Microsoft and Adobe Critical Patch Advisories: Patch

Vulnerability Details:

Microsoft Critical Patches Released – Patch Now

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Adobe Critical Patches Released – Patch Now

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Microsoft Threat Intelligence

Two zero-day vulnerabilities addressed in this advisory were reported by Microsoft, one of which is currently being exploited in the wild.

Systems Affected:

From Windows Office to Workstation Services… most products appear to be impacted.  Please visit this page and set the timeline from Dec. 2022 to Jan. 2023 :

https://msrc.microsoft.com/update-guide

Adobe THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Adobe Acrobat DC, Continuous, 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
• Acrobat Reader DC, Continuous, 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions
• Acrobat 2020, Classic 2020, 20.005.30418 and earlier versions
• Acrobat Reader 2020, Classic 2020, 20.005.30418 and earlier versions
• Adobe InDesign ID17.4, ID18.0 and earlier versions

CyberHoot Recommendations:

1. Apply the appropriate patches (or mitigations) to your systems starting with the most critical systems first.  CyberHoot recommends you patch this week if possible and follow your Vulnerability Alert Management Process to determine your response.
2. Remind your users not to visit untrustworthy websites or to click on any links from unknown, or untrustworthy sources.
3. Remove administrative rights from your users to significantly mitigate the risks from both the Adobe and Microsoft vulnerabilities in this month’s alerts.  Doing this one item could be the difference between a crashed workstation hit with a zero day, and a system compromise.  Please heed this advice… as your cybersecurity program matures, following the principle of Least Privilege will pay great dividends in your overall cybersecurity program.
4. Consider deploying as next generation Endpoint Detection and Response (EDR) solution that can help you identify, prevent, and contain some of these attacks before they can sink your entire ship/business.

Source: 

https://msrc.microsoft.com/update-guide/releaseNote/2023-Jan

https://helpx.adobe.com/security/products/acrobat/apsb23-01.html

Additional Reading: 

Naked Security: Microsoft Zero Day and Last Patches Ever for Windows 7 and 8.1

ZDNet Security Blog: Microsoft Delivers Massive 98 Patches in Jan. 

SecurityWeek Blog: Adobe Patches 29 Vulnerabilities in Jan.