Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.
The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.
Nevertheless, the underlying vulnerability being targeted exists in Windows, Mac and Linux versions of the software. Windows and Mac users can grab the latest version (v. 11.3.300.271) via the Flash Player download center. Be sure to uncheck the “free” software scans that Adobe loves to bundle with updates, such as McAfee‘s obnoxious Security Scan Plus, if you don’t want it. Linux users should update to v. 188.8.131.52, and Chrome users who are at Chrome v. 21.0.1180.79 (click the wrench icon in Chrome and select About Chrome to see your version number) should have the latest Flash update, which for Windows Chrome users is. v. 184.108.40.206. To find out what version of Flash you have installed, visit this page.
Adobe also pushed out a new version (v. 10.1.4) of Adobe Acrobat and Reader that corrects at least 20 distinct security vulnerabilities in Windows and Mac versions of these products. Windows users can grab the latest update from this link, and Mac users from here. Those looking for links to Adobe Acrobat updates and support for older versions of Reader should check the advisory that the company issued today for more information.
In addition, Adobe released an update that fixes at least five critical flaws in Windows and Mac versions of its Shockwave Player software. If you have this program installed, update it. If not, forget about this patch, as you probably don’t need the software. The latest version is Shockwave Player 220.127.116.116 and is available via this link.
At the top of the heap of security updates that Microsoft released today is MS12-060, which fixes a vulnerability in Microsoft Office that is already being exploited in the wild. Other high-priority updates from Redmond include a patch for a flaw in the Remote Administration protocol of Windows networking, and an Internet Explorer update that fixes two security holes. More information on the Windows patches is available from Microsoft’s Security Response Center and from Qualys.
Microsoft patches are available through Windows Update or Automatic Update. As usual, please leave a note in the comments section if you experience problems applying any of these updates.