Microsoft and Adobe issued their monthly patch Tuesday releases today, and Microsoft posted eight bulletins, three of which are considered critical including the now-monthly cumulative Internet Explorer update, addressing 24 vulnerabilities in various products. Adobe has fixes for three vulnerabilities in both its Flash Player and ColdFusion lines.
The Microsoft patches, which were plentiful despite last month’s announcement that the company was shuttering its Trustworthy Computing Group, resolve vulnerabilities in Windows, Internet Explorer, the .NET Framework, Developer Tools, Office, Office Services and Web Apps.
Patching priority should be given to MS14-058, a vulnerability in kernel mode driver that could enable remote code execution, according to Russ Ernst of Lumension.
MS14-058 actually resolves two privately reported bugs, the more serious of which could give an attacker the ability to remotely execute code if a user opened a specially crafted document or visited an untrusted website containing embedded TrueType fonts.
Ernst notes that “this is under active attack and is applicable to all shipping versions of Windows, including the Server Core installations of Windows Server 2008 and Windows Server 2012, so it should be patched quickly.”
Second priority, Ernst says, is the cumulative Internet Explorer update, which resolves 14 privately reported vulnerabilities, the most severe of which could be exploited to execute code remotely if the user opens a specially crafted webpage with Internet Explorer.
“Third on your priority list is the final critical bulletin this month, MS14-057. It covers vulnerabilities in the .NET framework that could allow a remote code execution,” Ernst claims. “The vulnerabilities addressed in this bulletin were privately disclosed and there are no known active attacks.”
The remaining bulletins from Microsoft – all important rated – consist of a vulnerability in ASP.net MVC that could allow for an attacker to bypass security features, a remote code execution bug in Windows OLE–which is the zero day used by the Sandworm APT team–another remote code execution issue in Microsoft Word and Office Web Apps, a privilege escalation problem in Message Queuing Service and another privilege escalation issue in FAT32 disk partition driver.
On to Adobe:
This patch Tuesday is primarily a Flash Player affair with security updates for Adobe Flash Player for Windows, Macintosh and Linux, which seal off holes that could potentially have given attackers the capacity to take control of the affected system.
For that reason, four of the nine bugs addressed by the three CVEs here received Adobe highest priority rating. So, users of Flash Player desktop runtime for Windows and Mac should update to version 188.8.131.52 immediately; users of the Flash Player Extended Support Release should update to version 184.108.40.206; and Flash Player installed with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will be automatically updated to the current versions.
The remaining bugs are not nearly as critical, but Adobe is still urging users of Flash Player for Linux to update to version 220.127.116.111; users of the AIR desktop runtime should update to version 18.104.22.1683; users of the AIR SDK and AIR SDK & Compiler should update to version 22.214.171.1242; and users of AIR for Android should update to Adobe AIR 126.96.36.1993.
Adobe gives credit to Ian Beer of Google Project Zero for CVE-2014-0558, Wen Guanxing from Venustech ADLAB for CVE-2014-0564 and bilou working with HP’s Zero Day Initiative for CVE-2014-0569.
Affected products include: Adobe Flash Player 188.8.131.52 and earlier versions, 184.108.40.206 and earlier 13.x versions, 220.127.116.116 and earlier versions for Linux, Adobe AIR desktop runtime 18.104.22.168 and earlier versions as well as the AIR SDK 22.214.171.124 and earlier versions and Compiler 126.96.36.199 and earlier versions and AIR 188.8.131.52 and earlier versions for Android.
The ColdFusion patches are actually hotfixes resolving a series of moderately rated permissions issues and a few cross-site scripting and cross-site request forgery vulnerabilities. The permission problems could be exploited by an unauthenticated local user to bypass Internet protocol address access control restrictions applied to ColdFusion admins.
All of these patches, in versions 11 (fixed by update two), 10 (fixed by update 14), 9.0.2 (fixed by update 7), 9.0.1 (fixed by update 12) and 9.0 (fixed by update 13), are given level two severity ratings, meaning they resolve bugs in important products, but that there are currently no in-the-wild attacks.
Adobe credits Craig Young of Tripwire VERT for CVE-2014-0570, Pete Freitag for CVE-2014-0571 and Aaron Foote for CVE-2014-0572.