June 14, 2011
In addition to the pre-announced updates for Reader and Acrobat today, Adobe has also released a new version of its Flash Player, version 10·3·181·26, for Windows, Mac OS X, Linux, and Solaris platforms. The update incorporates a fix for a critical memory corruption vulnerability (CVE-2011-2110, which could cause a crash and potentially allow an attacker to take control of the affected system. Adobe says there is evidence that this vulnerability is currently being exploited by means of corrupted Web pages. Further details are in Adobe’s Product Security Bulletin [APSB11-18]. The affected versions of Flash Player are:
- Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.3.185.23 and earlier versions for Android
An update for the Android version is not available at present, but Adobe says one will be available by the end of this week. According to Adobe, this vulnerability does not affect the
authplay.dll component of Reader and Acrobat that allows the display of Flash content.
I recommend installing this update as soon as you conveniently can. Windows and Mac users should be able to obtain the update via the product’s built-in update mechanism; alternatively, versions for all platforms can be downloaded here.
June 14, 2011
As announced last week, Adobe today has released new versions of its Reader and Acrobat products for the Windows and Mac OS X platforms. The new versions address 13 identified security vulnerabilities, and are rated by Adobe as Critical updates. The new versions also include updates to the embedded Flash capability corresponding to the Flash Player updates issued in May and June. Affected versions of the software are:
- Adobe Reader X (10.0.1) and earlier 10.x versions for Windows
- Adobe Reader X (10.0.3) and earlier 10.x versions for Macintosh
- Adobe Reader 9.4.4 and earlier 9.x versions for Windows and Macintosh
- Adobe Reader 8.2.6 and earlier 8.x versions for Windows and Macintosh
- Adobe Acrobat X (10.0.3) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.4.4 and earlier 9.x versions for Windows and Macintosh
- Adobe Acrobat 8.2.6 and earlier 8.x versions for Windows and Macintosh
The Reader version for Linux/UNIX is apparently not affected.
The new versions are Reader X 10.1, Reader 9.4.5, Acrobat X 10.1, and Acrobat 9.4.5. Further details, including CVE identifiers, are in the Security Bulletin [APSB11-16].
You can get the new version using the built-in update mechanism (Help / Check for Updates) in either Reader or Acrobat. Alternatively, you can get the new Reader versions directly for Windows or Mac OS X. For Acrobat download links, see the Security Bulletin.
Because of the security content of these updates, I recommend that you install the new versions as soon as you conveniently can.
June 14, 2011
In keeping with its usual schedule, Microsoft today released a batch of 17 security bulletins, and associated security patches, for Windows and related software; together, the patches address 32 identified vulnerabilities. Nine of these bulletins have a maximum severity rating of Critical; seven are rated Important. Each supported version of Windows has several Critical vulnerabilities. (For a breakdown of severity ratings by Windows version, see my preview post of last Thursday.) There are also bulletins for Microsoft Office (including Microsoft Office for Mac), Silverlight, Forefront, and Visual Studio. Further details, and download links for the updates, are in the Security Bulletin Summary for June 2011.
Microsoft says that nine of these patches will definitely require a system reboot; the others may require a reboot, depending on the configuration of the patched system. As usual, I recommend that you install these patches as soon as you conveniently can.
The folks at the SANS Internet Storm Center have also posted their usual monthly summary of these bulletins, along with their own severity assessments.