Patch Tuesday: Microsoft Tackles 48 Flaws, But Adobe Acrobat Dominates

Tom Jowitt,
Adobe

Largish patch update from Microsoft, but administrators advised to tackle Adobe updates ASAP

Microsoft has issued fixes for 48 vulnerabilities spread across six products in its August ‘Patch Tuesday’ security update.

But instead of Microsoft flaws dominating, attention should rather be focused on Adobe, which has patched 67 flaws, 43 of which are ‘critical’.

And for once Adobe Flash is not the main culprit, but rather Acrobat and Acrobat Reader.

microsoft-patch-l

On the Microsoft side, it patched 48 flaws, 15 of which affect Windows. Although Microsoft says that 25 of these vulnerabilities are ‘Critical’ and 27 can result in Remote Code Execution, the good news is that none of these vulnerabilities are currently being exploited in the wild.

“Top priority for patching should go to CVE-2017-8620, which is a vulnerability in the Windows Search service,” said Qualys’ Jimmy Graham. “This is the third Patch Tuesday to feature a vulnerability in this service.”

“Many of the vulnerabilities in this month’s release involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser.”

“It was a busy month, with a total of 48 security issues fixed,” added Bobby McKeown, senior manager of engineering at Rapid7. “All of these have a severity of ‘critical’ or ‘important’, with Remote Code Execution vulnerabilities again figuring highly particularly with Microsoft Edge.

What is your biggest cybersecurity concern?

  • Ransomware (28%)
  • Humans / Social Engineering (27%)
  • State sponsored hackers (14%)
  • Malware (14%)
  • Other (7%)
  • Out of date tools (6%)
  • DDoS (4%)

Loading ... Loading ...

Adobe Flaws

But it could be argued that in August Adobe flaws have overshadowed the Microsoft Patch Tuesday update.

One in particular targeted Adobe Acrobat Reader DC. An arbitrary code execution vulnerability that could potentially be achieved using a social engineering attack was discovered by Cisco’s Talos cybersecurity division.

“For non-Microsoft updates, we have 4 overall from Adobe,” said Ivanti’s Chris Goettl. “The Flash Player update is rated as Priority 1, the other three are rated as Priority 2.  The Acrobat\Reader update is a bit odd this month. 69 total CVEs resolved, 43 of which are rated as Critical CVEs yet it is still rated as a Priority 2.”

Compare this to the Flash update with 2 CVEs, 1 of which was Critical and the math just does not add up…,” he added. “Open question to Adobe on that one, but probably safer to put the Acrobat\Reader update into your Priority 1 bucket this month to be on the safe side.”

Elsewhere, Mozilla Firefox has released Firefox 55 and ESR 52,which fix 29 CVEs, including 5 that are critical

Quiz: Know all about Microsoft?