Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.
Five of the 12 patches Microsoft released today earned its most dire “critical” label, meaning these updates fix vulnerabilities that attackers or malware could exploit to seize complete control over a PC with no help from users.
Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer; other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical patch fixes a flaw that is present only on Windows XP systems.
Updates are available via Windows Update or from Automatic Update. A note about applying these Windows patches: Today’s batch includes an update for .NET, which in my experience should be applied separately. In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works. Consider applying the rest of the patches first, rebooting, and then installing the .NET update, if your system requires it.
And for the second time in a week, Adobe has released an update for its Flash Player software. This one addresses at least 17 distinct vulnerabilities; unlike last week’s emergency Flash Update, this one thankfully doesn’t address flaws that are already actively being exploited, according to Adobe. Check the graphic below for the most recent version that includes the updates relevant to your operating system. This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.
Chrome and Internet Explorer 10 have built-in auto-update features that should bring Flash to the most recent version. The patched version of Flash for Chrome is 11.6.602.167, which Google pushed out today. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
As Adobe does every time it releases a Flash Update, it has released a fix for Adobe AIR. If you have that software installed, it can updated from this link.
Finally, as the graphic above indicates, a fix for Adobe’s Shockwave Player is available that fixes at least two flaws. The latest version of Shockwave is 220.127.116.11, available here. You can find the new version and an accounting of whether you have this program installed and its current version from this page. If you have this program installed update it; if that page offers a download, you don’t have Shockwave installed and probably don’t need it.