Microsoft released 13 security bulletins, patching 22 vulnerabilities across its product line, including two critical updates affecting Internet Explorer and the Windows DNS Server.
While Microsoft issued fewer updates this month, August was still marked as a busy month for system administrators. Adobe Systems Inc., which issues fixes on a quarterly cycle, issued a critical security update late Tuesday, repairing seven flaws in its Shockwave Player, more than a dozen holes in its Flash Player and an error in its Flash Media Server.
Microsoft addressed seven vulnerabilities in Internet Explorer, including two zero-day flaws. According to MS11-057, Microsoft said an attacker who successfully exploited any of the vulnerabilities could gain the same user rights as the local user. Microsoft said the most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Jason Miller, manager of research and development at VMware’s Shavlik Technologies, said the IE flaws and the Windows DNS error allow cybercriminals to attack systems remotely. Any time there’s a public vulnerability “out in the wild, it’s important to disclose it as soon as possible,” Miller said.
Patching administrators also must address server-side vulnerabilities. MS11-058 addresses two privately reported vulnerabilities in the Windows DNS server. The flaws affect the server side rather than a client request to a DNS server. If the company DNS servers have caching of DNS relaying enabled, the system is at risk. Otherwise, if the DNS role is not enabled, users are not at risk, although they should still deploy the patch to be on the safe side, Miller said.
Another noteworthy bulletin is MS11-065, which resolves a vulnerability in the Remote Desktop Protocol. Although the security bulletin is rated “important” for users of Windows Server 2003, Miller said Microsoft has seen attacks targeting the flaw in the wild. The flaw can be targeted if an attacker sends a malicious remote desktop protocol connection request to the victim’s computer, which could cause the system to crash.
Details outlining all the security bulletins are available at the Microsoft Security Response Center blog.
Adobe update repairs Shockwave Player flaws
Adobe Systems Inc. issued a critical update Tuesday, fixing seven vulnerabilities in Shockwave Player that could be used by an attacker to run malicious code on the affected system and gain access to sensitive data.
Adobe also issued an update to its Flash Player and Flash Media Server. More than a dozen Flash Player flaws were patched in the update. The update affects users of Flash Player on Windows, Macintosh, Linux and Solaris; Flash Player for Android; and Adobe AIR 2.7 and earlier versions for Windows, Macintosh and Android.
Meanwhile, users of Flash Media Server are being urged to update to Flash Media Server 4.0.3 or 3.5.7 to fix a critical vulnerability, which can cause a denial-of-service on an affected system.