This week’s highlights also include patches from Adobe, Riverbed, Juniper and more.
Microsoft Patch Tuesday fixes multiple flaws already under attack
This month, Microsoft has issued security updates for multiple products, including Windows (including fixes for the just-released Creators Update), Hyper-V, Microsoft Office for both Windows and Mac, WordPad, Internet Explorer, Microsoft Edge browser, .NET Framework, Silverlight, Visual Studio for Mac, and Adobe Flash for Windows 8.x and 10. One critical flaw in all supported versions of Microsoft Word has already been used by attackers to spread malware; it only requires opening the document to activate, and can’t be stopped by disabling macros. A second, in Internet Explorer, lets an attacker inject information from one domain into another, and the third, which was not patched but has been mitigated, is in the Encapsulated PostScript (EPS) filter in Microsoft Office. Note that several of the updates bear this warning: “If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution and will provide an update in an upcoming release.”
Adobe issues 59 patches for Flash, Reader, Photoshop, and more
Adobe has released security updates to address vulnerabilities in Adobe Campaign, Flash Player, Acrobat and Reader, Photoshop CC, and Creative Cloud. Most of the bugs – 44 of them – are rated Critical, and could allow a remote attacker to take control of an affected system.
Riverbed Technology patches SteelCentral Portal
Threatpost reports that Riverbed Technology has patched four serious vulnerabilities in its SteelCentral portal that could allow an attacker to access application data, as well as move through the network to compromise other Riverbed agents. The issues were discovered in January by researchers at Digital Defense, who published details of the flaws after the patches were released. Customers can contact Riverbed support through its support portal for more information.
Juniper patches multiple products
The Register reports that Juniper has patched vulnerabilities in nine products, including Junos, EX Series switches, BIND for SRX, vSRX and J-Series units, and the NorthStar controller. Juniper has issued ten security advisories about the issues, some of which can result in denial of service when they cause the device to crash.
The Internet Systems Consortium patches BIND
The Internet Systems Consortium (ISC) has issued patches for three issues in its open-source DNS server, BIND. Two are rated Medium severity, and one, which could be used in a denial of service attack, is rated High. One of the Medium severity flaws could allow an unprivileged user to issue commands that could stop the server, and the other, which only affects servers with specific configurations, could allow an attacker to craft a query that would terminate the program’s execution.
App combinations can steal data
Researchers at Virginia Tech have discovered that pairs of Android apps can be used to steal data. They analyzed more than 100,000 of the most frequently downloaded Android apps, and found almost 23,500 pairs that can leak data. Over half of the pairs also let one of the pair access information it was normally forbidden to see. The Atlantic published a non-technical analysis of the findings, noting that sometimes a malicious app takes advantage of a flaw in another app to execute its attack.
Payday loan firm Wonga suffers data breach
UK-based payday loan firm Wonga has published an advisory warning customers that there has been “illegal and unauthorized access” to their personal data, which may include name, e-mail address, home address, phone number, the last four digits of bank card numbers and/or bank account numbers and sort code. It does not believe passwords were stolen, but recommends customers change their passwords as well as taking other precautions. Up to 245,000 customers in the UK were affected, and an additional 25,000 in Poland.