Microsoft, Adobe Plan Critical Patch Tuesday Security Updates

Microsoft's Patch Tuesday updates touch Windows, Internet Explorer and a host of other products, while Adobe plans to patch problems in Adobe Reader and Acrobat.

Microsoft and Adobe Systems are planning to release security updates Aug. 14 to patch security holes in many of their enterprise applications.

Adobe released few details about the updates. According to the company, the updates will be for Adobe Reader and Acrobat X (10.1.3) and earlier 10.x versions for Windows and Macs. Adobe Reader and Acrobat versions 9.5.1 and earlier 9.x versions are affected for both operating systems as well. So far, no known exploits have been observed in the wild targeting any of the vulnerabilities slated to be fixed, the company said.

Microsoft, meanwhile, plans to release nine security bulletins for its monthly Patch Tuesday update on Aug. 14. Five of the nine are rated critical.

"This month is a mixed bag of critical bulletins, which affects workstations, browser, server and productivity products," said Marcus Carey, security researcher at Rapid7.

The five critical bulletins span a number of products: Windows, Internet Explorer, Microsoft SQL Server, Microsoft Exchange, Server Software and Developer Tools.

"Bulletin one is rated critical and will address Internet Explorer 6, 7 and 8," Carey said. "Browser bulletins always deserve attention since client-side browser attacks are the de facto way to compromise corporate networks."

The Exchange bulletin will address an issue Microsoft warned about in July regarding vulnerabilities in the way unstructured files are parsed by Oracle Outside In libraries. The situation affects Microsoft Exchange Server 2007, Exchange Server 2010 and FAST Search Server 2010 for SharePoint.

In the case of Exchange Server 2007 and Exchange Server 2010, it is possible under certain circumstances for an attacker to use the vulnerabilities to take control of the server process that is parsing a specially crafted file. An attacker could then install programs or take any other action the server process has access to, according to Microsoft.

"Bulletin five is one to pay attention to since it addresses a critical remote code execution vulnerability in Microsoft Exchange," Carey said.

"This is interesting from an exploitation standpoint because Exchange servers are usually exposed on the Internet. When attackers hear 'remote code execution on Exchange,' it's music to their ears," he said. "They could see potential for remote discovery, remote exploitation and propagation of attacks since Exchange is the epicenter of most organizations' communications. Email servers are prime targets for exploitation."

The other four bulletins address issues in Windows and Office. The Patch Tuesday updates are slated to be released at 10 a.m. PDT.