Adobe update trumps Microsoft's lone fix in patch frenzy

Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.

Adobe was to address the flaw, which is being exploited in the wild, along with others as part of its quarterly security update.

This month, with Microsoft only releasing one bulletin, to address a single Windows flaw, security experts said administrators should make the Adobe update their priority. The Microsoft issue is only "critical" for Windows 2000 systems, and deemed "low" risk for all other editions of the operating system.

Unless they are running Windows 2000, administrators "should hold back and focus their attention on the Adobe Reader situation," said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

He said worldwide Adobe deployments outnumber those of Windows, and the Adobe issue, corrected with the expected release of Reader and Acrobat versions 9.2 and earlier for Windows, Mac and UNIX platforms, has been exploited through malicious PDF attacks for more than a month.

In addition to the updated software, Adobe on Tuesday was to release a pilot version of a new automatic updater for Reader, Brad Arkin, the company's director of product security and privacy, tweeted on Monday.

Such a tool will help organizations better handle patching Adobe software, Kandek said. As it stands now, most organizations lack a central tool for distributing Adobe updates.

Richie Lai, director of vulnerability research at Qualys, said that as Adobe continues to enter the cross-hairs of malware authors, exploits are going to become better built and more difficult to detect by anti-malware products.

"It's just a natural evolution of code writing," he told SCMagazineUS.com. "It's more reliable across platforms."

Meanwhile, Tuesday's Microsoft bulletin addresses a vulnerability in the Embedded OpenType Font Engine. Functioning exploit code is unlikely to be developed for the flaw, except on Windows 2000 systems, where "inconsistent" code is possible.

"The vulnerable code is present on newer operating systems, but through the Security Development Lifecycle, there are several mitigations in place that help prevent the likelihood of exploitation," said Jerry Bryant, senior security program manager at Microsoft, in a Tuesday blog post.

Microsoft also issued a security advisory informing users that flaws in Adobe Flash Player 6, which is distributed for Windows XP machines, could permit remote code execution. Users are encouraged to install the latest version of Flash, 10.0.42.34.

To round out Tuesday's patching frenzy, Oracle is planning 24 fixes, including 10 for its popular Database Server.

