Adobe and Microsoft each separately released a raft of updates to fix critical security holes in their software. Adobe pushed patches to plug holes in Adobe Acrobat/Reader and its Flash and Shockwave media players. Microsoft released 14 13 patch bundles to fix at least 47 security vulnerabilities in Windows, Office, Internet Explorer and Sharepoint.
Four of the 13 bulletins Microsoft released today earned the company’s “critical” rating, meaning that on balance they address vulnerabilities that can be exploited by miscreants or malware to break into vulnerable systems without any help from users.
For enterprises and those who need to prioritize the installation of updates, Microsoft recommends installing the Outlook, Internet Explorer and SharePoint Server fixes as soon as possible. The Sharepoint update addresses some ten vulnerabilities, including one that Microsoft says was publicly disclosed prior to today’s patch batch.
Adobe’s Flash update fixes at least four flaws in the widely-installed media player, and brings the player to version 11.8.800.168 for Mac and Windows users (users of other OSes please see the chart below). Google Chrome should auto-update itself to the latest version for Chrome (11.8.800.170 for Windows, Mac and Linux); Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. Likewise, Internet Explorer 10 should auto-update to the latest version. To find out which version of Flash you have installed, see this page.
The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).
Updates for Adobe Acrobat and Reader fix at least eight security holes in these products. For Windows and Mac users with Reader XI, the new version is v. 11.0.04. Users of these software titles can grab the updates from the links at Adobe’s advisory, or from within the software by choosing Help > Check for Updates.
Adobe also released a new version of its Shockwave Player software that fixes at least two flaws, bringing Shockwave to v. 188.8.131.52 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
Finally, there is an update for Adobe AIR, which you may have if you’ve installed desktop clients like Pandora or Tweetdeck. Adobe says it is not aware of any exploits or attacks in the wild targeting any of the issues addressed in the updates the company released today. Applications that rely on AIR check for updates upon start, but the latest version (v. 184.108.40.2060) also is available from this link.
Update, 11:06 p.m. ET: Apple just released an update that blocks older versions of Flash from running in Safari on OS X. systems. “Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 11.8.800.94.” That version is not the version of Flash that Adobe released today, but the one it released back in July. Which means if the last time you updated your Flash Player on your Mac was in June, you won’t be able to view Flash content in Safari if you apply the latest Apple updates without also patching Flash.