Adobe and Microsoft today each issued updates to address critical security flaws in their software. Adobe’s patch plugs at least five holes in its Shockwave Player, while Microsoft has released a bundle of seven updates to correct 23 vulnerabilities in Windows and other products.

Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.

According to Microsoft, the two updates are the most dire: The first is one related to a critical flaw in Microsoft Word (MS12-029); the second is an unusually ambitious update that addresses flaws present in Microsoft Office, Windows, .NET Framework and Silverlight. In a blog post published today, Microsoft explained why it chose to patch all of these seemingly disparate products all in one go. But the short version is that Microsoft is addressing the ghost of Duqu, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous Stuxnet worm. A patch Microsoft issued last year addressed the underlying Windows vulnerability exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.

Separately, Adobe has issued an update for its Shockwave Player. Adobe recommends that users of Adobe Shockwave Player 11.6.4.634 and earlier for Windows and Macintosh update to Adobe Shockwave Player 11.6.5.635. Fixes are available for Windows and Mac systems, from this link. Windows users can tell if they have Shockwave installed by checking for an entry for the program in the Add/Remove Programs listing from the Windows Control Panel. If you don’t already have this program, I’d recommend keeping it that way. I seem to have gotten along fine without it for several years now, and going without it just means one less buggy application to patch.

As always, if you experience any issues installing these updates, please leave a note in the comments section below.

Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.

Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far target Flash Player on Internet Explorer for Windows only.

Nevertheless, there are updates available for Flash Player versions designed for all operating systems that Adobe supports, including Mac, Linux and Android devices.

Adobe is urging users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Windows users of Flash Player 11.2.x who have selected the silent update option will receive the update automatically. Flash Player installed with Google Chrome is updated automatically, so no user action should be required for Chrome users. Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9.

To find out if you have Flash installed, or which version is on your system, visit this link. If you have trouble updating your Flash version, consider uninstalling the program using Adobe’s Flash removal tool, rebooting, and then reinstalling the latest version. Updates are available via the Adobe Flash Player Download Center. Direct links to the OS-specific downloads are here.

An earlier version of this blog post incorrectly stated that Oracle had shipped security updates for its Java software. Oracle did push out an update for Java earlier this month — Java 6 Update 32 — but the new version was a maintenance update that did not include security fixes. My apologies for any confusion this may have caused.

Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.

Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected.

“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote John Harrison, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”

Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys, is particularly worried about MS12-027, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the highest priority security update this month.

“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unsually wide-range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”

Other notable fixes from Microsoft this month include a .NET update, and a patch for at least five Internet Explorer flaws. Patches are available for all supported versions of Windows, and available through Windows Update.

Adobe’s updates fix critical problems in Acrobat and Reader on all supported platforms, including Windows, Mac OS X, and Linux. Users on Windows and Mac can use each products’ built-in update mechanism. The newest, patched version of both Acrobat and Reader is v. 10.1.3 for Windows and Mac systems. The default configuration is set to run automatic update checks on a regular schedule, but update checks can be manually activated by choosing Help > Check for Updates. Reader users who prefer direct links to the latest version can find them by clicking the appropriate OS, Windows, Mac or Linux (v. 9.5.1).

As always, if you have any problems installing or applying these updates, please leave a note about your experience in the comments below.

Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

Distribution of 550,000 Flashback-infected Macs. Source: Dr.Web.com

The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.

The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most which it said were U.S. based systems (hat tip to Adrian Sanabria). Dr.Web’s post is available in its Google translated version here.

Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains will happily infect vulnerable Mac systems without requiring a password, writes Ars Technica, among others. F-Secure has additional useful information on this Trojan attack here.

As Ars notes, although Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access webpages that use it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In Safari, this can be done by clicking Preferences, and then the Security tab (uncheck “Enable Java”). In Google Chrome, open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing. In Mozilla Firefox for Mac, click Tools, Add-ons, and disable the Java plugin(s).

I can’t stress this point strongly enough: If you don’t need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I’d encourage you to browse through some of my past Java-related posts.

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.

Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws  in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating.

Here’s how Adobe describes the updates to its updater:

The new Adobe Flash Player background updater updates all instances of a release version of Adobe Flash Player for all Web browsers on a computer. Previously, users had to perform separate updates for each Web browser running on their system.

With the introduction of the new background updater, Windows users have the option to download and install updates for Adobe Flash Player automatically (when available), without user interaction. After a successful installation of Adobe Flash Player 11.2, users are presented with a dialog box to choose an update method. The following three update options are available to users:

§  Install updates automatically when available (recommended)

§  Notify me when updates are available

§  Never check for updates (not recommended)

Additionally, the user can change his update preferences at any time via the Flash Player Settings Manager, which for Windows users can be accessed via the Control Panel > Flash Player. In the Flash Player Settings Manager, the update preferences can be found and selected in the “Advanced” tab under “Updates.”

