Microsoft, Adobe issue security updates for more than 50 bugs

Powered by SC Magazine
 

Active exploits to boot.

Microsoft and Adobe on Tuesday put security administrators to work with the release of security updates covering a swath of issues.

And they're going to have to work fast, as each software provider is patching a vulnerability that is under active exploitation.

Microsoft's update consists of five "critical" and four "important" bulletins, addressing 26 deficiencies in Windows, Internet Explorer (IE), Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

Security researchers who analyzed the patches mostly agreed over which patch is the most pressing to apply: MS12-60. The vulnerability, which impacts Windows Common Controls, is similar to an issue patched in April. According to Microsoft, "limited, targeted" exploits have been spotted that take advantage of the flaw.

"It affects all platforms of Windows and addresses an ActiveX component that's redistributed in many places in Windows," said Paul Henry, security and forensic analyst at Lumension. "It's an issue that was previously patched, and this month's patch cleans up the previous one. This is a very high priority update because it's native in Windows and impacts all Windows platforms."

Adobe, meanwhile, offered updates to its Reader, Acrobat, Shockwave Player and Flash Player products. Reader/Acrobat were upgraded to plug 20 vulnerabilities, Shockwave received five patches and Flash received one fix.

But it was the Flash update that is most important. Adobe said in an advisory that the vulnerability is being actively exploited by attackers in "limited, targeted attacks" against users of Flash for Internet Explorer in Windows.

Microsoft offered a number of other fixes that piqued researchers' interests.

They pointed to the cumulative patch for Internet Explorer, MS12-052, as a biggie. None of the four holes being sealed are under active attack, but researchers said that once known, IE bugs become easily exploitable.

Marcus Carey, security researcher at Rapid7, also called out MS12-058, which remediates a publicly known vulnerability in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats.

"It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App," he said. "An attacker could then escalate privileges from there."

Administrators should also pay attention to MS12-054, which repairs four bugs in Windows network components. While launching exploits against any of the four will be difficult, according to Microsoft, one of the vulnerabilities could lead to a worm spread.

"Keen-eyed attackers are going need to focus carefully on vulnerability to uncover all of its potential," said Andrew Storms, director of security operations at nCircle. "This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups. If this describes your business, deploy this patch as soon as you can."

Along with the patches on Tuesday, Microsoft also distributed an update requiring a minimum certificate length in Windows, specifically banning "the use of certificates with RSA keys less than 1024 bits in length." This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.

The update is available now for download, and Microsoft plans to push it out next month via Microsoft Update.

.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft, Adobe issue security updates for more than 50 bugs
 
 
 
Top Stories
Change is the only constant at iiNet
iiNet's Matthew Toohey is trialling IBM's Watson - between preparing for an acquisition and making sure Netflix doesn't swamp the network.
 
Why straight-through processing is the holy grail for banks
Big benefits from stripping away human intervention and digitising processes.
 
CBA sued over frozen millions in IT bribery scandal
Eric Pulier's not-for profit lodges lawsuit in US.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
New features are coming to Outlook.com
May 27, 2015
Outlook.com, thanks to its predecessor Hotmail.com, is one of the world's major webmail services ...
Windows 10 to feature integrated apps for Android and iOS
May 27, 2015
Microsoft reveals multi-platform Cortana connectivity for Windows 10. What the heck is that, and ...
Microsoft launches Office for Android preview
May 22, 2015
Microsoft has launched a preview of Office for Android smartphones. Pre-release versions of ...
Microsoft is working on an iOS email chat feature called Flow
May 22, 2015
Microsoft is working on a new chat app, but at the moment we know more about what we DON'T know, ...
Windows 10 free upgrade: Microsoft details who gets what
May 22, 2015
Microsoft was meant to be streamlining its OS with Windows 10, so why is upgrading so confusing? ...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  44%
 
No
  56%
TOTAL VOTES: 670

Vote