Adobe, Microsoft patch document-based attacks

Adobe ditches quarterly update in favour of Patch Tuesday model.

Microsoft is urging organisations to apply its April Patch Tuesday updates, one of which addresses “limited, targeted attacks” that use maliciously crafted RTF files.

The “highest priority update” of nine separate flaws Microsoft addresses in its April update is a flaw in the Windows Common Controls ActiveX control that enables ActiveX-based attacks through rigged RTF documents that are opened in either Microsoft Word or WordPad.

The critical update (MS12-027) will prevent an attacker from exploiting that flaw, which is typically launched by tricking a user into visiting a website.

“If a victim running Office 2007 or 2010 were to receive an exploit for CVE-2012-0158 over the internet or via email, the victim would need to click the Protected View's "Enable Editing" button before the malicious code,” Microsoft security engineer Elia Florio said in a blog post.

Microsoft has provided more information about its six other security bulletins here. It warns that reliable exploits for these are likely to appear in the next 30 days.

The updates address flaws in its Internet Explorer browser, Authenticode, .NET Framework, Office Works Converter and its Forefront Unified Access Gateway.

Adobe also released security updates for four flaws in its frequently targeted document viewers, Adobe Reader and Acrobat.

The updates address “critical” vulnerabilities in several versions of Adobe Reader and Acrobat for Windows, Macintosh and Linux systems.

Even though Adobe has not observed any attacks in the wild, it classed the flaws as critical in recognition of how frequently attacks use flaws in these products; the exception is Acrobat and Reader X, which offer a sandboxed "Protected View".

“Although there are no exploits in the wild targeting any of the vulnerabilities addressed in Adobe Reader 9.5.1, Adobe Reader 9.x continues to be a target for attackers, so, for users who cannot update to Adobe Reader X, we feel that urgently updating Adobe Reader 9.x remains a must to stay ahead of potential attacks,” Adobe’s Secure Software Engineering Team noted on its blog.

The company, which last week took a leaf from Google’s Chrome “silent” updates to improve Flash Player security, will now move to a patching cycle that more closely aligns with the “cadence” of Microsoft’s Patch Tuesday by scrapping its quarterly update cycle.

This means Adobe will continue its monthly Patch Tuesday release cycle, its three-day pre-notification for Reader and Acrobat security updates, and “out of cycle” patches in response to serious zero-day attacks.

“What we are discontinuing is the quarterly cadence and the pre-announcement of the next scheduled release date in the security bulletin for the previous release,” Adobe noted.


Stories by Liam Tung
