Microsoft, Adobe Release Priority Patch Tuesday Fixes

Microsoft released details on critical patches to Windows, Internet Explorer, SQL Server, while Adobe fixes various versions of Reader and Acrobat.

Microsoft issued nine security bulletins, five of them critical, in its Aug. 14 Patch Tuesday update, while Adobe issued patches for various versions of Reader and Acrobat for both Microsoft Windows and Apple Macintosh operating systems.

The Microsoft patches start with Internet Explorer, mostly IE6, 7 and 8, but also the current version, IE9. Microsoft continually advises users to update to the latest version of the Web browser, which is the most secure.

The company says the latest patches address vulnerabilities in IE "that could allow an attacker to compromise a system that is running Microsoft Internet Explorer and gain control over it," Microsoft stated. One of the fastest-growing threats for computer networks comes from malware delivered through a Web browser, including instances in which companies use software through the browser.

Another set of patches applies to the Windows OS, including "critical" ones for Windows Server 2003 and Windows XP, another labeled "important" for Windows Server 2003 and several packages labeled "moderate" for such versions as Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista. Microsoft also introduced new patches that supersede earlier patches for the same systems.

Both the Microsoft and Adobe patches had been previewed earlier by eWEEK.

Marcus Carey, a security researcher at Rapid7, provides some guidance on how to prioritize the patches. Carey says the IE patches, detailed in bulletin MS12-052, "should be No. 1 on organizations' and consumers' 'must patch' list."

The second priority should be MS12-058, he said, which protects an Exchange Server vulnerability. "It appears to be an excellent option for spear-phishing attempts since it can compromise the server simply by a legitimate user opening a malicious document using Outlook Web App," Carey notes. This fix addresses a vulnerability that was introduced by Oracle Outside In, which is used as part of Exchange.

Other priorities, he said, are bulletins MS12-053 affecting a Remote Desktop Protocol vulnerability, MS12-054 relating to Windows Network Components and MS12-060, which involves controls affecting Office and SQL Server.

The Adobe patches target the Adobe Reader for viewing documents created in the portable document format (PDF) and Adobe Acrobat, for creating PDFs. Specifically, the patches are to fix "vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system."

The highest-priority patches are for Adobe Reader and Acrobat users on versions 9.52 of each to upgrade to versions X (10.1.4) of the applications. Of less urgency, though still important, is for users of Adobe and Acrobat X (10.1.3) running on either Windows or Macintosh machines to upgrade to (10.1.4). Users of Adobe and Acrobat versions 9.5.1 or earlier on either Windows or Macs, who cannot upgrade to 10.1.4, should upgrade to 9.5.2.