Springtime for patches: Microsoft 9 - Adobe 3
April has arrived and spring approaches – both Microsoft and Adobe have a whole bundle of spring-cleaning patches and updates. Microsoft is even closing a hole in a program that is normally expected to protect its users – the Windows Defender malware scanner built into Windows 8 and RT.
It turns out that a user who has limited privileges can escalate those privileges by exploiting path names used by Defender; they can even create new Admin accounts on the system. To exploit the problem, which Microsoft classifies as important and records as MS13-034, the user needs to be able to create files in C:\.
Two of the nine bulletins cover fixes for critical holes. One update, MS13-028, for Internet Explorer closes critical security holes in Internet Explorer, but not all versions of the browser. The vulnerabilities that the Vupen team exploited at Pwn2Own, where they successfully compromised a system, are only going to be resolved "through a future security update" according to Microsoft's risk assessment.
The other critical bulletin, MS13-029, seals up a hole in the ActiveX control of the Remote Desktop Client which is on most Windows editions. Through the vulnerabilities, Internet Explorer users could be sent to maliciously crafted web pages where code could be injected and executed to gain the same privileges as the user. Microsoft says there are no exploits for this currently, but it expects reliable exploits to be developed within the next 30 days – the black, grey and white hat hackers know where to look now.
Microsoft has also released an "important" bulletin, MS13-031, to address privilege-escalating holes in the Windows kernel. Another privilege escalation can be found in MS13-036 where a problem with kernel mode USB drivers allows a user to use a thumb drive and run malicious code to get system privileges. Other bulletins address problems that have been found in SharePoint Server 2013, the Windows client/server run-time subsystem (CSRSS), Active Directory, and InfoPath 2010, Groove and other components.
Adobe has three updates for April including updates for Flash Player and AIR. There are fixes for Flash Player on Windows, Mac, Linux, Android, Internet Explorer 10 and Chrome with the latter two being part of automatic updates for those browsers. The Windows updates for Flash are rated as high priority by Adobe. The company also has a high priority update for Shockwave Player on Windows and Mac. A lower priority is given to the ColdFusion Hotfix which closes holes in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 on all platforms.