Patch Tuesday – what to know and what to do for Microsoft and Adobe users

Both Adobe and Microsoft published Patch Tuesday updates this week.

There are plenty of issues to be concerned about, which we’ve discussed below.

If you’re a Change Controller, it’s time to put your scheduling cap on!

Here are our recommendations to help you to prioritise your own patching.

Adobe Patch Tuesday – August 2012

Adobe wrapped its bad news – or good news if, like me, you prefer to see bugs wrestled, wrangled and dispatched – into three bulletins covering Reader and Acrobat (APSB12-16), Shockwave (APSB12-17), and Flash (APSB12-18).

There aren’t many specifics in APSB12-16, but there’s enough information to tell you, “Don’t hang around applying the Reader and Acrobat updates.”

Twenty CVEs (Common Vulnerabilities and Exposures database entries) have been patched by Adobe. All of the vulnerabilities involve memory corruption bugs such as heap and stack overflows – these can definitely lead to crashes and might just, given a smart enough hacker and sufficient motivation, be exploitable for remote code execution (RCE).

That would mean that you might innocently load a deliberately-damaged data file and end up unknowingly running executable code buried inside it, without any of the usual system warnings.
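The class of bug described above, as an added example that is not code from this article, from Adobe or from Sophos: a toy record format (constructed here) whose length field the parser trusts. The vulnerable parser sits beside a hardened one that checks the field against both the destination buffer and the number of bytes actually read, which is the check whose absence turns a damaged data file into a crash or, with enough attacker effort, into code execution.

```c
/* Added example (not Adobe's or Sophos's code): a toy record format used to
 * illustrate the class of bug the article describes, a length field in a data
 * file that the parser trusts. Format (constructed for this example):
 *   4-byte big-endian length, followed by that many payload bytes,
 *   copied into a fixed 64-byte buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

struct record {
    uint32_t declared_len;
    uint8_t payload[PAYLOAD_MAX];
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable form: the file-controlled length drives memcpy, so a crafted
 * record overflows out->payload and reads past the end of the input.
 * It is never called here; running it on HUGE_LEN_RECORD is undefined
 * behaviour, i.e. the crash the article describes, or worse. */
int parse_record_unchecked(const uint8_t *buf, size_t buf_len, struct record *out) {
    if (buf_len < 4) return -1;
    out->declared_len = read_be32(buf);
    memcpy(out->payload, buf + 4, out->declared_len);
    return 0;
}

/* Hardened form: the length is validated against the destination buffer and
 * against the bytes actually available before any copy happens.
 *   0  success                 -1  input too short for a header
 *  -2  length exceeds buffer   -3  length exceeds bytes present in input */
int parse_record_checked(const uint8_t *buf, size_t buf_len, struct record *out) {
    if (buf == NULL || out == NULL || buf_len < 4) return -1;
    uint32_t len = read_be32(buf);
    if (len > PAYLOAD_MAX) return -2;
    if ((size_t)len > buf_len - 4) return -3;
    out->declared_len = len;
    memcpy(out->payload, buf + 4, len);
    return 0;
}

/* Constructed sample inputs: one well-formed record, one whose length field
 * claims ~4 GB with four bytes behind it, one that claims 16 bytes but is cut
 * short after four. */
static const uint8_t GOOD_RECORD[]      = {0x00,0x00,0x00,0x05,'h','e','l','l','o'};
static const uint8_t HUGE_LEN_RECORD[]  = {0xFF,0xFF,0xFF,0xF0,'A','B','C','D'};
static const uint8_t TRUNCATED_RECORD[] = {0x00,0x00,0x00,0x10,'A','B','C','D'};

/* Status code the checked parser returns for one input. */
int checked_status(const uint8_t *buf, size_t buf_len) {
    struct record r;
    return parse_record_checked(buf, buf_len, &r);
}

/* 1 if the good record parses to the payload "hello", else 0. */
int good_record_roundtrips(void) {
    struct record r;
    if (parse_record_checked(GOOD_RECORD, sizeof GOOD_RECORD, &r) != 0) return 0;
    return r.declared_len == 5 && memcmp(r.payload, "hello", 5) == 0;
}

int main(void) {
    printf("good record:      %d\n", checked_status(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("huge length:      %d\n", checked_status(HUGE_LEN_RECORD, sizeof HUGE_LEN_RECORD));
    printf("truncated record: %d\n", checked_status(TRUNCATED_RECORD, sizeof TRUNCATED_RECORD));
    return good_record_roundtrips() ? 0 : 1;
}
```

The two checks in the hardened parser are independent: a length that fits the buffer can still exceed the bytes read (an over-read), and a length within the input can still exceed the buffer (an overflow). DEP and ASLR, mentioned below for Reader X, only raise the cost of turning the unchecked version into code execution; the bounds check removes the bug itself.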

The patched products are versions 9 and X (which, by the way, is pronounced ten, just like the X in Apple’s OS X) of Adobe Reader and Acrobat.

Note that we still haven’t seen in-the-wild malware which has been able to escape automatically from the strictures of Adobe X products, so the company’s adoption of threat-thwarting technologies such as sandboxing, data execution prevention (DEP) and address space layout randomisation (ASLR) has had a strong protective effect.

Nevertheless, the discovery and patching of potentially-exploitable data execution flaws in Reader X and Acrobat X reminds us that nothing is eternally secure.

Adobe rates these updates as Critical, because of the possibility of RCE. SophosLabs puts them at High, one notch below our most serious risk level, because we haven’t seen any actual exploits yet.

The Flash Player patch is also rated Critical – it fixes an RCE flaw about which Adobe writes:

There are reports that [this Flash Player] vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Lastly, the Shockwave Player update is considered Critical too, closing off as it does an RCE vulnerability.

(More than a year ago, we wondered how many people still genuinely need to have Shockwave Player installed. If you have it but aren’t sure why, perhaps you should try uninstalling it? See if Flash Player is all you need instead.)

Briefly summarised: on a scale of zero to must-patch, the Adobe updates should be considered must-patch.

Microsoft Patch Tuesday – August 2012

Microsoft, in contrast, published nine bulletins covering a range of vulnerabilities and products.

Five of them have been rated Critical by Redmond and High by SophosLabs. That means that remote code execution exploits haven’t yet been seen in the wild, but that there is a “strong possibility” – in the opinion of SophosLabs – that malware might show up to abuse these vulnerabilities.

(SophosLabs reserves Critical to mean not just that RCE is a possibility, but that it should be considered “almost certain” – or, indeed, is already happening.)

Here’s a quick table summarising the Big Five patches from the Microsoft stable:

SophosLabs ID / Microsoft bulletin: why you should care

VET-366 / MS12-060: This patch fixes an RCE vulnerability in the Windows Common Controls. These are ActiveX components added automatically when you install a wide range of Microsoft products, from Office 2003 to SQL Server 2008 R2, on 32 bit, 64 bit and even Itanium platforms. The buggy ActiveX control may very well be on all your PCs and all your servers of all vintages. We haven’t seen an in-the-wild exploit yet, but the vulnerability was publicly disclosed. Patch as soon as you can.

VET-367 / MS12-058: This flaw isn’t in Microsoft’s own code: it comes courtesy of the Oracle Outside In file rendering libraries licensed by Microsoft. The bug manifests itself on your Exchange server when Outlook Web Access users preview documents. This creates a dangerous situation where the behaviour of remote users could expose your in-house servers to RCE. Since the Exchange server runs as LocalSystem, there’s plenty at stake here. Exchange 2007 and 2010 are affected; patch as soon as you can.

VET-368 / MS12-053: This is an RCE vulnerability in Remote Desktop. This creates the irony that a remote PC you’re best placed to support over-the-air may be at special risk of remote code execution as a result. The good news is that RDP is off by default, and the bug applies only to XP Service Pack 3. Non-ancient platforms aren’t affected – but if you still have legacy XP SP3 computers in the wild, patch as soon as you can.

VET-370 / MS12-054: Four vulnerabilities are patched in one go here, covering a range of networking bugs, including one which could allow RCE on a Windows print spooler. The good news is that only on XP and Server 2003 are the flaws considered critical – elsewhere they just cause DoS (denial of service). If you have those legacy platforms, patch as soon as you can.

VET-371 / MS12-052: This is a cumulative security update protecting, amongst other things, against RCE in Internet Explorer. It covers all versions in all bitnesses for all CPUs. That means IE 6, 7, 8 and 9; on x86, x64 and Itanium; on PCs and servers. Patch as soon as you can. (If you’re still using IE6, give humble thanks to Microsoft for still supporting you, but do us all a favour and get rid of it! Soon!)

The remaining Microsoft bulletins (MS12-055, MS12-056, MS12-057 and MS12-059) are Important by Microsoft’s measure. If you want to prioritise, you could leave these until after you’ve swatted the bugs listed above.

However, three of them are RCE vulnerabilities, and one is a kernel bug which allows already-authenticated users to perform what’s called Privilege Escalation (in UNIX parlance, “getting root”).

Remember that RCE and Privilege Escalation can be a handy combination for attackers. Sneak in under the radar without much authority; then wriggle into an officer’s uniform and start giving unauthorised orders.

There you have it.

If you can, do the Adobe and the Internet Explorer updates right away – say, by lunchtime. By all means leave the rest until the early afternoon!

Update: added additional information about Adobe updates for Shockwave and Flash, also patched on 14 August 2012.
