Another Flash Player Security Update

February 12, 2013

Adobe has once again released new versions of its Flash Player for Windows, Mac OS X, Android, and Linux systems.  According to Adobe’s Security Bulletin [APSB13-05], the updates address 17 identified security vulnerabilities in the software (the Security Bulletin gives the CVE identifiers for these).  An attacker exploiting any of these vulnerabilities could cause a crash, and potentially take control of the target system.

According to Adobe, the following versions of the software are affected:

  • Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.262 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.1060 and earlier versions
  • Adobe AIR 3.5.0.1060 SDK and earlier versions

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.

The new versions are 11.6.602.168 for Windows systems, 11.6.602.167 for Mac systems, and 11.2.202.270 for Linux systems.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   The new version number for the Flash Player bundled with Google’s Chrome browser is 11.6.602.167.  Please see the Security Bulletin for information on Android versions.

Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.  Although I have not seen any reports of exploits “in the wild”, I do recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.
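Because the ActiveX control used by Internet Explorer and the plugin used by other browsers are separate files, it is easy to update one and forget the other.  The following PowerShell script is an added example, not something from the post or from Adobe; it lists every Flash Player binary under the Macromed\Flash directories and flags any older than the fixed Windows release in APSB13-05.  The file-name patterns (Flash*.ocx for the ActiveX control, NPSWF*.dll for the plugin) and the install directories are assumptions about Adobe’s installer layout; Chrome’s bundled copy lives under Chrome’s own directory and is not covered.

```powershell
# Added example (not from the post or from Adobe): list installed Flash Player
# binaries on Windows and flag any below the fixed version from APSB13-05.
# Assumptions about Adobe's install layout:
#   Flash*.ocx  = ActiveX control used by Internet Explorer
#   NPSWF*.dll  = NPAPI plugin used by Firefox and other browsers
$Fixed = [version]'11.6.602.168'

$dirs = @("$env:SystemRoot\System32\Macromed\Flash")
if (Test-Path "$env:SystemRoot\SysWOW64\Macromed\Flash") {
    $dirs += "$env:SystemRoot\SysWOW64\Macromed\Flash"   # 32-bit copy on 64-bit Windows
}

$found = foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll' -Recurse |
        ForEach-Object {
            # ProductVersion is sometimes written "11,6,602,168"; normalise to dots
            $ver = [version]($_.VersionInfo.ProductVersion -replace ',', '.')
            [pscustomobject]@{
                Component = if ($_.Extension -eq '.ocx') { 'ActiveX (IE)' } else { 'Plugin (other browsers)' }
                Path      = $_.FullName
                Version   = $ver
                Status    = if ($ver -lt $Fixed) { 'UPDATE NEEDED' } else { 'ok' }
            }
        }
}

if (-not $found) { Write-Output 'No Flash Player binaries found.' }
$found | Sort-Object Component | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt (no elevation is needed to read file version information).  A system that shows “UPDATE NEEDED” for only one component is exactly the two-update case described above.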


Adobe Flash Player Security Update

February 7, 2013

Adobe today released new versions of its Flash Player for Windows, Mac OS X, Android, and Linux systems.  According to Adobe’s Security Bulletin [APSB13-04], the updates address two critical vulnerabilities in the software.  (The vulnerabilities are identified as CVE-2013-0633 and CVE-2013-0634.)   An attacker exploiting either of these vulnerabilities could cause a crash, and potentially take control of the target system.

There are reports that both of these vulnerabilities are being exploited “in the wild”, via malicious Web sites and E-mail attachments.

The following versions of the software are affected:

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.261 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.

The new versions are 11.5.502.149, for Windows and Mac systems, and 11.2.202.262 for Linux systems.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   Please see the Security Bulletin for information on Android versions.

Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.  Although I have not seen any reports of exploits “in the wild”, I do recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.

Google’s Chrome browser comes with a bundled version of Flash Player.  Although I have not yet seen a release announcement from Google, I expect that we will get a new version of Chrome fairly soon.  I’ll post a note when I see the announcement.


Microsoft Issues Out-of-Cycle Patch for IE

January 14, 2013

Microsoft today released a security patch, outside its normal schedule, for versions 6, 7, and 8 of its Internet Explorer browser, to fix a recently discovered Critical vulnerability that is being actively exploited.  According to Microsoft’s Security Bulletin [MS13-008], the vulnerability stems from a memory management error in the browser, which can cause memory corruption, leading to the execution of arbitrary code in the context of the current user.  The Security Bulletin [MS13-008] contains more information, and download links for the relevant patches.  Microsoft says that applying the patch will require a system restart.  Microsoft has also added information on this new bulletin to its Microsoft Security Bulletin Summary for January 2013, which also continues to contain information on the patches released on the usual schedule last Tuesday, January 8.

This is a serious security flaw, particularly for desktop clients, and I urge you to update your systems as soon as you can.

Update Monday, 14 January, 16:47 EST

There is a Microsoft Knowledge Base article (KB 2799329) that contains some additional information.


Adobe Flash Player Security Update

January 9, 2013

Adobe today released new versions of its Flash Player for Windows, Mac OS X, Android, and Linux systems.  According to Adobe’s Security Bulletin [APSB13-01], the updates address a critical vulnerability in the software:

These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system

The following versions of the software are affected:

  • Adobe Flash Player 11.5.502.135 and earlier versions for Windows
  • Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.258 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.880 and earlier versions for Windows, Adobe AIR 3.5.0.890 and earlier versions for Macintosh and Adobe AIR 3.5.0.880 for Android
  • Adobe AIR 3.5.0.880 SDK and Adobe AIR 3.5.0.890 SDK

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.

The new versions are 11.5.502.146, for Windows and Mac systems, and 11.2.202.261 for Linux systems.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   Please see the Security Bulletin for information on Android versions.

Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.  Although I have not seen any reports of exploits “in the wild”, I do recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.

Google’s Chrome browser comes with a bundled version of Flash Player.  Although I have not yet seen a release announcement from Google, I expect that we will get a new version of Chrome fairly soon.  I’ll post a note when I see the announcement.


Mozilla Releases Firefox 18

January 8, 2013

Mozilla has released a new major version of its browser, Firefox 18.0, for Mac OS X, Linux, and Windows.  In addition to fixing 21 identified security vulnerabilities (of which 12 are rated Critical), the new version incorporates some additional features:

  • Better JavaScript performance using the IonMonkey compiler
  • Support for Retina displays under OS X 10.7 and up
  • Preliminary support for WebRTC
  • Better scaling of images in HTML
  • Better performance in tab switching

Further details on the updates are available in the Release Notes.

Because of the security fixes incorporated in this release, I recommend that you update your systems as soon as you conveniently can.  You can get the new version using the update mechanism built into the browser, either automatically or via Help / About Firefox / Check for Updates.  Alternatively, you can get a complete installation package, available in more than 70 languages, from the download page.

Update Tuesday, 8 January, 21:45 EST

Ars Technica also has an article on the new version.


Adobe Patches Reader, Acrobat

January 8, 2013

As noted in a preview announcement last week, Adobe has released a Security Bulletin [APSB13-02] for its Reader and Acrobat software.  The bulletin addresses 27 identified security vulnerabilities, and is rated Critical.  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

For the corresponding new version numbers, please see the Security Bulletin.

Users of Reader on Windows or Mac OS X can get the new version via the update mechanism built into the software, as can Acrobat users.  Alternatively, you can download an update package for Reader for Windows here, and for Mac OS X here.  Linux users can download an installation package (via FTP) for the new version.  Download links for the new versions of Acrobat are in the Security Bulletin.

I recommend that you update your systems as soon as you conveniently can.


Microsoft to Block Insecure Certificates

September 10, 2012

Tomorrow is Microsoft’s “Patch Tuesday” for this month.  As I noted in the preview post, there are only two patches scheduled for release, neither of which is for Windows itself.  Many home users, especially, will have no patches to apply.

Dr. Johannes Ullrich, of the SANS Technology Institute, has a diary post at the SANS Internet Storm Center that suggests one reason that the patch load is especially light this month.

In part, the low number of bulletins appears to be intentional, to not distract from the more complex issue which will affect Windows users starting with the October update set: Windows will no longer allow SSL certificates with RSA keys that are less than 1024 bits in length.

These certificates are cryptographic credentials used to secure Internet connections via the SSL/TLS protocols, which create an encrypted connection between the user’s browser and the server.   The connection protocol also provides the user with some assurance that she is actually connecting to her bank’s Web site, and not to some Bad Guy’s imitation.  The certificates can also be used for encrypted E-mail.  I’ve written here before about some of the problems associated with these certificates and the Certificate Authorities [CAs] that issue them.

Microsoft’s intention is to disallow certificates that have a key length less than 1024 bits, on the grounds that they are insecure, which is certainly true.  Further details are given in Microsoft’s Security Advisory (2661254).  The change, which will be pushed as a patch as part of October’s “Patch Tuesday”, will affect all supported versions of Windows and its components.  (It will not affect Windows 8 Release Preview or Windows Server 2012 Release Candidate, because those versions already include this change.)

The potential problem for users is that some may have specialized or internally-developed applications that use certificates with short keys.  These will cease to work once the October update is installed.  Microsoft has a Knowledge Base article explaining the implications of the change; it also contains download links for the patch, which is available now for testing.  As Dr. Ullrich says, you really should test this while you have the opportunity.

As a first step, you should install the patch on a test system, and watch for any problems. You should also carefully inventory your certificates, in particular if you are using non-standard (internal) certificate authorities.

He goes on to say that you should, if possible, avoid creating new 1024-bit RSA keys, but use 2048- or 4096-bit keys instead.  This is also excellent advice.
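The inventory step is the one most likely to be skipped, so here is a PowerShell script that does it.  It is an added example, not from the post, from Dr. Ullrich, or from Microsoft: it walks the local machine and current user certificate stores and reports every RSA certificate whose key is shorter than 1024 bits, which is the threshold the October update enforces.  It assumes Windows PowerShell with the built-in Cert: drive and the .NET Framework, where PublicKey.Key returns the RSA object; the 1024-bit threshold is taken from the advisory, and the rsaEncryption OID check is used so that non-RSA certificates are skipped rather than inspected.

```powershell
# Added example (not from the post, Dr. Ullrich, or Microsoft): find certificates
# with RSA keys shorter than 1024 bits in the local certificate stores, which
# the October 2012 update (Security Advisory 2661254) will stop accepting.
# Assumes Windows PowerShell (.NET Framework) and the built-in Cert: drive.
$MinimumBits = 1024                                  # threshold from the advisory
$RsaOid      = '1.2.840.113549.1.1.1'                # rsaEncryption

$stores = 'Cert:\LocalMachine', 'Cert:\CurrentUser'

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -Recurse |
        # containers come back as X509Store objects; keep only certificates
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_
            # only look at the key object for RSA certificates; DSA/ECC are not affected
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { return }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

if (-not $weak) { Write-Output "No RSA certificates below $MinimumBits bits found." }
$weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
```

Run it in an elevated prompt so that the LocalMachine stores are fully readable.  Anything it lists that is still in use (check the Issuer and NotAfter columns for internal CAs and unexpired certificates) is a candidate for breakage when the update arrives, and should be reissued with a 2048-bit or longer key before then.  Certificates presented by remote servers are not in these stores, so internal Web servers and appliances still need to be checked separately.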

