Microsoft Corp. and Adobe Systems each released security updates on Tuesday. Microsoft issued two “critical” patches that address one security flaw apiece, while Adobe’s patches fix a whole mess of serious vulnerabilities in its software.
One of the critical updates pushed by Microsoft fixes a flaw in Outlook Express, Windows Mail and Windows Live Mail. On older versions of Windows (Windows XP for example) Outlook Express is installed by default, while Windows Mail and Windows Live Mail generally require users to affirmatively download and install the program.
The other MS patch addresses a vulnerability in Microsoft Office, but the problem may turn out to be more complex down the road for some users. The trouble is that the vulnerable component, Microsoft Visual Basic for Applications is used not only by Microsoft Office products, but it’s also a component that is potentially installed by many third-party software apps built to work with Windows.
“Like the ATL issue last July, we could see many vendors supplying their own patches to address this vulnerability,” said Jason Miller, data and security team manager for Shavlik Technologies. “This is just another important reminder that patching is not just a Microsoft issue when it comes to software vulnerabilities.”
Adobe issued patches to fix security problems in its Cold Fusion and Shockwave Player software packages. Most end users will only have to worry about the Shockwave update, if that. The Shockwave patch fixes at least 18 security vulnerabilities in the commonly-installed media player application, on both Windows and Mac systems. Adobe has assigned the bugs an aggregate “critical” rating, meaning that an attacker who successfully exploited the flaws could seize control over an affected system.
Here’s a way to test whether you even have Shockwave Player on your system: Visit this page. If it says you need to install a missing plugin, then you don’t have Shockwave Player installed, and you probably don’t need it. I haven’t had it on my main PC since I bought the thing more than a year ago, and apparently I haven’t missed it.
If that link above shows that you do have Shockwave Player installed, it’s time to update it. The flaws are in Shockwave Player version 184.108.40.2066 and earlier. Adobe recommends that Shockwave users actually uninstall the program (Windows users can do this via the Add/Remove Programs menu), and then reboot before attempting to install the latest, patched version, v. 220.127.116.119, available here.