Microsoft Fixes 54 Vulnerabilities on July’s Patch Tuesday
Microsoft fixed 54 vulnerabilities across its products July 10 as part of its monthly patch cycle. Seventeen of those flaws are rated critical and three of them have been publicly disclosed before the patches were released.
In terms of impact, nearly half of the flaws—27—can lead to remote code execution. Eight vulnerabilities can be used to bypass security features, seven can lead to privilege escalation, four can lead to denial of service, five can lead to information disclosure, two can lead to tampering and two can lead to spoofing.
The patched vulnerabilities affect 15 products, including Windows, Internet Explorer, Microsoft Edge, Microsoft Office and Office Services, .NET Framework, Visual Studio, PowerShell Editor Services and the Microsoft Research JavaScript Cryptography Library.
“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email,” Jimmy Graham, director of product management at vulnerability management firm Qualys, said in a blog post. “This includes multi-user servers that are used as remote desktops for users.”
Only two of the patched critical vulnerabilities are not located in Microsoft’s browsers. One affects the PowerShell Editor Services and should be prioritized because PowerShell has become a preferred method for attackers to deliver malicious payloads over the past few years.
Microsoft also released patches for a Spectre-like side-channel vulnerability called LazyFP that was publicly disclosed in June and stems from the speculative execution feature of Intel CPUs.
Qualys’ Graham also reminds systems administrators that Microsoft released out-of-band patches in June for Exchange Server to patch flaws identified in a third-party file parsing library called Oracle Outside In. If they haven’t been deployed yet, those patches should be prioritized as well.
Intel has also released a batch of 12 security advisories for vulnerabilities that affect its hardware and software products. This is reportedly part of the company’s plan to switch to a quarterly release schedule for security updates that’s better aligned with the patch cycles of other vendors, including Microsoft.
Adobe Squashes 100+ Bugs in Reader, Acrobat, Other Products
Adobe has released its monthly batch of security patches, addressing 104 vulnerabilities in Adobe Reader and Acrobat, Adobe Connect, Adobe Experience Manager and Flash Player.
The vast majority of the flaws, 96, were patched in Reader and Acrobat and are rated critical or important. Their successful exploitation can lead to arbitrary code execution, privilege escalation or information disclosure.
Fortunately, Adobe is not aware of attacks in the wild that are exploiting any of those flaws. The company advises users to update their Adobe Reader and Acrobat DC installations to version 2018.011.20055 if they are on the Continuous track, to version 2017.011.30096 on the Classic 2017 track and to version 2015.006.30434 on the Classic 2015 track.
The security update for the Adobe Connect web conferencing solution fixes two authentication bypass vulnerabilities that could lead to session hijacking and sensitive information disclosure, as well as one insecure DLL loading issue that could be exploited for privilege escalation. Adobe assigned an update priority of 2 for the Connect patches and advises users to upgrade to version 9.8.1.
The company also released patches for Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1 and 6.0 to fix three server-side request forgery (SSRF) vulnerabilities that are rated important and could lead to sensitive information disclosure.
Finally, the updates for Flash Player address a critical arbitrary code execution vulnerability and an information disclosure flaw rated important. Users are advised to update to Flash Player 30.0.0.134 for their respective platforms.
It’s worth noting that this is Adobe’s last scheduled security update before the Black Hat and DEF CON conferences in early August, where security researchers typically gather to discuss vulnerabilities they found throughout the year. This might explain the massive number of flaws patched in Adobe Reader and Acrobat now to avoid any risk of public disclosure.