As part of their scheduled patch cycles, Microsoft and Adobe Systems today released patches aimed at securing users.
Microsoft released 13 security bulletins today for Patch Tuesday, including a patch for the security vulnerability (MS11-087) exploited by Duqu. Adobe meanwhile issued an update for its ColdFusion software for Windows, Mac and UNIX that closes a pair of cross-site scripting vulnerabilities in version 9.0.1 and earlier.
The Adobe vulnerabilities are not currently being exploited in the wild, and Adobe said it is still working on an update for Adobe Reader and Acrobat for Windows to cover the zero-day bug reported to be under attack last week.
As for the Microsoft bulletins, three of the 13 are rated ‘critical’, while the remaining 10 hold the rating of ‘important.’ In total, the bulletins close 19 security holes. Among them is a remote code execution bug exploited in the Duqu attacks. The bug lies in the Windows kernel and exists due to the improper handling of a specially crafted TrueType font file. Despite the publicity surrounding Duqu, however, that particular vulnerability may not be the most dangerous, argued Andrew Storms, director of security operations at nCircle.
“The only truly critical bug is a Windows Media drive-by flaw that should be patched immediately,” Storms said. “The other critical bulletin is a fix for the vulnerability used by Duqu. After many dire predictions in the press, Duqu hasn’t turned out to be much of a threat.”
According to Microsoft, the Windows Media vulnerability Storms is referring to also impacts Windows Media Center and can enable an attacker to execute code remotely if a user is tricked into opening a malicious Microsoft Digital Video Recorder (.dvr-ms) file. The remaining critical bulletin is an update of ActiveX Kill Bits and addresses a remote code execution issue that can be exploited if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer (IE).
Left off this month’s round of Microsoft patches is a fix for the vulnerability exploited by the BEAST attack tool developed by security researchers Juliano Rizzo and Thai Duong. Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, explained that the bulletin was dropped from the release because of an application-compatibility issue with a “major third-party vendor.”
“We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate,” she blogged. “As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope.”
