July 11th, 2007

Patch Watch: Critical updates from Adobe, Cisco, Symantec, McAfee

Posted by Ryan Naraine @ 3:19 pm


Patch Tuesday is no longer an exclusive Microsoft event. Slowly but surely, it’s beginning to look like more and more big-name software vendors are piggybacking on Microsoft’s scheduled patch day to roll out critical software fixes.

This week, in addition to Microsoft’s six bulletins, computer users should also pay attention to high-severity updates from Adobe, Cisco, Symantec and McAfee.

Adobe rolled out two updates for gaping holes in Flash Player and PhotoShop CS2 and CS3, warning that attackers can exploit the vulnerabilities remotely to launch harmful code.

The Flash Player patch addresses several issues affecting Flash Player versions 8 through 9.

  • An input validation error has been identified in Flash Player 9.0.45.0 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-3456)
  • An issue with insufficient validation of the HTTP Referer has been identified in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player 9. This issue could potentially aid an attacker in executing a cross-site request forgery attack. (CVE-2007-3457)
  • The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues with Flash Player and the Opera and Konqueror browsers described in Security Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or Solaris. (CVE-2007-2022)
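As an added example (my code, not Adobe's or the article's), a small Python triage helper that maps an inventoried Flash Player version to the CVEs listed above; it reads the "and earlier" ranges literally and assumes any Flash Player 7 build below 7.0.70.0 on Linux or Solaris is affected by CVE-2007-2022. The function names and the sample inventory are constructed for the example.

```python
# Added example (not Adobe's or the article's code): map an inventoried Flash Player
# version to the CVEs in the bulletin above, reading "X and earlier" literally.

def parse_version(text: str) -> tuple:
    """Turn '9.0.45.0' into (9, 0, 45, 0); shorter forms such as '9.0' are zero-padded."""
    parts = text.strip().split(".")
    if not (1 <= len(parts) <= 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Flash Player version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def affected_cves(version: str, platform: str = "windows") -> list:
    """Return the bulletin's CVEs that apply to this Flash Player build, in bulletin order."""
    v = parse_version(version)
    found = []
    # CVE-2007-3456: 9.0.45.0 and earlier (so the whole 8.x line is inside the range too).
    if v <= (9, 0, 45, 0):
        found.append("CVE-2007-3456")
    # CVE-2007-3457: Referer validation, 8.0.34.0 and earlier; Flash Player 9 is not affected.
    if v <= (8, 0, 34, 0):
        found.append("CVE-2007-3457")
    # CVE-2007-2022: Linux/Solaris only, fixed by the 7.0.70.0 update; Flash Player 9 unaffected.
    # Assumption: every Flash Player 7 build below 7.0.70.0 on those platforms counts as affected.
    if platform.lower() in ("linux", "solaris") and v[0] == 7 and v < (7, 0, 70, 0):
        found.append("CVE-2007-2022")
    return found

def triage(inventory) -> dict:
    """inventory: iterable of (host, platform, version). Returns hosts needing the update."""
    report = {}
    for host, platform, version in inventory:
        try:
            cves = affected_cves(version, platform)
        except ValueError as exc:
            report[host] = [f"unparseable: {exc}"]  # surface bad data instead of skipping it
            continue
        if cves:
            report[host] = cves
    return report

# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "9.0.45.0"),   # needs the Flash 9 update
    ("ws-02", "windows", "8.0.34.0"),   # old 8.x build: code-execution and CSRF issues
    ("ws-03", "windows", "9.0.115.0"),  # above the affected range
    ("lx-01", "linux",   "7.0.69.0"),   # pre-7.0.70.0 Linux build
    ("lx-02", "linux",   "9.0.x"),      # broken inventory record
]
```

Running `triage(SAMPLE_INVENTORY)` flags ws-01, ws-02 and lx-01, leaves ws-03 out, and reports lx-02 as unparseable rather than silently treating it as patched.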

Adobe’s Photoshop update, also rated “critical,” addresses flaws that could be triggered by opening malicious image files.

Multiple input validation errors have been identified in Photoshop CS2 and Photoshop CS3 which could lead to the potential execution of arbitrary code. These vulnerabilities are not remotely exploitable, but could, for instance, be triggered by opening a malicious BMP, DIB, RLE or PNG file delivered to a user via their e-mail client. Users are recommended to update their installations with the patches provided below, and Adobe encourages all customers to be cautious before opening any unknown file, regardless of which application they may be using. These issues were previously publicly disclosed by a third party (CVE-2007-2244 and CVE-2007-2365).

Joining Adobe in the patching line with two bulletins is Cisco Systems. The switching and routing giant shipped two bulletins to correct critical bugs in the Cisco Unified Communications Manager (formerly CallManager).

The first Cisco bulletin warns of two overflow vulnerabilities that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code.

The second update contains this warning from Cisco:

Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS) contain two vulnerabilities that could allow an unauthorized administrator to activate and terminate CUCM / CUPS system services and access SNMP configuration information. This may respectively result in a denial of service (DoS) condition affecting CUCM/CUPS cluster systems and the disclosure of sensitive SNMP details, including community strings.

Separately, Symantec plugged a heap buffer overflow vulnerability that affects the Symantec Backup Exec for Windows Servers software. CERT/CC warns that a remote unauthenticated attacker may be able to cause the affected service to crash, resulting in a denial of service. Symantec also reports that the attacker may also potentially be able to execute arbitrary code on the affected system.

Rival McAfee also joined the patching party, fixing four different memory corruption vulnerabilities in the ePolicy Orchestrator Agent.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


RE: Interesting problem
So when's the last time you changed the oil on your television set. It has sophisticated components, including CPUs. The analogy is bogus. The answer is very simple....protect code that doesn't need to change with hardware.

gary...
Posted by: gdstark13 Posted on: 07/13/07