2015-05-14
This week there is quite a long list of updates to follow from Microsoft, Adobe and Mozilla (Firefox).

Despite announcing plans to kill its monthly patch notification for Windows 10, the tech giant has issued its May 2015 Patch Tuesday, releasing 13 security bulletins that address a total of 48 security vulnerabilities across many of its products.

Separately, Adobe has also pushed a massive security update to fix a total of 52 vulnerabilities in its Flash Player, Reader, AIR and Acrobat software.

Moreover, Mozilla has fixed 13 security flaws in the latest stable release of its Firefox web browser, Firefox 38, including five critical flaws.

First, from Microsoft's side:

MICROSOFT PATCH TUESDAY

Three of the 13 security bulletins issued by the company are rated 'critical', while the rest are rated 'important'; none of these vulnerabilities is known to be actively exploited at this time.

The affected products include Internet Explorer (IE), current versions of Windows (and its components), Office, SharePoint Server, Silverlight and the .NET Framework.

The bulletins rated Critical:

MS15-943 – A cumulative update for Internet Explorer that patches 22 separate flaws, including 14 memory corruption bugs; the most severe of them could allow remote code execution.

MS15-944 – Patches two flaws in the OpenType and TrueType font rendering code that is shared by the .NET Framework, Lync, Office, Windows and Silverlight. The most severe of the two could allow remote code execution.

MS15-945 – Patches six flaws in the Windows Journal program, which is installed by default on all supported client versions of Windows. All six flaws could allow remote code execution.

The bulletins rated Important:

MS15-946 – Fixes a pair of vulnerabilities in Office allowing remote code execution.

MS15-947 – Patches one remote code execution vulnerability in SharePoint.

MS15-948 – Patches a pair of vulnerabilities in the .NET Framework allowing denial of service (DoS) and elevation of privilege.

MS15-949 – Fixes one elevation of privilege bug in Silverlight.

MS15-950 – Fixes one elevation of privilege flaw in Windows Service Control Manager.

MS15-951 – Patches six vulnerabilities in the Windows kernel allowing information disclosure and elevation of privilege.

MS15-952 – Fixes one security feature bypass flaw in the Windows kernel.

MS15-953 – Patches a pair of security feature bypass vulnerabilities in VBScript.

MS15-954 – Fixes one denial of service (DoS) bug in the Microsoft Management Console.

MS15-955 – Patches one vulnerability in Schannel allowing for information disclosure.

The company advised users and administrators to test and install the updates as soon as possible. This May 2015 Patch Tuesday could be one of the last Patch Tuesdays from Microsoft.

ADOBE PATCH UPDATES

On Wednesday, Adobe released its latest set of security updates for the Adobe Flash Player, Adobe Reader and Acrobat software, including patches for several critical vulnerabilities.

Adobe patches at least 18 security holes in its Flash Player and AIR software. The updates are available for the Windows, Mac OS X and Linux versions of the software and address "vulnerabilities that could potentially allow an attacker to take control of the affected system," according to the company.

The Flash Player update addresses:

A number of remote code execution vulnerabilities

Four memory corruption vulnerabilities

One heap overflow vulnerability

One integer overflow bug

Three type confusion flaws

One use-after-free vulnerability

A time-of-check time-of-use (TOCTOU) race condition that bypasses Protected Mode in Internet Explorer

Validation bypass issues that could be exploited to write arbitrary data to the file system under user permissions

Memory leak vulnerabilities that could be used to bypass ASLR (Address Space Layout Randomization)

One security bypass vulnerability that could lead to information leaks

Affected Flash Player Versions:

Adobe Flash Player version 17.0.0.169 and earlier

Adobe Flash Player version 13.0.0.281 and earlier 13.x versions

Adobe Flash Player version 11.2.202.457 and earlier 11.x versions

AIR Desktop Runtime 17.0.0.144 and earlier versions

AIR SDK and SDK & Compiler 17.0.0.144 and earlier versions

The Adobe Reader and Acrobat update addresses:

Critical remote code execution vulnerabilities

Five use-after-free vulnerabilities

Heap-based buffer overflow vulnerabilities

One buffer overflow vulnerability

Ten memory corruption vulnerabilities

Affected Adobe Reader and Acrobat Versions:

Adobe Reader XI (11.0.10) and earlier 11.x versions

Reader X (10.1.13) and earlier 10.x versions

Acrobat XI (11.0.10) and earlier 11.x versions

Acrobat X (10.1.13) and earlier 10.x versions

Adobe Acrobat Reader DC is not affected by this security update.
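As an added example (not part of the original article), the following Python check encodes the affected-version ranges listed above so that an inventory of installed Adobe builds can be triaged for patching. The product keys, hostnames and sample versions are constructed for illustration; the "and earlier" wording is interpreted as also covering unlisted majors for Flash Player and AIR (for example 16.x), while Reader and Acrobat are compared only inside the 10.x and 11.x branches the article lists.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'17.0.0.169' -> (17, 0, 0, 169). Tuples compare numerically; comparing
    the raw strings would rank '17.0.0.9' above '17.0.0.169'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


# Per product: last affected version per major branch (from the lists above),
# and whether the newest branch's "and earlier" also covers unlisted majors.
AFFECTED: Dict[str, Tuple[Dict[int, str], bool]] = {
    "flash_player": ({17: "17.0.0.169", 13: "13.0.0.281", 11: "11.2.202.457"}, True),
    "air":          ({17: "17.0.0.144"}, True),
    "reader":       ({11: "11.0.10", 10: "10.1.13"}, False),
    "acrobat":      ({11: "11.0.10", 10: "10.1.13"}, False),
}


def is_affected(product: str, installed: str) -> Optional[bool]:
    """True = needs the update, False = at or past the fixed build,
    None = version line not covered by this advisory (e.g. Reader DC)."""
    branches, open_ended = AFFECTED[product]
    v = parse_version(installed)
    if v[0] in branches:
        # The 13.x and 11.x Flash lines have their own cutoffs: compare inside
        # the branch so a patched 13.x build is not flagged merely because it
        # is numerically below 17.0.0.169.
        return v <= parse_version(branches[v[0]])
    if open_ended:
        return v <= parse_version(branches[max(branches)])
    return None


# Constructed sample inventory (hostname, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "flash_player", "17.0.0.169"),   # exactly at the cutoff
    ("ws-02", "flash_player", "17.0.0.188"),   # a build above the cutoff
    ("ws-03", "flash_player", "13.0.0.289"),   # 13.x, above its own cutoff
    ("ws-04", "flash_player", "16.0.0.305"),   # unlisted major below 17.0.0.169
    ("ws-05", "reader", "11.0.10"),            # Reader XI at the cutoff
    ("ws-06", "reader", "15.007.20033"),       # Reader DC: not covered here
]


def hosts_needing_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    return [host for host, product, ver in inventory if is_affected(product, ver)]
```

Hosts whose version line is not covered (`None`) are left out of the patch list rather than reported as safe, so they can be reviewed against the vendor's own advisory separately.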

The latest Adobe Reader and Acrobat update also resolves:

Various methods to bypass JavaScript API execution restrictions

A memory leak issue

A null-pointer dereference issue that could lead to denial-of-service (DoS) attacks

A bug in the handling of XML external entities that could lead to information disclosure

The company recommends that users accept automatic updates for the Adobe Flash Player desktop runtime for Windows and Mac OS X when prompted, or update manually via the Adobe Flash Player Download Center.

MOZILLA UPDATES

Mozilla addresses five critical flaws, five high-risk bugs and two moderately rated vulnerabilities in Firefox 38.

One of the serious problems fixed in Firefox 38 is an out-of-bounds read and write vulnerability in the validation of "asm.js", a subset of JavaScript; exploiting it could let an attacker read parts of memory that may contain users' sensitive data.

Also among the critical vulnerabilities is a buffer overflow in the way the browser parses compressed XML, which has been fixed in the Firefox 38 update.

The most notable change in Firefox 38 is a feature that enables playback of DRM-protected (Digital Rights Management) video content in the browser.

The latest Firefox release also integrates the Adobe Content Decryption Module (CDM), allowing users to play DRM-wrapped content in the HTML5 video tag.

"A year ago, we announced the start of efforts to implement support for a component in Firefox that would allow content wrapped in Digital Rights Management (DRM) to be played within the HTML5 video tag. This was a hard decision," the company states in its blog post.

“As we explained then, we are enabling DRM to provide our users with the features they require in a browser and allow them to continue accessing premium video content. We don’t believe DRM is a desirable market solution, but it’s currently the only way to watch a sought-after segment of content.”

To limit the risk, Mozilla has also designed a sandbox that encloses the CDM, restricting its interaction with sensitive parts of the system and the browser. In addition, Mozilla is offering a version of Firefox 38 that does not include the CDM component at all.
