Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.
Four of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.
Front and center in the Microsoft patch batch is MS13-080, which addresses the zero-day IE vulnerability (CVE-2013-3893) that Microsoft first warned about on Sept. 17, as well as nine other security flaws in the default Windows Web browser. Amping up the threat level on this flaw, exploit code allowing attackers to leverage the flaw was released publicly last week as a module for the Metasploit exploit framework, a penetration testing toolkit.
Microsoft late last month released a stopgap “Fix It” solution to block exploits against the zero-day flaw, and the good news is that if you already applied that solution, you don’t need to undo those changes before applying this update. The bad news is that this isn’t the only zero-day vulnerability fixed in the IE patch bundle: Researchers at Trustwave Spiderlabs say they’ve confirmed that attackers are already exploiting one of the other flaws fixed in this IE update (CVE-2013-3897).
Ross Barrett, senior manager of security engineering at Rapid7, said another critical Microsoft vulnerability — MS13-083, a flaw in the Windows Common Control Library — “looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net web pages.” Barrett said that if ever there were a real, honest-to-goodness flaw of late that would be considered eminently capable of propelling a self-propagating Internet worm, it is this one.
“If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested,” Barrett said. “However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation.”
More information on the remaining patches is available via the Microsoft Technet blog.
Adobe has issued updates for the Windows versions of Adobe Reader XI and Adobe Acrobat XI. The updates fix a single vulnerability and bring these products to version 11.0.05. Links to the updates and more information about the flaw are available in Adobe’s advisory. The company said that Adobe Reader and Acrobat X (10.1.8) and earlier versions for Windows are not affected, and that all versions of Adobe Reader and Acrobat for Macintosh are likewise not affected by this vulnerability. Adobe also said it is not aware of any exploits or attacks “in the wild” for the issue addressed in this update.
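For Windows administrators who want to confirm which machines still need the Adobe update, the following PowerShell is an added example (not code from the article or from Adobe). It reads the installed Reader/Acrobat version from the standard Uninstall registry keys and applies the affected-version rule the advisory describes: only the XI (11.0.x) line on Windows below 11.0.05 is affected. The registry paths and the DisplayName/DisplayVersion property names are assumptions about how the MSI-based installers register themselves; the comparison is done on [version] objects rather than strings so that a future 11.0.10 is not mistaken for an older build than 11.0.05.

```powershell
# Added example, not from the article or from Adobe.
# Assumption: Adobe Reader/Acrobat register a DisplayName and DisplayVersion
# under the standard Windows Uninstall keys (true for the MSI installers).

function Test-AcrobatXIAffected {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$DisplayVersion
    )
    if ([string]::IsNullOrWhiteSpace($DisplayVersion)) { return $false }

    # Compare as [version], not as text: "11.0.10" sorts before "11.0.05"
    # as a string but is numerically newer.
    $installed = [version]$DisplayVersion
    $patched   = [version]'11.0.05'

    # Per the advisory: XI (11.0.x) below 11.0.05 is affected on Windows;
    # X (10.1.8) and earlier are not, and no Macintosh build is.
    return ($installed.Major -eq 11 -and $installed -lt $patched)
}

function Get-AdobeAcrobatInstalls {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Adobe (Reader|Acrobat)' } |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                Affected = Test-AcrobatXIAffected -DisplayVersion $_.DisplayVersion
            }
        }
}

# Usage: list every Reader/Acrobat install on this host and flag unpatched XI builds.
Get-AdobeAcrobatInstalls | Format-Table -AutoSize
```

Running this over a fleet (for example via Invoke-Command against a list of hosts) gives a quick inventory of which machines still carry a pre-11.0.05 Reader or Acrobat XI; an empty result means neither product is registered in the Uninstall keys, which for per-user or non-MSI installs is a reason to check the file version directly rather than to assume the host is clean.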