Microsoft and Adobe Systems each released patches today to address critical security vulnerabilities in their products.
For Patch Tuesday, Microsoft issued four security bulletins to plug a total of four vulnerabilities. Just one of those bulletins is rated ‘critical’ – a bug in Microsoft Windows that can be exploited by an attacker to remotely execute code.
According to Microsoft, the vulnerability is triggered when the Windows TCP/IP stack processes a continuous flow of specially crafted User Datagram Protocol (UDP) packets. The result is an integer overflow.
“The Reference Counter Overflow Vulnerability from this month’s update is probably the most concerning of the bunch,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “We estimate an attack attempting to leverage it would take a considerable amount of time; perhaps 4 to 5 hours to complete a single attack. However, if an attacker can pull it off the result would be a complete system crash or compromise if the attacker develops a reliable means of exploitation.”
So far, Microsoft has not seen any evidence the vulnerability has been targeted in the wild, and while this bulletin had the most severe ranking, two of the other bulletins were considered more likely to be exploited. Those two – MS11-085 and MS11-086 – were both rated ‘Important’, but had Microsoft’s highest exploitability rating possible. MS11-085 covers a remote code execution bug that is due to the way Windows Mail and Windows Meeting Space handle the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system, the company said in an advisory.
MS11-086 addresses a vulnerability affecting Active Directory (AD), Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Service (AD LDS). It can be exploited by an attacker for privilege escalation if AD is configured to use LDAP over SSL and the attacker has a revoked SSL certificate associated with a valid domain account, then uses that revoked certificate to authenticate to the Active Directory domain.
The final bulletin, MS11-084, is ranked ‘moderate’ and can be exploited to launch a denial of service attack.
“MS11-084 is definitely the most interesting bulletin this month,” opined Andrew Storms, director of security operations for nCircle. “This kernel bug deals with how font files are parsed and received only a moderate risk rating.”
“The interesting thing about this bulletin is that it appears to have a lot in common with the Duqu advisory Microsoft released last week,” he added, referring to the Windows security advisory Microsoft put out on Nov. 3. “I wonder if we are seeing the beginning of a new malware trend focused on exploiting kernel and font parsing bugs.”
Meanwhile, the patching continues for systems running Adobe Shockwave Player. The company issued a security update today to address critical vulnerabilities in Shockwave Player 22.214.171.1249 and earlier for Windows and Mac. According to Adobe, these bugs could allow an attacker to run malicious code on a vulnerable system. Among the bugs fixed by the update are two memory corruption vulnerabilities in the DIRapi library and multiple memory corruption issues in the TextXtra module, all of which could lead to code execution.
Adobe said that it is unaware of any attempts to exploit the vulnerabilities, and recommends users of Adobe Shockwave Player 126.96.36.1999 and earlier versions update to Adobe Shockwave Player 188.8.131.523 using the instructions provided in the security bulletin.