SOFTWARE GIANTS Microsoft and Adobe have released security updates for their products in order to patch critical vulnerabilities that can be exploited to execute arbitrary code.
This Patch Tuesday, Microsoft published five security bulletins that cover remote code execution and elevation of privilege flaws in Windows, Office and SharePoint.
The MS11-071 bulletin addresses a publicly disclosed DLL hijacking vulnerability in the Windows components handling RTF, TXT and DOC files. By placing a rogue dynamic library into the same remote directory as a file opened by the victim, an attacker can force its execution.
However, because the file sharing protocol is usually disabled on perimeter firewalls, Microsoft only rates this vulnerability as important. The other security bulletins are also rated as important, so this Patch Tuesday is not getting any critical updates.
Two similar library loading flaws are covered by the MS11-073 bulletin for Microsoft Office. They allow a potential attacker to execute malicious code by placing a rogue DLL in the same network directory as an Office file.
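A defender-side check for the library loading flaws covered by MS11-071 and MS11-073, added here as an example and not code from Microsoft or from this article: it walks a share and flags directories where a DLL sits next to document files. The function names, the Office extensions beyond RTF, TXT and DOC, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# RTF, TXT and DOC are the types named in MS11-071; the extra Office
# extensions are an assumption, extend the set to match your environment.
DOC_EXTS = {".rtf", ".txt", ".doc", ".xls", ".ppt"}
LIB_EXTS = {".dll"}


def find_colocated_libraries(root):
    """Return {directory: (docs, dlls)} for each directory under root
    that holds at least one document and at least one DLL."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOC_EXTS)
        libs = sorted(f for f in files if Path(f).suffix.lower() in LIB_EXTS)
        if docs and libs:
            findings[dirpath] = (docs, libs)
    return findings


def build_sample_share(base):
    """Create a constructed directory tree standing in for a file share."""
    layout = {
        "finance": ["q3.xls", "notes.txt"],      # documents only
        "hr": ["policy.doc", "helper.DLL"],      # document plus a DLL
        "tools/bin": ["app.exe", "runtime.dll"],  # DLL but no documents
    }
    for rel, names in layout.items():
        directory = Path(base, rel)
        directory.mkdir(parents=True)
        for name in names:
            (directory / name).write_bytes(b"")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_colocated_libraries(build_sample_share(tmp))
        for directory, (docs, libs) in hits.items():
            print(f"REVIEW {directory}: {libs} next to {docs}")
```

A hit is a prompt for review, not proof of an attack, since some shares legitimately hold both file types.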
The second Microsoft Office bulletin, MS11-072, addresses five separate remote code execution flaws in Excel that can be exploited by tricking victims into opening maliciously crafted XLS files.
The remaining MS11-074 and MS11-070 security bulletins cover six elevation of privilege (EoP) vulnerabilities, one of which is located in the Windows Internet Name Service (WINS) and the rest in SharePoint.
Meanwhile, Adobe released new versions of its Reader and Acrobat products to patch thirteen vulnerabilities, most of them critical. The company urges users to upgrade to Adobe Reader 10.1.1 for Windows and Mac, or Adobe Reader 9.4.6 and Adobe Reader 8.3.1 if they can't switch to the 10.x branch.
The new Adobe Acrobat versions are the same, namely 10.1.1, 9.4.6 and 8.3.1, while Adobe Reader 9.4.6 for UNIX will be released later, on 7 November. In addition to vulnerability patches, the new versions also incorporate the latest Flash Player security update released last month.
These releases are part of Adobe's quarterly patch cycle. The next Adobe Reader and Acrobat security updates are scheduled for Tuesday, 13 December. µ