An Adobe zero-day update received top billing as Microsoft released its April Patch Tuesday fixes.
Microsoft issued 13 bulletins for April Patch Tuesday, including a zero-day update for Adobe Flash Player and cumulative security updates for IE and Edge.
There were also even important bulletins, bringing the total for 2016 up to 50.
“Every one of the 13 bulletins requires reboot, which spells massive headache for admins because you’re not secured until the reboot,” said Robert Brown, director of services for Verismic Software Inc., in Aliso Viejo, Calif. “Until the reboot, you can still be exploited and susceptible.”
This month’s batch of patches address 173 individual vulnerabilities, more than four times as many flaws that were addressed last month. There are 29 common vulnerability and exposures, Brown said, which is a dictionary of identifiers for publicly known information security vulnerabilities,- but since some cover more than one operating system, they are counted as individuals.
Adobe, Graphics Component updates receives top priority
Security analysts gave MS16-050 the top priority this month. The bulletin resolves a number of vulnerabilities in Adobe Flash Player. Adobe released its own update, APSB16-10, last week, and said it is aware of reports that one of the vulnerabilities is being actively exploited on machines running Windows 10 and earlier with Flash Player version 220.127.116.116 and earlier.
Microsoft also released a patch for zero day in Windows that allows for privilege elevation.
“Those two vulnerabilities, being able to get into systems through Flash and then being able to escalate to administrator roles using one of the Windows vulnerabilities, that’s kind of the one-two punch that an attacker has to have to fully control a system and do whatever he or she wants with it,” said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif.
The Adobe vulnerability is crucial to patch, analysts said.
“This is the most important update of the year,” Brown said. “The bug can exploit the browser’s Flash plugin, but what makes this so serious is that you don’t need to do anything other than access a webpage. If you simply access a webpage, you’re infected.”
Kandek gave the second highest priority to MS16-039, which resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe vulnerability could allow remote code execution (RCE) if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts, but the bulletin also fixes elevation of privilege vulnerabilities that are already being exploited in the wild.
Read the full article at techtarget.com.