Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader.
Four of the eight patch bulletins from Microsoft earned its most dire “critical” rating, meaning the updates fix problems deemed so severe that miscreants or malware could use them to break into vulnerable systems without any help from users. The patches impact a broad range of Microsoft products, including Windows, IE, SharePoint, .NET Framework, Office and Silverlight.
Front and center in the Microsoft patch batch is MS13-080, which addresses the zero-day IE vulnerability (CVE-2013-3893) that Microsoft first warned about on Sept. 17, as well as nine other security flaws in the default Windows Web browser. Amping up the threat level on this flaw, exploit code allowing attackers to leverage the flaw was released publicly last week as a module for the Metasploit exploit framework, a penetration testing toolkit.
Microsoft late last month released a stopgap “Fix It” solution to block exploits against the zero-day flaw, and the good news is that if you already applied that solution, you don’t need to undo those changes before applying this update. The bad news is that this isn’t the only zero-day vulnerability fixed in the IE patch bundle: Researchers at Trustwave Spiderlabs say they’ve confirmed that attackers are already exploiting one of the other flaws fixed in this IE update (CVE-2013-3897).
Ross Barrett, senior manager of security engineering at Rapid7, said another critical Microsoft vulnerability — MS13-083, a flaw in the Windows Common Control Library — “looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net web pages.” Barrett said that if ever there were a real, honest to goodness flaw of late that would be considerable eminently capable of propelling a self-propagating Internet worm, it is this one.
“If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested,” Barrett said. “However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation.”
More information on the remaining patches is available via the Microsoft Technet blog.
Adobe has issued updates for its Windows versions of Adobe Reader XI and Adobe Acrobat XI. The updates fix a single vulnerability and bring these products to version 11.0.05. Links to the updates and more information about the flaw is available in Adobe’s advisory. The company said that Adobe Reader and Acrobat X (10.1.8) and earlier versions for Windows are not affected, and all versions of Adobe Reader and Acrobat for Macintosh are also not affected by this vulnerability. Adobe also said it is not aware of any exploits or attacks “in the wild” for the issue addressed in this update.
We know !!
You forgot to mention that Adobe Flash Player 11.9 is now released to the public today.
It was? Where do you see that, Debbie?
This is a cosmetic/bugfix update, and according to Adobe does not include security fixes. I generally don’t write about these updates.
Adobe AIR has an update too.
It does help people looking to grab all the updates, but I can understand your reasoning to only report security updates.
I still use Qualys BrowserCheck which I learned about years ago from here. That really helps a ton.
FileHippo provided notification first thing this morning, but as usual I downloaded the full installer files directly from Adobe’s permanent link instead of using either FileHippo’s or Adobe’s stub installer files. Both AX and non-AX versions are updated to v11.9.900.117.
I noticed for the machines on my network, File Hippo sent me to the Adobe site as well. Seems they are changing the way they do things with their venerable file checker. I’ve still not tested Ninite, but would like to see if it is a good substitute for it, or even Secunia PSI, or both!
Gee Brian, after all the great investigative stuff lately this had to be some dry writing. Thanks for ALL the work you do everyday.
Yeah, there’s only so sexy you can make a set of security updates.
> Thanks for ALL the work you do everyday.
Dittos x 6.022e23! Your blog is very much appreciated, as are the expanded Subject lines on the Brian Krebs Bot e-mail digest.
Useful info, as always but, to be honest today and yesterday come to this site almost every half-hour (no RSS feed fan 🙂 ) to see if you wrote something about Paunch story.
The Paunch story is complicated. I don’t want to write something that is half-assed. But sometimes these things take time. And there’s no sense in writing just what everyone else is writing. So when I am confident I can advance the story, rest assured I will.
And that’s just one of the reasons I follow you here. 🙂
Their was also update for Internet Explorer flash player x-64 bit Windows 8 systems, KB2886439
This post sucks .dry as a bone no drama no hackers nothing just a stupid update 🙂 Here is some funny story a read today . .Last paragraph is epic .Made my day .
Allow me to complete your username, for any interested people here: “Who needs Silk Road when you have”
1. Black Market Reloaded (5onwnspjvuk7cwvk.onion)
2. Sheep Marketplace (sheep5u64fi457aw.onion)
3. DeepBay (deepbay4xr3sw2va.onion)
The Pandora’s Box has been opened, the Dark Web drug sites will pop up like a bad case of zits, and the drugs will flow like fine wine. Kudos to the FBI for accomplishing nothing. Seriously, the number of anti-FBI vs. pro-FBI comments online regarding Silk Road are probably at least 10 to 1… FBI should take a hint.
