Microsoft, Adobe Patch Critical Security Vulnerabilities

Microsoft and Adobe Systems released security updates today to fix a number of critical vulnerabilities.

The Microsoft updates address 13 vulnerabilities affecting Windows, Internet Explorer, SharePoint and other products. The bugs are addressed in a total of eight security bulletins. Six of these are rated ‘important’, while the other two – which deal with Internet Explorer and SharePoint – received Microsoft’s highest severity rating of ‘critical.’

MS14-029 is aimed at Internet Explorer, and addresses remote code execution vulnerabilities. One of them, CVE-2014-1815, is currently the subject of targeted attacks, according to the company.

“Unlike what we expected, this is another surgical fix, similar to the out-of-band MS14-021 from May 1,” blogged Wolfgang Kandek. “MS14-021 addressed the zero-day CVE-2014-1776, which had been found in the wild by FireEye on April 26. In a similar fashion MS14-029 addresses CVE-2014-1815, which was detected as having attacks in the wild by the Google Security Team. For good measure Microsoft also included MS14-021/CVE-2014-1776 in this bulletin, so if you have not installed it yet, you can just install MS14-029 and address both issues at the same time.”

Interestingly, Microsoft does not list the SharePoint vulnerability as the next important issue to prioritize; instead the company recommends focusing on MS14-024 and MS14-025.

MS14-024 can be exploited to allow an attacker to bypass security features if the user can be lured into viewing a malicious web page in a browser capable of instantiating COM components, such as Internet Explorer, Microsoft explained. MS14-025 meanwhile could lead to elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain – a practice that could permit an attacker to retrieve and decrypt the password stored with the Group Policy preferences.
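The MS14-025 issue is a configuration problem as much as a software one: the bulletin stops administrators from configuring new Group Policy Preference passwords, but any password already written into the preference XML files under SYSVOL stays there, readable by every domain user, until the administrator finds and removes it. The following scanner is an added example, not code from the SecurityWeek article or from Microsoft. It walks a SYSVOL-style tree, looks only at the preference file names known to carry a password (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml), and reports every element whose Properties carry a non-empty `cpassword` attribute. The sample directory, the placeholder GPO GUID and the `cpassword` values it builds are constructed for the demonstration; the scanner never returns or prints the stored values, only where they are.

```python
"""Locate stored Group Policy Preference passwords in a SYSVOL tree.

Added example (not from the article or from Microsoft).  Group Policy
Preferences keep a configured password in a `cpassword` attribute on the
<Properties> element of the item that uses it.  Because SYSVOL is readable
by all authenticated domain users, any non-empty cpassword is a finding
that should be remediated by removing the preference item, regardless of
how the value is encoded.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files whose items can carry a cpassword attribute.
GPP_FILES = {
    "Groups.xml", "Services.xml", "ScheduledTasks.xml",
    "DataSources.xml", "Drives.xml", "Printers.xml",
}


def find_cpassword(xml_path):
    """Return (item tag, item name) for every item in one preference file
    whose child element carries a non-empty cpassword attribute."""
    findings = []
    try:
        tree = ET.parse(xml_path)
    except ET.ParseError:
        return findings  # malformed file: nothing reliable to report
    for item in tree.iter():
        for child in item:
            # An empty cpassword="" means no password was configured.
            if child.get("cpassword"):
                findings.append((item.tag, item.get("name", "")))
    return findings


def scan_sysvol(root):
    """Walk a SYSVOL tree and return one (relative path, item tag, item name)
    tuple per stored password, sorted for stable reporting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            for item_tag, item_name in find_cpassword(full):
                findings.append((rel, item_tag, item_name))
    return sorted(findings)


def build_sample_sysvol():
    """Create a constructed SYSVOL-like tree and return its root path.
    The GUID-style folder name, clsid values and cpassword strings are
    placeholders for the demonstration, not real policy data."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    prefs = os.path.join(root, "Policies", "{00000000-PLACEHOLDER-GPO-GUID}",
                         "Machine", "Preferences")
    fake_cpassword = "Q09OU1RSVUNURURfU0FNUExFX1ZBTFVF"  # constructed value
    samples = {
        os.path.join("Groups", "Groups.xml"):
            '<Groups clsid="{PLACEHOLDER}">'
            '<User clsid="{PLACEHOLDER}" name="LocalAdmin">'
            '<Properties action="U" userName="LocalAdmin" '
            'cpassword="' + fake_cpassword + '"/>'
            '</User></Groups>',
        os.path.join("Services", "Services.xml"):
            '<NTServices clsid="{PLACEHOLDER}">'
            '<NTService clsid="{PLACEHOLDER}" name="BackupAgent">'
            '<Properties serviceName="BackupAgent" accountName="CORP\\svc_backup" '
            'cpassword="' + fake_cpassword + '"/>'
            '</NTService></NTServices>',
        # A drive map with no password configured: must not be reported.
        os.path.join("Drives", "Drives.xml"):
            '<Drives clsid="{PLACEHOLDER}">'
            '<Drive clsid="{PLACEHOLDER}" name="H:">'
            '<Properties action="U" path="\\\\fileserver\\home" cpassword=""/>'
            '</Drive></Drives>',
    }
    for rel, body in samples.items():
        path = os.path.join(prefs, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="utf-8"?>' + body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_sysvol()
    for rel, item_tag, item_name in scan_sysvol(demo_root):
        print(f"stored password in {rel}: {item_tag} '{item_name}'")
```

On a real domain controller the root to pass is the domain's SYSVOL share (for example `\\<domain>\SYSVOL\<domain>`); each finding names the GPO folder and the preference item so the item can be removed and the account's password rotated, since the value has to be assumed exposed to every domain user.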

“MS14-024 is going to be the other high priority patch this month,” explained Chris Goettl, product manager at Shavlik. “Though it’s only ranked important, there have been limited attacks in the wild and it allows for an attacker to bypass security features, so it will be important to get this one out quickly. Fortunately, this exploit does seem to require a degree of user participation, which is likely why it’s ranked important, rather than critical.”

Though MS14-022, the other security bulletin rated ‘critical’, was not considered a high priority by Microsoft, system administrators should not disregard it, Goettl said.

“Admins should test this patch thoroughly to ensure all SharePoint sites stay online, but don’t hold off patching this one, as many admins are prone to do,” he said. “It’s a cross-site scripting issue that could allow a remote code execution, so be sure to put this patch at the top of your list.”

Microsoft also released an update for Windows 8 and Windows Server 2012 to enhance credential protection and domain authentication controls. These features are already available in Windows 8.1 and Windows Server 2012 R2, and the company is now making them available for the older platforms. In addition, Microsoft released an update for the .NET Framework that disables Rivest Cipher 4 (RC4) in Transport Layer Security (TLS). A final update revokes the digital signature of a specific Unified Extensible Firmware Interface (UEFI) module. This step was taken out of an “abundance of caution,” and Microsoft is not currently aware of any customer impact.

In addition to the Microsoft vulnerabilities, administrators must also address updates released by Adobe today for Acrobat, Flash Player, Reader and Adobe Illustrator.

“Since it is Adobe’s month to patch, they have updates for pretty much everything,” Goettl said. “The Adobe Reader and Acrobat updates are plugging 11 vulnerabilities. These are addressing a variety of issues, making it a pretty ugly priority one update. Along with the two critical Microsoft patches, it should be close to the top of your list this month.”

“Flash had a zero day vulnerability that was recently patched,” he added, “so if you haven’t issued that to users yet, be sure to do so. The new Flash release addresses six total vulnerabilities in addition to that zero-day. It’s a priority one for all Windows platforms and there will be an update to the Flash plugin for both IE and Chrome, so be sure to pay attention there. If you haven’t patched your Adobe products recently, it will be important to do.”

*This post was updated with additional information. 
