Adobe update trumps Microsoft's lone fix in patch frenzy
Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.
Adobe was to address the flaw, which is being exploited in in-the-wild attacks, along with other flaws as part of its quarterly security update.
This month, with Microsoft only releasing one bulletin, to address a single Windows flaw, security experts said administrators should make the Adobe update their priority. The Microsoft issue is only "critical" for Windows 2000 systems, and deemed "low" risk for all other editions of the operating system.
Unless they are running Windows 2000, administrators "should hold back and focus their attention on the Adobe Reader situation," said Wolfgang Kandek, CTO of vulnerability management firm Qualys.
He said worldwide Adobe deployments outnumber those of Windows, and the Adobe issue, corrected by the expected update for Reader and Acrobat versions 9.2 and earlier on Windows, Mac and UNIX platforms, has been exploited through malicious PDF attacks for more than a month.
In addition to the updated software, Adobe on Tuesday was to release a pilot version of a new automatic updater for Reader, Brad Arkin, the company's director of product security and privacy, tweeted on Monday.
Such a tool will help organizations better handle patching Adobe software, Kandek said. As it stands now, most organizations lack a central tool for distributing Adobe updates.
Richie Lai, director of vulnerability research at Qualys, said that as Adobe continues to enter the cross-hairs of malware authors, exploits are going to become better built and more difficult to detect by anti-malware products.
"It's just a natural evolution of code writing," he told SCMagazineUS.com. "It's more reliable across platforms."
Meanwhile, Tuesday's Microsoft bulletin addresses a vulnerability in the Embedded OpenType Font Engine. Functioning exploit code is unlikely to be developed for the flaw, except on Windows 2000 systems, where "inconsistent" exploit code is possible.
"The vulnerable code is present on newer operating systems, but through the Security Development Lifecycle, there are several mitigations in place that help prevent the likelihood of exploitation," said Jerry Bryant, senior security program manager at Microsoft, in a Tuesday blog post.
Microsoft also issued a security advisory informing users that flaws in Adobe Flash Player 6, which is distributed for Windows XP machines, could permit remote code execution. Users are encouraged to install the latest version of Flash, 10.0.42.34.
To round out Tuesday's patching frenzy, Oracle is planning 24 fixes, including 10 for its popular Database Server.