Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.
Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.
Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected.
“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote John Harrison, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”
Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys, is particularly worried about MS12-027, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the highest priority security update this month.
“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unsually wide-range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”
Other notable fixes from Microsoft this month include a .NET update, and a patch for at least five Internet Explorer flaws. Patches are available for all supported versions of Windows, and available through Windows Update.
Adobe’s updates fix critical problems in Acrobat and Reader on all supported platforms, including Windows, Mac OS X, and Linux. Users on Windows and Mac can use each products’ built-in update mechanism. The newest, patched version of both Acrobat and Reader is v. 10.1.3 for Windows and Mac systems. The default configuration is set to run automatic update checks on a regular schedule, but update checks can be manually activated by choosing Help > Check for Updates. Reader users who prefer direct links to the latest version can find them by clicking the appropriate OS, Windows, Mac or Linux (v. 9.5.1).
As always, if you have any problems installing or applying these updates, please leave a note about your experience in the comments below.
I have had 2 blue screens of death some time apart after installing the April 2012 Microsoft patches on my Innova laptop with Windows 7. I don’t know if it is due to the patches or not, but this is unusual, as I don’t often have them, certainly not within an hour or so of each other. Has anyone else had a similar problem?
Which one was your blue screen…?
Best start may be at ‘Microsoft Answers’:
No problems with MS updates on win7 x64.
Finally bailed on Adobe Acrobat this weekend after a number of years. Heard good things about Foxit reader, but I tried Sumatra (which updated to 2.0.1 today). Couldn’t recommend it more.
I like Sumatra, too. The last time I tried updating Foxit, it rearranged my desktop icons. I didn’t want to mess around with that.
It is worth noting that Adobe is making a big change to Acrobat in this update. They are separating Flash capability from Acrobat to rely on the external non-activeX plugin. This is good and bad news.
Good if you never need Flash in PDFs which most don’t. You used to have to mangle authplay.dll to disable it. Now it requires a separate installed which you won’t have if you run Chrome or IE.
The downside is that PDF binders/portfolios require it which means some enterprises may have to install the plugin for users that need that functionality. Also if you use Firefox and have Flash installed it doesn’t sound like you can disable it for PDFs anymore. It would be nice if everyone just agreed to stop using Flash so it could die off.
went smooth with eMachines D725, Win 7 Ultimate 32bit.
Why is the Adobe download so EXTREMELY slow even when being downloaded on Verizon’s 4g network?
Sorry, that was me. I was downloading porn. On Adobe’s server. Which millions of other people were also downloading from.
Love Sumatra, especially on older machines with less memory, but:
1) does not have browser plug-in (just save and open outside browser, not too bad)
2) worse, from the manual “Editing interactive forms and adding comments is not implemented.”
But it’s great as reader only.
I always thought the STDU Viewer has less download size (2.1 MB) than Sumatra PDF (4.4 MB and 8.4 MB).
So many constant flaws in the Windows software, I wonder if they do this on purpose so they can constantly “evolve” and continue to produce new versions of their software for sale. A little cynical, but it just seems unreasonable that these security flaws are so consistent.
went smooth with clone desktop, Windows 7 Ultimate 32bit
So if this is only a X.X.3 release for Adobe, I believe they won’t make an MSI available for this, so question: how does everyone else push this out on a corporate network?
For me it doesn’t matter. Our corporate IT department still pushes out Reader 9.3.3, so I uninstalled it and update my own Reader X as Adobe releases fixes.
I do not know why we do not have a choice i.e.:
1. Do the .msi patch with several .msp dance and then deploy with the change of making detailed mistakes.
2. Download an up to date .msi
What do you want? For me it is clear.
I had no trouble on XP S3, or Windows 7 64-bit prof, but on Windows 7 64-bit ultimate, security updates to other programs (Open Office, Java JRE, shockwave) are blocked and will not run. The warning “Publisher could not be verified” appears, but clicking through fails.
The Opacus Sugar CRM plugin for Outlook had all its configuration info wiped out by the updates. You have to reconfigure it. Probably some similar problem for other Outlook plugins(Affected programs Outlook 201, Opacus Sugar CRM plugin).
Thanks for all the great informative news.
I was just wondering if is it possible to have the article date displayed near the titles of your articles. eg-“Adobe, Microsoft Issue Critical Update” What date was this issued.
Second, is this form I’m filling out being transmitted securely ?
Hi Greg, you can load this site in https:// and in which case it would be sent securely. If, however, you have something that is really sensitive, you should probably send it encrypted the old fashioned way. My encryption key is available from the “About the Author” link on this blog.
The date is displayed on each post, albeit in a nonstandard format. If you view these posts on the home page (not in individual post form), the date is there; The big number is the day, followed by the month and year. If you’re viewing the article version of a story (with the comments below), then the date and timestamp are at the bottom of the article (in admittedly small print), just before the comments start.
E.g., the timestamp from this post says:
This entry was posted on Tuesday, April 10th, 2012 at 3:41 pm and is filed under Latest Warnings, Security Tools, Time to Patch. You can follow any comments to this entry through the RSS 2.0 feed. You can skip to the end and leave a comment. Pinging is currently not allowed. Edit this entry
I would like to see each article’s date near the title, as well. I often print Brian’s articles for reference and later research (why do today what you can put off til tomorrow?). I usually write the article’s date near the top of the first printed page.
Btw Brian, our ‘Footer’ does not include “Edit this entry.” Perhaps the krebsonwiki.com version would. 😉
blue screen here one time so far, but im running no pagefile, and with some older xp programs on win 7. this is a laptop with a sdcard slot, and i just leave the card in and on dedicated ready boost. i can open alot of tabs to the point i forgot the pagefile was zero. 4gigs ram. there are so many strange options in windows 7 im thinking i may have purchased the Adams Family edition.