It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our
YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for November 2023
For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs came through the ZDI program, with most attributed to ZDI vulnerability researcher Mat Powell. The patch for
Acrobat and Reader is the largest with 17 CVEs, and likely the most important since it is often targeted in phishing campaigns. The update for
ColdFusion contains three Critical-rated CVEs and should also be at the top of your test and deployment list. The update for
Audition is quite large, with nine total CVEs addressed. The
After Effects is just behind it with eight CVEs receiving fixes.
The
Photoshop patch should also be prioritized. It contains six fixes and could allow code execution when opening a specially crafted file. That’s also true for the
Premiere Pro update. Both of those applications often rely on
Media Encoder, and it gets five patches this month as well. The patch for
InDesign includes seven CVEs, but the most severe is only rated Important. The update for
RoboHelp includes five CVEs – four of which are rated Critical. If you use that tool to author your technical content, definitely test and deploy the patch quickly. The fix for
Adobe Bridge contains three Moderate-rated CVEs. The fixes for
InCopy and the
FrameMaker Publishing Server both fix a single Critical-rated CVE, while the patches for
Dimension and
Animate both correct a single Important-rated CVE.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for November 2023
This month, Microsoft released 63 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based), Visual Studio, and Windows Hyper-V. A total of five of these CVEs were reported through the ZDI program. In addition to the new CVEs, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.
Of the new patches released today, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. This is one of the smallest monthly releases Microsoft has done this year, although the total CVEs to date are right at 2021 levels with a month more to go. It will be interesting to see what patches come out of Microsoft in December.
Three of the CVEs released today are listed as under active attack at the time of release and a total of three CVEs are listed as publicly known. It seems the “Hot 0-day Summer” lasts into the fall.
www.zerodayinitiative.com
