13
Sep 11

Adobe, Windows Security Patches

facebooktwittergoogle_plusredditpinterestlinkedinmail

If you use Windows or Adobe Reader/Acrobat, it’s patch time. Microsoft released five updates to fix at least 15 security vulnerabilities, and Adobe issued a quarterly update to eliminate 13 security flaws in its PDF Reader and Acrobat products.

The Microsoft patches, available via Windows Update and Automatic Update, address security holes in Excel, Office, Windows Server and SharePoint. None of the flaws earned Redmond’s most dire “critical” rating, but it’s a mistake to let too much time go by before installing these updates.

Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

As always, please leave a note in the comments section below if you experience any issues resulting from the installation of these updates.

Tags: , , ,

30 comments

  1. Thanks again for these invaluable heads ups.

    Watch out, sometimes patches add a mountain of stuff you do not want, in addition to fixing software which should never have been broken in the first place.

    So maybe make a configuration system backup first, before inviting whatever comes with the patches.

  2. I had an HP laptop running Windows 7 64 bit suddenly start displaying only symbols instead of English. I did a system restore, taking off these updates, and the English was back. So I’m thinking, wait a couple of days before updating if you have a similar system.

    • I also run Windows 7, 64-bit, and had smooth sailing when installing all Windows and Adobe updates.

      Thank you, Brian, for sharing your most helpful security knowledge and advice!

    • While I don’t doubt you had issues, I would not recommend to everyone with a similar system to wait on updating. What I would recommend is making sure you have important files backed up before updating your system, and if you experience issues after applying Windows updates to contact Microsoft, who will provide FREE support on any security-related issues such as this. I’ve used their free support service previously and it has been outstanding.

      • Hi EJ,

        yes, good advice from you.

        I always wait at least 72 hrs.
        after every Patch Tuesday,
        for any report on trouble & Win botched updates…

        EJ sayeth:
        “If you experience issues after applying Windows updates to contact Microsoft, who will provide FREE support on any security-related issues such as this. I’ve used their free support service previously and it has been outstanding.”

        EJ:
        can you provide the email addr.
        or 800 phone # for this MS support?

        Thanks!

        • SF Dude

          I have been receiving, what sounds like PHISHING voice phone call from someone claiming to be with Microsoft Tech Support, a call initiated not by my request, but by claim of caller that my computer is causing errors on their server (caller is unable to clarify what server … acts like there is only one server in the entire world, and it belongs to Microsoft). The accent is very thick (Asian?) and poor connection … I have to have them repeat themselves many times.

          • This is a scam. I received the same type call about a year ago. The caller said he had a report of my computer having a virus but was unable to tell me who was my ISP. When pressed about being associated with Microsoft, the caller said that some of the employees have Microsoft certification but are not actually a division of Microsoft. He will try to sell you anti-virus software or want you to allow him to remotely log into your computer, either of which you should not do.

          • Definitely a scam. Microsoft doesn’t come looking for you to offer support – you have to go looking for them. ;)

            • That guy called again today (3rd time in 2 months). I told him I believe he is a phisher. He swears up and down he is working with Microsoft, and that I can check him out by going to Windows Service Center to check on status of my computer problem.

              Last week he was on the phone with me for 1/2 hour, before we gave up (bad connections and his thick accent). Shortly before he hung up, I asked him who is paying for this unsolicited call. Before that, he had walked me thru START / My Computer / Manage Application and System, and we were discussing significance of ERRORs on the info list … the last one was when my PC locked up & I did a forced reboot. He saying it was caused by a hacker.

              I have not knowingly reported any problem to Microsoft in years.

              • Al – that’s a very interesting story. I’m assuming you’re located in the US? I’m surprised that someone would put so much effort into attempting to trick you unless they felt there was a large payoff waiting for them.

                Here’s some similar info on this scam from across the pond: http://www.guardian.co.uk/technology/blog/2011/mar/01/microsoft-virus-scam-continues

              • Al Mac, the caller is persistent but he most likely cold called you the first time and has no actual report about you other than possibly your phone number. It is possible you could coincidentally have a virus on your computer, although I have heard that these type of scammers walk their victims through system logs on their computer and then claim that errors appearing there are related to viruses when they may be nothing more than the usual errors related to the operating system and installed applications. You could check with your ISP about all of this. Many ISPs offer anti-virus packages from Norton or McCaffey that you can download without charge as part of your service contract. If you do not have anti-virus software installed (from a reputable company, not from someone cold calling you), it would be wise to do so. Also have your firewall turned on. Using a router/hub with NAT and a minimum number (ideally zero) of external direct ports turned on will better isolate your system from the internet wild.

                • KJ
                  I have two computers in my home: Home PC on XP Home; and Work PC on XP Professional, Work PC supplied by my employer. Both have AVG 2011 (I got the 3 computer pack in last upgrade, so as to replace FREE AVG with more security features). Both of them share a router, which serves as another firewall layer. I formerly used a firewall supplied by anti-virus supplier, have switched to Microsoft’s.

                  The first time he called, I told him that I am having a problem right now, which I did not give him the details, but I have supplied my employer with all the symptoms. I found out a day or two later, after this guy call. that the problem was due to severe weather at HQ knocked down VPN at that end. I reported this call to HQ. I was mystified … how can someone from Microsoft know we have a hacker problem in the network of IBM to IBM midrange systems, unless there is ANOTHER hacker problem out there?

                  By the time of the 3rd call, he saying the problem is definitely with my home computer. I asked him how he knew, because they both have identical IP address. He never answered that either. But I now suspect my questions are reverse social engineering.

                  • You seem to have a good deal of security methods in-place and access to your business network help, so it sounds like a pure social engineering attempt playing off coincidental random things occurring with your home and business systems.

