Site Archives Remote Code Execution

Multiple Adobe Product Vulnerabilities

Posted on November 5th, 2010

GSA Reference Number: AD101105-01

Simply Put: Multiple Adobe products are vulnerable to some new high-risk remote code execution issues.  First off, Adobe Flash Player versions earlier than 10.1.85.3 have critical vulnerabilities that can be exploited by an attacker to take control of affected systems.  Adobe has released an update for Flash.  Second, Adobe Acrobat and Reader versions 9.4 and earlier are vulnerable to a similar issue because they implement Flash features through an authplay.dll file that can be called from a PDF.  Finally, Adobe Shockwave Player is vulnerable to attack through a remote code execution issue, as well.  There are no patches available for the Adobe Acrobat, Reader or Shockwave Player vulnerabilities.

Critical Java Update Released

Posted on October 13th, 2010

Simply Put: A critical patch addressing 29 vulnerabilities has been released by Oracle for the Java software platform.

Security Updates Available for Adobe Software

Posted on October 6th, 2010

Adobe has just released its quarterly security updates early to address critical vulnerabilities in Adobe Reader. Gladiator strongly advises that users patch all devices as soon as possible, as some of the Adobe Reader and Flash vulnerabilities could allow remote code execution. Currently, all Adobe installations prior to versions 9.4 or 8.2.5 (for the non v9 code base) are affected by the vulnerabilities. Affected software can be updated using the Adobe update manager or by visiting Adobe’s download pages to obtain the latest version. You can read more about the vulnerabilities and solutions at Adobe’s security blog.

September Microsoft Patch Tuesday

Posted on September 14th, 2010

Microsoft has announced nine new patches today to fix vulnerabilities that could allow remote code execution and elevation of privileges. Four patches are rated Critical by Microsoft and affect Microsoft Windows and Microsoft Office. Five patches are rated Important by Microsoft and affect Microsoft Windows. Gladiator recommends that users with impacted systems apply all Critical patches immediately. Detailed information regarding the patches can be found in Microsoft’s September Security Bulletin.

August Microsoft Patch Tuesday

Posted on August 10th, 2010

Microsoft has announced 15 new patches today to fix vulnerabilities that could allow remote code execution and elevation of privileges. Nine patches are rated Critical by Microsoft and affect Microsoft Windows, Microsoft Office, Microsoft .NET, and Internet Explorer. Six patches are rated Important by Microsoft and affect Microsoft Windows and Microsoft Office. Gladiator recommends that users with impacted systems apply all Critical patches immediately. Detailed information for the patches can be found in Microsoft’s August Security Bulletin.

Adobe Patch Released for Reader and Acrobat Vulnerabilities

Posted on June 30th, 2010

GSA Reference Number: AD100630-01
Related GSA Reference Number: AD100607-01

Simply Put: Adobe has released a patch for the previously reported critical remote-code-execution vulnerability in Adobe Reader and Acrobat. This patch addresses additional issues as well. Users of Adobe Reader and Acrobat versions 9.3.2 and earlier should upgrade.

Vulnerability in Microsoft Help and Support Center

Posted on June 16th, 2010

GSA Reference Number: AD100616-01

Simply Put: Microsoft has released an advisory for a remote code execution vulnerability in Microsoft Windows Help and Support Center. This vulnerability affects Windows XP and Windows Server 2003. This vulnerability can be exploited if a user visits a malicious website or clicks a specially crafted link in an email. Microsoft has also been alerted to targeted attacks using this exploit code. Gladiator recommends that users apply workarounds recommended by Microsoft as soon as possible. No patch has been released yet.