December 11, 2012

Microsoft, Adobe patch a range of vulnerabilities

Microsoft is closing out the year with a security update featuring seven patches to address 12 vulnerabilities.

Researchers marked MS12-077, which closes three "critical" vulnerabilities in the latest versions of Internet Explorer (IE), and MS12-079, which addresses a single critical issue in Microsoft Word, as the high-priority fixes.

The IE flaws involve a class of vulnerability known as user-after free.

"It was this sort of vulnerability that was abused in the 2010 Aurora cyber espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark," Kurt Baumgartner, senior security researcher at security firm Kaspersky Lab, said in prepared comments.

IE vulnerabilities also can be used to target general web users, who can become infected simply by visiting a malicious web page that has been compromised, often by toolkits such as BlackHole, to serve malware.

Baumgartner expressed concern over the Word bug being used in targeted phishing attacks, in which a malicious executable is cloaked as a legitimate-looking document.

"An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer," Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a blog post Tuesday.

So far, however, Microsoft is not aware of any live exploits taking advantage of the flaws patched on Tuesday.

Meanwhile, Adobe coincided with security updates of its own, releasing a new version of Flash for Windows, Macintosh, Linux and Android to address three critical vulnerabilities that could permit an attacker to take control of a targeted system. The software company also shipped an updated version of its ColdFusion application server to rectify a single "important" vulnerability.

[An earlier version of this story incorrectly stated the employer of Baumgartner.]

Related Articles
Related Topics

Sign up to our newsletters

More in News

Oracle releases Java update to close 37 high-risk vulnerabilities

Oracle releases Java update to close 37 high-risk ...

Updates for the software platform will now arrive on a quarterly basis, beginning in October.

Flaw in BlackBerry Protect app addressed, impacts Z10 smartphone users

Flaw in BlackBerry Protect app addressed, impacts Z10 ...

To exploit the vulnerability, an intruder would need a user's device password and a bit of skill to access troves of data on the phone.

Tor to blame for its users being unable to access Facebook

Malicious activity on the anonymity software's network tripped Facebook's "site integrity systems."