Adobe issues patches, Microsoft’s usual Patch Tuesday fixes delayed

Adobe released security updates on Tuesday for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS, according to its latest Security Bulletin.

The company released fixes as part of its regularly scheduled patch series for more than a dozen code execution vulnerabilities in its Flash Player.

While Adobe said that none of the flaws have been exploited publicly, the company urged users to upgrade immediately.

All of the flaws involve memory-related functions that could enable an attacker to execute code on a host system running Flash. Adobe patched four memory-corruption and four use-after-free bugs, along with type-confusion, integer overflow and heap buffer overflow vulnerabilities.

The company also addressed nine bugs in Adobe Digital Editions, its ebook reader software. One flaw, a heap buffer overflow vulnerability, while not rated critical, could still enable attackers to execute code. The other bugs potentially enabled memory leaks.

Two bugs also were patched in Adobe Campaign for Windows and Linux, its online marketing and web analytics software. While these were rated moderate severity, one of the holes could allow a remote attacker to gain system privileges to read and write, and the other – an input validation weakness – could potentially open the system up to cross-site scripting attacks.

Meanwhile, Microsoft, which usually issues its patches on the second Tuesday of every month, announced that it was delaying the release of its February fixes owing to a "last minute issue."

"This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today," Microsoft announced. "After considering all options, we made the decision to delay this month's updates."

Amol Sarwate, director of engineering at Qualys, told SC Media on Tuesday that "overall, it was an easy day for system administrators with only Adobe patches, but a cliff-hanger from Microsoft as there is no indication when the patches with the new format will arrive."

"If there is a problem in the patch for one kernel vulnerability then all kernel or related vulnerabilities cannot be released as they are bundled together," he explained. "A zero-day SMB vulnerability was expected to be patched [on Tuesday] and as of this writing there is no official statement on the new release date."

UPDATE: On Thursday, Microsoft amended its blog post regarding the delay in issuing its February Patch Tuesday upgrades with a note: "We will deliver updates as part of the planned March Update Tuesday, March 14, 2017." 
