The hits just keep on coming, as two of the world’s most high-profile software makers were forced to distribute security updates for critical vulnerabilities in their most popular products over the last several days.
Microsoft issued a patch on June 24 for a “critical” vulnerability discovered in the core XML services code base of many of its most widely used software packages, including supported versions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003 and Office 2007.
The security update is rated as only “moderate” for all supported editions of Windows Server 2003 and Windows Server 2008.
Microsoft said the flaw could allow an attacker to carry out remote code execution if the attacker can lure an affected user into viewing a malicious URL using the Internet Explorer Web browser.
Systems set up to give administrative rights to their users are at even greater risk for exploitation of the XML issue than those set with limited privileges, Microsoft reported in its related security bulletin, located here.
The company said the security update addresses the vulnerability by “modifying the way that the Microsoft XML Core Services performs parameter validation” and it recommends that all affected customers apply the update immediately.
The Microsoft bulletin arrives shortly after desktop publishing market leader Adobe issued its own update June 23 for a “critical” vulnerability affecting multiple versions of its ubiquitous Reader and Acrobat products — located here.
The Adobe flaw, which affects nearly every recent version of the programs, is related to the products’ ability to “sufficiently sanitize user-supplied input,” according to a brief on the issue posted on SecurityFocus.
According to the Adobe warning, an exploit aimed at the problem could cause the applications to crash and could potentially allow an attacker to take control of the affected system.
As a result, the vendor also recommends that affected users update their installations.
Best to hurry up and gets these patches installed; the malware crowd doesn’t tend to sit too long on these types of high-profile announcements.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.