Microsoft, Adobe and Google have released patches for their products to fix Critical security vulnerabilities. Microsoft released eight security bulletins – two rated Critical and six rated Important – to address 13 different vulnerabilities in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. Adobe released security updates to address multiple vulnerabilities in Reader, Acrobat, Flash Player, and Illustrator. For both companies, some of the vulnerabilities could allow hackers to run arbitrary code and take control of the affected system. Google also updated its Chrome web browser with the new version of Adobe Flash, but it also took the opportunity to patch some vulnerabilities in the internals of its browser.
Listed among Microsoft’s updates is a patch for IE which fixes the zero-day vulnerability that attackers were using against the browser at the end of April. Microsoft released this particular patch on May 1, 2014, and it also applied to Windows XP. However, the same can’t be said of the rest of Microsoft’s updates: XP is now officially dead, from a support point of view anyway.
May’s patches also include another update for IE, this time to fix two privately reported vulnerabilities in the browser. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. IE 6 through IE 11 are all affected.
Microsoft are also recommending that system administrators ensure that their systems are updated with MS14-024 and MS14-025. The former fixes a vulnerability in the MSCOMCTL common controls library that could allow a security feature bypass if a user views a specially crafted webpage with a web browser capable of instantiating COM components, such as Internet Explorer. The latter patches a vulnerability in Windows that could allow elevation of privilege if the Active Directory Group Policy preferences are used to distribute passwords across the domain. The update removes the ability to configure and distribute passwords that use certain Group Policy preference extensions because such actions could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
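The Group Policy preferences problem that MS14-025 addresses leaves a trail an administrator can audit: the affected preference XML files in SYSVOL carry the stored password in a cpassword attribute. The following Python script is an added example (not from the article or from Microsoft) that walks a SYSVOL tree, or an offline copy of it, and reports every preference item that still carries a non-empty cpassword so those entries can be retired; the sample Groups.xml is constructed, and the list of preference file names is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# GPP XML files whose items can carry a cpassword attribute (assumed well-known names).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample resembling a Groups.xml from SYSVOL (not real data); only the first item has a cpassword.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" changed="2014-05-01 10:00:00">
    <Properties action="U" cpassword="PLACEHOLDER_ENCRYPTED_BLOB" userName="localadmin" neverExpires="1"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" changed="2014-05-01 10:05:00">
    <Properties action="U" userName="helpdesk" neverExpires="0"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text, source="<string>"):
    """One finding per preference item whose Properties element carries a non-empty cpassword.
    Walks every element, so one routine covers Groups, Services, ScheduledTasks, Drives, etc."""
    findings = []
    for item in ET.fromstring(xml_text).iter():
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue  # no stored password on this item
        findings.append({
            "source": source,
            "item": item.tag,                 # e.g. User, NTService, Task, Drive
            "name": item.get("name", ""),
            "account": props.get("userName") or props.get("accountName") or props.get("runAs") or "",
            "changed": item.get("changed", ""),
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL tree (or an offline copy) and collect cpassword findings from GPP files."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn in GPP_FILES:
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        findings.extend(find_cpassword_entries(fh.read(), path))
                except (OSError, ET.ParseError) as exc:
                    print(f"skipping {path}: {exc}")
    return findings

for f in find_cpassword_entries(SAMPLE_GROUPS_XML, "Groups.xml"):
    print(f"{f['source']}: {f['item']} '{f['name']}' (account {f['account']}) still carries cpassword")
```

Run `scan_sysvol(r"\\<domain>\SYSVOL\<domain>\Policies")` on a domain controller (or on a copied tree) to list every GPO item that still stores a password; each hit should be removed from the preference and the account's password rotated.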
Adobe’s updates cover the following products:
- Adobe Reader XI 11.0.07 for Windows and Macintosh
- Adobe Reader X 10.1.10 for Windows and Macintosh
- Adobe Acrobat XI (11.0.07) for Windows and Macintosh
- Adobe Acrobat X (10.1.10) for Windows and Macintosh
- Adobe Flash Player 184.108.40.206 for Windows, Macintosh, and Linux
- Adobe Flash Player 220.127.116.119 for Linux
- Adobe AIR SDK and Compiler 18.104.22.168 for Windows and Macintosh
- Adobe Illustrator (subscription) 16.2.2 for Windows and Macintosh
- Adobe Illustrator (non-subscription) 16.0.5 for Windows and Macintosh
The patch for Adobe Illustrator (CS6) for Windows and Macintosh fixes a “vulnerability that could be exploited to gain remote code execution on the affected system”, while the updates for Adobe Flash Player “address vulnerabilities that could potentially allow an attacker to take control of the affected system.” All the updates are rated as Critical, including the third set, which patches Adobe Reader and Acrobat XI to “address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”
With the release of a new version of Adobe Flash, Google released Chrome 34.0.1847.137 for Windows, Mac and Linux to include Flash Player 22.214.171.124. However, the search giant also took the opportunity to fix three security problems. The non-Google researchers who contributed to finding the vulnerabilities were rewarded $4500 between them for their efforts:
- [$2000] High CVE-2014-1740: Use-after-free in WebSockets. Credit to Collin Payne.
- [$1500] High CVE-2014-1741: Integer overflow in DOM ranges. Credit to John Butler.
- [$1000] High CVE-2014-1742: Use-after-free in editing. Credit to cloudfuzzer.