google websites, enabling it to decrypt all Google traffic that flowed through its network, a classic man-in-the-middle (MITM) setup. The certificate has been revoked, and Google and Microsoft have blacklisted it directly in their browsers. Today Mozilla is releasing a new version of Firefox (v26) that excludes the certificate from its certificate store. In addition to fixing five critical vulnerabilities, the release also introduces a security feature: click-to-play for plug-ins (for example Java, which has been much under attack this past year), which requires a user to approve the execution of a plug-in.
Overall, while this is a normal-sized Patch Tuesday, it closes a year with over 100 software updates. 100+ updates continues a trend that we already saw in the last couple of years. While we are getting better at writing software and are committing fewer errors, attackers are stepping up their game as well, constantly looking for new loopholes in our infrastructure. One thing is clear to me though: the 0-days show that being on the latest version of operating systems and application software is a clear advantage in terms of resilience, and it helps IT run a safer infrastructure. I hope you are already in the category of organizations that have migrated away from XP, Server 2003 and Office 2003, or are at least in the group that is quickly moving towards 0% by April 2014.