March 12, 2013
Today Google released a new version, 25.0.1364.172, of its Chrome browser, for all platforms: Windows, Linux, Mac OS X, and Chrome Frame. The principal change is the updated version of the bundled Adobe Flash Player; there are some other miscellaneous bug fixes, as well. More information is available in the Release Announcement.
Because of the security content of this release, I recommend that you update your systems as soon as you conveniently can. Windows and Mac users can get the new version via the built-in update mechanism; Linux users should check their distribution’s repositories for the new version.
March 12, 2013
Not wanting, apparently, to be left out of the Patch Tuesday fun, Adobe has released a new Security Bulletin [APSB13-09] for its Flash Player for all platforms. The updates address four identified security flaws that, if exploited, might lead to a system crash or remote code execution. (One of these relates to handling of an integer overflow exception; the other three are good old-fashioned memory management errors.) According to Adobe, the following versions of the software are affected:
- Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
- Adobe Flash Player 220.127.116.113 and earlier versions for Linux
- Adobe Flash Player 18.104.22.168 and earlier versions for Android 4.x
- Adobe Flash Player 22.214.171.124 and earlier versions for Android 3.x and 2.x
- Adobe AIR 126.96.36.1997 and earlier versions for Windows, Macintosh and Android
- Adobe AIR 188.8.131.527 SDK and earlier versions
- Adobe AIR 184.108.40.2069 SDK & Compiler and earlier versions
The new version number for Mac OS X and Windows is 11.6.602.180; for Linux it is 220.127.116.115. Please see the Security Bulletin for update information for Android and AIR.
Windows users who have the silent update option enabled should receive the new version automatically. Windows or Mac OS X users can get the update using the update mechanism built into the software. Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page. Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) they may use.
Flash Player has, historically, been an attractive attack target, because it is so widely installed across different platforms. I recommend updating your systems as soon as you conveniently can.
March 12, 2013
As expected, Microsoft today released its regular monthly batch of security bulletins and associated patches. This month there are seven bulletins, addressing 20 identified vulnerabilities. Four bulletins have a Critical severity rating, and three are rated Important. Two of the bulletins are for Windows and its components; every supported version of Windows is affected. One of the bulletins, rated Critical, affects all desktop/client versions of Windows (XP, Vista, 7, 8, and RT).
There are four bulletins that affect Microsoft Office, two of which are rated Critical, and two Important. Some of these also affect Office for Mac.
There is one bulletin for Microsoft Silverlight, rated Critical; this also applies to Silverlight installations on Mac systems. One of the bulletins (MS13-024) also applies to SharePoint.
Microsoft says that the two Windows bulletins will definitely require a system restart. The Silverlight bulletin and one of the Office bulletins will not require a restart. The other bulletins may require one, depending on the system’s configuration.
For more detailed information, and download links, please see the Microsoft Security Bulletin Summary for March 2013.
As usual, I recommend applying these patches to your systems as soon as you conveniently can.
The handlers at the SANS Internet Storm Center have posted their usual summary and evaluation of this month’s patches.