Vulnerabilities / Threats
05:34 PM
Connect Directly

Fixes For Microsoft, Adobe Zero Days Out For Patch Tuesday

Busy patch cycle awaits administrator this month

Adobe and Microsoft are planning on releasing Patch Tuesday fixes for two separate zero-day vulnerabilities that are targeted by exploits in the wild.

The first is an impending hotfix for an Adobe ColdFusion vulnerability that can be used to give attackers unauthorized access to files stored on servers running ColdFusion. The second is for the zero-day vulnerability in Internet Explorer 8 that was most publicly found to be exploited in malware hosted on a Department of Labor website.

Both come in conjunction with a slew of changes by Microsoft and a couple more fixes by Adobe within their normal monthly patch cycles.

On the Adobe front, this is the third Cold Fusion zero-day fix that the vendor has had to make in 2013 given that the application has come under attacker sights of late. Just yesterday, the Washington State Administrative Office of the Courts announced a breach at the hands of a now-patched ColdFusion zero-day flaw that exposed up to 1 million drivers license numbers and 160,000 Social Security numbers belonging to citizens.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works.]

Adobe also released a new version of Reader, which most notably fixed an information leak problem in the application. According to Wolfgang Kandek, CTO of Qualys, Adobe has done a good job of fixing Reader vulnerabilities, but the problem has been convincing enterprises and consumers to update to the most recent Reader versions and keep those patched in a timely fashion.

"I think we'll see continued attacks against Reader. Adobe Reader X and 11 are really robust, but there are plenty of people that still use the older versions of Adobe Reader and continue to have problems through that," he says. "As long as the standard builds include these older tools, it will be worthwhile for the attackers to invest in that technology."

Meanwhile, Microsoft will release 10 security bulletins including the fix for the zero-day, the most important of which have to do with browser or application vulnerabilities.

"May is going to a busy month for administrators, with 10 patches and a number of restarts required," says Alex Horan, senior product manager, CORE Security. "Reboots are always dreaded by admins, not only because they have a negative effect on uptime, but also raise the possibility of potential hardware failure upon restarting the machine."

For those enterprises that do run IE 8, the zero-day patch should take the highest priority in the patch schedule, Kandek says. According to data collection Qualys has done online, the firm has shown that approximately 43 percent of computers online still use IE 8.

"It's the most modern Internet Explorer that you can get on Windows XP -- if you run Windows XP, that's the end of the line for those browsers," he says. "While it was the standard on Windows 7 starting out, they now have gone to IE 9 and even IE 10. But, again, it's the same issue we have with Adobe Reader. People have IE 8, and it works and might even be fully patched so they don't see a reason to go to 9. But here's a pretty good reason."

Next up in priority is the only other vulnerability rated as critical by Microsoft in this slate of Patch Tuesday fixes, a patch for all IE versions that Kandek says addresses vulnerabilities found at CanSecWest this year.

Kandek also suggests that enterprises pay close attention the Microsoft Office vulnerabilities patched in this batch that allow for remote code execution, even though they aren't tagged as critical.

"I think those are the next most important ones," he says. "They are only rated important by Microsoft because you have to open a file to trigger them, but that's not really that difficult because all I have to do is send you an email and say, 'Here is the budget planning document or attendee list of this meeting' with an attachment, and all you have to do is open it and you're infected."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.