SecurityWeek

Microsoft, Adobe Issue Critical Security Updates

Today is the start of a busy time of patching courtesy of Microsoft and Adobe Systems.

As part of Patch Tuesday, Microsoft released a total of 13 security bulletins, including three classified as ‘critical.’ The Microsoft bulletins join updates being released today by Adobe that affect Adobe Reader, Flash Player and Acrobat.

In the case of the Microsoft bulletins, the critical bugs affect Internet Explorer, Windows and other products. Among the bulletins is MS15-044, which addresses two vulnerabilities. The more serious of the two is a remote code execution vulnerability that exists when components of Windows, .NET Framework, Office, Lync and Silverlight fail to properly handle TrueType fonts. If successfully exploited, this vulnerability could allow an attacker to hijack an affected system, according to Microsoft.

The Internet Explorer bulletin addresses roughly two dozen vulnerabilities. The most severe of these could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The final critical bulletin deals with a vulnerability in Windows Journal that could be used to remotely execute code if a victim opens a specially crafted Journal file.

“The vulnerability with Windows Journal is particularly interesting in the target scenario, where an administrator is opening a journal file to determine or diagnose a problem, and the tools we’re given to manage problems are at the same time being used to penetrate the target host, and open you up for further attacks,” explained Jon Rudolph, principal software engineer at Core Security. “This most likely would not be aimed at the typical user, but someone with admin permissions. Other vulnerabilities this month address Elevation of Privilege in .NET, Silverlight, and Windows Kernel mode drivers; the kernel mode driver issue MS15-051 bears a striking initial resemblance to what we saw back in March in MS15-023. Overall it’s a normal month for patches, but the most immediate defense you can take is to think twice before you open or run your next files.”

Outside of the three Microsoft critical bulletins, the others are rated ‘important.’

Adobe customers will have a full plate of patching as well. According to Adobe, none of the bugs are being actively exploited. The updates for Flash Player impact Windows, Macintosh and Linux, and could potentially be used to take over an affected system. The updates for Acrobat and Reader impact Windows and Mac computers, and could be used to hijack vulnerable systems as well.

“Adobe’s APSB15-10 update closes an impressive number of holes related to processing of PDF documents,” said Craig Young, security researcher at Tripwire. “With 14 flaws related to bypassing restrictions on the JavaScript API, I expect that some attackers are having a field day leveraging the JavaScript bypasses for easier exploitation of the 10 memory corruption bugs also being fixed. As with browser based exploits, the ability to execute JavaScript code gives attackers an edge at getting specific memory arrangements required for reliable exploitation of memory corruption bugs.”

In addition, some JavaScript security bypasses can be used directly as a platform for attacking other network accessible systems in ways that browsers would typically prevent through the same-origin policy, he said.

“The risk of this type of attack grows exponentially as we see more and more vulnerable by design Internet of Things devices coming online in homes and offices,” said Young.

Written By

Marketing professional with a background in journalism and a focus on IT security.
