Wednesday, September 14, 2011

Adobe AND Microsoft Patch Tuesday - SysAdmins have work this week

If you are a system admin, you are going to have a busy week.  Adobe patched Acrobat and Adobe Reader (versions 8, 9, and 10) and Microsoft patched Microsoft Office 2003 and later -- Office 2000 users are no longer supported and should switch to LibreOffice instead.  If you are still using Adobe Reader 8, please note that support for it ends on November 3, 2011, so it might be time to replace it with Sumatra PDF or Foxit Reader (I use both and only load Adobe Reader in a VirtualBox virtual machine for difficult PDFs).

The Office patches are important because everyone either receives Office documents as attachments to emails or downloads them from websites, and the vulnerabilities, if unpatched, will allow remote code to be executed on your computer.  All of the reported vulnerabilities have limited effect if you run as a non-admin user, so this is just another reminder that running this way is a Good Thing.

The last link below is Microsoft's official blog entry on this month's updates.

Adobe, Windows Security Patches — Krebs on Security
If you use Windows or Adobe Reader/Acrobat, it’s patch time. Microsoft released five updates to fix at least 15 security vulnerabilities, and Adobe issued a quarterly update to eliminate 13 security flaws in its PDF Reader and Acrobat products.

The Microsoft patches, available via Windows Update and Automatic Update, address security holes in Excel, Office, Windows Server and SharePoint. None of the flaws earned Redmond’s most dire “critical” rating, but it’s a mistake to let too much time go by before installing these updates.

Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

MS Patch Tuesday warning: Opening legitimate .doc, .txt files brings code execution risk | ZDNet
Microsoft today warned that innocuous documents, including legitimate rich text format files (.rtf), text files (.txt), or Word documents (.doc) could be used in code execution attacks against Windows users.

Microsoft, Adobe release scheduled security patches - SC Magazine US

Light Patch Tuesday fixes 15 vulnerabilities
In today's Patch Tuesday, Microsoft delivers 5 security bulletins (all rated "important") that address 15 vulnerabilities affecting Windows, Microsoft Office and Microsoft Server Software.

In addition to that, Microsoft has also released an updated security advisory and has added six more DigiNotar root certificates to its Windows Untrusted Certificate Store.

More on DigiNotar Certificates, and September Bulletins - MSRC - Site Home - TechNet Blogs
