Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:34 PM
Connect Directly

Fixes For Microsoft, Adobe Zero Days Out For Patch Tuesday

Busy patch cycle awaits administrator this month

Adobe and Microsoft are planning on releasing Patch Tuesday fixes for two separate zero-day vulnerabilities that are targeted by exploits in the wild.

The first is an impending hotfix for an Adobe ColdFusion vulnerability that can be used to give attackers unauthorized access to files stored on servers running ColdFusion. The second is for the zero-day vulnerability in Internet Explorer 8 that was most publicly found to be exploited in malware hosted on a Department of Labor website.

Both come in conjunction with a slew of changes by Microsoft and a couple more fixes by Adobe within their normal monthly patch cycles.

On the Adobe front, this is the third Cold Fusion zero-day fix that the vendor has had to make in 2013 given that the application has come under attacker sights of late. Just yesterday, the Washington State Administrative Office of the Courts announced a breach at the hands of a now-patched ColdFusion zero-day flaw that exposed up to 1 million drivers license numbers and 160,000 Social Security numbers belonging to citizens.

[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works.]

Adobe also released a new version of Reader, which most notably fixed an information leak problem in the application. According to Wolfgang Kandek, CTO of Qualys, Adobe has done a good job of fixing Reader vulnerabilities, but the problem has been convincing enterprises and consumers to update to the most recent Reader versions and keep those patched in a timely fashion.

"I think we'll see continued attacks against Reader. Adobe Reader X and 11 are really robust, but there are plenty of people that still use the older versions of Adobe Reader and continue to have problems through that," he says. "As long as the standard builds include these older tools, it will be worthwhile for the attackers to invest in that technology."

Meanwhile, Microsoft will release 10 security bulletins including the fix for the zero-day, the most important of which have to do with browser or application vulnerabilities.

"May is going to a busy month for administrators, with 10 patches and a number of restarts required," says Alex Horan, senior product manager, CORE Security. "Reboots are always dreaded by admins, not only because they have a negative effect on uptime, but also raise the possibility of potential hardware failure upon restarting the machine."

For those enterprises that do run IE 8, the zero-day patch should take the highest priority in the patch schedule, Kandek says. According to data collection Qualys has done online, the firm has shown that approximately 43 percent of computers online still use IE 8.

"It's the most modern Internet Explorer that you can get on Windows XP -- if you run Windows XP, that's the end of the line for those browsers," he says. "While it was the standard on Windows 7 starting out, they now have gone to IE 9 and even IE 10. But, again, it's the same issue we have with Adobe Reader. People have IE 8, and it works and might even be fully patched so they don't see a reason to go to 9. But here's a pretty good reason."

Next up in priority is the only other vulnerability rated as critical by Microsoft in this slate of Patch Tuesday fixes, a patch for all IE versions that Kandek says addresses vulnerabilities found at CanSecWest this year.

Kandek also suggests that enterprises pay close attention the Microsoft Office vulnerabilities patched in this batch that allow for remote code execution, even though they aren't tagged as critical.

"I think those are the next most important ones," he says. "They are only rated important by Microsoft because you have to open a file to trigger them, but that's not really that difficult because all I have to do is send you an email and say, 'Here is the budget planning document or attendee list of this meeting' with an attachment, and all you have to do is open it and you're infected."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-02
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to
PUBLISHED: 2020-04-02
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
PUBLISHED: 2020-04-01
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
PUBLISHED: 2020-04-01
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
PUBLISHED: 2020-04-01
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...