Adobe update trumps Microsoft's lone fix in patch frenzy

Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.

Adobe was to address the flaw, which is being exploited in the wild, along with others as part of its quarterly security update.

This month, with Microsoft only releasing one bulletin, to address a single Windows flaw, security experts said administrators should make the Adobe update their priority. The Microsoft issue is only "critical" for Windows 2000 systems, and deemed "low" risk for all other editions of the operating system.

Unless they are running Windows 2000, administrators "should hold back and focus their attention on the Adobe Reader situation," said Wolfgang Kandek, CTO of vulnerability management firm Qualys.

He said Adobe deployments worldwide outnumber those of Windows, and the Adobe issue, corrected with the expected release of Reader and Acrobat versions 9.2 and earlier for Windows, Mac and UNIX platforms, has been exploited through malicious PDF attacks for more than a month.

In addition to the updated software, Adobe on Tuesday was to release a pilot version of a new automatic updater for Reader, Brad Arkin, the company's director of product security and privacy, tweeted on Monday.

Such a tool will help organizations better handle patching Adobe software, Kandek said. As it stands now, most organizations lack a central tool for distributing Adobe updates.

Richie Lai, director of vulnerability research at Qualys, said that as Adobe continues to enter the cross-hairs of malware authors, exploits are going to become better built and more difficult to detect by anti-malware products.

"It's just a natural evolution of code writing," he told SCMagazineUS.com. "It's more reliable across platforms."

Meanwhile, Tuesday's Microsoft bulletin addresses a vulnerability in the Embedded OpenType Font Engine. Functioning exploit code is unlikely to be developed for the flaw, except on Windows 2000 systems, where "inconsistent" code is possible.

"The vulnerable code is present on newer operating systems, but through the Security Development Lifecycle, there are several mitigations in place that help prevent the likelihood of exploitation," said Jerry Bryant, senior security program manager at Microsoft, in a Tuesday blog post.

Microsoft also issued a security advisory informing users that flaws in Adobe Flash Player 6, which is distributed for Windows XP machines, could permit remote code execution. Users are encouraged to install the latest version of Flash, 10.0.42.34.

To round out Tuesday's patching frenzy, Oracle is planning 24 fixes, including 10 for its popular Database Server.

