Today is the start of a busy time of patching courtesy of Microsoft and Adobe Systems.
As part of Patch Tuesday, Microsoft released a total of 13 security bulletins, including three classified as ‘critical.’ The Microsoft bulletins join updates being released today by Adobe that affect Adobe Reader, Flash Player and Acrobat.
In the case of the Microsoft bulletins, the critical bugs affect Internet Explorer, Windows and other products. Among the bulletins is MS15-044, which addresses two vulnerabilities. The more serious of the two is a remote code execution vulnerability that exists when components of Windows, .NET Framework, Office, Lync and Silverlight fail to properly handle TrueType fonts. If successfully exploited, this vulnerability could allow an attacker to hijack an affected system, according to Microsoft.
The Internet Explorer bulletin addresses roughly two dozen vulnerabilities. The most severe of these could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The final critical bulletin deals with a vulnerability in Windows Journal that could be used to remotely execute code if a victim opens a specially crafted Journal file.
“The vulnerability with Windows Journal is particularly interesting in the target scenario, where an administrator is opening a journal file to determine or diagnose a problem, and the tools we’re given to manage problems are at the same time being used to penetrate the target host, and open you up for further attacks,” explained Jon Rudolph, principal software engineer at Core Security. “This most likely would not be aimed at the typical user, but someone with admin permissions. Other vulnerabilities this month address Elevation of Privilege in .NET, Silverlight, and Windows Kernel mode drivers. The kernel mode driver issue MS15-051 bears a striking initial resemblance to what we saw back in March in MS15-023. Overall it’s a normal month for patches, but the most immediate defense you can take is to think twice before you open or run your next files.”
Outside of the three Microsoft critical bulletins, the others are rated ‘important.’
Adobe customers will have a full plate of patching as well. According to Adobe, none of the bugs are being actively exploited. The updates for Flash Player impact Windows, Macintosh and Linux, and could potentially be used to take over an affected system. The updates for Acrobat and Reader impact Windows and Mac computers, and could be used to hijack vulnerable systems as well.
“Adobe’s APSB15-10 update closes an impressive number of holes related to processing of PDF documents,” said Craig Young, security researcher at Tripwire. “With 14 flaws related to bypassing restrictions on the JavaScript API, I expect that some attackers are having a field day leveraging the JavaScript bypasses for easier exploitation of the 10 memory corruption bugs also being fixed. As with browser-based exploits, the ability to execute JavaScript code gives attackers an edge at getting specific memory arrangements required for reliable exploitation of memory corruption bugs.”
In addition, some JavaScript security bypasses can be used directly as a platform for attacking other network-accessible systems in ways that browsers would typically prevent through the same-origin policy, he said.
“The risk of this type of attack grows exponentially as we see more and more vulnerable-by-design Internet of Things devices coming online in homes and offices,” said Young.