Adobe today released updates to fix at least a dozen critical security problems in its Flash Player and AIR software. Separately, Microsoft pushed four update bundles to address at least 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework. If you use any of these, it’s time to update! Continue reading →
Posts Tagged: adobe flash player
If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.
Most of the bugs that Microsoft addressed with today’s updates (24 of the 29 flaws) are fixed in a single patch for the company’s Internet Explorer browser. According to Microsoft, one of those 24 flaws (a weakness in the way IE checks Extended Validation SSL certificates) was already publicly disclosed prior to today’s bulletins.
The other critical patch fixes a security problem with the way that Windows handles files meant to be opened and edited by Windows Journal, a note-taking application built in to more recent versions of the operating system (including Windows Vista, 7 and 8).
Adobe’s Flash Player update brings Flash to version 18.104.22.168 on Windows, Mac and Linux systems. Adobe said it is not aware of exploits in the wild for any of the vulnerabilities fixed in this release.
To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 22.214.171.124.
Flash has a built-in auto-updater, but you might wait days or weeks for it to prompt you to update, regardless of its settings. The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.
Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed (required by some programs like Tweetdeck and Pandora Desktop), you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 126.96.36.199 for Windows, Mac, and Android.
Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late.
Microsoft’s five bulletins address 23 distinct security weaknesses in Microsoft Windows, Internet Explorer and Silverlight. The Internet Explorer patch is rated critical for virtually all supported versions of IE, and plugs at least 18 security holes, including a severe weakness in IE 9 and 10 that is already being exploited in targeted attacks.
Microsoft notes that the exploits targeting the IE bug seen so far appear to perform a check for the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET); according to Microsoft, the exploits fail to proceed if EMET is detected. I’ve recommended EMET on several occasions, and would encourage any Windows users who haven’t yet deployed this tool to spend a few minutes reading this post and consider taking advantage of it to further harden their systems. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform. For those of you who don’t mind beta-testing software, Microsoft has released a preview version of the next generation of EMET — EMET 5.0 Technical Preview.
This month’s updates include a fix for another dangerous bug — deep within the operating system on just about every major version of Windows — that also was publicly disclosed prior to today’s patches. Microsoft’s Technet Blog has more details on these and other bulletins released today.
Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.
Microsoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.
Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.
<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>
As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities. IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.
Adobe has released an emergency update for its Flash Player software that fixes three critical vulnerabilities, two of which the company warns are actively being exploited to compromise systems.
In an advisory, Adobe said two of the bugs quashed in this update (CVE-2013-0643 and CVE-2013-0648) are being used by attackers to target Firefox users. The company noted that the attacks are designed to trick users into clicking a link which redirects to a Web site serving malicious Flash content.
Readers can be forgiven for feeling patch fatigue with Flash: This is the third security update that Adobe has shipped for Flash in the last month. On Feb. 12, Adobe released a patch to plug at least 17 security holes in Flash. On Feb. 7, Adobe rushed out an update to fix two other flaws that attackers were already exploiting to break into vulnerable computers.
For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least
five six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.
Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 188.8.131.52 for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).
To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”
Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR 184.108.40.2060. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.
Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.
If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws in Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating. Continue reading →
Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.
In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google — was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.
Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site’s advertising network — Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of “malvertising.”
Last week, I listed the various ways this blog and its author has been “honored” over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called Darkode.com sought to fraudulently place a rogue ad on KrebsOnSecurity.com. The ad was made to appear as though it was advertising BitDefender antivirus software. Instead, it was designed to load a malicious domain: sophakevans. co. cc, a site that has been associated with pushing fake antivirus or “scareware.”
The miscreants agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on my site. Fortunately, I have the opportunity to review ads that come through Federated’s system. What’s more, Federated blocked the ad before it was even tagged for approval.
I learned about this little stunt roughly at the same time it was being planned; Much to the constant annoyance of the site administrators, I secretly had gained access to Darkode and was able to take this screen shot of the discussion. The incident came just a few weeks after I Tweeted evidence of my presence on Darkode by posting screenshots of the forum. The main administrator of Darkode, a hacker who uses the nickname “Mafi,” didn’t appreciate that, and promised he and his friends had something fun planned for me. I guess this was it. Interestingly, Mafi also is admin at malwareview.com and is the developer of the Crimepack exploit kit.
Adobe has shipped patches to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.
The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2.
To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.