November 9, 2011

Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here.  As I noted earlier this year, I haven’t had Shockwave on my system for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24 (if anyone can help decipher Mozilla’s timeline for exactly how long it will continue to support this workhorse version of Firefox, please drop a line in the comments below). Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).


21 thoughts on “Adobe, Apple, Microsoft & Mozilla Issue Critical Patches

  1. Brian E

    Brian Krebs said: “(if anyone can help decipher Mozilla’s timeline for exactly how long it will continue to support this workhorse version of Firefox, please drop a line in the comments below).”

    From the Firefox Extended Support Proposal:
    “Firefox 8 or 9 will be the base for the initial ESR”

    “Firefox 3.6 will be end-of-lifed 12 weeks after the initial ESR is offered”

    Assuming the ESR will be offered before Firefox 10 is released, which is in 12 weeks, that presumably means Firefox 3.6.x has 12-24 weeks left before its “end-of-life”.

    1. zoltan

      ESR seems to be a good idea, for people who don’t want the treadmill of updates every 6 weeks, especially enterprise deployments.

      However, at this stage, it’s still only a proposal, and not yet something that Mozilla has committed to actually doing.

  2. Nic

    17 security holes in Java just since the last release? If that doesn’t convince a person to uninstall Java, I’m not sure what will.

    1. rb

      Nic, by your reasoning, we should throw away all our computers, tablets, and smart phones.

      Security has always been a cat-and-mouse game. Those who don’t need java should uninstall it. The rest of us update, follow best practices, and pray.

      1. Nic

        Let me explain what my logic is:

        If a component has a poor security history, I don’t use it. 99% of the time it’s either superfluous or a secure alternative exists. For genuinely critical components, there are _always_ secure alternatives.

        You are free to keep your bad software and prayer. Nothing will stop you: not 17 holes, not 30 holes, not 50 holes.

        I’ll keep my secure software and sleep like a baby!

  3. OhioMC

    Thanks Brian – It’s always very helpful to have your work with the links. I can’t avoid having some Adobe crud like Flash on my machines but at least with your links and the IE View lite extension for Firefox I can check it and IE very quickly.

    When I first starting using Firefox (pre 1.0?) there were security and privacy advantages to it. The hassle factor has grown but I appreciate the effort it takes for the community to try to keep pace with a juggernaut like Google. I have been tempted to switch to Chrome, but have already committed too much of my online life to Google.

    I haven’t bought into the the Apple ecosystem, and don’t want to put my entire life into the Google one. Ultimately the fix for me may be to move some services away from Google before switching to Chrome.

  4. JJ

    This month’s patches are interesting because the older operating systems are not part of all of them, like the UDP issue.

    On the great news front, Adobe announced they stopped all work on Flash for mobile browsers and will only supply bug and security fixes for the current products.

    http://blogs.adobe.com/flashplatform/2011/11/flash-to-focus-on-pc-browsing-and-mobile-apps-adobe-to-more-aggressively-contribute-to-html5.html

    “We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations (chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook. We will of course continue to provide critical bug fixes and security updates for existing device configurations.”

    Now if we could just get it off the desktop the world would be a safer place.

    Any bets on whether Microsoft will offer a patch to block the insertion or execution of Flash objects from within Office dcocuments? Maybe under “national security threat” grounds?

  5. Andrew f. Vancouver

    Brian, unlike Flash Player, the Shockwave Player only requires *one* installation to service IE and Firefox.

    I agreed to the distribution licence so that I could get the .MSI version of the installer. Here’s a screenshot https://imgur.com/VvViz without the URL showing.

    It’s the next day, but Adobe has not yet updated that .msi file, it’s still the August 16th 2011 version.

    1. Andrew f. Vancouver

      Adding to my earlier post… both of the .exe installers are updated. Note that there is no indicator on the page that states the version of these files.

      The problem is that Adobe is redirecting the links here to Akamai, and Akamai does have the current build of all three installers, but Adobe has not updated the redirection link for the .msi file to the correct URL at Akamai.

