This is a big week for updates: Microsoft issued its usual Windows fixes on Patch Tuesday, but also Adobe pushed out 69 patches for Flash, Reader and Acrobat while and a new version of Google’s Chrome browser appeared.
All of this means the next few days will be busy for sysadmins.
But before we get to a brief outline of the fixes, a word about a vulnerability that hasn’t been patched: Trend Micro warned Tuesday that the attackers behind Pawn Storm cyber espionage campaign are using a new Adobe Flash zero-day exploit in their latest campaign.
“In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe,” the security vendor said in a blog. “The targets received spear phishing e-mails that contained links leading to the exploit.” The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects such as ‘Suicide car bomb targets NATO troop convoy Kabul.’
URLs hosting the new Flash zero-day exploit — which affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207 — are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year, the report added.
It’s again another reason why CISOs should insist that all corporately-owned PCs should either disable Flash or configure it so users can only run Flash content by right clicking, rather than have it run automatically.
For its part Adobe issued two security bulletins listing updates for Windows and Macintosh systems. One outlines 56 critical vulnerabilities affecting Acrobat and Reader that could allow attackers to gain remote access to a system. The other bulletin deals with Flash fixes for several browsers and Linux.
Microsoft issued several bulletins for critical fixes, including a memory corruption bug covering all versions of Internet Explorer going back to 7.0. “The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” Microsoft says. “An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.”
Another series of critical fixes for Vista and WinServer 2008 solves vulnerabilities in the VBScript and JScript scripting engines. “The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that uses the IE rendering engine to direct the user to the specially crafted website.”
The last of the critical fixes for all versions of Windows could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
Three other important patches were released for Windows, Microsoft Edge browser, Office, Office Services and Web Apps, and Server. Qualys CTO Wolfgang Kandek noted in a blog that one needs to be looked after quickly. An attacker could trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities, he wrote, if the Excel sheets is disguised in an email as product information, such as pricing and discounts of competing vendors.
Finally, Google released Chrome 46, which patches 24 vulnerabilities