Microsoft, Adobe issue security updates for more than 50 bugs

Powered by SC Magazine
 

Active exploits to boot.

Microsoft and Adobe on Tuesday put security administrators to work with the release of security updates covering a swath of issues.

And they're going to have to work fast, as each software provider is patching a vulnerability that is under active exploitation.

Microsoft's update consists of five "critical" and four "important" bulletins, addressing 26 deficiencies in Windows, Internet Explorer (IE), Exchange Server, SQL Server, Server Software, Developer Tools, and Office.

Security researchers who analyzed the patches mostly agreed over which patch is the most pressing to apply: MS12-60. The vulnerability, which impacts Windows Common Controls, is similar to an issue patched in April. According to Microsoft, "limited, targeted" exploits have been spotted that take advantage of the flaw.

"It affects all platforms of Windows and addresses an ActiveX component that's redistributed in many places in Windows," said Paul Henry, security and forensic analyst at Lumension. "It's an issue that was previously patched, and this month's patch cleans up the previous one. This is a very high priority update because it's native in Windows and impacts all Windows platforms."

Adobe, meanwhile, offered updates to its Reader, Acrobat, Shockwave Player and Flash Player products. Reader/Acrobat were upgraded to plug 20 vulnerabilities, Shockwave received five patches and Flash received one fix.

But it was the Flash update that is most important. Adobe said in an advisory that the vulnerability is being actively exploited by attackers in "limited, targeted attacks" against users of Flash for Internet Explorer in Windows.

Microsoft offered a number of other fixes that piqued researchers' interests.

They pointed to the cumulative patch for Internet Explorer, MS12-052, as a biggie. None of the four holes being sealed are under active attack, but researchers said that once known, IE bugs become easily exploitable.

Marcus Carey, security researcher at Rapid7, also called out MS12-058, which remediates a publicly known vulnerability in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats.

"It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App," he said. "An attacker could then escalate privileges from there."

Administrators should also pay attention to MS12-054, which repairs four bugs in Windows network components. While launching exploits against any of the four will be difficult, according to Microsoft, one of the vulnerabilities could lead to a worm spread.

"Keen-eyed attackers are going need to focus carefully on vulnerability to uncover all of its potential," said Andrew Storms, director of security operations at nCircle. "This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups. If this describes your business, deploy this patch as soon as you can."

Along with the patches on Tuesday, Microsoft also distributed an update requiring a minimum certificate length in Windows, specifically banning "the use of certificates with RSA keys less than 1024 bits in length." This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.

The update is available now for download, and Microsoft plans to push it out next month via Microsoft Update.

.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft, Adobe issue security updates for more than 50 bugs
 
 
 
Top Stories
How hard do you hack back?
[Blog post] Taking the offensive could have unintended consequences.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
The big winners from Defence’s back-office IT refresh
Updated: The full list of subcontractors.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
This 4G smartphone costs $219
Sep 3, 2014
It's possible to spend a lot less on a smartphone if you're prepared to go with a brand you ...
Looking for storage? Seagate has five new small business NAS devices
Aug 22, 2014
Seagate has announced a new portfolio of Networked Attached Storage (NAS) solutions specifically ...
Run a small business in western Sydney?
Aug 15, 2014
This event might be of interest if you're looking to meet other people with a similar interest ...
Buying a tablet? Microsoft's Surface Pro 3 goes on sale this month
Aug 8, 2014
Microsoft has announced its Surface Pro 3 will go on sale in Australia on 28 August from ...
Apple's top MacBook Pro with Retina is now cheaper
Aug 1, 2014
Apple has updated its MacBook Pro range with faster processors and new pricing, including ...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1009

Vote