Patch Tuesday for February 2011 – Adobe and Microsoft

As expected, today Microsoft and Adobe published updates for Windows, Internet Explorer, Windows FTP service, Visio, Flash Player, Shockwave Player, Reader, Acrobat and ColdFusion.

Microsoft published 3 critical and 9 important fixes today. The first noteworthy fix is MS11-003 (CVE-2010-3971), a recursive CSS vulnerability, discovered last December in Internet Explorer, that could allow remote code execution (RCE). Considering the vulnerability has been included in the MetaSploit Framework for well over a month and we haven’t seen it active in the wild, SophosLabs has rated it medium.

The second critical fix was for MS11-006, (CVE-2010-3970) a flaw in the graphics rendering engine that could allow RCE when thumbnails of files are viewed in Explorer. While we haven’t seen this successfully exploited in the wild yet, there have been reports that some malware authors have made unsuccessful stabs at it. SophosLabs has provided protection against exploitation as MAL/CVE3970-A and rates this flaw as medium.

The last critical patch is MS11-007 (CVE-2011-0033), which closes a hole that could allow an attacker to create a malicious font and lure a user to view a website using that font to compromise their machine. This bug was privately disclosed, but may be interesting to enterprising criminals. SophosLabs has not seen anyone using this as a method of exploitation, so they have decided to rate it medium as well.

Adobe bulletin APSB11-01 resolves 21 vulnerabilities in Shockwave Player. Adobe has rated this patch as critical and more worryingly all 21 vulnerabilities can lead to code execution. I’ve mentioned this before, but I feel the need to again… Do you really need Shockwave Player on your PC? If not, it’s best to reduce the attack surface of your machines by removing it. If you do require it, you can download the latest version at http://get.adobe.com/shockwave.

Adobe bulletin APSB11-02 fixes 13 vulnerabilities in Flash Player, all of which can lead to code execution. Adobe has rated this patch as critical. Because Flash Player is so widely used and distributed, we recommend updating your Flash Player installations as soon as possible. The latest Flash Player can be downloaded from http://get.adobe.com/flashplayer. Users of Google Chrome should have already received an update patching these vulnerabilities.

Adobe bulletin APSB11-03 addresses 29 vulnerabilities in Adobe’s Reader and Acrobat products. This includes fixes for 23 code execution, 1 elevation of privilege, 3 denial of service and 2 cross-site scripting flaws. Adobe has rated this patch as critical. Similar to Flash, the ubiquity of Adobe’s Reader software requires that you update as soon as possible. Fortunately Adobe Reader includes an auto-update function now. Those of you who need to download it for distribution can get it from http://get.adobe.com/reader.

The last bulletin, APSB11-04, affects Adobe ColdFusion and Adobe has rated it as important. It covers five flaws, two of which are related to cross-site scripting. ColdFusion users can find instructions for applying this hotfix in this technical note.

As always, for SophosLabs analysis of all important vulnerabilities visit our latest vulnerabilities page. Microsoft’s advice on the February 2011 patches can be found on their blog. The Adobe security bulletins can be found on their security page.

Update: Microsoft have confirmed that MS11-011 fixes the elevation of privilege bug that bypassed UAC in Windows 7 we wrote about last December.

Creative Commons image of a Band-Aid courtesy of kevindean’s Flickr photostream. Creative Commons image of Bad Fonts courtesy of twcollins Flickr photostream. Creative Commons image of Adobe product montage courtesy of pcsiteuk’s Flickr photostream.