Patch/Configuration Management, Vulnerability Management

Microsoft, Adobe patch a range of vulnerabilities

Microsoft is closing out the year with a security update featuring seven patches to address 12 vulnerabilities.

Researchers marked MS12-077, which closes three "critical" vulnerabilities in the latest versions of Internet Explorer (IE), and MS12-079, which addresses a single critical issue in Microsoft Word, as the high-priority fixes.

The IE flaws involve a class of vulnerability known as user-after free.

"It was this sort of vulnerability that was abused in the 2010 Aurora cyber espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark," Kurt Baumgartner, senior security researcher at security firm Kaspersky Lab, said in prepared comments.

IE vulnerabilities also can be used to target general web users, who can become infected simply by visiting a malicious web page that has been compromised, often by toolkits such as BlackHole, to serve malware.

Baumgartner expressed concern over the Word bug being used in targeted phishing attacks, in which a malicious executable is cloaked as a legitimate-looking document.

"An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer," Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a blog post Tuesday.

So far, however, Microsoft is not aware of any live exploits taking advantage of the flaws patched on Tuesday.

Meanwhile, Adobe coincided with security updates of its own, releasing a new version of Flash for Windows, Macintosh, Linux and Android to address three critical vulnerabilities that could permit an attacker to take control of a targeted system. The software company also shipped an updated version of its ColdFusion application server to rectify a single "important" vulnerability.

[An earlier version of this story incorrectly stated the employer of Baumgartner.]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.