Adobe Updates Flash Player

Adobe has issued a new Security Bulletin [APSB13-28] for its Flash Player.  The fixes address two critical security vulnerabilities.  According to Adobe, the affected software versions are:

• Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh
• Adobe Flash Player 11.2.202.327 and earlier versions for Linux
• Adobe AIR 3.9.0.1210 and earlier versions for Windows and Macintosh
• Adobe AIR 3.9.0.1210 and earlier versions for Android
• Adobe AIR 3.9.0.1210 SDK and earlier versions
• Adobe AIR 3.9.0.1210 SDK & Compiler and earlier versions

Note that Adobe’s AIR software is also affected.  You can check the version of Flash Player that you have, at any time, by visiting the Adobe “About Flash” page.

The new version of Flash Player for Windows and Mac OS X is 11.9.900.170; for Linux, the new version is 11.2.202.332.  Please see the Security Bulletin for information on Android versions.

Flash Player has always been a popular target for attackers, because it is so widely installed across different platforms.  There is some evidence that the vulnerabilities addressed by these fixes are being exploited; therefore I recommend that you update your system as soon as you conveniently can.

Users of Google’s Chrome browser, and of Internet Explorer 10 or 11 on Windows 8/8.1, should get the updated version automatically via the built-in update mechanism.  Other users can obtain the new version from the Flash Player Download page.

Mozilla Releases Firefox 26.0

The Mozilla organization today released a new version, 26.0, of its Firefox Web browser, for all platforms: Windows, Linux, and Mac OS X.  The new version includes fixes for 14 identified security vulnerabilities, five of which Mozilla rates at Critical severity.  There are also some other bug fixes:

• Text rendering on Windows 7 or 8
• Improved page load times
• MP3 back end on OS X

This version also incorporates some new features:

• Java plugins default to “click to play”
• H.264 is supported on Linux
• Password manager supports script-generated password fields

More details are available in the Release Notes.

Because of its security content, I recommend that you update your system as soon as you conveniently can.  You can get the new version using the built-in update mechanism, or you can get a complete installation package, in any of 70+ languages, from the download page.

Microsoft Patch Tuesday, December 2013

Microsoft today released its regular monthly batch of security updates for Windows and other software, summarized in the Security Bulletin Summary.  This month, there are 11 bulletins, addressing 24 identified vulnerabilities.  Five of the bulletins have a Critical severity rating; the other six are rated Important.  Six of the bulletins apply to Windows and its components and four apply to Microsoft Office.   There are also patches for Exchange, SharePoint, Office Web Apps, and Lync server software, as well as for some Microsoft developer tools. (The complete list of affected software is given in the Security Bulletin Summary, along with download links for the patches.)

All supported versions of Windows have at least two Critical bulletins.  The table below shows a breakdown of the Windows bulletins by severity and Windows version.

Windows Version	Critical	Important	Moderate
Windows XP+SP3	3	2	—
Windows Vista	4	1	—
Windows Server 2003	2	3	—
Windows Server 2008	3	2	—
Windows 7	3	1	—
Windows Server 2008 R2	2	2	—
Windows 8	3	1	—
Windows RT	3	1	—
Windows Server 2012	2	2	—
Windows Server 2012 R2	2	2	—
Windows 8.1	3	1	—
Windows RT 8.1	3	1	—
Windows Server Core	3	1	—

One bulletin applicable to Office is rated Critical; the others are rated Important.

Microsoft says that four of the bulletins for Windows will definitely require a restart; the other bulletins may require one, depending on your system’s configuration.

The SANS Institute has published its usual post summarizing the updates, with their assessment of the severity of each bulletin.