Microsoft, Adobe patch a range of vulnerabilities

Share this article:

Microsoft is closing out the year with a security update featuring seven patches to address 12 vulnerabilities.

Researchers marked MS12-077, which closes three "critical" vulnerabilities in the latest versions of Internet Explorer (IE), and MS12-079, which addresses a single critical issue in Microsoft Word, as the high-priority fixes.

The IE flaws involve a class of vulnerability known as user-after free.

"It was this sort of vulnerability that was abused in the 2010 Aurora cyber espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark," Kurt Baumgartner, senior security researcher at security firm Kaspersky Lab, said in prepared comments.

IE vulnerabilities also can be used to target general web users, who can become infected simply by visiting a malicious web page that has been compromised, often by toolkits such as BlackHole, to serve malware.

Baumgartner expressed concern over the Word bug being used in targeted phishing attacks, in which a malicious executable is cloaked as a legitimate-looking document.

"An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer," Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a blog post Tuesday.

So far, however, Microsoft is not aware of any live exploits taking advantage of the flaws patched on Tuesday.

Meanwhile, Adobe coincided with security updates of its own, releasing a new version of Flash for Windows, Macintosh, Linux and Android to address three critical vulnerabilities that could permit an attacker to take control of a targeted system. The software company also shipped an updated version of its ColdFusion application server to rectify a single "important" vulnerability.

[An earlier version of this story incorrectly stated the employer of Baumgartner.]

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.