Security Alert: Adobe and Microsoft Release Patches

By gTIC

Critical patches were released by both Adobe and Microsoft. These updates include security patches for Adobe Flash Player, Shockwave and ColdFusion applications and the following Microsoft software: Windows, .NET Framework, Silverlight, Office, Visual Studio, Lync, Internet Explorer and Security Software.

FishNet Security recommends that all organizations review these updates and apply patches in a fashion that is in line with corporate policy.

Adobe (http://www.adobe.com/support/security/):

Adobe Security Bulletin APSB13-17

Application Affected: Flash Player

CVE(s): CVE-2013-3344, CVE-2013-3345, CVE-2013-3347

Priority: Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:

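| Product | Updated version | Platform | Priority rating |
|---|---|---|---|
| Adobe Flash Player | 11.8.800.94 | Windows & Macintosh | 1 |
| Adobe Flash Player | 11.7.700.232 | Windows & Macintosh | 1 |
| Adobe Flash Player | 11.2.202.297 | Linux | 3 |
| Adobe Flash Player | 11.1.115.69 | Android 4.x | 3 |
| Adobe Flash Player | 11.1.111.64 | Android 3.x | 3 |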

Adobe has released security updates for:

  • Adobe Flash Player 11.7.700.224 and earlier versions for Windows
  • Adobe Flash Player 11.7.700.225 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.291 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.63 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.59 and earlier versions for Android 3.x and 2.x. 

These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Additional information on this bulletin may be found here.
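A way to check a host inventory against the updated Flash Player versions listed above, written as an added example that is not part of the original alert or of Adobe's bulletin. The platform keys, hostnames and inventory rows are constructed, and treating the first two version fields as a release branch is an assumption of this example.

```python
# Updated versions from the APSB13-17 table, per platform and branch (keys are ours).
FIXED = {
    "windows":   ["11.8.800.94", "11.7.700.232"],
    "macintosh": ["11.8.800.94", "11.7.700.232"],
    "linux":     ["11.2.202.297"],
    "android4":  ["11.1.115.69"],
    "android3":  ["11.1.111.64"],
}

def parse(version):
    """Turn '11.7.700.224' into (11, 7, 700, 224); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {version!r}")
    return tuple(int(p) for p in parts)

def needs_update(platform, installed):
    """True if the install is below the updated version for its branch."""
    fixed = sorted(parse(v) for v in FIXED[platform.lower()])
    have = parse(installed)
    if have >= fixed[-1]:        # at or past the newest updated version
        return False
    for f in fixed:
        if have[:2] == f[:2]:    # assumption: branch = first two fields
            return have < f
    return True                  # assumption: unlisted older branch is unpatched

def triage(inventory):
    """Label each (host, platform, version) row UPDATE, ok or REVIEW."""
    rows = []
    for host, platform, version in inventory:
        try:
            status = "UPDATE" if needs_update(platform, version) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"    # unknown platform or unparseable version
        rows.append((host, platform, version, status))
    return rows

# Constructed sample inventory; hostnames are made up.
SAMPLE = [
    ("ws-01", "windows", "11.7.700.224"),
    ("ws-02", "windows", "11.7.700.232"),
    ("lnx-01", "linux", "11.2.202.291"),
    ("kiosk", "solaris", "11.2.202.223"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-7s %-9s %-13s %s" % row)
```

Comparing only against the highest listed version would wrongly flag 11.7.700.232 on Windows and Macintosh, which is why the check is made within each branch.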

Adobe Security Bulletin APSB13-18

Application Affected: Shockwave Player

CVE(s): CVE-2013-3348

Priority: Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

| Product | Updated version | Platform | Priority rating |
|---|---|---|---|
| Adobe Shockwave Player | 12.0.3.133 | Windows & Macintosh | 1 |

Adobe has released a security update for Adobe Shockwave Player 12.0.2.122 and earlier versions on the Windows and Macintosh operating systems. This update addresses a vulnerability that could allow an attacker who successfully exploits it to run malicious code on the affected system. Adobe recommends that users of Adobe Shockwave Player 12.0.2.122 and earlier versions update to Adobe Shockwave Player 12.0.3.133 using the instructions provided in the "Solution" section of the security bulletin.

Additional information on this bulletin may be found here.

Adobe Security Bulletin APSB13-19

Application Affected: ColdFusion

CVE(s): CVE-2013-3349, CVE-2013-3350

Priority: Adobe categorizes these hotfixes with the following priority ratings and recommends users update their installation to the newest version:

| ColdFusion Version | Hotfix/Patch Version | Platform | Priority rating |
|---|---|---|---|
| 10 | Update 11 | All | 1 |
| 9.0.2 | jrun-hotfix-3329722.jar | JRun | 2 |
| 9.0.1 | jrun-hotfix-3329722.jar | JRun | 2 |
| 9.0 | jrun-hotfix-3329722.jar | JRun | 2 |

Adobe has released a security hotfix for ColdFusion 10 for Windows, Macintosh and Linux. This hotfix addresses a vulnerability (CVE-2013-3350) that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets. 

Adobe has released a security hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun. This hotfix addresses a vulnerability (CVE-2013-3349) that could be exploited to cause a denial of service condition on a system running ColdFusion 9.0, 9.0.1 and 9.0.2 on JRun. ColdFusion 10 customers are not affected by CVE-2013-3349.

Adobe recommends users update their product installation using the instructions provided in the "Solution" section as found in the security bulletin.

Microsoft (http://technet.microsoft.com/en-us/security/bulletin/ms13-jul):

Additional information on the full bulletin may be found at the above link.

Microsoft Security Bulletin MS13-052

Affected Application(s): Windows, .NET Framework, Silverlight

Priority: Critical

This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a trusted application uses a particular pattern of code. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Security Bulletin MS13-053

Affected Application(s): Windows

Priority: Critical

This security update resolves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft Security Bulletin MS13-054

Affected Application(s): Windows, Office, Visual Studio, Lync

Priority: Critical

This security update resolves a privately reported vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync and Microsoft Visual Studio. The vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files.

Microsoft Security Bulletin MS13-055

Affected Application(s): Windows, Internet Explorer

Priority: Critical

This security update resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Security Bulletin MS13-056

Affected Application(s): Windows

Priority: Critical

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted image file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Security Bulletin MS13-057

Affected Application(s): Windows

Priority: Critical

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Security Bulletin MS13-058

Affected Application(s): Security Software

Priority: Critical

This security update resolves a privately reported vulnerability in Windows Defender for Windows 7 and Windows Defender when installed on Windows Server 2008 R2. The vulnerability could allow elevation of privilege due to the pathnames used by Windows Defender. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change or delete data; or create new accounts with full user rights. An attacker must have valid log-on credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.