Beware of fake Microsoft updates coming through email
- Friday, December 4, 2009, 10:01
- Threat Research
Email is still the most common method used for security update notifications from all major vendors, but it is also the trigger malware writers most commonly use to launch a chain of infection. When I came to work today I found in my inbox a message from Microsoft with the Security Bulletin Advance Notification for December. I immediately clicked on one of the links to visit the yet-to-be-published December Security Bulletin and investigate how many critical vulnerabilities will be fixed this month.
Investigating advance security notifications is important for us in SophosLabs. It may give us warning of potential new attack vectors, as well as a rough estimate of the amount of work involved in analysing the latest vulnerabilities and writing the analysis for next week. This month we are expecting three critical vulnerabilities that may result in remote code execution. Three disclosed critical vulnerabilities is not many, compared with some of the previous months. It seems that the vulnerabilities in Microsoft products are getting more difficult to find. Hopefully, the patch for the recently discovered IE vulnerability will also be released.
Following the first message from Microsoft there are two emails from the Apple Product Security team announcing the availability of security updates for Java for Mac, and after them another message coming directly from Steve Lipner, Microsoft’s Director of Security