Microsoft and Adobe have dealt with dozens of vulnerabilities in their early 2017 patch releases, though Microsoft’s release is quieter than usual.
Towards the end of last year, Google revealed a problem with both Adobe and Microsoft: after a seven-day grace period while it sorted its own fix, Google waited a few days longer before it brought a serious zero-day vulnerability into the public domain.
At the time, Adobe had already acted to fix the problem but Microsoft had not, and a bit of a spat ensued.
It seems neither Adobe nor Microsoft wants such an issue revealed like that again, with the duo releasing patches to fix in excess of 50 vulnerabilities between them.
Adobe’s patches relate to its much-maligned Flash Player, as well as its Reader and Acrobat service. The Flash Player update addresses 13 vulnerabilities: 12 can lead to remote code execution, and the final issue could allow attackers to bypass a security restriction and disclose information.
The Adobe Reader and Acrobat updates deal with 29 vulnerabilities, 28 of which can lead to arbitrary code execution.
None of the vulnerabilities is known to have been exploited in the wild, according to the company, and automatic updates take care of most of the consumer-based workload.
Users should update to Flash Player v126.96.36.199. Acrobat and Reader DC continuous users should upgrade to version 15.023.20053, and classic users to version 15.006.30279.
Microsoft’s releases cover far fewer vulnerabilities, and the bulk of those are actually follow-ons from Adobe’s issues.
MS17-001 resolves a vulnerability in Microsoft Edge, which could allow elevation of privilege if a user views a specially crafted webpage using the browser.
MS17-002 addresses a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Microsoft Office file.
MS17-003 resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
MS17-004 relates to a denial of service vulnerability in the way LSASS handles authentication requests. This security update is rated ‘Important’ for Microsoft Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.