Microsoft Delivers Five Security Bulletins in a Light Patch Tuesday

Patch Tuesday has arrived with a bevy of patches from Microsoft starring alongside patches from Adobe Systems.

On Microsoft’s end, the company issued five security bulletins to plug a total of 15 vulnerabilities. Details of the bulletins were inadvertently made public briefly last week. All of the bulletins are rated ‘Important’, and none carry an exploitability rating higher than ‘2.’

“Overall this Patch Tuesday is on the small side,” said Dave Marcus, director of security research and communications at McAfee Labs, in a statement. “Though there are no critical updates this month, these vulnerabilities can pave the way for cybercriminals to execute more severe attacks, such as remote code execution or remote information disclosure.”

The security vulnerabilities cover a wide range of products, including Windows, Microsoft Office and Microsoft Server software.

“MS11-071, MS11-072, MS11-073 are all malicious file exploits which are usually used in spear phishing campaigns,” noted Rapid7 security researcher Marcus Carey, in a statement. “Many times end users will open up those malicious files, compromising their computer and organizations. Users should always be vigilant about the files they open, regardless of these bulletins.”

MS11-070 requires valid logon credentials in order to exploit, and has routinely been exploited due to social engineering and weak passwords, Carey said. MS11-074 meanwhile is related to several vulnerabilities associated with Microsoft SharePoint and Windows SharePoint Services.

“Administrators should pay attention to the details on this bulletin (MS11-074),” he said. “There are some known issues that could prevent organizations from using SharePoint after applying this update, effectively creating a self-inflicted denial of service scenario. This is why it is important to read the fine print, because many organizations use SharePoint as a vital part of their business operations. Microsoft lists the known issues and work-arounds related to this bulletin.”

But while this month’s Patch Tuesday was relatively quiet for Microsoft, Adobe issued an update to patch 13 vulnerabilities in Adobe Reader and Acrobat. The vulnerabilities range from heap overflow issues to a logic error that could be exploited to execute code.

“Critical vulnerabilities have been identified in Adobe Reader X (10.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh,” the company wrote in an advisory. “These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.”

Adobe recommends users of Adobe Reader and Acrobat X (10.1) and earlier versions for Windows and Macintosh update to version 10.1.1 of the software they are using. For users of Adobe Reader 9.4.5 and earlier versions for Windows and Macintosh that cannot update to Adobe Reader X (10.1.1), Adobe has made Adobe Reader 9.4.6 and Adobe Reader 8.3.1 available. The company issued identical advice for the corresponding versions of Acrobat. Adobe Reader 9.4.6 for UNIX is slated to be released Nov. 7.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.