Microsoft and Adobe released security updates this Patch Tuesday which patched several critical vulnerabilities including zero-days that were actively being exploited in the wild.
Microsoft issued 14 bulletins , including six vulnerabilities that were rated as “Critical” and eight that were rated as “Important.” The patch included a zero day that was actively being exploited in the wild. The zero-day is located in Window’s Kernel-mode drivers which was used in conjunction with a recently patched Adobe flaw to launch a low volume spearphishing campaign which sought to take control of an infected systems, Microsoft reported.
Three of the bulletins contained public disclosures and the vulnerabilities that affect Microsoft Windows, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft SQL Server, Internet Explorer, and even Adobe Flash Player.
Microsoft users are encouraged to download the latest versions of their software and ensure all of their applications are up to date.
The Adobe Security update patched nine critical vulnerabilities in its Flash Player which affect the Windows, Macintosh, Linux and Chrome OS platforms, and one vulnerability in the and a low level vulnerability in the Adobe Connect which affects the Windows platform.
The updates resolve type confusion vulnerabilities and resolve use-after-free vulnerabilities that could each lead to code execution. Users are encouraged to upgrade to Flash Player 18.104.22.168 for Windows and Mac and to Flash Player 22.214.171.1244 for Linux, Adobe reported.
The Microsoft vulnerability which was exploited in the wild was spotted by Google which typically gives vendors 60 days to patch any vulnerability that is discovered privately however, because the flaw was actively being exploited the timeline was reduced to seven days.
“While Adobe issued a patch almost immediately, Microsoft was not able to before Google disclosed the vulnerability publicly,” Trustwave Researcher Karl Sigler said in a Nov. 8 blog post. “The fact that these vulnerabilities were being actively exploited in the wild changed Google’s typical disclosure policy.”
Deploying fixes for browsers, graphics components and Office will be a top priority for most administrators, Tripwire Security Researcher Craig Young told SC Media.
“All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable,” Young said. “These are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks.”