Adobe Patches Released for New Critical Flaws

Filed under: Patch Management


Adobe has released dozens of critical patches this week, addressing 42 separate CVEs in its regularly scheduled February updates.

Adobe Puts Out Dozens of Patches

Adobe has released dozens of patches this week, addressing 42 separate CVEs in its regularly scheduled February updates, with 35 of the flaws rated as Critical severity.

The release covers five of Adobe’s widely used products:

  • Adobe Acrobat and Reader
  • Adobe Digital Editions
  • Adobe Experience Manager
  • Adobe Flash Player
  • Adobe Framemaker

“This update addresses multiple critical vulnerabilities,” Adobe stated in its security bulletin. “Successful exploitation could lead to arbitrary code execution in the context of the current user.”

Fixing Framemaker

The majority of the fixes (21) impact Adobe Framemaker, a document processor designed for writing and editing large or complex documents, according to a security advisory published on Tuesday.

The Framemaker flaws include buffer errors, heap overflows, out-of-bounds writes, and memory corruption issues, any of which can lead to the execution of arbitrary code. Adobe Framemaker versions 2019.0.4 and below (for Windows) are affected; the fix ships in version 2019.0.5.

Exploring the Vulnerabilities

Adobe Acrobat and Reader for Windows and macOS also contain 12 similar code execution vulnerabilities. These vulnerabilities include heap overflow, buffer errors, use-after-free flaws, and privilege escalation bugs.

As with the Framemaker bugs, these can lead to arbitrary code execution and file system writes if exploited. Adobe also remediated 3 important out-of-bounds read issues leading to information disclosure and 2 moderate stack exhaustion vulnerabilities that could easily be exploited to cause memory leaks.

The latest update for Adobe Flash Player, an application notorious for its poor security record, fixes a critical arbitrary code execution flaw. If exploited, the flaw could allow attackers to compromise targeted Windows, macOS, Linux, and Chrome OS-based devices.

Adobe Digital Editions, an eBook reader application, also has a critical and an important flaw in versions 4.5.10 and below. The critical flaw stems from a command-injection bug (CVE-2020-3760) that could allow arbitrary code execution. Command-injection attacks are possible when an application passes unsafe user-supplied data (such as form fields or HTTP headers) to a system shell.

Last, but possibly least, Adobe Experience Manager, Adobe’s content management solution, has an important-level uncontrolled resource consumption vulnerability (CVE-2020-3741) that could result in a denial-of-service condition.

Patching the Problems

Though none of the software vulnerabilities resolved this month were publicly disclosed or appear to have been exploited in the wild, all of the products mentioned above should be patched as soon as possible.

For a “one-stop-shop” with vulnerability scanning, patch management and endpoint detection and response in one package, look no further than Syxsense Secure. Available as a standalone software product or alongside 24/7 managed services from our dedicated, experienced team.

The similarly comprehensive Syxsense Manage solution offers additional endpoint, OS and patch management, oversight to complete the picture of meticulous and wide-ranging threat management.

Begin your organization’s journey toward airtight endpoint security with a free trial of Syxsense’s products and services.

Experience the Power of Syxsense

Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Microsoft’s February 2020 Patch Tuesday Fixes 99 Security Issues

Filed under: Patch Management, Patch Tuesday


The official Patch Tuesday updates have arrived for February, including 99 vulnerability fixes. Catch up on the latest news from Microsoft and start patching.

February Patch Tuesday is Here

Microsoft has released 99 patches today. 12 are rated Critical, with the remainder marked Important.

Support for Windows 7 and Windows Server 2008 (including R2) was officially ended last month, but there are plenty of updates released this month for customers who have purchased an extension agreement.

Zero Day Weaponized Bug for IE

CVE-2020-0674, which carries a Critical vendor severity and a High CVSS score, is documented as publicly known and actively weaponized.

This is as close to a Zero Day as you can get, and we encourage all users still running Internet Explorer to update as soon as possible. The vulnerability affects Windows 7, whose support officially ended last month, as well as Windows 10 and Windows Server 2008 through 2012.

Robert Brown, Director of Services for Syxsense said, “If you are still using Internet Explorer on Windows 7 and have not purchased the CSA / ESU extension, you may wish to consider uninstalling IE and replacing it with another browser immediately due to the critical nature of this vulnerability. It has huge potential to be used to install Ransomware or other software simply by accessing an infected website. Customers using Syxsense Manage or Syxsense Secure will be able to deploy all new Windows 7 content to your licensed Windows 7 systems.”

Microsoft released a security advisory for an unpatched IE code-execution vulnerability.

Another Adobe Headache

Adobe released 42 updates today—the largest of the year so far. They have fixed bugs in Framemaker, Experience Manager, Adobe Digital Editions, Flash, and Acrobat and Reader. Both Syxsense and Adobe recommend these Critical updates be deployed within the next 7 days.


Who Are the Worst Vendors of 2019?

Filed under: News, Patch Management


From the highest number of software updates to highest number of critical vulnerabilities, find out which vendors are the worst offenders.

2019 has brought serious threats causing massive disruption and data theft. Which vendor has released the most software updates and fixes in 2019, and of these, which updates are the most critical? Let’s find out!

The top 20 vendors look like this for 2019—this means Microsoft has released the most patches to fix a vulnerability of any severity out of the most popular software vendors.

Let’s see how the top 10 from this list compare when we deep dive into the severity of the vulnerabilities fixed. For simplicity, we will base our statistics on the CVSS Score.

What is a CVSS Score?

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations assess and prioritize their vulnerability management processes.

We can see that Microsoft has released a total of 6330 patches so far this year, with 2143 of these patches resolving a vulnerability with a CVSS score of 9 or higher. Just behind Microsoft in second place is Adobe, which has released 2052 updates.

Let’s take a look at how the most serious vulnerabilities change the original ranking. We can see from the table below that the top 5 vendors have moved significantly, and some moves are unexpected: IBM has dropped out of the top 5 and Adobe has moved into it.

Who’s the worst?

To continue this trend analysis review and to find out who has fixed the highest number of critical vulnerabilities, let’s compare the percentage of those threats against the total number of patches they have released this year.

We do this by dividing the number of vulnerabilities with a CVSS score of 9 or higher by the total number of patches the vendor released, then multiplying by 100 to get a percentage. The following table shows the new ranking of the vendors against the original ranking.
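As an added example that is not part of the original post, the CVSS banding and the re-ranking described above carried out in Python: vendors are ranked first by patch volume and then by the share of their patches that fixed a CVSS 9+ issue. Microsoft’s two figures are the ones quoted in this post; Adobe’s critical count and the vendor "Vendor C" are constructed sample data.

```python
# Added example (not from the post): re-rank vendors by the share of their
# patches that fixed a CVSS >= 9 issue. Microsoft's numbers are the post's
# own figures; Adobe's critical count and "Vendor C" are constructed.

def cvss_band(score: float) -> str:
    """Map a CVSS base score to its qualitative band (CVSS v3.x ranges)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def critical_share(critical: int, total: int) -> float:
    """Percentage of a vendor's patches that fixed a CVSS >= 9 vulnerability."""
    if total <= 0 or not 0 <= critical <= total:
        raise ValueError("critical must be between 0 and total, total > 0")
    return round(critical / total * 100, 2)

# vendor -> (total patches released, patches fixing a CVSS >= 9 issue)
SAMPLE_STATS = {
    "Microsoft": (6330, 2143),  # both figures quoted in the post
    "Adobe": (2052, 900),       # 2052 is from the post; 900 is constructed
    "Vendor C": (400, 300),     # constructed: small vendor, mostly critical fixes
}

def rank_by_volume(stats):
    """Original ranking: most patches released first."""
    return sorted(stats, key=lambda v: stats[v][0], reverse=True)

def rank_by_critical_share(stats):
    """New ranking: highest percentage of critical fixes first."""
    return sorted(stats, key=lambda v: critical_share(stats[v][1], stats[v][0]),
                  reverse=True)

def rank_movement(stats):
    """Positions gained (positive) or lost (negative) in the new ranking."""
    old, new = rank_by_volume(stats), rank_by_critical_share(stats)
    return {v: old.index(v) - new.index(v) for v in stats}

if __name__ == "__main__":
    moves = rank_movement(SAMPLE_STATS)
    for v in rank_by_critical_share(SAMPLE_STATS):
        total, crit = SAMPLE_STATS[v]
        print(f"{v:10} {critical_share(crit, total):6.2f}%  moved {moves[v]:+d}")
```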

Robert Brown, Director of Services said, “What is really surprising is that a third party vendor to Microsoft has fixed more high priority vulnerabilities than them. If you do not have a strategy to include third party updates believing that only Microsoft needs to be patched, I hope this table convinces you to implement a different, more inclusive process. Not only that, some of these third party vendors like Oracle and Cisco are less likely to appear in a patching strategy which would expose a lot of your estate. Lastly, the toolset you use to patch your environment should be flexible to include other non-Windows operating systems like RedHat and Suse.”

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.

Adobe Patches Critical Flaw Twice in One Week

Filed under: News, Patch Management


In a matter of days, Adobe has patched a critical information disclosure flaw in Reader twice.

Adobe has been tripping over its own patches this week.

After its original fix failed, Adobe has issued yet another patch for a critical zero-day vulnerability in its Acrobat Reader. The previous vulnerability (CVE-2019-7089) was resolved last week in Adobe’s February 12 patch release. It was described as a sensitive data leak issue which can lead to information disclosure when exploited.

Cure53 researcher, Alex Inführ, originally reported the zero-day vulnerability in Adobe Reader. The exploit could permit attackers to steal victims’ hashed password values, known as “NTLM hashes.”

Despite an embarrassing few days, Adobe has issued a second patch, tracked as CVE-2019-7815, that will hopefully resolve the issue. This should serve as a reminder of the importance of third-party patching—ensure you never miss an update with Syxsense.


Critical Out-of-Band Adobe Update

Filed under: News

Updates Released for Acrobat Reader and DC on Mac and Windows

A week after its regularly scheduled monthly update, Adobe released more patches to tackle several vulnerabilities. One of the vulnerabilities addressed is rated Critical. In its security bulletin, Adobe states “Successful exploitation could lead to arbitrary code execution in the context of the current user.”

The remaining vulnerabilities addressed are rated Important, so they too could pose a significant threat. While there are no currently known exploits, Adobe recommends the updates be deployed as soon as possible.

Any company should have a stable update deployment strategy already in place. Since Adobe just released its monthly set of updates, work these additional patches into your remediation process. A true IT solution should facilitate the strategies that work best for your unique environments.

Never Miss an Update

Syxsense is straightforward to use while being immensely customizable.

Its Patch Manager covers both Microsoft updates and a large library of third-party software updates. Within the individual patch information, the number of devices that require the update or need to be scanned for it is shown. Clicking either number launches a task that is prepopulated for rapid execution.

In the devices section, the device health indicators and overview gadgets show the current state of device vulnerability. Information about devices that may need specific patches is immediately available.

Our system rules are sets of updates from predetermined vendors. These facilitate rapid update deployments. You can also easily create your own and set up repeatable deployments. Maintenance windows ensure tasks occur around business hours and don’t interrupt productivity. Finally, run reports to confirm that remediation has occurred and prove it to anyone who might need it.

There’s a better way to manage your environment. Start a trial with Syxsense.


Adobe Alert: Zero-Day Update

Filed under: News, Patch Management

Photoshop Gets Edited

Adobe released an out-of-band security update to address two critical remote code execution vulnerabilities impacting Adobe Photoshop CC for Windows and Apple devices.

These two vulnerabilities, identified as CVE-2018-12810 and CVE-2018-12811, impact Adobe Photoshop CC 2018 version 19.x as well as Adobe Photoshop CC 2017 version 18.x.

Although these updates carry an Adobe priority rating of 3, meaning the flaws are not currently being exploited, we advise deploying them proactively as quickly as possible. The vulnerabilities are rated Critical and would be very damaging if active exploitation began.

Use Syxsense to survey your environment and rapidly deploy any needed updates. On the home page, you can quickly see which devices require critical updates.

By clicking on the gadget, you’ll jump right into a patch deployment process, prepopulated to deploy all critical updates to all devices that need them. You can easily modify this task to be more specific or start the task as-is to deploy the critical patches.
