A very exciting Patch Tuesday for us at Cybellum, with 5 CVEs published for vulnerabilities discovered by our automated vulnerability detection platform. Four of them are in Adobe products, whereas the fifth is byproduct of a decision reversal by Microsoft Security Research Center from a few months ago.

It’s worth pointing out that these vulnerabilities were detected in an automated manner, by testing our platform against closed binaries in order to help it learn. 

Among the four Adobe CVEs, the most technically interesting one is CVE-2017-16379, which we’ve detailed in a separate blog post. It concerns 8 icons, which are rendered in a way that might lead to remote code execution.

 

As for Microsoft, we’re very happy about their decision to prioritize the vulnerability we’ve discovered and patch it through a security update. We’ve had several very productive conversations with MSRC after being informed that the Type Confusion vulnerability our platform had discovered in IE/Edge would not be getting a CVE or patched via a security update. The reason given back then was the requirement to open Developer Tools/View Source window. The result of these conversations is CVE-2017-11827, which was patched as part of the the November Patch Tuesday.

As our automated vulnerability detection continues to evolve and expand, we’re certain that these 5 CVEs are just the tip of the iceberg of what was detected and will be publicized in the coming months.

Meanwhile, our platform keeps growing nicely, with significant increase in resource efficiency and  speed. We’re also working on expanding its OS and architecture support, with exciting new announcements coming soon.