Hello and welcome to this month’s blog on the Microsoft patch releases. This month we also have a “Patch Tuesday” from Adobe, and Oracle is releasing their quarterly “Critical Patch Update.”
This is a very light month for Microsoft. The vendor released one bulletin covering a “critical” vulnerability that affects the Embedded OpenType (EOT) Font Engine. This is a user-level, client-side issue that requires a victim to view a Web page containing malicious content or to open a malicious file.
Adobe is releasing a security update for Reader and Acrobat. Adobe rates these issues “Critical” and urges users to update as soon as possible. In this release, the vendor is addressing the zero-day issue that was first made public December 14, 2009. Exploit code for this issue is available and active exploits have been detected.
Oracle is releasing their quarterly “Critical Patch Update” today. This release addresses 24 vulnerabilities across multiple applications.
As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.
Microsoft’s summary of the January releases can be found here:
The following issue is being addressed this month:
MS10-001 Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
CVE-2010-0018 (BID 37671) Microsoft Windows Embedded OpenType Font Engine LZCOMP Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects the Embedded OpenType (EOT) Font Engine when it decompresses files and content containing embedded fonts. An attacker can exploit this issue by tricking a victim into opening a malicious file or viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.
Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems, Windows Server 2008 for Itanium-based Systems SP2, Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for Itanium-based Systems
More information on this and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.