August 14, 2012
Google has released a new version of its Chrome browser, 21.0.1180.79, for all platforms: Mac OS X, Windows, Linux, and Chrome Frame. This update incorporates security fixes for the bundled Flash Player, corresponding to Adobe’s update today.
Because of the security content of the new version, I recommend that you update your systems as soon as you conveniently can. Windows and Mac users should get the new version via the built-in update mechanism. Linux users should get the updated package from their distributions’ repositories, using their standard package maintenance tools.
You can check the version of Chrome that you have by clicking on the tool menu icon (the little wrench), and then selecting “About Google Chrome”.
August 14, 2012
Adobe today released new versions of its Flash Player for Windows, Mac OS X, and Linux systems. According to Adobe’s Security Bulletin [APSB12-18],
“These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system.”
The new versions are 11.3.300.271, for Windows and Mac systems, and 188.8.131.52 for Linux systems. (As I noted back in April, Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.) Adobe says that the affected versions of the software are Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux operating systems. Flash Player for Android is not affected by this vulnerability.
It appears that there are limited exploits of this vulnerability “in the wild”. At present, these seem to be targeted at the ActiveX version of Flash Player for Windows Internet Explorer. However, other versions are also vulnerable, and Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.
Windows users who have the silent update option enabled should receive the new version automatically. Windows or Mac OS X users can get the update using the update mechanism built into the software. Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page. Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser that they have installed.
I recommend that you update your systems as soon as you conveniently can.
August 14, 2012
It’s that time of the month again. In keeping with its usual schedule, Microsoft has released this month’s batch of security bulletins and patches for Windows and related software. For August, there are nine bulletins, for 15 identified vulnerabilities. Five of the bulletins are for Windows and its components; three of these have a maximum severity rating of Critical, and the other two are rated Important. All supported versions of Windows are affected. (For a breakdown of bulletins by severity and Windows version, please see this month’s preview post.)
There are also three bulletins that affect Microsoft Office. One of these, which is rated Critical, also applies to server software components, including SQL Server, as well as to Visual FoxPro and Visual Basic. The other two Office bulletins are rated Important. Finally, there is one bulletin, rated Critical, for Microsoft Exchange Server.
Further details, and download links, are in the Security Bulletin Summary for August 2012. Microsoft says that four of the patch installations will definitely require a system restart, and that the others may require one, depending on the configuration of your system.
As always, I recommend that you update your systems as soon as you conveniently can.
Update Tuesday, 14 August, 22:17 EDT
The folks at the SANS Internet Storm Center have posted their customary evaluation of this month’s bulletins, along with their own severity ratings.