MICROSOFT HAS RELEASED its monthly Patch Tuesday bug fix bundle, this time addressing 63 vulnerabilities, 22 of which are deemed critical.
While this month's release is somewhat smaller than last month's update, there are more critical vulnerabilities being patched, with the majority of these being in browsers and browser-related technologies.
Five of the critical vulnerabilities are in the Windows Font Library (labelled as Microsoft Graphics in the bulletins). If exploited, these vulnerabilities could lead to remote code execution through a web-based or file-sharing attack, so these updates should be prioritised for workstation-type devices as well as servers.
According to security firm Tripwire, one of the most notable critical bugs is a vulnerability within SharePoint Servers. This bug could allow specially crafted web requests to read unauthorised content or perform actions in the context of an authorised user. This attack is possible due to a failure to properly sanitise certain web requests, and the update ensures proper sanitisation occurs.
"VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-773 today," the firm said.
Another security firm, Trustwave, noted that along with most of the "usual suspects", the MS Chakra Scripting Engine is back in this month's patch, with seven RCE vulnerabilities patched.
"The MS Chakra Scripting Engine is implemented in Internet Explorer 9 as an interpreter for Microsoft's JScript language and made its first appearance last month with eight CVEs patched," the firm said.
As usual, Adobe too issued its monthly bug patch, releasing six bulletins covering 19 vulnerabilities. These are in Flash Player, Experience Manager, InDesign, Digital Editions, ColdFusion, and the PhoneGap Push Plugin.
Of the 19, six are marked as critical in Flash, InDesign, and ColdFusion. While ColdFusion servers should be patched as soon as possible, the patches for Flash or InDesign should be treated as a high priority for workstation-type devices.
Microsoft and Adobe said there are no active attacks against the vulnerabilities addressed in these updates.