Microsoft, Adobe Release Critical Patches; Adobe Introduces JavaScript Whitelisting

Microsoft and Adobe Systems released a bevy of patches today to plug security holes in their products.

Only one of the month’s seven Microsoft Patch Tuesday bulletins is rated ‘critical’; the others are considered ‘important.’ The critical bulletin covers two vulnerabilities affecting Windows Media Player. If exploited, both could enable an attacker to execute code remotely with the same rights as the local user.

“The Windows Media player bulletin for Windows Vista and XP should be the top deployment priority for everyone,” noted Andrew Storms, director of security operations for nCircle. “The most significant bug in the bulletin can be exploited via a drive-by attack, and that’s always a major concern.”

So far, Microsoft is unaware of any attempt to exploit the vulnerabilities in the wild.

“Although only rated important, we actually picked the Assembly Execution Vulnerability as the most severe issue this month,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file. Email attachments will probably be the most common attack method in which this vulnerability is exploited,” Talbot added.

Also bundled in with the fixes is the patch for the SSL (secure sockets layer) vulnerability exploited by the BEAST attack tool developed by security researchers Juliano Rizzo and Thai Duong. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system.

“As you may remember, last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513,” blogged Angela Gunn, senior response communications manager for Microsoft Trustworthy Computing. “Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation. We’re re-releasing that bulletin today as MS12-006; we’re also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.”

On Adobe’s end, the company closed a number of security holes affecting Adobe Reader and Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. Among these fixes is a patch for a critical vulnerability the company first warned about in December that could cause the application to crash and potentially allow an attacker to take control of the affected system. That issue, tracked as CVE-2011-2462 and CVE-2011-4369, had already been patched for Adobe Reader and Acrobat 9.x on Windows because it was being exploited in attacks. The company said it is not aware of any attempts to exploit any other vulnerabilities fixed in today’s release.

Adobe adds JavaScript Whitelisting Capabilities to Reader and Acrobat

In addition to the patches, Adobe also introduced a new JavaScript whitelisting capability in Adobe Reader and Acrobat X (10.1.2) and 9.5. “Adobe Reader and Acrobat allow administrators to disable the execution of JavaScript embedded in PDF files, a potential attack vector for exploits,” according to the company. “While doing so provides mitigation against JavaScript-based vulnerabilities, it also breaks PDF-based solution workflows that rely on forms and JavaScript.”

“The new JavaScript whitelisting capability introduced in Adobe Reader and Acrobat X (10.1.2) and 9.5 allows JavaScript execution in PDF files based on document trust,” the company continues. “If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution.”
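Because the trust decision above hinges on whether a PDF actually carries script, it helps to see what that looks like inside the file. The following Python scanner is an added illustration, not code from the article or from Adobe: it flags the PDF name tokens that hold JavaScript (/JavaScript, /JS) or fire it without user interaction (/OpenAction, /AA), and it resolves the hex-escaped name form that hides those tokens from a naive search. The sample PDFs are constructed inline.

```python
import re

# Constructed sample (not from the article): a minimal PDF whose catalog
# carries an /OpenAction that runs embedded JavaScript as soon as it opens.
SAMPLE_PDF_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hi');) >> endobj
trailer << /Root 1 0 R >>
"""
# Same document with the key names hex-escaped (/J#53 is /JS in PDF name
# syntax), which defeats a naive substring search.
SAMPLE_PDF_OBFUSCATED = (SAMPLE_PDF_WITH_JS.replace(b"/JS ", b"/J#53 ")
                         .replace(b"/JavaScript", b"/Java#53cript"))
# A document with no actions at all.
SAMPLE_PDF_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
"""

# Name tokens that carry a script (/JavaScript, /JS) or trigger one without
# user interaction (/OpenAction on open, /AA on page and form-field events).
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

def _normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside name tokens so obfuscated names match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)

def scan_pdf(data: bytes) -> dict:
    """Count each indicator. Only uncompressed objects are inspected; a real
    scanner must also inflate FlateDecode object streams before matching."""
    norm = _normalize_names(data)
    found = {}
    for name in INDICATORS:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSX.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        if hits:
            found[name.decode()] = hits
    return found

def needs_javascript(data: bytes) -> bool:
    """True when the file would only work with JavaScript enabled or trusted."""
    found = scan_pdf(data)
    return "/JavaScript" in found or "/JS" in found
```

A document that reports no script indicators is exactly the kind that keeps working with JavaScript disabled globally, while one that does is a candidate for the per-document trust decision rather than a blanket allow.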

Symantec also stressed the importance of patching a vulnerability that Microsoft addressed over the holidays with an out-of-band security update. “This is also a good time to remind everyone about the critical out-of-band patch Microsoft issued late last month,” Talbot said. “Because it’s likely many people were out on vacation, it may have slipped through the cracks. However, it’s very important that the MS11-100 bulletin gets addressed as soon as possible.”

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
