As part of their scheduled patch cycles, Microsoft and Adobe Systems today released patches aimed at securing users.
Microsoft released 13 security bulletins today for Patch Tuesday, including a patch for the security vulnerability (MS11-087) exploited by Duqu. Adobe meanwhile issued an update for its ColdFusion software for Windows, Mac and UNIX that closes a pair of cross-site scripting vulnerabilities in version 9.0.1 and earlier.
The Adobe vulnerabilities are not currently being exploited in the wild, and Adobe said it is still working on an update for Adobe Reader and Acrobat for Windows to cover the zero-day bug reported to be under attack last week.
As for the Microsoft bulletins, three of the 13 are rated ‘critical’, while the remaining 10 hold the rating of ‘important.’ In total, the bulletins close 19 security holes. Among them is a remote code execution bug exploited in the Duqu attacks. The bug lies in the Windows kernel and exists due to the improper handling of a specially crafted TrueType font file. Despite the publicity surrounding Duqu, however, that particular vulnerability may not be the most dangerous, argued Andrew Storms, director of security operations at nCircle.
“The only truly critical bug is a Windows Media drive-by flaw that should be patched immediately,” Storms said. “The other critical bulletin is a fix for the vulnerability used by Duqu. After many dire predictions in the press, Duqu hasn’t turned out to be much of a threat.”
According to Microsoft, the Windows Media vulnerability Storms is referring to also impacts Windows Media Center and can enable an attacker to execute code remotely if a user is tricked into opening a malicious Microsoft Digital Video Recorder (.dvr-ms) file. The remaining critical bulletin is an update of ActiveX Kill Bits and addresses a remote code execution issue that can be exploited if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer (IE).
Left off this month’s round of Microsoft patches is a fix for the vulnerability exploited by the BEAST attack tool developed by security researchers Juliano Rizzo and Thai Duong. Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, explained that the bulletin was dropped from the release because of an application-compatibility issue with a “major third-party vendor.”
“We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate,” she blogged. “As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope.”