October 8, 2013

Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.

Four of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.

Front and center in the Microsoft patch batch is MS13-080, which addresses the zero-day IE vulnerability (CVE-2013-3893) that Microsoft first warned about on Sept. 17, as well as nine other security flaws in the default Windows Web browser. Amping up the threat level on this flaw, exploit code allowing attackers to leverage the flaw was released publicly last week as a module for the Metasploit exploit framework, a penetration testing toolkit.

Microsoft late last month released a stopgap “Fix It” solution to block exploits against the zero-day flaw, and the good news is that if you already applied that solution, you don’t need to undo those changes before applying this update. The bad news is that this isn’t the only zero-day vulnerability fixed in the IE patch bundle: Researchers at Trustwave Spiderlabs say they’ve confirmed that attackers are already exploiting one of the other flaws fixed in this IE update (CVE-2013-3897).

Ross Barrett, senior manager of security engineering at Rapid7, said another critical Microsoft vulnerability, MS13-083, a flaw in the Windows Common Control Library, “looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net web pages.” Barrett said that if ever there were a real, honest-to-goodness flaw of late that could be considered eminently capable of propelling a self-propagating Internet worm, it is this one.

“If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested,” Barrett said. “However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation.”

More information on the remaining patches is available via the Microsoft Technet blog.

Adobe has issued updates for its Windows versions of Adobe Reader XI and Adobe Acrobat XI. The updates fix a single vulnerability and bring these products to version 11.0.05. Links to the updates and more information about the flaw are available in Adobe’s advisory. The company said that Adobe Reader and Acrobat X (10.1.8) and earlier versions for Windows are not affected, and all versions of Adobe Reader and Acrobat for Macintosh are also not affected by this vulnerability. Adobe also said it is not aware of any exploits or attacks “in the wild” for the issue addressed in this update.


37 thoughts on “Adobe, Microsoft Push Critical Security Fixes”

  1. Debbie Kearns

    You forgot to mention that Adobe Flash Player 11.9 is now released to the public today.

          1. Vee

            Adobe AIR has an update too.

            It does help people looking to grab all the updates, but I can understand your reasoning to only report security updates.

            I still use Qualys BrowserCheck which I learned about years ago from here. That really helps a ton.

      1. JimV

        FileHippo provided notification first thing this morning, but as usual I downloaded the full installer files directly from Adobe’s permanent link instead of using either FileHippo’s or Adobe’s stub installer files. Both AX and non-AX versions are updated to v11.9.900.117.

          1. JCitizen

            I noticed for the machines on my network, File Hippo sent me to the Adobe site as well. Seems they are changing the way they do things with their venerable file checker. I’ve still not tested Ninite, but would like to see if it is a good substitute for it, or even Secunia PSI, or both!

  2. not me

    Gee Brian, after all the great investigative stuff lately this had to be some dry writing. Thanks for ALL the work you do everyday.

    1. Likes2LOL

      > Thanks for ALL the work you do everyday.

      Dittos x 6.022e23! Your blog is very much appreciated, as are the expanded Subject lines on the Brian Krebs Bot e-mail digest.

  3. george

    Useful info, as always, but, to be honest, today and yesterday I came to this site almost every half-hour (no RSS feed fan 🙂 ) to see if you wrote something about the Paunch story.

    1. BrianKrebs Post author

      The Paunch story is complicated. I don’t want to write something that is half-assed. But sometimes these things take time. And there’s no sense in writing just what everyone else is writing. So when I am confident I can advance the story, rest assured I will.

      1. Steve

        And that’s just one of the reasons I follow you here. 🙂

  4. The Oregano Router

    There was also an update for the Internet Explorer Flash Player on x64 Windows 8 systems, KB2886439

    1. Federal Bureau of Incompetence

      Allow me to complete your username, for any interested people here: “Who needs Silk Road when you have”

      1. Black Market Reloaded (5onwnspjvuk7cwvk.onion)

      2. Sheep Marketplace (sheep5u64fi457aw.onion)

      3. DeepBay (deepbay4xr3sw2va.onion)

      The Pandora’s Box has been opened, the Dark Web drug sites will pop up like a bad case of zits, and the drugs will flow like fine wine. Kudos to the FBI for accomplishing nothing. Seriously, the number of anti-FBI vs. pro-FBI comments online regarding Silk Road are probably at least 10 to 1… FBI should take a hint.

