Patch Tuesday - what to know and what to do for Microsoft and Adobe users

Filed Under: Featured, Internet Explorer, Microsoft, Vulnerability

Both Adobe and Microsoft published Patch Tuesday updates this week.

There are plenty of issues to be concerned about, which we've discussed below.

If you're a Change Controller, it's time to put your scheduling cap on!

Here are our recommendations to help you to prioritise your own patching.

Adobe Patch Tuesday - August 2012

Adobe wrapped its bad news - or good news if, like me, you prefer to see bugs wrestled, wrangled and dispatched - into three bulletins covering Reader and Acrobat (APSB12-16), Shockwave (APSB12-17), and Flash (APSB23-18).

There aren't many specifics in APSB12-16, but there's enough information to tell you, "Don't hang around applying the Reader and Acrobat updates."

Twenty CVEs (Common Vulnerabilities and Exposures database entries) have been patched by Adobe. All of the vulnerabilities involve memory corruption bugs such as heap and stack overflows - these can definitely lead to crashes and might just, given a smart enough hacker and sufficient motivation, be exploitable for remote code execution (RCE).

That would mean that you might innocently load a deliberately-damaged data file and end up unknowingly running executable code buried inside it, without any of the usual system warnings.

The patched products are versions 9 and X (which, by the way, is pronounced ten, just like the X in Apple's OS X) of Adobe Reader and Acrobat.

Note that we still haven't seen in-the-wild malware which has been able to escape automatically from the strictures of Adobe X products, so the company's adoption of threat-thwarting technologies such as sandboxing, data execution prevention (DEP) and address space layout randomisation (ASLR) has had a strong protective effect.

Nevertheless, the discovery and patching of potentially-exploitable data execution flaws in Reader X and Acrobat X reminds us that nothing is eternally secure.

Adobe rates these updates as Critical, because of the possibility of RCE. SophosLabs puts them at High, one notch below our most serious risk level, because we haven't seen any actual exploits yet.

The Flash Player patch is also rated Critical - it fixes an RCE flaw about which Adobe writes:

There are reports that [this Flash Player] vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Lastly, the Shockwave Player update is considered Critical too, closing off as it does an RCE vulnerability.

(More than a year ago, we wondered how many people still genuinely need to have Shockwave Player installed. If you have it but aren't sure why, perhaps you should try uninstalling it? See if Flash Player is all you need instead.)

Briefly summarised: on a scale of zero to must-patch, the Adobe updates should be considered must-patch.

Microsoft Patch Tuesday - August 2012

Microsoft, in contrast, published nine bulletins covering a range of vulnerabilities and products.

Five of them have been rated Critical by Redmond and High by SophosLabs. That means that remote code execution exploits haven't yet been seen in the wild, but that there is a "strong possibility" - in the opinion of SophosLabs - that malware might show up to abuse these vulnerabilities.

(SophosLabs reserves Critical to mean not just that RCE is a possibility, but that it should be considered "almost certain" - or, indeed, is already happening.)

Here's a quick table summarising the Big Five patches from the Microsoft stable:

SophosLabs Microsoft Why you should care
VET-366 MS12-060 This patch fixes an RCE vulnerability in the Windows Common Controls. These are ActiveX components added automatically when you install a wide range of Microsoft products, from Office 2003 to SQL Server 2008 R2, on 32 bit, 64 bit and even Itanium platforms. The buggy ActiveX control may very well be on all your PCs and all your servers of all vintages. We haven't seen an in-the-wild exploit yet, but the vulnerability was publicly disclosed. Patch as soon as you can.
VET-367 MS12-058 This flaw isn't in Microsoft's own code: it comes courtesy of the Oracle Outside In file rendering libraries licensed by Microsoft. The bug manifests itself on your Exchange server when Outlook Web Access users preview documents. This creates a dangerous situation where the behaviour of remote users could expose your in-house servers to RCE. Since the Exchange server runs as LocalSystem, there's plenty at stake here. Exchange 2007 and 2010 are affected; patch as soon as you can.
VET-368 MS12-055 This is an RCE vulnerability in Remote Desktop. This creates the irony that a remote PC you're best placed to support over-the-air may be at special risk of remote code execution as a result. The good news is that RDP is off by default, and the bug applies only to XP Service Pack 3. Non-ancient platforms aren't affected - but if you still have legacy XP3 computers in the wild, patch as soon as you can.
VET-370 MS12-054 Four vulnerabilities are patched in one go here, covering a range of networking bugs, including one which could allow RCE on a Windows print spooler. The good news is that only on XP and Server 2003 are the flaws considered critical - elsewhere they just cause DoS (denial of service). If you have those legacy platforms, patch as soon as you can.
VET-371 MS12-052 This is a cumulative security update protecting, amongst other things, against RCE in Internet Explorer. It covers all versions in all bitnesses for all CPUs. That means IE 6, 7, 8 and 9; on x86, x64 and Itanium; on PCs and servers. Patch as soon as you can. (If you're still using IE6, give humble thanks to Microsoft for still supporting you, but do us all a favour and get rid of it! Soon!)

