Adobe releases its own Patch Tuesday security updates
Adobe fixed, among other things, a Flash Player flaw attackers have already exploited to break into Windows machines.
Microsoft gets most of the attention the second Tuesday of each month because of its security updates, but yesterday was also significant for the security patches Adobe released -- including one for a Flash Player flaw attackers have already exploited to break into machines running Windows.
Adobe's bulletin for Flash says the following:
These updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Word document.
The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.3.300.271.
- Users of Adobe Flash Player 22.214.171.124 and earlier versions for Linux should update to Adobe Flash Player 126.96.36.199.
- Flash Player installed with Google Chrome will be updated automatically, so no user action is required. Google Chrome users can verify that they have updated to Google Chrome version 21.0.1180.79.
Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux operating systems are affected.
Another update is for Adobe Shockwave Player. That bulletin says:
Adobe has released an update for Adobe Shockwave Player 188.8.131.525 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 184.108.40.2065 and earlier versions update to Adobe Shockwave Player 220.127.116.116 using the instructions provided in the "Solution" section below.
AFFECTED SOFTWARE VERSIONS: Adobe Shockwave Player 18.104.22.1685 and earlier versions for Windows and Macintosh
Adobe also released a fix for Reader and Acrobat. From that bulletin:
Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions: Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4). For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2. Users of Adobe Acrobat X (10.1.3) for Windows and Macintosh should update to Adobe Acrobat X (10.1.4). Users of Adobe Acrobat 9.5.1 and earlier versions for Windows and Macintosh should update to Adobe Acrobat 9.5.2.
AFFECTED SOFTWARE VERSIONS:
- Adobe Reader X (10.1.3) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.5.1 and earlier 9.x versions for Windows and Macintosh
- Adobe Acrobat X (10.1.3) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.5.1 and earlier 9.x versions for Windows and Macintosh
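The version thresholds quoted above can be checked against a software inventory, as in this added example (not code from Adobe or from the original article). The product labels, host names and inventory rows are constructed, and only the Windows/Macintosh Flash, Reader and Acrobat thresholds are used.

```python
from itertools import zip_longest

# Fixed releases as stated in the bulletins quoted above. Product keys are
# labels chosen for this example; each pair is (branch major, fixed release).
FIXED = {
    "flash":   [(11, "11.3.300.271")],            # Windows and Macintosh
    "reader":  [(9, "9.5.2"), (10, "10.1.4")],    # 9.x and 10.x branches
    "acrobat": [(9, "9.5.2"), (10, "10.1.4")],
}

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "flash", "11.3.300.270"),
    ("ws-02", "flash", "11.3.300.271"),
    ("ws-03", "reader", "9.5.1"),
    ("ws-04", "reader", "10.1.3"),
    ("ws-05", "acrobat", "10.1.4.0"),
    ("ws-06", "flash", "10.3.183.20"),
]

def parse(version):
    """'10.1.3' -> (10, 1, 3). Compared as numbers: as strings, '9.5.2' > '10.1.4'."""
    return tuple(int(part) for part in version.strip().split("."))

def older(a, b):
    """True if a < b, treating missing components as 0 (10.1.4 == 10.1.4.0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return x < y
    return False

def required_update(product, installed):
    """Return the fixed release for the installed branch, or None if patched."""
    have = parse(installed)
    for major, fixed in FIXED[product]:
        if have[0] <= major:  # first branch that covers this major version
            return fixed if older(have, parse(fixed)) else None
    return None  # newer major branch than these bulletins cover

def audit(inventory):
    """List (host, product, installed, fixed) for every install needing an update."""
    findings = []
    for host, product, installed in inventory:
        fixed = required_update(product, installed)
        if fixed is not None:
            findings.append((host, product, installed, fixed))
    return findings

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%s: %s %s -> update to %s" % row)
```

For Reader 9.x the check returns 9.5.2, the release the bulletin offers to users who cannot move to Reader X (10.1.4).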
In a recent interview, Brad Arkin -- Adobe's senior director of security, standards, open source, and accessibility -- told me one of the company's big efforts is to get more customers to use the most recent versions of these programs. To that end, Arkin has focused on automatic updates that download in the background, so the user doesn't have to be bothered with it.
"We've been putting a lot of incremental improvements into Reader but adoption wasn’t as high as we needed it to be," he said. "In April 2010 we turned on our auto-updater and that's increased deployment significantly. In June 2011 we changed the default setting from semi-auto to silent auto. Users need the update but if asked they won’t want to be bothered. So the goal was to make it so they wouldn’t have to be bothered."
He added: "The bad guys attacked Flash a lot in 2010-11. The security update response time for Flash is now an average of 5 days. We are adapting the Reader auto update strategy to Flash player, but it's a little more difficult because of the different ways Flash communicates with the different browsers. We can’t do this just once like we could with Reader."