Microsoft and Adobe close almost 40 holes
Microsoft and Adobe have held their monthly patch day with Microsoft releasing seven bulletins to close twelve security holes – including critical ones in most versions of Windows. Adobe's patches are rather substantial as well: they fix vulnerabilities with a total of 27 CVE numbers in Flash, Reader and Acrobat.
Two of Microsoft's bulletins are considered "critical" by the company: the first one closes a hole in the printer spooler components of Windows 7 and Server 2008 R2. Attackers who manage to submit a specially crafted print job can subsequently execute arbitrary code on the computer, and they can even do so remotely and without authorisation.
The second bulletin fixes further issues in the XML Core Services and affects all Windows versions as well as Office 2003 and 2007, Word Viewer, Office Compatibility, Expression Web and Expression Web 2, SharePoint Server 2007 and Groove Server 2007. It corrects two critical flaws in the code for processing XML data that also allow code to be injected. To exploit the hole, attackers only need to persuade potential victims to visit a specially crafted web page.
The remaining five bulletins have been rated important by Microsoft. Three of them close holes that allow attackers to escalate their privileges beyond their authorised level. This escalation can be achieved in System Center Operations Manager 2007 by launching a cross-site scripting attack on the web interface; in the .NET Framework by triggering, for example, a buffer overflow; and in Windows Vista and above by exploiting a kernel flaw in the code for processing Windows broadcast messages.
In Vista and above, Microsoft has also fixed a flaw in the SSLv3 protocol that allows a "security feature bypass". Since this and all the other holes were reported privately to Microsoft, no details have become available so far. Finally, the company has also fixed a Denial-of-Service vulnerability in the .NET Framework. For the critical hole in Internet Explorer (version 6 to 8) that was found at the end of 2012, the only available solution continues to be the temporary Fix-It, although a security researcher says that he has already bypassed that. When this hole will be closed properly remains a subject of speculation.
Meanwhile, Adobe has issued a major security update for Adobe Reader and Acrobat. Fixed vulnerabilities range from stack and heap buffer overflows that allow malicious code to be injected to privilege escalation holes. In short: those who use Adobe Reader or Acrobat will do well to install the appropriate update as soon as possible.
Versions 9, X, and XI on all supported operating systems are affected. The current, fixed, versions are: 11.0.1 (XI), 10.1.5 (X), and 9.5.3. Another critical security issue has made it necessary to update Flash and AIR. The current version numbers for the numerous supported operating systems can be found in Adobe's advisory. Google Chrome and Internet Explorer 10 under Windows 8 will be updated to the fixed version automatically.