      The link that needs to be updated redirects to:

      http://redacted.redacted.com/get/shockwave/default/english/win95nt/10.1.4.020/sw_lic_full_installer.msi

      But fixing the version number in this URL to match the (working) .exe downloads:

      http://redacted.redacted.com/get/shockwave/default/english/win95nt/10.2.0.022/sw_lic_full_installer.msi

      sigcheck.exe sw_lic_full_installer.msi now shows Signing date: 9:59 PM 11/7/2011

      NB: Of course, the real host and domain are not “redacted” but the distribution agreement prevents me from posting the direct URL.

  6. Charlie

    You mentioned transitioning to Google Chrome; I had the same thought, but didn’t like that it phones home more than I prefer.

    Comodo put out a browser based on Chromium, Dragon, that I switched to instead.

  7. WWH

    In re the “critical” Windows patch, security bulletin MS11-083 indicates that Win XP SP3 and Server 2003 variants are among the non-affected software.

  8. John Cali

    Hi Brian,

    I switched to Google Chrome a couple months ago. I love it. As you said, it’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on both my computers.

  9. bruce

    Brian

    This is actually a real nice read from my new HP Touchpad which HP will be supporting for another year.

    By then eitherUbuntu or Android should be working.

  10. nonameform

    According to the link, “Firefox 3.6 will be end-of-lifed on April 24th, 2012”. That’s if “Firefox 10 will be the base version for the initial ESR”.

  11. d

    I gather I will not install the Java update. I found this on the Apple site:

    Reference releases; update vs. upgrade
    Mac OS X v10.1, 10.2, 10.3, 10.4, 10.5, 10.6 and OS X Lion themselves are not free updates, they are reference releases, also called upgrades. The OS X Lion reference release can be purchased in Mac OS X Snow Leopard via the Mac App Store.

    The phrase “reference release” means that the software is distributed as a stand-alone system software package that can be installed regardless of the version of Mac OS currently installed (assuming the Mac is compatible with the reference release). Note: You should not install Mac OS versions that are older than what came with your computer.

    The Java for OS X Lion Update 1 does not download through “Software Update,” you must search for it. On a pc, I would simply delete Java, but I know it’s not that easy on a Mac.

  12. Wilhelm Graas

    I fully agree that the incessant Firefox ( and Thunderbird) updates are gradually becoming a real nuisance and tend to drive you round the bend as far as add-ons are concerned. This is a perfect way to lose friends and cut back on market shares! I have also changed to Google Chrome and am presently trying to replace Thunderbird as well

  13. Kent

    On Windows, I updated to the latest Java JRE7/v1.7 but OpenOffice won’t recognize it – had to go back to JRE6.

    Why Oracle makes JRE7 publicly available, but it doesn’t work with their Open Office, I don’t quite get.

    But this time it didn’t work out trying to be on the leading edge.

  14. StarKiller

    I just installed microsoft updates and I am so pissed I had to take an extra BP pill. Microsoft HIJACKED my home page, I can add a tab with my original homepage but I can NOT turn off the MSN page. I am ready to delete IE altogether and F every page that requires it to function. How many of my other programs will not function correctly if I do?
    I have some programs I need that require windows or I would install Linux right now, instead of just using a live USB for banking.

    1. F-3000

      “I am ready to delete IE altogether and F every page that requires it to function. How many of my other programs will not function correctly if I do?”

      My bet is, that your Windows wont work anymore after doing that. Otherwise, it would be quite standard procedure for a lot of people to uninstall IE after getting new PC/reinstalling Windows.

      But why in the heaven’s name you are using IE? If there’s a page that requires IE, contact the site support and complain. I personally don’t use ANY site/service that requires IE. If there would be something I’d desperately need, and it would be IE-only site, and there simply would be no equivalent service, I’d “bombard” them with complaints and requests for widening their browser-support. (bombard in quotes as spamming gets you nowhere, but couple times per week emails might push them some)

      IMHO, any site that builds “IE-only” pages, is simply being an ***hole service, denying access for a lot of users. If it’s commercial, then they’re saying NO to huge amount of possible customers.

      I stopped using Myspace when they included “IE only” games on their site. They told me that they don’t appreciate me as an user, because I don’t use IE.

Comments are closed.