Microsoft, Adobe Patch Vulnerabilities

Published: 22/11/2024   Category: security




Microsoft patches 15 important vulnerabilities, Adobe update fixes critical Reader and Acrobat vulnerabilities, and multiple vendors block more DigiNotar-related certificates.



Microsoft released five security bulletins Tuesday, patching 15 different vulnerabilities in Microsoft Windows, Excel, Office, SharePoint, and Windows Server. All of the bugs are rated important, but not critical, since they can't be exploited without some user interaction.
Of all the vulnerabilities patched, one to prioritize fixing is an arbitrary code execution vulnerability in Excel, said Wolfgang Kandek, CTO of Qualys, in a blog post. It affects all versions of Excel including the most recent 2010 version. To exploit this issue, attackers could create malicious Excel files, which, when opened on vulnerable hosts, can take control of the system.
Likewise, he recommends installing the fix for a code execution vulnerability in Microsoft Office versions 2003, 2007, and 2010--including Microsoft Word--as soon as possible, because the bug could allow an attacker to use a malicious Word file to execute arbitrary code on a user's PC.
Interestingly, two of the other vulnerabilities have already been publicly disclosed, but neither are of too great a concern, said Joshua Talbot, security intelligence manager for Symantec Security Response, via email. The first is the HTML Sanitization Vulnerability, which is simply an information disclosure issue. The other is the Insecure Library Loading Vulnerability, which is part of the ongoing DLL issue that the company has been working on correcting for more than a year now. We've yet to see any exploits targeting one of these vulnerabilities.
By all accounts, this month's patch update from Microsoft was mild, but it comes on the heels of the DigiNotar debacle, in which the Dutch registrar was hacked, with the attacker or attackers generating fake certificates for well-known Web concerns, including Microsoft Update and Gmail.
On Tuesday, Microsoft released another update to revoke bad DigiNotar certificates. According to Kandek, the update revokes certificates signed by two Certificate Authorities (CAs): Entrust and Cybertrust, who issued certificates on behalf of DigiNotar.
Since the exploit of DigiNotar, which publicly came to light last month, a number of browser makers, including Microsoft, Mozilla, Google, Opera, and more recently Apple, released updates to block the bad certificates. Since then, other companies, including Facebook, Skype, and Adobe, have followed suit to block the certificates in their products.
Entrust requested that Microsoft blacklist two cross-certificates that it signed with DigiNotar in 2007, and recently revoked, "just as a belt and suspenders type of approach to security, to make sure that even if [attackers] did find a way to get to that old route, and issue something that was somehow tied to Entrust, it wouldn't be trusted out there in the market," said David Rockvam, Entrust's general manager of certificate services and chief marketing officer. In other words, the company is being cautious. Entrust has had no breach, he said.
Back on the security patch front, Adobe also released fixes Tuesday for critical security issues--meaning they can be remotely exploited, potentially without a user being aware--in Reader and Acrobat. If exploited, the vulnerability could allow an attacker to crash and potentially take control of a user's machine. Adobe said it had not seen the vulnerability being used in the wild.
The bug affects multiple versions of Adobe Reader and Acrobat: Reader and Acrobat X 10.1 and earlier (Windows, Mac), versions 9.4.5 and earlier (Windows, Mac, Unix), as well as versions 8.3 and earlier (Windows, Mac). To fix the vulnerability, Adobe on Tuesday released Reader and Acrobat updates, numbered 8.3.1, 9.4.5, and 10.1.1, for Windows and Mac.
While the bug is also present in Reader version 9.x on Unix, users will have to wait two months for a patch. Adobe said it plans to release Reader version 9.4.6 for Unix on November 7.
