Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:34 PM
Connect Directly

Fixes For Microsoft, Adobe Zero Days Out For Patch Tuesday

Busy patch cycle awaits administrator this month

Adobe and Microsoft are planning on releasing Patch Tuesday fixes for two separate zero-day vulnerabilities that are targeted by exploits in the wild.

The first is an impending hotfix for an Adobe ColdFusion vulnerability that can be used to give attackers unauthorized access to files stored on servers running ColdFusion. The second is for the zero-day vulnerability in Internet Explorer 8 that was most publicly found to be exploited in malware hosted on a Department of Labor website.

Both come in conjunction with a slew of changes by Microsoft and a couple more fixes by Adobe within their normal monthly patch cycles.

On the Adobe front, this is the third Cold Fusion zero-day fix that the vendor has had to make in 2013 given that the application has come under attacker sights of late. Just yesterday, the Washington State Administrative Office of the Courts announced a breach at the hands of a now-patched ColdFusion zero-day flaw that exposed up to 1 million drivers license numbers and 160,000 Social Security numbers belonging to citizens.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works.]

Adobe also released a new version of Reader, which most notably fixed an information leak problem in the application. According to Wolfgang Kandek, CTO of Qualys, Adobe has done a good job of fixing Reader vulnerabilities, but the problem has been convincing enterprises and consumers to update to the most recent Reader versions and keep those patched in a timely fashion.

"I think we'll see continued attacks against Reader. Adobe Reader X and 11 are really robust, but there are plenty of people that still use the older versions of Adobe Reader and continue to have problems through that," he says. "As long as the standard builds include these older tools, it will be worthwhile for the attackers to invest in that technology."

Meanwhile, Microsoft will release 10 security bulletins including the fix for the zero-day, the most important of which have to do with browser or application vulnerabilities.

"May is going to a busy month for administrators, with 10 patches and a number of restarts required," says Alex Horan, senior product manager, CORE Security. "Reboots are always dreaded by admins, not only because they have a negative effect on uptime, but also raise the possibility of potential hardware failure upon restarting the machine."

For those enterprises that do run IE 8, the zero-day patch should take the highest priority in the patch schedule, Kandek says. According to data collection Qualys has done online, the firm has shown that approximately 43 percent of computers online still use IE 8.

"It's the most modern Internet Explorer that you can get on Windows XP -- if you run Windows XP, that's the end of the line for those browsers," he says. "While it was the standard on Windows 7 starting out, they now have gone to IE 9 and even IE 10. But, again, it's the same issue we have with Adobe Reader. People have IE 8, and it works and might even be fully patched so they don't see a reason to go to 9. But here's a pretty good reason."

Next up in priority is the only other vulnerability rated as critical by Microsoft in this slate of Patch Tuesday fixes, a patch for all IE versions that Kandek says addresses vulnerabilities found at CanSecWest this year.

Kandek also suggests that enterprises pay close attention the Microsoft Office vulnerabilities patched in this batch that allow for remote code execution, even though they aren't tagged as critical.

"I think those are the next most important ones," he says. "They are only rated important by Microsoft because you have to open a file to trigger them, but that's not really that difficult because all I have to do is send you an email and say, 'Here is the budget planning document or attendee list of this meeting' with an attachment, and all you have to do is open it and you're infected."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...