Microsoft on Tuesday released five security bulletins, along with an update revoking six more DigiNotar certificates, while Adobe issued critical updates for Reader and Acrobat.
After accidentally giving a sneak peak of its September security patches four days early, Microsoft has officially released the lot, which addresses 15 flaws. As was previously reported, Microsoft's September Patch Tuesday resolves six vulnerabilities in SharePoint, five in Excel, two in Office, and one each in Windows and the Windows Internet Name Service (WINS). Experts agreed that priority should be given to MS11-072, which fixes flaws in all versions of Excel that could allow for remote code execution.
“To exploit this issue, attackers could create malicious Excel files, which, when opened on vulnerable hosts, can take control of the system,” Wolfgang Kandek, chief technical officer at Qualys, said in a statement sent to SCMagazineUS.com on Tuesday.
In addition to its regularly scheduled security patches, Microsoft on Tuesday released an update for all supported Windows versions that revokes six additional DigiNotar root certificates.
The Redmond, Wash.-based computing giant last week issued a similar patch, following the discovery of active attacks using at least one fraudulent cert issued by DigiNotar. Fake certs could be used to spoof content, and perform phishing or man-in-the-middle attacks, Microsoft warned.
The company's latest update revokes trust of DigiNotar certs that were cross-signed by two other CAs – Entrust and Cybertrust, Andrew Storms, director of security at nCircle, said in a statement sent to SCMagazineUS.com on Tuesday.
“Anything and everything associated with DigiNotar is getting purged,” Storms said.
Meanwhile, Adobe on Tuesday released critical updates for Windows and Mac versions of its popular Reader and Acrobat software, as part of its quarterly patch cycle. The updates fix 13 security flaws, which could cause the application to crash, and potentially allow an attacker to take control of an affected system.
Storms praised Adobe for issuing the updates early in the day.
“It's definitely an improvement over their previous late afternoon releases, but it's still a ‘classic' Adobe patch in that we have very little information about the bugs being fixed,” he said. “The bad news is that most of them could result in the worst kind of security outcome – remote code execution.”
The updates bring the current versions of Reader and Acrobat to 10.1.1, 9.4.6 and 8.3.1. Adobe will, however, end support for Reader and Acrobat version 8.x on Nov. 3.
Adobe's next quarterly updates for Reader and Acrobat are scheduled for December 13.