13
Apr 10

Adobe, Microsoft Push Security Upgrades

Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.

Microsoft released 11 security updates that collectively fix at least 25 vulnerabilities in versions of Windows, Office, Exchange, and other Microsoft products.

Redmond said customers should install all of the relevant updates, but it called attention to a few as particularly urgent. Among those is a patch for all versions of Windows that fixes a bug which could allow attackers to fool Windows into thinking that a malicious program was created by a legitimate software vendor, said Joshua Talbot, security intelligence manager, Symantec Security Response.

“This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate,” Talbot said.

Another patch fixes a flaw that is critical on Windows 2000, XP, Server 2003 and Server 2008, and could be triggered just by visiting a Web page hosting a specially-crafted .avi video file. A separate critical bug patched today for Windows 2000 and XP users is another browse-a-bad-site-and-get-owned type of flaw.

Adobe issued an update to its PDF Reader and Acrobat software that fixes at least 15 security flaws in those programs. Adobe labels this update “critical,” meaning the attackers could use the security holes to crash the programs and seize control over a vulnerable system.

As promised, Adobe also is including a new updater technology with the latest version of both Reader and Acrobat (version 9.3.2) on both Windows and Mac systems. Adobe said the new updater includes an option to let Adobe “automatically install updates,” although the company said it will respect whatever update settings users currently have selected (the default is “download all updates automatically and notify me when they are ready to be installed”). Adobe’s Brad Arkin has more on this new updater in a post on Adobe’s ASSET blog.

Tags: , , , ,

20 comments

  1. Note: MS10-022, which MS marks as merely “Important” is catagorized beyond “Critical” as “Patch Now” by SANS due to live exploits.

  2. Only MS update that I have received today was the Defender definition file. Just checked again, and MS update indicates everything is up-to-date.

  3. 11 updates -25 meg on a Vista machine available at 1:20 pm Pacific Time.

  4. Thanks, yet once more, Brian!

    Adobe’s new updater switched setting from “do not download” to “automatically download updates, but …” Thanks for mentioning the new settings, which got me to check them. I don’t allow any automatic downloads if I can prevent them.

    As for Microsoft, I’ll wait a few days; the BSOD episode has me running scared. Hope someone will post whether there are any problems this month.

  5. JBV, rememberthe BSOD issue only hit systems that were infected by malware. Here is some good news from the MS Security Response Center blog:

    “MS10-021 is a Windows Kernel update. You may recall that the last Kernel update, MS10-015, exposed some systems that were infected with the Alureon rootkit. For MS10-021, and for all of our Kernel updates going forward, we have included detection logic for unusual conditions or modifications to the Windows Kernel binaries. If such conditions are detected, the update will return an error to the user and fail to install. Customers who see this error should contact our Customer Service and Support team for help determining if you have malware on your system.”
    http://blogs.technet.com/msrc/archive/2010/04/13/april-2010-security-bulletin-release.aspx

    Thus this patch won’t BSOD your system. It will fail and most people on whose systems it fails will not realize its’ failing because of malware.

  6. Brian, you once mentioned that the Adobe Updater had a flaw that could allow an attacker to force an install of Adobe software. For instance, the Updater could be caused to download and install Adobe Reader even if I previously uninstalled it in favor of FoxIt. For this reason, you recommended uninstalling the Updater as well. Any idea if this new version of the Updater is similarly vulnerable?

  7. Installed all applicable Microsoft patches early this afternoon(for Windows XP w/SP3, IE8, and Office 2003 w/SP3). As is usual, no problems to report.

  8. JustMyThreeCents

    I had a strange experience with this last Windows update. A message box came up saying Windows wanted to reboot in 15 minute. I couldn’t cancel the timer or close the message. I had to close a dozen tasks I was working on even though I wasn’t ready to close any of them. I’m appreciative of updates, but shouldn’t the decision as to when to reboot be mine?

  9. My computer hung in the “computer is shutting down” screen after I clicked to restart it after running the MS updates. I ended up manually shutting it off. It powered back up just fine.

    Windows XP Home, SP3.

    • Heron,

      It might be prudent to check the installation with Micrsoft’s baseline security tool, or Bel Arc Advisor. It is pretty easy to hose up an update installation like that.

  10. Brian, what’s your impression of the new Adobe updater? I really don’t like how they’ve changed the “details” link. Where previously you would click on “details” and see what the update(s) were, now it opens a browser window to a list of all of the updates.

  11. Robert Guenther

    I installed the 9 Windows Vista updates without problems.

    The 2 Microsoft Office 2007 updates failed with a Windows Update error code 646, which I can’t find documented anywhere — even on Microsoft’s own website.

  12. I woke up this morning with the bouncing Acrobat updater icon on my Mac’s desktop asking if I want to install it (running Adobe CS4). Like duh. It took about a minute to install. I agree the details link to a Web browser window is screwy. They could borrow Apple’s detail window view for the Mac version.

  13. After installing the MS updates on 5 different development servers, I noticed service logon failures where we had dedicated service accounts. After resetting the service passwords all was fine. I haven’t isolated the update that caused this behavior. Anyone notice the same?

  14. @Heron: “My computer hung in the “computer is shutting down” screen after I clicked to restart it…” Lately, after installing any software updates that require a restart, my computer has hung during the process at the log-in screen. Like Heron, I have had to manually shut down all the way and then reboot from power-off. XP/SP3 fully patched and secure. Is there something about some current software updates (happened with Java, too) that tends to overload the XP restart process? Or is my computer (wiped and cleanly reinstalled just a year ago) showing its age? Everything else works fine…

  15. Brian,

    I only run Flash Player 10 Plugin from Adobe (i think). Do I still need to download fixes and if so how do I download just the stuff I need?

    As always, thanks in advance,
    Sean