Want to learn which version of Flash you have on your system? Visit this link. Updates are available via the Adobe Flash Player Download Center. Google’s Chrome browser usually auto-installs Flash updates, often before Adobe even publicizes them. But this is the second time Chrome has fallen behind on that front: My installation of Chrome still shows version 11,1,102,63.

Sadly, Adobe’s fancy new updater doesn’t go beyond Flash itself. If you have Adobe Air installed (that means you, Tweetdeck users), Air will need to be updated as well to accommodate these Flash fixes. For more on how to do that, see these instructions.

If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

The exploit targets a bug in Java (CVE-20120-0507) that effectively allows the bypassing of Java’s sandbox, a mechanism built into the ubiquitous software that is designed partly to blunt attacks from malicious code. Microsoft’s Malware Protection Center warned last week that new malware samples were surfacing which proved highly effective at exploiting the flaw. Microsoft says the samples it saw loaded the ZeuS Trojan, but thieves can use such attacks to install malware of their choosing.

According to posts on several underground carding forums, the exploit has now been automatically rolled out to miscreants armed with BlackHole, by far the most widely used exploit pack. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed, and Java is almost universally the most successful method of compromise across all exploit kits.

According to software giant Oracle, Java is deployed across more than 3 billion systems worldwide. But the truth is that many people who have this powerful program installed simply do not need it, or only need it for very specific uses. I’ve repeatedly encouraged readers to uninstall this program, not only because of the constant updating it requires, but also because there seem to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.

Case in point: On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java. I have not seen firsthand evidence that proves this 0day exploit exists, but it appears that money is changing hands for said code.

If you do not need Java, junk it; you can always re-install it later if you need to. If you need Java for a specific Web site, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

The Java latest versions (which patch the CVE-2012-0507 hole) are Java Version 6 Update 31, or Java 7 Update 3, released on Feb. 15, 2012. Please note that if you disable the Java plugin from a browser, the next time you update the program, you may need to disable it again, as Java tends to re-enable itself with every security update.

Update, March 28, 3:48 p.m. ET: Marcus Carey, a security researcher at Rapid7, adds a bit more perspective on the severity of the situation with this exploit. He estimates that upwards of 60 to 80 percent of users probably are not yet patched against this flaw. Here’s what he wrote:

Anytime an exploit, such as one for CVE-2012-0507,  is added to mass exploit kits it goes from being a “hypothetical risk” to becoming a real risk. This particular exploit can be found in the widely used BlackHole Exploit kit.

Based on the Java patching habits of 28 million unique Internet users, Rapid7 estimates that 60-80% of computers running Java are vulnerable to this attack today.

Looking long term, upwards of 60% of Java installations are never up to the current patch level. Since so many computers aren’t updated, even older exploits can be used to compromise victims.

Rapid7 researched the typical patch cycle for Java and identified a telling pattern of behavior. We found that during the first month after a Java patch is released,  adoption is less than 10%. After 2 months, approximately 20% have applied patches and after 3 months, we found that more than 30% are patched.  We determined that the highest patch rate last year was 38% with Java Version 6 Update 26 3 months after its release.

Since this is only about a month since the patch was released (February 15), it’s likely that only approximately 10% of users have applied the patch.

Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003, and 2008 — is that RDP not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys.

Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, said this bulletin should be considered a top priority, noting that Microsoft has rated its “exploitability index” as 1, meaning that Microsoft expects working exploits to be available in fewer than 30 days.

“An unauthenticated remote code execution is pretty much as bad as it gets,” Marcus said.

For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network-Level Authentication,” which according to the company is an effective mitigation for this issue.

The remainder of today’s updates address three other Windows vulnerabilities, and problems in Microsoft Expression Design and Microsoft Visual Studio.

For a breakdown of the patches, see Microsoft’s Security Bulletin Summary for March 2012. The fixes are available through Windows Update. As always, if you experience any problems or issues updating, please leave a note about your experience in the comments below.

For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The patch addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.

The fixes being released today address a pair of critical bugs that are present in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Mac, Linux and Solaris, Flash Player v 11.1.115.6 and earlier versions for Android 4.x, and Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. Adobe says both flaws in today’s release were reported by Google security researchers.

For Windows, Mac, Linux and Solaris users, the newest version is 11.1.102.63, and is available through the Player Download Center. To find out which version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted.

Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome normally auto-updates Flash – often hours or days before the fixes are publicly released for download — although for some reason I still had the vulnerable version 11.1.102.62 installed when Adobe’s security advisory was released today. According to the Chrome Releases blog, Google began pushing out an update last night that includes the new Flash version.

Today’s update comes close on the heels of a critical Flash patch that closed at least seven security holes, including one that was at the time already being exploited to break into vulnerable systems (that one, also, was reported by Google).

Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.

In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google –  was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.

Adobe is urging users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris to update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6.

To find out what version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted. Thankfully, Adobe no longer appears to make you first install its annoying Download Manager to grab the latest Flash version, or at least it didn’t when I fetched the update today.

Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome users should already have this update, as Chrome auto-installs Flash updates – often hours or days before the fixes are publicly released for download.