Both Microsoft and Adobe issued 'Patch Tuesday' updates yesterday fixing security flaws across their respective product lines.
Adobe is fixing its products for at least 13 different security vulnerabilities, while Microsoft's tally comes in at 15. In addition to the security patches, both vendors also issued updates on their positions relative to the current threat of fraudulent SSL certificates from Certificate Authority DigiNotar.
"Microsoft Patch Tuesday would be quiet and normal, but Microsoft released an update (KB 2616676) continuing the saga of recent stolen DigiNotar certificates," Wolfgang Kandek, CTO of Qualys wrote in a blog post. "The update revokes certificates signed by two Certificate Authorities (CAs): Entrust and Cybertrust who issued certificates on behalf of DigiNotar."
At the end of August, attackers broke into DigiNotar and began issuing fake SSL certificates for multiple sites including Google. Multiple browser vendors including Mozilla Firefox and Microsoft Internet Explorer have since revoked DigiNotar certificates.
Adobe's Patch Tuesday update now also removes DigiNotar from the list of trusted Certificate Authorities in Adobe Reader and Reader X.
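A defender's check for the Windows side of this, as an added example that is not part of the original article: it reports whether the KB 2616676 update named above is present and whether any DigiNotar certificate remains in a trusted store. It assumes a Windows host with the Cert: provider and that the update is listed by Get-HotFix; the function name is hypothetical.

```powershell
# Added example (not from the article): report whether this Windows host has
# the KB2616676 update and whether any DigiNotar certificate is still trusted.
# Assumes PowerShell with the Cert: provider and Get-HotFix available.
function Get-DigiNotarTrustStatus {
    param(
        [string]$HotfixId = 'KB2616676',   # update named in the article
        [string]$Pattern  = 'DigiNotar'     # CA name to search for
    )

    # Get-HotFix reads Win32_QuickFixEngineering; assumption: the update is listed there.
    $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue

    # Stores where a still-trusted DigiNotar certificate would be a problem...
    $trustedStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                     'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
    # ...and the Untrusted Certificates store, where revoked CAs are placed.
    $disallowedStores = 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed'

    $match = { param($c) $c.Subject -match $Pattern -or $c.Issuer -match $Pattern }

    $stillTrusted = foreach ($s in $trustedStores) {
        Get-ChildItem $s -ErrorAction SilentlyContinue | Where-Object { & $match $_ } |
            Select-Object @{n='Store';e={$s}}, Subject, Thumbprint, NotAfter
    }
    $distrusted = foreach ($s in $disallowedStores) {
        Get-ChildItem $s -ErrorAction SilentlyContinue | Where-Object { & $match $_ } |
            Select-Object @{n='Store';e={$s}}, Subject, Thumbprint
    }

    [pscustomobject]@{
        HotfixInstalled   = [bool]$hotfix
        HotfixInstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        StillTrusted      = @($stillTrusted)   # should be empty after the update
        Distrusted        = @($distrusted)
    }
}

$status = Get-DigiNotarTrustStatus
$status | Format-List
if (-not $status.HotfixInstalled -or $status.StillTrusted.Count -gt 0) {
    Write-Warning 'DigiNotar revocation not fully applied on this host.'
}
```

An empty StillTrusted list together with entries under Distrusted is the expected state once the update has been applied.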
Beyond the DigiNotar fix, Microsoft has issued a number of patches that it has rated as being 'important.' The MS11-071 advisory titled, 'Vulnerability in Windows Components Could Allow Remote Code Execution' carries a high Common Vulnerability Scoring System (CVSS) rating of 9.3 (out of a scale of 10) according to a rating given by Cisco.
"The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file," Microsoft warned in its advisory.
Microsoft is also providing a fix for a set of five important vulnerabilities in Excel. The flaws could be triggered by a malicious Excel file and would enable unauthorized remote code execution.
Microsoft Office has been tagged with an additional two vulnerabilities that could also potentially lead to remote code execution.
"The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file," Microsoft warned.
The Adobe Reader and Acrobat Patch Tuesday updates fix multiple critical vulnerabilities in Reader X, Reader 9.4.2 and Acrobat X. The flaws could potentially lead to arbitrary code execution if not patched. At the root cause are buffer, heap and stack overflow vulnerabilities in Adobe's code.
Adobe has taken steps in recent years to improve security. Brad Arkin, senior director of Product Security and Privacy at Adobe, told InternetNews.com earlier this year that the Reader X product, in general, has improved security by way of a sandbox that protects against multiple types of attacks.