Adobe released two security bulletins this week that patched a total of 83 vulnerabilities, including several critical flaws that could allow attackers to remotely take control of vulnerable systems.
The Adobe patches address flaws for Adobe Flash Player, Acrobat and Reader. A third bulletin addresses a single, less serious, privilege escalation vulnerability in the Creative Cloud desktop application.
Adobe's security bulletin for Flash Player covers the Windows, Mac, Linux and ChromeOS versions, while the Acrobat and Reader bulletin updates Windows and Mac versions. "These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe warned in both the Flash Player and Acrobat and Reader bulletins.
"Adobe released three security advisories today, fixing 84 security issues in total," Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif., wrote in a blog post. "This is a big number, but the silver lining is that none of the patches released today were for zero-day vulnerabilities. All vulnerabilities were privately reported to Adobe and, so far, none seem to be exploited before the release of their respective patch."
"Overall, a lot of vulnerabilities are fixed in Adobe core components, and we will see how fast attackers are able to reverse these patches to learn about the vulnerabilities and start targeting unpatched systems," Sarwate wrote. "Therefore, we recommend patching as soon as possible."
The extensive crop of Adobe patches comes after continued criticism this year of Adobe's software, especially Flash. Both Mozilla and Google this summer announced they would drop support of Flash in their respective browsers, Firefox and Chrome. In addition, a research report from cybersecurity firm Digital Shadows recently highlighted Flash as one of the more popular targets of exploit kits: in a review of 22 of the most common exploit kits used by hackers, the company found that a total of 76 vulnerabilities were used, 27 of them in Flash.
In other news:
- The MITRE Corp. introduced the MITRE Challenge, Unique Identification of IoT Devices, a new contest to discover ways to uniquely identify internet of things (IoT) devices. The objective is to explore "nontraditional approaches for identifying IoT devices," according to the Bedford, Mass., nonprofit that operates multiple federally funded research and development centers. While IoT devices may be identifiable in the future through unique digital signatures embedded in devices, MITRE is seeking ways to monitor those devices that are already deployed. "We're looking for a game-changing approach to identifying devices that would require no modification to the existing inventory, e.g., no change in protocols or manufacturing."
- Qihoo 360, the largest shareholder of beleaguered Chinese certificate authority WoSign, is shaking things up at the CA. The company is legally separating operations of WoSign from StartCom, the Israel-based CA that WoSign purchased last year, and removing WoSign CEO Richard Wang. The changes are in response to Mozilla's plan to sanction WoSign as a trusted CA and Apple's move to block new certificates from the CA after Mozilla discovered WoSign had been issuing backdated SHA-1 certificates. Mozilla's charges last month detailed improper practices at the CA, and Mozilla plans to remove both WoSign and StartCom from its trusted CA program for at least one year.
- SAP dropped its biggest crop of patches since 2012, with fixes for 48 vulnerabilities, including one that had been unpatched since 2013. The vulnerability, caused by a missing authentication check, affects SAP NetWeaver AS Java P4. "This service enables a remote control of SAP's Java platform, for example, all SAP Portal systems," ERPScan wrote. The flaw was one of two critical vulnerabilities identified by ERPScan researcher Vahagn Vardanyan. "An attacker can exploit a missing authorization check vulnerability to access a service without passing authorization procedures and use functionality of this service, access to which shall be limited. This may result in an information disclosure, privilege escalation and other types [of] attacks."