It’s Microsoft’s July Patch Tuesday and Redmond has issued fixes for four critical flaws while Adobe contribution is 34 fixes for critical flaws in Adobe Flash Player.
The good news for browser users around the world with this update is that the fixes Adobe has made available today for Flash Player aren’t already under attack. They follow last months’ emergency fixes for flaws revealed in a leak from an Italian surveillance vendor that have since been used in numerous attacks, including malvertising campaigns levelled at visitors to Yahoo.
Still, as Adobe noted in a security bulletin on Tuesday, the updates address numerous critical vulnerabilities that could allow an attacker to take control of an affected Windows, Mac of Linux system.
The Flash Player update is the first to include fixes for Microsoft’s new Windows 10 browser Edge which affect the Flash libraries inside it and prior editions, including Internet Explorer 10 and 11.
Adobe noted that Flash Player installed with Edge on Windows 10 will be automatically updated to Flash Player 126.96.36.199, which is the same version as the software installed with Google’s Chrome browser for Windows and Mac while version 188.8.131.52 is for Linux and Chrome OS.
Microsoft’s July security included fixes for 14 bulletins, including a cumulative security update for three remotely exploitable flaws in its Edge browser as well as one bug that bypasses its anti-exploitation feature ASLR or address space layout randomisation.
“The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” Microsoft said.
Microsoft noted that three bugs fixed in this update had not been publicly disclosed and were not currently exploited.
Meanwhile, the ASLR bypass required that a logged on user of Edge browser to a malicious site.
“Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this,” Microsoft explained.
Microsoft also fixed a critical flaw in Office that it said was being exploited by hackers.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here