Monthly Archives: December 2015

Crooks update their exploits – have you updated your Office?

Microsoft Office exploits are cunningly-crafted, deliberately malformed chunks of data, inserted into Office files, that crash the application in a way that gives cybercriminals control, so that they can install malware without you noticing.

With a reliable exploit in hand, they don’t need to persuade you to click a web link, or to download and install a program, or to enable Office macros (which are off by default, with very good reason) and re-open the document at a lower security level.

Just opening the document to read it, or in some cases merely looking at it in a preview window, may be enough to infect your computer with malware.

TRACKING THE THREAT

In order to keep track of the burgeoning appetite of the criminals for Office-based attacks, we’ve been monitoring the usage patterns of the most popular Microsoft Office exploits.

For many years, one exploit has been at the top of our charts: CVE-2012-0158.

As explained above, document-based malware is an alternative infection vector for malware authors, and in recent months, some cybercrime groups have started using documents as their primary malware-spreading mechanism.

In a typical infection scenario, booby-trapped documents are attached to phishing email messages and sent out:

  • To large numbers of random recipients in the case of cybercriminals who are in it for the money.
  • To a small number of selected recipients in the case of Advanced Persistent Threat (APT) groups, who are typically focused on specific organizations.

Older exploits still work against a surprising percentage of users, thanks to poor patching habits, but new exploits have more value, because even fewer users are likely to be patched against them.

As the name tells us, CVE-2012-0158 has been around for more than three years now, so it is no wonder that the malware authors were looking for a replacement.

Over the years there were a few candidates, such as CVE-2013-3906 and CVE-2014-1761, but none of those threatened the dominant position of the old exploit, presumably because they simply didn’t work as effectively in the real world.

NEW KID ON THE BLOCK

Nothing endangered the reign of CVE-2012-0158 until August 2015, when a new Office exploit known as CVE-2015-1641 started to become popular with the crooks.

This exploit showed up only in small APT incidents before that time, but it was August when it found its way into the broader cybercrime scene.

The new exploit quickly became popular, and as we reach the end of 2015, it is poised to move into first place:


As we have written before, malware authors usually don’t concern themselves with the details of how Office exploits work, and they don’t need the technical skills to produce booby-trapped documents of their own.

They can simply do a deal, via the cyberunderground, with an exploit provider – “crimeware as a service” (CaaS), as it is known – who will arrange for the delivery of their malware to a specified number of victims, using booby-trapped documents as the infection vector.

IN CONCLUSION

Cybercrime gangs find Office documents a convenient way to spread their malware.

They have been using this method steadily over the past two years, and there is every sign that they will continue to do so.

Their approach is evolving over time: they use various underground tools to generate their booby-trapped documents, and as these tools are developed, they automatically get to use newer Office exploits.

The good news is that they aren’t using zero-days, which are security holes for which an exploit appeared before a patch was available. (They’re called “zero-days” because there were zero days during which you could have been proactively patched).

Even the freshest exploit in their arsenal was fixed six months ago.

In other words: patch early, patch often!

Via: sophos

80 Percent of Organizations Experienced a Cyber Security Incident in 2015

Still, 71 percent of IT pros expect their organizations to be more secure in 2016, a recent survey found.

According to the results of a recent Spiceworks survey of 197 IT professionals, 80 percent of respondents acknowledged having experienced a cyber security incident in 2015.

Fifty-one percent of respondents had experienced malware attacks in 2015, 38 percent experienced phishing attacks, and 34 percent experienced spyware attacks.

When looking ahead to the coming year, there were some disconnects between past experience and future concerns — while 53 percent of respondents said they’re concerned about ransomware in 2016, only 20 percent experienced a ransomware incident in 2015.

Similarly, while 39 percent of respondents expressed concern about data theft in 2016, only 5 percent experienced a breach resulting in data theft in 2015. And while 37 percent said they’re concerned about a password breach in the coming year, only 12 percent experienced a password breach in 2015.

Fully 71 percent of respondents expect their organizations to be more secure in 2016.

“The results show that IT professionals feel responsible for the security of their organization’s data, and in a world where technology is getting more complex and organizationally distributed, their jobs aren’t getting any easier,” Spiceworks vice president of marketing Sanjay Castelino said in a statement.

“In reaction to these challenges, they’re being more proactive about preventing security incidents and breaches by learning about new threats, regularly educating employees about risks, and investing in more advanced security solutions,” Castelino added.

When asked what types of attackers they’re most concerned about, 49 percent said they’re concerned about independent hackers, 36 percent said rogue employees, 25 percent said organized crime groups, 12 percent said they’re concerned about cyber-terrorist groups and state-sponsored hackers, and just 10 percent said they’re concerned about hacktivists.

Eighty percent of the IT professionals surveyed said end users represent the biggest challenge to their organization’s cyber security.

In response to that concern, 73 percent of IT pros are enforcing end user security policies, and 72 percent regularly providing security training to employees on topics like malware and phishing scams.

Similarly, 66 percent of IT professionals are taking time to learn about new threats, and 60 percent say they regularly evaluate new security solutions.

Via: esecurityplanet

One Third of CEOs Aren’t Regularly Briefed on Cyber Security Issues

And 61 percent of global IT security pros think their CEOs don’t know enough about cyber security, a recent survey found.

A survey of 304 global IT security professionals has found that one third of CEOs and 43 percent of management teams are not regularly briefed on cyber security issues.

The survey, conducted by Dimensional Research and sponsored by CyberArk, also found that 61 percent believe their CEOs don’t know enough about cyber security, and 69 percent say cyber security issues are too technical for their CEO.

Additionally, 53 percent of respondents think their CEOs make business decisions without regard to security, and 44 percent believe that their CEOs simply don’t grasp the severity of today’s cyber security risks.

“Increasingly, it’s CEOs who own the security agenda — whether they want to or not,” CyberArk chief marketing officer John Worrall said in a statement.

“By providing greater visibility into how cyber security programs are performing, and regularly communicating needs around budget and skills, IT security professionals will gain the support of the executive team and in turn help their organization become more proactive in protecting against advanced threats,” Worrall added.

Executive visibility into security program effectiveness varies by industry, the survey found, with 72 percent of respondents in financial services and 70 percent in healthcare saying they regularly provide their executive teams with reports and metrics, but 50 percent of respondents in manufacturing, 50 percent in hospitality, 44 percent in transportation and 27 percent in education saying the same.

Sixty percent of respondents believe their organization is vulnerable to a data breach.

Seventy-five percent of respondents cited budget issues as the primary barrier to improving cyber security, followed by lack of expertise (52 percent) and ineffective security tools and solutions (34 percent).

And while 79 percent of respondents say they report on compliance metrics to demonstrate security program effectiveness, 59 percent say threat detection metrics are more important.

“Compliance does not equal security,” Worrall said. “It can lull a CEO into a state of complacency because all it demonstrates is a simple checking of a box without context for responsible levels of information protection.”

“Security professionals are briefing executives on the wrong information,” Worrall added. “They need to arm their CEOs and executive teams with information that matters, such [as] threat detection and risk metrics versus compliance and system availability.”

Via: esecurityplanet

Phantom Squad Hacker Group Takes Down Xbox Live

The hacker group Phantom Squad has recently claimed responsibility for an alleged attack that caused problems for Xbox Live users.

Earlier this month, Phantom Squad announced that they intended to take down Sony’s PlayStation Network and Microsoft’s Xbox Live gaming platforms for one week beginning on Christmas Day.

“We are going to shut down Xbox live and PSN this year on christmas. And we are going to keep them down for one week straight #DramaAlert,” read a tweet posted on Dec. 8 by an account allegedly operated by the hacking group (@PhantomSqaud).


Tweets from Phantom Squad’s Twitter account (Source: Ars Technica)

It would appear that Christmas has come early this year. Ars Technica reports that yesterday the group tweeted out “Xbox Live #Offline,” followed by “Maybe if you guys didn’t talk shit about us, we would not hit Xbox Live this early.”

Both of these tweets were allegedly accompanied by problems for Xbox Live users, as a statement posted on Microsoft’s support site following the attacks seemed to confirm:

“Hey Xbox members, are you having trouble purchasing or managing your subscriptions for Xbox Live? Are you also having an issue with signing into Xbox Live? We are aware of these issues and are working to get it fixed ASAP! Thank you for being patient while we work. We’ll post another update when more information becomes available.”

As of this writing, Xbox Live is running normally. Eurogamer.net writes that Phantom Squad has since claimed responsibility for this return of service.

“Lmao OF F***ING COURSE xbox live is back online we stopped the attacks,” the hacker group boasted on Twitter some three hours after it bragged about bringing down the platform.

Phantom Squad’s Twitter account was shortly thereafter suspended, and it currently remains unavailable. Before it was taken offline, however, Phantom Squad announced that PlayStation Network was next.


Phantom Squad issued another threat before its account went offline. (Source: Ars Technica)

The group’s attacks against Xbox Live clearly invoke the distributed denial-of-service (DDoS) campaign launched by the Lizard Squad hacker group last Christmas.

Shortly thereafter, the group announced the creation of Lizard Stresser, its DDoS-for-hire service. But the group’s celebration was short-lived. By New Year’s Eve, two of the hacker group’s members had been arrested, while a third was charged with some 50,700 counts of “cybercrime”-related offenses in July.

Additionally, hackers successfully breached Lizard Stresser earlier this year, revealing the unencrypted credentials of 14,000 customers.

Via: tripwire

A free, almost surefire way to check for malware in 9 steps

How to scan every running process on your system for malware in seconds, without installing antimalware software.

No single antimalware engine can keep up with all the malware out there. But how about 57 of ’em?

Here’s what you should do: Install an antimalware product that does a decent job, has a long history of stability and decent success, and doesn’t slow down your system (unless you don’t mind a little sluggishness). Then use Windows Sysinternals Process Explorer or Autoruns to test currently running executables against VirusTotal’s 57 antivirus engines, which offers the best accuracy you can ever get (with a small percentage of false positives).


Step by step, do this now for all Windows computers:

  1. Make sure your computer has an active connection to the Internet.
  2. Go to Sysinternals.com. It’s a Microsoft site.
  3. Download Process Explorer and Autoruns. Both are free, as is everything on the site.
  4. Unzip these programs. If using Process Explorer, use procexp.exe. If using Autoruns, use autoruns.exe (autorunsc.exe is the command-line version).
  5. Right-click and run the program executable as Administrator, so it’s running in the Administrator’s security context.
  6. Run Process Explorer first (I’ll explain Autoruns later). Select the Options menu at the top of the screen.
  7. Choose VirusTotal.com and then Check VirusTotal.com.
  8. This will submit all running executables to the VirusTotal website, which is run and maintained by Google. You’ll get a message to accept the license; answer Yes. You can close the VirusTotal website that comes up and go back to Process Explorer.
  9. In Process Explorer, you’ll see a column labeled VirusTotal. It will either say Hash Submitted (during the first few seconds) or give you a ratio, something like 0/57, 1/57, 14/54, and so on.

As you’ve guessed, the ratio indicates how many antivirus engines at VirusTotal flagged the submitted executable (hash) as malicious. Currently, the list of antivirus engines is 57, but it goes up and down all the time. I’m not sure why some executables are inspected by all of the antivirus engines and not others, but if the ratio is greater than 0/57, you could have malware.

If it says 1/57 or 2/57, however, it probably isn’t malware, but a false positive instead. On the other hand, I’ve seen at least one real malware program that was detected by only one of the engines, so double-check to see if the name and vendor who created the program looks familiar. If not, it could be malicious.

Most malware programs are caught at a ratio of 3/57 or higher. When I see anything at that ratio or higher, I right-click it in Process Explorer, note the file location path, and kill the process if I don’t absolutely recognize and trust the program file.

Then I manually delete the files associated with the executable — but proceed at your own risk! Be forewarned: You might accidentally delete something you need for some application or driver to run.

Occasionally, malware will “fight” with you and not let you kill the process. If so, repeat the process above, but go with Autoruns instead. Use Autoruns to unselect the program so that it won’t load at startup. Reboot and run Process Explorer again. Usually, the malware program will not be running and you can delete it.

Put a shortcut to Process Explorer on your desktop. I recommend that everyone download and run Process Explorer or Autoruns at least once a week. If that’s too much, at least be sure to run it if your computer exhibits suspicious behavior.

Caveat emptor: No malware detection works every time

To be clear, even this detection method is not perfect. Certain malware can escape this sort of detection, although for now, it’s rare. Of course, in the future, malware writers could go out of their way to escape the clutches of Process Explorer or Autoruns. That’s not true yet, so the above method is one of the best protection methods you can use.

The best long-term advice to avoid infection in the first place will sound familiar if you read my blog regularly: Keep your software fully patched — especially Java, which you should uninstall if not needed — as well as any third-party browser products (I’m looking at you, Adobe). Most of all, don’t be fooled into installing something you shouldn’t. Finally, don’t share passwords between different sites — or use two-factor authentication — and you’ll become a top security defender. Those three pieces of advice trump any antimalware advice that you’ll ever get.

If your computer is connected to the Internet, no defense is perfect, and you owe it to yourself to apply the best detection regimen available. Feel free to pass my detection recipe along to every friend and co-worker. It’s hard to beat 57 antivirus programs for accuracy.

Via: infoworld

MacKeeper fails to keep 13 million Mac users safe

Even if you don’t have a Mac, you’ve probably heard of MacKeeper.

If you do have a Mac, you’ve probably seen the company’s promotional material, whether as clickable ads in third-party websites, or as popup warnings, or as pop-under dialogs. (Pop-unders are those annoying windows that are left behind when you close or move your main browser window.)

With slogans such as “Clean your Mac”, “100% performance boost” and “Increase security level”, the company’s aggressive advertising pitches its utilities as a personal technical assistant that helps with anti-virus protection, data encryption, junk file cleanup and performance optimisation.

Unfortunately, the company is in the news for all the wrong reasons at the moment, following a Reddit posting entitled Massive Data Breach by a security researcher calling himself FoundTheStuff.

Forbes identified the researcher as Chris Vickery, and says that he was able to access a MacKeeper company database of more than 13,000,000 customer records, apparently including names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information and more.

What’s worse is that it sounds as though the stored password items were just the straight MD5 hashes of each raw password, without any salting or stretching.

Salts are random characters added to each password before it’s hashed, so that even if two users pick the same password, they end up with a different hash, so they stand or fall alone.

Stretching is applying the hashing function repeatedly in a loop, to make each password guess take longer, thus slowing down password guessing attacks.

Storing passwords as straight MD5 hashes is better than using plaintext, but not a whole lot better.

Modern password cracking machines can compute hundreds of billions of MD5 hashes per second, and with an unsalted database each hash can be directly compared against every stored entry at once, to see if anyone picked that password.
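The following is an added example (not code from the article or from MacKeeper) that puts the salting and stretching explanation into running code: the same password stored as a straight MD5 hash for two users collides, a salted and stretched (PBKDF2-HMAC-SHA256) store does not, and a dictionary attack against the unsalted store costs one hash per guess regardless of how many users there are. The sample user list, the 100,000-iteration count and the `pbkdf2_sha256$…` record layout are assumptions chosen for illustration.

```python
"""Unsalted MD5 password storage versus a salted, stretched PBKDF2 store.

Added example; not part of the original article. The user list, the
iteration count and the storage record format are constructed here.
"""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: three accounts, two of which chose the same password.
SAMPLE_USERS = {
    "alice": "Winter2015!",
    "bob": "Winter2015!",
    "carol": "correct horse battery staple",
}

# Stretching factor (assumed value for illustration; real deployments tune it
# to the hardware so that one verification takes a noticeable fraction of a second).
PBKDF2_ITERATIONS = 100_000


def md5_store(password):
    """The weak scheme described in the article: plain MD5, no salt, no stretching."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted and stretched: 16 random salt bytes, PBKDF2-HMAC-SHA256 iterated.

    Record layout (constructed for this example): algorithm$iterations$salt$hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_count(store):
    """Number of accounts whose stored value equals another account's value.

    Non-zero for an unsalted store whenever two users share a password;
    zero for a salted store, so each account 'stands or falls alone'.
    """
    counts = Counter(store.values())
    return sum(c for c in counts.values() if c > 1)


def crack_unsalted(store, wordlist):
    """Offline guessing against an unsalted MD5 store.

    One hash per guess is compared against every user simultaneously, which is
    why unsalted hashes fall to billions-of-hashes-per-second rigs so quickly.
    """
    users_by_hash = {}
    for user, h in store.items():
        users_by_hash.setdefault(h, []).append(user)
    cracked = {}
    for guess in wordlist:
        for user in users_by_hash.get(md5_store(guess), []):
            cracked[user] = guess
    return cracked


def guess_work(n_users, n_guesses, salted, iterations=1):
    """Hash computations needed to try every guess against every account.

    Unsalted: each guess is hashed once and checked against all users.
    Salted + stretched: each (user, guess) pair costs `iterations` hashes.
    """
    if not salted:
        return n_guesses
    return n_users * n_guesses * iterations


if __name__ == "__main__":
    weak = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    print("duplicate MD5 entries:", duplicate_hash_count(weak))
    print("duplicate PBKDF2 entries:", duplicate_hash_count(strong))
    print("cracked from unsalted store:", crack_unsalted(weak, ["password", "Winter2015!"]))
    print("work, 1e6 guesses, unsalted:", guess_work(len(weak), 10**6, False))
    print("work, 1e6 guesses, salted+stretched:", guess_work(len(strong), 10**6, True, PBKDF2_ITERATIONS))
```

Running the module shows alice and bob sharing one MD5 value and both falling to a two-word wordlist, while the PBKDF2 records differ for every user and multiply the attacker's work by the number of accounts times the iteration count. The verification step uses `hmac.compare_digest` so that the comparison does not leak timing information about how many leading bytes matched.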

MacKeeper itself hasn’t yet confirmed or denied any details of what was stolen, advising only that “[a]ll customer credit card and payment information is processed by a 3rd party merchant and was never at risk,” and that the company “[does] not collect any sensitive personal information of [its] customers.”

Vickery, it seems, simply did some internet searches using a server-searching tool called Shodan to see if he could find publicly accessible databases running database software called MongoDB.

When he dug into the results, he found that MacKeeper’s databases were directly online with no authentication at all, meaning that he didn’t need to know any usernames or passwords.

According to MacKeeper, he was the only outsider who connected to the databases recently, and the company affirms that he looked, reported what he’d found, and did nothing more with the data that was openly accessible.

If true, that means MacKeeper has sort-of dodged a data breach bullet…

…but it’s still a bad look for a system utility company to let 13 million customer records get openly published on the internet.

If you’re a MacKeeper user, set a new password, don’t use a password you’ve already used somewhere else, and pick your new password properly!

Via: nakedsecurity

Google extends Safe Browsing to Android Chrome

Google says that its Safe Browsing service already protects about 1 billion desktop users from all sorts of online nastiness, be it malware, unsavory software, or social engineering (particularly phishing) sites.

Make that 1 billion plus all its free-range users: Google last Monday (7 December) announced that it’s extending Safe Browsing inoculation to Chrome users on Android.

Google added unwanted software download warnings to its Safe Browsing warnings in August 2014 to give users a heads-up when software was doing something sneaky – like switching your homepage or other browser settings to ones you don’t want, piggybacking on another app’s installation, or collecting or transmitting private information without letting a user know, among other things.

Noé Lutz, Nathan Parker, and Stephan Somogyi, from Google’s Chrome and Safe Browsing teams, said on Google’s online security blog that the Android platform and Google’s Play Store have long had protection against potentially harmful apps.

(Mind you, that protection hasn’t always been foolproof: Nothing like a little Fake Flappy Birds sequel or fake anti-virus app to make that clear.)

At any rate, beyond Google’s attempts to protect Android and the Play Store from harmful apps, “not all dangers to mobile users come from apps,” as Google’s online security team members said.

Social engineering – phishing in particular – requires different protection, they said, and that requires Google to keep an up-to-date list of bad sites on the device to make sure the company can warn people before they browse into a trap.

Keeping that list from getting stale is one of many tricky things about protecting mobile users.

Beyond that complicating factor are the facts that…

  • mobile data costs money for most users,
  • mobile data speeds are slower than Wi-Fi in many places, and
  • connectivity quality can be spotty depending on where a user is.

Every one of those conditions means that “data size matters a lot,” Google said.

To protect precious network bandwidth and battery usage, Google says it thought hard about how to best protect mobile users.

That means factoring in location, for one thing. From the announcement:

Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they’re in.

Google has also paid attention to prioritizing the warnings and squashing them into bite-sized tidbits:

We send information about the riskiest sites first: if we can only get a very short update through, as is often the case on lower-speed networks in emerging economies, the update really has to count. We also worked with Google’s compression team to make the little data that we do send as small as possible.

Google says it also made the software “extra stingy with memory and processor use, and careful about minimizing network traffic.”

All of these details matter to us; we must not waste our users’ data plans, or a single moment of their battery life.

If you’re an Android user, you probably already have the new Safe Browsing mode. It’s part of Google Play Services, starting with version 8.1.

Chrome is the first app to use it, starting with version 46, and Google’s now protecting all Android Chrome users by default.

You can verify that it’s enabled by looking at the Privacy menu under Chrome settings.

Via: sophos

Firms expect fines, new costs from Safe Harbor changes

Survey says 70 percent of IT decision makers expect to increase spending next year as a result.

IT budgets are expected to see a rumble of activity in the wake of the Safe Harbor earthquake.

In a new Ovum survey of IT decision makers at international companies, 70 percent said they expect to increase spending next year, 66 percent expect to have to make changes in their European business strategy, and 52 percent expect to be facing fines.

In October, the European Court of Justice, citing a lack of privacy protections in the U.S., invalidated the Safe Harbor agreement that had previously governed the sharing of data between Europe and the United States.

A new framework is currently being negotiated, but it is likely that companies will face stricter controls about moving data between countries, will need to encrypt or tokenize more data, and may even have to move data centers closer to their users and customers.

Intralinks, a global cloud-based collaboration software provider and sponsor of the report, is one of the companies affected, and has already begun investing in technology to cope with the expected regulatory changes.

“We’ve actually seen this coming, so we’ve been architecting our solutions and putting controls in place to give customers protections that they need so they don’t need to make drastic changes,” said Daren Glenister, the company’s field CTO. “We secure and encrypt documents in motion, even if you email documents outside the organization and keep it encrypted and safe and restrict access to that document to only people who need to have access to that document. We use customer-managed keys as well.”

Intralinks claims 99 percent of the Fortune 1000 as customers, including the majority of the world’s 20 largest banks.

And a third of its customers are now asking for logical control of their data, Glenister said.

This means that Intralinks can store the data in any location, but in secure, encrypted form. When the customer accesses that data, from their location, that is the only time it is decrypted and shown in plain text — and only the customer has those encryption keys.

Some regulators already accept these kinds of logical controls, where the keys are kept inside the customer’s country, as a safe equivalent to keeping all the data inside the country.

“I think we’ll see more of a legal and logical control rather than just a physical control,” he said.

Companies that do business in both the U.S. and Europe — and their service providers — will also need to be able to track who has access to the data, have controls in place, and monitor for data policy violations, he said. And those with more than 250 employees will also need to appoint a data privacy officer.

However, according to the Ovum report, only 44 percent of respondents monitor user activities and generate alerts when data policies are violated. Only 53 percent have data classification systems in place to align data with access controls. And 47 percent have no policies or controls related to the use of consumer-grade cloud storage and filesharing services.

“Businesses will have to change business processes and strategies,” Glenister said. If they don’t, the fines are “substantial” — up to 2 percent of global revenues.

New rules are expected to come out at the beginning of 2016, he said, and it’s likely that companies will have 12 to 18 months to get into compliance.

Via: csoonline


My Talking Tom offers up naked selfie ads to kids

My Talking Tom, heralded as the “world’s most popular cat” by the maker of the Android and iOS children’s app, is a fully animated, interactive 3D character that users can tickle, poke, play with, spend parents’ money to customize, get to repeat what they say, force to sing a pimple-themed version of Lady Gaga’s My Poker Face, and induce to dance Gangnam style.

What he is not designed to do is to serve as a delivery vehicle for ads that invite children to “f**k.”

But that’s exactly what the cartoon cat was used for in two in-game pop-up ads that were shown over the course of four days in August.

The ads were for Affairalert.com: a site that advertises the grammatically garbled “Meet Secret Sex Affairs” and which warns that “This site likely contains sexual pics of local hotties you may recognize!”

The UK’s Advertising Standards Authority (ASA) on Wednesday upheld complaints made by two parents, who said that their 7-year-old and 3-year-old children saw the ads while playing the game.

This is the second time the ASA has made a ruling on the content of ads featured in the app.

In June, the watchdog had confirmed that ads of three naked women, engaged in sexual activities with four other women, were shown, with a “play” symbol on top of the image.

According to the ASA, this time around, this is what the ads showed (profanity rendered work-safe):

  1. The first ad included a selfie of a naked woman sitting in front of a mirror. The photo had been cropped to just show her torso. Her breasts were exposed but her crotch was concealed by her hand. The words “Wanna f**k?” were written in lipstick on the mirror. Text above the image stated “Want to f**k her?” and the options “YES”, “MAYBE” and “NO” were stated below.
  2. The second ad was a slight variation on the first.

My Talking Tom is made by Outfit7 Ltd, but the ASA ruling was against the advertiser in question, Plymouth Associates Ltd.

From the ruling:

We considered that the sexually explicit content of the ads and the product they promoted meant that they should not appear in media which might be seen by children. We considered that the “My Talking Tom” app, in which the ads had appeared, would be of particular appeal to children.

Plymouth Associates, for its part, denied placing the ads in the app and said that it suspected that they’d been produced and placed “by a malicious third party,” as opposed to an affiliate, but the company couldn’t identify who was responsible.

Given that Plymouth Associates couldn’t present any evidence to confirm that somebody else was responsible, the buck stopped there, the advertising watchdog said:

Given that the ads promoted Affairalert.com and they were the sole beneficiaries, we considered that Plymouth Associates were responsible for the material and for ensuring that it was compliant with the Code.

The code referenced by the ASA is concerned with social responsibility.

The ASA said that Plymouth Associates had procedures in place intended to prevent their ads appearing in apps or websites that could appeal to, or were targeted at, users under the age of 18, but they sure didn’t work in this case.

From the ASA’s ruling:

We were concerned… that their procedures had not been adequate to ensure their ads only appeared in appropriate mediums. Therefore, we concluded that the ads had been irresponsibly placed and breached the Code.

The upshot: the ASA told Plymouth Associates Ltd to ensure that its ads were targeted appropriately and didn’t pop up again in apps played by children.

In the meantime, poor Talking Angela.

When she’s not putting up with internet freak-outs about scary guys looking out of her cartoon eyeballs, she has to put up with users making Talking Tom pressure her into cat-inappropriate behavior.

And now this? My Talking Tom delivering lewd ads?

Forgive me for what I am about to do, but it must be said: it’s Cat-astrophic.

Via: nakedsecurity

Microsoft warns of possible attacks after Xbox Live certificate leaked


Microsoft updated its Certificate Trust List (CTL) after private keys for an SSL/TLS digital certificate for Xbox Live were “inadvertently disclosed,” it said in a security advisory.

The *.xboxlive.com digital certificate could be used to attempt man-in-the-middle attacks, the company said.

In such an attack, the attacker could use the certificate to impersonate the xboxlive.com domain and intercept the website’s secure connection.

Tricked Xbox users might then hand over their username and password, potentially leading to yet more attacks on the user.

However, according to Microsoft, the certificate couldn’t be used to issue other certificates, impersonate other domains, or sign code.

Though Microsoft isn’t currently aware of attacks related to the certificate fumble, it says that the issue affects all supported releases of Microsoft Windows.

Windows users on supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511, and those using devices running Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile don’t have to sweat this, Microsoft said, given that their certificate trust lists are automatically updated.

For customers running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 who are using the automatic updater of CTLs, the update will also be applied without you needing to do anything.

For everyone else, make sure you update now!

Via: sophos