Microsoft, Adobe issue security updates for more than 50 bugs

Powered by SC Magazine
 

Active exploits to boot.

Microsoft and Adobe on Tuesday put security administrators to work with the release of security updates covering a swath of issues.

And they're going to have to work fast, as each software provider is patching a vulnerability that is under active exploitation.

Microsoft's update consists of five "critical" and four "important" bulletins, addressing 26 deficiencies in Windows, Internet Explorer (IE), Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

Security researchers who analyzed the patches mostly agreed over which patch is the most pressing to apply: MS12-60. The vulnerability, which impacts Windows Common Controls, is similar to an issue patched in April. According to Microsoft, "limited, targeted" exploits have been spotted that take advantage of the flaw.

"It affects all platforms of Windows and addresses an ActiveX component that's redistributed in many places in Windows," said Paul Henry, security and forensic analyst at Lumension. "It's an issue that was previously patched, and this month's patch cleans up the previous one. This is a very high priority update because it's native in Windows and impacts all Windows platforms."

Adobe, meanwhile, offered updates to its Reader, Acrobat, Shockwave Player and Flash Player products. Reader/Acrobat were upgraded to plug 20 vulnerabilities, Shockwave received five patches and Flash received one fix.

But it was the Flash update that is most important. Adobe said in an advisory that the vulnerability is being actively exploited by attackers in "limited, targeted attacks" against users of Flash for Internet Explorer in Windows.

Microsoft offered a number of other fixes that piqued researchers' interests.

They pointed to the cumulative patch for Internet Explorer, MS12-052, as a biggie. None of the four holes being sealed are under active attack, but researchers said that once known, IE bugs become easily exploitable.

Marcus Carey, security researcher at Rapid7, also called out MS12-058, which remediates a publicly known vulnerability in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats.

"It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App," he said. "An attacker could then escalate privileges from there."

Administrators should also pay attention to MS12-054, which repairs four bugs in Windows network components. While launching exploits against any of the four will be difficult, according to Microsoft, one of the vulnerabilities could lead to a worm spread.

"Keen-eyed attackers are going need to focus carefully on vulnerability to uncover all of its potential," said Andrew Storms, director of security operations at nCircle. "This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups. If this describes your business, deploy this patch as soon as you can."

Along with the patches on Tuesday, Microsoft also distributed an update requiring a minimum certificate length in Windows, specifically banning "the use of certificates with RSA keys less than 1024 bits in length." This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.

The update is available now for download, and Microsoft plans to push it out next month via Microsoft Update.

.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft, Adobe issue security updates for more than 50 bugs
 
 
 
Top Stories
Photos: iTnews Benchmark Awards countdown begins
Just a few days left until entries close for 2014.
 
Australian Govt to rethink cyber security strategy
Six-year old policy to be refreshed.
 
The failure of the antivirus industry
[Blog post] Insights from AVAR 2014.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
More 4G from Optus in Darwin
Nov 21, 2014
Click to see where Optus has expanded coverage to the suburbs near Darwin.
Optus steps up regional 4G coverage
Nov 20, 2014
Once 700Mhz services are working, Optus claims regional users will have a "faster and more ...
This Huawei 4G phone costs $99
Nov 12, 2014
The $99 Huawei Ascend Y550, available through Vodafone, enters the budget market as one of the ...
4G smartphones: Microsoft's Lumia 830
Nov 7, 2014
Microsoft has announced its flagship Windows Phone, the Nokia Lumia 830 4G, will be available in ...
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 1073

Vote