Adobe update trumps Microsoft's lone fix in patch frenzy


Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.

Adobe was to address the flaw, which is being exploited in in-the-wild attacks, along with others as part of its quarterly security update.

This month, with Microsoft only releasing one bulletin, to address a single Windows flaw, security experts said administrators should make the Adobe update their priority. The Microsoft issue is only "critical" for Windows 2000 systems, and deemed "low" risk for all other editions of the operating system.

Unless they are running Windows 2000, administrators "should hold back and focus their attention on the Adobe Reader situation," said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

He said worldwide Adobe deployments outnumber those of Windows, and the Adobe issue, to be corrected with the expected release for Reader and Acrobat versions 9.2 and earlier on Windows, Mac and UNIX platforms, has been exploited through malicious PDF attacks for more than a month.

In addition to the updated software, Adobe on Tuesday was to release a pilot version of a new automatic updater for Reader, Brad Arkin, the company's director of product security and privacy, tweeted on Monday.

Such a tool will help organizations better handle patching Adobe software, Kandek said. As it stands now, most organizations lack a central tool for distributing Adobe updates.

Richie Lai, director of vulnerability research at Qualys, said that as Adobe continues to enter the cross-hairs of malware authors, exploits are going to become better built and more difficult to detect by anti-malware products.

"It's just a natural evolution of code writing," he told SCMagazineUS.com. "It's more reliable across platforms."

Meanwhile, Tuesday's Microsoft bulletin addresses a vulnerability in the Embedded OpenType Font Engine. Functioning exploit code is unlikely to be developed for the flaw, except on Windows 2000 systems, where "inconsistent" code is possible.

"The vulnerable code is present on newer operating systems, but through the Security Development Lifecycle, there are several mitigations in place that help prevent the likelihood of exploitation," said Jerry Bryant, senior security program manager at Microsoft, in a Tuesday blog post.

Microsoft also issued a security advisory informing users that flaws in Adobe Flash Player 6, which is distributed for Windows XP machines, could permit remote code execution. Users are encouraged to install the latest version of Flash, 10.0.42.34.

To round out Tuesday's patching frenzy, Oracle is planning 24 fixes, including 10 for its popular Database Server.

