If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products. Separately, Adobe released a critical update that addresses nine vulnerabilities in its Shockwave Player software.
Four of the patches earned Microsoft’s most dire “critical” rating, meaning that miscreants and malware can leverage the flaws to hijack vulnerable systems remotely without any help from the user. At least four of the vulnerabilities were publicly disclosed prior to the release of these patches.
The critical patches repair faulty components that can lead to browse-and-get-owned scenarios; among those is a fix for a vulnerability in Microsoft Silverlight, a browser plugin that is required by a number of popular sites — including Netflix — and can affect multiple browsers and even Mac systems. Microsoft believes that attackers are likely to quickly devise reliable exploits to attack at least a dozen of the 21 flaws it is fixing with this month’s release.
Some Windows users and loyal readers of this blog prefer to wait a day or two before applying these patches, reasoning that the occasional system stability problems introduced by security updates only become widely known after a critical mass of users have applied them. I tend to fall into this camp as well, but given the seriousness of these flaws, I think it’s a mistake to put off patching for long.
Adobe’s Shockwave update is a critical one, but not everyone who has this program needs it, and those who don’t probably don’t need it. It’s easy to tell: Browse to this page. If it says you need to install a plugin, you don’t have it. Otherwise, it’s time to update it (or remove it). The latest, patched version is Shockwave Player v. 18.104.22.1684. Updates are available for Windows and Mac systems from this link.
For deeper dives on some of the individual vulnerabilities in this month’s patch batch from Redmond, the SANS Internet Storm Center, McAfee and Qualys have deeper dives. Summaries of and links to the individual security bulletins from Microsoft are available here.
As ever, please drop a note in the comments to let readers know how your patching went, particularly if you experienced any problems in applying these updates.
Update, 4:10 p.m. ET: Corrected the number of critical updates released by Microsoft.