Microsoft and Adobe to patch critical holes next Tuesday
Microsoft and Adobe have advised users that they will be releasing critical updates next Tuesday, but both patch day releases will miss fixing recently discovered critical holes. Microsoft's advance notification says the company will be releasing seven updates, for two critical and five important flaws. A patch for the critical vulnerability in Internet Explorer 6, 7 and 8, which is currently addressed only by a "FixIt" tool, is not among them.
Adobe has announced that it will be releasing patches for Adobe Reader and Acrobat. It has also advised ColdFusion 10 and 9 users that it is aware of "security issues" with the web software which are being exploited in the wild, but is still evaluating the reports and has yet to issue any schedule for a fix.
Of the Microsoft vulnerabilities, one of the critical flaws affects all users of Windows XP, Vista, 7, 8, and Windows RT and also affects Microsoft Office 2003 and 2007, Microsoft Expression Web, Microsoft SharePoint 2007 and Groove Server 2007. The other critical flaw only affects Windows 7, Server 2008 R2 and Server Core installations of 2008 R2. Both critical flaws allow remote code execution without user intervention.
Another three flaws are rated as important and allow for elevation of privilege on Windows, Windows Server and .NET Framework. A further flaw, also rated as important, allows for security features to be bypassed on Windows Vista and later, while a final important vulnerability allows for denial of service on all versions of Windows except RT and Server Core 2008.
Adobe's notification classifies its flaws as critical. There are priority 1 bugs in Adobe Reader and Acrobat 9.5.2 and earlier on Windows being patched next week; priority 1 means that the company is aware of exploits for the vulnerabilities in use in the wild and that it will be recommending updating as soon as possible. Adobe Reader and Acrobat 9.x on other platforms and X and XI on all platforms have been given a priority 2 rating, meaning that the company doesn't know of any exploits for the flaws, but advises that the patches should be applied within a month.