June 9, 2009
Adobe has apparently decided they don’t want to be left out of the monthly patch party initiated by Microsoft, so they have decided that they will release updates on the second Tuesday of the month, too. This month, there are security updates for Adobe Acrobat, to version 9.1.2, and for Adobe Reader (formerly Acrobat Reader), also to version 9.1.2. In both cases, the Windows and Mac versions are affected. The Adobe Security Bulletin has details of the vulnerabilities, rated Critical, that are addressed by the update. The new versions of Adobe Reader can be downloaded from the following pages:
These pages offer a full download of version 9.1, and then have updates for versions 9.1.1 (a previous change) and for version 9.1.2 (this update). If you are using Windows, the version 9.1.2 patch is cumulative, according to Adobe: that is, if you have 9.1, you can just apply the 9.1.2 patch. (You don’t have to apply the 9.1.1 patch first.) If you have a Mac, however, it appears that you have to apply the patches in sequence, so you have to apply the 9.1.1 patch, if you have not already done so, before you apply the 9.1.2 update. (Confusing enough for you?)
The Security Bulletin page has links for updates for the full Adobe Acrobat product. Also, it says that UNIX users will have to wait a bit for their updates:
Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.
Fortunately, there are several alternative PDF readers available on UNIX/Linux platforms, most of which are free.
Given the nature of the problems that this update addresses, I recommend people install it at their early convenience.
June 9, 2009
Apple has released a new version 4.0 of their Safari browser for the Mac, and for Windows XP and Vista. This version contains a large number of security fixes, in addition to some feature improvements. The new version can be downloaded from Apple’s site. Note there are two downloads offered, one of which also includes QuickTime.
June 9, 2009
Microsoft has now released their monthly Security Bulletin Summary for June. There are a total of ten updates, corresponding to Security Bulletins MS09-018 through MS09-027. (The Summary has links to the relevant Knowledge Base articles.) Four of the fixes relate to core components of Windows, one to Internet Explorer, three to Microsoft Office components, and one each to IIS and Windows Search. All supported versions of Windows are affected by at least some of the updates; the table in the Summary under Affected Software and Download Locations gives the details.
Six of the vulnerabilities (in Windows, Internet Explorer, and Office) are rated by Microsoft as Critical, the most serious designation. Microsoft reserves this category for vulnerabilities that would allow someone to execute an arbitrary program from a remote location:
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
The remaining fixes are rated as Important. (Definitions of the various categories are given here.) Apple Mac users should note that some of the Office updates apply to the Mac versions of MS Office.
The updates should be available through the normal Windows Update mechanism; the Summary contains download links for the stand-alone installation packages, which can be convenient if you have a number of machines to update.
As usual, I recommend that you install the security update at your earliest convenience. As is often the case, the potential consequences of an attack are more serious if you are running with an administrative account on Windows.
Update 15:30 Tuesday, June 9
The SANS Institute has now posted their evaluation of this month’s updates, broken down into server and desktop categories, along with what is known about active exploits.
Update 12:00 Wednesday, June 10
According to Brian Krebs at the Washington Post, this month sets a new Microsoft record for the number of different security defects fixed in a single month, with 31. Doesn’t that make you feel better? Me neither.