Microsoft, Adobe Roll Out 12 Fixes for Patch Tuesday
It's the second Tuesday of the month, which means it's time for the monthly round of Microsoft Windows patches to be pushed out to the world.
In addition, Adobe is pushing out updates to its Acrobat, Flash Player, Reader and Shockwave Player for both Windows and Mac OS X machines. (The Flash Player update is for Linux as well.)
"It's a double-header patch day," said Andrew Storms, director of security operations at San Francisco-based information-security company nCircle. "There's enough IT work here to require extra pizza for the team, because the risks these bugs present are going to keep a lot of IT security armpits very sweaty."
Nine for mortal men
Five of the nine Microsoft patches, which fix 26 vulnerabilities in total (13 of which are actually holes in Oracle Java and database software), are rated "critical," meaning they need to be applied right away.
Three of the five critical patches involve possible attacks using "specially crafted" Web pages that can be accessed via Internet Explorer or Outlook email.
"However, an attacker would have no way to force users to visit such a website," the Microsoft Security Bulletin Summary said concerning one of the exploits. "Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."
Another critical patch involves the Remote Desktop Protocol, which allows full remote operation of a Windows XP or Server 2003 machine.
"By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system," Microsoft noted. "Systems that do not have RDP enabled are not at risk."
The fifth patch fixes, among other things, a vulnerability that "could allow remote code execution if an attacker sends a specially crafted response to a Windows print spooler request."
"Keen-eyed attackers are going need to focus carefully on vulnerability to uncover all of its potential," Storms said. "This is something that predominately affects small business and campus locations where Windows computers are configured in workgroups."
However, the patch is critical only for Windows XP and Windows Server 2003. For later versions, it's only a "moderate" urgency, which Microsoft "recommends that customers consider applying."
Home or small-business users of Windows should have Microsoft Update set to automatically download security updates. Microsoft also offers its updates as manual downloads.
Patching Adobe's abode
On the Adobe side of things, the patch for Acrobat and its free version, Reader, fixes a whopping 20 vulnerabilities at once, vulnerabilities "that could cause the application to crash and potentially allow an attacker to take control of the affected system."
The patch will bump users of Acrobat X and Reader X up to version 10.1.4, and users of the Acrobat 9 and Reader 9 (who might not be able to upgrade to X) up to version 9.5.2. The patch is applicable to both Windows and Mac OS X machines.
Likewise, the Shockwave Player patch applies to both PCs and Macs. It plugs four holes that could let an attacker "run malicious code on the affected system."
The Flash Player patch fixes only one vulnerability, but one that's possibly "being exploited in the wild in limited targeted attacks, distributed through a malicious Word document."
It applies to the Windows, Mac OS X and Linux platforms, but not to Android. (Apple's mobile iOS platform does not run Flash.)
All three Adobe patches are rated "critical." Users can either set their various Adobe applications to update automatically, or can download patches from the Adobe website at http://www.adobe.com/downloads/.
Remember: Don't click on emailed links offering to update Adobe software, which likely come from malware distributors.