The remaining Microsoft bulletins (MS12-055, MS12-056, MS12-057 and MS12-059) are Important by Microsoft's measure. If you want to prioritise, you could leave these until after you've swatted the bugs listed above.

However, three of them are RCE vulnerabilities, and one is a kernel bug which allows already-authenticated users to perform what's called Privilege Escalation (in UNIX parlance, "getting root").

Remember that RCE and Privilege Escalation can be a handy combination for attackers. Sneak in under the radar without much authority; then wriggle into an officer's uniform and start giving unauthorised orders.

There you have it.

If you can, do the Adobe and the Internet Explorer updates right away - say, by lunchtime. By all means leave the rest until the early afternoon!
-

-

Update: added additional information about Adobe updates for Shockwave and Flash, also patched on 14 August 2012.

Patch on jeans image courtesy of Shutterstock.

, , , , , , , , , , , , ,

You might like

10 Responses to Patch Tuesday - what to know and what to do for Microsoft and Adobe users

  1. @tyw7 · 778 days ago

    I took the plunge and uninstalled Shockwave. However, I left Adobe Flash Player on my machine since almost every website uses Flash. Even HTML5 video is not up to par with Flash since they do not offer full screen viewing! But I do prefer HTML5 audio to using plugins.

  2. Freida Gray · 778 days ago

    Since Microsoft has stopped support for Windows XP with SP2 already,& since I have done a system recovery which put my computer back to SP2 I have been unable to get the SP3 update.Without this update I can no longer install updates beyond those that will accept the SP2.So the only updates from this Patch Tuesday that I can install will be the Adobe updates for Reader & for Flash Player

  3. @tyw7 · 778 days ago

    You forgot Java.

    Java (Version 7 Update 6): http://www.oracle.com/technetwork/java/javase/dow... or through the program updater. Not available at the get Java website yet.

    • Paul Ducklin · 777 days ago

      I didn't forget Java :-)

      I covered it separately as Java 1.7.0_6, aka 7u6, was a slightly different deal to a Patch Tuesday update - in particular, it announced "Java for OS X now direct from Oracle with updates at the same time as everyone else", a sea change from only ever getting Mac Java and its updates from Apple.

      My Java 7u6 writeup can be found here:
      http://nakedsecurity.sophos.com/2012/08/15/oracle...

  4. greemble · 777 days ago

    No specific mention, but is the Desktop Gadget problem covered yet?

  5. Sprout · 777 days ago

    Hi - a small typo on VET-368 MS12-055 - should read MS12-053.
    Appreciate your analysis!
    Cheers

  6. Wayne · 777 days ago

    Thanks for reminding me about the Adobe patches. I get notification via WSUS about the Microsoft ones but Adobe has always been hit-or-mis.

  7. Robert · 777 days ago

    At least one site that I use and recommend to my music students requires Shockwave: http://jan.ucc.nau.edu/~tas3/wtc.html
    an award-winning site that explains Bach's Well-Tempered Clavier and fugues in a way no-one else has done.

    • Paul Ducklin · 777 days ago

      There'll be plenty of examples of people who _do_ need Shockwave - just as there are plenty of people who need to have Word, or PowerPoint, or Java installed.

      The trick is, though, not to install stuff you don't need - or, if you need it only occasionally, to install and remove it as required.

      The more holes you have in your computer into which ill-intentioned cybercrooks can poke knitting needles and wiggle them around to see what happens, the more likely it is that something bad will occur. (Trendy security analysts call this "having a large attack surface area" - slipping into military-sounding terminology often has a positive effect on your security budget, which is why you hear a lot of it - but you should be just as worried about those knitting needles.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog