Adobe Patches Flash Player, Reader

January 15, 2014

Not to be left out of this month’s “Patch Tuesday” festivities, Adobe has released security updates for its Reader, Acrobat, Flash Player, and AIR software.

The Security Bulletin [APSB14-01] for Acrobat and Reader applies only to the Windows and Mac OS X platforms.  Adobe says the affected software versions are:

  • Adobe Reader XI (11.0.05) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.8) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat XI (11.0.05) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.8) and earlier 10.x versions for Windows and Macintosh

Adobe rates the severity of the vulnerabilities addressed by this bulletin as Critical.  You can obtain the new version using the software’s built-in update mechanism (Help / Check for Updates); alternatively, you can download Reader installation packages for all platforms here.

The Security Bulletin [APSB14-02] for Flash Player and AIR applies to all platforms (Windows, Linux, and Mac OS X).  Affected software versions are:

  • Adobe Flash Player 11.9.900.170 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.332 and earlier versions for Linux
  • Adobe AIR 3.9.0.1380 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.9.0.1380 and earlier versions for Android
  • Adobe AIR 3.9.0.1380 SDK and earlier versions
  • Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions

(You can check the version of Flash Player installed on your system by visiting Adobe’s About Flash Player page.)  Adobe says this is also a Critical vulnerability.  Users of Google’s Chrome browser, or of Microsoft’s Internet Explorer (Versions 10 and 11), should get the new (bundled) Flash Player automatically.  Others can obtain installation packages for all platforms from Adobe’s Flash Player Download Center.  Please see the Security Bulletin for information on AIR updates.

These Adobe packages have, historically, been popular targets for attackers, because they are widely installed across different platforms.  I recommend that you update your systems as soon as you conveniently can.

Microsoft Patch Tuesday, December 2013

December 10, 2013

Microsoft today released its regular monthly batch of security updates for Windows and other software, summarized in the Security Bulletin Summary.  This month, there are 11 bulletins, addressing 24 identified vulnerabilities.  Five of the bulletins have a Critical severity rating; the other six are rated Important.  Six of the bulletins apply to Windows and its components and four apply to Microsoft Office.   There are also patches for Exchange, SharePoint, Office Web Apps, and Lync server software, as well as for some Microsoft developer tools. (The complete list of affected software is given in the Security Bulletin Summary, along with download links for the patches.)

All supported versions of Windows have at least two Critical bulletins.  The table below shows a breakdown of the Windows bulletins by severity and Windows version.

Windows Version Critical Important Moderate
Windows XP+SP3 3 2
Windows Vista 4 1
Windows Server 2003 2 3
Windows Server 2008 3 2
Windows 7 3 1
Windows Server 2008 R2 2 2
Windows 8 3 1
Windows RT 3 1
Windows Server 2012 2 2
Windows Server 2012 R2 2 2
Windows 8.1 3 1
Windows RT 8.1 3 1
Windows Server Core 3 1

One bulletin applicable to Office is rated Critical; the others are rated Important.

Microsoft says that four of the bulletins for Windows will definitely require a restart; the other bulletins may require one, depending on your system’s configuration.

The SANS Institute has published its usual post summarizing the updates, with their assessment of the severity of each bulletin.


Microsoft Patch Tuesday Preview, November 2013

November 11, 2013

On Thursday, in keeping with its usual schedule,  Microsoft released the Security Bulletin Advanced Notification for November 2013, previewing the security bulletins and associated patches it intends to release on Tuesday, November 12, 2013.   This month there are eight bulletins in all; three of these have a maximum security rating of Critical; the others are rated Important.  Six of the bulletins affect Windows and its components.  Two bulletins affect Microsoft Office.   More details on specific versions are given in the Advanced Notification.

All supported versions of Windows have at least one Critical bulletin.  The table below shows a breakdown of the Windows bulletins by severity and Windows version.

Windows Version Critical Important Moderate
Windows XP+SP3 3 2
Windows Vista 3 2
Windows Server 2003 1 3 1
Windows Server 2008 1 3 1
Windows 7 3 2
Windows Server 2008 R2 1 3 1
Windows 8 3 3
Windows RT 3 1
Windows Server 2012 1 4 1
Windows Server 2012 R2 1 4 1
Windows 8.1 3 3
Windows RT 8.1 3 1
Windows Server Core 1 3

The bulletins for Office are rated Important.

Microsoft says that five of the bulletins for Windows will definitely require a restart; the other bulletins may require one, depending on your system’s configuration.

As always, this information is subject to change between now and the actual release of the bulletins on Tuesday.  If there are significant changes, I will post a note here once the actual updates are available.


Microsoft Patch Tuesday Preview, October 2013

October 3, 2013

Today, in keeping with its usual schedule,  Microsoft released the Security Bulletin Advanced Notification for October 2013, previewing the security bulletins and associated patches it intends to release on Tuesday, October 8, 2013.   This month there are eight bulletins in all; four of these have a maximum security rating of Critical; the others are rated Important.  Four of the bulletins affect Windows and its components.  Three bulletins affect Microsoft Office (including Office for Mac); one of these also affects Microsoft’s SharePoint server.  A final bulletin affects Microsoft’s Silverlight.   More details on specific versions are given in the Advanced Notification.

All supported desktop versions of Windows have at least one Critical bulletin.  The table below shows a breakdown of the Windows bulletins by severity and Windows version.

Windows Version Critical Important Moderate
Windows XP+SP3 4
Windows Vista 4
Windows Server 2003 3 1
Windows Server 2008 3 1
Windows 7 4
Windows Server 2008 R2 3 1
Windows 8 4
Windows RT 2 1
Windows Server 2012 3 1
Windows Server 2012 R2 1
Windows 8.1 1
Windows RT 8.1 1
Windows Server Core 3

The bulletins for Office and Silverlight are rated Important.

Microsoft says that three of the bulletins will definitely require a restart, and the other bulletins may require one, depending on your system’s configuration.

As always, this information is subject to change between now and the actual release of the bulletins on Tuesday.  If there are significant changes, I will post a note here once the actual updates are available.


Adobe Fixes Flash Player

September 11, 2013

Adobe Systems has released a new version of its Flash Player for all platforms: Windows, Mac OS X, Linux, and Android.  The new version fixes four serious security vulnerabilities identified in Adobe’s Security Bulletin [APSB13-21]; the affected versions of the Flash Player software are:

  • Adobe Flash Player 11.8.800.94 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.297 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.69 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.64 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.8.0.870 and earlier versions for Windows and Android
  • Adobe AIR 3.8.0.910 and earlier versions for Macintosh
  • Adobe AIR 3.8.0.870 SDK & Compiler and earlier versions for Windows
  • Adobe AIR 3.8.0.910 SDK & Compiler and earlier versions for Macintosh

Further details are given in the Security Bulletin.

Windows, Linux, and Mac OS X users can get the new release from Adobe’s download page.  For Windows and Mac OS X, the new version is 11.8.800.168; the new version for Linux is 11.2.202.310.  (Windows users should note that they may require two updates: one for Internet Explorer, and one for all other browsers.) Details of the new Android versions are given in the Security Bulletin.

The Flash Player bundled with Google’s Chrome browser should be updated automatically to version 11.8.800.170, according to a post on the “Chrome Releases” blog.

Windows, Linux, and Mac OS X  users can check the version of Flash Player installed on their systems by visiting Adobe’s About Flash Player page.


Microsoft Patch Tuesday Preview, September 2013

September 5, 2013

Today, in keeping with its usual schedule,  Microsoft released the Security Bulletin Advanced Notification for September 2013, previewing the security bulletins and associated patches it intends to release on Tuesday, September 10, 2013.   This month there are fourteen bulletins in all; four of these have a maximum security rating of Critical; the other ten are rated Important.  Seven of the bulletins affect Windows and its components.  Seven bulletins affect Microsoft Office (including Office for Mac); one of these also affects Microsoft’s SharePoint server.  More details on specific versions are given in the Advanced Notification.

All supported desktop versions of Windows have at least one Critical bulletin.  The table below shows a breakdown of the Windows bulletins by severity and Windows version.

Windows Version Critical Important Moderate
Windows XP+SP3 2 3
Windows Vista 1 3
Windows Server 2003 1 3 1
Windows Server 2008 3 1
Windows 7 1 4
Windows Server 2008 R2 4 1
Windows 8 1 3
Windows RT 1 2
Windows Server 2012 3 1
Windows Server Core 4

Two of the bulletins for Office are rated Critical; the other five are rated Important.

Microsoft says that three of the bulletins will definitely require a restart, and the other bulletins may require one, depending on your system’s configuration.

As always, this information is subject to change between now and the actual release of the bulletins on Tuesday.  I will post a note here once the actual updates are available.


Mozilla Updates Firefox, Thunderbird

August 12, 2013

Last week, the Mozilla organization released a new version, 23.0, of its Firefox browser, for all platforms (Linux, Windows, and Mac OS X).   The new version fixes 13 identified security vulnerabilities.  Mozilla rates four of these as being of Critical severity, and seven as High severity.

In addition, the new version introduces some new and changed capabilities.  It incorporates mixed content blocking, to protect against eavesdropping and “man-in-the-middle” attacks on secure pages.  It also incorporates a new Options panel for the Web Developer Toolbox.

This version also removes the JavaScript options from the Preferences page, and resets all values to the defaults.  (The controls under about:config  still work, but they are for experts.)  The rationale is that, because JavaScript is so widely used, turning it off breaks an unacceptable number of Web pages.  The suggested alternative, for those concerned about JavaScript-based exploits, is to use the NoScript extension, which allows more selective control.  Although my initial reaction to the Preferences change was negative, on reflection I think this approach, with NoScript, really is the better way to go.   I have been using NoScript myself for several years, and recommend it.

For further information on these changes, please see the Firefox Release Notes.  You can obtain the new version using the built-in update mechanism, or download a complete installation package.

Mozilla also released a new version, 17.0.8, of its Thunderbird E-mail client for Linux, Windows, and Mac OS X.  This is a security release, which fixes eight identified vulnerabilities; Mozilla rates two of these as Critical, and six as High severity.  For more information, see the Thunderbird Release Notes.

As with Firefox, you can obtain the new version via the built-in update mechanism, or download a complete installation package.

Because of the security content of these releases, I recommend that you upgrade your systems if you have not already done so.

