Wednesday, May 12, 2010

Patch Tuesday: Windows, Microsoft Office, Adobe Shockwave all get critical patches

Well, yesterday was a quiet Patch Tuesday, but the Microsoft patches are listed as "Critical" on the SANS page. My own systems patched without problems and I'm not seeing any reports of issues elsewhere, so I will be applying them on client systems later this week. Home users should update themselves.

May 2010 Microsoft Patches
Overview of the May 2010 Microsoft Patches and their status.

Patch Tuesday: Microsoft plugs Windows worm holes | ZDNet
Microsoft today issued patches for a pair of critical (remote code execution) vulnerabilities in Windows and Microsoft Office and urged affected users to apply the fixes as soon as possible.

In addition to Microsoft, Adobe issued a patch rated "Critical", but it only affects those few people who have the Adobe Shockwave Player (this is different from the "Shockwave Flash Player", which almost everyone has installed). NOTE: last time Adobe updated the Shockwave Player, you had to manually uninstall the older version first, then reboot, then install the new version. I haven't found out if that is necessary this time.

Adobe zaps critical Shockwave vulnerabilities | ZDNet
Adobe joined the Patch Tuesday train today with the release of patches for at least 21 documented security vulnerabilities in the Shockwave and ColdFusion product lines.

According to the APSB10-12 security bulletin, 18 of the 21 flaws affected the Shockwave Player, a free software product that lets users view rich-media content on the web.

Critical vulnerabilities have been identified in Adobe Shockwave Player and earlier versions for Windows and Macintosh. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

This bulletin is rated “critical” and Adobe recommends users of Adobe Shockwave Player and earlier versions update to Adobe Shockwave Player

Here's a link to the bulletin: Adobe - Security Bulletins: APSB10-12 - Security update available for Shockwave Player

You can also use Mozilla's free Plugin Check page to check on which plugins you have and which need updating, but you have to enable scripting on the page and it only has "Limited" support for IE7+. There's a blog entry on the Mozilla Security blog about it here: Plugin Check for Everyone at Mozilla Security Blog
