Critical Updates from Microsoft, Adobe, and Oracle
Today is the second Tuesday of January 2010, which makes it the first Patch Tuesday of the year. Microsoft welcomed 2010 by taking things easy this month and released only a single security bulletin.
Light Month from Microsoft
Microsoft security bulletin MS10-001 addresses a vulnerability in the Embedded OpenType font engine. The bulletin is rated Critical, but that rating really only applies to Windows 2000 systems. For all other versions of Windows, the flaw is rated Low.
Tyler Reguly, senior security engineer for nCircle, characterized the Microsoft update as more or less trivial. “Welcome to a slow start to the new year. A single patch, and from a research standpoint, not even an interesting one. All patches should be taken seriously, but this definitely isn’t a fire that needs to be put out quickly; this one can definitely fall into regular patching cycles.”
nCircle director of security Andrew Storms suggests putting the time normally spent on assessing and implementing patches into other worthwhile endeavors. “This is a very light Patch Tuesday from Microsoft and IT security teams should be taking advantage of the situation to address housekeeping items. Take the time this month to find every out-of-date Microsoft system and apply any necessary patches from those 2009 vulnerabilities.”
Storms added, though, that “One of the outstanding bugs that wasn’t patched this month is an SMB denial of service attack vulnerability that has been open since mid-November. Since Microsoft has left the bug open for this long it’s now clear that the threat isn’t as serious as many people believed.”
Adobe and Oracle Join the Fray
While Adobe and Oracle don’t follow the same security update and patch release cycle as Microsoft, both coincidentally released critical updates of their own today.
Adobe published a quarterly patch which addresses a zero-day vulnerability in Adobe Reader that has been actively exploited in the wild since the holidays. As a temporary workaround, Adobe had recommended blacklisting the JavaScript function being exploited.
nCircle’s Storms noted “Once considered the safest document format, Adobe PDF has fallen prey to a rash of serious security threats. After a solid year of security issues, Adobe’s product security and secure product development practices are being seriously questioned. It’s ironic to consider that we may have reached the point where Microsoft Office documents are now more secure than PDF documents.”
Storms also commented on the recommended workaround from Adobe: “Part of the controversy surrounding this vulnerability has been the mitigation advice from Adobe that included the recommendation to disable JavaScript. The security issues surrounding JavaScript and Adobe have left a lot of people wondering why JavaScript is included in Adobe’s PDF products at all.”
Wolfgang Kandek, CTO of Qualys, explains further: “Blacklisting is a capability introduced by Adobe in their last update to Adobe Reader v9 and v8 in October 2009 and might not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader. JavaScript has played a major role in the exploitation of Adobe Reader in 2009, so this is a good preventive and defensive measure. As this setting disables functionality potentially needed by users, IT admins need to evaluate their individual situations.”
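As an added illustration of the two mitigations Kandek describes (this is not code from the article, nor from Adobe, Qualys or nCircle), the PowerShell below audits a Windows host’s Adobe Reader JavaScript settings and optionally applies either the function blacklist or the full JavaScript switch-off. The registry paths, value names, the pipe-separated blacklist format and the default version number are assumptions, not facts from the article, and the function name to blacklist is a placeholder to be filled from Adobe’s own advisory; verify all of them against Adobe’s documentation for the Reader version in use before deploying.

```powershell
# Added example, not from the article. ASSUMPTIONS (verify against Adobe docs):
#   - per-user JavaScript switch: HKCU:\Software\Adobe\Acrobat Reader\<ver>\JSPrefs, DWORD bEnableJS
#   - admin-enforced blacklist:   HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\<ver>\FeatureLockDown\cJavaScriptPerms,
#                                 string tBlackList, entries separated by "|"
param(
    [string]   $ReaderVersion = '9.0',                                   # assumed default
    [string[]] $BlacklistFunctions = @('<function-name-from-Adobe-advisory>'),  # placeholder
    [switch]   $ApplyBlacklist,
    [switch]   $DisableJavaScript
)

$jsPrefs  = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"                                   # assumed
$lockdown = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown\cJavaScriptPerms" # assumed

function Get-ReaderJavaScriptState {
    # Report the current state without changing anything; missing values mean "Reader default".
    $enabled = (Get-ItemProperty -Path $jsPrefs  -Name bEnableJS  -ErrorAction SilentlyContinue).bEnableJS
    $black   = (Get-ItemProperty -Path $lockdown -Name tBlackList -ErrorAction SilentlyContinue).tBlackList
    [pscustomobject]@{
        ReaderVersion     = $ReaderVersion
        JavaScriptEnabled = if ($null -eq $enabled) { 'not set (Reader default: enabled)' } else { [bool]$enabled }
        Blacklist         = if ([string]::IsNullOrEmpty($black)) { @() } else { $black -split '\|' }
    }
}

function Add-ReaderJavaScriptBlacklist {
    param([string[]] $Functions)
    # Merge the requested names into the existing blacklist so earlier entries are kept.
    if (-not (Test-Path $lockdown)) { New-Item -Path $lockdown -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $lockdown -Name tBlackList -ErrorAction SilentlyContinue).tBlackList
    $merged = @()
    if (-not [string]::IsNullOrEmpty($existing)) { $merged += $existing -split '\|' }
    $merged += $Functions
    $merged = $merged | Where-Object { $_ -and $_ -notlike '<*>' } | Select-Object -Unique   # drop unfilled placeholder
    if ($merged.Count -eq 0) { Write-Warning 'No real function names supplied; blacklist left unchanged.'; return }
    Set-ItemProperty -Path $lockdown -Name tBlackList -Value ($merged -join '|') -Type String
}

function Disable-ReaderJavaScript {
    # The blunter mitigation Kandek mentions: turn JavaScript off entirely for this user profile.
    if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
    Set-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -Type DWord
}

Write-Host 'Before:'; Get-ReaderJavaScriptState | Format-List
if ($ApplyBlacklist)   { Add-ReaderJavaScriptBlacklist -Functions $BlacklistFunctions }
if ($DisableJavaScript) { Disable-ReaderJavaScript }
if ($ApplyBlacklist -or $DisableJavaScript) { Write-Host 'After:'; Get-ReaderJavaScriptState | Format-List }
```

Run it with no switches to audit a host; add `-ApplyBlacklist -BlacklistFunctions '<name from the advisory>'` to block a single function while leaving the rest of JavaScript working, or `-DisableJavaScript` for the broader setting Kandek notes may break functionality users depend on. The HKLM lockdown path requires an elevated session, and a per-user `bEnableJS` value can be reverted by the user, which is why the policy-side blacklist is the more robust of the two for managed fleets.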
Oracle joined the party as well, rolling out a quarterly patch of its own. The Oracle update contains a total of 24 updates affecting seven different Oracle products. Most of the vulnerabilities are remotely exploitable without authentication, making them critical security concerns. Database servers should not be exposed to the network, but IT administrators need to scrutinize affected application servers to determine the amount of risk the servers are exposed to.
Zero-Day Exploits
Qualys’ Kandek also noted that Intevydis, a Russian security research firm, announced last week that it plans to publish server-based zero-day vulnerabilities over the next three weeks. “The first two are live and have POC [proof-of-concept] code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments.”
Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.