        • SFdude: I’ve always used the online method for receiving support on problems related to Windows Updates. The link for contacting MS is here: http://support.microsoft.com/contactus

          The process can be a bit daunting as you have to make your way through several layers of choices in describing what product you’re using (Win 7 / Vista / XP / etc.), and some descriptions of what you’re experiencing. Make sure to specify as you make your way through the process that your issues are related to Windows Updates, as support related to non-security and Windows Update issues is fee-based. With that said, I’ve never had an issue with questioning that I’m eligible for free support when submitting a legitimate Windows Update issue to Microsoft.

          • I can second EJ’s experience. I have had outstanding help from the MS support team on every issue with updates I encountered. I do always back-up the image before and after updates, but occasionally rolling back is not sufficient when the different update files have been corrupted. As for avoiding the vendor junk, I always use Secunia to get the fluff free update links and if in doubt Brian’s older posts are good resources of those links too.

    • I had an hp laptop b4 and after i installed service pack 1, I had issues as well

  3. I have a huge dislike for Adobe’s download/update page. Why can’t Adobe just offer the package without all the arcane fiddle-faddle filling the page?

    I located an alternate to the reader and have been test driving for a couple of weeks. No problems to date

    • It was one of the few updates that does not require Adobe Updater, a program that is supposed to uninstall itself on completion but one that is always running on my computer.

  4. Thanks for the overview Brian.

    direct link for Adobe Reader 10.1 download is at http://get.adobe.com/reader/direct/

    • Just to clarify, the above link includes the option to install Google Toolbar (enabled by default) and it looks like it will include Adobe Air, based on the file name, install_reader10_en_air_gtba_aih.exe.

      I’m guessing that Adobe Updater is not included as this “update” is not a full version upgrade.

      Generally, I apply for a distribution license from Adobe for each version upgrade. http://www.adobe.com/products/reader/distribution.html This allows me to download Adobe Reader without Adobe Air or Adobe Updater. I have the option to download Reader with Acrobat.com included. Unfortunately, the license agreement forbids me from sharing the direct download links with you’s guys.

  5. What about alternatives to the unsecure Adobe Reader ?
    Foxit Reader for example….

    • http://www.foxitsoftware.com/Secure_PDF_Reader/version_history.php

      It seems that the latest version (4.3) offers a browser plug-in, which means that any vulnerabilities in their product (plug-in or core) can now be attacked directly from the web.

      Note that 4.2 was the first version w/ DEP+ASLR; iiuc, Reader had (a bad implementation of) them in version 9.

      At this point, Foxit and friends are partially a “security by not being the biggest target” cult, it’s what made mac users in days of old secure, it wasn’t that their software was secure, its that their population was insignificant to warrant serious research for attack purposes (low opportunity for RoI). I’m not opposed to using Foxit (and have on some of my systems), but it isn’t easy to see if their “many bug fixes” include security fixes. Adobe for its size (big Piñata) has been forced to generally document when it’s fixing a security hole (and it generally is…).

  6. A thumbs down for Acrobat Reader’s built-in updater. It wants me to restart my system. I don’t mind restarting for an OS update, or to enable VT-x in my BIOS, but restarting for Reader? — grumble —

    I’d suggest avoiding the built in update option; download the full installer instead, uninstall reader and then run the full installer — maybe that will work better…

    • After reading a review/recommendation of Ninite.com by ZDNet’s Ed Bott, I went to the site and created a custom installer/updater for all my third party apps. To each his own, but for me it really doesn’t get any simpler than this. I run it every day and it takes about two minutes unless there’s a large app update. Best of all, Ninite automatically says “No” to toolbars and other junk. Everything is completely automated, so you also don’t have to click “Next” multiple times. That said, if you run Windows as a “standard user,” you will need to input your administrator password.

      • Just found out about Ninite earlier this week. Absolutely love it, makes installing all the standard software super easy, and no problems so far. Works great when I have to reload a system for example.

        I never download anything from Adobe’s site….I always goto File Hippo if I have to download a standalone product. But now that I found out about Ninite, I rarely do that either! lol

  7. A pair of ASUS computers, 1 laptop w/ x64 Windows 7 Home Premium and 1 netbook with x86 Windows 7 Starter have had trouble with the recent Windows updates (don’t run Adobe products, so no need for an update there). Custom built Win 7 x64 desktop had no problem at all.

    Still trying to suss out the problem…

    • Update: After several restarts and 2 system restores, I got the latest Windows updates installed on the above mentioned laptop. No mention on the Windows Update site about the error codes I saw during this process, and no returned e-mail from the help desk. I’m sure they’re busy…

      No success yet with the netbook, but I never give up.

      If anyone else is having trouble and happens to read this post, hang in there! Sometimes tenacity is all it takes.

  8. Sorry my comment at the start of this thread generated so many negative comments. Here is an update. After restoring the HP laptop, I tried installing the updates again, because I’m paranoid about computer security. The same thing happened again: all the english on the display was turned into geometric symbols. Once again, I was able to navigate to the restore screen by referencing another laptop running windows 7. Following that, I tried to do the installs one by one, to try to identify the one causing the problem. I was able to install the system updates without any problem. So the problem is likely related in some way to one of the Office updates. I wasn’t able to install the updates individually, but just got an error message. I also did a full scan with Microsoft Security Esssentials, just to make sure that there wasn’t some malware afoot here — there wasn’t.

  9. So it was a russian hack.I was investigating an incident on a neighbour’s network, and i wasnt sure.Seeing their language in plain text clinched it.

    Thanks Krebs.


Read previous post:
Pharma Wars: Paying for Prosecution

In June 2011, Russian authorities arrested Pavel Vrublevsky, co-founder of ChronoPay, Russia's largest processor of online payments, for allegedly hiring...

Close