Posts Tagged: Flash Player update

Nov 15

Critical Fixes for Windows, Adobe Flash Player

For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

brokenwindowsOne-quarter of the patches from Microsoft address flaws that the company labels “critical,” meaning they can be exploited by malware or malcontents to break into vulnerable systems with no help from users. Four of the bulletins address vulnerabilities that were publicly disclosed prior to Patch Tuesday, meaning malicious hackers had a head start in figuring out how to exploit those weaknesses.

Top of the priority list among these 12 patches should probably be the one for Internet Explorer, which fixes more than two dozen flaws in IE, nearly all of them critical, browse-to-a-hacked-site-and-get-owned flaws. Another patch, MS15-113, fixes critical bugs in Microsoft’s Edge Browser, its intended replacement for IE. Also of note is a Microsoft Office patch that addresses seven flaws.

This month also includes a patch for .NET, a program that past experience has taught me to patch separately. If you use Windows and Windows Update says you have patches available for .NET, consider unchecking those updates until you’ve applied the rest released on Tuesday. Reboot and install any available .NET updates.

Separately, Adobe issued a patch for its Flash Player software that fixes at least 17 vulnerabilities in the program and in Adobe AIR. Adobe says it is not aware of any exploits in the wild for issues addressed in this update, but readers should seriously consider whether having Flash installed and/or enabled in the browser is worth the risk.  Continue reading →

Oct 14

Microsoft, Adobe Push Critical Security Fixes

Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks.

brokenwindowsEarlier today, iSight Partners released research on a threat the company has dubbed “Sandworm” that exploits one of the vulnerabilities being patched today (CVE-2014-4114). iSight said it discovered that Russian hackers have been conducting cyber espionage campaigns using the flaw, which is apparently present in every supported version of Windows. The New York Times carried a story today about the extent of the attacks against this flaw.

In its advisory on the zero-day vulnerability, Microsoft said the bug could allow remote code execution if a user opens a specially crafted malicious Microsoft Office document. According to iSight, the flaw was used in targeted email attacks that targeted NATO, Ukrainian and Western government organizations, and firms in the energy sector.

More than half of the other vulnerabilities fixed in this month’s patch batch address flaws in Internet Explorer. Additional details about the individual Microsoft patches released today is available at this link. Continue reading →