Multiple Updates Issued and Vulnerabilities Found

  Severity: CRITICAL
  Advisory Date: APR 14, 2010

  DESCRIPTION

Following Microsoft's Patch Tuesday release this month, several other software vendors have also released patches for their own products. These vendors include Adobe and Oracle.

Below is a summary of the patches released by these companies and the specific vulnerabilities they aim to address:

  • Adobe
    • Unknown vulnerability in Adobe Reader and Acrobat. This affects versions 8.x before 8.2.1 and 9.x before 9.3.1. Once exploited, attackers can launch denial of service (DoS) attacks on the compromised system. For more information, please refer to this page: Malware Blog entry: "Adobe and Microsoft Simultaneously Release Patches"
  • Microsoft
    • Vulnerabilities in Windows Could Allow Remote Code Execution. Once exploited, attackers can take complete control of an affected system.
    • Vulnerabilities in SMB Client Could Allow Remote Code Execution. Once exploited, attackers can perform remote code execution.
    • Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege. Once exploited, attackers can run specially crafted applications on the affected system.
    • Vulnerability in VBScript Could Allow Remote Code Execution. Once exploited, attackers can take complete control of the affected system.
    • Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution. Once exploited, attackers can gain elevated rights on a system.
    • Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service. Once exploited, attackers can launch denial of service (DoS) attacks on the affected system.
    • Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution. Once exploited, attackers can perform remote code execution.
    • Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution. Once exploited, attackers can take complete control of an affected system.
    • Vulnerability in Windows Media Player Could Allow Remote Code Execution. Once exploited, attackers can gain elevated rights on a system.
    • Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution. Once exploited, attackers can gain elevated rights on a system.
    • Vulnerability in Windows ISATAP Component Could Allow Spoofing. Once exploited, attackers can spoof an IPv4 address. For more information, please refer to this page: Malware Blog entry: "Adobe and Microsoft Simultaneously Release Patches"
  • Oracle

Trend Micro recommends that users apply these patches if the affected products are installed on their systems.

Java, on the other hand, issued a document days before Patch Tuesday fully disclosing an error found in its toolkit. A patch for it has yet to be provided.

Users of Trend Micro Deep Security™ and Trend Micro OfficeScan™ are already protected against this vulnerability via the Intrusion Defense Firewall (IDF) plug-in. Make sure your systems are updated with IDF rule number 1004091.