Adobe update trumps Microsoft's lone fix in patch frenzy

Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.

Adobe was to address the flaw, which is being exploited in in-the-wild attacks, along with others as part of its quarterly security update.

This month, with Microsoft only releasing one bulletin, to address a single Windows flaw, security experts said administrators should make the Adobe update their priority. The Microsoft issue is only "critical" for Windows 2000 systems, and deemed "low" risk for all other editions of the operating system.

Unless they are running Windows 2000, administrators "should hold back and focus their attention on the Adobe Reader situation," said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

He said worldwide Adobe deployments outnumber Windows deployments, and the Adobe issue, corrected by the expected update for Reader and Acrobat versions 9.2 and earlier on Windows, Mac and UNIX platforms, has been exploited through malicious PDF attacks for more than a month.

In addition to the updated software, Adobe on Tuesday was to release a pilot version of a new automatic updater for Reader, Brad Arkin, the company's director of product security and privacy, tweeted on Monday.

Such a tool will help organizations better handle patching Adobe software, Kandek said. As it stands now, most organizations lack a central tool for distributing Adobe updates.

Richie Lai, director of vulnerability research at Qualys, said that as Adobe continues to enter the crosshairs of malware authors, exploits are going to become better built and more difficult for anti-malware products to detect.

"It's just a natural evolution of code writing," he told SCMagazineUS.com. "It's more reliable across platforms."

Meanwhile, Tuesday's Microsoft bulletin addresses a vulnerability in the Embedded OpenType Font Engine. Functioning exploit code is unlikely to be developed for the flaw, except on Windows 2000 systems, where "inconsistent" exploit code is possible.

"The vulnerable code is present on newer operating systems, but through the Security Development Lifecycle, there are several mitigations in place that help prevent the likelihood of exploitation," said Jerry Bryant, senior security program manager at Microsoft, in a Tuesday blog post.

Microsoft also issued a security advisory informing users that flaws in Adobe Flash Player 6, which is distributed for Windows XP machines, could permit remote code execution. Users are encouraged to install the latest version of Flash, 10.0.42.34.

To round out Tuesday's patching frenzy, Oracle is planning 24 fixes, including 10 for its popular Database Server.
