Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:34 PM
Connect Directly

Fixes For Microsoft, Adobe Zero Days Out For Patch Tuesday

Busy patch cycle awaits administrator this month

Adobe and Microsoft are planning on releasing Patch Tuesday fixes for two separate zero-day vulnerabilities that are targeted by exploits in the wild.

The first is an impending hotfix for an Adobe ColdFusion vulnerability that can be used to give attackers unauthorized access to files stored on servers running ColdFusion. The second is for the zero-day vulnerability in Internet Explorer 8 that was most publicly found to be exploited in malware hosted on a Department of Labor website.

Both come in conjunction with a slew of changes by Microsoft and a couple more fixes by Adobe within their normal monthly patch cycles.

On the Adobe front, this is the third Cold Fusion zero-day fix that the vendor has had to make in 2013 given that the application has come under attacker sights of late. Just yesterday, the Washington State Administrative Office of the Courts announced a breach at the hands of a now-patched ColdFusion zero-day flaw that exposed up to 1 million drivers license numbers and 160,000 Social Security numbers belonging to citizens.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works.]

Adobe also released a new version of Reader, which most notably fixed an information leak problem in the application. According to Wolfgang Kandek, CTO of Qualys, Adobe has done a good job of fixing Reader vulnerabilities, but the problem has been convincing enterprises and consumers to update to the most recent Reader versions and keep those patched in a timely fashion.

"I think we'll see continued attacks against Reader. Adobe Reader X and 11 are really robust, but there are plenty of people that still use the older versions of Adobe Reader and continue to have problems through that," he says. "As long as the standard builds include these older tools, it will be worthwhile for the attackers to invest in that technology."

Meanwhile, Microsoft will release 10 security bulletins including the fix for the zero-day, the most important of which have to do with browser or application vulnerabilities.

"May is going to a busy month for administrators, with 10 patches and a number of restarts required," says Alex Horan, senior product manager, CORE Security. "Reboots are always dreaded by admins, not only because they have a negative effect on uptime, but also raise the possibility of potential hardware failure upon restarting the machine."

For those enterprises that do run IE 8, the zero-day patch should take the highest priority in the patch schedule, Kandek says. According to data collection Qualys has done online, the firm has shown that approximately 43 percent of computers online still use IE 8.

"It's the most modern Internet Explorer that you can get on Windows XP -- if you run Windows XP, that's the end of the line for those browsers," he says. "While it was the standard on Windows 7 starting out, they now have gone to IE 9 and even IE 10. But, again, it's the same issue we have with Adobe Reader. People have IE 8, and it works and might even be fully patched so they don't see a reason to go to 9. But here's a pretty good reason."

Next up in priority is the only other vulnerability rated as critical by Microsoft in this slate of Patch Tuesday fixes, a patch for all IE versions that Kandek says addresses vulnerabilities found at CanSecWest this year.

Kandek also suggests that enterprises pay close attention the Microsoft Office vulnerabilities patched in this batch that allow for remote code execution, even though they aren't tagged as critical.

"I think those are the next most important ones," he says. "They are only rated important by Microsoft because you have to open a file to trigger them, but that's not really that difficult because all I have to do is send you an email and say, 'Here is the budget planning document or attendee list of this meeting' with an attachment, and all you have to do is open it and you're infected."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-30
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource co...
PUBLISHED: 2020-03-30
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the re...
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.