Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software.
Five of today’s 11 update bundles earned Microsoft’s “critical” rating, meaning that the vulnerabilities those patches fix can be exploited remotely by malware or miscreants without any help from users. At the top of the priority list for Windows users should be MS13-096, a patch that plugs a critical zero-day security hole in certain versions of Windows and Office. Microsoft first warned about this flaw on Nov. 5.
Microsoft also is urging customers and system administrators to prioritize two other critical fixes: MS13-097, a cumulative patch for Internet Explorer (all versions), and MS13-099, which fixes a dangerous scripting issue in Windows. All three of these patches fix bugs that Microsoft says are likely to be exploited by attackers in the near future.
Ross Barrett, senior manager of security engineering at Rapid7, points out a noteworthy patch (MS13-104) for users of Microsoft Office 2013’s “cloud” services, which apparently fixes another vulnerability that is actively being exploited. “This information disclosure issue affects the Office ‘client’ and could allow an attacker to hijack an authentication token and gain access to documents stored in cloud resources,” Barrett said.
For more information on today’s updates, see the roundups at Microsoft’s Technet Blog, the SANS Internet Storm Center Diary, and the Qualys blog.
ADOBE FLASH AND SHOCKWAVE UPDATES
Adobe has issued a patch for its Flash Player software that addresses at least two security holes, including a vulnerability that is already under active attack. Adobe said it is aware of reports of an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content. The company credits researcher Attila Suszter for reporting the flaw; more information about this bug is available at Suszter’s blog.
To find out whether your system has Flash installed and at what version, check this page. Updates are available for Windows, Mac and Linux versions of Flash. The latest version for Windows and Mac users is 11.9.900.170, and 22.214.171.1242 for Linux.
Google Chrome auto-updates its own versions of Flash (although not always right away); the newest Flash for Chrome is 11.9.900.170. Internet Explorer 10 and 11 on Windows 8 include an embedded version of Flash that gets updates from Windows Update, rather than through Adobe’s installer. On Windows 7 and earlier, Flash is not embedded, and needs to be updated via Adobe’s updater or manually by downloading the appropriate version from this page.
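Checking a fleet against a "fixed in" version is where many homegrown patch-compliance scripts go wrong: dotted version strings compared as plain text put "11.10.0.1" below "11.9.900.170". The following is an added example, not code from the post or from Adobe, that compares Flash Player versions field by field against the 11.9.900.170 Windows/Mac build named above; the inventory, hostnames and versions in it are constructed for illustration, and the same comparison works for the Shockwave and AIR builds mentioned later.

```python
import re
from typing import Iterable, List, Tuple

# Patched Flash Player version for Windows and Mac, as given in the post.
FLASH_FIXED_WIN_MAC = "11.9.900.170"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '11.9.900.170' into a tuple of ints.

    Tuples compare numerically field by field, unlike raw strings, where
    '11.10.0.1' would wrongly sort below '11.9.900.170'.
    """
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted version: {v!r}")
    return tuple(int(x) for x in v.split("."))


def is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed.

    Shorter strings are zero-padded so '11.9.900' compares as '11.9.900.0'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def unpatched_hosts(inventory: Iterable[Tuple[str, str]],
                    fixed: str = FLASH_FIXED_WIN_MAC) -> List[str]:
    """Return hostnames whose installed version is below the fixed version.

    inventory: (hostname, installed_version) pairs, e.g. from an asset system.
    """
    return [host for host, ver in inventory if not is_patched(ver, fixed)]


# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = [
    ("ws-01", "11.9.900.152"),  # older build, needs the update
    ("ws-02", "11.9.900.170"),  # already at the fixed version
    ("ws-03", "11.10.0.1"),     # hypothetical newer build; string compare would flag it wrongly
    ("ws-04", "11.9.900"),      # truncated version string, padded to 11.9.900.0
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player below {FLASH_FIXED_WIN_MAC}, update required")
```

Feed `unpatched_hosts` the output of whatever inventory tool records plugin versions; anything it returns is a machine that should be updated through Adobe's installer or, for the embedded IE builds, Windows Update.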
In addition, Adobe AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.9.1380 for Windows, Mac and Android devices. Adobe AIR checks for and prompts you to install any available updates anytime you launch an application that uses AIR; in any case, the download link is here.
Adobe also issued an update for its Shockwave Player software that fixes at least two vulnerabilities, bringing Shockwave to v. 126.96.36.199 on Windows and Mac systems. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.