Microsoft and Adobe on Tuesday put security administrators to work with the release of security updates covering a swath of issues.
And they’re going to have to work fast, as each software provider is patching a vulnerability that is under active exploitation.
Microsoft’s update consists of five “critical” and four “important” bulletins, addressing 26 deficiencies in Windows, Internet Explorer (IE), Exchange Server, SQL Server, Server Software, Developer Tools, and Office.
Security researchers who analyzed the patches mostly agreed over which patch is the most pressing to apply: MS12-60. The vulnerability, which impacts Windows Common Controls, is similar to an issue patched in April. According to Microsoft, “limited, targeted” exploits have been spotted that take advantage of the flaw.
“It affects all platforms of Windows and addresses an ActiveX component that’s redistributed in many places in Windows,” said Paul Henry, security and forensic analyst at Lumension. “It’s an issue that was previously patched, and this month’s patch cleans up the previous one. This is a very high priority update because it’s native in Windows and impacts all Windows platforms.”
Adobe, meanwhile, offered updates to its Reader, Acrobat, Shockwave Player and Flash Player products. Reader/Acrobat were upgraded to plug 20 vulnerabilities, Shockwave received five patches and Flash received one fix.
But it was the Flash update that is most important. Adobe said in an advisory that the vulnerability is being actively exploited by attackers in “limited, targeted attacks” against users of Flash for Internet Explorer in Windows.
Microsoft offered a number of other fixes that piqued researchers’ interests.
They pointed to the cumulative patch for Internet Explorer, MS12-052, as a biggie. None of the four holes being sealed are under active attack, but researchers said that once known, IE bugs become easily exploitable.
Marcus Carey, security researcher at Rapid7, also called out MS12-058, which remediates a publicly known vulnerability in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats.
“It appears to be an excellent option for spear phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App,” he said. “An attacker could then escalate privileges from there.”
Administrators should also pay attention to MS12-054, which repairs four bugs in Windows network components. While launching exploits against any of the four will be difficult, according to Microsoft, one of the vulnerabilities could lead to a worm spread.
“Keen-eyed attackers are going need to focus carefully on vulnerability to uncover all of its potential,” said Andrew Storms, director of security operations at nCircle. “This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups. If this describes your business, deploy this patch as soon as you can.”
Along with the patches on Tuesday, Microsoft also distributed an update requiring a minimum certificate length in Windows, specifically banning “the use of certificates with RSA keys less than 1024 bits in length.” This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.
The update is available now for download, and Microsoft plans to push it out next month via Microsoft Update.