1. General Information
In January 2010, many of the world's major software vendors released update patches for their products. The details of the updates from Microsoft, Adobe and Oracle are as follows:
| Release Date | Affected Software | Severity |
|---|---|---|
| Jan 12, 2010 | Microsoft Windows | Critical |
| Jan 07, 2010 | Adobe Illustrator CS4 (14.0.0) and Adobe Illustrator CS3 (version 13.0.3 and earlier) for Windows and Macintosh | Critical |
| Jan 12, 2010 | Adobe Reader 9.2 and earlier versions; Adobe Reader 8.1.7 and earlier versions | Critical |
| Jan 19, 2010 | Shockwave Player Version 11.5.2.602 and earlier versions for Windows and Macintosh | Critical |
| Jan, 2010 | Oracle Database 11g, Version 11.1.0.7; Oracle Database 10g Release 2, Version 10.2.0.3, 10.2.0.; Oracle Database 10g, Version 10.1.0.5; Oracle Database 9i Release 2, Version 9.2.0.8, 9.2.0.8DV; Oracle Application Server 10g Release 3 (10.1.3), Version 10.1.3.4.0, 10.1.3.5*, 10.1.3.5.1*; Oracle Application Server 10g Release 2 (10.1.2), Version 10.1.2.3.0; Oracle Access Manager Version 7.0.4.3, 10.1.4.2; Oracle E-Business Suite Release 12, Version 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2; Oracle E-Business Suite Release 11i, Version 11.5.10.2; PeopleSoft Enterprise HCM (TAM), Version 8.9 and 9.0; Oracle WebLogic Server 10.0 via MP2, 10.3.0 and 10.3.; Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3; Oracle WebLogic Server 8.1 through 8.1 SP6; Oracle WebLogic Server 7.0 through 7.0 SP7; Oracle JRockit R27.6.5 and earlier versions (JDK/JRE 6, 5, 1.4.2); Primavera P6 Enterprise Project Portfolio Management 6.1, 6.2.1 and 7.0; Primavera P6 Web Services 6.2.1, 7.0 and 7.0SP1 | Critical |
2. Technical details
Microsoft's patch resolves a vulnerability in the rendering mechanism for Embedded OpenType (EOT) fonts, a compact font format often used on websites. This vulnerability may allow an attacker to remotely install malicious code on users' systems when they use EOT-supporting applications such as Microsoft Internet Explorer, Microsoft Office PowerPoint or Microsoft Office Word. An attacker who successfully exploits this vulnerability may gain complete control of the affected system: execute malicious code; view, modify or delete data; or create accounts on the user's computer.
While Microsoft released only one update patch in January, the past month may be considered "Adobe's month", given the number of vulnerabilities reported in Adobe products.
Adobe's January update patches resolve the following vulnerabilities:
Vulnerabilities in Adobe Reader 9.2 and Acrobat 9.2:
• A use-after-free vulnerability in Multimedia.api (this vulnerability has been found in Adobe Reader 9.2 and Acrobat 9.2 on Windows platforms).
• An array boundary issue in U3D (Universal 3D, a compressed file format standard for 3D computer graphics data). This issue had been mistakenly identified as a previously known vulnerability in the Metasploit framework.
• A DLL-loading vulnerability in the 3D graphics module.
• A memory corruption vulnerability.
• A change to the default error notifications that reduces script injection threats.
• A null-pointer vulnerability that may lead to denial of service.
• A buffer overflow vulnerability in the Download Manager.
• An integer overflow vulnerability in U3D.
Two vulnerabilities in Adobe Illustrator CS4 (14.0.0) and Adobe Illustrator CS3 (13.0.3 and earlier versions).
A buffer overflow vulnerability and multiple integer overflow vulnerabilities in Shockwave Player 11.5.2.602, an application for creating dynamic animated graphics for online environments.
These vulnerabilities may allow an attacker to execute arbitrary code on the affected system and then take control of it or steal private information.
Oracle's recently updated products include 4 database products, 9 server products and 4 enterprise management products. Many vulnerabilities and security threats still exist in this software. Oracle has released 24 patches for these 17 products.
3. Solution
These are critical vulnerabilities in widely used software. Bkis recommends that users immediately obtain the updates from the following links:
For Windows OS users: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
For Adobe Reader users on Windows, Macintosh and Unix platforms: http://get.adobe.com/reader
Acrobat Standard and Pro on Windows platform: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro Extended on Windows platform: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
Acrobat 3D on Windows platform: http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
Acrobat Pro on Macintosh platform: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Adobe Reader 8.x on the UNIX platform, and Adobe Reader 7.x and Acrobat 7.x on the Windows, Macintosh and UNIX platforms: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86
Patch update for Adobe Illustrator CS4 on Windows platform: http://download.macromedia.com/pub/security/bulletins/apsb10-01/win/APSB10_01_CS4_Win.zip
Patch update for Adobe Illustrator CS4 on Macintosh platform: http://download.macromedia.com/pub/security/bulletins/apsb10-01/mac/APSB10_01_CS4_Mac.zip
Patch update for Adobe Illustrator CS3 on Windows platform: http://download.macromedia.com/pub/security/bulletins/apsb10-01/win/APSB10_01_CS3_Win.zip
Patch update for Adobe Illustrator CS3 on Macintosh platform: http://download.macromedia.com/pub/security/bulletins/apsb10-01/mac/APSB10_01_CS3_Mac.zip
Patch update for Shockwave Player: http://get.adobe.com/shockwave/
Oracle software products: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
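As an added example (not part of the Bkis advisory), the following Python checker flags installed Adobe products whose version falls inside an affected range from the table above. The affected ceilings are taken from the advisory; the inventory is constructed, and reading "9.2 and earlier" / "8.1.7 and earlier" as per-branch ceilings (so an 8.2 build is not judged against 8.1.7) is an assumption.

```python
# Added example, not from the Bkis advisory: flag installed Adobe products whose
# version falls in an affected range from the January 2010 updates.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'8.1.7' -> (8, 1, 7); stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))

# Affected ranges per the advisory table: product -> [(branch, newest affected version)].
# Assumption: "and earlier" is read per branch, so a 9.x build is not judged against 8.1.7.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "Adobe Reader": [((9,), (9, 2)), ((8,), (8, 1, 7))],
    "Adobe Illustrator": [((14,), (14, 0, 0)), ((13,), (13, 0, 3))],
    "Shockwave Player": [((11,), (11, 5, 2, 602))],
}

def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is inside one of the product's affected ranges."""
    ranges = AFFECTED.get(product, [])
    v = parse_version(installed)
    for branch, newest_affected in ranges:
        if v[: len(branch)] == branch:
            n = max(len(v), len(newest_affected))
            return _pad(v, n) <= _pad(newest_affected, n)
    # Unlisted branch: older than every listed one still counts as "earlier versions".
    oldest = min((b for b, _ in ranges), default=None)
    return oldest is not None and v[: len(oldest)] < oldest

def needs_patch(inventory: Dict[str, str]) -> List[str]:
    """Products in a {product: installed_version} inventory that need this month's patch."""
    return sorted(p for p, ver in inventory.items() if is_affected(p, ver))

# Constructed inventory; the Shockwave build here is newer than the affected one.
SAMPLE_INVENTORY = {
    "Adobe Reader": "9.2",
    "Adobe Illustrator": "14.0.0",
    "Shockwave Player": "11.5.3.000",
}
```

Running `needs_patch(SAMPLE_INVENTORY)` returns the products to patch first; feed it a real software inventory export to triage a fleet against this month's advisory.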
Analyst: Le Minh Tuan