1. Dashboards
  2. Companies
May 12, 2021

Patch Tuesday: Microsoft and Adobe unveil solutions to cybersecurity weaknesses

By Eric Johansson

Patch Tuesday is back with Microsoft and Adobe unveiling a smattering of fixes to vulnerabilities across their products. As an added bonus, the news comes as researchers revealed that most connected devices could suffer from a security flaw dating back to 1997. In other words, we’ve got a lot of ground to cover.

Let’s start with Microsoft. True to its regular Patch Tuesday form, the Redmond-headquartered computer colossus announced 55 fixes to vulnerabilities in 32 of its applications yesterday. Four were rated as critical, 50 were rated as important and one was rated as moderate.

These cybersecurity weaknesses were found across several of the company’s core services, including its Office suite, Windows OLE, Windows WalletService as well as Microsoft Exchange Server.

As a reminder, Exchange Server was the product that was central to a massive global cyberattack earlier this year when Chinese state-linked hacking group Hafnium used zero-day exploits to target Microsoft’s on-premises Exchange Server tech. Early reports suggested that the digital miscreants’ actions affected over 100,000 organisations around the world.

This time the four vulnerabilities linked to Exchange Server were all rated as moderate.

Dustin Childs, director of communications for the Zero Day Initiative, wrote in a blog that many of these bugs had been uncovered at the organisation’s Pwn2Own contest earlier this year.

“More Exchange patches are expected as not everything disclosed at the contest has been addressed,” Childs said.

The four critical vulnerabilities patched by Microsoft all involved the threat of remote code execution hacks. The four digital weaknesses were named CVE-2021-31166, CVE-2021-28476, CVE-2021-26419 and CVE-2021-31194.

Up next in this Patch Tuesday round: Adobe. The company unveiled 43 vulnerabilities on Tuesday which affected 12 of its products, including InDesign, Illustrator and Magento.

The one to take particular note of was named CVE-2021-28550. This bug exposed users of Acrobat Reader to the risk of suffering an arbitrary code execution hack. Adobe unveiled a patch to close the zero-day hole that is already being actively exploited by cyber crooks.

“Adobe has received a report that CVE-2021-28550 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows,” the company said.

While black hats have so far seemingly only targeted Windows users, the bug risk affecting eight different versions spread across both PCs and iMacs. With the latest security bulletin, the company said that it had patched Acrobat Reader for ten weaknesses rated as critical and four rated as important.

“These and other vulnerabilities could lead to code execution if someone were to open a specially crafted PDF with an affected version of Acrobat or Reader,” Childs said. “The update for InDesign also stands out. These bugs result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.”

The patches comes as security researcher Mathy Vanhoef has unveiled another smattering of vulnerabilities for connected devices.

In a new blog, he warned that an attacker could exploit the dozen weaknesses he’d discovered to launch so-called frag attacks, or fragmentation and aggregation attacks, which enable ill-doers to gather data or inject malicious codes into these gadgets’ systems. Many of these vulnerabilities date back as far as 1997.

“Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings,” said Vanhoef. “As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.”

The researcher was surprised to find these weaknesses “because the security of Wi-Fi has in fact significantly improved over the past years.”

Microsoft, Cisco and Juniper have already begun to patch for these vulnerabilities, ZDNet reported.

Verdict deals analysis methodology

This analysis considers only announced and completed deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.