Microsoft Corp. and Adobe Systems Inc. Tuesday separately delivered a raft of security updates that address vulnerabilities said to impact common user activities such as watching video files or opening portable document format (PDF) files.
Microsoft Tuesday released 11 security bulletins addressing 25 vulnerabilities, most of which are rated critical or important. The software giant recommends all updates be applied, but called out three in particular for immediate attention.
The vulnerability addressed by MS10-026 can be triggered by visiting a Web page with “a specially crafted AVI file that began streaming when the page loads,” according to Microsoft. And MS10-027 deals with a vulnerability that can be “exploited by simply visiting a specially crafted Web page,” Microsoft says. Both updates address multimedia files, which are commonly accessed by home users, but are more and more commonplace on business PCs as well, according to Jason Miller, data and security team leader at Shavlik Technologies.
“If you open a malicious file, you can get remote code execution, which is essentially a virus if you are not patched,” Miller says. “Online videos are huge right now, and if you are uncertain of the person sending the video or the site hosting the video, you could kick off remote code execution.”
MS10-026 addresses the entire operating system with its patch, while MS10-027 deals with just Windows Media Player 9, Miller says.
This month’s release affects Windows, Microsoft Office, and Microsoft Exchange.
Another update from MS0-019 pertains to the practice of digital signatures, which help assure people that a file is coming from a secure source. Microsoft found a way in which a hacker could include malicious code into a file without breaking the digital signature.
“They fixed the vulnerability in which that file could be manipulated, embedded with malicious code for instance, without making the signature invalid,” Miller explains.
Separately, Adobe released patches for several versions of its Reader and Acrobat software. The company says the updates address vulnerabilities that could lead to remote code execution.
“You are going to want to patch this one right away,” Shavlik’s Miller says. “These vulnerabilities are rated as critical and can lead to remote code execution. I call these out because PDF files are very common in businesses.”
Andrew Storms, director of security operations for nCircle, said video files can be vulnerable.
“More movies and more malware: that’s what we’ve got to look forward to on the Internet,” he told PC World. “Microsoft is patching critical bugs in Windows Media Player and Direct Show this month–both of these bugs lend themselves to online video malware. If you put these fixes together with Apple’s recent patch of Quicktime, it’s pretty obvious that attackers are finding a lot of victims through video.”
With files from Tom Bradley, PC World