Adobe released five security bulletins today following a pre-notification which was released on Thursday of last week. Highest priority goes to the Flash update APSB17-10 as flash has been the top choice for malware and exploit kits. If left un-patched, the vulnerabilities allow attackers to take complete control of user’s computer if the user views malicious flash content hosted by the attacker. Although flash based exploit kit activity has reduced as compared to last year we still recommend updating this first. The affected versions are listed in the table below:
UPDATE: Microsoft has announced that all updates will be delivered in the March 14 patch cycle.
As covered in our January blog, today Microsoft was supposed to scrap the existing system in which users used to get a bulletin like MS17-001 in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. But as per Microsoft’s blog, February’s Patch Tuesday has been delayed as Microsoft discovered a last minute issue that could impact some customers and could not resolve it in time for the planned update. This comes on the heels of the announcement that individual patches will not be available as they will be bundled together in the monthly Security update or monthly Cumulative update. If there is a problem in the patch for one kernel vulnerability for example, then all kernel or related vulnerabilities cannot be released as they are bundled together. A zero day SMB vulnerability was expected to be patched today and as of this writing there is no official statement on the new release date.
On the Adobe front, three security updated were released and the most important one is for Flash APSB17-04 which affects Windows, Mac, Linux and ChromeOS. If left un-patched this allows attackers to take complete control of the system. An attacker would host malicious flash content and the vulnerability will trigger when victim views the content.
Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Since Flash vulnerabilities have a high potential of being weaponized in exploit kits, organizations should apply both the updates as soon as possible. A total of 13 vulnerabilities were fixed in the Flash update, while 29 were fixed in the Acrobat and Reader. If unpatched, flaws in both the bulletins can potentially allow attackers to take complete control of the affected system.
Adobe released nine security bulletins today in the December Security updates. The most notable update was APSB16-39 for Flash which fixed a 0-day vulnerability with exploits in the wild that is being used in targeted attacks. Adobe products including Flash and Acrobat PDF reader have long being targeted by exploit kits. In addition to the 0-day (CVE-2016-7892), 17 other vulnerabilities were fixed in Flash. This update address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Other updates included in today’s release fixed Coldfusion (APSB16-44) , Robohelp (APSB16-46), Adobe Digital Editions (APSB16-45), InDesign (APSB16-43) , Experience Manager (APSB16-42) , DNG Converter (APSB16-41) and Animate (APSB16-38).
Adobe released APSB16-37 today which is an update to its Flash Player. APSB16-37 fixes nine privately disclosed vulnerabilities. Flash Player runtime for Windows, Mac, Linux as well as Chrome OS and browsers like Microsoft Edge and Google Chrome are affected. This patch comes two weeks after an emergency release on October 26 which fixed an actively attacked Flash Player issue.
Adobe released APSB16-36 today to fix one 0-day vulnerability in Flash. The vulnerability is currently being used in active attacks and therefore Adobe released this emergency fix. If left un-patched, attackers can remotely take complete control of the machine. The vulnerability (CVE-2016-7855) is triggered when the victim views malicious Adobe flash content. Usually innocent users end up with malicious flash content by clicking on bad links from e-mails, blogs, bulletin boards and other sources.
Adobe released three security advisories today fixing 84 security issues in total. This is a big number but the silver lining is that none of the patches released today were for 0-day vulnerabilities. All vulnerabilities were privately reported to Adobe and so far none seem to be exploited before the release of their respective patch.
APSB16-32 patches 12 vulnerabilities in Flash player and gets a priority rating of 1. Flash has been targets by Exploit Kits like Rig, Neutrino and Angler and we agree that it should be patched as soon as possible. If left un-patched the vulnerability has a potential to allow attackers to take control of the affected system. It affects the Windows, Mac and Linux runtime as well as flash player for Internet Explorer, Edge and Chrome.
Its July 2016 patch Tuesday and Microsoft has released 11 security updates that affect a host of desktop and server systems. Six updates are categorized as Critical while the rest are categorized as Important.
Most of the critical updates released today affect desktop systems. Top priority should be given to fixing browsers and Office which includes MS16-084 that affects Internet Explorer, MS16-085 which affects Microsoft Edge and MS16-088 for Office. All three updates fix vulnerabilities that allow an attacker to take complete control of the victim’s machine and therefore these should be patched immediately.