Microsoft, Adobe issue security updates for more than 50 bugs

Powered by SC Magazine
 

Active exploits to boot.

Microsoft and Adobe on Tuesday put security administrators to work with the release of security updates covering a swath of issues.

And they're going to have to work fast, as each software provider is patching a vulnerability that is under active exploitation.

Microsoft's update consists of five "critical" and four "important" bulletins, addressing 26 deficiencies in Windows, Internet Explorer (IE), Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

Security researchers who analyzed the patches mostly agreed over which patch is the most pressing to apply: MS12-60. The vulnerability, which impacts Windows Common Controls, is similar to an issue patched in April. According to Microsoft, "limited, targeted" exploits have been spotted that take advantage of the flaw.

"It affects all platforms of Windows and addresses an ActiveX component that's redistributed in many places in Windows," said Paul Henry, security and forensic analyst at Lumension. "It's an issue that was previously patched, and this month's patch cleans up the previous one. This is a very high priority update because it's native in Windows and impacts all Windows platforms."

Adobe, meanwhile, offered updates to its Reader, Acrobat, Shockwave Player and Flash Player products. Reader/Acrobat were upgraded to plug 20 vulnerabilities, Shockwave received five patches and Flash received one fix.

But it was the Flash update that is most important. Adobe said in an advisory that the vulnerability is being actively exploited by attackers in "limited, targeted attacks" against users of Flash for Internet Explorer in Windows.

Microsoft offered a number of other fixes that piqued researchers' interests.

They pointed to the cumulative patch for Internet Explorer, MS12-052, as a biggie. None of the four holes being sealed are under active attack, but researchers said that once known, IE bugs become easily exploitable.

Marcus Carey, security researcher at Rapid7, also called out MS12-058, which remediates a publicly known vulnerability in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats.

"It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App," he said. "An attacker could then escalate privileges from there."

Administrators should also pay attention to MS12-054, which repairs four bugs in Windows network components. While launching exploits against any of the four will be difficult, according to Microsoft, one of the vulnerabilities could lead to a worm spread.

"Keen-eyed attackers are going need to focus carefully on vulnerability to uncover all of its potential," said Andrew Storms, director of security operations at nCircle. "This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups. If this describes your business, deploy this patch as soon as you can."

Along with the patches on Tuesday, Microsoft also distributed an update requiring a minimum certificate length in Windows, specifically banning "the use of certificates with RSA keys less than 1024 bits in length." This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.

The update is available now for download, and Microsoft plans to push it out next month via Microsoft Update.

.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft, Adobe issue security updates for more than 50 bugs
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 327

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 136

Vote