Microsoft and Adobe have released updates for their products.

    Microsoft has announced the release of its next series of patches fixing vulnerabilities in its products. The security fixes, announced earlier in the pre-release notification (March 7), cover a total of 20 unique vulnerabilities (4 fixes with Critical status and 3 with Important status). A detailed report (including the correspondence of fixes to CVE IDs) can be found here. One of the critical updates eliminates a vulnerability that is present in all versions of Internet Explorer, from version 6 through the latest, IE 10. Another critical fix targets the Silverlight platform. Both of these vulnerabilities belong to the “Remote Code Execution” class and can potentially be used to carry out drive-by download / installation attacks, for example as part of an exploit kit.

    Unlike last month, this set contains far fewer fixes (the February set of updates fixed a total of 57 vulnerabilities, most of which were in the "long-suffering" win32k.sys). This month, the critical updates target Microsoft Silverlight, Internet Explorer, Office, and Microsoft Server Software, and the three important updates target Microsoft Windows and Office.

    The MS13-021 update closes nine vulnerabilities in IE that are of type use-after-free.

    Update MS13-027, with the status “Important”, eliminates several “Elevation of Privilege” vulnerabilities in the OS itself. These vulnerabilities are in the built-in USB kernel-mode drivers and affect the entire range of OS versions, from Windows XP through Windows 8, as well as Windows Server 2012. The vulnerability identifiers are CVE-2013-1285, CVE-2013-1286 and CVE-2013-1287. Using them, an attacker can run arbitrary code in kernel mode and elevate privileges to the system level.

    We recommend that our users install the updates as soon as possible and, if they have not already done so, enable automatic delivery of updates through Windows Update (this option is enabled by default).

    Also note that Adobe Flash Player updates were released today. The updates close four vulnerabilities (CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375).

    Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Linux, Adobe Flash Player and earlier versions for Android 4.x, and Adobe Flash Player and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

    These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-0646).
    These updates resolve a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).
    These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-1371).
    These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).
    We recommend that users check the version of Flash Player used by their browser; for this, you can use the official Adobe source here or here. Note that browsers such as Google Chrome and Internet Explorer 10 are updated automatically when a new version of Flash Player is released. You can get Flash update information for your browser at this link.

    The current version of Flash Player for browsers is:

    Be secure.
