Adobe and Microsoft today each issued updates to address critical security flaws in their software. Adobe’s patch plugs at least five holes in its Shockwave Player, while Microsoft has released a bundle of seven updates to correct 23 vulnerabilities in Windows and other products.
Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.
According to Microsoft, the two updates are the most dire: The first is one related to a critical flaw in Microsoft Word (MS12-029); the second is an unusually ambitious update that addresses flaws present in Microsoft Office, Windows, .NET Framework and Silverlight. In a blog post published today, Microsoft explained why it chose to patch all of these seemingly disparate products all in one go. But the short version is that Microsoft is addressing the ghost of Duqu, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous Stuxnet worm. A patch Microsoft issued last year addressed the underlying Windows vulnerability exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.
Separately, Adobe has issued an update for its Shockwave Player. Adobe recommends that users of Adobe Shockwave Player 126.96.36.1994 and earlier for Windows and Macintosh update to Adobe Shockwave Player 188.8.131.525. Fixes are available for Windows and Mac systems, from this link. Windows users can tell if they have Shockwave installed by checking for an entry for the program in the Add/Remove Programs listing from the Windows Control Panel. If you don’t already have this program, I’d recommend keeping it that way. I seem to have gotten along fine without it for several years now, and going without it just means one less buggy application to patch.
As always, if you experience any issues installing these updates, please leave a note in the comments section below.