Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.
Microsoft released 11 security updates that collectively fix at least 25 vulnerabilities in versions of Windows, Office, Exchange, and other Microsoft products.
Redmond said customers should install all of the relevant updates, but it called attention to a few as particularly urgent. Among those is a patch for all versions of Windows that fixes a bug which could allow attackers to fool Windows into thinking that a malicious program was created by a legitimate software vendor, said Joshua Talbot, security intelligence manager, Symantec Security Response.
“This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate,” Talbot said.
Another patch fixes a flaw that is critical on Windows 2000, XP, Server 2003 and Server 2008, and could be triggered just by visiting a Web page hosting a specially crafted .avi video file. A separate critical bug patched today for Windows 2000 and XP users is another browse-a-bad-site-and-get-owned type of flaw.
Adobe issued an update to its PDF Reader and Acrobat software that fixes at least 15 security flaws in those programs. Adobe labels this update “critical,” meaning attackers could use the security holes to crash the programs and seize control over a vulnerable system.
As promised, Adobe also is including a new updater technology with the latest version of both Reader and Acrobat (version 9.3.2) on both Windows and Mac systems. Adobe said the new updater includes an option to let Adobe “automatically install updates,” although the company said it will respect whatever update settings users currently have selected (the default is “download all updates automatically and notify me when they are ready to be installed”). Adobe’s Brad Arkin has more on this new updater in a post on Adobe’s ASSET blog.