Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks.
Six of the seven Microsoft patches released today earned the company’s most dire “critical” rating, meaning the patches plug security holes that could be exploited by malware or miscreants with no help from PC users, save for visiting a hacked site or opening a specially crafted document.
Microsoft and security experts are calling special attention to MS13-053, which fixes at least eight flaws in the Windows kernel-mode driver (win32k.sys), including the way it parses TrueType font files. These critical TrueType vulnerabilities exist on nearly every supported version of Windows, including XP, Vista, Windows 7 and Windows 8, and can be exploited to gain complete control over a vulnerable Windows system just by having the user visit a Web page that serves malicious TrueType content (or open a document that embeds it). To make matters worse, Microsoft says one of the flaws fixed in this bulletin (CVE-2013-3660) is already being exploited in the wild.
There’s something else that’s interesting about these TrueType flaws: Ross Barrett, senior manager of security engineering at Rapid7, notes that for the first time ever Microsoft is addressing a single TrueType vulnerability (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054), because the same font-parsing code is reached from .NET/Silverlight, the kernel-mode driver, and GDI+. “By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem, and component patches were frequently missed,” Barrett notes. The practical consequence is that a system is not fully remediated for CVE-2013-3129 until all three bulletins are installed.
The other big deal in today’s patch batch from Redmond is the Internet Explorer update (MS13-055), which is rated critical for all versions of IE and addresses 17 vulnerabilities. For a breakdown of the updates released today, check out this summary page, which includes links to all of the individual patches.
Also, Microsoft today announced a policy change related to the security of applications for sale or download in the Microsoft marketplace: Henceforth, any app that has a reported security issue will be removed from the marketplace store if it is not patched within 180 days of Microsoft confirming the problem. Read more about that policy change at Microsoft’s Technet Blog.
ADOBE FLASH & SHOCKWAVE
Adobe’s Flash Player update fixes at least three critical bugs in the program. Updates are available for Windows, Mac, Linux and Android versions of Flash. This update brings Flash Player to version 11.8.800.94 on Windows and Mac systems (other OS users see the chart at the end of this post). To find out which version of Flash you have installed, visit this page. Internet Explorer 10 auto-updates its built-in Flash Player; Chrome does as well, but the latest patched version of Flash on Chrome is 11.8.800.97. My installation of Chrome does not appear to have updated to the latest version yet.
The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera): IE uses the Flash ActiveX control, while other browsers use the separate NPAPI plugin, and each is a separate installer, so patching one leaves the other at the old version.
Adobe also released a new version of its Shockwave Player software that fixes at least one critical flaw, bringing Shockwave to v. 12.0.3.133 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but also removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
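The version checks described above (the Flash ActiveX control for IE versus the NPAPI plugin for other browsers, Chrome’s separately updated Flash, whether Shockwave is installed at all, and whether the MS13-053 bulletin has landed) can be done from a single PowerShell script instead of visiting Adobe’s test pages. The following is an added example, not code from the original post or from Adobe or Microsoft. It assumes the standard Windows install locations for these plugins (`Macromed\Flash` and `Adobe\Director` under System32/SysWOW64, and Chrome’s per-user `PepperFlash` directory), the Shockwave version 12.0.3.133 given above, and KB2850851 as the Knowledge Base article for MS13-053; verify that KB number against the bulletin before relying on it.

```powershell
# Added example (not from the original post): inventory Adobe Flash / Shockwave
# binaries on a Windows machine, compare them with the patched versions cited
# in the post, and check whether the MS13-053 hotfix is present.
# Paths and the KB number are assumptions; adjust for your environment.
param(
    [version]$FlashTarget       = '11.8.800.94',  # patched Flash for IE / NPAPI browsers (from the post)
    [version]$ChromeFlashTarget = '11.8.800.97',  # patched Pepper Flash bundled with Chrome (from the post)
    [version]$ShockwaveTarget   = '12.0.3.133',   # Shockwave release cited above
    [string] $KernelHotfixKB    = 'KB2850851'     # assumption: KB article for MS13-053
)

function Get-NormalizedFileVersion {
    param([string]$Path)
    # Adobe stamps FileVersion as "11,8,800,94" (commas); Chrome uses dots.
    # Pull out the four numeric fields and build a [version] from them.
    $fv = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($fv -match '^\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)') {
        return [version]("{0}.{1}.{2}.{3}" -f $matches[1], $matches[2], $matches[3], $matches[4])
    }
    return $null
}

function New-Finding {
    param([string]$Component, [string]$Path, [version]$Target)
    $ver = Get-NormalizedFileVersion -Path $Path
    $status = if ($null -eq $ver) { 'UNKNOWN' } elseif ($ver -ge $Target) { 'OK' } else { 'OUTDATED' }
    [pscustomobject]@{ Component = $Component; Version = $ver; Target = $Target; Status = $status; Path = $Path }
}

$findings = New-Object System.Collections.Generic.List[object]

# System32 holds the native-bitness copy, SysWOW64 the 32-bit copy on 64-bit Windows.
# Browsers in 2013 are 32-bit processes, so both directories matter.
$roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { Test-Path $_ }

foreach ($root in $roots) {
    # ActiveX control: what Internet Explorer loads (updated by the "IE" installer / IE10 auto-update)
    Get-ChildItem -Path "$root\Macromed\Flash" -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add((New-Finding 'Flash ActiveX (IE)' $_.FullName $FlashTarget)) }
    # NPAPI plugin: what Firefox, Opera, etc. load (separate installer, hence "patch twice")
    Get-ChildItem -Path "$root\Macromed\Flash" -Filter 'NPSWF*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add((New-Finding 'Flash NPAPI (Firefox/Opera)' $_.FullName $FlashTarget)) }
    # Shockwave Player (Adobe Director runtime). Absent here = not installed, and probably not needed.
    Get-ChildItem -Path "$root\Adobe\Director" -Filter 'SwDir.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add((New-Finding 'Shockwave Player' $_.FullName $ShockwaveTarget)) }
}

# Chrome's Pepper Flash is component-updated per user (assumed location); Chrome updates it itself.
$pepper = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\PepperFlash'
if (Test-Path $pepper) {
    Get-ChildItem -Path $pepper -Recurse -Filter 'pepflashplayer.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add((New-Finding 'Flash Pepper (Chrome)' $_.FullName $ChromeFlashTarget)) }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Flash or Shockwave binaries found: nothing to patch.'
} else {
    $findings | Sort-Object Component, Path | Format-Table Component, Version, Target, Status, Path -AutoSize
    $outdated = @($findings | Where-Object { $_.Status -ne 'OK' })
    if ($outdated.Count -gt 0) {
        Write-Warning ("{0} Adobe component(s) are not at the patched version; apply the Adobe updates " +
                       "once per browser family (IE installer for ActiveX, plugin installer for NPAPI).") -f $outdated.Count
    }
}

# Windows side: MS13-053 ships as a single KB on each supported Windows version.
$hf = Get-HotFix -Id $KernelHotfixKB -ErrorAction SilentlyContinue
if ($hf) {
    Write-Host "$KernelHotfixKB (MS13-053) installed on $($hf.InstalledOn)"
} else {
    Write-Warning "$KernelHotfixKB (MS13-053) NOT installed; run Windows Update, CVE-2013-3660 is exploited in the wild."
}
```

Run it from an elevated PowerShell prompt so the System32 directories are readable in full. A Status of OUTDATED on the NPAPI row while the ActiveX row reads OK is exactly the “patched IE but not Firefox” situation the post warns about; a missing Shockwave row means you can skip that update entirely.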
Adobe did not release any updates for AIR today, as it normally does when it pushes out Flash updates. The company says it is not aware of any active exploits or attacks in the wild that take advantage of the vulnerabilities fixed in today’s Flash and Shockwave releases.
If all of this patch frenzy has your head spinning, consider using some free tools to help automate the process for you. File Hippo’s Update Checker works great on this front, as does Secunia’s Personal Software Inspector (I prefer PSI 2 over PSI 3, but your mileage may vary). And, as always, if you experience any problems or interesting issues applying the Windows updates or any of the other patches, please drop a note in the comments section below.