Patch Watch: Critical updates from Adobe, Cisco, Symantec, McAfee


Summary: Patch Tuesday is no longer an exclusive Microsoft event. Slowly but surely, it's beginning to look like more and more big-name software vendors are piggybacking on Microsoft's scheduled patch day to roll out critical software fixes.



This week, in addition to Microsoft's six bulletins, users and administrators should also pay attention to high-severity updates from Adobe, Cisco, Symantec and McAfee.

Adobe rolled out two updates for gaping holes in Flash Player and in Photoshop CS2 and CS3, warning that the vulnerabilities could allow an attacker to execute arbitrary code: remotely through web content in the Flash Player case, and through malicious image files in the Photoshop case.

The Flash Player patch addresses several issues affecting Flash Player 8 and 9, plus a Linux/Solaris-only fix for Flash Player 7:

  • An input validation error has been identified in Flash Player 9.0.45.0 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-3456)
  • An issue with insufficient validation of the HTTP Referer has been identified in Flash Player 8.0.34.0 and earlier. This issue does not affect Flash Player 9. This issue could potentially aid an attacker in executing a cross-site request forgery attack. (CVE-2007-3457)
  • The Linux and Solaris updates for Flash Player 7 (7.0.70.0) address the issues with Flash Player and the Opera and Konqueror browsers described in Security Advisory APSA07-03. These issues do not impact Flash Player 9 on Linux or Solaris. (CVE-2007-2022)
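The second bullet describes a classic failure mode: a Referer check that is too loose to keep a cross-site page from forging requests. As an added illustration (example code written for this page, not Adobe's, with constructed hostnames, Referer values and tokens), the snippet below puts a substring-style Referer check beside a strict scheme-and-host comparison and a per-session synchronizer token, which is the usual fix when Referer validation alone is not trusted:

```python
"""Referer-based CSRF defence, weak and strict, plus a synchronizer token.
Illustration of the vulnerability class only; not Adobe's code. The site
name, Referer strings and tokens below are constructed for the example."""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumed https-only target site for the illustration


def referer_allows_loose(referer: Optional[str]) -> bool:
    """Weak check: accept any Referer that merely contains the site name.
    An attacker controls the path and query of their own page and can
    register look-alike hosts, so cross-site pages pass this test."""
    return SITE_HOST in (referer or "")


def referer_allows_strict(referer: Optional[str]) -> bool:
    """Stronger check: parse the URL and compare scheme and host exactly.
    A missing Referer is rejected (fail closed), which also blocks the
    trick of suppressing the header on the attacker's page."""
    if not referer:
        return False
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host == SITE_HOST


def new_session_token() -> str:
    """Unguessable per-session value that a cross-site page cannot read."""
    return secrets.token_urlsafe(32)


def token_matches(session_token: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison on bytes so timing does not leak the token
    and non-ASCII input cannot raise from compare_digest."""
    if not submitted:
        return False
    return hmac.compare_digest(session_token.encode("utf-8"), submitted.encode("utf-8"))


def state_change_allowed(referer: Optional[str], session_token: str,
                         submitted_token: Optional[str]) -> bool:
    """Defence in depth for a state-changing request: strict Referer AND token."""
    return referer_allows_strict(referer) and token_matches(session_token, submitted_token)


# Constructed Referer values an attacker-hosted page could present.
ATTACKER_REFERERS = [
    "https://example.com.attacker.net/csrf.html",  # look-alike subdomain
    "https://attacker.net/example.com/",           # site name in the path
    "https://attacker.net/?next=example.com",      # site name in the query string
    "http://example.com/",                         # not one of the site's https pages
]
LEGIT_REFERER = "https://example.com/settings"

if __name__ == "__main__":
    for ref in ATTACKER_REFERERS + [LEGIT_REFERER]:
        print(f"{ref:45} loose={referer_allows_loose(ref)!s:5} "
              f"strict={referer_allows_strict(ref)}")
```

Every entry in the constructed attacker list passes the loose check and fails the strict one; the legitimate Referer passes both. The token check is what actually binds the request to the victim's session, which is why it is required even when the Referer looks right.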

Adobe's Photoshop update, also rated "critical," addresses flaws that could be triggered by opening malicious image files.

Multiple input validation errors have been identified in Photoshop CS2 and Photoshop CS3 which could lead to the potential execution of arbitrary code. These vulnerabilities are not remotely exploitable, but could, for instance, be triggered by opening a malicious BMP, DIB, RLE or PNG file delivered to a user via their e-mail client. Users are recommended to update their installations with the patches provided below, and Adobe encourages all customers to be cautious before opening any unknown file, regardless of which application they may be using. These issues were previously publicly disclosed by a third party (CVE-2007-2244 and CVE-2007-2365).

Joining Adobe in the patching line is Cisco Systems. The switching and routing giant shipped two bulletins to correct critical bugs in Cisco Unified Communications Manager (formerly CallManager).

The first Cisco bulletin warns of two buffer overflow vulnerabilities that could allow a remote, unauthenticated attacker to cause a denial of service (DoS) condition or execute arbitrary code.

The second update contains this warning from Cisco:

Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS) contain two vulnerabilities that could allow an unauthorized administrator to activate and terminate CUCM / CUPS system services and access SNMP configuration information. This may respectively result in a denial of service (DoS) condition affecting CUCM/CUPS cluster systems and the disclosure of sensitive SNMP details, including community strings.

Separately, Symantec plugged a heap buffer overflow vulnerability in Symantec Backup Exec for Windows Servers. CERT/CC warns that a remote, unauthenticated attacker may be able to crash the affected service, resulting in a denial of service. Symantec also reports that the attacker may potentially be able to execute arbitrary code on the affected system.

Rival McAfee also joined the patching party, fixing four different memory corruption vulnerabilities in the ePolicy Orchestrator Agent.

Talkback

3 comments
  • no end in sight

    Naraine, these endless patches, both for the OS and 3rd party apps, will never stop unless we climb out of this hole and start utilizing hardware protection of code. If you disagree, you either think:

    1) there's simply no hope - we will have patches forever
    2) some OTHER fundamental shift in technology will fix this mess

    What's your take?

    gary
    gdstark13
  • Inherent problem

    As long as there's software and/or hardware to challenge the hacker element in our world there will have to be software and/or hardware updates. Most home computer users are confused enough with the security items and hardware configuration on their machines. One more would trip their trap.

    Update and clean up - you have to change the oil and filters on your car, too!
    aussiedawg
    • RE: Interesting problem

      So when's the last time you changed the oil on your television set? It has sophisticated components, including CPUs. The analogy is bogus. The answer is very simple: protect code that doesn't need to change with hardware.

      gary
      gdstark13