Microsoft, Adobe Issue Patches

Thursday, April 12, 2012 @ 05:04 PM gHale


Microsoft released six security bulletins that address 11 vulnerabilities in its products, eight of which are critical. Four of the bulletins address critical holes in all supported versions of Windows, Internet Explorer (IE), the .NET Framework, Office and SQL Server, as well as Microsoft Server and Developer tools.

Attackers could exploit all of these bugs to remotely inject and execute malicious code on a victim’s system via a specially crafted file.

Adobe, on the other hand, released versions 10.1.3 and 9.5.1 of its Acrobat and Reader products to address high-priority security vulnerabilities an attacker could use to cause the application to crash and potentially take control of an affected system. These include memory corruption in the JavaScript API and JavaScript handling, an integer overflow in the TrueType Font (TTF) handling and a security bypass via the Adobe Reader installer, all of which could lead to arbitrary code execution.

Adobe Acrobat and Reader 10.1.2 and earlier 10.x versions, as well as 9.5 and earlier 9.x versions for Windows and Mac OS X, are affected; on Linux, Reader 9.4.6 and earlier 9.x versions are also vulnerable. The company said Reader and Acrobat 10.1.3 also include the Flash Player updates. All users should upgrade to the current versions, officials said.

Meanwhile, for Microsoft, one critical bulletin, MS12-024, addresses a privately reported vulnerability which could allow attackers to modify existing signed executable files.

Another, MS12-027, addresses an issue in Microsoft’s common controls, which are used in numerous Microsoft applications. Exploitation can occur when a user visits a malicious site or opens an email attachment, and it allows remote code execution.

An Internet Explorer bulletin, MS12-023, affects all supported versions of IE and closes 5 holes: one triggered when printing a specially crafted HTML page and four triggered when IE accesses deleted objects in various situations. The rating for these holes is either critical or moderate depending on the combination of operating system and IE version. Finally, MS12-025 closes a vulnerability in the .NET Framework which allows attackers to “take complete control of an affected system”.

The remaining two bulletins, rated “Important” by Microsoft, fix an additional remote code execution problem in Office and an information disclosure issue in Microsoft’s Forefront Unified Access Gateway (UAG).


