Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities. The software maker also is warning that attackers are targeting a previously unidentified security hole in its Acrobat and PDF Reader products.
The Shockwave patch plugs 11 security holes in program, most of which attackers could use remotely to take control over an affected system. Updates are available for Mac and Windows computers, from this link. The latest version is 18.104.22.1685. Before you blithely click through the process, keep a lookout for pre-checked “free” software that will install alongside this Shockwave update if you simply accept all the default options. When I tested the Shockwave installer, it included a “free PC performance scan from PC Tools’s Registry Mechanic. I opted to untick the check mark next to that option before proceeding with the rest of the install, which was otherwise uneventful.
Due to Adobe’s huge market share and apparent abundance of as-yet-undiscovered security holes, life with Adobe’s products can feel a bit like playing Whac-a-Mole: Just when you’ve patched one Adobe product it seems like there’s another one under assault by attackers. True to form, Adobe released a separate advisory today warning that hackers were targeting a critical flaw in the latest version of its Acrobat and PDF Reader products.
Adobe says the Acrobat/Reader vulnerability could cause a crash and potentially allow an attacker to take control of the affected computer, and that there are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. The flaw also exists in ubiquitous Adobe’s Flash Player, although the company said it is not currently aware of attacks targeting the latest version of Flash (v. 10.1.85.3).
Even so, Adobe plans to fix the issue in Flash before tackling it in Reader and Acrobat. The company says it plans to issue a fix for the bug in Flash by Nov. 9, 2010, but that it doesn’t expect to release an update to clobber the problem on Acrobat/Reader until the following week.
In other patch news, Mozilla has released an update that fixes a critical flaw that security experts warned this week was being used to attack Firefox users. Chances are good that your copy of Firefox (assuming it is semi-recent) has already downloaded this update, which brings Firefox to version 3.6.12 If you haven’t already been prompted to restart Firefox, click “Help” in the menu bar on top and look for an item that says “Apply Downloaded Update Now.” Otherwise, it’s available from Mozilla’s home page.