The FBI is taking the hint…
They’re makin’ a list,
Checkin’ it twice,
Gonna find out
Who’s naughty or nice!
Thanks for the summary here, very useful!
A little editing is needed here: “Barrett if ever there were a real, honest to goodness flaw of late that would be considerable eminently capable of propelling a self-propagating Internet worm, it is this one.”
Perhaps: Barrett if ever there were a real, honest-to-goodness flaw of late that be eminently capable of propelling a self-propagating Internet worm, it is this one.
The comment software stripped out the suggested replacements, so here’s the alternate text:
Barrett stated that if ever there were a real, honest-to-goodness flaw of late that could be considered eminently capable of propelling a self-propagating Internet worm, it is this one.
The story was edited and fixed before your comment was even left. Not sure, but perhaps you were working from a cached page?
Yet again there are .NET patches which won’t install on a couple of XP machines in my office and fail with the dreaded 0x643 error code. Neither the NetFX repair tool or permissions-reset widget supplied by the MS .NET guru Aaron Stebner are capable of a successful resolution, so I’ll eventually have to waste a day (or more) uninstalling and reinstalling/patching all the different flavors needed on each of those machines.
No trouble with anything on the Vista or Win7 machines, so perhaps with XP approaching the end of its lifecycle the MS Windows Update crew may not be devoting so much of their time to testing and debugging the monthly patches for XP architecture.
Either that, or the Windows gremlins just have it in for me — Arrrgh!
I have pretty good luck as long as I save the .NET updates for last; but then you probably already do that. Vista hasn’t given me any problems for a while. Office 2007 was goofy last time, and I noticed a raft of updates for that as well this time; probably one of them to fix that bad update from last patch Tuesday.
Finally got the recalcitrant .NET patch to install. I had run several times a repair tool which the MS .NET guru Aaron Stebner had long ago suggested, but without success until I ran the latest version of the Tweaking.com all-in-one repair tool over the weekend which automates a number of command-syntax apps that AS had also walked me through. The new version is more robust, and I know it won’t damage my OS like some of the various registry cleaners which install adware or malware (or just break things by deleting too many registry elements).
I toggled most all of its options and had it set a restore point and backup the registry before starting, and after the system rebooted once again tried to install the .NET patch from Windows Update but had low expectations of potential success. To my quite pleasant surprise, the patch installed successfully and so I was then able to successfully install all the subsequent updates which had been blocked.
For now all is running great on that XP Pro machine, but guess I’ll see whether .NET breaks on it again in a couple of weeks when November’s Patch Tuesday rolls around….
Ah yes! I do seem to remember reading about that tool somewhere in an article! Good suggestion JimV – thanks! 🙂
Ah so it posted it on wrong post, damn.
xkcd (“a webcomic of romance, sarcasm, math, and language”)
reflects on Adobe updates:
xkcd: All Adobe Updates
Has Google updated the Chrome browser with version 11.9.900.117 of the integrated Pepper Flash Player yet?
Even though we supposedly did not have to undo the temporary patch before installing the new update, Flash still does not have full functionality. I went back to the MSFT web page, but there is no longer any buttons to undo the temp fix. I have the latest Flash update.
Wasn’t this about scamtrex? 🙂
I think you may be commenting on the wrong story, Bob.
yeah i know i was on my tablet and the comment link kind of sits on the bottom of scamtrex post. oops 🙂 feel free to remove my post lol
Not mentioned in the Microsoft Security Bulletin for October 2013 is the years old KB951847 (Microsoft .NET Framework 3.5 Service Pack 1) which arrived very shortly after Patch Tuesday in automatic updates. I have a hunch that this little darling has been received by XP users only. This ‘update’ is not amenable to uninstalling so resort is necessary to System Restore which was effective, give or take a minor repair or two in the aftermath.
I was caught off guard (gnashing of teeth).
Thank you for the parting gift Mr Ballmer.
Yeah, sorry about that Chris. I actually meant to call out the .NET updates when they’re included, because I recommend people install those separately. Almost every time there are problems with a huge batch of patches from Microsoft like this month’s release, there almost always seem to be .NET updates involved. I prefer to install everything but the .NET updates, reboot and then install them.
You have nothing to apologise for, Brian. I appreciate the great intelligence and insights you place before us.
The KB number gives a clue. I was plain dopy when I overlooked KB951847.