Microsoft Fixes 24 Browser Flaws, Adobe Repairs Flash Player Bug


Microsoft and Adobe issued critical updates on Tuesday impacting users of Internet Explorer and other browsers that have Flash Player enabled.

Microsoft issued a critical update to Internet Explorer, repairing two-dozen vulnerabilities in the browser and a critical flaw in Windows that can be remotely exploited by an attacker. The Redmond, Wash.-based software maker released six security bulletins as part of its July 2014 Patch Tuesday. The update fixes 29 flaws across its product portfolio.

The two critical bulletins address a variety of vulnerabilities in Internet Explorer and an update to Windows Journal, which fixes an error on workstations and terminal servers where Windows Journal is enabled. Microsoft said it addressed a publicly disclosed vulnerability in Internet Explorer, fixing a serious error that could enable an attacker to bypass the browser's Extended Validation SSL Certificates feature, a built-in security mechanism that verifies the authenticity of secure sessions with banks, eCommerce businesses and other websites. The company said it was unaware of any attacks actively targeting the vulnerabilities it addressed this month.


Adobe Systems repaired three vulnerabilities in Flash Player, including a flaw that could be used by criminals to bypass a Flash Player security restriction and upload stolen data to a remote server. A tool to exploit the weakness was independently released this week by a Google security engineer based in Switzerland. The Adobe update impacts users of Internet Explorer 10 and 11 along with users of Flash Player running on Linux, Apple Macintosh systems and Android devices.

The updates reflect an ongoing barrage of patches for Internet Explorer and Flash Player, two of the most frequently targeted software components on the endpoint, said solution providers who monitor the patching cycle for their clients. Larger firms have established processes in place to test security updates before broadly issuing them to the installed base, said Chris Camejo, director of consulting and professional services at NTT Com Security. Web-based attacks, mainly driven by automated attack toolkits, frequently add exploits targeting vulnerabilities in browsers and their components, including Flash and Java, Camejo said in a recent interview.

"Organizations that are slow to update, and users that aren't properly maintaining their systems are at the greatest risk," Camejo said. "For businesses, these highly used endpoint applications often represent the first stage of an attack."

Adobe Flash and other browser components are often left open to attack, despite available patches from the manufacturer, according to Danish vulnerability management vendor Secunia. The security vendor issued a report earlier this year, finding third-party browser components containing the most vulnerabilities. Those components are frequently not covered in enterprise patch management programs, according to the company. It recently launched a channel program, engaging solution providers in the U.S. to sell its patch management software for third-party components and software applications.

It will be a busy patching month for system administrators as Oracle is also expected to issue its quarterly patch updates impacting users of Java and other Oracle enterprise software and servers, said Wolfgang Kandek, CTO of vulnerability management vendor Qualys. Kandek said the update to Microsoft Internet Explorer posed the biggest risk to enterprise users, because the software maker gave the update the highest exploitability rating, indicating that exploit writers could quickly develop malware targeting some of the vulnerabilities.

"There are no 0-days open for IE, which would dictate the shortest turnaround possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation," Kandek said.

PUBLISHED JULY 8, 2014