Microsoft on Tuesday will push out its first set of patches since it announced the dissolution of the Trustworthy Computing group that gave birth to Patch Tuesday.
The monthly patch cycle was just one output from TwC, which was formed in the ashes of Code Red, Nimda and hundreds of other network worms and email viruses that ran roughshod through vulnerabilities in Windows and other Microsoft software in the early 2000s. With the security group folded under enterprise and cloud computing organizationally, the maturity of vulnerability management and secure development processes at Microsoft enters a new era.
Unfortunately, for the time being for Windows admins, it’s much of the same refrain.
Today’s advance notification gave IT shops a heads-up that nine bulletins are on deck next Tuesday, including a critical Internet Explorer rollup—the ninth straight month Microsoft has patched its flagship browser. The two other critical bulletins affect all supported versions of Windows and the .NET development framework, and address remote code execution vulnerabilities.
Microsoft is also sending out a bulletin rated moderate, a rare rating coming out of Redmond. Moderate ratings are a notch below important and indicate that the exploits for the vulnerability in question require local access or authentication, or apply only where non-default configurations are in use, Microsoft said.
The moderate-rated bulletin addresses a privilege-escalation vulnerability in Microsoft Office 2007 Service Pack 3 IME, or Input Method Editor. IMEs support character-heavy languages, such as Japanese; IMEs are assigned by default in Windows 8.1 once a language is added.
The remaining five bulletins, all rated important, address two remote code execution bugs in Windows and Office, Office Services and Office Web Apps, two privilege escalation flaws in Windows, and a security feature bypass in Microsoft Developer Tools, specifically ASP.NET MVC 2.0, 3.0, 4.0, 5.0 and 5.1.
The Office bugs rated important are in Office 2007, 2010, Office for Mac, Office Compatibility Pack, Word Automation Services and Office Web Apps Server.
Adobe also announced that it plans to soon patch a privacy hole in its Digital Edition 4 e-reader software. Researcher Nate Hoffelder disclosed earlier this week that data from the e-reader on a user’s reading habits are sent in the clear back to Adobe. Hoffelder said some of that data includes book metadata and which pages have been read and in what order.
“Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers,” Hoffelder wrote. “In. Plain. Text. And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.”
Hoffelder posted a response sent to him from Adobe that indicates the company uses that data for license validation and to protect licensing models used by publishers.
The Electronic Frontier Foundation (EFF), meanwhile, likened the leak to the Sony rootkit scandal of 2005.
“The rootkit scandal put several nails in the coffin of DRM and music,” wrote Corynne McSherry. “If enough readers, librarians, publishers and authors speak up, perhaps this latest scandal will do the same for DRM and books.”