Vulnerabilities / Threats
5/10/2013
05:34 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Fixes For Microsoft, Adobe Zero Days Out For Patch Tuesday

Busy patch cycle awaits administrator this month

Adobe and Microsoft are planning on releasing Patch Tuesday fixes for two separate zero-day vulnerabilities that are targeted by exploits in the wild.

The first is an impending hotfix for an Adobe ColdFusion vulnerability that can be used to give attackers unauthorized access to files stored on servers running ColdFusion. The second is for the zero-day vulnerability in Internet Explorer 8 that was most publicly found to be exploited in malware hosted on a Department of Labor website.

Both come in conjunction with a slew of changes by Microsoft and a couple more fixes by Adobe within their normal monthly patch cycles.

On the Adobe front, this is the third Cold Fusion zero-day fix that the vendor has had to make in 2013 given that the application has come under attacker sights of late. Just yesterday, the Washington State Administrative Office of the Courts announced a breach at the hands of a now-patched ColdFusion zero-day flaw that exposed up to 1 million drivers license numbers and 160,000 Social Security numbers belonging to citizens.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works.]

Adobe also released a new version of Reader, which most notably fixed an information leak problem in the application. According to Wolfgang Kandek, CTO of Qualys, Adobe has done a good job of fixing Reader vulnerabilities, but the problem has been convincing enterprises and consumers to update to the most recent Reader versions and keep those patched in a timely fashion.

"I think we'll see continued attacks against Reader. Adobe Reader X and 11 are really robust, but there are plenty of people that still use the older versions of Adobe Reader and continue to have problems through that," he says. "As long as the standard builds include these older tools, it will be worthwhile for the attackers to invest in that technology."

Meanwhile, Microsoft will release 10 security bulletins including the fix for the zero-day, the most important of which have to do with browser or application vulnerabilities.

"May is going to a busy month for administrators, with 10 patches and a number of restarts required," says Alex Horan, senior product manager, CORE Security. "Reboots are always dreaded by admins, not only because they have a negative effect on uptime, but also raise the possibility of potential hardware failure upon restarting the machine."

For those enterprises that do run IE 8, the zero-day patch should take the highest priority in the patch schedule, Kandek says. According to data collection Qualys has done online, the firm has shown that approximately 43 percent of computers online still use IE 8.

"It's the most modern Internet Explorer that you can get on Windows XP -- if you run Windows XP, that's the end of the line for those browsers," he says. "While it was the standard on Windows 7 starting out, they now have gone to IE 9 and even IE 10. But, again, it's the same issue we have with Adobe Reader. People have IE 8, and it works and might even be fully patched so they don't see a reason to go to 9. But here's a pretty good reason."

Next up in priority is the only other vulnerability rated as critical by Microsoft in this slate of Patch Tuesday fixes, a patch for all IE versions that Kandek says addresses vulnerabilities found at CanSecWest this year.

Kandek also suggests that enterprises pay close attention the Microsoft Office vulnerabilities patched in this batch that allow for remote code execution, even though they aren't tagged as critical.

"I think those are the next most important ones," he says. "They are only rated important by Microsoft because you have to open a file to trigger them, but that's not really that difficult because all I have to do is send you an email and say, 'Here is the budget planning document or attendee list of this meeting' with an attachment, and all you have to do is open it and you're infected."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.