informa
/
Risk
News

Microsoft, Adobe Patch Vulnerabilities

Microsoft patches 15 important vulnerabilities, Adobe update fixes critical Reader and Acrobat vulnerabilities, and multiple vendors block more DigiNotar-related certificates.
Adobe CS 5.5: Evaluating Bundle, Feature Upgrades
Slideshow: Adobe CS 5.5: Evaluating Bundle, Feature Upgrades
(click image for larger view and for slideshow)
Microsoft released five security bulletins Tuesday, patching 15 different vulnerabilities in Microsoft Windows, Excel, Office, SharePoint, and Windows Server. All of the bugs are rated "important," but not "critical," since they can't be exploited without some user interaction.

Of all the vulnerabilities patched, one to prioritize fixing is an arbitrary code execution vulnerability in Excel, said Wolfgang Kandek, CTO of Qualys, in a blog post. "It affects all versions of Excel including the most recent 2010 version. To exploit this issue, attackers could create malicious Excel files, which, when opened on vulnerable hosts, can take control of the system."

Likewise, he recommends installing the fix for a code execution vulnerability in Microsoft Office versions 2003, 2007, and 2010--including Microsoft Word--as soon as possible, because the bug could allow an attacker to use a malicious Word file to execute arbitrary code on a user's PC.

Interestingly, two of the other vulnerabilities have already been publicly disclosed, "but neither are of too great a concern," said Joshua Talbot, security intelligence manager for Symantec Security Response, via email. "The first is the HTML Sanitization Vulnerability, which is simply an information disclosure issue. The other is the Insecure Library Loading Vulnerability, which is part of the ongoing DLL issue that the company has been working on correcting for more than a year now. We've yet to see any exploits targeting one of these vulnerabilities."

By all accounts, this month's patch update from Microsoft was mild, but it comes on the heels of the DigiNotar debacle, in which the Dutch registrar was hacked, with the attacker or attackers generating fake certificates for well-known Web concerns, including Microsoft Update and Gmail.

On Tuesday, Microsoft released another update to revoke bad DigiNotar certificates. According to Kandek, "the update revokes certificates signed by two Certificate Authorities (CAs): Entrust and Cybertrust, who issued certificates on behalf of DigiNotar."

Since the exploit of DigiNotar, which publicly came to light last month, a number of browser makers, including Microsoft, Mozilla, Google, Opera, and more recently Apple, released updates to block the bad certificates. Since then, other companies, including Facebook, Skype, and Adobe, have followed suit to block the certificates in their products.

Entrust requested that Microsoft blacklist two cross-certificates that it signed with DigiNotar in 2007, and recently revoked, "just as a belt and suspenders type of approach to security, to make sure that even if [attackers] did find a way to get to that old route, and issue something that was somehow tied to Entrust, it wouldn’t be trusted out there in the market," said David Rockvam, Entrust's general manager of certificate services and chief marketing officer. In other words, the company is being cautious. "Entrust has had no breach," he said.

Back on the security patch front, Adobe also released fixes Tuesday for critical security issues--meaning they can be remotely exploited, potentially without a user being aware--in Reader and Acrobat. If exploited, the vulnerability could allow an attacker to crash and potentially take control of a user's machine. Adobe said it had not seen the vulnerability being used in the wild.

The bug affects multiple versions of Adobe Reader and Acrobat: Reader and Acrobat X 10.1 and earlier (Windows, Mac), versions 9.4.5 and earlier (Windows, Mac, Unix), as well as versions 8.3 and earlier (Windows, Mac). To fix the vulnerability, Adobe on Tuesday released Reader and Acrobat updates, numbered 8.3.1, 9.4.5, and 10.1.1, for Windows and Mac.

While the bug is also present in Reader version 9.x on Unix, users will have to wait two months for a patch. Adobe said it plans to release Reader version 9.4.6 for Unix on November 7.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5