Adobe, Cisco Stung By Bugs - InformationWeek

Adobe, Cisco Stung By Bugs

Six vulnerabilities affecting Adobe's Reader and Acrobat products were discovered in the past two weeks. Meanwhile, Cisco has warned customers of some potential denial-of-service vulnerabilities.

Adobe Systems and Cisco Systems were a bit under the weather last week. Perhaps they caught a bug.

For Adobe, six vulnerabilities affecting its popular Reader and Acrobat products were discovered in the past two weeks, one of which could be used in cross-site scripting attacks.

Attackers could exploit one group of vulnerabilities by creating rigged PDF files and getting unsuspecting users to open them. These flaws are more dangerous because remote attackers could use them to execute malicious code and take over affected machines, Adobe said in an advisory last week. The advisory noted that a malicious file would have to be loaded in Adobe Reader.

Adobe, San Jose, Calif., assigned its highest threat rating of "critical"—4 on a 4-point scale—to the vulnerabilities. Symantec Deepsight rated the severity of the flaws as 8.3 on a 10-point scale, while Secunia said they were "highly critical"—or 4 on a 5-point scale.

Craig Schugmar, a threat researcher with McAfee's Avert Labs, says the spate of Adobe vulnerabilities is part of an ongoing shift by hackers away from operating system-focused bugs and toward application flaws.

Widely deployed, cross-platform applications are especially attractive to attackers, which means other Adobe products such as Flash and Shockwave also could be targeted, according to Schugmar.

Cisco, meanwhile, is warning customers of denial-of-service vulnerabilities affecting its IOS and Unified Contact Center Enterprise products.

In an advisory issued last week, Cisco said its Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise and IP Contact Center Hosted products are vulnerable to a glitch in the JTapi Gateway service. An attacker could exploit the flaw to force the JTapi Gateway service to restart, a process that takes several minutes, during which no new connections can be handled, although existing connections wouldn't be cut off, Cisco said.

With IOS, the San Jose-based vendor patched a vulnerability in the Data-Link Switching feature in some versions that could enable attackers to launch denial-of-service attacks, the company also said in its advisory last week.

Data-Link Switching is used to transmit IBM Systems Network Architecture and network basic input/output system traffic over an IP network. On devices running vulnerable versions of IOS, attackers could exploit the flaw remotely without needing to be logged in, although they would need to be able to establish a Data-Link Switching connection to the device, Cisco said.

Under the 10-point Common Vulnerability Scoring System, which Cisco recently began using, both vulnerabilities received base scores of 3.3. However, Symantec Deepsight saw them as more serious, assigning a severity rating of 6.7 to the IOS flaw and 5.6 to the Unified Contact Center flaw.
