April Patch Tuesday: Adobe and Microsoft

This month’s patch Tuesday is a big one. Not only did Microsoft release their bulletins, but Adobe also released critical updates for Adobe Reader and Acrobat 9.3.1 for Windows and Mac and Unix along with updates for Reader and Acrobat 8.2.1 for Windows and Mac. These updates address multiple issues including memory corruption, buffer overflows and cross-site scripting.

Adobe has also decided to activate their new updater that will allow users to easily keep their Adobe products up to date. The updater will determine a time when your computer isn’t busy and silently install Adobe’s updates.

Considering Adobe is one of the programs exploited regularly this sounds great right? Well here is the thing, Adobe is releasing the updater, but they have no plans on activating this feature by default in this release. What this means is that people won’t be getting automatic updates unless they choose to turn on the updater.. Adobe however does say they feel this is the best option for most users and they are currently evaluating options for the best long-term solution. One of the solutions they might choose would be to provide users with an opt-in screen as part of the next phase in the roll out.

My feeling is that Adobe needs to take security seriously and start using the more secure methods as default settings.

In the Microsoft world today brings 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office and Exchange. This month’s bulletins affect all operating systems including Windows 7. The ratings for the 11 bulletins range from moderate to critical with 5 critical, 5 important and one moderate. This month’s updates include bulletins addressing the critical SMB vulnerability Microsoft notified us about last November and the vulnerability in VBScript from March of this year.

MS10-019 – is resolving two vulnerabilities in Windows Authenticode Verification. These vulnerabilities may allow attackers to modify executables (PE and CAB files) without making the signature invalid. This bulletin addresses this issue by performing additional verification operations when signing and verifying a portable executable or cabinet files.

MS10-020– is the bulletin Microsoft released addressing the SMB vulnerability. This affects both SMBv1 and SMBv2. The SMB client is mainly used to provide shared access to files and printers on a network. If exploited this could lead to a Denial of Service attack.

MS10-022 – Addresses the vulnerability in VBScript that could allow remote code execution. Users can be exploited by visiting a specially crafted web page and tricked into pressing the F1 key. This bulletin is rated important for users running windows 2000, XP or Server 2003. Users running Windows 7, Server 2008 or server 2008 R2 there is no severity rating. Microsoft is calling it a defense-in-depth measure.

MS10-025 – Resolves a vulnerability in which by modifying the way Windows Media Unicast Services handles transport info network packets. An attacker would be able to take complete control of the computer. Something to note is that on Windows 2000 server Windows Media Services is an optional component and isn’t installed by default.

MS10-026 – Is addressing a vulnerability in how Windows handles MPEG Layer-3 (MP3) audio stream. If a user were to open a specially crafted AVI file the attacker would have complete control of the system.

MS10-027 – Is fixing a vulnerability in Windows Media Player. For users to be exploited they would need to view the malicious web site and open the specially crafted media.

For information about the rest of the bulletins and detailed information about today’s Microsoft release please visit Microsoft Security Bulletin Summery or Adobe Security bulletin.

While updating, keep in mind all of these updates require a restart so make sure you’re ready for a reboot.