Microsoft, Adobe patch a range of vulnerabilities

Microsoft is closing out the year with a security update featuring seven patches to address 12 vulnerabilities.

Researchers marked MS12-077, which closes three "critical" vulnerabilities in the latest versions of Internet Explorer (IE), and MS12-079, which addresses a single critical issue in Microsoft Word, as the high-priority fixes.

The IE flaws belong to a class of vulnerability known as use-after-free.

"It was this sort of vulnerability that was abused in the 2010 Aurora cyber espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark," Kurt Baumgartner, senior security researcher at security firm Kaspersky Lab, said in prepared comments.

IE vulnerabilities also can be used to target general web users, who can become infected simply by visiting a web page that has been compromised, often by toolkits such as BlackHole, to serve malware.

Baumgartner expressed concern over the Word bug being used in targeted phishing attacks, in which a malicious executable is cloaked as a legitimate-looking document.

"An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer," Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a blog post Tuesday.

So far, however, Microsoft is not aware of any live exploits taking advantage of the flaws patched on Tuesday.

Meanwhile, Adobe released security updates of its own on the same day, shipping a new version of Flash for Windows, Macintosh, Linux and Android to address three critical vulnerabilities that could permit an attacker to take control of a targeted system. The software company also shipped an updated version of its ColdFusion application server to rectify a single "important" vulnerability.

[An earlier version of this story incorrectly stated the employer of Baumgartner.]