      1. tjallen

        The FBI is taking the hint…
        They’re makin’ a list,
        Checkin’ it twice,
        Gonna find out
        Who’s naughty or nice!

  5. JoelCairo

    A little editing is needed here: “Barrett if ever there were a real, honest to goodness flaw of late that would be considerable eminently capable of propelling a self-propagating Internet worm, it is this one.”

    Perhaps: Barrett if ever there were a real, honest-to-goodness flaw of late that be eminently capable of propelling a self-propagating Internet worm, it is this one.

  6. JoelCairo

    The comment software stripped out the suggested replacements, so here’s the alternate text:

    Barrett stated that if ever there were a real, honest-to-goodness flaw of late that could be considered eminently capable of propelling a self-propagating Internet worm, it is this one.

    1. BrianKrebs Post author

      The story was edited and fixed before your comment was even left. Not sure, but perhaps you were working from a cached page?

  7. JimV

    Sigh.

    Yet again there are .NET patches which won’t install on a couple of XP machines in my office and fail with the dreaded 0x643 error code. Neither the NetFX repair tool nor the permissions-reset widget supplied by the MS .NET guru Aaron Stebner is capable of a successful resolution, so I’ll eventually have to waste a day (or more) uninstalling and reinstalling/patching all the different flavors needed on each of those machines.

    No trouble with anything on the Vista or Win7 machines, so perhaps with XP approaching the end of its lifecycle the MS Windows Update crew may not be devoting so much of their time to testing and debugging the monthly patches for XP architecture.

    Either that, or the Windows gremlins just have it in for me — Arrrgh!

    1. JCitizen

      I have pretty good luck as long as I save the .NET updates for last; but then you probably already do that. Vista hasn’t given me any problems for a while. Office 2007 was goofy last time, and I noticed a raft of updates for that as well this time; probably one of them to fix that bad update from last patch Tuesday.

      1. JimV

        Finally got the recalcitrant .NET patch to install. I had run several times a repair tool which the MS .NET guru Aaron Stebner had long ago suggested, but without success until I ran the latest version of the Tweaking.com all-in-one repair tool over the weekend which automates a number of command-syntax apps that AS had also walked me through. The new version is more robust, and I know it won’t damage my OS like some of the various registry cleaners which install adware or malware (or just break things by deleting too many registry elements).

        I toggled most all of its options and had it set a restore point and back up the registry before starting, and after the system rebooted once again tried to install the .NET patch from Windows Update but had low expectations of potential success. To my quite pleasant surprise, the patch installed successfully and so I was then able to successfully install all the subsequent updates which had been blocked.

        For now all is running great on that XP Pro machine, but guess I’ll see whether .NET breaks on it again in a couple of weeks when November’s Patch Tuesday rolls around….

        1. JCitizen

          Ah yes! I do seem to remember reading about that tool somewhere in an article! Good suggestion JimV – thanks! 🙂

  8. capuchinmonkey

    Has Google updated the Chrome browser with version 11.9.900.117 of the integrated Pepper Flash Player yet?

  9. Mike

    Even though we supposedly did not have to undo the temporary patch before installing the new update, Flash still does not have full functionality. I went back to the MSFT web page, but there are no longer any buttons to undo the temp fix. I have the latest Flash update.

  10. bob.

    yeah i know i was on my tablet and the comment link kind of sits on the bottom of scamtrex post. oops 🙂 feel free to remove my post lol

  11. Chris Thomas

    Not mentioned in the Microsoft Security Bulletin for October 2013 is the years old KB951847 (Microsoft .NET Framework 3.5 Service Pack 1) which arrived very shortly after Patch Tuesday in automatic updates. I have a hunch that this little darling has been received by XP users only. This ‘update’ is not amenable to uninstalling so resort is necessary to System Restore which was effective, give or take a minor repair or two in the aftermath.

    I was caught off guard (gnashing of teeth).

    Thank you for the parting gift Mr Ballmer.

    1. BrianKrebs Post author

      Yeah, sorry about that Chris. I actually meant to call out the .NET updates when they’re included, because I recommend people install those separately. Almost every time there are problems with a huge batch of patches from Microsoft like this month’s release, there almost always seem to be .NET updates involved. I prefer to install everything but the .NET updates, reboot and then install them.

      1. Chris Thomas

        You have nothing to apologise for, Brian. I appreciate the great intelligence and insights you place before us.

        The KB number gives a clue. I was plain dopey when I overlooked KB951847.
