Microsoft, Adobe patch a range of vulnerabilities

Microsoft is closing out the year with a security update featuring seven patches to address 12 vulnerabilities.

Researchers marked MS12-077, which closes three "critical" vulnerabilities in the latest versions of Internet Explorer (IE), and MS12-079, which addresses a single critical issue in Microsoft Word, as the high-priority fixes.

The IE flaws involve a class of vulnerability known as use-after-free.

"It was this sort of vulnerability that was abused in the 2010 Aurora cyber espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark," Kurt Baumgartner, senior security researcher at security firm Kaspersky Lab, said in prepared comments.

IE vulnerabilities can also be used to target general web users, who can become infected simply by visiting a web page that has been compromised, often by toolkits such as BlackHole, to serve malware.

Baumgartner expressed concern over the Word bug being used in targeted phishing attacks, in which a malicious executable is cloaked as a legitimate-looking document.

"An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer," Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a blog post Tuesday.

So far, however, Microsoft is not aware of any live exploits taking advantage of the flaws patched on Tuesday.

Meanwhile, Adobe's own security updates coincided with Microsoft's: the company released a new version of Flash for Windows, Macintosh, Linux and Android to address three critical vulnerabilities that could permit an attacker to take control of a targeted system. The software company also shipped an updated version of its ColdFusion application server to rectify a single "important" vulnerability.

[An earlier version of this story incorrectly stated the employer of Baumgartner.]
