Adobe Flash Player Security Update

February 7, 2013

Adobe today released new versions of its Flash Player for Windows, Mac OS X, Android, and Linux systems. According to Adobe’s Security Bulletin [APSB13-04], the updates address two critical vulnerabilities in the software. (The vulnerabilities are identified as CVE-2013-0633 and CVE-2013-0634.) An attacker exploiting either of these vulnerabilities could cause a crash, and potentially take control of the target system.

There are reports that both of these vulnerabilities are being exploited “in the wild”, via malicious Web sites and E-mail attachments.

The following versions of the software are affected:

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier versions for Linux
  • Adobe Flash Player and earlier versions for Android 4.x
  • Adobe Flash Player and earlier versions for Android 3.x and 2.x

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.

The new versions are 11.5.502.149, for Windows and Mac systems, and for Linux systems.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   Please see the Security Bulletin for information on Android versions.

Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.  Although I have not seen any reports of exploits “in the wild”, I do recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically. Windows or Mac OS X users can get the update using the update mechanism built into the software. Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page. Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) they may use.

Google’s Chrome browser comes with a bundled version of Flash Player.  Although I have not yet seen a release announcement from Google, I expect that we will get a new version of Chrome fairly soon.  I’ll post a note when I see the announcement.

Microsoft Patch Tuesday Preview, February 2013

February 7, 2013

Today, in keeping with its usual schedule, Microsoft released its Security Bulletin Advance Notification for February, previewing the security fixes it intends to release next Tuesday, February 12. Microsoft plans to release eleven security bulletins this month. Nine are for Windows and its components; four of these have a maximum severity rating of Critical, and the others are rated Important. All supported versions of Windows are affected.

The table below shows the breakdown of patches by Windows version and severity:

Windows Version Critical Important Moderate
Windows XP+SP3 4 3
Windows Vista 3 4
Windows Server 2003 2 3 1
Windows Server 2008 2 4 1
Windows 7 2 4 1
Windows Server 2008 R2 1 6 1
Windows 8 2 3 1
Windows RT 2 3
Windows Server 2012 1 5 1
Windows Server Core 6

There are also two bulletins that affect Microsoft server software: one, rated Critical, is for Exchange Server, and the other, rated Important, is for the FAST Search Server.

According to Microsoft, seven of the Windows bulletins will require a system restart, and the other bulletins may require one, depending on your system’s configuration.

As always, this information is subject to change between now and the actual release of the bulletins next Tuesday.  I will post a note here once the actual updates are available.
