Back to qualys.com
54 posts

Adobe October Security Advisories

Adobe released three security advisories today fixing 84 security issues in total. This is a big number but the silver lining is that none of the patches released today were for 0-day vulnerabilities.  All vulnerabilities were privately reported to Adobe and so far none seem to be exploited before the release of their respective patch.

APSB16-32 patches 12 vulnerabilities in Flash player and gets a priority rating of 1. Flash has been targets by Exploit Kits like Rig, Neutrino and Angler and we agree that it should be patched as soon as possible. If left un-patched the vulnerability has a potential to allow attackers to take control of the affected system. It affects the Windows, Mac and Linux runtime as well as flash player for Internet Explorer, Edge and Chrome.

Continue reading …

Adobe September 2016 Security Update

Today Adobe released three security updates that patched Adobe Flash, AIR and Adobe Digital Editions. Top priority goes to Adobe flash bulletin APSB16-29 which fixes a whopping 29 vulnerabilities. This update applies to Windows, Macintosh, Linux and ChromeOS platforms.

Continue reading …

Patch Tuesday July 2016: Microsoft and Adobe

Its July 2016 patch Tuesday and Microsoft has released 11 security updates that affect a host of desktop and server systems. Six updates are categorized as Critical while the rest are categorized as Important.

Most of the critical updates released today affect desktop systems. Top priority should be given to fixing browsers and Office which includes MS16-084 that affects Internet Explorer, MS16-085 which affects Microsoft Edge and MS16-088 for Office. All three updates fix vulnerabilities that allow an attacker to take complete control of the victim’s machine and therefore these should be patched immediately.

Continue reading …

Update: Last Adobe 0-day Patched for the Year

Update: Qualys QID is 124421: Adobe Flash Player and AIR Security Update (APSB16-01).

Original: Adobe issued today their last update for 2015 for its Flash player. It addresses nineteen vulnerabilities and was released out of band because one of them (CVE-2015-8651) is under attack in the wild. At this point attacks are limited to special targets. The update is numbered APSB16-01, not APSB15-33 as expected, most likely because it is basically the planned January 2016 update, anticipated due to the circumstances.

As with all 0-days fixes this one deserves special attention and a quick turnaround.

Patch Tuesday December 2015

There we are: the last Patch Tuesday of 2015. It turns out to be about average, with maybe a bit more severity in the bulletins than usually. We have eight critical bulletins in the total 12, including one that fixes a 0-day vulnerability, currently in use by attackers to escalate privileges in Windows. 0-days used to be very rare occasions, but this year they have become almost mainstream. After all the year started off with a string of 0-days in Adobe Flash and since then we have seen almost every month a patch for a vulnerability that is already under attack. Definitely a sign of the increasing technical capabilities that attackers are wielding and a reminder that IT Managers should not only patch their systems promptly, but also look for additional robustness. Your list of things to look at in 2016 should include investigation of minimal software installs with the least features enabled, plus an additional piece software such as EMET that enhances robustness.

Continue reading …

Adobe Addresses 0-Day Vulnerability in Flash

Just three days after Trend Micro had notified Adobe of a 0-day vulnerability in their Flash player, Adobe addressed the flaw with a patch. APSB15-27 provides fixes for three vulnerabilities, and one of them, CVE-2015-7645, is currently being used in attacks in the wild. You should apply the update as quickly as possible as we expect the exploit to show up in ExploitKits soon, which will greatly increase the number of attacked machines.

Continue reading …

Patch Tuesday October 2015

Patch Tuesday October 2015 turns out to be a light edition. There are only six bulletins, but all of the important products are covered. We have a critical bulletin for Internet Explorer (but not for Edge), a bulletin for Office that has Remote Code Execution (RCE) vulnerabilities, plus Windows Kernel vulnerabilities that allow for Privilege escalation. Plus an interesting issue in Windows shell that allows for RCE as well. Pretty much everybody, meaning all versions of Windows and Office, are affected except this month there are none of the additional software packages with updates (.NET, server software, etc).

Continue reading …