Adobe May 2014 Patch Tuesday
We are now up to 3 bulletins from Adobe.
TL;DR ? Current versions in one simple table (I hope I got that right):
| Windows | OS X | Linux | |
|---|---|---|---|
| Adobe Reader XI | 11.0.07 | 11.0.07 | - |
| Adobe Reader X | 10.1.10 | 10.1.10 | - |
| Adobe Flash Player 13 | 13.0.0.214 | 13.0.0.214 | 11.2.202.359 |
| Adobe Flash Player (Google Chrome) | 13.0.0.214 | 13.0.0.214 | 13.0.0.214 |
| Adobe Flash Player (MSFT Internet Expl) | 13.0.0.214 | - | - |
| Adobe Air SDK | 13.0.0.111 | ||
| Adobe Illustrator Subscription | 16.2.2 | 16.2.2 | |
| Adobe Illustrator Non-Subscription | 16.0.5 | 16.0.5 |
APSB14-14: covering Flash Player [1]. It fixes 6 different vulnerabilities, one of which was found earlier this year during the pwn2own contest (CVE-2014-0510).
These vulnerabilities affect Windows, Linux and OS X. Adobe assigned them "Priority 1" indicating that they may have been used in targeted exploits. This makes this a "Patch Now!" vulnerability for us.
CVE-2014-0510: pwn2own vulnerability. remote code execution with sandbox bypass.
CVE-2014-0516: Same origin bypass
CVE-2014-0517: Security feature bypass
CVE-2014-0518: Security feature bypass
CVE-2014-0519: Security feature bypass
CVE-2014-0520: Security feature bypass
APSB14-15: For Adobe Acrobat and Reader [2]
CVE-2014-0511: pwn2own vulnerability. remote code execution wiht sandbox bypass
CVE-2014-0512: pwn2own vulnerability. remote code execution wiht sandbox bypass
CVE-2014-0521: information disclosure in Javascript API
CVE-2014-0522: code execution (memory corruption)
CVE-2014-0523: code execution (memory corruption)
CVE-2014-0524: code execution (memory corruption)
CVE-2014-0525: code exectution (use after free?)
CVE-2014-0526: code execution (memory corruption)
CVE-2014-0527: code execution (use after free)
CVE-2014-0528: code execution (double free)
CVE-2014-0529: code execution (buffer overflow)
Like the Flash bulletin, this one is rated "Priority 1".
APSB14-11: Hotfix for Adobe Illustrator
CVE-2014-0513: code execution (Stack Overflow)
This bulletin is only rated "Priority 3".
[1] http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
[2] http://helpx.adobe.com/security/products/reader/apsb14-15.html
[3] http://helpx.adobe.com/security/products/illustrator/apsb14-11.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Microsoft May 2014 Patch Tuesday
Overview of the May 2014 Microsoft patches and their status.
IMPORTANT: Don't miss MS14-029. This bulletin fixes ANOTHER vulnerability in MSIE that has already been used in targeted exploits!
| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) | |
|---|---|---|---|---|---|---|
| clients | servers | |||||
|
(released May 1st) |
Security Update for Internet Explorer | |||||
| Microsoft Windows, Internet Explorer CVE-2014-1776 |
KB 2965111 | Yes! | Severity:Critical Exploitability: 1 |
PATCH NOW | Critical | |
| MS14-022 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution | |||||
| Microsoft Server Software,Productivity Software CVE-2014-0251 CVE-2014-1754 CVE-2014-1813 |
KB 2952166 | . | Severity:Critical Exploitability: 1,3 |
Important | Critical | |
| MS14-023 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution | |||||
| Microsoft Office CVE-2014-1756 CVE-2014-1808 |
KB 2961037 | . | Severity:Important Exploitability: 1 |
Critical | Important | |
| MS14-024 | Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (ASLR Bypass) | |||||
| Microsoft Office CVE-2014-1809 |
KB 2961033 | Yes | Severity:Important Exploitability: NA |
Important | Important | |
| MS14-025 | Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege | |||||
| Group Policy Preferences CVE-2014-1820 |
KB 2962486 | . | Severity:Important Exploitability: 1 |
Important | Important | |
| MS14-026 | Vulnerability in .NET Framework Could Allow Elevation of Privilege | |||||
| Microsoft Windows,Microsoft .NET Framework CVE-2014-1806 |
KB 2958732 | . | Severity:Important Exploitability: 1 |
Important | Important | |
| MS14-027 | Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege | |||||
| Microsoft Windows CVE-2014-1807 |
KB 2962488 | Yes | Severity:Important Exploitability: 1 |
Important | Important | |
| MS14-028 | Vulnerability in iSCSI Could Allow Denial of Service | |||||
| iSCSI CVE-2014-0225 CVE-2014-0226 |
KB 2962485 | . | Severity:Important Exploitability: 3 |
Important | Important | |
| MS14-029 | Security Update for Internet Explorer | |||||
| Microsoft Windows, Internet Explorer CVE-2014-0310 CVE-2014-1815 |
KB 2962482 | Yes | Severity:Critical Exploitability: 1 |
PATCH NOW! | Critical | |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments